Introduction To Malware Analysis
In order to build upon work done by the LCDI’s Malware Analysis Team last semester, we are adopting Amazon Web Services. Amazon WorkSpaces will allow us to conduct malware research with the guarantee that the LCDI network will remain unaffected by any samples we choose to analyze. The Malware Team has its sights on a variety of malware – like spyware, keyloggers, worms, and trojans – and intends to document and report the effects they have on our virtual environment.
In order to ensure that we are safely obtaining our malware samples, we plan on using VirusTotal to retrieve most of them. VirusTotal is a free service for users as long as its use does not involve any commercial/business activity.
Within our Amazon Workspace we have a ThreatAnalyzer server set up. ThreatAnalyzer is a dynamic malware analysis sandbox that we plan to use to reveal the risks posed by the material we investigate. ThreatAnalyzer runs executable files and URLs in a monitored environment to identify targeted attacks, zero-day exploits and other complicated malware that isn’t always detected by traditional defense software. When we submit malware samples, ThreatAnalyzer will spot which system configurations on our network are vulnerable to them.
Unfortunately, we are currently unable to use ThreatAnalyzer until we install, configure, and deploy ThreatAnalyzer clients. To do this we need a hypervisor to install the client on. The malware needs to remain off of the LCDI’s network, so we attempted to install VMware Workstation within our Amazon Workspace and set it up that way, but we encountered errors. We are currently working with a network administrator to find another way to set up the hypervisor system and ThreatAnalyzer client. In the meantime, we plan to obtain samples of malware that we can perform static analysis on. We already have static analysis tools, such as CFF Explorer, installed on our Amazon Workspace that can be used for this.
Tools
This project takes several different approaches to malware analysis. The main method is the use of specific Linux and Windows virtual machines that can be used to study the behavior of the installed malware.
ThreatAnalyzer™
As mentioned above, ThreatAnalyzer is an easy-to-use sandbox tool designed to use multiple clients in order to increase the speed at which it conducts its analysis. The tool highlights which system components and configurations are targeted by the malware, which people working in malware defense can use to harden their networks and systems against what they have analyzed. ThreatAnalyzer runs in a GUI which we have assigned to a dedicated server to run our analysis from; this allows us to keep it separate from our working network. It is also compatible with VirusTotal, and has a fairly seamless method of linking the accounts, allowing the user to pull samples directly from VirusTotal into ThreatAnalyzer. Our main issue, as we alluded to in our introduction, is that we are unable to configure the clients we need to test malware within our AWS environment. This is due to an issue the AWS WorkSpace client has with the configuration of the clients, which involves the use of a rootkit to hide the running ThreatAnalyzer client from the malware. One option we have to move forward is to reinstall the ThreatAnalyzer service and disable the rootkit capabilities within the client’s configuration file.
REMnux
REMnux is a fairly new Linux distribution specifically designed for malware analysis operations. This distribution contains a collection of tools for analyzing malware even through complex obfuscation. From PDF parsers to XOR reversing tools, this kit has a broad set of what is required to reverse engineer software. It is built upon Ubuntu, making it lightweight and highly modular. It also allows for internet simulation and can create reports on the activity of malware running within the distro. In addition to basic security features, Linux makes it easy to duplicate and wipe the distro if needed without a lengthy re-installation process.
Features:
- Browser-based malware examination
- Malicious document analysis
- Extract and decode suspicious artifacts
- Manage laboratory network interactions
- Review multiple malware samples
- Examine properties and contents of suspicious files
- Investigate Linux and Windows malware
- Perform memory forensics
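Two of the static techniques mentioned above, recovering a single-byte XOR key (the job of REMnux-style XOR reversing tools) and reading the PE header fields that CFF Explorer displays, can be combined in a short script. The code below is an added example, not LCDI's, REMnux's or CFF Explorer's own code; the encoded sample it works on is constructed here and is not a real executable.

```python
"""Recover a one-byte XOR key by known-plaintext search, then read PE header fields."""
import struct

# Known plaintext present in nearly every PE file's DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes, marker: bytes = DOS_STUB):
    """Return the single-byte key whose decoding contains `marker`, else None."""
    for key in range(256):
        if marker in xor_decode(blob, key):
            return key
    return None


def parse_pe_header(data: bytes) -> dict:
    """Read the first fields an analyst checks: machine type, section count, link timestamp."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp}


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like buffer for the demo (headers only, not executable)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew -> 0x80
    hdr[0x40:0x40 + len(DOS_STUB)] = DOS_STUB                      # DOS stub text
    coff = b"PE\0\0" + struct.pack("<HHI", 0x8664, 3, 0x5F000000)  # AMD64, 3 sections
    return bytes(hdr) + coff


# Constructed "embedded payload": the fake PE masked with key 0x5A.
ENCODED_SAMPLE = xor_decode(build_fake_pe(), 0x5A)


def analyze(blob: bytes):
    """Unmask the blob and parse its header; None if no key reveals the DOS stub."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return {"key": key, "header": parse_pe_header(xor_decode(blob, key))}


if __name__ == "__main__":
    print(analyze(ENCODED_SAMPLE))
```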
HoneyDrive
HoneyDrive is a product from the Honeynet Project. The idea behind it was to create a Linux distribution with tools to analyze who and what is attacking a honeypot, without the hassle of having to build a server from the ground up. The VM comes pre-configured with several popular services and tools to analyze traffic and is built on the robust Xubuntu platform. Around 90 different forensic and monitoring software packages ship with the free distribution, as well as 10 pre-installed and configured honeypot software packages. This allows us to rapidly and repeatedly set up a honeypot server that has tools built in to disguise its nature as a VM and to present itself as a normal system would. This lets us see all traffic that potential attackers attempt against it.
Features:
- Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
- Distributed as a single OVA file, ready to be imported.
- Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
- Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
- Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
- Amun malware honeypot, plus helpful scripts.
- Glastopf web honeypot, along with Wordpot WordPress honeypot.
- Conpot SCADA/ICS honeypot.
- Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
- LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
- Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
- ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
- A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
- Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.
*Feature list from the official release site.
Looking Forward
Once we have fully configured our testing environment and circumvented our current issues with ThreatAnalyzer in our AWS environment, our next step will be to carefully choose which malware samples to test our system with. With the possibility of having to move away from our initial AWS solution, we will need to make a conscious decision on what to use for our first test. Ideally, we will find something that has a low potential impact but will also give us results that can verify our environment is functioning correctly.