Using Cuckoo Sandbox to Write OSSEC Rootcheck Signatures

Report
Malware detection
with OSSEC
@santiagobassett
Setting up a malware lab
Collection
Analysis
Detection
@santiagobassett
MW collection techniques
Honeypots
Web spiders - honeyclients
Malware crawlers
@santiagobassett
Honeypot
Dionaea: Low interaction honeypot that
emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)
[email protected]:~$ nmap dionaea
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT
Nmap scan report for dionaea (54.235.216.XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT
STATE SERVICE
21/tcp
open ftp
42/tcp
open nameserver
80/tcp
open http
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
@santiagobassett
Honeypot results
• Captured 126 unique binaries in 3 months
• Highly detected by clamav (80%)
[email protected]:/opt/dionaea/var/dionaea/binaries# clamscan *
022aeb126d2d80e683f7f2a3ee920874: Trojan.Spy-78857 FOUND
05800e1eb163994359e4c946d4a0fecb: Backdoor.Floder-3 FOUND
06267149140c0bc9ba51222c165f2d61: Worm.Autorun-7683 FOUND
0682f3dfbdab7c040ac9307c50792d0a: Trojan.Buzus-9369 FOUND
----------- SCAN SUMMARY ----------074b815d9ded01b516a62e3b739caa10: Win.Trojan.Agent-372503 FOUND
Known viruses: 3517573
07fea379703307c5addc20e237cdd0f0: Win.Trojan.Jorik-1388 FOUND
Engine version: 0.98.1
09481313331ff5a8b8bfa4e25cbaa524: Worm.Autorun-7516 FOUND
Scanned directories: 0
0a9f1cd12f1b34ca71fa585e87e91c7d: OK
Scanned files: 126
0b4c4078231ee36731080858187a49b8: Win.Trojan.Injector-8166 FOUND
Infected files: 101
0feae931ee71a495614f14f3c1d37246: Trojan.Mybot-5073 FOUND
Data scanned: 17.65 MB
10ec7cb47314a2c08decb25e53fedcfa: Trojan.Injector-558 FOUND
Data read: 18.11 MB (ratio 0.97:1)
1205a52e42687c922aa4d3700d778398: Trojan.Kazy-1372 FOUND
Time: 56.447 sec (0 m 56 s)
12fb7332920a7797c2d02df29b57c640: Trojan.Spy-78857 FOUND
16b0357b804d9651d9057b61d78bee08: Win.Trojan.Agent-368816 FOUND
1a813b6ea08a47f2997e2e4215eba96b: WIN.Trojan.IRCBot-1225 FOUND
…
@santiagobassett
Honeyclient
Thug: Low interaction honeyclient, used to detect
drive-by-download attacks.
https://github.com/buffer/thug (Python)
Thug emulates:
• Core browser functionality
• ActiveX controls
• Browser plugins
@santiagobassett
Drive by download attack
http://urlquery.net/report.php?id=1410227505197
@santiagobassett
Honeyclient results
[email protected]:~/thug/src$ ./thug.py webgalleriet.no/
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/commentreply.js?ver=20090102 (Status: 200, Referrer: http://www.webgalleriet.no/)
[2014-09-11 22:58:31] [HTTP] URL: http://www.webgalleriet.no/wordpress/wp-includes/js/commentreply.js?ver=20090102 (Content-type: application/javascript, MD5: d484fa08997df765852c6ad283ec52c6)
[2014-09-11 22:58:31] <iframe align="center" frameborder="no" height="2" name="Twitter" scrolling="auto"
src="http://168bet.com/cocs.html?j=1095012" width="2"></iframe>
[2014-09-11 22:58:31] [iframe redirection] http://www.webgalleriet.no/ ->
http://168bet.com/cocs.html?j=1095012
[2014-09-11 22:58:31] [URL Classifier] URL: http://168bet.com/cocs.html?j=1095012 (Rule: Redkit 1,
Classification: Landing page, Exploit Kit)
@santiagobassett
Malware crawlers
Retrieve files using malware tracking sites.
https://github.com/technoskald/maltrieve (Python)
https://code.google.com/p/malware-crawler/ (Python)
http://malc0de.com/rss
http://www.malwareblacklist.com/mbl.xml
http://www.malwaredomainlist.com/hostslist/mdl.xml
http://vxvault.siri-urz.net/URL_List.php
http://urlquery.net/
http://support.clean-mx.de/clean-mx/xmlviruses.php
@santiagobassett
Malware tracking site
Malware crawlers results
• Captured 345 unique binaries in 15 minutes
• Poorly detected by clamav (16%)
[email protected]:~/binaries/maltrieve$
clamscan *
02d36dff08b63b123d2d2a36089e3d97: OK
03a6ac145099cf77bf5c7af127696687: OK
03e49fb415aacf9d2c90821ff0596024: OK
0568a72d4c5a2eb510207ca45b8d8799: OK
06ddb91e1d5f056590dfeef71a2da264: JS.Iframe-2
FOUND
074fbceca8fe84bae582a7a114b2ce94: HTML.Iframe-63
FOUND
0889504acc370f2adec7869b9bc5bc5c: OK
08d53833d032d71c1e7ffd3cddcd2a5e: JS.Iframe-2
FOUND
0ac790c459a0ef9bb4959321918a2d57: OK
0cc1c5c2ef510bd9f587abbc402d04a3: OK
0e3c692048a35c06ffe81a473ffd1d41: OK
136264a09b94bf8f08278b0045a84905: OK
13e78b2bab4a0ae9a3c2003d3f004dd1: JS.Obfus-31
FOUND
----------- SCAN SUMMARY ---------Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
@santiagobassett
Malware database - Viper
Binary analysis and management framework.
https://github.com/botherder/viper (Python)
@santiagobassett
Static Analysis - Yara
Flexible, human-readable rules for identifying
malicious streams.
private rule APT1_RARSilent_EXE_PDF {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
Can be used to analyze:
• files
• memory (volatility)
• network streams.
strings:
$winrar1
$winrar2
script commands"
$winrar3
= "WINRAR.SFX" wide ascii
= ";The comment below contains SFX
wide ascii
= "Silent=1" wide ascii
$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
$str2 = "Steup=\"" wide ascii
condition:
all of ($winrar*) and 1 of ($str*)
}
@santiagobassett
Static Analysis - Yara
rule APT1_WEBC2_TABLE
{
meta:
viper > find name 3f2fda43121d888428b66717b984a7fb
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
+---+----------------------------------+-----------------------+----------------------------------+------+
| # | Name
| Mime
| MD5
| Tags |
strings:
+---+----------------------------------+-----------------------+----------------------------------+------+
$msg1 = "Fail To Execute The
| 1 | 3F2FDA43121D888428B66717B984A7FB | application/x-dosexec | 3f2fda43121d888428b66717b984a7fb
| apt |
Command" wide ascii
$msg2 = "Execute The Command
+---+----------------------------------+-----------------------+----------------------------------+------+
Successfully" wide ascii
viper > open -l 1
$gif1 = /\w+\.gif/
[*] Session opened on
$gif2 = "GIF89" wide ascii
/home/santiago/viper/binaries/6/a/f/2/6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e
condition:
3 of them
viper 3F2FDA43121D888428B66717B984A7FB > yara scan
}
[*] Scanning 3F2FDA43121D888428B66717B984A7FB
(6af2116c4b59c69917e0e25efe4530a127830e2ed383ea91e0eebfa1cae4b78e)
viper 3F2FDA43121D888428B66717B984A7FB >
+------------------+--------+--------+----------------------------------+
yara rules
| Rule
| String | Offset | Content
|
+----+-----------------------------------+
+------------------+--------+--------+----------------------------------+
| # | Path
|
| APT1_WEBC2_TABLE | $msg1 | 440032 | Fail To Execute The Command
|
+----+-----------------------------------+
| 1 | data/yara/hangover.yara
|
| APT1_WEBC2_TABLE | $msg2 | 440060 | Execute The Command Successfully |
| 2 | data/yara/citizenlab.yara
|
| APT1_WEBC2_TABLE | $gif1 | 440100 | sdwefa.gif
|
| 3 | data/yara/APT_NGO_wuaclt_PDF.yara |
| APT1_WEBC2_TABLE | $gif1 | 440101 | dwefa.gif
|
| 4 | data/yara/kins.yara
|
| APT1_WEBC2_TABLE | $gif1 | 440102 | wefa.gif
|
| 5 | data/yara/themask.yara
|
| 6 | data/yara/vmdetect.yara
|
| APT1_WEBC2_TABLE | $gif1 | 440103 | efa.gif
|
| 7 | data/yara/index.yara
|
| APT1_WEBC2_TABLE | $gif1 | 440104 | fa.gif
|
| 8 | data/yara/GeorBotBinary.yara
|
| APT1_WEBC2_TABLE | $gif1 | 440105 | a.gif
|
| 9 | data/yara/leverage.yar
|
| APT1_WEBC2_TABLE | $gif2 | 440112 | GIF89
|
| 10 | data/yara/apt1.yara
|
| 11 | data/yara/GeorBotMemory.yara
|
+------------------+--------+--------+----------------------------------+
| 12 | data/yara/rats.yara
|
| 13 | data/yara/embedded.yara
|
| 14 | data/yara/urausy_skypedat.yar
|
| 15 | data/yara/fpu.yara
|
+----+-----------------------------------+
@santiagobassett
Static Analysis – Trojan Dropper
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe sections
[*] PE Sections:
+--------+---------+-------------+-------------+---------------+
viper 0A37D49E798F50C8F1010D5CFDE0E851 > virustotal
| Name
| RVA
| VirtualSize | RawDataSize | Entropy
|
[*] VirusTotal Report:
+--------+---------+-------------+-------------+---------------+
+----------------------+---------------------------------------------+
| .text | 0x1000 | 0xbe8f
| 49152
| 6.52204488284 |
| Antivirus
| Signature
|
| .rdata | 0xd000 | 0x1855
| 6656
| 5.17849300065 |
+----------------------+---------------------------------------------| .data | 0xf000 | 0x19cb8
| 512
| 1.31023024266 |
+
| nProtect
| Trojan.Downloader.JKVR
| .CRT
| 0x29000 | 0x10
| 512
| 0.21310128451 |
|
| McAfee
| Artemis!0A37D49E798F
| .rsrc | 0x2a000 | 0x7fd8
| 32768
| 5.79943302325 |
|
+--------+---------+-------------+-------------+---------------+
| K7GW
| Trojan-Downloader
|
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe imports
| NANO-Antivirus
| Trojan.Win32.Agent.hbmsz
|
...
| Symantec
| Downloader
[*] DLL: ADVAPI32.dll
|
| TotalDefense
| Win32/FakeDoc_i
- 0x40d000: RegCloseKey
|
|
TrendMicro-HouseCall
| TROJ_DLOADER.VTG
- 0x40d004: RegOpenKeyExA
|
- 0x40d008: RegQueryValueExA
| Avast
| Win32:Trojan-gen
|
- 0x40d00c: RegCreateKeyExA
| ClamAV
| Trojan.Downloader-83571
|
- 0x40d010: RegSetValueExA
| Kaspersky
| Trojan-Downloader.Win32.Agent.thb
...
|
| BitDefender
| Trojan.Downloader.JKVR
viper 0A37D49E798F50C8F1010D5CFDE0E851 > pe compiletime
|
|
Agnitum
|
Trojan.DL.Agent!virRS0ijj7k
[*] Compile Time: 2010-03-14 23:27:58
|
viper 0A37D49E798F50C8F1010D5CFDE0E851 > yara scan
| Emsisoft
| Trojan.Downloader.JKVR (B)
|
[*] Scanning 0A37D49E798F50C8F1010D5CFDE0E851
| Comodo
| TrojWare.Win32.TrojanDownloader.Agent.thb_30
(dbf0436908c9d900e69ea2a108f08061786d299b511265b78620a4401361084b) |
| F-Secure
| Trojan.Downloader.JKVR
viper 0A37D49E798F50C8F1010D5CFDE0E851 > fuzzy
|
| TrendMicro
| TROJ_DLOADER.VTG
[*] 1 relevant matches found
|
|
McAfee-GW-Edition
| Artemis!0A37D49E798F
+-------+----------------------------------+------------------------------------------------------------------+
|
| Score | Name
| SHA256
|
| Sophos
| Troj/DwnLdr-IYR
|
+-------+----------------------------------+------------------------------------------------------------------+
| Jiangmin
| TrojanDownloader.Agent.boly
|
| 68%
| 003EE3D21DF82975337AE976F8BA67CC | 2803fba5fbe908f6151597c2a387caef8f00a5f0f194bfc6b4d9f89026d53621
|
| Antiy-AVL
| Trojan/Win32.Agent.gen
+-------+----------------------------------+------------------------------------------------------------------+
|
| Microsoft
|
| Commtouch
|
| AhnLab-V3
@santiagobassett
| TrojanDownloader:Win32/Pingbed.A
| W32/Downloader.NIHT-8726
| Dropper/Malware.101512
Fuzzy hash match info
@santiagobassett
Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in
virtual machines to study their behavior.
•
•
•
•
Traces Win32 API calls
Files created, deleted and downloaded
Memory dumps of malicious processes
Network traffic pcaps
Integrated with yara, virustotal and volatility among
other tools. Supports Virtualbox KVM and Vmware.
@santiagobassett
Dynamic Analysis – Trojan Dropper
@santiagobassett
Behavioral Analysis – Filesystem
@santiagobassett
Behavioral Analysis - Filesystem
@santiagobassett
Behavioral Analysis – Network
@santiagobassett
Behavioral Analysis – Network
@santiagobassett
Behavioral Analysis - Network
[email protected]:~/Cuckoo/cuckoo/storage/analyses/34$ sudo tcpdump -s 0 -XX -AA -nn -r
4 63.233.155.6
reading from file dump.pcap, link-type EN10MB (Ethernet)
23:32:20.655808 IP 8.8.8.8.53 > 192.168.56.103.63943: 53551 1/0/0 A 63.233.155.6 (50)
0x0000: 0800 2723 f165 0a00 2700 0000 0800 4500 ..'#.e..'.....E.
0x0010: 004e eca8 0000 2d11 97d7 0808 0808 c0a8 .N....-.........
0x0020: 3867 0035 f9c7 003a ef52 d12f 8180 0001 8g.5...:.R./....
0x0030: 0001 0000 0000 0377 7777 0867 6172 7968 .......www.garyh
-23:32:20.662766 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815,
[mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10ab 4000 8006 161a c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
-23:32:23.663174 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815,
[mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0034 10c2 4000 8006 1603 c0a8 3867 3fe9 .4..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 8002 .....P..<.......
0x0030: 2000 e231 0000 0204 05b4 0103 0302 0101 ...1............
-23:32:29.661778 IP 192.168.56.103.49166 > 63.233.155.6.80: Flags [S], seq 2615622815,
[mss 1460,nop,nop,sackOK], length 0
0x0000: 0a00 2700 0000 0800 2723 f165 0800 4500 ..'.....'#.e..E.
0x0010: 0030 10dc 4000 8006 15ed c0a8 3867 3fe9 .0..@.......8g?.
0x0020: 9b06 c00e 0050 9be7 3c9f 0000 0000 7002 .....P..<.....p.
0x0030: 2000 f63a 0000 0204 05b4 0101 0402
...:..........
dump.pcap | grep -A
win 8192, options
win 8192, options
win 8192, options
@santiagobassett
Behavioral Analysis – Registry
@santiagobassett
Memory Analysis - Volatility
[email protected]:~/Cuckoo/cuckoo/storage/analyses/34$
Volatility Foundation Volatility Framework 2.4
Offset(P) Name
PID pslist psscan
---------- -------------------- ------ ------ -----0x7b6fa500 audiodg.exe
960 True
False
0x7b7afd40 sppsvc.exe
1780 True
False
0x779fb808 svchost.exe
724 True
False
0x7b7be710 svchost.exe
1892 True
False
0x7c4ea7d8 VBoxService.ex
624 True
False
0x7b6f4030 svchost.exe
900 True
False
0x7b7bb618 svchost.exe
3376 True
False
0x7cd99a58 AcroRD32.exe
3080 True
False
0x7b4fa030 SearchIndexer.
360 True
False
0x7b94a858 taskhost.exe
2920 True
False
…
vol.py psxview --profile=Win7SP1x86 -f memory.dmp
thrdproc
-------True
True
True
True
True
True
True
True
True
True
pspcid
-----True
True
True
True
True
True
True
True
True
True
csrss
----True
True
True
True
True
True
True
True
True
True
[email protected]:~$ strings
session
deskthrd
3080.dmp
| grep -i garyhart
-------------www.garyhart.com
True w.garyhart.com
True
True w.garyhart.com
True
w.garyhart.com
True www.garyhart.com
True
True st:True
www.garyhart.com
True w.garyhart.com
True
True tp://www.garyhart.com/nfuse.htm
True
tp://www.garyhart.com/nfuse.htm
True tp://www.garyhart.com/nfuse.htm
True
True tp://www.garyhart.com/nfuse.htm
True
tp://www.garyhart.com/nfuse.htm
True
True
True tp://www.garyhart.com/nfuse.htm
True
www.garyhart.com
http://www.garyhart.com/nfuse.htm
[email protected]:~/Cuckoo/cuckoo/storage/analyses/34$ vol.py memdump --profile=Win7SP1x86 -f memory.dmp -D
./ -p 3080
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing AcroRD32.exe [ 3080] to 3080.dmp
@santiagobassett
Memory Analysis - Yara
[email protected]:~/Cuckoo/cuckoo/storage/analyses/34$ yara /home/santiago/viper/data/yara/apt1.yara 3080.dmp
APT1_WEBC2_UGX 3080.dmp
rule APT1_WEBC2_UGX
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1”
strings:
$persis =
"SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"
wide ascii
$exe = "DefWatch.exe" wide ascii
$html = "index1.html" wide ascii
$cmd1 = "!@#tiuq#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii
condition:
3 of them
}
@santiagobassett
OSSEC - Rootcheck
Used for rootkits and malware detection. It can be
used to:
• Look for suspicious files.
• Inspect files and registry keys for common
rootkits/malware entries.
• Look for hidden processes and network ports.
@santiagobassett
OSSEC – Rule for Trojan Dropper
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000
\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread
-> r:AcroRD32.exe;
p:r:AcroRD32.exe;
/var/ossec/etc/shared/win_malware_rcl.txt
@santiagobassett
OSSEC – Alert for Trojan Dropper
alienvault:/var/ossec/bin# ./rootcheck_control -L -i 001
Policy and auditing events for agent 'Windows7 (001) 172.16.126.134':
Resolved events:
** No entries found.
Last scan: 2014 Sep 12 18:54:24
Windows Audit: Null sessions allowed.
Windows Malware: Trojan Dropper.
File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe.
Reference: 0A37D49E798F50C8F1010D5CFDE0E851 .
@santiagobassett
Demo – Alert for Trojan Dropper
@santiagobassett
Future Work
• Use/create Cuckoo signatures to identify different
malware patterns (droppers, downloaders, trojans,
rootkits, …)
• Create Cuckoo reporting module to report (JSON)
on those patterns that OSSEC can detect.
• Python tool to parse module output and generate
rootcheck rules.
• Add/improve OSSEC malware detection capabilities.
@santiagobassett
Thank you!
[email protected]
@santiagobassett

similar documents