CS6262_P3_writeup_Spring2020

Project 3: Malware Analysis
CS 6262

Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware

Scenario
• Analyzing Windows Malware
  • You got a malware sample from the wild. Your task is to discover what the malware does by analyzing it.
  • How do you discover the malware's behaviors?
    • Static Analysis
      • Manual Reverse Engineering
      • Programmatic binary analysis
    • Dynamic Analysis
      • Network behavioral tracing
      • Run-time system behavioral tracing (File/Process/Thread/Registry)
    • Symbolic Execution
    • Fuzzing

Scenario
• In our scenario, you are going to analyze the given malware with tools that we provide.
• These tools help you analyze the malware with static and dynamic analysis.
• Objective
  1. Find which server controls the malware (the command and control (C2) server)
  2. Discover how the malware communicates with the command and control (C2) server
     • URL and Payload
  3. Discover what activities are done by the Linux malware
     • Attack activities

Scenario
• Requirement
  • Make sure that no malware traffic goes out from the virtual machine
    • But updating the malware (stage 2) and downloading the Linux malware (stage 3) must be allowed for us to understand the malware's behavior
  • The command and control server is dead. You need to reconstruct it
    • Use tools to reconstruct the server, then reveal hidden behaviors of the malware
  • Analyze network traffic on the host, and figure out the list of available commands for the malware
  • Analyze the network traffic trace of the host, and figure out what the malware does
  • Write down your answers in assignment-questionnaire.txt

Project Structure
• A Virtual Machine for malware analysis
  • Please install/update to the latest version of VirtualBox.
    • https://www.virtualbox.org/wiki/Downloads
  • Download the VM
    • Download the project VM from one of the following links
      • https://b.gatech.edu/37gIH4o
    • Unarchive the file with 7zip; the password is cs6262
    • MD5 Hash: 07f0248a5e78e8cfdd29176bb8b12b95

Project Structure
• Network Configurations
  (Diagram: the Ubuntu host runs the analysis tools, fake servers, C2 server and fake targets; the Windows (QEMU) malware guest sits on tap0 (NIC), bridged through br0 (NIC); enp0s3 (NIC) faces the Internet behind iptables (firewall).)

Project Structure
• Network Configurations
  • tap0
    • Virtual network interface for Windows XP
    • IP Address: 192.168.133.101
  • br0
    • A network bridge between Windows XP and Ubuntu
    • IP Address: 192.168.133.1
  • enp0s3
    • A network interface that faces the Internet
    • IP Address: 10.0.2.15 (it varies with your VirtualBox settings)

Project Structure
• Open VirtualBox
  • Go to File->Import Appliance.
  • Select the ova file and import it.
  • For detailed information on how to import the VM, see:
    • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
  • Username: analysis
  • Password: analysis

Project Structure
• In the Virtual Machine (VM)
  • Files
    • init.py
      • This initializes the project environment
      • Type your Georgia Tech username (your Canvas login name) after running this
      • e.g. $ ./init.py
    • update.sh
      • This script updates the VM if any further update has been made by TAs
      • Please run this script when you start the project! (If it says that you're already updated when you run it, that's fine)
      • If you have already completed stage 1 before running update.sh, you do NOT need to redo stage 1, but you will need to run update.sh to complete stage 2
    • archive.sh
      • This will archive the answer sheet for submission (create a zip file)

Project Structure
• In the Virtual Machine (VM)
  • Directories
    • vm
      • A directory that stores the Windows XP virtual machine (runs with QEMU)
      • We use the given VM for both Cuckoo and a testbed. Please see page 19.
    • shared
      • A shared directory between the Ubuntu host and the Windows guest (XP is running on a VM within your project VM). You can copy/move files to or from this directory.
      • Please see page 22.
    • report
      • The answer sheet for the project questionnaire.
    • setup
      • Required files for setting up the machine. You don't need to modify or use the files in this directory.

Project Structure
• In the Virtual Machine (VM)
  • Directories
    • tools
      • network
        • Configure your network firewall rules (iptables) by editing iptables-rules.
        • You can allow/disallow/redirect the traffic from the malware
        • The './reset' command in this directory will apply the changes
      • cfg-generation (CFG stands for Control-Flow Graph)
        • An analysis tool that helps you find interesting functions of malicious activity
        • You need to edit score.h to generate the control-flow graph
        • Use xdot to open the generated CFG.
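The containment requirement (no malware traffic leaves the VM except the stage 2 and stage 3 downloads) can be verified from the firewall's own log rather than assumed. The following Python is an added example, not part of the course VM or its tools: it parses iptables LOG lines from the Ubuntu host and flags any flow from the XP guest on tap0 (192.168.133.101) that would leave via enp0s3 to anything other than the download host. The log lines, the MALWARE log prefix and the download host 203.0.113.10 are constructed placeholders.

```python
import re
from collections import Counter

# Constructed, abbreviated iptables LOG lines, the kind /var/log/kern.log holds
# on the Ubuntu host when the firewall rules log with a prefix. Addresses
# outside the project's 192.168.133.x / 10.0.2.x ranges are placeholders.
SAMPLE_LOG = """\
kernel: [101.1] MALWARE: IN=br0 PHYSIN=tap0 OUT=enp0s3 SRC=192.168.133.101 DST=203.0.113.10 PROTO=TCP SPT=1041 DPT=80
kernel: [101.2] MALWARE: IN=br0 PHYSIN=tap0 OUT=enp0s3 SRC=192.168.133.101 DST=198.51.100.7 PROTO=TCP SPT=1042 DPT=6667
kernel: [101.3] MALWARE: IN=br0 PHYSIN=tap0 OUT= SRC=192.168.133.101 DST=192.168.133.1 PROTO=TCP SPT=1043 DPT=80
kernel: [101.4] MALWARE: IN=br0 PHYSIN=tap0 OUT=enp0s3 SRC=192.168.133.101 DST=198.51.100.9 PROTO=UDP SPT=1044 DPT=53
kernel: [101.5] MALWARE: IN=enp0s3 OUT= SRC=10.0.2.2 DST=10.0.2.15 PROTO=TCP SPT=443 DPT=50012
"""

MALWARE_IP = "192.168.133.101"    # tap0: the Windows XP guest running the sample
FAKE_SERVER_IP = "192.168.133.1"  # br0: where the fake C2 and fake targets answer
# Assumed placeholder for the host serving the stage 2 / stage 3 downloads,
# the only egress the requirement above permits.
ALLOWED_EGRESS = {("203.0.113.10", "TCP", 80)}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify(f):
    """Label one flow: 'ignored', 'contained', 'allowed-egress' or 'leak'."""
    if f.get("SRC") != MALWARE_IP:
        return "ignored"             # not from the malware guest
    if f.get("OUT", "") == "" and f.get("DST") == FAKE_SERVER_IP:
        return "contained"           # stays on br0, answered by the fake servers
    key = (f.get("DST"), f.get("PROTO"), int(f.get("DPT", 0)))
    if f.get("OUT") == "enp0s3" and key in ALLOWED_EGRESS:
        return "allowed-egress"      # stage 2 / stage 3 download
    return "leak"                    # would reach the Internet: fix iptables-rules

def audit(log_text):
    """Count each verdict and list the (DST, PROTO, DPT) tuples that leaked."""
    counts, leaks = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        verdict = classify(f)
        counts[verdict] += 1
        if verdict == "leak":
            leaks.append((f["DST"], f["PROTO"], int(f["DPT"])))
    return counts, leaks
```

Run audit(SAMPLE_LOG) over the real log after a malware run; a non-empty leak list means iptables-rules needs a tighter drop or redirect-to-br0 rule before the sample is executed again.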
Project Structure
• In the Virtual Machine (VM)
  • Directories
    • tools
      • sym-exec
        • A symbolic executor (based on angr: https://github.com/angr)
        • Helps you figure out the commands the malware expects
        • Use the cfg-generation tool to figure out the address of the function of interest
      • c2-command
        • A simplified tool for C2 server reconstruction
        • You can write down each command as a line in the *.txt file
        • It will randomly choose one command at a time to send to the malware

Project Structure
• Malware
  • stage1.exe – stage 1 malware
    • It will download the stage 2 malware if this malware receives the correct command
  • stage2.exe – stage 2 malware
    • It will download the stage 3 malware if this malware receives the correct command
  • payload.exe – the Linux malware attack payload
    • Analyze the dynamic instruction trace
    • Write a script to detect where the C&C communication happens – find the loop entry point and the function sequence in the loop
    • Add a constraint to the symbolic execution to limit the loop to one iteration
    • Find the feasible attacks within the given set of possible attacks.

Questionnaire
• 1) To get credit for the project, you have to answer the questionnaire, found at ~/report/assignment-questionnaire.txt !!!!!
• 2) Please strictly follow the format or the example answer for each question in assignment-questionnaire.txt. TAs use an autograder for your submission.
• Windows Part
  • Read ~/report/assignment-questionnaire.txt
  • Carefully read the questions, and answer them in ~/report/assignment-questionnaire.txt
  • For each stage, there are 4-6 questions regarding the behavior of the malware.
• Android Part
  • READ ~/Android/MaliciousMessenger/writeup.pdf
  • Carefully read the writeup, and answer in ~/report/assignment-questionnaire.txt

Submitting Questionnaire
• Required files
  • Zip the following files and upload to Canvas
    • Running ~/archive.sh will automatically zip all of the files
    • ~/report/assignment-questionnaire.txt
    • stage1.exe, stage2.exe, payload.exe (Linux malware)
    • ~/tools/network/iptables_rules
    • ~/tools/cfg-generation/score.h
  • Running ~/archive.sh will create report.zip automatically
  • Please check the content of your zip file before submitting it to Canvas

Tutorial (for stage1.exe malware)
• Update project 3 before you begin.
  • Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
  • Run ./update.sh
  • It will update any necessary files that are required for this project.

Tutorial (for stage1.exe malware)
• Initializing the project
  • Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
  • Run ./init.py
  • Type your Georgia Tech username (the login name used for Canvas)
  • This will download the stage1 malware (stage1.exe) into the ~/shared directory

Tutorial (for stage1.exe malware)
• Special NOTE
  • These are malware samples hosted under the Georgia Tech network
  • It is likely that security measures will kick in and encrypt these files
  • That is, all the malware samples you will be downloading during this project
• IMPORTANT
  • After each download, make sure to check the type of file.
  • In the Linux VM, execute
    • $ file
  • If the result of that is an archive of some sort, then execute:
    • unzip
    • Password: infected

Tutorial (for stage1.exe malware)
• Special NOTE
  • For stage1 and stage2, the file format should be
  • For stage3, the file format should be

Tutorial – Secure Experiment Environment
• We need a secure experiment environment to execute the malware.
• Why?
  • An insecure analysis environment could damage your system
  • You may not want:
    • Encrypting your files during a ransomware analysis
    • Infecting machines in your corporate network during a worm analysis
    • Creating a ton of infected bot clients in your network during a bot/trojan analysis
• The solution:
  • Contain the malware in a virtual environment
    • Virtual Machine
    • Virtual Network
    • Conservative rules (allow network traffic only if it is secure)
  • We provide a Win XP VM as a testbed!

Tutorial – Run Win XP VM
• Run the Windows XP Virtual Machine with virt-manager
  • Open a terminal
  • Type "virt-manager" and double click "winxpsp3"
  • Click the icon with the two monitors and click on "basecamp"
• Run the Windows XP Virtual Machine with virt-manager
  • Right click on basecamp, and click "Start snapshot." Click Yes if prompted.
  • Once virt-manager successfully calls the snapshot, click Show the graphical console.
  • Click on the Windows Start Menu and Turn off Computer.
  • Then select Restart

Tutorial – Run Win XP VM
• DO NOT MODIFY OR DELETE THE GIVEN SNAPSHOTS!
  • The given snapshots are your backups for your analysis.
  • If something bad happens on your testbed, always revert back to the basecamp snapshot.

Tutorial – Run Win XP VM
(screenshot only)

Tutorial – Copy from Shared Directory
• Go to the shared directory by clicking its icon (in Windows XP)
• Copy stage1.exe onto the Desktop
• If you execute it in the shared directory, an error message will pop up. Please copy the file to the Desktop.

Tutorial – Run the malware!
• Now we will run the malware
  • Execute stage1.exe (double click the icon)
  • It will say "Executing Stage 1 Malware". Then, click OK.
  • You should click OK on each dialog to dismiss it
    • Otherwise, malware execution will be blocked

Tutorial – Run the malware!
• If you want to halt the malware that is running...
  • Execute stop_malware in the temp directory.
  • This will stop the currently running malware.
  • Please halt first before you execute another malware file.

Tutorial – Network behavioral analysis
• To analyze
Feb 16, 2021