Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In the previous session, we learned how to install a Windows XP virtual machine, VMware, and Kali. In this session, we'll learn more about the malware analysis tools used inside the virtual machine. These include Sysinternals, the MAP pack, 010 (a hex editor), PE viewers (such as CFF Explorer, PE Explorer, PEview, and PEStudio), IDA Pro, Cygwin, and Notepad++. Several tools are used for dynamic analysis: Capture BAT, RegShot, LordPE, Import REConstructor, OllyDbg 2.0, and many more, plus PEiD for static packer and signature detection. You will also learn about some limitations of VirtualBox (or VBox) and of Windows Vista and later. Additionally, you'll learn why it is worth taking a snapshot after every major update, service pack, and software version, so that you can later check whether a sample exploits a particular vulnerability. We will conclude with the different levels of automation possible in malware analysis. Platforms and products such as Xen, malware farms, Cuckoo Sandbox, FireEye, Joe Sandbox, ThreatGrid, VirusTotal, Anubis, and Hyper-V let you automate malware analysis. Although these tools help in capturing report data, signatures, and indicators, they cannot replace human malware analysts, and malware often detects and evades them. Finally, there are some good resources that will help you build expertise: Cuckoo Malware Analysis by Digit Oktavianto and Iqbal Muhardianto; Malware Analyst's Cookbook by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard; Gray Hat Python by Justin Seitz.

Video Transcription

00:04
So here are the tools we just copied into our virtual machine. The first is Sysinternals from Microsoft, made by Mark Russinovich. They're very useful. I think they're fantastic; they're amazing. The second is the MAP pack
00:19
by Dave Zimmer. We discussed some of these tools last time, and we installed them, and I showed you how to use all of them. I suggest 010, the hex editor, and some PE viewer like CFF Explorer, PE Explorer, PEview, or PEStudio. I just saw another one today that I didn't know of.
00:39
IDA Pro's free disassembler, at least the 5.0 version or five-point-something version. The 6.0 version is also free, but it will not let you save your analysis. If you upgrade to the pro version, the paid-for version, it will let you save it. And it's about $700. So there are free versions out there, but they're not nearly as good, as I said last time. Cygwin, with GCC and binutils, and it has its own version of Python built in, is something I suggest; it's a personal preference of mine.
01:15
Notepad++. Tools for our virtual machine for dynamic malware analysis: I would suggest these. Capture BAT is usually my first, my default. It just captures major system events. RegShot captures changes to the registry and can also be configured to watch for any file system changes.
01:34
PEiD is a static file analysis parser and signature scanner. It'll look for common packers and see if the malware is encrypted with something that we can easily find.
01:49
LordPE helps you dump something out of memory. So if you start executing something, a piece of malware, and it's just running as a regular program, you can just dump it straight to disk. And then you can use Import REConstructor to rebuild some of the structures that were lost when you dumped it to disk.
02:07
This is useful for malware that's packed, so if it unfolds or decrypts in memory, you just want that end result. You don't want to have to unpack it manually, although you can. It's a bit harder. OllyDbg is a very common debugger for reverse engineers. It's just very friendly, user-friendly comparatively, and has a lot of plugins, but we will cover that later in more advanced dynamic analysis, because it allows you to step through the instructions and execute them one by one.
02:46
So just a few notes about what we did before. Like I said, VirtualBox, or VBox, or Oracle VirtualBox, is open source. It's free and very useful. I find that it runs very fast but sometimes corrupts a little easier. There are some differences. Like I said, one of the reasons why I chose Windows XP
03:06
is because permissions are a lot easier to deal with, and a lot of malware targets Windows XP because it's still fairly common out in the wild.
03:15
But Windows Vista, 7, 8, and 10 have different permission architectures and different security architectures, and usually much better security. But a lot of malware will kind of mess up or fail, or just assume the wrong things.
03:34
So that's why I like working with Windows XP. But generally I have a Windows 7 computer on hand for more modern threats, rootkits, and 64-bit programs. You really need WinDbg. It is the debugger supplied by Windows. It is very powerful and very difficult to use. It's not user-friendly at all, but it helps you deal with it; it lets you get good at it. You will absolutely know what is going on within your operating system, within any program you want, and that includes the kernel, the core operating system. So you can really figure out what's going on in there,
04:14
even with Vista, 7, 8, and 10. You know, even when they have all the security precautions like the UAC prompt, User Account Control, ASLR, address space layout randomization, DEP, Data Execution Prevention, and so on. And as I said before, I took a snapshot after every major update, every month after every Patch Tuesday.
04:43
I've really never had to use that to verify that a vulnerability was being exploited by malware, but you might want to.
04:54
So I want to talk about the different levels of automation. You know, we just set up a local VM, and we just put some tools in there, and we can throw some malware in there and just start executing it and see what comes out, and we will do that in the next video, just coming right up.
05:13
But I do want to note that VMware can be scripted. There is an API, application programming interface, for VMware and for VirtualBox (VBox), and that's awesome. You can, you know, write a program to download some malware automatically, pop it in the virtual machine, set up some tools, and execute the malware. And then you can run some more programs to produce a report, and you can just go on and on and on, and these solutions already do exist. There are people who have automated things and scripted ESXi, which is the server
05:51
version, the hypervisor version, of VMware. Xen is another VM hosting hypervisor, and Hyper-V is Microsoft's version. Xen is open source.
06:05
There's Cuckoo Sandbox, which is built on VMware, or, excuse me, VirtualBox, and it does automated malware analysis. You can just upload malware to it; it has a little web interface, and it produces a nice report afterwards about what the program did.
06:26
You know, there are malware farms out there. And then there are websites that do this on a massive scale, like VirusTotal or Anubis or any others. And they go through thousands, tens of thousands of malware samples per minute,
06:42
and there are even commercial products like Joe Sandbox and ThreatGrid that do this, and there are even appliances like FireEye. They sell you a computer that sits on your network, and any program that gets downloaded over your network, FireEye will just grab out of the network, throw it in its proprietary virtual machines, execute it, and just immediately tell you if there's something dangerous about it.
07:06
So you may be thinking, okay, well, why am I even dealing with any of them, since there are already tools out there to do it for me?
07:15
Well, we go back to what I said before, which was you really need a human to analyze this stuff. Antivirus companies have been trying for years to develop algorithms, to develop software, to determine if something's malicious, and they have come up against a wall. They really cannot do it.
07:32
Part of being a malware analyst is being able to just look at something and get a good feeling for it. You get these uncanny feelings because you know what a normal program is supposed to look like, and you know what malware is supposed to look like. And every time you automate something, you assume something. So most sandboxes out there, like Joe Sandbox or ThreatGrid, will only run the malware for
07:59
five minutes. So a lot of malware has built-in timers to just wait longer than five minutes before it starts executing. It's a very simple defense mechanism.
08:09
Or, you know, a lot of malware out there will look to see if it's on a real machine or if it's running very slowly, because a lot of these systems, like VirusTotal or ThreatGrid, have thousands of virtual machines running on the same hardware, so of course they're going to run a bit slower. And so the malware thinks, okay, I'm running Windows 7, or I'm running XP; I should be on some relatively modern hardware. If I'm not executing fast enough, then I'm just going to die, because I'm probably in a virtual machine and someone's trying to analyze me. So
08:43
Cuckoo Sandbox and others are great for collecting indicators of compromise and just turning out reports and signatures. But it really doesn't help when it comes down to it, when you get some incident in your organization and your boss comes over and he's just like, "What is this?"
09:05
You can't pop it into Cuckoo and have it give you a good answer. You can't have FireEye give you a good answer. Those solutions are great generally,
09:15
but if something actually happens to you and you need to know what it is, you can't really rely on those solutions that say "generic threat" or "generic Trojan." Like, okay, now what? How much of a risk is it? How much of an impact will it have on our organization? How many resources do we put into this? Those appliances, those solutions, don't tell you that,
09:37
and since they've automated everything, they make really common mistakes. I've seen malware out there that checks to see if its file name is "sample" or if its file name is "malware," and if it is, it just dies. It doesn't execute, or it does something crazy: it just creates tons of random events. And so the log just turns out and says, oh, this thing created a thousand and one files, it beaconed out to google.com, it beaconed out to bing.com; maybe those are now malicious domains, and blah blah. And so it's really easy to just mess things up.
10:20
And one of those sandboxes made the mistake of saying, okay, I'm just going to rename all the malware samples to malware.exe and then execute it, or sample.exe, and then drop it in a VM and execute it. It's making an assumption, and the malware is taking advantage of that assumption. And that's really why a human is still needed to do all this, and I don't see that changing anytime soon. A human has the intelligence to just look at these things and know them, and computers and algorithms simply do not.
10:54
So, notes for the paranoid.
10:58
There have been vulnerabilities in VMware. I've never seen malware exploit any of them in the wild, but there have been proofs of concept where some malicious code could theoretically get out. There have been proofs of concept where malware will act differently if VMware Tools is installed in its environment.
11:26
I've heard about it a few times. I've never really seen it, and I think it's becoming less common because more and more people are working on workstations. So I think it's more common that malware chooses not to be all crazy when it's in a virtual machine, but instead to have other kinds of anti-analysis and other kinds of defenses built in that we'll go over in the future.
11:52
But some of them do, so that's why I recommend changing your MAC address, and that's why I recommend only running one or two virtual machines on your computer at a time, and maybe letting the malware out onto the Internet, not spoofing every IP address that you see, because I have seen some malware that will do an IP address check. So it'll go and check google.com and see what IP addresses come back, and if it's not any of the Google IP addresses that it knows about, it just will not work. It assumes that it can't get to the Internet. And if it can't get to the Internet, then it's useless, it says, so it doesn't need to run, and it's probably in a virtual machine anyway.
12:37
And if you're worried about your privacy being compromised by running malware, like if you got some malware from a sensitive source, you can run it through a VPN. That may or may not be a good idea, depending on your situation.
12:54
You know, I've seen malware that executes in the target environment only, and it does that by checking its IP address. It goes out to some service and says, okay, what is my IP address? Okay, I'm in the range of the company I'm attacking. Okay, good. But if you say, oh, I'm going to upload it to VirusTotal, or I'm going to upload it to Joe Sandbox, or whatever, and it does a check to see what IP address it's coming from, it says, oh, I'm coming from an IP address that's known to be from an antivirus company, or I'm coming from an IP address known to be from something other than my target company. It won't work right, and it will alert the attacker that something is going on, that someone is analyzing their malware. And so I suggest having, in your organization, your own dedicated environment that's routed straight to the Internet, or, you know, through proxies or something, so that you can simulate it kind of being in a real environment.
13:58
And use generic names for your user and for your computer, but not so generic as the user name being "user," or your malware always being the file called malware.exe, because I've seen malware that checks to see if the user name is "user" or "analysis machine" or "malware machine," and it won't work if it sees that.
14:24
So just a recap of what we did. We set up our malware analysis lab in here. In the next video, we're just going to start running some malware and seeing what we can do with it. You can do it all for free. And there are multiple levels of automation you can add to this. I suggest, for now, let's not do any automation. Let's just run some tools, let's see what we can get from our malware samples, and let's just have fun with it. That's really the best way to go.
14:50
But we are going to have to configure them and slightly tune them, and I'll show you that in the next video.
14:58
Some good resources, if you like this kind of stuff: there is a book out there, the Cuckoo Malware Analysis book, and there's the Malware Analyst's Cookbook and DVD. I highly suggest that. It's written by a very smart guy, or guys, and they contribute a lot of code to
15:20
malware analysts. A lot of it's really helpful, and it's in Python, if you like that. And when you start looking at the stuff, you're just like, oh wow, that's helpful. You know, this dumps all the function calls it's going to make. Oh, wow, this program will generate YARA signatures, or this program will automatically hash it and check VirusTotal, this part will do this. It's really easy to kind of get carried away with automating whatever setup you have.
15:48
And I would suggest you do your analysis, and then if you have a question about something, check the cookbook, see if they already have an answer for that, and occasionally read through what you could do with it. But it's important not to let your tools drive your analysis. Let your analysis drive your tools. If you think
16:12
there's a resource in your malware that you need to pull out, then look up a recipe for pulling out the resource, or do it however you can. Don't just make a giant script to do 90% of what could be done. I remember when I first started in this industry,
16:32
I read through a bunch of these books and I was just like, oh, I can do this and this and this, and I wrote five or six different scripts to dump the headers and dump the sections and show me the entropy of the sections, show me if there are any major differences between virtual size and size on disk and any interesting sections, and dump the process once it's in memory and see if it's injected into any other processes, and all this other stuff.
17:00
And I remember I got into this reversing group at my company, and there were really smart guys there watching me do this. I got a sample and was just like, oh, I have all these scripts, blah blah, and I went and ran all my scripts and was like, okay.
17:17
And they looked at me and were like, okay, now what? I was just like, I don't know. It's like, you don't know, because the question you were asked was, is this like PlugX? Is this Zeus? Whatever the question was, like, does this beacon out to this IP address? That was the question, and my tools didn't answer that. And to answer that question, all I had to do was execute it in a VM and see if it was doing anything, or execute it on a real machine and see if it was doing anything,
17:52
just in case it was VM-aware. That was the question I needed to answer. My scripts were driving my idea of what I should do. And that's not how we should do things. We should be thinking, okay, what is the information we need?
18:14
And usually the thing that your boss wants to know is what is the risk? What is the impact? Who sent this? Can we expect them again? How can we better defend ourselves? These questions we can answer with our analysis.
18:32
All right. Thank you for watching the video.
18:34
I'll see you next time.
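The lecture lists several tells that malware uses to decide whether it is being analyzed: a user or computer name like "user" or "analysis machine", a sample renamed to malware.exe or sample.exe, a VM-vendor MAC address, and a host that runs too slowly because it is oversubscribed. The script below is an added example, not code from the course or from any of the tools mentioned; it audits an analysis VM for those tells before a sample is detonated. The list of give-away names beyond the ones the lecture cites, the VMware/VirtualBox OUI prefixes, and the two-second benchmark threshold are assumptions, and the sample path used in the `__main__` block is constructed.

```python
"""Pre-detonation audit of an analysis VM.

Flags the give-aways the lecture says malware checks for before it decides
to run: analysis-looking user or computer names, sample file names such as
malware.exe, a NIC with a VMware/VirtualBox OUI, and a host that runs a
fixed CPU loop suspiciously slowly. Hypothetical helper, not course code.
"""
import getpass
import os
import platform
import re
import time
import uuid

# Names the lecture cites ("user", "analysis machine", "malware machine")
# plus a few common variants; the variants are an assumption.
GIVEAWAY_NAMES = {"user", "analysis", "analyst", "malware", "sandbox",
                  "sample", "virus", "test", "vm"}
# Sample names the lecture says sandboxes use and malware checks for.
GIVEAWAY_FILENAMES = {"malware", "sample", "virus", "specimen", "test"}
# Published IEEE OUI prefixes assigned to VMware and VirtualBox NICs (assumed list).
VM_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27"}


def _words(name):
    """Split 'Analysis-Machine' or 'malware_box1' into lowercase words."""
    return [w for w in re.split(r"[^a-z]+", name.lower()) if w]


def name_is_giveaway(name):
    """True if any word of a user or computer name is a known tell."""
    return any(w in GIVEAWAY_NAMES for w in _words(name))


def filename_is_giveaway(path):
    """True for sample names such as malware.exe or C:\\samples\\sample.bin."""
    stem = os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]
    return any(w in GIVEAWAY_FILENAMES for w in _words(stem))


def mac_is_vm(mac):
    """True if the 24-bit OUI of aa:bb:cc:dd:ee:ff (or aa-bb-cc-...) is a VM vendor's."""
    return mac.lower().replace("-", ":")[:8] in VM_OUIS


def local_mac():
    """MAC of the primary NIC as aa:bb:cc:dd:ee:ff (uuid.getnode falls back
    to a random value if it cannot read a hardware address)."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def cpu_benchmark_seconds(iterations=2_000_000):
    """Time a fixed CPU-bound loop; an oversubscribed sandbox host shows up
    as an unusually long wall-clock time, which is the check malware makes."""
    start = time.perf_counter()
    acc = 0
    for i in range(iterations):
        acc += i & 7
    return time.perf_counter() - start


def audit(user=None, host=None, sample_path=None, mac=None,
          bench_seconds=None, slow_threshold=2.0):
    """Return the list of tells found. Arguments default to live values,
    so the same function can be exercised with constructed inputs."""
    user = getpass.getuser() if user is None else user
    host = platform.node() if host is None else host
    mac = local_mac() if mac is None else mac
    bench_seconds = cpu_benchmark_seconds() if bench_seconds is None else bench_seconds

    findings = []
    if name_is_giveaway(user):
        findings.append(f"user name {user!r} looks like an analysis account")
    if name_is_giveaway(host):
        findings.append(f"computer name {host!r} looks like an analysis box")
    if sample_path and filename_is_giveaway(sample_path):
        findings.append(f"sample name {os.path.basename(sample_path)!r} is a known tell; rename it")
    if mac_is_vm(mac):
        findings.append(f"MAC {mac} carries a VMware/VirtualBox OUI; change it")
    if bench_seconds > slow_threshold:
        findings.append(f"CPU loop took {bench_seconds:.1f}s; host looks oversubscribed")
    return findings


if __name__ == "__main__":
    # Constructed example: a badly named sample on whatever machine runs this.
    problems = audit(sample_path=r"C:\samples\malware.exe")
    for line in problems:
        print("[!]", line)
    if not problems:
        print("no obvious tells found")
```

Run it inside the guest before dropping a sample in; every finding corresponds to one of the assumptions the lecture says malware exploits, so an empty list means the obvious checks will pass. The benchmark threshold is deliberately generous, since the point is to catch a host running thousands of VMs, not a slightly slow laptop.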

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables out of documents, how to recognize common malware tactics, and how to debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor