
Intrusion detection and malware analysis

SephStorm Member Posts: 1,731 ■■■■■■■□□□
Want to make an environment where I can test intrusion detection and to a small extent malware analysis. Does anyone have suggestions for software? Specifically I need to know how to detect when a piece of software is doing something malicious, also, if possible, I need some tutorials that can get me started in this area, it seems like you have to have some knowledge of what executables are supposed to be doing, i.e. what registry changes are normal, and what is abnormal.

FYI, I am aware of Tripwire, can someone tell me, is it free? Is there a free Windows version? I feel I will be doing mostly Windows analysis as my environment is Windows based at work, I'd like to spend my time focusing on that.

Comments

  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I haven't spent much time on it, but perhaps OSSEC?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Seems too complex for a basic deployment, server/client, that kind of thing, I'd like to avoid that as much as possible. What about Sysinternals?
  • SecurityThroughObscurity Member Posts: 212 ■■■□□□□□□□
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I think I misread what you were trying to do. Sysinternals has a lot of good tools like Process Explorer (which now has a VirusTotal integration), Process Monitor, etc. Mandiant's Redline is also supposed to be pretty good although I really haven't played with it much. I've also used RegShot for registry snapshots. There are some others that I can't remember at the moment.

    The Volatility Framework in SecurityThroughObscurity's YouTube video link is probably worth checking out. I'm not a malware-analysis guy so understanding memory structure, debugging code, etc. is beyond me. Hopefully SANS FOR508 will eventually get me introduced to this area a bit more.
  • 5ekurity Member Posts: 346 ■■■□□□□□□□
    Two part answer:

    Detecting good vs bad "stuff" - You'll need a baseline understanding of how malware analysis tools work; Volatility and Redline are a good place to start. You can look into some online scanners too, like Cuckoo Sandbox (Malwr) and Anubis.

    Regarding an IDS - Try running Security Onion with Snort for a NIDS.

    IMO, anything involving true malware analysis and reversing is highly specialized. I dabbled with it on/off for a few weeks and I found that the learning curve is rather steep.

    Harlan Carvey has some great books on forensics and investigations which can be helpful too. http://www.amazon.com/Harlan-A.-Carvey/e/B001JPCIY6
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    SephStorm wrote: »
    Specifically I need to know how to detect when a piece of software is doing something malicious

    My recommendation for right now is to start a honeypot OS, compromise it, and watch what happens - ultimately any major changes and/or network connections to unknown hosts at that point should be considered malicious until analysis proves otherwise. From there, you can begin to understand some of the basic things common malware families utilize to call home, hide their presence, evade detection, etc. Long term, you're going to want to learn the Windows operating system in-depth. It's one of the reasons I want to take SANS SEC408 so badly. FYI: if you want, I can provide you with a couple of compromised domains which are serving malware - I find getting the environment owned naturally in the wild is a much better representation than downloading samples from malware libraries. It provides more context in my opinion.
    SephStorm wrote: »
    FYI, I am aware of tripwire, can someone tell me is it free? Is there a free windows version?

    I feel like to use Tripwire properly, you'd need to know what you don't know, which is how/where to monitor. I don't think using it indiscriminately would be beneficial for you right now.

    Some suggestions on tools:

    - Microsoft Sysinternals Suite: An excellent suite of tools to see under the hood of the OS. Specifically 'Process Monitor', which does a good job of showing you what Task Manager will not.
    - RegShot: Compare the registry before and after infection.
    - Volatility: Memory forensics.
    - Fiddler HTTP Proxy: I use this when I compromise my VM via drive-by download, so I can see the interaction with the browser and grab copies of the malicious scripts.
    - Wireshark: Watch the wire. Because of the natural shiftiness of malware, I prefer to monitor network traffic outside of the compromised host. Right now I have a Raspberry Pi attached to a SPAN port on my switch, listening with tcpdump and collecting full pcap. But generally speaking Wireshark will give you what you want as well.

    After that I would start suggesting code analysis tools, but I'm not at a level where I can confidently speak about that. And it sounds like you're more interested in the OS/Network level in terms of detection right now anyway, not the code of the malware itself.
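    The "compare before and after infection" idea behind RegShot and Tripwire, and the "major changes should be considered malicious until proven otherwise" approach from the post above, boil down to taking a baseline snapshot, letting the sample run, taking a second snapshot and diffing the two. The script below is an added example written for this thread, not a tool anyone in it posted: it snapshots a file tree (path, size, SHA-256), optionally one registry key on Windows via the standard-library `winreg` module, and reports added, removed and modified entries. The `demo()` scenario builds a throwaway directory and simulates a dropper's changes; the directory layout and file names in it are constructed, and the registry key shown in the comment is only a suggested starting point.

```python
"""Baseline-and-diff snapshotting in the spirit of RegShot / Tripwire (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

try:
    import winreg  # Windows only; absent elsewhere
except ImportError:  # pragma: no cover
    winreg = None


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot_tree(root) -> dict:
    """Map each regular file under root (as a relative POSIX path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and special files; only content changes matter here
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, hash_file(p))
    return snap


def snapshot_registry_key(hive, subkey: str) -> dict:
    """Windows only: map 'subkey\\valuename' -> (type, data) for the values of one key.
    Example key to baseline: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    snap = {}
    with winreg.OpenKey(hive, subkey) as key:
        _subkeys, nvalues, _mtime = winreg.QueryInfoKey(key)
        for i in range(nvalues):
            name, data, vtype = winreg.EnumValue(key, i)
            snap[f"{subkey}\\{name}"] = (vtype, data)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Generic diff over any key -> value mapping, so it serves both file-tree and registry snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def render_report(diff: dict) -> list:
    """One line per change, grouped by kind, ready to print or log."""
    return [f"{kind.upper():9} {key}" for kind in ("added", "removed", "modified") for key in diff[kind]]


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate what a dropper typically does
    (write a new executable, edit a config file, delete a file), then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("mode=normal\n")
        (root / "app" / "readme.txt").write_text("hello\n")
        (root / "app" / "old.log").write_text("stale\n")
        before = snapshot_tree(root)

        # Simulated post-infection changes (constructed, not a real sample).
        (root / "app" / "config.ini").write_text("mode=normal\nautostart=1\n")
        (root / "app" / "svchost.exe").write_bytes(b"MZ\x90\x00")  # lookalike name dropped next to the app
        (root / "app" / "old.log").unlink()
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for line in render_report(demo()):
        print(line)
```

    In practice you would call `snapshot_tree` on the directories you care about (Windows, Program Files, the user profile) and `snapshot_registry_key` on the autorun keys, pickle or JSON-dump the baselines before detonation, and diff after; the point the post makes still stands, in that you need to know which locations are worth baselining for the diff to be readable.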
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Thanks all.

    I'm unsure of the exact setup of what will be running and when. Right now I'm thinking I will have SO, KL and Windows 7 in separate VMs on one box.

    Would I be putting Wireshark and the PsTools on the W7 host I intend to have compromised? Or should I just ensure it is on the same network segment (virtual) as the SO box running in IDS mode?
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    If you're dealing with commodity malware, I don't think you'll have issues firing up Wireshark or Sysinternals on the compromised host, in terms of the malware being aware and modifying its behavior.

    That being said, I have come across Fake A/V variants that would prevent me from starting non-essential applications - to work around this I renamed any app I wanted to open 'svchost.exe'. You likely won't run into this situation, it's just an FYI.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    FYI,

    Right now I've got Autoruns, Fiddler, OSSEC client, Process Explorer/Monitor, RegShot, TCPView, and Wireshark. I think that's a decent start. I'll get them all installed.
  • JDMurray Admin Posts: 13,029 Admin
    You're gonna need a hex editor to search binary file contents. There are a couple of good editors mentioned on this list: Top 20 Free Digital Forensic Investigation Tools for SysAdmins
  • dmoore44 Member Posts: 646
    Check out this white paper from SANS, it's a fascinating read: https://blogs.sans.org/windows-security/files/Process_Hacker_SANS_Jason_Fossen.pdf
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Thanks for the WP! Thanks JD! At the very least it looks like I have the Sysinternals apps working and Snorby in SO. If I can figure out how to get OSSEC running properly I should be in good shape to get started.
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    I just run malware in a VM and run some various tools for traffic analysis, registry analysis, file system changes, memory ****, etc... I'm currently doing some analysis on CryptoLocker. This one has to call back to the CnC server, so you will have to have your VM connected to the web to view the entire execution flow of the malware. Can be downloaded at Steve Gibson's site here (https://www.grc.com/malware.htm). THIS IS LIVE MALWARE. Keep in mind, this is fairly new malware and is still not detected by most AV software. Do NOT download these in a production environment. That being said... it's a great subject for analysis, and will run on new OS platforms like Win 7/8. They also have the fairly new Zeus / Zbot too. Somewhat less exciting to watch in my opinion though.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Regardless of Cryptolocker being relatively new when compared to Zbot and ZeroAccess, it's still commodity malware that has been observed in the wild for five months. There is no excuse for any self-respecting A/V vendor to lack signatures for it. If the binaries you're looking at were not detectable, it's likely due to obfuscation techniques and not because Cryptolocker is unknown or too new. My understanding is that Cryptolocker is written in .NET, which is especially good about revealing its makeup during code analysis.

    Something I'd like to add to NovaHax's point about not running it in prod; additionally I would refrain from running Cryptolocker anywhere you have removable media or network shares of any kind within reach, as it is capable of scanning and encrypting those as well.
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    YFZblu wrote: »
    Regardless of Cryptolocker being relatively new when compared to Zbot and ZeroAccess, it's still commodity malware that has been observed in the wild for five months. There is no excuse for any self-respecting A/V vendor to lack signatures for it. If the binaries you're looking at were not detectable, it's likely due to obfuscation techniques and not because Cryptolocker is unknown or too new. My understanding is that Cryptolocker is written in .NET, which is especially good about revealing its makeup during code analysis.

    I personally didn't test it against any AV products. Just basing my claims off of VirusTotal. Cryptolocker has had several new versions/signatures since it was originally detected in the wild. The latest version available from GRC is currently being detected by 35 out of 51 on VirusTotal. When run less than a month ago (Jan 22), it was detected by only 6 out of 51.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    NovaHax wrote: »
    I personally didn't test it against any AV products. Just basing my claims off of VirusTotal. Cryptolocker has had several new versions/signatures since it was originally detected in the wild. The latest version available from GRC is currently being detected by 35 out of 51 on VirusTotal. When run less than a month ago (Jan 22), it was detected by only 6 out of 51.

    IMO that is simply the cat-and-mouse nature of malware authors employing packing / obfuscation techniques, and doesn't have much to do with Cryptolocker being new. Had the binary you're referring to been run on a system, it's highly likely more of those vendors would have picked it up on heuristics alone. That being said, I'm certainly not suggesting A/V products will find everything or even most things. I'm just offering my perspective.

    Along the same lines I have seen ZeroAccess infections go undetected by McAfee enterprise even two years after its release - not because McAfee didn't know what ZA looked like, but because malware authors make a living off of employing clever changes to their software.
  • JDMurray Admin Posts: 13,029 Admin
    YFZblu wrote: »
    but because malware authors make a living off of employing clever changes to their software.
    ...and testing the stealthiness of their changes using public services, like VirusTotal.
  • SecurityThroughObscurity Member Posts: 212 ■■■□□□□□□□
    JDMurray wrote: »
    ...and testing the stealthiness of their changes using public services, like VirusTotal.
    Actually they don't, they use private services.
  • JDMurray Admin Posts: 13,029 Admin
    No, a lot of malware authors use VT, and some eventually get caught because of it. A file hash that was initially 0/45 on VT and ends up hitting on most of the A/V a week or two later indicates a zero-day was tested. Information collected on the IP and browser by VT has aided in attributing the source of some new malware.
  • SecurityThroughObscurity Member Posts: 212 ■■■□□□□□□□
    It does not mean that executables were uploaded by malware authors. They ain't so stupid. There are AV-check SaaS on closed black market forums which don't send anything to AV companies.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    NovaHax wrote: »
    I just run malware in a VM and run some various tools for traffic analysis, registry analysis, file system changes, memory ****, etc...

    Care to share the specific tools, if you don't mind?
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Anyone have links to open databases where malware can be downloaded? Preferably without an account.
  • JDMurray Admin Posts: 13,029 Admin
    Steve Gibson of GRC keeps his malware research stuff here: https://www.grc.com/malware.htm
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Yeah, I saw a few things on there, I started up a blog chronicling my exploits, NPI. SecTest Blog. I welcome everyone's feedback and comments on the blog and here.