Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools
Jim Clausing, PMTS, AT&T CSO
18 Jun 2009

Thanx up front
The Author
Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
GCIA (Gold) #64 – 2000
GCFA (Gold) #25 – 2002
GREM (Gold) #48 – 2005
And other certs along the way…
SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002
Instrument-rated private pilot – 2003/2004
The Paper
SANSFIRE 2008

The patches and scripts
http://handlers.sans.org/jclausing/grem_gold/
http://www.giac.org/certified_professionals/practicals/grem/48.php
The Environment – A Little History
In the beginning
Malware DB
Motivation – The Environment
Forest?  Trees?
Unpacking may lead to surprises – like no results
We’ve got malware, now what?
Truman (well, and Joe Stewart) FTW
The Analysis Environment
Processing a Sample
Analysis Flow

Submission
[jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
Archive:  090529-rnd_jpg.piz
  inflating: rnd.jpg
*****Processing rnd.jpg - ONEBOOT******
interface: eth1 (4.0.0.0/255.0.0.0)
filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
Starting Faux FTP Server Emulation on port 21
Starting Faux MySQL Server Emulation on port 3306
Starting Faux SMTP Server Emulation on port 25
Starting Faux SMB Server Emulation on port 445
Starting Faux IRC Server Emulation on port 6667
Starting Faux DNS Server Emulation on port 53

Monitoring
[jac@fltruman001 ~]$ alias status
alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."'

Monitoring, cont’d
[jac@fltruman001 ~]$ status
Server.exe
request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.86
responseIP: 4.3.2.63
response: rcode=NOERROR, … …, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=…, auth=, add=, aa=1
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
4.5.6.7 4.3.2.86   6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
4.5.6.7 224.0.0.22 2 0    0  0   108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
input: /tmp/sandnet.pcap
filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
match: GET|POST|HEAD|OPTIONS|JOIN
##########
exit
Original Truman Analysis Tools
The 4 Areas of Analysis
The Report – Tool Output
Identify the OS
Summary report for xxx.xxx-XPSP2-files created at ………
OS info>>>
kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
Ex: kern <path_to_dump_file>
File Description   : NT Kernel & System
File Version       : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Internal Name      : ntoskrnl.exe
Original File Name :
Product Name       : Microsoft® Windows® Operating System
Product Version    : 5.1.2600.2180
Analyzing Network Traffic – fauxdns
DNS>>>
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=…, auth=, add=, aa=1
Analyzing Network Traffic – fauxftp
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
Analyzing Network Traffic – fauxirc
IRC>>>
2009-05-27-16:49:17: Connection from 4.5.6.7
2009-05-27-16:49:17: PASS lammers
2009-05-27-16:49:17: NICK [00|USA|296161]
2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
2009-05-27-16:49:18: JOIN #WiFi-a Crypt
2009-05-27-17:00:13: QUIT System shutting down.
2009-05-27-17:00:15: QUIT Leaving
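An added example, not from the slides or from the Truman tool set, that pulls the reportable indicators (queried names and answers, FTP credentials and the active-mode data endpoint, IRC nick and channel key) out of the three faux-server log formats shown on the fauxdns, fauxftp and fauxirc slides. The sample log text is constructed from those slides, and the function and constant names are this example's own.

```python
# Added example: extract reportable indicators from Truman-style faux-server logs.
# Sample text is constructed from the fauxdns/fauxftp/fauxirc slides (one session each).
import re

# Constructed fauxdns sample: a request line, its responseIP lines, then a response line.
DNS_LOG = """\
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, ans=..., auth=, add=, aa=1
"""

# Constructed fauxftp sample (one client session, one command per line).
FTP_LOG = """\
Connection from 4.5.6.7
USER 0wn@sickbassline.com
PASS smokeweed
TYPE A
PORT 4,5,6,7,4,7
STOR User.mps
"""

# Constructed fauxirc sample (timestamp-prefixed client commands).
IRC_LOG = """\
2009-05-27-16:49:17: Connection from 4.5.6.7
2009-05-27-16:49:17: PASS lammers
2009-05-27-16:49:17: NICK [00|USA|296161]
2009-05-27-16:49:18: JOIN #WiFi-a Crypt
2009-05-27-17:00:13: QUIT System shutting down.
"""

REQ_RE = re.compile(r"^request: name=([^,]+), class=\w+, type=\w+, peer=\S+")
IRC_RE = re.compile(r"^\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d: (\S+)(?: (.*))?$")


def parse_dns(text):
    """Return [(queried name, [answer IPs]), ...] in log order."""
    lookups = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            lookups.append((m.group(1), []))
        elif line.startswith("responseIP: ") and lookups:
            lookups[-1][1].append(line.split(": ", 1)[1].strip())
    return lookups


def parse_ftp(text):
    """Collect credentials, the active-mode data endpoint and uploaded file names."""
    session = {"user": None, "password": None, "data_endpoint": None, "uploads": []}
    for line in text.splitlines():
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            session["user"] = arg
        elif verb == "PASS":
            session["password"] = arg
        elif verb == "PORT":
            # PORT h1,h2,h3,h4,p1,p2: the client offers h1.h2.h3.h4 on port p1*256+p2
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            session["data_endpoint"] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        elif verb == "STOR":
            session["uploads"].append(arg)
    return session


def parse_irc(text):
    """Extract the server password, nick and joined channels (with key, if any)."""
    bot = {"password": None, "nick": None, "channels": []}
    for line in text.splitlines():
        m = IRC_RE.match(line)
        if not m:
            continue
        cmd, args = m.group(1), (m.group(2) or "")
        if cmd == "PASS":
            bot["password"] = args
        elif cmd == "NICK":
            bot["nick"] = args
        elif cmd == "JOIN":
            # JOIN <channel> [key]; record the key next to the channel name
            parts = args.split(None, 1)
            bot["channels"].append((parts[0], parts[1] if len(parts) > 1 else None))
    return bot


def indicators(dns_text, ftp_text, irc_text):
    """Combine the three parsers into one indicator record for the report."""
    return {
        "domains": [name for name, _ in parse_dns(dns_text)],
        "ftp": parse_ftp(ftp_text),
        "irc": parse_irc(irc_text),
    }
```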
Analyzing Network Traffic – ipaudit
IP traffic>>>
src      dst              proto sp   dp   bytes    pkts   start                    end                      1 / 2
4.5.6.7  4.3.2.51         6     1046 80   748 346  5  5   2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7  4.3.2.104        6     1047 4242 816 697  10 10  2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7  239.255.255.250  17    1050 1900 0   525  0  3   2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7  224.0.0.22       2     0    0    0   108  0  2   2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
Analyzing Network Traffic – tshark
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:602 bytes:733467
  eth                                    frames:602 bytes:733467
    ip                                   frames:573 bytes:731979
      tcp                                frames:387 bytes:146779
        http                             frames:30 bytes:22708
          short                          frames:5 bytes:17790
          data-text-lines                frames:3 bytes:644
        data                             frames:8 bytes:849
      udp                                frames:57 bytes:10014
        nbdgm                            frames:11 bytes:2511
          smb                            frames:11 bytes:2511
            mailslot                     frames:11 bytes:2511
              browser                    frames:11 bytes:2511
        nbns                             frames:27 bytes:2538
        dns                              frames:6 bytes:532
        http                             frames:3 bytes:525
        ntp                              frames:2 bytes:180
        bootp                            frames:8 bytes:3728
      short                              frames:127 bytes:575066
      igmp                               frames:2 bytes:120
    arp                                  frames:29 bytes:1488
===================================================================
Analyzing Network Traffic – tcptrace
HTTP>>>
mod_http: Capturing HTTP traffic (port 80)
1 arg remaining, starting with '../small.pcap'
Ostermann's tcptrace -- version 6.6.7 -- Thu Nov  4, 2004
10 packets seen, 10 TCP packets traced
elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
trace file elapsed time: 0:00:00.017257
Http module output:
4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
  Server Syn Time:      Wed May 27 16:49:17.130145 2009 (1243457357.130)
  Client Syn Time:      Wed May 27 16:49:17.130085 2009 (1243457357.130)
  Server Fin Time:      Wed May 27 16:49:17.146947 2009 (1243457357.147)
  Client Fin Time:      Wed May 27 16:49:17.147323 2009 (1243457357.147)
GET /here2 HTTP/1.0
        Response Code:       404 (Not Found)
        Request Length:      66
        Reply Length:        468
        Content Length:      289
        Content Type  :      text/html;
        Time request sent:   Wed May 27 16:49:17.130584 2009 (…)
        Time reply started:  Wed May 27 16:49:17.146886 2009 (…)
        Time reply ACKed:    Wed May 27 16:49:17.147077 2009 (…)
        Elapsed time:  16 ms (request to first byte sent)
        Elapsed time:  16 ms (request to content ACKed)
Analyzing Disk Image – AIDE
---------------------------------------------------
Added files:
---------------------------------------------------
added: /mnt/new/WINDOWS/avmont.exe
added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
changed: /mnt/new/WINDOWS/WindowsUpdate.log
changed: /mnt/new/WINDOWS/setupapi.log
Analyzing Disk Image – ADS
Alternate Data Streams>>>
/mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new
Analyzing Disk Image – RegRipper
Registry Run Key changes>>>
Registry Service Key changes>>>
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
Firewall changes>>>
-EnableFirewall -> 1
Analyzing Disk Image – hosts file
Host file changes>>>
+127.0.0.1      www.symantec.com
+127.0.0.1      securityresponse.symantec.com
+127.0.0.1      symantec.com
+127.0.0.1      www.sophos.com
+127.0.0.1      sophos.com
+127.0.0.1      www.mcafee.com
+127.0.0.1      mcafee.com
+127.0.0.1      liveupdate.symantecliveupdate.com
+127.0.0.1      www.viruslist.com
+127.0.0.1      viruslist.com
+127.0.0.1      viruslist.com
+127.0.0.1      f-secure.com
+127.0.0.1      www.f-secure.com
+127.0.0.1      kaspersky.com
+127.0.0.1      kaspersky-labs.com
+127.0.0.1      www.avp.com
+127.0.0.1      www.kaspersky.com
+127.0.0.1      avp.com
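An added example, not part of the presentation or of Truman, that triages the RegRipper service-key diff, the firewall change and the hosts-file diff from the two preceding slides into findings: a new Auto Start service, security services flipped from Auto Start to Disabled, the EnableFirewall value gone from the post-run image, and vendor names pinned to loopback. The diff text is constructed from the slides; the vendor-name list and all function names are assumptions of this example.

```python
# Added example: triage the RegRipper service-key diff, firewall change and
# hosts-file diff from a Truman-style report into findings. Samples are
# constructed from the slides; the vendor list is an assumption of this example.
import re

# '+' = only in the post-run image, '-' = only in the clean baseline.
SERVICE_DIFF = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
"""
FIREWALL_DIFF = "-EnableFirewall -> 1\n"
HOSTS_DIFF = """\
+127.0.0.1      www.symantec.com
+127.0.0.1      securityresponse.symantec.com
+127.0.0.1      www.sophos.com
+127.0.0.1      liveupdate.symantecliveupdate.com
+127.0.0.1      www.kaspersky.com
"""
# Name fragments used to label hosts-file redirects (constructed, not exhaustive).
SECURITY_VENDORS = ("symantec", "sophos", "mcafee", "kaspersky", "f-secure", "viruslist", "avp")


def parse_service_records(text):
    """Map service name -> {'before': rec, 'after': rec}; rec fields follow the pipe layout."""
    services = {}
    for line in text.splitlines():
        if not line or line[0] not in "+-":
            continue
        fields = line[1:].split("|")
        if len(fields) < 5:
            continue
        rec = {"display": fields[1], "image": fields[2].strip('"'),
               "type": fields[3], "start": fields[4]}
        entry = services.setdefault(fields[0], {"before": None, "after": None})
        entry["after" if line[0] == "+" else "before"] = rec
    return services


def triage_services(text):
    """New services, removed services and start-type changes, as tuples."""
    findings = []
    for name, change in parse_service_records(text).items():
        before, after = change["before"], change["after"]
        if before is None:
            findings.append(("new_service", name, after["image"], after["start"]))
        elif after is None:
            findings.append(("removed_service", name, before["image"], before["start"]))
        elif before["start"] != after["start"]:
            findings.append(("start_changed", name, before["start"], after["start"]))
    return findings


def triage_hosts(text):
    """Added hosts entries that pin a name to loopback, tagged with a vendor when known."""
    findings = []
    for line in text.splitlines():
        parts = line[1:].split()
        if not line.startswith("+") or len(parts) < 2:
            continue
        ip, host = parts[0], parts[1].lower()
        if ip.startswith("127."):
            vendor = next((v for v in SECURITY_VENDORS if v in host), None)
            findings.append((host, vendor))
    return findings


def triage_firewall(text):
    """A removed 'EnableFirewall -> 1' line means the baseline's enabled setting is gone."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^([+-])EnableFirewall -> (\d)$", line.strip())
        if m and m.group(1) == "-" and m.group(2) == "1":
            findings.append("firewall_enable_removed")
    return findings


def triage(service_text, firewall_text, hosts_text):
    """One record per report section for the behavioral summary."""
    return {"services": triage_services(service_text),
            "firewall": triage_firewall(firewall_text),
            "hosts": triage_hosts(hosts_text)}
```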
Memory Image Analysis – Volatility

Analyzing Memory Image – connections
Open Ports>>>
Local Address             Remote Address            Pid
4.5.6.7:1047              4.3.2.104:4242            1484
  896    135    6      Wed May 27 20:39:59 2009
  1032   1027   17     Wed May 27 20:40:13 2009
  1096   1900   17     Wed May 27 20:40:14 2009
  1484   1047   6      Wed May 27 20:49:18 2009
< 908                  ->  135   TCP
> 896                  ->  135   TCP
9,11c9,11
< 992                  ->  1032  TCP
> 1484  avmont         ->  1047  TCP   C:\WINDOWS\avmont.exe
14,15c14,16
< 992                  ->  138   UDP
< 908                  ->  445   UDP
> 1484  avmont         ->  137   UDP   C:\WINDOWS\avmont.exe
> 0     System         ->  138   UDP
> 896                  ->  445   UDP
Memory/Static Binary Analysis – ssdeep
ssdeep info>>>
1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
--------------------------------------------------------------------------------
ssdeep info>>>
1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
Static Binary Analysis – binhash
BinHash info>>>
File: [/forensics/exes/abod.exe]        b826d0f222242c1e48f4e1ebe778a534
PE Phdr:        af86103672ba3bba2d21f2691465520f
PE Opt Hdr:     f8ea55a399eeec409874af01ca0cf01d
Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
[0] (.text)(VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
Shdr: aaa4cacbb1cc38713961cc2e5931b982
Shdr Data: f571948f8203e66d09c87b00ae748c8d
[1] (.rdata)(VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
Shdr: 46aa637bbc2c0335c427f6ca42021df9
Shdr Data: 3b10f3f4c6012e87d46686464575926c
[2] (.data)(VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
Shdr: cff63d398711731f58eee390a6ce8513
Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e
Static Binary Analysis – packerid.py
Packer info>>>
[['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]
Static Binary Analysis – Volatility malfind.py
## lsass.exe (Pid: 676)
#
+ VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags  18
+ VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags  18
  - Status: disassembling with pydasm...
   0xc80000 call 0x567d
   0xc80005 retn 0x8
   0xc80008 push ecx
   0xc80009 push esi
   0xc8000a call 0x1582
Found 2 suspicious Vad entries
Page 42Limitations
Future Work
More Future Work

Questions?
E-mail: jac@att.com or jclausing@isc.sans.org

SANS Mentor Class – SEC 508 (Forensics)
For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.
Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.
http://www.sans.org/mentor/details.php?nid=19458

More Related Content

What's hot (20)

DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado
 
H2O - the optimized HTTP server
H2O - the optimized HTTP serverH2O - the optimized HTTP server
H2O - the optimized HTTP server
Kazuho Oku
 
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondReorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and Beyond
Kazuho Oku
 
7. protocols
7. protocols7. protocols
7. protocols
Marian Marinov
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsiveness
Kazuho Oku
 
Teach your (micro)services talk Protocol Buffers with gRPC.
Teach your (micro)services talk Protocol Buffers with gRPC.Teach your (micro)services talk Protocol Buffers with gRPC.
Teach your (micro)services talk Protocol Buffers with gRPC.
Mihai Iachimovschi
 
7.protocols 2
7.protocols 27.protocols 2
7.protocols 2
Marian Marinov
 
Promise of Push (HTTP/2 Web Performance)
Promise of Push (HTTP/2 Web Performance)Promise of Push (HTTP/2 Web Performance)
Promise of Push (HTTP/2 Web Performance)
Colin Bendell
 
Cache aware-server-push in H2O version 1.5
Cache aware-server-push in H2O version 1.5Cache aware-server-push in H2O version 1.5
Cache aware-server-push in H2O version 1.5
Kazuho Oku
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
Nina Buchina
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Wuala, P2P Online Storage
Wuala, P2P Online StorageWuala, P2P Online Storage
Wuala, P2P Online Storage
adunne
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
julievreeland
 
Make gRPC great again
Make gRPC great againMake gRPC great again
Make gRPC great again
Roberto Veral del Pozo
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Ravi Rajput
 
Developing the fastest HTTP/2 server
Developing the fastest HTTP/2 serverDeveloping the fastest HTTP/2 server
Developing the fastest HTTP/2 server
Kazuho Oku
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado
 
H2O - the optimized HTTP server
H2O - the optimized HTTP serverH2O - the optimized HTTP server
H2O - the optimized HTTP server
Kazuho Oku
 
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondReorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and Beyond
Kazuho Oku
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsiveness
Kazuho Oku
 
Teach your (micro)services talk Protocol Buffers with gRPC.
Teach your (micro)services talk Protocol Buffers with gRPC.Teach your (micro)services talk Protocol Buffers with gRPC.
Teach your (micro)services talk Protocol Buffers with gRPC.
Mihai Iachimovschi
 
Promise of Push (HTTP/2 Web Performance)
Promise of Push (HTTP/2 Web Performance)Promise of Push (HTTP/2 Web Performance)
Promise of Push (HTTP/2 Web Performance)
Colin Bendell
 
Cache aware-server-push in H2O version 1.5
Cache aware-server-push in H2O version 1.5Cache aware-server-push in H2O version 1.5
Cache aware-server-push in H2O version 1.5
Kazuho Oku
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Wuala, P2P Online Storage
Wuala, P2P Online StorageWuala, P2P Online Storage
Wuala, P2P Online Storage
adunne
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
julievreeland
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Ravi Rajput
 
Developing the fastest HTTP/2 server
Developing the fastest HTTP/2 serverDeveloping the fastest HTTP/2 server
Developing the fastest HTTP/2 server
Kazuho Oku
 

Viewers also liked (20)

Unidad II. Modelo de Datos
Unidad II. Modelo de DatosUnidad II. Modelo de Datos
Unidad II. Modelo de Datos
ucbasededatos
 
Jesuitas Ecuador - Noticias Diciembre 2012
Jesuitas Ecuador - Noticias Diciembre 2012Jesuitas Ecuador - Noticias Diciembre 2012
Jesuitas Ecuador - Noticias Diciembre 2012
JesuitasEc
 
Globalizacion1
Globalizacion1Globalizacion1
Globalizacion1
Jack Herrera
 
Librovirtual1 47
Librovirtual1 47Librovirtual1 47
Librovirtual1 47
Diana Noboa
 
Maxwell Y Los Bichos Raros
Maxwell Y Los Bichos RarosMaxwell Y Los Bichos Raros
Maxwell Y Los Bichos Raros
maspereiracom
 
Revista fetracom pdf
Revista fetracom pdfRevista fetracom pdf
Revista fetracom pdf
Rodrigo Brito
 
Redes Clase 3
Redes Clase 3Redes Clase 3
Redes Clase 3
juanlopeztp
 
Estrutura patrimonial e plano de contas
Estrutura patrimonial e plano de contasEstrutura patrimonial e plano de contas
Estrutura patrimonial e plano de contas
Concurseiro Antenado
 
Inteligencia emocional
Inteligencia emocionalInteligencia emocional
Inteligencia emocional
Salmi Aguirre Uscanga
 
Parque nacional río abiseo
Parque nacional río abiseoParque nacional río abiseo
Parque nacional río abiseo
ronald3025
 
Constancia
ConstanciaConstancia
Constancia
DGETI Zacatecas
 
Cartilla de políticas
Cartilla de políticas Cartilla de políticas
Cartilla de políticas
Tatiana Rodriguez
 
Educación[1]..
Educación[1]..Educación[1]..
Educación[1]..
maryguayonge
 
Code of conduct
Code of conductCode of conduct
Code of conduct
Vedanta Zinc International
 
Mediana
MedianaMediana
Mediana
Elesteph
 
A doena como_caminho
A doena como_caminhoA doena como_caminho
A doena como_caminho
Wilson L. Silva
 
Estratégia
EstratégiaEstratégia
Estratégia
Helder Rodrigues
 
Actividad de aprendizaje 8
Actividad de aprendizaje 8Actividad de aprendizaje 8
Actividad de aprendizaje 8
Veronica Patricia Collantes Perez
 
Atitudes
AtitudesAtitudes
Atitudes
Tânia Silva
 
Chapter3
Chapter3Chapter3
Chapter3
SUNY Ulster
 

Similar to Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software (20)

Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
Engine Yard
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
Napier University
 
Day2
Day2Day2
Day2
Jai4uk
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Ontico
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
Aman Gupta
 
HTTP/2 What's inside and Why
HTTP/2 What's inside and WhyHTTP/2 What's inside and Why
HTTP/2 What's inside and Why
Adrian Cole
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
Mohammad Reza Kamalifard
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
Shuya Osaki
 
The Road to End-to-End Encryption in Jitsi Meet
The Road to End-to-End Encryption in Jitsi MeetThe Road to End-to-End Encryption in Jitsi Meet
The Road to End-to-End Encryption in Jitsi Meet
Saúl Ibarra Corretgé
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PROIDEA
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
Redge Technologies
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
import rdma: zero-copy networking with RDMA and Python
import rdma: zero-copy networking with RDMA and Pythonimport rdma: zero-copy networking with RDMA and Python
import rdma: zero-copy networking with RDMA and Python
groveronline
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
faker1842002
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
Stewart Needham
 
Top-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptxTop-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptx
Tier1 app
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
Ontico
 
CCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management AutomationCCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management Automation
E.S.G. JR. Consulting, Inc.
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
Alex Mayrhofer
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
Engine Yard
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
Napier University
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Ontico
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
Aman Gupta
 
HTTP/2 What's inside and Why
HTTP/2 What's inside and WhyHTTP/2 What's inside and Why
HTTP/2 What's inside and Why
Adrian Cole
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
Shuya Osaki
 
The Road to End-to-End Encryption in Jitsi Meet
The Road to End-to-End Encryption in Jitsi MeetThe Road to End-to-End Encryption in Jitsi Meet
The Road to End-to-End Encryption in Jitsi Meet
Saúl Ibarra Corretgé
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PROIDEA
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
import rdma: zero-copy networking with RDMA and Python
import rdma: zero-copy networking with RDMA and Pythonimport rdma: zero-copy networking with RDMA and Python
import rdma: zero-copy networking with RDMA and Python
groveronline
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
faker1842002
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
Stewart Needham
 
Top-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptxTop-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptx
Tier1 app
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
Ontico
 
CCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management AutomationCCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management Automation
E.S.G. JR. Consulting, Inc.
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
Alex Mayrhofer
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 

Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

  • 1. Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source ToolsJim Clausing, PMTS, AT&T CSO18 Jun 2009
  • 4. Page 4Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSPGCIA (Gold) #64 – 2000GCFA (Gold) #25 – 2002GREM (Gold) #48 – 2005And other certs along the way…SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002Instrument-rated private pilot – 2003/2004
  • 7. The patches and scriptshttp://handlers.sans.org/jclausing/grem_gold/http://www.giac.org/certified_professionals/practicals/grem/48.phpPage 7
  • 8. The Environment – A Little History
  • 11. Motivation – The Environment
  • 13. Unpacking may lead to surprises – like no results Page 13
  • 14. Page 14We’ve got malware, now what?
  • 15. Truman (well, and Joe Stewart) FTWPage 15
  • 19. Submission[jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done Archive: 090529-rnd_jpg.piz inflating: rnd.jpg *****Processing rnd.jpg - ONEBOOT******interface: eth1 (4.0.0.0/255.0.0.0)filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth1, link-type EN10MB (Ethernet), capture size 96 bytestcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytesStarting Faux FTP Server Emulation on port 21Starting Faux MySQL Server Emulation on port 3306Starting Faux SMTP Server Emulation on port 25Starting Faux SMB Server Emulation on port 445Starting Faux IRC Server Emulation on port 6667Starting Faux DNS Server Emulation on port 53Page 19
  • 20. Monitoring[jac@fltruman001 ~]$ alias statusalias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:]\r\n" "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:]\r\n" "."‘Page 20
  • 21. Monitoring, cont’d[jac@fltruman001 ~]$ statusServer.exerequest: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7responseIP: 4.3.2.86responseIP: 4.3.2.63response: rcode=NOERROR, … …, auth=, add=, aa=1request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7responseIP: 4.5.6.1response: rcode=NOERROR, ans=…, auth=, add=, aa=1Connection from 4.5.6.7USER 0wn@sickbassline.comPASS smokeweedTYPE APORT 4,5,6,7,4,7STOR User.mpsreading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 14.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1input: /tmp/sandnet.pcapfilter: (ip) and ( tcp port 80 and not host 4.5.6.1 )match: GET|POST|HEAD|OPTIONS|JOIN##########exitPage 21
• 22. Original Truman Analysis Tools
• 23. The 4 Areas of Analysis
• 24. The Report – Tool Output
• 25. Identify the OS
    Summary report for xxx.xxx-XPSP2-files created at ………
    OS info>>>
    kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
    Ex: kern <path_to_dump_file>
    File Description   : NT Kernel & System
    File Version       : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Internal Name      : ntoskrnl.exe
    Original File Name :
    Product Name       : Microsoft® Windows® Operating System
    Product Version    : 5.1.2600.2180
• 26. Analyzing Network Traffic – fauxdns
    DNS>>>
    request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.3.2.51
    responseIP: 4.3.2.154
    response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
    request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.3.2.104
    responseIP: 4.3.2.240
    response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
    request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.5.6.1
    response: rcode=NOERROR, ans=…, auth=, add=, aa=1
• 27. Analyzing Network Traffic – fauxftp
    Connection from 4.5.6.7
    USER 0wn@sickbassline.com
    PASS smokeweed
    TYPE A
    PORT 4,5,6,7,4,7
    STOR User.mps
• 28. Analyzing Network Traffic – fauxirc
    IRC>>>
    2009-05-27-16:49:17: Connection from 4.5.6.7
    2009-05-27-16:49:17: PASS lammers
    2009-05-27-16:49:17: NICK [00|USA|296161]
    2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
    2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
    2009-05-27-16:49:18: JOIN #WiFi-a Crypt
    2009-05-27-17:00:13: QUIT System shutting down.
    2009-05-27-17:00:15: QUIT Leaving
• 29. Analyzing Network Traffic – ipaudit
    IP traffic>>>
    src      dst              proto  sp    dp    bytes     pkts    start                     end                       1 / 2
    4.5.6.7  4.3.2.51           6    1046    80  748  346   5   5  2009-05-27-16:49:17.1300  2009-05-27-16:49:17.1473  1  2
    4.5.6.7  4.3.2.104          6    1047  4242  816  697  10  10  2009-05-27-16:49:17.1613  2009-05-27-17:00:15.5921  1  2
    4.5.6.7  239.255.255.250   17    1050  1900    0  525   0   3  2009-05-27-16:49:17.3746  2009-05-27-16:49:23.3815  1  1
    4.5.6.7  224.0.0.22         2       0     0    0  108   0   2  2009-05-27-17:00:14.2087  2009-05-27-17:00:14.9690  1  1
    The 4.3.2.x destinations are the addresses fauxdns handed out on slide 26 (4.3.2.51 for sslrapidshare.or.tp, 4.3.2.104 for gfmd1.or.tp), which is what lets each flow be tied back to the hostname the sample actually asked for; the 239.x and 224.x rows are SSDP and IGMP background noise from the client VM.
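As an added example (not one of the Truman scripts or the tools in the paper), the following Python ties the fauxdns answers from slide 26 to the ipaudit flow records on slide 29, so that each outbound flow from the client VM is reported with the hostname the sample resolved instead of the throwaway 4.3.2.x address fauxdns handed out, and a contacted address with no preceding lookup stands out as a probable hard-coded C2. The log lines are constructed from the report excerpts; the ipaudit column layout (two byte counts and two packet counts per flow, one per direction) is an assumption and only the totals are used.

```python
"""Tie fauxdns answers to ipaudit flow records (added example, not Truman's own code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VICTIM = "4.5.6.7"        # the Truman client VM in the report excerpts
SANDNET_HOST = "4.5.6.1"  # the faux-server host, excluded as in the status alias ("not host 4.5.6.1")

# Sample input constructed from the fauxdns and ipaudit excerpts in the report.
DNS_LOG = """\
request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.51
responseIP: 4.3.2.154
response: rcode=NOERROR, auth=, add=, aa=1
request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
responseIP: 4.3.2.104
responseIP: 4.3.2.240
response: rcode=NOERROR, auth=, add=, aa=1
request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
responseIP: 4.5.6.1
response: rcode=NOERROR, auth=, add=, aa=1
"""

IPAUDIT_LOG = """\
4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
"""

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    total_bytes: int  # both directions summed
    total_pkts: int   # both directions summed
    start: str
    end: str


def parse_fauxdns(log: str) -> Dict[str, str]:
    """Map every address fauxdns handed out back to the name that was queried."""
    ip_to_name: Dict[str, str] = {}
    name: Optional[str] = None
    for line in log.splitlines():
        m = re.match(r"request: name=([^,]+),", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"responseIP: (\S+)", line)
        if m and name:
            ip_to_name[m.group(1)] = name
    return ip_to_name


def parse_ipaudit(log: str) -> List[Flow]:
    """Parse ipaudit -C records. Assumed layout: src dst proto sport dport, then bytes and
    packets per direction (two columns each), then the start and end timestamps."""
    flows = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 11:
            continue
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                          int(f[5]) + int(f[6]), int(f[7]) + int(f[8]), f[9], f[10]))
    return flows


def is_noise(ip: str) -> bool:
    """Multicast/broadcast chatter and traffic to the sandnet host itself carry no C2 signal."""
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or ip == "255.255.255.255" or ip == SANDNET_HOST


def correlate(dns_log: str, ipaudit_log: str) -> List[dict]:
    """Outbound flows from the victim, each labelled with the resolved hostname (None means
    the address was contacted without a preceding lookup, i.e. probably hard-coded)."""
    names = parse_fauxdns(dns_log)
    report = []
    for fl in parse_ipaudit(ipaudit_log):
        if fl.src != VICTIM or is_noise(fl.dst):
            continue
        report.append({"name": names.get(fl.dst), "dst": fl.dst,
                       "proto": PROTO_NAMES.get(fl.proto, str(fl.proto)), "dport": fl.dport,
                       "bytes": fl.total_bytes, "pkts": fl.total_pkts,
                       "start": fl.start, "end": fl.end})
    return report


if __name__ == "__main__":
    for c in correlate(DNS_LOG, IPAUDIT_LOG):
        label = c["name"] or "NO LOOKUP (hard-coded address?)"
        print(f'{label:30} {c["dst"]:15} {c["proto"]}/{c["dport"]:<5} {c["bytes"]:6} bytes {c["pkts"]:3} pkts')
```

Run against the report's own lines this prints two rows, sslrapidshare.or.tp on tcp/80 and gfmd1.or.tp on tcp/4242, and drops the SSDP and IGMP rows; the same map also answers which of the two addresses fauxdns returned per name the sample actually used.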
• 30. Analyzing Network Traffic – tshark
    ===================================================================
    Protocol Hierarchy Statistics
    Filter: frame

    frame                                    frames:602 bytes:733467
      eth                                    frames:602 bytes:733467
        ip                                   frames:573 bytes:731979
          tcp                                frames:387 bytes:146779
            http                             frames:30 bytes:22708
              short                          frames:5 bytes:17790
              data-text-lines                frames:3 bytes:644
              data                           frames:8 bytes:849
          udp                                frames:57 bytes:10014
            nbdgm                            frames:11 bytes:2511
              smb                            frames:11 bytes:2511
                mailslot                     frames:11 bytes:2511
                  browser                    frames:11 bytes:2511
            nbns                             frames:27 bytes:2538
            dns                              frames:6 bytes:532
            http                             frames:3 bytes:525
            ntp                              frames:2 bytes:180
            bootp                            frames:8 bytes:3728
          short                              frames:127 bytes:575066
          igmp                               frames:2 bytes:120
        arp                                  frames:29 bytes:1488
    ===================================================================
    The short entries are frames whose captured length is less than their wire length, most likely cut off by the 96-byte snaplen of the first tcpdump on slide 19; their payloads are not available to the dissectors, so counts for the higher-layer protocols understate what was actually sent.
• 31. Analyzing Network Traffic – tcptrace
    HTTP>>>
    mod_http: Capturing HTTP traffic (port 80)
    1 arg remaining, starting with '../small.pcap'
    Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004
    10 packets seen, 10 TCP packets traced
    elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
    trace file elapsed time: 0:00:00.017257
    Http module output:
    4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
      Server Syn Time:  Wed May 27 16:49:17.130145 2009 (1243457357.130)
      Client Syn Time:  Wed May 27 16:49:17.130085 2009 (1243457357.130)
      Server Fin Time:  Wed May 27 16:49:17.146947 2009 (1243457357.147)
      Client Fin Time:  Wed May 27 16:49:17.147323 2009 (1243457357.147)
      GET /here2 HTTP/1.0
        Response Code:       404 (Not Found)
        Request Length:      66
        Reply Length:        468
        Content Length:      289
        Content Type  :      text/html;
        Time request sent:   Wed May 27 16:49:17.130584 2009 (…)
        Time reply started:  Wed May 27 16:49:17.146886 2009 (…)
        Time reply ACKed:    Wed May 27 16:49:17.147077 2009 (…)
        Elapsed time:  16 ms (request to first byte sent)
        Elapsed time:  16 ms (request to content ACKed)
• 32. Analyzing Disk Image – AIDE
    ---------------------------------------------------
    Added files:
    ---------------------------------------------------
    added: /mnt/new/WINDOWS/avmont.exe
    added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
    ---------------------------------------------------
    Removed files:
    ---------------------------------------------------
    removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
    changed: /mnt/new/WINDOWS/WindowsUpdate.log
    changed: /mnt/new/WINDOWS/setupapi.log
• 33. Analyzing Disk Image – ADS
    Alternate Data Streams>>>
    /mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
    getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new
• 34. Analyzing Disk Image – RegRipper
    Registry Run Key changes>>>
    Registry Service Key changes>>>
    +AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
    -RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
    +RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
    -wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
    +wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
    Firewall changes>>>
    -EnableFirewall -> 1
    No Run key changes were recorded: persistence is a new auto-start service (AvMont) whose binary sits in C:\WINDOWS rather than system32, and the same run switched Security Center (wscsvc) and Remote Registry from Auto Start to Disabled and removed the EnableFirewall=1 setting that the clean baseline had.
• 35. Analyzing Disk Image – hosts file*
    Host file changes>>>
    +
    +127.0.0.1 www.symantec.com
    +127.0.0.1 securityresponse.symantec.com
    +127.0.0.1 symantec.com
    +127.0.0.1 www.sophos.com
    +127.0.0.1 sophos.com
    +127.0.0.1 www.mcafee.com
    +127.0.0.1 mcafee.com
    +127.0.0.1 liveupdate.symantecliveupdate.com
    +127.0.0.1 www.viruslist.com
    +127.0.0.1 viruslist.com
    +127.0.0.1 viruslist.com
    +127.0.0.1 f-secure.com
    +127.0.0.1 www.f-secure.com
    +127.0.0.1 kaspersky.com
    +127.0.0.1 kaspersky-labs.com
    +127.0.0.1 www.avp.com
    +127.0.0.1 www.kaspersky.com
    +127.0.0.1 avp.com
    Every added entry points an antivirus vendor's web or update host at loopback, so the infected machine can no longer fetch signatures or reach the vendors' sites.
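The disk-image findings on slides 34 and 35 are the kind of thing the report should rank rather than just list. The Python below is an added example, not part of Truman or the patched tools, that parses the pipe-delimited service diff, the firewall diff line and the hosts-file diff in the formats shown above and turns them into severity-tagged findings: a new auto-start service whose binary lives outside system32, a defensive service switched to Disabled, the firewall setting removed, and AV vendor hosts redirected to loopback. The sample inputs are constructed from the excerpts on those slides (the hosts list is shortened); the set of defensive services and the vendor name fragments are assumptions, not something the report defines.

```python
"""Triage RegRipper service/firewall diffs and hosts-file changes from a Truman report
(added example, not part of the Truman tooling)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample input constructed from the RegRipper and hosts-file excerpts in the report.
SERVICE_CHANGES = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
"""
FIREWALL_CHANGES = "-EnableFirewall -> 1\n"
HOSTS_CHANGES = """
+127.0.0.1 www.symantec.com
+127.0.0.1 liveupdate.symantecliveupdate.com
+127.0.0.1 www.sophos.com
+127.0.0.1 www.mcafee.com
+127.0.0.1 www.kaspersky.com
+127.0.0.1 www.f-secure.com
"""

# Assumed lists (not from the report): services whose loss weakens the host, and vendor
# name fragments whose redirection to loopback blocks AV updates.
DEFENSIVE_SERVICES = {"wscsvc", "SharedAccess", "wuauserv"}
AV_VENDOR_TOKENS = ("symantec", "sophos", "mcafee", "kaspersky", "f-secure", "avp", "viruslist")

Finding = Tuple[str, str, str, str]  # (severity, kind, subject, detail)


def parse_service_changes(text: str) -> Dict[str, Dict[str, dict]]:
    """Group +/- lines (name|display|image|type|start|) by service name: {"-": before, "+": after}."""
    changes: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for line in text.splitlines():
        if not line or line[0] not in "+-":
            continue
        fields = line[1:].rstrip("|").split("|")
        if len(fields) < 5:
            continue
        name, display, image, svc_type, start = fields[:5]
        changes[name][line[0]] = {"display": display, "image": image, "type": svc_type, "start": start}
    return dict(changes)


def triage_services(changes: Dict[str, Dict[str, dict]]) -> List[Finding]:
    findings: List[Finding] = []
    for name, c in changes.items():
        before, after = c.get("-"), c.get("+")
        if after and not before:
            image = after["image"].strip('"')
            # A new auto-start service whose binary is outside system32 is the classic persistence pattern.
            outside_system32 = re.search(r"\\system32\\", image, re.I) is None
            sev = "high" if after["start"] == "Auto Start" and outside_system32 else "medium"
            findings.append((sev, "new-service", name, f'{after["start"]}: {image}'))
        elif before and not after:
            findings.append(("medium", "removed-service", name, before["image"]))
        elif before["start"] != after["start"]:
            sev = "high" if name in DEFENSIVE_SERVICES and after["start"] == "Disabled" else "low"
            findings.append((sev, "start-changed", name, f'{before["start"]} -> {after["start"]}'))
    return findings


def triage_firewall(text: str) -> List[Finding]:
    # A "-EnableFirewall -> 1" line means the EnableFirewall=1 entry of the clean baseline is gone after the run.
    return [("high", "firewall", "EnableFirewall", line.strip())
            for line in text.splitlines() if line.startswith("-EnableFirewall")]


def triage_hosts(text: str) -> List[Finding]:
    """Added hosts entries that send an AV vendor name to loopback or the null address."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = re.match(r"\+(\S+)\s+(\S+)", line)
        if not m or m.group(1) not in ("127.0.0.1", "0.0.0.0"):
            continue
        if any(tok in m.group(2).lower() for tok in AV_VENDOR_TOKENS):
            findings.append(("high", "hosts-av-block", m.group(2), f"-> {m.group(1)}"))
    return findings


def triage_all() -> List[Finding]:
    """All findings from the constructed inputs, highest severity first."""
    findings = (triage_services(parse_service_changes(SERVICE_CHANGES))
                + triage_firewall(FIREWALL_CHANGES) + triage_hosts(HOSTS_CHANGES))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, kind, subject, detail in triage_all():
        print(f"[{sev:6}] {kind:16} {subject:36} {detail}")
```

The RemoteRegistry change comes out as low only because it is not in the assumed defensive-service set; whether a sample disabling it is hardening against other bots or just noise is a judgement the report should leave to the analyst, which is why the kind and the before/after start types are kept in the finding rather than collapsed into a score.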
• 36. Memory Image Analysis – Volatility
• 37. Analyzing Memory Image – connections
    Open Ports>>>
    Local Address    Remote Address    Pid
    4.5.6.7:1047     4.3.2.104:4242    1484

     896   135   6   Wed May 27 20:39:59 2009
    1032  1027  17   Wed May 27 20:40:13 2009
    1096  1900  17   Wed May 27 20:40:14 2009
    1484  1047   6   Wed May 27 20:49:18 2009

    < 908 -> 135 TCP
    > 896 -> 135 TCP
    9,11c9,11
    < 992 -> 1032 TCP
    > 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
    14,15c14,16
    < 992 -> 138 UDP
    < 908 -> 445 UDP
    > 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
    > 0 System -> 138 UDP
    > 896 -> 445 UDP
    The first block is the Volatility connections listing; the second appears to be its sockets listing (pid, port, protocol, create time); the rest is a diff of the per-process socket list against the clean baseline image. Pids of the system services differ between the two boots (908/992 versus 896), which is noise, while the new avmont.exe process (pid 1484) owning the TCP connection to 4.3.2.104:4242 and a UDP/137 socket is the finding.
• 38. Memory/Static Binary Analysis – ssdeep
    ssdeep info>>>
    1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
    768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
    --------------------------------------------------------------------------------
    ssdeep info>>>
    1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
    1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
    3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
    /data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
    Each sample is hashed twice: the file as submitted and the process image dumped from memory after it ran (the -XPSP2-files/…-sandnet.exe entries). For the second sample the submitted files of two samples match at 80, while their in-memory images match at 96, because the fuzzy hash of the unpacked code is not disturbed by the packer.
• 39. Static Binary Analysis – binhash
    BinHash info>>>
    File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
    PE Phdr:    af86103672ba3bba2d21f2691465520f
    PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
    Import [1]  Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
    Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
    [0] (.text)  (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
        Shdr:      aaa4cacbb1cc38713961cc2e5931b982
        Shdr Data: f571948f8203e66d09c87b00ae748c8d
    [1] (.rdata) (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
        Shdr:      46aa637bbc2c0335c427f6ca42021df9
        Shdr Data: 3b10f3f4c6012e87d46686464575926c
    [2] (.data)  (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
        Shdr:      cff63d398711731f58eee390a6ce8513
        Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e
• 40. Static Binary Analysis – packerid.py
    Packer info>>>
    [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]
• 41. Static Binary Analysis – Volatility malfind.py*
    ## lsass.exe (Pid: 676)
    #
    + VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
    + VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
      - Status: disassembling with pydasm...
        0xc80000 call 0x567d
        0xc80005 retn 0x8
        0xc80008 push ecx
        0xc80009 push esi
        0xc8000a call 0x1582
    Found 2 suspicious Vad entries
• 45. Questions?
    E-mail: jac@att.com or jclausing@isc.sans.org
• 46. SANS Mentor Class – SEC 508 (Forensics)
    For those of you from central OH (or folks you work with), I’ll be facilitating another mentor class in the fall.
    Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH, running 10 Sep-12 Nov.
    http://www.sans.org/mentor/details.php?nid=19458