SES2017 - Dynamic Analysis · Dynamic Analysis Systems and Enterprise Security 2017-2018 Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]. Research Center for Cyber

Research Center for Cyber Intelligence and information Security

CIS SapienzaResearch Center for Cyber Intelligence

and information Security

CIS Sapienza

DynamicAnalysis

SystemsandEnterpriseSecurity2017-2018Dr.GiuseppeLaurenza,Ph.D.Student,[email protected]


CIS Sapienza

Outline

• VirtualMachineandSandboxing• Manualdynamic analysis tools• Analysisofpersistence• Dynamic analysis withCuckoo Sandbox• DLL/Codeinjection


CIS Sapienza

VirtualMachine[VM]

• AVMemulates thebehaviour ofafullphysicalmachineinwhich it is possible torun thedesiredoperating system:– Host:machineinwhich it is run theVMsoftware.– Guest:theVMitself.

• AVMprovided afake andseparatedenvironment;

• it is possible toexecute suspicious softwareinisolation.


CIS Sapienza

VirtualMachine[VM]:Snapshot

• Manyvirtualizationsoftwaresprovidethepossibilitytocreatesnapshot;

• asnapshotrepresentsaphotographyofthecurrentstateoftheVM;

• itallowstorestoreapreviousstateofthesystem.


CIS Sapienza

VirtualMachine[VM]:Snapshot

• Snapshotsareanimportant resource fordynamic malaware analysis,infact analysts:– createandconfigure aVM;– createsnapshotoftheVM,readyfortheanalysis– run themalware;– study theexecution andtheeffects ofthesample;– restore thesnapshotinorder tobereadyforthenext analysis.


CIS Sapienza

VirtualMachine[VM]:Virtualbox[1]

• VirtualBox is anopen-sourcevirtualizationsoftwaredeveloped forWindows,LinuxandMacOs;

• it allows theexecution ofvarious operatingsystems,including Windows,Linuxe*BSD;

• it offers asnapshotsystemtosave andrestorethestateoftheVM.

[1]https://www.virtualbox.org


CIS Sapienza

VirtualMachine[VM]:SnapshotExercise

• Boot uptheVM;• openVirtualbox intheVM;• restore thesnapshotSnapshot2;• starttheVMcuckoo1;• observe thestateoftheVM,trying toexecutesomemalware;

• shutdown theVMandrestore thesnapshotSnapshot1;

• run again theVMandobserve any changes.


CIS Sapienza

Sandbox• Itconsistsofexecutingthemalwareinacontrolledenvironmentinordertoobservemalwarebehavior;

• thisapproachusesemulationorvirtualizationsoftwareproductstoexecutemalwareinisolation;

• asandboxcanproducedepthreportsusingsignaturestodetectpatternsofactions;

• itcanalsoprovideadditionalinformationlikecreatedfileornetworktrafficgeneratedbythesample.


CIS Sapienza

Outline



CIS Sapienza

RegShot

• It is anopen-sourceutilitytocompareinstances ofWindowsregistry;

• it enables tostorethecurrent stateoftheregistry andcompareit withanother createdafter somemodifications;

• it is widely used todiscover which registrykeys aremodified bythemalwareexecution.


CIS Sapienza

RegShot– Exercise• RestorethesnapshotSnapshot2oftheinternalVM;• bootuptheVM;• runexecutableregshot intheRegshot folderonthedesktop;• use1-shottostorethecurrentstateofregistry;• changedesktopbackground;• use2-shottostorethenewstateoftheregistry;• comparethe2snapshotswithcompare;• changelogsformatwithHTML;• usecleartodeletethe2ndshot;• performanewcomparisonandobservethedifferencesinthe

report.


CIS Sapienza

AutoRuns

• UtilitydevelopeddirectlybyMicrosoft;• itallowaneasyinspectionofdifferentaspectoftheoperatingsystem,like:– thesystemlocationstomodifyinordertoloadapplicationduringOSboot;

– Explorerextensions;– toolbars.


CIS Sapienza

AutoRuns- Exercise• RestorethesnapshotSnapshot2oftheinternalVM;

• bootuptheVM;• launchAutoruns,ifaskedaccepttheEULA;• observethevarioustabs;• savecurrentstateofthesoftware;• modify/deletesomeelements;• usecompareinthefilemenutoperformacomparisonbetweentheprevioussavedstate.


CIS Sapienza

Outline



CIS Sapienza

Persistence

• Setoftechniquesthatguaranteestomalwaretosurvivesystemreboot;

• currently,mainapproachesarefour:– creationormodificationofregistrykeys;– creationoffileinstartuplocations;– creationofWindowsServices;– modificationoftheMasterBootRecord(MBR)ortheBIOS


CIS Sapienza

Persistence:creation ormodification ofregistry keys• Windowsregistry contains informationaboutwhat mustbestarted at boot,like:– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run– HKLM\System\CurrentControlSet\Control\SessionManager\KnownDlls– HKCU\Software\Microsoft\Windows\CurrentVersion\Run– HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\

• this approach consists ofcreateormodifythese keys tolaunch malwareat thestartup.


CIS Sapienza

Persistence:creation offileinstartuplocations

• During theboot,WindowsOSchecks somedirectories which contain softwaretostart,like:– %USERPROFILE%\StartMenu\Programs\Startupcontainingsingleusersoftware;

– %ALLUSERSPROFILE%\StartMenu\Programs\Startupcontainingalluserssoftware.


CIS Sapienza

Persistence:creationofWindowsServices

• Windowsservicesareexecutableslaunchedinthebackgroundwithouthanyinteractionswiththeusers(like*nixdaemons);

• theycanbeconfiguredtobeautomaticallystartedduringthebootprocess;

• tipicallymalwaretrytocreatenewservices,moreovertheyusuallyimitatenamesofsystemservicestoremainhidden.


CIS Sapienza

Persistence:modification oftheMBRortheBIOS• It is anadvanced technique toachievepersistence;

• Advantages:– difficult todetect;– extremely difficult toremove.

• Disadvantages:– highdifficulty toapply this approach.


CIS Sapienza

Persistence:Exercise1AnalysiswithRegshot

• RestorethesnapshotSnapshot2oftheinternalVM;

• bootuptheVM;• useregshot todiscover which registry keys areused bymalwareImworm toobtainpersistence.


CIS Sapienza

Persistence:Exercise2AnalysiswithAutoruns

• RestoresnapshotSnapshot2oftheinternalVM;

• bootuptheVM;• useAutoruns todiscover someoftheeffectsofmalwareIMWorm onthesystems.


CIS Sapienza

Persistence:Exercise3AnalysiswithAutoruns

• RestoresnapshotSnapshot2oftheinternalVM;

• bootuptheVM;• useAutoruns todiscover someoftheeffectsofmalwareHydraq onthesystems.


CIS Sapienza

Outline



CIS Sapienza

CuckooSandbox

• Opensourcesystemtoautomatically analyzefiles andURLs;

• it tracks all theAPIs calls andthegeneralbehaviour ofthefile;

• it analyzesalso thenetworktraffic;• it allows anadvanced systemmemoryanalysis;


CIS Sapienza

CuckooSandbox

• it is developed inpython withamodularstructure,soit canbeeasily extended;

• it contains avery longlistofsignaturesofsuspicious behaviours;

• it allows thepossibility ofinteraction throughthree different interfaces:– Python scripts;– RESTAPIs;– Webinterface.


CIS Sapienza

Cuckoo Sandbox – Exercise 1

• Openterminalandsubmit amalwarewiththecommand:python /opt/cuckoo/utils/submit.pyfilename

• Cuckoo Sandbox assigns anIDtothesubmission;

• after acouple ofminuteschecks thedirectory/opt/cuckoo/storage/analyses/ID/reports/andopenthevarious reports.


CIS Sapienza

Cuckoo Sandbox – Exercise 2

• OpenFirefoxandtheCuckoo Sandboxbookmarks;

• logininthewebinterface (user:cuckoo,password:cuckoo);

• inspect thevarious sections ofthewebinterfaceandsubmit asampleusing thesubmission tab;

• after theendoftheanalysis,consult thereportinorder tounderstand its structure;


CIS Sapienza

Outline



CIS Sapienza

DLL/codeinjection

• This approach consists ofload amalicious DLLinto oneormoreprocesses;

• inthis waymalicious codewill beexecutedinto alegitimate process;

• this process canbeaneffective waytoovercome securitysoftware.


CIS Sapienza

DLL/codeinjection

• Main approaces are:– takeadvantagesofAppInit_DLLs registrykeythatcontainsthelistofalltheDLLthathavetobeloadedtogetherwithuser32.dll;

– manipulate existing processes through anexternaldynamic load.


CIS Sapienza

DLL/codeinjection:Exercise

• OpenCuckoo Sandbox WebInterface;• Submit– Parite– onlinegames 2;

• After theanalysis,checkreportstofind anyDLLinjection attack.

Documents

SES2017 - Dynamic Analysis · Dynamic Analysis Systems and Enterprise Security 2017-2018 Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]. Research Center for Cyber