Malware Lab for Dynamic Malware Analysis
Malware and its variants have been increasing exponentially over the past few years, so it is important for our customers and Incident Response team members to keep learning the new vectors and techniques attackers use to evade security controls and reach their goals. That is why I present an adapted methodology for dynamic malware analysis, based on standards and international methodologies such as:
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
- NIST SP 800-44, Guidelines on Securing Public Web Servers
- NIST SP 800-45, Guidelines on Electronic Mail Security
- RFC 3227, Guidelines for Evidence Collection and Archiving
- NIST SP 800-101, Guidelines on Mobile Device Forensics
- NIST SP 800-83, Guide to Malware Incident Prevention and Handling
- NIST Computer Forensics Tool Testing (CFTT) program
Carefully studying those documents produced a methodology of our own, one that adapts to the environment in which it is implemented. Its phases and steps include, but are not limited to, the following:
- Malware dynamic analysis laboratory. The lab gives a full picture of:
  - Network connection attempts to the C&C server.
  - The protocol (TCP/UDP) used to communicate with the C&C server.
  - Registry modifications.
  - File modifications.
  - System modifications.
- The algorithm used to perform the analysis:
  - Malware acquisition, integrity and authenticity (hash the sample on receipt so you can prove the file you detonate is the one you were given)
  - Minimum effort
  - Execute the malware binary in an isolated environment
  - Malware behavior analysis
  - Network forensic analysis, if necessary
  - Memory forensics, if necessary
  - Final report
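As an added example (my own code, not part of the original methodology and not RegShot), the following Python script applies the pre/post snapshot-and-compare idea that RegShot uses for the registry to the file system, so the files a sample adds, modifies or deletes are recorded together with hashes that double as IoCs; it also hashes the sample itself with MD5 and SHA-256 for the acquisition and integrity step. The directory layout, the constructed file contents and the winreg walk (Windows only, RegShot's own domain) are this example's assumptions.

```python
"""Pre/post snapshot and diff of a directory tree around a detonation.

Added example, not part of the original write-up or of RegShot: applies the
compare-two-snapshots idea to the file system (and, on Windows, to a registry
subtree via winreg), recording SHA-256 hashes so added or modified files can
be used as IoCs. Paths, sample bytes and hash choices are assumptions.
"""
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file once with several algorithms. MD5 alone is collision-prone,
    so SHA-256 is recorded beside it in the evidence record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot_tree(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, device nodes, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), hash_file(full, ("sha256",))["sha256"])
    return snap


def snapshot_registry(hive, subkey, max_depth=3):
    """Windows only: map 'key\\value' -> data under hive\\subkey, RegShot style.
    Returns {} on other platforms so the rest of the script stays portable."""
    try:
        import winreg
    except ImportError:
        return {}
    snap = {}

    def walk(key_path, depth):
        try:
            key = winreg.OpenKey(hive, key_path)
        except OSError:
            return
        with key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            for i in range(n_val):
                name, data, _type = winreg.EnumValue(key, i)
                snap[key_path + "\\" + name] = repr(data)
            if depth < max_depth:
                for i in range(n_sub):
                    walk(key_path + "\\" + winreg.EnumKey(key, i), depth + 1)

    walk(subkey, 0)
    return snap


def diff_snapshots(before, after):
    """Added, deleted and modified entries between two snapshots of any kind."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo_run():
    """Constructed stand-in for a detonation: build a small tree, snapshot it,
    simulate what a sample might do, snapshot again and return the diff."""
    root = tempfile.mkdtemp(prefix="lab-")

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    write("sample.exe", b"abc")  # the "sample" itself (constructed bytes)
    write("config.ini", b"proxy=on")
    write("victim.docx", b"document")
    sample_hashes = hash_file(os.path.join(root, "sample.exe"))
    before = snapshot_tree(root)

    # "Detonation": the sample drops a payload, edits a config and removes a file.
    write("AppData/Roaming/updater.exe", b"MZ\x90\x00")
    write("config.ini", b"proxy=off")
    os.remove(os.path.join(root, "victim.docx"))
    after = snapshot_tree(root)

    return {"sample": sample_hashes, "changes": diff_snapshots(before, after)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo_run(), indent=2))
```

On a Windows victim the same `diff_snapshots` works on two `snapshot_registry(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")` calls taken before and after detonation; take the snapshots before launching the sample and copy them off the box (the SSH client listed below is there for exactly that), since a sample that wipes the disk also wipes your baseline.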
The objective of this methodology is to show readers the importance of having a malware laboratory: it helps to understand how malware works and how it behaves once detonated on an isolated victim machine, so that the Incident Response team can prepare a better contingency plan. Mitigation depends on sufficient knowledge of the root cause and impact of the threat, and on the knowledge and skills to act on it. It is a time-sensitive step, and security practitioners benefit greatly from an integrated, centralized malware laboratory that shows all threat-related activity in one place, supports cross-organizational collaboration, knowledge bases and automated responses, and explains how the malware works and what impact it has on an infected host.
I propose implementing a malware laboratory in a production environment, and describe its benefits and how good dynamic malware analysis helps to understand how a piece of malware infects a machine and how effective it is. The lab does not change or replace any methodology or policy already in place for handling Incident Response alerts; rather, it feeds security intelligence into the detection and response life cycle.
The malware laboratory is composed of two virtual machines hosted on a single physical server or laptop and orchestrated by a hypervisor.
One virtual machine acts as the target (victim) computer and the second as a unified platform that manages, controls and analyzes the network traffic and events generated by the victim machine. These machines run the following tools:
Tools and Operating Systems
- Microsoft Windows 7 is one of the most common operating systems in companies around the world; the goal is to emulate a real environment, which gives a better understanding of the impact a malware infection would have on a real system.
- Microsoft Office 2010 lets suspicious documents be opened and detonated the way a real user would open them, showing the impact a malicious document has on a real system.
- Internet Explorer is one of the most common web browsers, so suspicious URLs and content are opened in what users actually run.
- SSH client (SSH Secure Shell). As we know, much malware encrypts the information stored on the endpoint once it runs. This client is used to upload logs, screenshots and pre-analysis reports to a safe location on the central server before the suspicious software is launched.
- Process Monitor (Procmon) monitors file system, registry and process/thread activity in real time.
- Process Explorer (procexp.exe) shows which handles and DLLs each process has opened or loaded.
- Sysmon, part of the Sysinternals suite, provides comprehensive monitoring of activity at the operating-system level. It runs in the background all the time and writes its events to the Windows event log.
- WinMD5 is freeware for Windows that calculates the MD5 hash (checksum) of a file. MD5 is enough to confirm that the sample you detonate is the one you received, but record a SHA-256 hash alongside it when you share indicators, since MD5 collisions are practical.
- RegShot is freeware for Windows that takes a snapshot of the registry before and after execution and compares the two. It gives an overview of every registry key and value the malware deletes, modifies or adds on the victim machine.
- Syslog Agent sends all logs generated by the operating system to the log analyzer while the malware executes, in case the malware erases the event log and cleans up its footprints, which would otherwise leave the analyst blind to its behavior.
- Wireshark. Some malware ignores the proxy settings and tries to contact the command and control server directly, or tries to spread to other hosts on the network. This tool lets the analyst capture every packet produced during the malware execution.
- Adobe Reader is used to open suspicious PDF files for analysis.
- Adobe Flash Player is used as an add-on in IE to open and run suspicious files.
- OSSEC is a powerful HIDS that is configured to monitor and report all possible IoCs, including the registry changes made during the malware execution, to the log analyzer.
- Ubuntu Server is a free Linux operating system: stable, flexible and lightweight.
- Squid proxy. The purpose of installing a proxy server is to:
  - Control the web traffic.
  - Record every single Internet attempt made by the malware, so that the record survives even if the LAN connection has to be cut in an emergency.
- Xplico is a network forensics analysis tool (NFAT): it reconstructs the application contents (web pages, e-mail, chat and so on) from captures acquired with a packet sniffer such as Wireshark, tcpdump or netsniff-ng.
- BIND is open-source software that provides DNS resolution and, at the same time, logs every DNS query performed during the malware execution.
- SSH Server is open-source software that lets you upload the results of the pre-detonation tasks to a safe location before launching the malware on the victim machine.
- DHCP Server is open-source software that hands out the network configuration to the victim machine.
- tcpdump captures every packet produced during the malware execution so it can be analyzed during the investigation phase.
- Graylog is the central management console and log store for all events generated during the malware execution.
- IPTables is a powerful open-source firewall that manages all network connections and, in an emergency, shuts down communication with the LAN.
Most of these tools are open source (GPL or similar licenses), so they do not impact the company's budget.
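As an added example, and not code from the original write-up nor from Squid, BIND or tcpdump, the script below correlates the three places where the central server records victim traffic (the Squid native access.log, the BIND query log and tcpdump -nn text output) into one list of network indicators: which hosts the victim resolved and contacted, over which protocol and port, and which connections bypassed the proxy. The victim and server addresses, the domain names and every log line are constructed for the example.

```python
"""Correlate the central server's logs into a network IoC list for one victim.

Added example, not part of the original write-up or of Squid, BIND or tcpdump:
parses one line format from each source, keeps only traffic originated by the
victim and flags connections that did not go through the lab server (proxy
bypass). All addresses, names and log lines below are constructed.
"""
import re
from collections import namedtuple

VICTIM_IP = "192.168.56.101"      # assumed victim address on the isolated LAN
LAB_SERVER_IP = "192.168.56.1"    # assumed central server (proxy/DNS/DHCP)

Indicator = namedtuple("Indicator", "source proto dest port detail")

# Squid native format: time elapsed client code/status bytes method URL ident hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)
# BIND query log; the optional "@0x..." token appears in newer BIND 9 builds
BIND_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)
# tcpdump -nn: "IP src.sport > dst.dport: Flags [S], ..." (TCP) or "...: UDP, length N"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_squid(line, victim=VICTIM_IP):
    m = SQUID_RE.match(line)
    if not m or m.group("client") != victim:
        return None
    host = re.sub(r"^\w+://", "", m.group("url")).split("/")[0]
    host, _, port = host.partition(":")        # CONNECT lines carry host:port
    detail = f"{m['method']} {m['code']} peer={m['peer']}"
    return Indicator("squid", "http", host, int(port or 80), detail)


def parse_bind(line, victim=VICTIM_IP):
    m = BIND_RE.search(line)
    if not m or m.group("client") != victim:
        return None
    return Indicator("bind", "dns", m.group("qname").rstrip("."), 53, m.group("qtype"))


def parse_tcpdump(line, victim=VICTIM_IP, lab_server=LAB_SERVER_IP):
    m = TCPDUMP_RE.search(line)
    if not m or m.group("src") != victim:        # drop replies and server traffic
        return None
    proto = "tcp" if m.group("rest").startswith("Flags") else "udp"
    direct = m.group("dst") != lab_server        # not the proxy/DNS: bypass attempt
    detail = "DIRECT (proxy bypass)" if direct else "via lab server"
    return Indicator("tcpdump", proto, m.group("dst"), int(m.group("dport")), detail)


def correlate(squid_lines=(), bind_lines=(), tcpdump_lines=()):
    """Unique indicators, sorted with proxy-bypass connections first."""
    found = set()
    for parser, lines in ((parse_squid, squid_lines), (parse_bind, bind_lines),
                          (parse_tcpdump, tcpdump_lines)):
        for line in lines:
            ind = parser(line)
            if ind:
                found.add(ind)
    return sorted(found, key=lambda i: (not i.detail.startswith("DIRECT"),
                                        i.source, i.dest, i.port))


def direct_connections(indicators):
    return [i for i in indicators if i.detail.startswith("DIRECT")]


# Constructed sample lines (not captured from any real incident)
SAMPLE_SQUID = [
    "1700000000.123    250 192.168.56.101 TCP_MISS/200 1450 GET http://evil.example/gate.php - HIER_DIRECT/203.0.113.5 text/html",
    "1700000001.456    120 192.168.56.101 TCP_TUNNEL/200 3210 CONNECT update.example:443 - HIER_DIRECT/203.0.113.9 -",
    "1700000002.000     10 192.168.56.1 TCP_HIT/200 500 GET http://ubuntu.example/ - HIER_NONE/- text/html",
]
SAMPLE_BIND = [
    "26-Oct-2023 12:00:00.456 client 192.168.56.101#51234 (evil.example): query: evil.example IN A + (192.168.56.1)",
    "26-Oct-2023 12:00:00.789 client @0x7f3a4c001230 192.168.56.101#51235 (c2.example): query: c2.example IN TXT + (192.168.56.1)",
]
SAMPLE_TCPDUMP = [
    "12:00:01.000001 IP 192.168.56.101.49700 > 203.0.113.5.4444: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000001 IP 192.168.56.101.49701 > 192.168.56.1.3128: Flags [S], seq 2, win 64240, length 0",
    "12:00:03.000001 IP 192.168.56.101.49702 > 198.51.100.7.1337: UDP, length 64",
    "12:00:04.000001 IP 203.0.113.5.4444 > 192.168.56.101.49700: Flags [S.], seq 9, ack 2, length 0",
]


def demo():
    return correlate(SAMPLE_SQUID, SAMPLE_BIND, SAMPLE_TCPDUMP)


if __name__ == "__main__":
    for ind in demo():
        print(f"{ind.source:8} {ind.proto:5} {ind.dest}:{ind.port}  {ind.detail}")
```

The tcpdump parser deliberately ignores ICMP and anything not sent by the victim, and the Squid parser ignores the server's own fetches; a direct TCP or UDP attempt to an address other than the lab server is the signal that the sample is not honouring the proxy, which is the case the Wireshark and tcpdump entries above exist for.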
Malware is now written with evasion techniques that detect whether it is running in a virtual machine or sandbox and, if so, stop executing. These are called anti-sandbox (anti-VM) techniques; to mention just a few, they can detect:
- CPU instructions whose results differ under a hypervisor (for example, the cpuid hypervisor bit or rdtsc timing)
- Known virtual-machine MAC address prefixes
- Processes that indicate a VM (such as the VMware Tools processes)
- Files that indicate a VM (guest-tool drivers, for example)
- Running services (the guest-tool services)
For this reason I definitely recommend that you harden your malware lab and test it, manually or automatically, with public scripts such as Pafish (Paranoid Fish, by Alberto Ortega). That way the malware is fooled into believing it runs on a real machine and executes in your lab environment.
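To make that hardening testable, here is an added example (my own code, not Pafish and not part of the original page) that checks the artifacts listed above over explicit inputs, so the same logic runs against constructed data here and against a live Windows guest through collect_live(). The vendor OUI, process, file and service tables are the commonly known guest-tool names; the hardening hints are suggestions, not vendor procedures; CPU-instruction checks (cpuid, rdtsc timing) need native code and are left to Pafish.

```python
"""Audit a lab VM for the artifacts sandbox-aware malware looks for.

Added example, not part of the original write-up or of Pafish. The check
logic takes explicit inputs (MAC addresses, process names, file paths,
service names) so it can run on constructed data or on a live Windows guest.
Tables hold the well-known hypervisor OUIs and guest-tool names; hints are
suggestions. CPU-instruction checks are out of scope here.
"""
import os
import subprocess
import sys
import uuid

VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:16:3e": "Xen", "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels", "52:54:00": "QEMU/KVM",
}
VM_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "vmacthlp.exe",
    "vboxservice.exe", "vboxtray.exe", "prl_tools.exe", "xenservice.exe",
}
VM_FILES = {
    r"C:\Windows\System32\drivers\vmmouse.sys", r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\VBoxMouse.sys", r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\drivers\VBoxSF.sys", r"C:\Windows\System32\vboxdisp.dll",
    r"C:\Program Files\VMware\VMware Tools", r"C:\Program Files\Oracle\VirtualBox Guest Additions",
}
VM_SERVICES = {"vmtools", "vmvss", "vboxservice", "vboxguest"}
HINTS = {
    "mac": "give the guest NIC a MAC with a non-hypervisor OUI in the VM settings",
    "process": "stop or uninstall the guest tools before detonation",
    "file": "remove or rename the guest-tool drivers and folders",
    "service": "disable or delete the guest-tool services",
}


def normalize_mac(mac):
    """Accept 00-0C-29-..., 00:0c:29:... or the int returned by uuid.getnode()."""
    if isinstance(mac, int):
        hexstr = "%012x" % mac
        mac = ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
    return mac.lower().replace("-", ":")


def flag_mac(mac):
    """Vendor name if the OUI belongs to a hypervisor, else None."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def audit(macs=(), processes=(), files=(), services=()):
    """Return (kind, item, why) for every artifact a sandbox check would hit."""
    findings = []
    for mac in macs:
        vendor = flag_mac(mac)
        if vendor:
            findings.append(("mac", normalize_mac(mac), vendor))
    for proc in processes:
        if proc.lower() in VM_PROCESSES:
            findings.append(("process", proc, "guest tools process"))
    known_files = {f.lower() for f in VM_FILES}
    for path in files:
        if path.lower() in known_files:
            findings.append(("file", path, "guest tools file/driver"))
    for svc in services:
        if svc.lower() in VM_SERVICES:
            findings.append(("service", svc, "guest tools service"))
    return findings


def report(findings):
    lines = [f"[{kind}] {item}: {why}; hint: {HINTS[kind]}" for kind, item, why in findings]
    return lines or ["no known VM artifacts found (CPU-level checks not covered here)"]


def collect_live():
    """Gather the live inputs on a Windows guest with the standard library only."""
    macs = [uuid.getnode()]
    procs, svcs = [], []
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
        procs = [l.split('","')[0].strip('"') for l in out.splitlines() if l.startswith('"')]
        out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                             capture_output=True, text=True).stdout
        svcs = [l.split(":", 1)[1].strip() for l in out.splitlines() if l.startswith("SERVICE_NAME")]
    files = [f for f in VM_FILES if os.path.exists(f)]
    return audit(macs, procs, files, svcs)


# Constructed inputs standing in for ipconfig /all, tasklist and sc query output
SAMPLE_MACS = ["00-0C-29-3A-4B-5C", "52:54:00:12:34:56"]
SAMPLE_PROCESSES = ["explorer.exe", "vmtoolsd.exe", "VBoxTray.exe"]
SAMPLE_FILES = [r"C:\Windows\System32\drivers\vmmouse.sys"]
SAMPLE_SERVICES = ["Dhcp", "VMTools"]


def demo():
    return audit(SAMPLE_MACS, SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_SERVICES)


if __name__ == "__main__":
    for line in report(collect_live() if sys.platform == "win32" else demo()):
        print(line)
```

Run it on the guest after each hardening pass until the report is empty, then run Pafish for the CPU-level checks this script does not cover; keep in mind that removing guest tools also removes the shared-folder and clipboard conveniences, so plan the SSH-based upload of pre-detonation results before you strip them.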
The central server has two virtual interfaces: one communicates with your ISP, mainly for Internet browsing, and the second creates an isolated LAN between the target machine and the central server. The isolated LAN carries the lab services described above (DHCP, DNS through BIND, the Squid proxy, SSH and the syslog collection into Graylog).
All these services on the isolated LAN are monitored by the central server and managed with the IPTables firewall. The following image illustrates the infrastructure:
This environment is not limited to this layout: the virtual environment can be scaled up to a realistic one including AD servers, web servers, FTP servers, virtual switches and different DMZ zones. I leave that part to your imagination and needs.
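The IPTables policy on the central server, as an added example that is not part of the page or of any project: a small generator for the three states the lab needs. In proxy-only mode the victim only reaches the proxy, DNS and log collectors on the server and direct Internet attempts are logged and dropped; in nat mode direct traffic is forwarded through the ISP interface so real C&C attempts can be observed; isolate is the kill switch, where everything from the victim is logged and dropped, established flows included. Interface names, addresses and service ports are assumed defaults for the example, not values from the page.

```python
"""Generate (and optionally apply) the iptables policy for the central server.

Added example, not from the original write-up. Rules are built as argv lists so
they can be reviewed or tested without root; apply_rules(dry_run=False) runs
them. Interface names, the LAN prefix and the ports are assumptions.
"""
import subprocess

LAN_IF, WAN_IF = "eth1", "eth0"        # assumed: eth1 = isolated LAN, eth0 = ISP side
VICTIM_NET = "192.168.56.0/24"         # assumed isolated LAN
LAB_PORTS = {                          # assumed default ports of the lab services
    "udp": [67, 53, 514, 1514],        # DHCP, DNS, syslog, OSSEC agent
    "tcp": [53, 3128, 22],             # DNS, Squid, SSH
}
MODES = ("proxy-only", "nat", "isolate")


def build_rules(mode):
    """Return the ordered iptables rules (without the 'iptables' word) for mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")
    base = [
        ["-F", "INPUT"], ["-F", "FORWARD"], ["-t", "nat", "-F", "POSTROUTING"],
        ["-P", "FORWARD", "DROP"],
    ]
    # Whatever the victim sends beyond the allowed services is evidence: log, then drop.
    lan_log_drop = []
    for chain in ("INPUT", "FORWARD"):
        lan_log_drop.append(["-A", chain, "-i", LAN_IF, "-j", "LOG",
                             "--log-prefix", f"LAB-{mode}-{chain}: "])
        lan_log_drop.append(["-A", chain, "-i", LAN_IF, "-j", "DROP"])
    if mode == "isolate":
        # Kill switch: LAN traffic is dropped before any stateful ACCEPT, so
        # flows that were already established are cut as well.
        return base + lan_log_drop

    rules = base + [
        ["-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["-A", "FORWARD", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    for proto, ports in LAB_PORTS.items():     # the lab services the victim may use
        for port in ports:
            rules.append(["-A", "INPUT", "-i", LAN_IF, "-p", proto,
                          "--dport", str(port), "-j", "ACCEPT"])
    if mode == "nat":                          # let direct C&C attempts out, masqueraded
        rules.append(["-A", "FORWARD", "-i", LAN_IF, "-o", WAN_IF,
                      "-s", VICTIM_NET, "-j", "ACCEPT"])
        rules.append(["-t", "nat", "-A", "POSTROUTING", "-o", WAN_IF,
                      "-s", VICTIM_NET, "-j", "MASQUERADE"])
    return rules + lan_log_drop


def render(rules):
    """Shell-ready lines, quoting arguments that contain spaces (the log prefix)."""
    return ["iptables " + " ".join(a if " " not in a else f'"{a}"' for a in rule)
            for rule in rules]


def apply_rules(mode, dry_run=True):
    """Print-only by default; with dry_run=False each rule is executed (needs root)."""
    rules = build_rules(mode)
    if not dry_run:
        for rule in rules:
            subprocess.run(["iptables", *rule], check=True)
    return render(rules)


if __name__ == "__main__":
    import sys
    for line in apply_rules(sys.argv[1] if len(sys.argv) > 1 else "proxy-only"):
        print(line)
```

The LOG lines land in the kernel log, which the syslog path already ships to Graylog, so a victim that tries port 4444 directly shows up there even when it never reaches the proxy; switching to isolate is a one-liner during an incident, and the policy on INPUT is intentionally left untouched so the analyst's own SSH session from the ISP side survives the kill switch.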
Dynamic Malware Analysis cycle