Sunday, August 19, 2012

Quick and Dirty Python Malware Static Analysis script




I'm still having fun going through the Practical Malware Analysis book, but I started getting tired of all of the various tools presented in this book and others (Malware Analyst's Cookbook and Gray Hat Python). So I decided to use Python scripts to automate the process of analyzing malware, starting with the pefile module that I covered in my previous write-up.

I then added the strings command to my script to ensure that I was able to read the string information from within my Python script, and I also located a great PowerPoint presentation, "Win32 Static Analysis in Python" by Ero Carrera of Sabre Security GmbH (http://www.recon.cx/en/f/lightning-ecarrera-win32-static-analysis-in-python.pdf). It provides pretty much all of the code for the other portions of the script -
#Section Inspection
#Inspecting the Headers
#Imports

I have yet to see the def H(data): function work; I am curious about its functionality and will test it on other malware examples. (Stay tuned)

Now that I have a great start for analyzing malware statically in a 32-bit environment, I will continue refining this script to make the output prettier and to filter out some of the garbage.

To Do:
  • Submit the file to VirusTotal or other online submission services - the code is in the Malware Analyst's Cookbook
  • Compute a hash and update my DB with the values
  • Filter out garbage data whenever possible
  • Work with the various debuggers, including Immunity Debugger, and try to script most of the actions required to analyze malware in the same way.
  • Start working with the debuggers



Working version of my script


###########################################################################


import math
import os
import sys

import pefile

# Default sample path; pass a different file on the command line to override it.
path = 'C:/admin/Practical Malware Analysis Labs/BinaryCollection/Chapter_3L/Lab03-01.exe'
if len(sys.argv) > 1:
    path = sys.argv[1]
pe = pefile.PE(path)


def H(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0).
    Ordinary code and text score roughly 4 to 6.5; packed or encrypted
    sections approach 8, which is the usual static hint that a packer is in play."""
    if not data:
        return 0

    entropy = 0
    for x in range(256):
        p_x = float(data.count(chr(x))) / len(data)
        if p_x > 0:
            entropy += - p_x * math.log(p_x, 2)

    return entropy

#Strings ########################################################################

# Runs the Sysinternals strings tool and lets it print straight to the screen;
# strings.exe must be in your Windows PATH. Note that os.system() only returns
# the exit status, so the text itself is not captured in the variable.

try:
    status = os.system("strings " + "\"" + path + "\"")
except OSError:
    print "Could not run strings"

#Section Inspection #############################################################

print "\n"
print "This will print the Section inspection information"
print "\n"
for section in pe.sections:
    print (section.Name.rstrip('\x00'),
           hex(section.VirtualAddress),
           hex(section.Misc_VirtualSize),
           section.SizeOfRawData)

#Inspecting the Headers
###############################################################################

print "\n"
print "This will print the Headers in the file"
print "imageBase -->", hex(pe.OPTIONAL_HEADER.ImageBase)
print "AddressOfEntryPoint -->", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
print "NumberofSections -->", hex(pe.FILE_HEADER.NumberOfSections)
print "\n"
################################################### Section Data / Entropy

for section in pe.sections:

    try:
        print section.Name.rstrip('\x00')
        # get_data() returns the section's raw bytes. Passing section.data
        # raised inside this try, so the except branch fired every time.
        print H(section.get_data())
    except Exception:
        print ("No Section Data File")

# Imports
###############################################################

print "\n"
print "This will print the import of the file"
print "\n"

# A packed sample often has a tiny import table (LoadLibrary/GetProcAddress only)
# and some have none at all, in which case pefile never creates this attribute.
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print entry.dll
        for imp in entry.imports:
            print '\t', hex(imp.address), imp.name
else:
    print "No import directory found"

############################################################################
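The script above leans on pefile and on the external strings binary. As an added example (not part of the original post, and not code from Ero Carrera's presentation or from pefile), here is a Python 3 rewrite of the same static checks that needs only the standard library: it parses the DOS, COFF and optional headers plus the section table with struct, computes per-section Shannon entropy, pulls printable strings with a regex instead of shelling out, and computes the MD5 and SHA-256 from the to-do list. The PE32 image it analyzes is constructed inline (a throwaway byte blob, not a real sample), so it runs offline. The 7.0 bits-per-byte threshold and the "raw size zero but virtual size non-zero" rule are assumptions used as a packer heuristic, not something pefile or the book prescribes.

```python
import hashlib
import math
import re
import struct


def shannon_entropy(data):
    """Shannon entropy of a bytes object in bits per byte (0.0 to 8.0).
    Plain x86 code lands around 5-6.5; packed or encrypted sections push past 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Pull the same header and section facts the pefile script prints, from raw bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size                    # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return {"machine": machine, "image_base": image_base,
            "entry_point": entry, "sections": sections}


def analyze(blob, min_len=4):
    """Hashes, printable strings, headers, per-section entropy and a packer heuristic."""
    info = parse_pe(blob)
    info["md5"] = hashlib.md5(blob).hexdigest()
    info["sha256"] = hashlib.sha256(blob).hexdigest()
    info["strings"] = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    # Heuristic (assumption): entropy above 7 bits/byte, or a section with no raw
    # data but a virtual size (the unpacking area of UPX-style packers), suggests packing.
    info["suspicious_sections"] = [
        s["name"] for s in info["sections"]
        if s["entropy"] > 7.0 or (s["raw_size"] == 0 and s["virtual_size"] > 0)
    ]
    return info


def build_sample_pe():
    """Constructed, non-runnable PE32 image for offline testing (not real malware)."""
    text = b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"Hello from .text\0" + b"\0" * 100
    packed = bytes((i * 73 + 11) % 256 for i in range(512))   # every byte value twice: entropy 8.0
    headers_size = 0x200
    section_headers, raw_data, raw_off = b"", b"", headers_size
    for name, vaddr, data in ((b".text", 0x1000, text), (b"UPX1", 0x2000, packed)):
        section_headers += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                                       raw_off, 0, 0, 0, 0, 0x60000020)
        raw_data += data
        raw_off += len(data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x102)         # i386, 2 sections
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, len(text), len(packed), 0,
                      0x1000, 0x1000, 0x2000, 0x400000).ljust(96, b"\0")
    headers = (dos + b"PE\0\0" + coff + opt + section_headers).ljust(headers_size, b"\0")
    return headers + raw_data


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    print("md5 %s  sha256 %s" % (report["md5"], report["sha256"]))
    print("ImageBase 0x%x  EntryPoint 0x%x" % (report["image_base"], report["entry_point"]))
    for s in report["sections"]:
        print("%-8s VA 0x%06x raw %5d entropy %.2f" % (s["name"], s["virtual_address"],
                                                        s["raw_size"], s["entropy"]))
    print("suspicious:", report["suspicious_sections"])
```

To run it against a real sample, replace build_sample_pe() with open(path, "rb").read(). The entropy numbers agree with what pefile's section.get_data() feeds into H(); the difference is that a section flagged here tells you to reach for UPX or a debugger before bothering with the import list.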


Sunday, August 12, 2012

Building a Practical Malware Analysis Environment using (Snort, SPLUNK, Python, Eclipse, md5deep, Dependency Walker, PeFile, UPX, WireShark, Nessus and VirtualBox)


This is my documentation space for future reference(s) in my current Malware Analysis adventure using the "Practical Malware Analysis" (The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig) book that I picked up at BlackHat this year.

The book's downloads can be located at the following -


There is an unencrypted file version and you can also download the encrypted files at the following location -



I will also post all supported files used in this project in my DropBox folder for future references.

Please note: there is heavy reliance on https://www.virustotal.com/ to scan all malware-ridden executables.

As part of this malware analysis project, I will also use Snort and SPLUNK on the host machine in order to monitor the various logs coming from the VirtualBox PC on my network. The traffic should hold some very valuable information and lessons learned; please see my blog post concerning Splunk on Ubuntu.

http://ubuntumongol.blogspot.com/2012/07/installing-and-using-splunk-on-ubuntu.html

Here are my notes concerning Snort and installing it on my Ubuntu box with a VirtualBox interface.




sudo apt-get install snort

sudo snort -v -i vboxnet0 -c /etc/snort/snort.conf -l /var/log/snort/


Starting this on my Ubuntu system was a slight pain, since I am using Firestarter to manage my firewall logs and I had to ensure that my wlan interface allowed internet sharing in order for my host box to communicate with my VirtualBox implementation.


Please see screenshot below for VirtualBox settings -





This is my FireStarter Setting to allow for network connectivity between my host system and virtualbox testing station.




Here is a quick reference on how to set up a quick dashboard in Splunk to monitor my /var/log/snort/ logs:

  1. The first step is to ensure that you have included the snort logs in the data repository.

  2. The next step is to click on Files & Directories and ensure that it contains the correct file location; if you are using the *nix download then /var/log should be set by default.
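Whatever dashboard is built on top, Splunk has to extract the same handful of fields from each alert line. The following Python 3 script is an added example, not code from the original post: it parses Snort lines in the single-line alert_fast layout (assumption: your snort.conf writes `output alert_fast`; the multi-line "full" format will not match), skips anything that is not an alert, and aggregates by priority and signature the way a first dashboard panel would, plus the list of outside hosts the lab VM reached out to, which is the column a malware analyst cares most about. The alert lines are constructed for the example, and the 192.168.56.0/24 lab range is an assumption matching VirtualBox's default host-only network.

```python
import re
from collections import Counter

# Snort alert_fast line layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Host-only network the lab VM sits on (assumption; adjust to your vboxnet0 range).
LAB_PREFIX = "192.168.56."


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    rec["sig"] = "%s:%s:%s" % (rec["gid"], rec["sid"], rec["rev"])
    return rec


def summarize(lines):
    """Aggregate alert lines the way a first dashboard panel would."""
    by_priority = Counter()
    by_signature = Counter()
    vm_destinations = set()
    skipped = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:          # startup banners, stats lines, blank lines
            skipped += 1
            continue
        by_priority[rec["prio"]] += 1
        by_signature[rec["msg"]] += 1
        # Outbound connections from the sandbox are the candidate C2 / download hosts.
        if rec["src"].startswith(LAB_PREFIX) and not rec["dst"].startswith(LAB_PREFIX):
            vm_destinations.add(rec["dst"])
    return {
        "by_priority": dict(by_priority),
        "top_signatures": by_signature.most_common(3),
        "vm_destinations": sorted(vm_destinations),
        "skipped": skipped,
    }


# Constructed sample lines (not captured from a real run) in the alert_fast layout.
SAMPLE_ALERTS = [
    "08/19-14:02:11.104233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 93.184.216.34:80 -> 192.168.56.101:49152",
    "08/19-14:02:15.550120  [**] [1:1000001:1] LAB outbound HTTP from sandbox [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.101:49160 -> 93.184.216.34:80",
    "08/19-14:02:16.010007  [**] [1:1000001:1] LAB outbound HTTP from sandbox [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.101:49161 -> 198.51.100.7:8080",
    "08/19-14:03:40.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.1",
    "Commencing packet processing (pid=4242)",   # startup noise, not an alert
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_ALERTS))
```

Point it at the real file with summarize(open("/var/log/snort/alert")) once you have confirmed the output format; if the first line of that file does not match ALERT_RE, check the output plugin in snort.conf before blaming the regex.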







  • Fingerprint the Malware using MD5 hashes -

Need to install md5deep

http://md5deep.sourceforge.net/

Download strings and place it on my XP system and utilize this to read any text in any executable.

http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

Install dependency walker
"Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules." http://www.dependencywalker.com/

- Download PEiD to detect packed files (pefile also ships peutils, a Python module that parses PEiD's signature databases) and install it on my XP system.

I started looking for a compatible Windows PEiD on the internet without any luck, so I decided to deviate from the book's examples and utilize Python in the Windows environment, since most of my favorite code is written in Python. See Step 7.

Install Python on Windows

I will install Python 2.5 only because I also work with the Gray Hat Python book and will utilize this environment image for all of those fun activities.

http://www.python.org/ftp/python/2.5/python-2.5.msi


Install Eclipse with Python on Windows -

http://www.rose-hulman.edu/Class/csse/resources/Eclipse/eclipse-python-configuration.htm


Installing pefile for Python so that I can write my own scripts to work with portable executables.


pefile
pefile is a Python module to read and work with PE (Portable Executable) files


http://code.google.com/p/pefile/downloads/detail?name=pefile-1.2.10-118.zip&can=2&q=

I created a quick Python script to read all of the PE information for the book's examples,

Code - pefile_dump.py
------------------------------------------------------
import pefile
import sys

pe = pefile.PE (sys.argv[1])
print pe.dump_info()
-------------------------------------------------------

Usage

python pefile_dump.py Lab01-01.exe


I did find a really great and functional Windows GUI tool that will perform the same function but with XML reporting capabilities, so it will save some serious programming


http://www.winitor.com/


Download UPX for packed files

http://upx.sourceforge.net/



Download Wireshark and install on Client and Host System

http://www.wireshark.org/download.html

Download Nessus and install on the Host and Client System

http://www.nessus.org/products/nessus/select-your-operating-system


The Last step is to take a snapshot and backup your VirtualBox image to revert back to a clean operating system state when playing with malware.

Sunday, July 15, 2012

Installing and Using SPLUNK on Ubuntu to index/monitor audit, snort, router and any other logs on my Linux system(s)

Recently, I started using SPLUNK for most of my log monitoring activities and I wanted to document some of my actions for future reference.

The first step is to install SPLUNK on Ubuntu.

You will have to register with the website to obtain the download files. The download comes with a temporary enterprise license; after this license expires it defaults to the 500 MB per day license, without some of the enterprise functionality. This free license is still useful for monitoring logs on systems that do not require more than 500 MB per day of data processing.
http://www.splunk.com/download/?ac=ga0508_s_splunk&_kk=download%20splunk&_kt=0d0ee68f-00b5-441f-966d-e7b6c9228ad1&gclid=CLT9oK6jnLECFQ5Thwod-HNhfw

I installed and utilized the following version on my 32 bit system :
splunk-4.3.3-128297-linux-2.6-intel.deb

Once SPLUNK is installed you will need to start the service with the following command:
sudo /opt/splunk/bin/splunk start

You can also stop and restart it with the following commands:
sudo /opt/splunk/bin/splunk start | restart | stop

Go to the following location to access the web interface:


The web interface will provide a logon screen with the following default login credentials:

Login = admin
Password = changeme

Once you enter the above information, you will be given the chance to change the default password. Do this before exposing the web interface to anything beyond localhost; admin/changeme is the first credential anyone tries against a Splunk instance.

Once this is all done you will be taken to the following screen -





Click on App -> *nix


This app will provide most capabilities necessary to manage your host system - 


I have been utilizing the Log Files functionality to manage my audit logs, snort logs, and pretty much all of my logs in "/var/log/*"

As you can see below - rkhunter, audit.log, and I am also monitoring my router's logs -




The best part of Splunk's capabilities is that the application does not care what type of data it indexes; you can index pretty much any type of data.


The dashboard and command interface are huge benefits that SPLUNK provides.

You can enter any search command in the bar, and for any object you select in the web interface it will automatically build the corresponding search string for future use or reference.


I've barely scratched the surface of SPLUNK's capabilities and usefulness and I will post in future blogs my Snort Dashboard and some great reports that it provides through the pre-built *nix and advanced searches- 









I have spent many years importing data into MySQL and writing programs in C, C++, Perl, Python, etc. to parse these logs and import the results into Excel for these types of reports, and I really appreciate these pre-built capabilities.


Useful Links -
Splunk Log Analysis: Overview of cheat sheets, documents and other useful resources (Google Docs)
https://docs.google.com/document/d/1RXKG0NsnGApEu4mBlQV_frGEWb8V95UMYKkyOU7oJK0/edit?pli=1