Sunday, August 12, 2012

Building a Practical Malware Analysis Environment using (Snort, SPLUNK, Python, Eclipse, md5deep, Dependency Walker, PeFile, UPX, WireShark, Nessus and VirtualBox)


This is my documentation space, for future reference, for my current malware analysis adventure using the "Practical Malware Analysis" book (The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig) that I picked up at BlackHat this year.

The book's downloads can be located at the following -


There is an unencrypted version of the files, and you can also download the encrypted files at the following location -



I will also post all supporting files used in this project in my DropBox folder for future reference.

Please note: there is heavy reliance on https://www.virustotal.com/ to scan all malware-ridden executables.

As part of this malware analysis project, I will also implement Snort and Splunk on the host machine in order to monitor the various logs coming from the VirtualBox PC on my network. The traffic should hold some very valuable information and lessons learned; please see my blog post concerning Splunk on Ubuntu.

http://ubuntumongol.blogspot.com/2012/07/installing-and-using-splunk-on-ubuntu.html

Here are my notes on Snort and installing it on my Ubuntu box with a VirtualBox interface.




sudo apt-get install snort

sudo snort -v -i vboxnet0 -c /etc/snort/snort.conf -l /var/log/snort/


Starting this on my Ubuntu system was a slight pain, since I am using Firestarter to manage my firewall logs, and I had to ensure that my wlan interface allowed internet sharing so that my host box could communicate with my VirtualBox implementation.


Please see screenshot below for VirtualBox settings -





This is my Firestarter setting to allow network connectivity between my host system and the VirtualBox testing station.




Here is a quick reference on how to set up a quick dashboard in Splunk to monitor my /var/log/snort/ logs:

  1. The first step is to ensure that you have included the snort logs into the data repository -


  2. The next step is to click on Files & Directories and ensure that it contains the correct file location; if you are using the *nix download, then /var/log should be set by default.







  • Fingerprint the Malware using MD5 hashes -

Need to install md5deep

http://md5deep.sourceforge.net/

Download Strings, place it on my XP system, and use it to read any printable text in an executable.

http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

Install Dependency Walker
"Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules." http://www.dependencywalker.com/

- Download PEiD to detect packed files (there is also a pefile Python script that will parse PEiD's signature databases) and install it on my XP system.

I started looking for a compatible Windows PEiD on the internet without any luck, so I decided to deviate from the book's examples and use Python in the Windows environment, since most of my favorite code is written in Python. See Step 7.

Install Python on Windows

I will install Python 2.5 only because I also work with the Gray Hat Python book and will utilize this environment image for all of those fun activities.

http://www.python.org/ftp/python/2.5/python-2.5.msi


Install Eclipse with Python on Windows -

http://www.rose-hulman.edu/Class/csse/resources/Eclipse/eclipse-python-configuration.htm


Installing pefile for Python so that I can write my own scripts to work with Portable Executables.


pefile
pefile is a Python module to read and work with PE (Portable Executable) files


http://code.google.com/p/pefile/downloads/detail?name=pefile-1.2.10-118.zip&can=2&q=

I created a quick Python script to read all of the PE information for the book's examples:

Code - pefile_dump.py
------------------------------------------------------
import pefile
import sys

# Usage: python pefile_dump.py <pe file>
if len(sys.argv) != 2:
    sys.exit("usage: python pefile_dump.py <pe file>")

# Parse the headers, sections and data directories, then print the full dump
pe = pefile.PE(sys.argv[1])
print(pe.dump_info())
-------------------------------------------------------

Usage

python pefile_dump.py Lab01-01.exe


I did find a really great and functional Windows GUI tool that performs the same function but with XML reporting capabilities, so it will save some serious programming:


http://www.winitor.com/


Download UPX for packed files

http://upx.sourceforge.net/
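As an added example (not code from the original post, pefile or UPX), here is a Python 3 script using only the standard library that ties together the MD5 fingerprint, the PEiD-style packer check and the pefile-style section dump from the steps above: it walks the DOS header, PE signature and section table itself, flags UPX-named sections and high-entropy sections, and runs against a constructed in-memory stand-in for a UPX-packed file because no lab binary is on the page. It assumes Python 3 rather than the 2.5 install used above.

```python
import hashlib
import math
import struct

def shannon_entropy(data):
    """Bits per byte of a section; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(blob):
    """DOS header -> PE signature -> section table; returns (name, raw_ptr, raw_size, entropy)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes) follows the signature
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # section table sits right after the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return out

def triage(blob):
    """MD5 fingerprint plus two packer tells: UPX-style section names and high-entropy sections."""
    secs = parse_sections(blob)
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sections": [s[0] for s in secs],
            "upx_names": any(s[0].startswith("UPX") for s in secs),
            "high_entropy": [s[0] for s in secs if s[3] > 7.0]}

def build_sample_pe():
    """Constructed stand-in for a UPX-packed file (not a real executable): UPX0 empty, UPX1 uniform bytes."""
    opt = b"\0" * 0xE0  # zeroed PE32 optional header; only its size matters for the section table offset
    raw_start = 0x40 + 4 + 20 + len(opt) + 40 * 2  # all headers plus two section entries
    packed = bytes(range(256)) * 4  # every byte value equally often -> entropy 8.0
    def sec(name, ptr, size):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to the PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)  # i386, two sections
    return dos + b"PE\0\0" + coff + opt + sec(b"UPX0", 0, 0) + sec(b"UPX1", raw_start, len(packed)) + packed
```

Run `triage(open("Lab01-01.exe", "rb").read())` to apply it to a lab sample instead of the constructed stand-in; a high-entropy section without UPX names still points at some other packer or encrypted payload.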



Download Wireshark and install on Client and Host System

http://www.wireshark.org/download.html

Download Nessus and install on the Host and Client System

http://www.nessus.org/products/nessus/select-your-operating-system


The last step is to take a snapshot and back up your VirtualBox image so you can revert to a clean operating-system state when playing with malware.

2 comments:

  1. Hi ubuntumongol
    I want to ask: I have installed VirtualBox on my laptop with only one physical wireless NIC. I installed Snort on Ubuntu with two virtual NICs. The two virtual NICs use a bridged adapter to the single physical NIC on my laptop. One virtual NIC I set to promiscuous mode and the other one is non-promiscuous with an IP address (for management). But it seems it doesn't work. I cannot sniff any traffic.

  2. Hello termvri,

    I had the same issues until I configured my iptables with the Firestarter GUI; please see the screenshot after the VirtualBox setup.

    I hope this helps
