Research Center for Cyber Intelligence and Information Security
CIS Sapienza

Dynamic Analysis
Systems and Enterprise Security 2017-2018
Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
Virtual Machine [VM]
• A VM emulates the behaviour of a full physical machine, in which it is possible to run the desired operating system:
– Host: the machine on which the VM software runs.
– Guest: the VM itself.
• A VM provides a fake and separate environment;
• it is possible to execute suspicious software in isolation.
Virtual Machine [VM]: Snapshot
• Many virtualization software products provide the possibility to create snapshots;
• a snapshot represents a photograph of the current state of the VM;
• it allows restoring a previous state of the system.
Virtual Machine [VM]: Snapshot
• Snapshots are an important resource for dynamic malware analysis; in fact, analysts:
– create and configure a VM;
– create a snapshot of the VM, ready for the analysis;
– run the malware;
– study the execution and the effects of the sample;
– restore the snapshot in order to be ready for the next analysis.
Virtual Machine [VM]: VirtualBox [1]
• VirtualBox is an open-source virtualization software developed for Windows, Linux and macOS;
• it allows the execution of various operating systems, including Windows, Linux and *BSD;
• it offers a snapshot system to save and restore the state of the VM.
[1] https://www.virtualbox.org
Virtual Machine [VM]: Snapshot Exercise
• Boot up the VM;
• open VirtualBox in the VM;
• restore the snapshot Snapshot2;
• start the VM cuckoo1;
• observe the state of the VM, trying to execute some malware;
• shut down the VM and restore the snapshot Snapshot1;
• run the VM again and observe any changes.
Sandbox
• It consists of executing the malware in a controlled environment in order to observe the malware behavior;
• this approach uses emulation or virtualization software products to execute malware in isolation;
• a sandbox can produce in-depth reports, using signatures to detect patterns of actions;
• it can also provide additional information like the files created or the network traffic generated by the sample.
Outline: Manual dynamic analysis tools
RegShot
• It is an open-source utility to compare instances of the Windows registry;
• it enables storing the current state of the registry and comparing it with another one created after some modifications;
• it is widely used to discover which registry keys are modified by the malware execution.
RegShot – Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• run the executable regshot in the Regshot folder on the desktop;
• use 1st shot to store the current state of the registry;
• change the desktop background;
• use 2nd shot to store the new state of the registry;
• compare the 2 snapshots with compare;
• change the logs format to HTML;
• use clear to delete the 2nd shot;
• perform a new comparison and observe the differences in the report.
AutoRuns
• Utility developed directly by Microsoft;
• it allows an easy inspection of different aspects of the operating system, like:
– the system locations to modify in order to load applications during the OS boot;
– Explorer extensions;
– toolbars.
AutoRuns – Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• launch Autoruns; if asked, accept the EULA;
• observe the various tabs;
• save the current state of the software;
• modify/delete some elements;
• use compare in the File menu to perform a comparison with the previously saved state.
Outline: Analysis of persistence
Persistence
• Set of techniques that guarantee that malware survives a system reboot;
• currently, the main approaches are four:
– creation or modification of registry keys;
– creation of files in startup locations;
– creation of Windows Services;
– modification of the Master Boot Record (MBR) or the BIOS.
Persistence: creation or modification of registry keys
• The Windows registry contains information about what must be started at boot, like:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
• this approach consists of creating or modifying these keys to launch the malware at startup.
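The comparison RegShot performs, and the reason it finds persistence, is easy to see in a small script. The following is an added example written for these notes; it is not the slides' own material and not RegShot's code. A snapshot is modelled as a dict mapping a registry key path to a dict of value name -> data, the two snapshots SHOT1 and SHOT2 are constructed sample data (a second shot taken after a hypothetical sample wrote a Run value and a new key, with the desktop wallpaper changed as in the exercise), and WATCHED_KEYS is the list of autostart locations above plus the key that holds AppInit_DLLs.

```python
"""Regshot-style comparison of two registry snapshots.

Added example for this lecture; not the slides' own material and not
Regshot's code.  A snapshot is a dict: key path -> {value name: data}.
SHOT1 and SHOT2 below are constructed sample data."""

# Autostart locations from the lecture, plus the key that holds AppInit_DLLs;
# a new or changed value here means something runs at boot or logon.
WATCHED_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",  # AppInit_DLLs
)


def diff_snapshots(shot1, shot2):
    """Group the differences the way Regshot's report does:
    keys added/deleted and values added/deleted/modified."""
    diff = {"keys_added": sorted(set(shot2) - set(shot1)),
            "keys_deleted": sorted(set(shot1) - set(shot2)),
            "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(set(shot1) | set(shot2)):
        v1, v2 = shot1.get(key, {}), shot2.get(key, {})
        for name in sorted(set(v2) - set(v1)):
            diff["values_added"].append((key, name, v2[name]))
        for name in sorted(set(v1) - set(v2)):
            diff["values_deleted"].append((key, name, v1[name]))
        for name in sorted(set(v1) & set(v2)):
            if v1[name] != v2[name]:
                diff["values_modified"].append((key, name, v1[name], v2[name]))
    return diff


def persistence_changes(diff):
    """Keep only added or modified values under a watched autostart key
    (case-insensitive prefix match on the key path)."""
    watched = tuple(k.lower() for k in WATCHED_KEYS)
    return [c for c in diff["values_added"] + diff["values_modified"]
            if c[0].lower().startswith(watched)]


def report(diff):
    """Render the diff as text, one group per section, like Regshot's log."""
    lines = []
    for label in ("keys_added", "keys_deleted", "values_added",
                  "values_deleted", "values_modified"):
        lines.append(f"{label}: {len(diff[label])}")
        for change in diff[label]:
            lines.append("    " + (" | ".join(map(str, change))
                                   if isinstance(change, tuple) else change))
    return "\n".join(lines)


# Constructed sample snapshots (not real Regshot output).
SHOT1 = {
    r"HKCU\Control Panel\Desktop": {
        "Wallpaper": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
}
SHOT2 = {
    r"HKCU\Control Panel\Desktop": {
        "Wallpaper": r"C:\Users\analyst\Pictures\beach.jpg"},  # wallpaper changed, as in the exercise
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "WindowsUpdate": r"C:\Users\analyst\AppData\Roaming\wupdate.exe"},  # hypothetical sample's autorun
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    r"HKCU\Software\SampleMalware": {"Installed": "1"},  # new key created by the hypothetical sample
}

if __name__ == "__main__":
    d = diff_snapshots(SHOT1, SHOT2)
    print(report(d))
    print("persistence-relevant changes:")
    for change in persistence_changes(d):
        print("   ", " | ".join(map(str, change)))
```

The wallpaper change shows up in values_modified, exactly the noise the exercise asks you to notice; only the new Run value survives the persistence_changes filter, which is the kind of entry to look for when running the same comparison around a malware execution.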
Persistence: creation of files in startup locations
• During the boot, the Windows OS checks some directories which contain software to start, like:
– %USERPROFILE%\Start Menu\Programs\Startup, containing single-user software;
– %ALLUSERSPROFILE%\Start Menu\Programs\Startup, containing all-users software.
Persistence: creation of Windows Services
• Windows services are executables launched in the background without any interaction with the users (like *nix daemons);
• they can be configured to be automatically started during the boot process;
• typically malware tries to create new services; moreover, they usually imitate the names of system services to remain hidden.
Persistence: modification of the MBR or the BIOS
• It is an advanced technique to achieve persistence;
• Advantages:
– difficult to detect;
– extremely difficult to remove.
• Disadvantages:
– high difficulty to apply this approach.
Persistence: Exercise 1 – Analysis with Regshot
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use regshot to discover which registry keys are used by the malware IMWorm to obtain persistence.
Persistence: Exercise 2 – Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware IMWorm on the system.
Persistence: Exercise 3 – Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware Hydraq on the system.
Outline: Dynamic analysis with Cuckoo Sandbox
Cuckoo Sandbox
• Open source system to automatically analyze files and URLs;
• it tracks all the API calls and the general behaviour of the file;
• it also analyzes the network traffic;
• it allows an advanced system memory analysis;
Cuckoo Sandbox
• it is developed in Python with a modular structure, so it can be easily extended;
• it contains a very long list of signatures of suspicious behaviours;
• it allows interaction through three different interfaces:
– Python scripts;
– REST APIs;
– Web interface.
Cuckoo Sandbox – Exercise 1
• Open a terminal and submit a malware sample with the command: python /opt/cuckoo/utils/submit.py filename
• Cuckoo Sandbox assigns an ID to the submission;
• after a couple of minutes, check the directory /opt/cuckoo/storage/analyses/ID/reports/ and open the various reports.
Cuckoo Sandbox – Exercise 2
• Open Firefox and the Cuckoo Sandbox bookmarks;
• log in to the web interface (user: cuckoo, password: cuckoo);
• inspect the various sections of the web interface and submit a sample using the submission tab;
• after the end of the analysis, consult the report in order to understand its structure;
Outline: DLL/Code injection
DLL/code injection
• This approach consists of loading a malicious DLL into one or more processes;
• in this way malicious code will be executed inside a legitimate process;
• this can be an effective way to evade security software.
DLL/code injection
• Main approaches are:
– take advantage of the AppInit_DLLs registry key, which contains the list of all the DLLs that have to be loaded together with user32.dll;
– manipulate existing processes through an external dynamic load.
DLL/code injection: Exercise
• Open the Cuckoo Sandbox Web Interface;
• submit:
– Parite
– onlinegames 2;
• after the analysis, check the reports to find any DLL injection attack.