Research Center for Cyber Intelligence and Information Security (CIS Sapienza)
Dynamic Analysis
Systems and Enterprise Security 2017-2018, Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]
Outline
• Virtual Machine and Sandboxing
• Manual dynamic analysis tools
• Analysis of persistence
• Dynamic analysis with Cuckoo Sandbox
• DLL/Code injection
Virtual Machine [VM]
• A VM emulates the behaviour of a full physical machine in which it is possible to run the desired operating system:
– Host: the machine on which the VM software runs.
– Guest: the VM itself.
• A VM provides a fake and separated environment;
• it is possible to execute suspicious software in isolation.
Virtual Machine [VM]: Snapshot
• Many virtualization products provide the possibility to create snapshots;
• a snapshot represents a photograph of the current state of the VM;
• it allows restoring a previous state of the system.
Virtual Machine [VM]: Snapshot
• Snapshots are an important resource for dynamic malware analysis; in fact analysts:
– create and configure a VM;
– create a snapshot of the VM, ready for the analysis;
– run the malware;
– study the execution and the effects of the sample;
– restore the snapshot in order to be ready for the next analysis.
Virtual Machine [VM]: VirtualBox [1]
• VirtualBox is an open-source virtualization software developed for Windows, Linux and macOS;
• it allows the execution of various operating systems, including Windows, Linux and *BSD;
• it offers a snapshot system to save and restore the state of the VM.
[1] https://www.virtualbox.org
Virtual Machine [VM]: Snapshot Exercise
• Boot up the VM;
• open VirtualBox in the VM;
• restore the snapshot Snapshot2;
• start the VM cuckoo1;
• observe the state of the VM, trying to execute some malware;
• shut down the VM and restore the snapshot Snapshot1;
• run the VM again and observe any changes.
Sandbox
• It consists of executing the malware in a controlled environment in order to observe the malware behavior;
• this approach uses emulation or virtualization software products to execute malware in isolation;
• a sandbox can produce in-depth reports using signatures to detect patterns of actions;
• it can also provide additional information like created files or network traffic generated by the sample.
RegShot
• It is an open-source utility to compare instances of the Windows registry;
• it allows storing the current state of the registry and comparing it with another one created after some modifications;
• it is widely used to discover which registry keys are modified by the malware execution.
RegShot – Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• run the regshot executable in the Regshot folder on the desktop;
• use 1st shot to store the current state of the registry;
• change the desktop background;
• use 2nd shot to store the new state of the registry;
• compare the 2 snapshots with Compare;
• change the log format to HTML;
• use Clear to delete the 2nd shot;
• perform a new comparison and observe the differences in the report.
AutoRuns
• Utility developed directly by Microsoft;
• it allows an easy inspection of different aspects of the operating system, like:
– the system locations to modify in order to load applications during OS boot;
– Explorer extensions;
– toolbars.
AutoRuns – Exercise
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• launch Autoruns; if asked, accept the EULA;
• observe the various tabs;
• save the current state of the software;
• modify/delete some elements;
• use Compare in the File menu to perform a comparison with the previously saved state.
Persistence
• Set of techniques that guarantee that malware survives a system reboot;
• currently, the main approaches are four:
– creation or modification of registry keys;
– creation of files in startup locations;
– creation of Windows Services;
– modification of the Master Boot Record (MBR) or the BIOS.
Persistence: creation or modification of registry keys
• The Windows registry contains information about what must be started at boot, like:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
• this approach consists of creating or modifying these keys to launch malware at startup.
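As an added example (not part of the lecture slides), here is the Regshot-style comparison from the manual-tools section applied to the registry locations listed above: two snapshots of registry values are diffed and only the changes that touch these persistence keys (plus AppInit_DLLs, covered later under DLL injection) are kept, so that benign noise such as a wallpaper change drops out. The two snapshots are constructed inline; the function names and sample paths are assumptions.

```python
import re

# Boot-time registry locations from the lecture (Run keys, KnownDlls, Winlogon)
# plus AppInit_DLLs from the DLL-injection slides, as case-insensitive regexes.
PERSISTENCE_LOCATIONS = [
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    r"^HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls\b",
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\b",
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$",
]
_PERSIST_RE = re.compile("|".join(PERSISTENCE_LOCATIONS), re.IGNORECASE)


def diff_snapshots(shot1, shot2):
    """Regshot-style compare of two {value path: data} snapshots.
    Returns sorted lists of added, removed and modified value paths."""
    added = sorted(set(shot2) - set(shot1))
    removed = sorted(set(shot1) - set(shot2))
    modified = sorted(p for p in set(shot1) & set(shot2) if shot1[p] != shot2[p])
    return added, removed, modified


def persistence_changes(shot1, shot2):
    """Keep only the differences that touch a known persistence location."""
    def keep(paths):
        return [p for p in paths if _PERSIST_RE.search(p)]
    added, removed, modified = diff_snapshots(shot1, shot2)
    return {"added": keep(added), "removed": keep(removed), "modified": keep(modified)}


# Constructed snapshots ("1st shot" before and "2nd shot" after running a sample);
# paths and data are illustrative, not taken from a real system.
SHOT1 = {
    r"HKCU\Control Panel\Desktop\Wallpaper": r"C:\Windows\Web\Wallpaper\old.jpg",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBoxTray": r"C:\Windows\System32\VBoxTray.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs": "",
}
SHOT2 = dict(SHOT1)
SHOT2[r"HKCU\Control Panel\Desktop\Wallpaper"] = r"C:\Users\lab\Pictures\new.jpg"  # benign noise
SHOT2[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"] = r"C:\Users\lab\AppData\Roaming\svchost.exe"
SHOT2[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"] = r"C:\ProgramData\hook.dll"

if __name__ == "__main__":
    for kind, paths in persistence_changes(SHOT1, SHOT2).items():
        for p in paths:
            print(f"{kind:9s} {p} -> {SHOT2.get(p, '<deleted>')}")
```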
Persistence: creation of files in startup locations
• During the boot, the Windows OS checks some directories which contain software to start, like:
– %USERPROFILE%\Start Menu\Programs\Startup, containing single-user software;
– %ALLUSERSPROFILE%\Start Menu\Programs\Startup, containing all-users software.
Persistence: creation of Windows Services
• Windows services are executables launched in the background without any interaction with the users (like *nix daemons);
• they can be configured to be automatically started during the boot process;
• typically malware tries to create new services; moreover, they usually imitate the names of system services to remain hidden.
Persistence: modification of the MBR or the BIOS
• It is an advanced technique to achieve persistence;
• Advantages:
– difficult to detect;
– extremely difficult to remove.
• Disadvantages:
– high difficulty to apply this approach.
Persistence: Exercise 1, Analysis with Regshot
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use regshot to discover which registry keys are used by the malware Imworm to obtain persistence.
Persistence: Exercise 2, Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware IMWorm on the system.
Persistence: Exercise 3, Analysis with Autoruns
• Restore the snapshot Snapshot2 of the internal VM;
• boot up the VM;
• use Autoruns to discover some of the effects of the malware Hydraq on the system.
Cuckoo Sandbox
• Open source system to automatically analyze files and URLs;
• it tracks all the API calls and the general behaviour of the file;
• it also analyzes the network traffic;
• it allows an advanced system memory analysis;
Cuckoo Sandbox
• it is developed in Python with a modular structure, so it can be easily extended;
• it contains a very long list of signatures of suspicious behaviours;
• it allows the possibility of interaction through three different interfaces:
– Python scripts;
– REST APIs;
– Web interface.
Cuckoo Sandbox – Exercise 1
• Open a terminal and submit a malware sample with the command: python /opt/cuckoo/utils/submit.py filename
• Cuckoo Sandbox assigns an ID to the submission;
• after a couple of minutes, check the directory /opt/cuckoo/storage/analyses/ID/reports/ and open the various reports.
Cuckoo Sandbox – Exercise 2
• Open Firefox and the Cuckoo Sandbox bookmarks;
• log in to the web interface (user: cuckoo, password: cuckoo);
• inspect the various sections of the web interface and submit a sample using the submission tab;
• after the end of the analysis, consult the report in order to understand its structure;
DLL/code injection
• This approach consists of loading a malicious DLL into one or more processes;
• in this way malicious code will be executed inside a legitimate process;
• this can be an effective way to overcome security software.
DLL/code injection
• Main approaches are:
– taking advantage of the AppInit_DLLs registry key, which contains the list of all the DLLs that have to be loaded together with user32.dll;
– manipulating existing processes through an external dynamic load.
DLL/code injection: Exercise
• Open the Cuckoo Sandbox Web Interface;
• submit:
– Parite
– onlinegames 2
• after the analysis, check the reports to find any DLL injection attack.
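As an added example (not Cuckoo's own code) of reading the reports that Exercise 1 of the Cuckoo section and this exercise point to, here is a small triage of a parsed report.json that lists injection-related signatures by severity and the registry writes and file creations that hit the persistence locations covered earlier (Run keys, Winlogon, Startup folders, Services, AppInit_DLLs). The report layout assumed here (a top-level signatures list and behavior.summary with regkey_written and file_created lists) follows Cuckoo 2.x; the report fragment, signature names and paths are constructed for illustration.

```python
import json
import re

# Locations the lecture associates with persistence, matched case-insensitively.
PERSIST_RE = re.compile(
    r"\\CurrentVersion\\Run\b|\\Winlogon\\|\\Start Menu\\Programs\\Startup\\"
    r"|\\CurrentControlSet\\Services\\|\\AppInit_DLLs$",
    re.IGNORECASE,
)


def triage(report):
    """Pull injection signatures and persistence artifacts out of a parsed
    Cuckoo report.json (2.x layout assumed: 'signatures' list and
    'behavior.summary' with 'regkey_written' / 'file_created' lists)."""
    findings = {"injection": [], "persistence": []}
    for sig in report.get("signatures", []):
        name = sig.get("name", "")
        if "inject" in name.lower():
            findings["injection"].append((sig.get("severity", 0), name))
    findings["injection"].sort(reverse=True)  # highest severity first
    summary = report.get("behavior", {}).get("summary", {})
    for path in summary.get("regkey_written", []) + summary.get("file_created", []):
        if PERSIST_RE.search(path):
            findings["persistence"].append(path)
    return findings


# Constructed fragment in the shape of a Cuckoo 2.x report.json; the signature
# names, severities and paths are illustrative only.
SAMPLE_REPORT = json.loads(r"""{
  "info": {"id": 7},
  "signatures": [
    {"name": "antivm_generic_disk", "severity": 2, "description": "Queries disk info"},
    {"name": "injection_createremotethread", "severity": 3,
     "description": "Used CreateRemoteThread on another process"},
    {"name": "injection_rwx", "severity": 2, "description": "RWX memory in another process"}
  ],
  "behavior": {"summary": {
    "regkey_written": [
      "HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper",
      "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
      "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"
    ],
    "file_created": [
      "C:\\Users\\lab\\AppData\\Local\\Temp\\x.tmp",
      "C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sys.lnk"
    ]
  }}
}""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On a real analysis, replace SAMPLE_REPORT with json.load() of /opt/cuckoo/storage/analyses/ID/reports/report.json.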