SANS DFIR Webcast  – What’s New in REMnux v4 for Malware Analysis?

SANS DFIR Webcast – What’s New in REMnux v4 for Malware Analysis?

– [Benjamin] Hello
everyone and welcome to Digital Forensics and
Incident Response webcast. What’s New in REMnux v4
for Malware Analysis. I’m Benjamin White
with SANS Institute and I’ll be moderating
this webcast. Today’s features speaker
is Lenny Zeltzer, Senior Faculty Member
of the SANS Institute and Project Management
Director for NCR Corp. Before I turn
things over to Lenny the Q&A portion
will take place at the end of the webcast. Please feel free to
send your questions at any point by using
the chat window. Right now, I’d like to introduce our featured speaker
Lenny Zeltzer. – [Lenny] All right,
thank you very much for the introduction Ben, and
thank everybody for joining. I’m very happy to be
talking to you about REMnux because while I love tools
and there’s a whole lot of new tools, that can be added to the latest version
of this distribution. I’ll be showing you
lots of screenshots, lots of command line parameters
and lot’s of live demos. We’ll be going
pretty fast but don’t worry because you
will be able to download all of these slides
and all of my speaker notes and all of the hyperlinks
and everything else. You’ll be able to download
them as a PDF file about an hour after
this webcast ends. So don’t worry if we
move too quickly for you to be able to write
everything down. Not only will you be able to
review the recorded version of the webcast, you
will also get access to all of my speaker notes. All right, so I want
to talk about REMnux. Of course, REMnux is
the Linux distribution that I put together. The idea is to have
a bunch of tools that are useful for
analyzing malware and make it easier for people to get into the world
of malware analysis because you don’t have
to install this tool, you don’t need to find
them, you don’t need to configure them. That’s really the
biggest benefit to REMnux that I can find. Now, all I did is I started
with Ubuntu version 11.10 and added a bunch
of tools to it. The full credit for all
the wonderful usefulness of the distribution really goes
to the authors of the tools I just put them together. But there’s a whole lot
of tools to keep track of and that’s why I put
together this webcast to focus specifically
on those tools that have been added to REMnux in
the release that came out in early April, that’s
version 4 of the release. So I wanted to review
with you what are the major changes and also what are some of the tools
and how do you use them. But if you’re new to REMnux
you can certainly download a copy of REMnux on and also you can tune in to a webcast
that I recorded previously I’m sure you’ll
find it on Google if you look for Malware Analysis
Essentials using REMnux. All right, so let’s see, what’s the best way to get started? The best way to get
started, I think, is for me to drop you into
my REMnux virtual machine so that I can show
you a bunch of things. Again, I’m gonna be
spending a lot of time in the virtual machine
during the webcast but don’t worry ’cause
you’ll have screenshots and everything in
the PDF file that we make available to you. So, what I did here is
simply download a copy of the REMnux Virtual Machine. And one of the new things
in the latest distribution of REMnux is how
you can download the virtual machine appliance. Before REMnux was available
either as an ISO file, for a live CD, or as
a proprietary VMware
Virtual Machine. I’m also now making
it available using the open virtualization
format, which makes it easier for you to import this
virtual machine into lots of other virtualization tools
most notably VirtualBox. So now it’s much easier to
use REMnux on VirtualBox. What I did here was
simply load up a copy of the REMnux virtual
machine and I’m going to start it up for you. REMnux ships with
a host-only mode to limit Network
interactions but for this webcast
before starting it up I’m going to turn on
NAT mode because I want to have access to the web
so that I can well download a few tools and
updates, if you will. I’m going to show
it to you shortly. So what kind of
tools do we have here and how do we make use of them? Well, I think it’s
much more enjoyable to talk about tools
in the context of actual real world malware. So, what I did was put together
a bunch of malware samples that I’m gonna use
throughout this webcast. Let me get them here. You can get these samples
as well, if you want, here is the URL. Now, the password is the word wait for it, wait for it. Fruits. So anybody can
download these samples just be very careful
with them because this is real-world malware
that we’re dealing with here and that’s why password
protected with word fruits to avoid accidental
execution, all right. Now, let me take you
for just a couple of minutes, back to my slides. I wanted to mention a
few things regarding how you are able to install
the REMnux virtual appliance. As I said, you can
download, probably that’s the easiest way to
do it, download it in the Open
Virtualization Format and then what are
you using VMware or whether you’re using
VirtualBox you just double-click on that file and
it will allow you to import it into the
proprietary format. Although, keep in
mind, that there seems to be a bug in
Virtual Player where if you double-click on
that Virtual Appliance file it will give you an error. So, if you’re using
VMware Player, rather than
double-clicking on the file that you’ve downloaded
you will need to open it using the VMware
Player interface itself without double-clicking it. Also, you can use
this virtual appliance using KVM virtualization
if you’d like. However, keep in mind that
if you are using CentOS you will be unable to
use the latest version of QMU, that IMG
convert command, because it has a bug in it. You will need to
download the latest copy from the QMU website. Again, if you try to
use QMU for importing this virtual machine
and if you run into any problems, download
the latest version from the website of the
virtualization software or send me an email
I’ll help you out. All right, so now we
know how to get started with REMnux, right,
you can download it as a virtual appliance
for VMware, VirtualBox, it’ll work on Hyper-V,
kind of actually. Let me mention that quickly. If you try to use
Microsoft Hyper-V the virtual machine
itself is recognized, however, Hyper-V uses a
network interface card that Linux doesn’t seem
to recognize very well. I haven’t been able to
get it running in Hyper-V if you are able
to get it running I’d love to hear from
you so that I can share the information
with other people. All right, so now we
know how to get started. Let’s talk about what
is new in REMnux. And again, I’ll be
mentioning a bunch of tools but don’t worry I will show you, I will provide to
you, all the URLs, all of my notes will
be available to you for download after this webcast. We’re gonna post
these slides as well as my full speaker
notes about an hour after the webcast ends so
if you don’t catch a URL don’t worry, that URL
and all the other URLs will be available to you
as part of those PDF notes. So, changes to the existing
tools not a whole lot here. Besides me updating
the core packages that comprise the
operating system I also updated the tools that
you’ve come to know and love. Tools like pdfid and
pdf-parser, tools like SWFTools, NetworkMiner, BIRD-Proxy,
Wireshark, Firefox, XORSearch, DensityScout, too
many tools name here. You can see a full
listing of the tools that I’ve updated if
you look up on my blog the article that I wrote
to outline what’s new in the latest version of REMnux. Some other minor changes
that you might want to keep in mind
involve me replacing the open JDK version of Java
with the Oracle version, Oracle Java 7, seems
to be supported better than open JDK and
is more compatible with tools that I like
to use that require that Java be present. You might be familiar with
the Origami framework, which is an excellent tool
for analyzing PDF files. I’ve updated that
version as well and there are two
minor differences, two minor distinctions,
that you might want to keep in mind with this
latest version of Origami. Let me quickly show
you what these are. The first distinction
is the way that the PDF Extract command works. Now, PDF Extract is very handy, in that you can point
it to a PDF file and it will automatically
extract lots of content that is within the PDF file. Most interestingly,
you’re able to extract the JavaScript that might be
embedded into the PDF file. However, the problem
that I’ve discovered with the latest
version of PDF Extract is that in some cases a
PDF file has been corrupted and so when you run
PDF Extract it fails to properly and decode
the stream and is unable to extract JavaScript. Fortunately, the way
around that, I’ve found is to be very specific
when calling PDF Extract and instead of
saying PDF Extract, extract everything
there is, instead, give it the -j parameter,
which means JavaScript and then even if there
are problems with the other objects as
long as the objects that contain JavaScript
are okay it will be able to extract JavaScript. Now, in this case, for
example, you can see that I have JavaScripts
that have been extracted and placed into this file. Again PDF Extract, not
a new tool on REMnux, but it does operate a
little bit differently when it encounters
corrupted PDF objects. Let me get rid of this
file just to avoid it messing up my environment. All right, something
else that’s new new in Origami framework or rather, not really new
but it’s a nice little tweak. There is a tool that
some people like, it’s called pdfwalker. And pdfwalker is a tool
for interactively examining contents of PDF files. You can look at their structure, you can extract
JavaScript, you can extract other objects that might
be embedded into PDF files and you can do
this using the GUI, that’s what pdfwalker does. The one minor changed,
that is quite nice, for this latest
version of pdfwalker is that now you can
be in any directory and pdfwalker will run properly. In the previous
version, you had to be in a very specific directory
where pdfwalker was installed you’ll not afraid
to run properly. So, other than that, pdfwalker
works as it did before. So, we talked about some
minor changes to Origami, it’s also great and
that Volatility has been very actively developed
and so the latest version of REMnux now includes
the latest stable version of Volatility
version 2.2 and there are a lot of new
features and many plugins have been updated as well. So, usually if you
perform memory forensics using Volatility you want
to have this version. Some of the new features
that have been added to Volatility 2.2
include the ability to examine event logs. So, you can examine
event log information that has been
captured in memory, there are also a bunch
of plugins for examining the Windows GUI, so,
Windows GUI information is of course stored
in memory and so you can use Volatility now to
look at the event hooks that correspond to
the GUI interface. You can attempt to
gather some aspects of what the screen
might have looked like, you can look at clipboard
contents, that’s pretty cool. Also this version of
Volatility introduces very stable support for
Linux memory image analysis which is quite nice as well. So, I’m not going to spend
any more time on Volatility because really
that would justify it’s all its own
webcast and even that’s probably not
gonna be sufficient. But, if you’re new
to Volatility 2.2 take a look at their website
to see what has changed. One other, minor change,
or a relatively minor, I guess from most people’s
perspective is that the mind mapping
software that I had there before called
FreeMind is gone, I couldn’t get it to
run properly anymore, just too many Java
compatibility problems. Instead I’m using
Xmind, which i think is a better tool
prettier and perhaps, slightly more
actively developed. So Xmind is there now
instead of FreeMind. I don’t know how many
people would even notice the difference. One way in which you can
use mind mapping software in REMnux is to
keep track of all of your analysis findings. So, as you’re
examining malware how do you keep track
of all of your notes all of your screenshots,
all of your artifacts. One way to do it is to
use the report template that I created on REMnux
using this mind mapping format and of course you can
load it using Xinds now. It allows you to have an
outline for your future report and there are placeholders
where you might want to save your key
observations, recommendations, file hashes, et cetera. So if you’re new to mind
mapping check this out it’s a great way of
keeping track of all of your analysis findings. We talked about
miscellaneous changes to the distribution and some of the more popular
tools being updated. This includes updates to
Origami, Volatility, Xmind and I also talked
conceptually about the need to be able to perform
memory forensics, perform PDF analysis and
the way in which many people like to keep track of
all of their findings with the help of mind maps. I will be using these
tools and concepts slides as regular checkpoints
throughout this webcast because I’ll be
covering a lot of tools and a lot of concepts
and my hope is that these periodic slides
will help you remember what we’ve just covered. The next topic that I want
to discuss is the tools that I’ve added to REMnux
that make it easier for you to examine obfuscated
data where the attacker may have used XOR
as a very simple way of concealing strings
or binary contents. There are many ways of of
course obfuscating data in code but fortunately for
us many attackers are on the lazy side and use
a very specific approach. They basically take a
1 byte value at random and that one byte
value acts as the key. The value can range
from 0 to 255 in decimal and the attacker uses
the XOR operator to XOR every byte within the
data they need to protect with that selected key value. You see this over and
over again whether you’re looking at PDF
files or web pages or Windows executable,
attackers really like using this approach
and fortunately for us we’ve got some tools that
can help us examine artifacts and brute force
possible key values. So, as I said I’ve got
slides for every single tool I’m going to talk
about together with all of my reference
materials and URLs, but I think it’s a lot
better to look at these tools in action in an actual
REMnux environment. So let me show you a
tool that’s new to REMnux called Xor Brute Forcer
by Jose Miguel Esperanza. Now, this tool is designed
for decoding contents of a file using all possible
one byte XOR values. So, how do you use it? Let’s say we’ve got a file if we want to see
whether it contains any values, any data,
that might have been XOR’d using that algorithm
that I just described. Well, we can tell Xor Brute
Forcer to examine that file, in this case I’m using
this malicious DLL and what it will do,
is it will attempt to decode every single
byte within that file with all possible one
byte long key values and the boolean XOR operator. So, as you can imagine the
output would be huge here so we might want to
say, you know what, I’m going to just
extract strings and save them into a file
that I’m going to call. Now, as I said, this is going
to be doing a lot of work. It’s examining every single bite and it’s trying every
possible one byte long value and it’s using boolean
XOR to create the output. So sometimes this
will take a while, depending on how big is the
file that you’re analyzing. In this case and
again depending on how much RAM you’ve allocated
to your virtual machine this will take a while. One more change, by the way,
that I wanted to mention to you is that before REMnux used
to ship with 256 megs of RAM by default in its
virtual machine and
I’ve doubled that now. In part this is to accommodate the much heavier
memory requirements of the Volatility
plug-in called Malfind that seems to do a lot more
now but require more memory. So now by default with
the REMnux virtual machine you get 512 meg of RAM. If you’ve got more
physical memory, then, you know, the more
you give it the better. Anyway, now that you’ve
extracted the strings you might want to take a look
to see what’s the output. It’s very possible
that the attacker used some other algorithm
to obfuscate the data or maybe he’s not
obfuscating any data at all. So sometimes all you’re gonna
get is just a bunch of noise. And, there’s going to be a
ton of false positives here. Because it’s trying
every possible key value and it’s trying to
decode everything. Now, of course
there’s a whole lot of unobfuscated
information here, that’s what key 00 represents. But then if you go further you can find data
that was obfuscated using key 01 and you’re just looking at this. And all I see here is
just nonsense gibberish, so this is probably not
anything that’s useful here. But I’ve done a bit
more analysis here and let me just
fast forward a bit. It turns out that if you
look at key five you actually see some strings. Now, these strings were
not visible in clear text but this tool was able to
brute-force the key value and it’s now telling us
that there are a bunch of strings here embedded
into this executable and they’re protected
using hexadecimal key five using the XOR algorithm. So, that’s pretty
good the only problem is that there’s a lot of noise. A lot of noise in
XOR Brute Forcer and so you might wonder
is there another way to sift through the
strings that are embedded into the file to eliminate
some of that noise. With this in mind I
wanted to introduce you to another tool that
is new to REMnux and this one’s called
Brutexor or sometimes it’s also called iheartXOR this is a tool by Alexander Hanel. Here is that tool
in action, Brutexor, once again you
point it to the file that you want it to examine and you tell it
give me the strings. Now, what this tool
does, is it also, just like XOR Brute Forcer
tries to brute force all possible key values, but
it is a little bit smarter at what it is trying to decode. It looks for what might
be a meaningful string and only will try to
decode those values. And as a result it runs faster and you get less noise. Now, there’s still a
whole lot of noise here but now if you scroll through, you will eventually
get to something that looks readable which
indicates that indeed it was able to successfully
decode some contents. Let’s see, it’s
in there somewhere and since I’ve done
this analysis before I know that with the key five, so I’ll be able
to eventually get to some readable ASCII contents. So now you had two new
tools added to REMnux that support XOR decoding. One is called XOR Brute Forcer, the other one is
called Brutexor. Both perform similar tasks but Brutexor has a bit more
smarts at being able to eliminate some of the noise. Now, you might be
familiar with another very popular tool
that has been present on REMnux since
the very beginning. That’s a tool by Didier
Stevens called XORSearch. That’s a very handy tool,
the biggest limitation of that tool is that you
have to know what string to look for before
you could find it. That’s the big
limitation of XORSearch. But, with Xor Brute
Forcer and Bruteoxr, as you can see, you
don’t need to know what you’re looking for
as long as you’re willing to sift through the
noise in the hopes of finding a string that
appears readable to you. So, there’s one more tool
related to XOR operations that I wanted to share
with you and this one is a tool that was
written by Glenn Edwards and it’s called NoMoreXOR. This tool attempts to
guess XOR key values that are 256 bytes long. So, not just one byte
long key values but there is someone out
there that of course uses longer keys
and Glenn Edwards put together this
tool to show you how you might be able to find
those longer key values. I’m gonna show you
this tool in action by looking at one sample
that, as it turns out, actually contains
embedded information that has been protected
using a XOR key that’s 256 bytes long. So, let me see. I’m telling it that
the output should be saved into this file and I
wanted to analyze this pear.doc. Now, this was a malicious
Microsoft Word document that was used as part
of a targeted attack and I’m not going to
give you of course the full background on
this nor would we analyze all aspects of this
document in this webcast. But, if you’ve done
some work you might say there seems to be
some embedded code that I can’t see in
clear text, how might the attacker have encoded it? And you try a whole
lot of things. And if you try NoMoreXOR
it would end up actually trying several
promising-looking keys and eventually it will
produce what it believes is meaningful, decoded
object that was XOR’d within pear.doc using a XOR
key that’s 256 bytes long. Now, you might wonder
how does it know when it found meaningful
data or meaningful code, well the approach I
think is quite clever. When thinking about this
from the tools perspective you’re trying to brute-force
all possible key values that produces a lot of output and now a script that’s
intelligent needs to be able to
examine that output and determine whether
it’s meaningful or whether it’s gibberish
because this content was not meant to be
decoded using this key. So what this tool NoMoreXOR does is it uses Yara and it
scans the output using Yara and if it notices that
one of the Yara signatures gets a match it will
assume that we must have decoded contents using a
proper key, isn’t that clever. In this case the Yara rule
that was hit was embedded EXE. In other words, it seems that
this malicious Word document contains an embedded
executable that was XOR’d using a 256 byte
long key, now we know what that key probably
was, it was brute forced using NoMoreXOR and
we even extracted the embedded data
or the embedded code so that we can
analyze it further. Now, think about this how
from the two perspectives. One is, it’s wonderful
to have a ready-made tool available to you
for cases like this. But I would say that
the value of a tool for which you can
view the source code is little more than that,
the value of the tool for people who are
able to write scripts who can do a bit of
coding, the value is is in taking an idea
that was implemented as part of this tool
and then perhaps taking it further can
you think of smarter ways of brute forcing key
values, of eliminating noise from the output this approach. This approach that
Glenn is implementing using Yara, I think,
is very clever. Are there better ways? Well, that’s why
we’ve got source code to these tools, these are
mostly written in Python. I hope some people
in the community will get new ideas
from, produce new tools. Where I give the authors of
these tools some feedback. So we talked about
a bunch of tools that have been added
to REMnux and these are focused on analyzing
XOR encoded data or code, and I talked
about the tools that have been added
and those tools that have existed there before. There are some
additional tools that you might find useful
when doing this analysis such as xortool and, I’m not gonna get into them at this point. I also briefly
showed you earlier a text editor that’s
built into REMnux, SciTE. You notice that I was
using SciTE to look at the output of the
files that were produced. So a bunch of tools
that I highly recommend you experiment with and
perhaps get some ideas from. The next topic I
wanted to cover is a new feature of
REMnux that allows you to run Windows tools in
the Linux environment. Of course, the full credit for
this capability goes to Wine. Wine is what many
people call an emulator for Microsoft Windows,
in other words, you’re able to run Windows tools
inside a Linux environment. And while you cannot run the most sophisticated Windows
programs within Wine, some of the simpler
programs run pretty well. At this point I installed
Wine within REMnux and I added two
malware analysis tools that a lot of people
know, use and love. Of course, you can
add some others if you got other
favorite Windows tools. But the two tools that
I am focused on were OfficeMalScanner and Mazilla. So, let me quickly show
you these tools in action. OfficeMalScanner is a
tool by Frank Boldewin and it’s a toolkit for
examining malicious Microsoft Office documents
and it is quite awesome. If you point it to a file that you think might be suspicious, like this malicious
office document, well, it turned out to be malicious. Maybe first you want to know
info, give me some info. Is this indeed an
office document or not? Well, it will parse the
file and it will tell you that it looks like it
follows the Excel structure and there are no
Visual Basic macros. If it found macros, it would
have extracted them for you. Now, if you want to look for
other malicious artifacts within this document
you use the scan command and the scan command will
look for malicious shellcode. It will look for embedded
office documents, will look for
embedded windows files and it will look for
embedded flash programs. In this case it appears
that pear.doc contains an embedded Flash
file and remember this is the same malicious
Office document that I used previously
with the help of NoMoreXOR, I extracted what appear to
be embedded binary code. So this is quite a nasty file that you can analyze
further if you’d like. Now, you might use
a tool like SWFDump which is installed on REMnux
to examine this SWF file. Another component of the
OfficeMalScanner toolkit is the utility called RTFScan. This one examines
files they’re formatted using rich text format. So, for example, here’s
a malicious RTF file that I’m scanning using RTFScan and I need to tell
it what to do. The command should be scan
and now it will examine what is within this
RTF file and carve out what appears to be a
malicious artifact. In this case, within
this RTF file, there is an embedded executable that RTFScan
automatically located and extracted for me so that
I can analyze it further. It’s very convenient,
but up until now you have to run these tools
on a Windows environment. Well now, thanks
Wine, OfficeMalScanner and the tools that
comprise the toolkit can run just natively
where it appears to run natively within REMnux. Another tool that I added
to the toolkit, now that we can run Windows programs
within REMnux is Malzilla. Malzilla is a popular
tool for those who like analyzing
malicious web pages using a graphical
user interface. The tool hasn’t been
updated for a few years, but it’s got its
fans and so I thought I’d make it available
within REMnux. For instance, you can
go to the Decoder tab, you can right click
there to load, a perhaps obfuscated
JavaScript file that you might want to analyze. Well, let’s take a look
at this clump of JS. Now, the one thing about
Malzilla running on Linux is that it presents to
you the ASCII contents in a very wide font I couldn’t
find a way to correct this. But if you’re looking at this
using a normal text viewer you would see this is an
obfuscated JavaScript. And you might wonder,
what’s so important that it needs to be obfuscated. Well, there are several ways of deobfuscating
malicious javascript. one way to do this is to load
the script into Malzilla. Malzilla, by the way, is
written by Bojan Spasic, and you click the
run script button and it will try to deobfuscate
it for you automatically and if you double
click on the results of the run you get this output. And though it’s a
little bit hard to read because of the wide font if
you look at this carefully you now see a URL that
is probably malicious that you might want to
investigate further. So that’s the magic of
Malzilla, lots of ways of deobfuscating
JavaScript in REMnux. This is just one tool there
is now new to your toolkit and normally you would
run Malzilla on Windows, but hey now you can run
it on Linux if you prefer to do that your work
within a Linux environment. So, we talked about
a bunch of tools that can run on REMnux
with the help of Wine even though these tools
are native to Windows. OfficeMalScanner,
RTFScan and Malzilla. And of course we
talked about the need to know how to analyze
malicious Office documents including Word and
RTF files, as well as we need to
deobfuscate JavaScript that you would often find
within malicious web pages and malicious PDF
document files. The next set of tools that
I want to discuss deals with utilities that
are new to REMnux that allow you to examine
Windows executable files inside a Linux environment. Now, there are several
tools like this. Some of them have been
present on REMnux already and I’m not gonna
talk about that. Instead, I wanna talk
about some new ones and let me take you
into my virtual machine to show this to you. Of course, since you’ll
be able to download my full spot slides
and speaker notes you’ll have a full set of
reference materials available for you so there is no need
to write down your notes if you don’t want to. The tool that I wanted
to introduce you to you right now
is called ExeScan. ExeScan written by
Amit Malek is designed for statically examining
a Windows executable. So, for example I’m
going to point it on to a file called Croker.exe and what this tool will do, is it will
examine, well, first of all, capture the hash
of the executable. It will then attempt
to identify a packer so it has a database
of signatures it can use for
identifying which packer may have been used to
protect this executable. It will show you the
sections of the executable and very handily, it will
examine the import table looking for references
to dangerous API calls. And this is one way in which
you can examine an executable if you’re wondering is
this a malicious one or not and be able to
get a general sense for the capabilities
of the program. Sometimes this works
better than other times but it’s handy to
be able to do so using some static analysis
without even trying to run the program. Now, ExeScan can do
this quite easily now. There’s just this one
problem with ExeScan that I wanted you to know about, and it’s a strange problem
and the strange problem that I’ve encountered
is that sometimes it deletes the file
after analyzing it. I suspect it’s
some kind of a bug. So, keep this in mind if
you’re going to run ExeScan make sure you backup the
file that you’re scanning before scanning it with ExeScan. Or, better yet, find the bug,
fix it, let the author know and maybe we’re all
going to be better off. Another tool that I
wanted you to keep in mind that’s new to REMnux
for analyzing static, for statically analyzing
Windows executables is pev, P-E-V, is a
collection of several tools, written by Fernando Mercês
for examining various aspects of Windows executables. Now, these are little utilities that are very handy for doing
one or more specific tasks. So, for example, if
you wanted to calculate a hash of an executable,
you can use pehash. If you wanted to check
whether an executable has been packed
you can use pepack, if you wanted to
read certain aspects of the PE header, the
Windows executable, you can use readpe. So, let me show you
some of these tools, not all of them, but at
least some of them in action. For instance, let’s say
we want to use a tool that’s a part of
this pev toolkit and this thing is
called pescan, P-E scan. Now, I’m going to say examine
this executable file called let’s see, which
one should I scan. I’m going to scan
Kiwi.exe let’s say. Well, we’ve scanned it and
now we have a general sense for what’s within
this executable. For example, we can see
that it doesn’t have any TLS callback functions
which can sometimes indicate that the executable we’re
scanning is malicious. Well, let’s see if this
executable is packed for that we can use
the pepack command. Looks like we’ve identified a
packer, it’s called Armadillo. OK, very interesting,
how about the hash of this executable. Now we’ve got our
hashes if we wanted to use that for some point. And then let’s say we wanted
to read certain aspects of the PE header
of this executable, like the sections and
other information. Well, readpe is the
command that will give us that information. Now, sometimes you
get something useful out of this, sometimes you
get no insights at all. But it’s handy to know about these various
miscellaneous executables that are now available to you
as part of the pev toolkit for analyzing Windows
executables from
the command line. Now, another tool that I
wanted to mention to you that you might find useful
for examining malicious code within a Linux environment,
this one is called dism-this. It’s written by Alexander
Hanel and the tool is designed for
locating, analyzing and extracting shellcode
embedded in files. Now, it’s not a
fully automated tool so you still need to do
quite a bit of thinking but it will help you
determine whether you’ve found the
shellcode or not. Let me show you how you
might use a tool like this. I’m going to take you
into my environment. Now for this sample
I’m going to be looking at a malicious Flash program called mango.swf. And one way in which you
can analyze Flash programs is to use a tool
that’s a part of REMnux it’s not new, you’ve
had it before. It’s called SWFDump. I can use SWFDump to
extract a whole lot of information
about a SWF program and save that into a text file. Let’s use SciTE to examine
the output of SWFDump and what I’m doing
here is I’m looking for any kind of an anomaly. For example, look at
this, there’s a tag that’s built into
the Flash program called DEFINEBITSJPEG and
you’re supposed to use this tag to embed a jpeg image
inside the executable. But this does not
look like an image because it has references
to various ASCII streams like executable names and URLs. Most likely this is
not an image at all and I’m theorizing that
maybe this is shellcode. And now the question is
is this indeed shellcode? And if it were shellcode
how would I disassemble it to analyze its capabilities. Now it might take a bit of
time to examine this blob of information to determine
where my shellcode arrives. For example here I
see a bunch of 90s that follow cc cc cc and
so I would form one theory that the shellcode
begins here at 90 90 60. Now, again, just a theory
and we don’t really have time at all within
this webcast to talk about how in great
detail you would find an analyze shellcode but
I do want to show you a bunch of tools that can
assist in this process. For example there is
a tool called Radare that has been a part
of the REMnux distro for a while and
Radare is a very handy command-line hex viewer,
editor and disassembler. For example you can tell Radare using the -x command to look for the following
sequence of hex bytes within the executable. And it finds them and
it creates a bookmark for them called hit01. Then I can go
there and I can say why don’t you show me,
print, what’s there and disassemble it and I’m
saying disassemble 30 commands, and now I’ve disassembled
what I think is shellcode and now if I know
how to read assembly I can determine whether this
is indeed shellcode or not. So this is the some shellcode
analysis using tools that have been a part
of REMnux for a while and the tool that I wanted
to show you in this context is new to REMnux that’s
what I mentioned earlier it’s called dism-this
and dism-this allows you to look at where you
think shellcode began and though I cleared the
screen quite quickly, Radare showed me that it
thought the shellcode begins at the offset 3E and I can
say why don’t you disassemble 36 bytes there and not
only try to disassemble that shellcode for me, I
could see this in Radare, so this in itself is not new. What’s nice about
this in this is that it also shows you the
results of some analysis where it tells you
some information about what it had just
disassembled so that you as a skilled
analyst can determine whether this is indeed shellcode or maybe you’re just
trying to disassemble some junk that’s
not shellcode at all and it’s not meant
to be disassembled. So how can you make
that determination? What the tool does
is it counts for you how many infrequent or rare
instructions were seen. The idea is that if you’re
trying to disassemble a set of bytes there
are not representative of instructions if you’re
trying to disassemble something that’s not meant
to be disassembled, then you can
encounter a whole lot of unusual infrequent
instructions and that would be your indicator
that you’re not looking at the right place. Similarly, the tool
counts references to segment registers
which should be rare as well as references
to static offsets which should be rare unless
you’re examining shellcode. Now, this tool sometimes
works very well, sometimes the information
that it gives me isn’t all that useful but
the idea is wonderful. Perform some automated
analysis that gives an analyst a few
metrics that the analyst can use to determine
whether he or she is looking at the right
place of the malicious file. And that is quite
a wonderful idea that I think warrants
some more experimentation. So staying within the context of examining malicious
Windows executables in a Linux environment
I wanted to introduce another tool to
you called Disitool and it’s written
by Didier Stevens. And Disitool is designed to
manipulate digital signatures embedded inside
Windows executables. Now, you may have seen the trend that a lot of targeted attacks
involve signed executables. In some cases attackers
have been known to steal a digital
certificate from one company and use it to digitally
sign their malware and if an executable
is digitally signed it is much less
likely to be blocked by our anti-malware tools. So, let’s say you’ve
got this executable and you’re wondering is
it actually digitally
signed at all. Specifically, I’m
examining for this sample the executable kiwi.exe. Now, here’s one way in
which you could determine whether the executable
is digitally signed on REMnux using tools
that have been installed in REMnux before. The tool is called Hiew and
Hiew is a command-line tool there is a hex editor
designed specifically for malware analysis. I’m going to load
Kiwi into Hiew. Now, Hiew has a
lot of capabilities I’m not going to
get into all of them you should definitely
check out Hiew on the web if you’re new to this tool. But what I want to use
Hiew for, specifically, is to look at a
particular data structure within the optional
PE header fields. So, I’m going to say
Hiew show me contents of a PE header and I’m
looking specifically in the area where I
know there should be an entry related
to digital signage. The header is called
optional_header.datadirectory And, by the way, Hiew
is wonderful in that if you start typing
you can press tab and it will autocomplete. Now, this is the data structure within the PE header that
contains a lot of fields and the one that I’m
looking at or the one that I’m looking for
is called security. This is the field that
should contain a pointer to the digital certificate
that might be embedded into this executable if
it were digitally signed. And here I have
the security entry within this structure and
I’m looking at its size. If it’s a non-zero
size then most likely this executable has
been digitally signed. So this is how you can look
at a Windows executable using Hiew to determine
whether the executable has been digitally
signed or not. Look at contents of this
field within the PE header and look at the
security data structure to see if it contains
a non-zero size. But there’s a better way now. There’s a better way
thanks to the tool that Didier created and
the tool’s called Disitool. Disitool can extract digital certificates from malicious files. Now, if you point
it to a file that has not been digitally
signed, let’s say, I pointed to, oh I
don’t know, hubert.dll. Well, it’s not digitally signed and it gives me an error saying that, yeah,
I couldn’t do that. File source is not signed. But if I point it to
a file that turns out to be digitally signed,
in this case Kiwi, I’m going to say save the
output into a Kiwi-sig.der no error, no error
means that it probably was digitally signed
and this a tool was able to extract the certificate. It uses the DER format for
creating the resulting file. Now, you can look at the
resulting file using strings and you can learn
a whole lot about who the certificate
might have belonged to and who it was
digitally signed by. But here’s a command
that you can use to take that DER
formatted certificate and convert it into a text file. This is hard to
remember, I know, but don’t worry as
I said you’re going to get full slides
on my speaker notes as a follow up to this session. So, I’m using OpenSSL to
convert that DER formatted file into a text file. And now if I look at it I
can actually read contents of the digital certificate
that we extracted from this Windows executable
and that’s pretty handy. So, I talked about
a number of tools that have been added to
REMnux for the purposes of analyzing malicious Windows
executables, statically, while staying within
the Linux environment. And here’s just a
summary of all the tools that I had mentioned. Some of these are
new to REMnux some of these have been there before. The best way to get
to know these tools of course is to
experiment which is why I hope you download
that malware archive that I’m using for this
demo and experiment, while being carefully not to
inadvertently infect yourself. But there are some other tools
and I couldn’t categorize under any other
heading but other. Other new tools that I
wanted to tell you about. A bunch of other
tools that I think you will find pretty useful,
so let me talk about those. The first tool that I
want to mention to you is called Autorule and Autorule
is a tool by Joxean Koret. And Autorule is designed
for examining a set of files and automatically
extracting binary patterns from those files to
create signatures for them and it will use the Yara
format for creating signatures. Let me show you what this
tool looks like in action. So let’s see. The tool is installed on REMnux. To run it you type usr
local Autorule tester. Then you point it at the
location where a bunch of malicious files
reside and your hope is that these files might
somehow be related together so that there will be
one or more signatures that the tool will
automatically create for you for automatically
spotting these types of files in the future. So what I have here
is a bunch of samples that I obtained from
the set of files that Mandiant analyzed
when it was publishing its report called APT1. Now, Mandiant classified
these as a set of malicious executables
called mapiget. I’ve got two of those
files in this directory but I’m now pointing to. And now the tool runs
and diff’s those files and it automatically
creates this set of Yara signatures for me
and generates the rules. Now of course what I should
have done is actually save this into a file
I’m going to call this mapiget.yara
and my hope is that what I’ve just done
is created a signature for this malware called mapiget. Now what I can do
next is point Yara which is a tool that has
been a part of REMnux for a while, and Yara
is a signature scanner. I’m gonna tell Yara
to use this signature that was just
automatically created and I’m going to tell it to
examine another directory. Now, I’ve got another
couple of mapiget files that I obtained from
Contagio, another source. Notice that I generated
this signature by scanning one set
of mapiget files and now I’m telling
Yara to examine another set of mapiget
files and I’m checking to see whether the
signature will work. Well, look at this it
was able to scan contents of this folder that
contains two executables and it’s successfully
identified one of those executables as yet
another mapiget variant. Now there are actually
two mapiget variants there so the automation isn’t perfect,
there’s one mapiget file that it failed to identify,
but still it’s pretty good. It’s pretty good,
if nothing else, than to demonstrate this concept for automatically
generating signatures in the Yara format. I think if this tool
as a proof-of-concept. It does give you a lot
of false positives, especially because as
part of its signature it oftentimes includes set
of consecutive zero bytes which are very common in
files that are executable and PDF files and Word documents so a lot of false
positives, but as a concept it’s very nice and
something that you might be willing to take
and then improve upon. That’s how we all
get better right, somebody gets an
idea creates a tool, we either contribute
to that tool or provide our own tool
that expands upon that idea and in the long term
we’re all better off because now we have
a bunch of tools that can help us do
malware analysis better than we could let’s
say a year ago. All right, well
what else what else can I show you about REMnux
in the miscellaneous category. Well, there is one handy tool that I really like
it’s called Exif. Exif is a tool by Phil
Harvey and ExifTool is designed for reading, writing and editing meta
information in files of all sorts of
different file types. Now this tool is
probably best known for accessing meta
information within image files like PNGs and JPEGs
and GIF files, but it can handle many
more formats relevant to malware analysts as well. For example, look I
can point this tool to a Word document
and it tells me that this is a Word
document and gives me some meta information about it. Or I can point this
tool to a SWF file and it tells me a whole
lot of information about this Flash program. So not a big deal, I
suppose, in the grand scheme of things but very
convenient to have this tool called ExifTool to
gather meta information about the files that
we’re examining. Now if you think about
the kinds of tools that I’ve been showing to you I’ve been talking about a
lot of static analysis tools. The tool that can locate
obfuscated contents, a tool that can extract
meta information, a tool that can
extract certificates. Wouldn’t it be nice if
we could just automate the execution of those tools. And that’s what we
can do with a help of a framework called MASTIFFs that was created by Tyler Hudak. MASTIFF is designed
as a framework for automating static
malware analysis. Now, the version of the
framework that’s a part of REMnux is a little
bit old because last week or so, Tyler released an
updated version of this tool. In the instructions for, or
in the notes for this webcast I will give you a very
detailed instructions for how to update your
distribution of MASTIFF to get the latest
and greatest version. But I’ve taken a
YouTube snap shot that I’ve already
created where I have the latest version
of the toolkit and now let me just
quickly show you how to really run it. I’m going to say
MASTIFF, that’s how you run the MASTIFF toolkit. Then I point it to
usr local etc MASTIFF which is the config file
that’s present on REMnux. Then I point it to the
directory that I want to scan. Now, this tool can scan
a whole lot of files. It has a built-in
queuing mechanism and the wonderful thing
about the MASTIFF framework is that it is trying
to be very smart about applying only the
appropriate plug-ins for statically analyzing
executables given for other files given
that file’s file type. So if it determines
that it’s examining a Windows executable it
will use one set of plugins. If, on the other
hand, it determines that it is analyzing
a Word document it will use another
set of plugins. So what you get as
the result is a set of information that has been
extracted from the files, but the information is relevant
for that specific file type. And so if you want to
see the output of MASTIFF on REMnux you can go
under var logs MASTIFF and this is where you
can see it’s saving the output it’s run. Now, you can go into any
one of these directories. Let’s look at… There’s this one file,
let’s say this one and we can see that
it copied into here the executable that was scanned and it pulled out a bunch
of information using PE info and check this out it
was even able to extract the digital certificate
that you might recall we previously located as
being embedded into this file. So just one example of
the kind of information that you can get using MASTIFF
in an automated manner. Very handy for analyzing
a large data set. Now, there’s one other tool
that I wanted to mention to you. This is a tool that
you can use for well making sense of the
data that you’ve gathered on a Windows system. So, ProcDOT is the
tool and it’s created by Christian Wojner. And ProcDOT is designed
for correlating data that was captured by
Microsoft’s Process Manager tool with the contents of a
PCAP, packet capture file. The idea is you would
infect a Windows system with a malicious
executable while having process monitoring
and while having a network sniffer
running like Wireshark and then you can
load those log files into ProcDOT and it will
create an interactive, color-coded graph
that highlights the meaningful events
and lets you navigate that data visually
which in many cases is much more effective
than navigating the flat, text-based
log file that you might have gathered using
Process Monitor alone. And ProcDOT is installed
on REMnux although today Christian released
the latest build of this tool so if
you’re using REMnux you might want to update
your copy of ProcDOT and in the notes they’ll
make available to you after this webcast I will have
very detailed instructions for how to very easily
update your copy of ProcDOT. Once you want load
this on REMnux you’ll be able to load the
Procon or Process Monitor intro log file below
the PCAP file and then regenerate
the graph for you that you’ll be able to analyze. And then, perhaps lastly, as
we are running out of time I wanted to mention a number of of functions that are
available to you now thanks to some work
that by Fernando Mercês. He created, what he
calls, hack-functions which are just a bunch
of bash shell functions that you can use in your
terminal window on REMnux. Now these functions
are not loaded into your environment by
default, but you can use the source command on REMnux
to load those functions and now you can perform
a whole lot of operations right from your command line. These operations include
the ability to convert from one decimal
base to another, you can convert
characters and strings across various encodings. There are some functions
specific to obfuscation and encryption, lots
of different functions. Perhaps too many for us to
go through on this webcast so I’m not even going to try. Instead, I’m going to point
you to the reference page that is available on REMnux. The original instructions
were in Portuguese, I use that in Google
Translate to convert them into English for those
of you who prefer to read in English so
definitely check out these functions they
might save you some time as you perform your work
on the command prompt. As you can see lots of
tools built into REMnux including those that I
would classify as being in the miscellaneous category, including Autorule and
ExifTool and MASTIFF and ProcDOT and hack-functions and of course I’ve also
mentioned some other tools that have been present
on REMnux already that I highly recommend
you experiment with. And this is, as much
as I prepared for you in terms of providing
an overview of the tools that are built into
REMnux that are new to the latest release
of REMnux, the best way to learn these is to
experiment with malware and experiment with these tools and I hope that
I’ve provided you with starting point for
getting to know REMnux and becoming a better
malware analyst. If you’re interested
in becoming better at malware analysis as
well as other aspects of malware forensics
well I suggest you check out the
various webcasts that SANS has put together. Some of these have been
previously recorded others are coming up over
the next couple of months so check out this link to
the malware related webcasts. Also if you’re new to
REMnux, definitely check out the checklist or the cheat
sheet that I put together that documents some of the
most commonly used commands on REMnux and of
course my hope is that if you find this
topic interesting then perhaps you will attend
the reverse engineering malware course that I teach
together with my colleagues at SANS Institute and
of course we make heavy use of REMnux as well
as various other tools and techniques
throughout the course. And so folks this is all
what I’ve prepared for you I will stick around
to see if you’ve got any more questions,
otherwise, please feel free to reach out to me
by email, on Twitter, and I hope to see you at one.
– Okay, at this point I’d like to start a Q&A
session for the webcast. Lenny, the first question
is, what’s the best way to transfer malware files
between Windows 7 host and REMnux VM? Couldn’t set up
shared folders in VM assuming networking
could be host-only. – [Lenny] So, there
are several ways of transferring files in and
out of the REMnux environment by far my favorite way
of transferring files in and out is to use
SFTP and this way you don’t have to deal with NetBIOS, you don’t need to
setup shared folders. Even though I suspect you
can do something like that but I’ve never really tried it, and in fact I don’t even
think Samba is installed in REMnux so I’m not sure
shared folders would work. My recommendation is
to use the ssh d daemon that’s installed
into REMnux and first you would need to do
sshd start the stack, that’s that it’s just h d start, and then you would
use a tool like SFTP, there are lots of SFTP
clients to get files in and out of REMnux,
I think that’s the best way to do it and that’s
what I typically do. And again, it’s all it’s
all about the convenience and your your working style
maybe you prefer something else but I suggest checking out SFTP. – [Benjamin] Okay,
the next question is does REMnux contain any tool
for Android malware analysis or mobile malware
analysis in general? – [Lenny] REMnux is not
being designed specifically for analyzing Android
malware and it in part it’s because I frankly
don’t have the expertise to go beyond a few
very basic steps when it comes to
analyzing Android malware, and some of that has to do with just decompiling the Java files that oftentimes comprise
Android-based malware and on REMnux there is a
very handy java decompiler called Jad and another
one called JD-GUI that you can use
for that purpose. But, for performing
further malware analysis of REMnux or rather on
REMnux of Android malware, let me see, there
was just a write up that I saw that I posted
on my Twitter stream a couple days ago,
hold on a second. I can’t find it anymore huh,
it’s in there somewhere. There it is, hold on
let me let me share the link with everybody. So, this is a little
write-up that was put together by Alonzo Marives. and he took REMnux as well
as another Linux distribution that’s maintained by
several SANS instructors, I mean mainly Kevin
Johnson called Mobi Sec and he showed them
the fact of how you can bring up a
REMnux virtual machine for emulating some services
and then he brought up the Mobi Sec
virtual machine which is designed for analyzing
mobile code and then he used the two
distro’s together to
analyze mobile malware. So maybe that’s something that
would be of interest to you. – [Benjamin] Okay, next
question is in general. Is the VMware REMnux corrupted? I tried to download
I’m getting errors I’m trying to extract the files. – [Lenny] If you’re
trying to download REMnux and you’re getting
errors, I’m not sure what I can assist
without knowing which specific errors
you’re getting. I can tell you
that I’ve been able to successfully
download all files and be able to extract them. I would check the
md5 hash of the files that you’re getting
and you can download the REMnux files
from SourceForge and if you look at I list there the hashes of the
files that you must, that you should be able to get. And if the hashes
don’t match then maybe there’s a file transfer
error somewhere. Also it could be a problem
with the extraction utility that you’re using
so if you’re using something like WinZip try
something like 7-zip perhaps, to see if you get
better results. Otherwise, if you’re
trying to download, let’s say, the proprietary
VMware formatted version of the virtual
appliance maybe instead try to use the open
format virtual machine to see if that one
works better for you. – [Benjamin] Our
next question is I’m sure like the
others in the field that I’m not the only person
who has built handy scripts. How can we as peers
share the tools we create for possible
inclusion into REMnux? – [Lenny] You know
that’s a great question because it comes down to
how the the challenges that any where anyone
has, in any community, whether it’s security
or butterfly enthusiasts about how do you
exchange knowledge and improve by jointly
collaborating on projects and it’s oftentimes
hard to do so. In many ways what
I’m trying to do with the REMnux distribution is
act as a funnel mechanism so that whenever
people create wonderful and useful tools I
try to do my part by spreading the word
around them, about them and documenting them
in my blog sometimes and including them in REMnux. But to answer the
question very tactically if you felt created
or know of a tool that you would like to
recommend for including in REMnux just send me
a note and I will take a look at it and if
it works as advertised and if it fits the objective
of the REMnux distribution which is malware analysis
then I’ll gladly include it. So please send me a note
on Twitter or by email. – [Benjamin] All right,
the next question is from an instructor. Do you know of
any good exercises that are progressive
in difficulty which I can use as background for training folks in analysis? – [Lenny] The finding
exercises for educating people about malware analysis is
difficult and time-consuming. That’s because there’s a
whole lot of malware out there but finding a sample that
doesn’t overwhelm the student and also only shows
what is relevant and doesn’t leave much room
for distractions is hard. And I don’t have any
specific sources in mind besides just looking for
malware and analyzing it and just a whole
lot of time spent on trial and error
unfortunately. Otherwise, I don’t
know if I could point to a sort of challenges
that could be used for this purpose it’s just
a bunch of trial and error and finding that sample that
demonstrates specifically the point that you as an
instructor trying to make. – [Benjamin] And for
our last question has the REMnux cheatsheet
been updated recently? – [Lenny] I have not
had a chance to update the REMnux cheatsheet
to include the new tools that I’ve added to version
four of the distro. It’s something that’s
on my to-do list, as you can see there’s
a whole lot of tools that I will include
there, but I just haven’t had a chance to do so,
but hope to be able to do so in the
next month or so. Thanks for the
reminder actually. – [Benjamin] It appears
we have one more question. What is a good piece of malware to start analyzing for a newbie? – [Lenny] A good malware to
start analyzing for a newbie? Well, it depends on
where your strengths are and what aspect of
malware analysis is most interesting to you. My recommendation
would be to start with that aspect that is
most, a bit easiest for you. But one that builds
upon the strengths that you already have,
and that kind of sample and that kind of area
is going to be different from one person to another. But I can point you to a webcast that I recorded earlier
that talks about one sample and I walk you through
the various steps of examining examining
the piece of malware using all the debug and
let me see if I have a link to that recorded webcast. It’s called something like Getting Started with
Malware Analysis so there it is,
hold on I found it. So this is a webcast that
I recorded a while back and my recommendation is to
use that particular sample that I’m analyzing and
if you need a copy, send me an email
and maybe that’s a good starting point for you. Again, depends on. (audio dropping) And strengths are. Another starting point
might be the various samples that I talked about
in this webcast and you’re welcome
to download a copy of that malware
archive from the URL that we’ll make available to you as part of the notes shortly
after this webcast ends. And also, I did
conduct another webcast that introduced people to
malware analysis using REMnux and there I mentioned a
whole other set of samples that you might want to
start experimenting with. – [Benjamin] All right, appears
we have one last question. Are there any tools on
REMnux that specific checks for VM detection routines
in PE and DLL files? – [Lenny] So, there are
several tools in REMnux that perform some static
analysis of malware and they look for risky
Windows API calls. I mentioned a couple
of tools like this on this webcast,
another tool like this it’s called P scanner that
can identify suspicious DLL or the suspicious API calls. However, for detecting
virtualization itself you need to look beyond
API calls and you’d want to look at a set of specific
assembly instructions and all that is to say but
I don’t have a specific tool like that that goes to look for that particular
pattern or patterns. You’ve got tools that
look at API calls, you’ve got tools
that look at strings and sometimes you
can tell that malware might be looking to
identify security tools by just a set of strings
that you see embedded into that executable. But looking specifically
for ways in which the virtualization is detected,
not that I can think of. – [Benjamin] All right, that
will conclude our Q&A session. I’d like to thank
you so much Lenny for your great
presentation for bringing this content to
the SANS community. To our audience we greatly
appreciate you listening in. For a schedule of all upcoming
and archived SANS webcasts visit Until next time, take
care, and we hope to have you back again
for the next SANS webcast.


Leave a Reply

Your email address will not be published. Required fields are marked *