Danielle Eve’s Guide to Reverse Engineering Malware – Day 4: Looking at Behavioral Data (RegShot, ProcDot, Wireshark)


danieve


Notes from the Girl

Well it’s been a bit of a long haul these past couple of months.  After the recent round of layoffs at my employer, I’m currently acting as Director of application ops for our corporate systems (accounting and HR) rather than doing IR.  If this continues long term, my skills will get seriously rusty.  I am starting to see accounting ledger sheets in my sleep.

In any event, on the more personal side of things, I’ve gone back to Blonde hair rather than the darker color I had switched to in March (the darker shown in the picture).  My wife, Reg (short for Regina), has made it clear that the color was too dark for me.  I’m just happy that she expressed an opinion.  We’re still rocking and rolling.  It’s always awesome to see love take a front seat to fear.  Speaking of which, what’s up with these bathroom laws people?  I just wanna pee.  Like a woman.  I don’t want to be in the men’s room.  This crap is silly.  Well, I hope the good people of North Carolina and Mississippi (as of this writing) are prepared to have men like Buck Angel in the women’s restroom.  If you don’t know who Buck Angel is, google it.

If “peeping Toms” are your concern, make it a crime to peek at someone in the restroom. Oh, wait, that’s already a crime in both North Carolina and Mississippi (GSNC § 14-202, MSC § 97-29-61).  If rape is your concern, I have to tell you, any transwoman who has been on HRT for more than a month hasn’t a hope in hell of being able to rape anyone.  Wait, rape is illegal too, in North Carolina and Mississippi even.  So what were these bathroom bills supposed to prevent?  Nothing that wasn’t already illegal.  The reality is that they are designed to make transition as uncomfortable as possible for transwomen.  Not for transmen mind you.  Again, go look at Buck Angel.  Who is going to challenge him in the men’s room?

All in all, the last two months have been a little depressing.  But, I am surviving.  As my mother and step-mother have both told me many times, this, too, shall pass.

Oh, one other thing, my Faerie Lanterns turned out great.  My daughter stole them for her room.  Grrr. . . .

On with this week’s discussion: interpreting the ProcDot, RegShot, and Wireshark data from our behavioral capture.

Looking at ProcDot, RegShot, and Wireshark Data

Last week, we launched brbbot.exe in order to get some data.  Unfortunately, this didn’t result in any real information on the network, but our Process Monitor capture did show some behaviors that appeared in ProcDot when we analyzed the results.  Part of this information showed registry changes, new files, and a few other things.  Unfortunately, we didn’t do a careful registry capture that would allow us to see the changes clearly.  Not to worry, this week we’re going to make that happen.  So, go ahead, if you haven’t already, and revert your Windows reverse engineering VM to the known good state.  Next, you’ll want to change your network properties as follows (I’m using Argon Network Switcher for convenience, but you can set these values in the Control Panel just as easily).


Now, start your REMnux installation as well and make sure it’s reverted to the most recent known good snapshot.  Then, in REMnux, open a terminal window and type myip.  You should see something like the screenshot below.


If you don’t have 192.168.244.129 as your IP on your REMnux workstation, then make sure you change it.  You can do so with the following command:

sudo ifconfig eth0 192.168.244.129 netmask 255.255.255.0

Right, now, like last time (Day 4), go back to your Windows reversing workstation and start Process Hacker and Wireshark.  Your screen should look something like this:


Now fire up RegShot, click 1st shot and select Shot.  Do this before you start Procmon: RegShot creates a lot of noise in Procmon, and the number of entries would likely crash Procmon on our VM given its limited resources.


Now, start your Wireshark capture and Procmon like we did last time, then right click brbbot.exe and click Run As Administrator.  We’ll let that run for about 3 minutes and then we’ll kill it by right clicking it in Process Hacker and selecting Terminate.

Now, let’s stop our captures and save our Procmon and Wireshark data.  Don’t forget to save the Procmon data as CSV and not PML.  Close Procmon and Wireshark.  Once you’ve verified that brbbot.exe is no longer executing, close Process Hacker.  Now, in RegShot, click 2nd shot, then click Compare.  This will open Notepad with a listing of the registry keys changed since the 1st shot.  Minimize this and keep it handy; we’ll be referring to it soon.  Go ahead and load your brbbot captures in ProcDot and we’ll see what we get.  You should see something like what is below.


You’ll notice a few things.  As indicated in the upper right corner of our ProcDot screen, right after it started, brbbot created a new file in C:\Windows\System32 called brbbot.exe.  This is actually a copy of the program itself, to be used for later purposes.  This is good to know as it can be used as an IOC (Indicator of Compromise).

Also, it added itself to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.  This gives it an autostart.  It also created C:\Windows\System32\config\SOFTWARE.LOG2.  This is an indication of modifications to the SOFTWARE hive: Windows writes registry changes to these hive log files whenever the hive is modified.

We can also see that it created brbconfig.tmp and modified several other registry entries.  We’ll come back to brbconfig.tmp, but first let’s look at the registry changes.  Lucky for us, this time we actually have registry captures that show the changes.

As you can see, the registry value below was created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Windows\system32\brbbot.exe"

This gives the bot persistence across reboots.

There were several other keys touched.  Go through each one in your registry and your RegShot data and see if you can find out what was changed on each one, if anything.  Also, at the end of the RegShot data is a listing of files that were modified or created.  One thing to note: brbbot.exe looks at the ProxyEnable and ProxyBypass settings.  It’s probably a good bet that it will set a bypass if ProxyEnable is set to 1.  That’s just hypothetical, but if you want to find out, restore your initial known good snapshot, set an internet proxy in your Internet Options, and re-run the same test.  Let me know how it turns out.
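RegShot tells you what changed between the two shots; the Procmon CSV tells you which process changed it and when.  The script below is an added example of my own (not the post’s code and not anything from brbbot) that cross-references the two: it parses a RegShot compare report and a Procmon CSV export, attributes each registry and file change to the process that wrote it, and labels the Run value and the System32 copy as IOCs while setting aside the hive log and Explorer’s MRU noise.  Both inputs are constructed samples, and the RegShot section layout and Procmon column names are assumed from those tools’ text exports.

```python
import csv
import io
import re

# Constructed RegShot "Compare" report modelled on the changes the post describes; section
# layout follows RegShot's text report. The MRUListEx entry and the Temp path are made-up noise.
REGSHOT_REPORT = r"""Regshot 1.9.0 x64 Unicode
----------------------------------
Values added: 2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Windows\system32\brbbot.exe"
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00
----------------------------------
Files added: 3
----------------------------------
C:\Windows\System32\brbbot.exe
C:\Windows\System32\config\SOFTWARE.LOG2
C:\Users\REM\AppData\Local\Temp\brbconfig.tmp
"""
# Constructed Procmon CSV export (default "Save as CSV" columns); times, PIDs and Detail
# strings are made up, not captured data.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0000001 AM","brbbot.exe","1234","CreateFile","C:\Windows\System32\brbbot.exe","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:02:11.0000002 AM","brbbot.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot","SUCCESS","Type: REG_SZ, Data: C:\Windows\system32\brbbot.exe"
"10:02:11.0000003 AM","brbbot.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Data: 0"
"10:02:12.0000004 AM","brbbot.exe","1234","CreateFile","C:\Users\REM\AppData\Local\Temp\brbconfig.tmp","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:02:12.0000005 AM","Explorer.EXE","800","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx","SUCCESS","Type: REG_BINARY, Data: 00 00 00 00"
'''
SECTION_RE = re.compile(r"^(Keys|Values|Files|Folders) (added|deleted|modified): \d+$")
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+(?=\\)", re.I)   # RegShot's per-user hive prefix
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")       # applied to lower-cased paths
HIVE_LOG_RE = re.compile(r"\\config\\[a-z]+\.log\d?$")           # SOFTWARE.LOG1/LOG2 and friends

def parse_regshot(report):
    """Group report lines by section; 'Values' lines split into (path, data) at the first ': '."""
    sections, current = {}, None
    for line in report.splitlines():          # real reports are UTF-16 text; decode before calling
        if not line.strip() or line.startswith("----"):
            continue
        if SECTION_RE.match(line):
            current = line.rsplit(":", 1)[0]  # e.g. "Values added"
            sections[current] = []
        elif line.startswith("Total changes:"):
            current = None
        elif current:
            path, _, data = line.partition(": ") if current.startswith("Values") else (line, "", "")
            sections[current].append((path, data))
    return sections

def normalize(path):
    """Procmon names the logged-on user's hive HKCU; RegShot names it HKU\\<SID>. Unify and case-fold."""
    return HKU_SID_RE.sub("HKCU", path).lower()

def index_procmon(csv_text):
    """Map each path successfully created or set to the first process (per Procmon) that did it."""
    writers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = row["Operation"] == "CreateFile" and "OpenResult: Created" in row["Detail"]
        if (created or row["Operation"] == "RegSetValue") and row["Result"] == "SUCCESS":
            writers.setdefault(normalize(row["Path"]), row["Process Name"])
    return writers

def attribute_changes(report, csv_text, suspect):
    """Label every RegShot change with the process that made it and whether it is an IOC for `suspect`."""
    writers, findings = index_procmon(csv_text), []
    for section, entries in parse_regshot(report).items():
        for path, data in entries:
            key = normalize(path)
            who = writers.get(key, "<no Procmon writer>")
            if HIVE_LOG_RE.search(key):
                label = "noise: registry hive transaction log"  # kernel-written, not the sample
            elif who.lower() != suspect.lower():
                label = f"ignore: written by {who}"  # another process, or never seen in Procmon
            elif RUN_KEY_RE.search(key):
                label = "IOC: autostart persistence"
            elif key.startswith("c:\\windows\\system32\\"):
                label = "IOC: binary dropped in System32"
            else:
                label = "IOC: written by suspect, review"
            findings.append({"section": section, "path": path, "data": data, "who": who, "label": label})
    return findings
```

Run attribute_changes(REGSHOT_REPORT, PROCMON_CSV, "brbbot.exe") and each of the five RegShot entries comes back with its writer and label; the ProxyEnable read never appears because a RegQueryValue changes nothing.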

Okay, so you can also look at brbconfig.tmp.  Unfortunately, opening it in Notepad or in Notepad++ yields very little value.  It looks like it may be encrypted.  You may want to save that file on a thumb drive or something, because we’ll be coming back to it in a later adventure.

Next time, we’ll look at gathering network data that actually means something and how to use our REMnux tools to “feed” malware what it thinks is good network traffic.

Danielle Eve’s Guide to Malware Reverse Engineering Day 3: Installing Windows for REM

Prologue from the Girl


The Holiday break is over and we are now on with mighty joint!  Sigh, no one makes movies like Mel Brooks.

Anyway, in deference to my wife and daughter who just weren’t ready for the social stress of me presenting female at the family gathering, I spent 6 miserable days in Atlanta as “the reluctant drag king.”  I will NEVER do that again.  I have come way too far.  It’s hard on them I know, but the reality is that we have all resolved to stay together through this.  We all have a lot of adjusting to do.  That being said, they are the greatest just for trying to make this work and I love them with all of my heart.  My boys too.

On the lighter side, our CIO and HR department sent me flowers about a week after I started transitioning in the workplace.  It really was amazing.

We have gone to see The Force Awakens twice since my last post.  Yay!!! Rey is cool.  I think I’m in love with Daisy Ridley, in a movie star kind of way.  I think she put Finn in the friend zone at the end, so there may be hope. Ha ha. . . I’m pretty sure she’s straight.  Not to mention I’m married and I like having a head on my shoulders.


Moving on to our topic at hand: installing Windows on our system for reverse engineering.

Installing Windows on our Virtual Box Setup

A couple of items of note.  When we create this Windows virtual machine we need to start the process using NAT networking.  This is important for a few reasons.  First and foremost, we need to activate Windows.  Secondly, we have some tools that we need to download and install.  Patching the system isn’t my primary concern, as we will generally be using it off-line anyway.  The scope of these tutorials is to focus on malicious binary analysis.  Web based exploits like cross-site scripting (XSS) and JavaScript obfuscation will wait for a later date.

Go ahead and create a new virtual machine in VirtualBox.  I call mine REM Windows 8.  I chose Windows 8 (64-bit).  We’ll assume that you are using Windows 8 64-bit for the purposes of this tutorial.  The same essential approach applies to Windows 10 as well in terms of machine set up; obviously, you would choose Windows 10 in that case.


I have a copy of the Windows 8.1 Pro ISO, as I purchased that from Microsoft.  If you haven’t had a chance to create a Windows 8.1 ISO, you’ll need to do so from a Microsoft Windows machine.  If you don’t have one, go to a friend’s house.  You can use the Windows media creation tool located at the following address to create your ISO.

http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

Go ahead and give the VM 2 GB of RAM.  You shouldn’t need much more than that to do effective reverse engineering.  If you do, you can always increase it later.  If you don’t have much RAM in your reversing workstation, then there will be performance degradation, as the host system will swap your VM processes to disk in order to accommodate larger RAM settings.


For the hard disk, choose Create virtual hard disk now.  Don’t worry about where it says 25.00GB; we’ll be setting the hard disk size later.


I choose the VDI format for the disk.  This is the native image format for VirtualBox.  I typically choose it in this instance to make sure that any future releases with new things we can do with the disk are compatible.  You can choose VMDK if you want a VMware compatible disk, but I don’t see any value in this instance.  If you want to move the VM, you can export it to an OVA.


I typically choose dynamically allocated for the disk.  This incurs a minor performance hit during processing, but allows us to create the disk quickly, and for our purposes the performance hit is negligible.


Finally, I am going to select 100GB in this instance for the disk size.  Mind you, VirtualBox will only allocate what is needed as the disk is used, because we selected dynamic allocation.


And click Create.

Now, before we start up the VM, we need to open the settings and make two changes.

  • Change the networking to NAT.
  • Attach the Windows 8 ISO to the virtual machine so it boots and installs Windows 8.

Installing Windows 7/8/10

I will NOT go through the details of the Windows installation for two reasons.  One, this is a vanilla installation; it shouldn’t require rocket science.  Two, if you can’t handle a basic Windows installation inside of VirtualBox, then these guides probably aren’t for you.  We’re going to get into advanced topics in these guides like assembly, code obfuscation, and data/code encryption.  You really need to have a solid background in computing to do this.  I recommend some background in forensics or at least some training.

I use the local username REM for the Windows username, by the way.

Make sure you have your activation key handy, that you are in NAT networking mode, and that you activate the system.  This last step is vitally important, as we only want to do this once.  Once Windows is installed, we’re going to download the tools listed below.

Reversing Software

Java 1.7
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u80-oth-JPR

ExeInfo PE
http://sourceforge.net/projects/exeinfope/files/

Capture Bat
https://www.honeynet.org/node/315

OllyDbg (get both versions 1 and 2)
http://www.ollydbg.de/

Scylla
https://tuts4you.com/download.php?view.3503

CFF Explorer
http://www.ntcore.com/exsuite.php

RegShot
http://sourceforge.net/projects/regshot/

Fiddler
http://www.telerik.com/fiddler

Bintext
http://www.mcafee.com/us/downloads/free-tools/bintext.aspx

Process Hacker
http://processhacker.sourceforge.net/

SSView
http://www.mitec.cz/ssv.html

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

PE Studio
https://www.winitor.com/

ProcDot
http://www.procdot.com/

Mandiant Redline
https://www.fireeye.com/services/freeware/redline.html

HashTab
http://implbits.com/products/hashtab/

SetDLLCharacteristics
http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

ActivePython
http://www.activestate.com/activepython

IDA Pro Freeware
https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Firefox
https://www.mozilla.org/en-US/firefox/new/

Wireshark
http://www.wireshark.org/

Update:  I missed a few dependencies.

GraphViz
http://graphviz.org

WinDump
http://winpcap.org/windump

Once we’ve activated the system and downloaded the tools above, go ahead and install the VirtualBox Guest Additions per the VirtualBox instructions.

Now, set the networking to Internal Network and use the name “intnet” for the network name.


Once you’ve done that, go ahead and create your clean snapshot.


Aaaaaaand. . . .you’re done.  Next time, we’ll look at some basic behavioral analysis techniques.


Danielle Eve’s Guide to Malware Reverse Engineering – Day 2: Installing REMNUX

Prologue from the Girl

Well, I had to delay this article for some weeks due to the fact that I’ve been absolutely swamped at work.  Today is the 6th of December, 2015 and I’m 1 week away from going full time as a woman at my current job.  Staples has been quite the inclusive environment.  I’ve been treated with the utmost of respect by everyone there and several people are excited to see how things turn out for me.  The company has made sure that everyone at the home office is aware of my transition and that I’m to be treated with respect.  It’s nice to see that some things can change.  Well, without further ado, on to Day 2, setting up the REMNUX system for our cheapo reverse engineering environment.

Installing and Setting Up REMNUX

Last time we went through the motions of prepping our Linux host system as the foundation for our Malware Reverse Engineering Lab (henceforth, just “the lab”).  In addition, we installed VirtualBox as our virtual machine platform.

This week, we’re going to install the first real component of the lab.  Competent reverse engineers will use many tools available on multiple platforms, primarily Linux and Windows.  Fortunately for us, on the Linux side, our pal Lenny Zeltser and his buddy David Westcott have put together REMNUX.  REMNUX is a free Linux based distro for analyzing and reverse engineering malware.  Why, you may ask, are we installing a Linux based setup in a VM on a Linux system?  The reason is simple: we need isolated systems for reverse engineering.

Having a VM allows us to do things like snapshot known clean setups.  Viruses that infect the BIOS of a system have no power in a VM as well, at least in general.  Tools like fakedns or honeyd, which we will discuss in later posts, also don’t run easily on Windows, if at all.  Those same tools can create havoc on a live network as well.  Face it, all of our actual RE work will be done in the lab, isolated.

Getting REMNUX

Fortunately for us, REMNUX is available as a download from SourceForge as an OVA.  For the uninitiated, an OVA is a virtual machine package format that allows us to import the REMNUX distro and get started immediately.

You can download the latest REMNUX OVA file from https://remnux.org.  I’ve provided a link to the most recent one as of this writing below.

http://sourceforge.net/projects/remnux/files/version6/remnux-6.0-ova-public.ova/download

Just paste the above link into Firefox and have at it.  It will download to the Downloads directory on our lab system.  The download is about 2 GB, so we should be good for disk space.  Fortunately, the REMNUX tools don’t require a lot of memory or even much in the way of CPU resources.  Once downloaded, as with all tools, verify the hash.  As of this writing, the current SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6.

Installing REMNUX

The installation of REMNUX is fairly straightforward.  First of all, fire up VirtualBox.  You can do so by opening up a terminal session and typing virtualbox, or you can use the menu system within Ubuntu by clicking on the Search icon in the Launcher and typing VirtualBox in the search bar as shown below.


Clicking on the VirtualBox icon or starting it from the terminal will bring up the VirtualBox window.


Once VirtualBox is launched, go to File->Import Appliance and the following window will appear.


Select the location where you downloaded the REMNUX OVA.  The file name should be remnux-6.0-ova-public.ova.  For me this happened to be /home/dani/Downloads/remnux-6.0-ova-public.ova.  Then, click Next.


In the Appliance Settings screen, I took the normal defaults provided by the OVA; however, I did tell the system to re-initialize the MAC address of all network cards.  I did this for two reasons.  One, if I decide for some reason that I need a second REMNUX system on my network, I don’t want a MAC collision.  Secondly, by reinitializing the MAC address, it keeps malware from potentially recognizing the system as it was delivered.  It’s a long shot that malware would go through all of the trouble to look for a known MAC address on the local network or on its gateway (which REMNUX will be for many samples), but given how easy it is to defeat that detection trick, I might as well.

Well, go ahead and click Import.


Have a snack, a cup of coffee, play a round of Hearthstone, or whatever suits you when bored.  In a bit, your REMNUX installation will be ready.


We still have one more step to execute before we can really get going with our REMNUX environment.  You will want to install the VirtualBox Guest Additions.  Depending on how you installed VirtualBox, they will be located in different places.  In my case, they are located in /usr/share/virtualbox.

So, click on your REMNUX VM and then click Settings.  Click the Storage menu on the left and then add a DVD-ROM device by clicking on the add icon in the Storage window.


Then click on the DVD-ROM drop down on the right and select VBoxGuestAdditions.iso from the appropriate location.  It will be in either the /usr/share/virtualbox folder or the /opt/virtualbox/additions folder.

Go ahead and start REMNUX.

REMNUX will start and bring you to a terminal window.  Execute the following commands to complete the VirtualBox Guest Additions installation.

sudo mount /mnt/cdrom            # mounts the Guest Additions ISO; assumes /mnt/cdrom has an /etc/fstab entry (otherwise: sudo mount /dev/cdrom /mnt/cdrom)
cd /mnt/cdrom
sudo ./VBoxLinuxAdditions.run    # builds and installs the guest kernel modules
sudo reboot                      # reboot needs root in the VM

This will install the VirtualBox Guest Additions and then reboot the REMNUX system.


Last but not least, we’ll need to create a clean snapshot of the system.  This is done by clicking on our VM in the VirtualBox window and selecting the Snapshots button in the upper right.  You can then click the Take Snapshot button.  Alternatively, you can press Shift+Ctrl+S.


Give the snapshot a name that describes what it is, such as “Clean State”.


The snapshot will show up in the snapshot list.


Congratulations, step 2 of our lab environment is complete.

Next time, installing our Microsoft Windows reverse engineering virtual machine.

Danielle Eve’s Guide to Malware Reverse Engineering – Day 1

Day 1 – Building Your Lab on a Budget

Prologue from the Girl

So, I’ve been working on my GIAC Certified Reverse Engineer certification via the SANS Forensic 610 track.  It’s an interesting course to be sure and Lenny Zeltser gives good instruction.  I have had years of experience in development and I would encourage anyone interested in reverse engineering to get a good foundation in a higher level programming language such as C# or C++.  Nothing too in-depth, but enough to know how to make an API call or two to open a file on disk and/or store a registry entry without using the .Net assemblies.  Understanding C/C++ loops, memory management, etc. is helpful as well.  It just makes it easier to understand.  Having been in IT for 28, almost 29, years. . . Crap. . . I’ve been in IT longer than any of my children have been alive.  Anyway, having been in IT for 28 years, I already had a good foundation in Assembly and computer science as well, so I am able to enjoy the course work in a more nuanced way than I think I would have otherwise in my career.  That being said, I realized that the material that I’m taking at 90 miles an hour to prepare for the exam might be better doled out in small measured doses for folks taking it on much earlier in their career, especially if they haven’t had any mid-level language development experience.

This series of posts will focus weekly on first setting up the lab, and then each week we will focus on a different vital tool to be used in reversing systems.  The entire series will be focused on free or open source tools wherever possible.  In fact, the only thing we’ll be buying for the lab is a single copy of Windows, available for less than $100.00.

Again, they’ll be short, bite sized chunks.  Something you could read in 10 minutes and execute in less than an hour with a good internet connection.

So, without further ado. . .

Build the Lab Foundation on a Shoe String

If you’re going to build out a reverse engineering lab, you need to start with some basics.  First and foremost, you do NOT need a bunch of computers; one will do nicely.  Having multiple machines, firewalls and switches can be helpful, but to be clear, it’s not necessarily required and in some instances can be very unwieldy.  You will need, at minimum, one copy of Windows 7, 8, or 10.  Any of them will do.  You could use Windows XP as well, but given that there has been a lot more adoption of Windows 7 to date, a Windows 7 minimum is what I would recommend.

In today’s posting, we’re going to build out our host environment and get set up for the virtual machines we’ll load later.

For a host environment, I prefer using Ubuntu Linux for various reasons.  Primarily, most of the malware I’m going to be reverse engineering will be Windows malware, and a Linux host keeps my host system better protected if the malware tries to escape the virtualized environment.

Our hardware host will be running Ubuntu.  I prefer to install from USB.  For this we will be using Ubuntu 14.04.3 LTS (Long Term Support), the current Ubuntu LTS distribution as of this writing.  You could probably use an Ubuntu 15.x version, but I am not testing that at this time; maybe later.

I’m using the 64-bit version that you can get from http://www.ubuntu.com/download/desktop.

To create a bootable USB stick, follow these instructions (assuming you’re building the stick on Windows): http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

Follow the standard Ubuntu installation defaults using the instructions below, but be sure you leave at least 100GB of free disk space for your virtual machines; you’ll need 2 of them.  http://www.ubuntu.com/download/desktop/install-ubuntu-desktop

Installing VirtualBox 5 on Ubuntu 14.04.3

Installing VirtualBox 5 on Ubuntu 14.04.3 is trivially easy in most respects.  First order of business, make sure your Ubuntu instance is up to date.  Open a terminal window and execute the following:

sudo apt-get update

This will update your list of available packages.  Then you need to upgrade the installed packages on the host with:

sudo apt-get upgrade

The system will list the packages to be upgraded and prompt you with the following:

After this operation, 10.4 MB of additional disk space will be used. Do you want to continue? [Y/n]

Enter “Y” and press Enter.

It’s important to keep your system patched anyway.  Finding security professionals with unpatched production systems is like nails on the chalkboard. Grrr… how embarrassing.

While VirtualBox is available as an Ubuntu package, I’ve seen some issues getting it installed via the Ubuntu repositories, so I like to download it from VirtualBox directly.  You can do this from https://www.virtualbox.org/wiki/Linux_Downloads.

Click on the Ubuntu AMD64 link for “Trusty”.  Execute the following:

sudo dpkg -i Downloads/virtualbox-5.0_5.0.10-104061~Ubuntu~trusty_amd64.deb

Once installation completes, you’ll be ready for the next step: installing REMNUX, the reverse engineering toolkit on Linux.