Tuesday 4 December 2012

Ruby and Yara on Debian environment

I am currently working on a Yara project in Ruby, and I just wanted to write a quick note on how to install Yara for use with Ruby on a Debian system. This post assumes you have a working Ruby installation on your system.

Requirements

Repository (g++ and the pcre library)

  • build-essential
  • g++
  • libpcre3
  • libpcre3-dev

sudo apt-get install build-essential g++ libpcre3 libpcre3-dev

Yara

Go to the Yara project site, download the Yara source code, then extract and compile it (at the time of writing it is at version 1.6):
cd yara-source/
./configure && make && sudo make install

Installation

Yara ruby-gem

sudo gem install yara

I then tried to load the library in IRB but ended up with this error:
irb(main):001:0> require 'yara'
LoadError: libyara.so.0: cannot open shared object file: No such file or directory - /var/lib/gems/1.9.1/gems/yara-1.6.0/lib/yara_native.so
from <internal:lib/rubygems/custom_require>:29:in `require'
from <internal:lib/rubygems/custom_require>:29:in `require'
from /var/lib/gems/1.9.1/gems/yara-1.6.0/lib/yara.rb:18:in `<top (required)>'
from <internal:lib/rubygems/custom_require>:33:in `require'
from <internal:lib/rubygems/custom_require>:33:in `rescue in require'
from <internal:lib/rubygems/custom_require>:29:in `require'
from (irb):1
from /usr/bin/irb1.9.1:12:in `<main>'


Library problems


libyara.so.0 is installed as /usr/local/lib/libyara.so.0, a directory the dynamic loader was not searching when the gem's native extension was loaded. To fix this I added that path to /etc/ld.so.conf and ran ldconfig:
sudo sh -c "echo '/usr/local/lib' >> /etc/ld.so.conf" && sudo ldconfig


Monday 3 December 2012

A botnet's compromise - Pt 1

As I have stated in earlier posts, I ran the Dionaea honeypot to collect malware samples during my studies.
I decided to do a live analysis of one sample I received, running it on a closely monitored network with an OpenBSD transparent bridge acting as a honeywall to log and control network traffic.
While analysing the network traffic I realised the malware infected the machine with several different specimens of malicious software.
In this post I will do both static and dynamic analysis on each of the received specimens to determine their characteristics and how they work together (and how to remove them safely). As these samples were already old when I wrote this post, one could easily use an anti-virus scanner to remove them. The C&C servers mentioned here are also no longer alive.

The exploit used to compromise the honeypot was MS08-067, a well-known vulnerability that was critical for Windows systems. It was used to download H2.exe, and this is the file I ran in the malware-lab environment.
To extract the files from the network dump I used Wireshark; the file streams are shown below.

[Screenshot: Downloaded files]

Static Analysis

I tried Yara to find out whether the files were packed, and Yara was not able to identify a packer on any of them except Bren.exe.
As I had already done some research on the binary received on my honeypot during my studies, I knew that it was packed with an unknown packer; for the rest of the files I had no clue, but one would assume they were packed as well.
In this part of the post I will only show the VirusTotal information and the file info / imports information for each file.

VirusTotal Information

  #  Filename  File type
  1  -         PE32 executable (GUI) Intel 80386, for MS Windows
  2  -         PE32 executable (GUI) Intel 80386, for MS Windows
  3  -         PE32 executable (GUI) Intel 80386, for MS Windows
  4  -         PE32 executable (GUI) Intel 80386, for MS Windows
  5  -         PE32 executable (GUI) Intel 80386, for MS Windows
  6  -         PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  7  -         PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  8  -         PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows


File info & Imports

I played around with Ruby and Metasm to extract the import table and other information from the files; alternatively one could use objdump, but it is very verbose. All of the files use a lot of imports, either to unpack themselves or for anti-debugging, as one can see in the screenshots I took from the CLI using the tool I wrote in Ruby.
I will not comment on all of these pictures, but one can see hints in some of the sections that the files might be packed. Some funky sizes and addresses are one good hint, indeed.


[Screenshot: h2.exe]



There is quite a large list of imports in this file. At first glance I would believe some of these functions are there to confuse the analyst and some are used to unpack the file.

The section ".cod\x1F\x1F" is suspicious, and with strings I can confirm that this file is packed.
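An added example of the kind of section-header hints described above (written for this edit, not the author's Ruby/Metasm tool from the screenshots): a minimal PE32 section-table reader in pure Ruby that flags non-printable section names such as ".cod\x1F\x1F", well-known packer section names like UPX0, and a large gap between a section's on-disk and in-memory size. The packer-name list, the size threshold and the constructed sample image are assumptions.

```ruby
SECTION_HDR_SIZE = 40
PACKER_SECTION_NAMES = %w[UPX0 UPX1 UPX2 .aspack .adata .petite].freeze  # small constructed list

# Parse the section table of a PE32 image held in a binary string.
def pe_sections(data)
  raise ArgumentError, "missing MZ header" unless data[0, 2] == "MZ"
  e_lfanew = data[0x3C, 4].unpack1("V")
  raise ArgumentError, "missing PE signature" unless data[e_lfanew, 4] == "PE\0\0"
  coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
  nsec = data[coff + 2, 2].unpack1("v")        # NumberOfSections
  opt_size = data[coff + 16, 2].unpack1("v")   # SizeOfOptionalHeader
  first = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
  Array.new(nsec) do |i|
    name, vsize, vaddr, rsize, rptr = data[first + i * SECTION_HDR_SIZE, SECTION_HDR_SIZE].unpack("Z8VVVV")
    { name: name, virtual_size: vsize, virtual_address: vaddr,
      raw_size: rsize, raw_offset: rptr }
  end
end

# Return [section_name, reason] pairs for sections that hint at packing.
def packer_hints(sections)
  sections.flat_map do |s|
    n = s[:name]
    reasons = []
    reasons << :nonprintable_name if n.bytes.any? { |b| b < 0x20 || b > 0x7e }
    reasons << :packer_name if PACKER_SECTION_NAMES.include?(n)
    if s[:raw_size].zero? && s[:virtual_size] > 0
      reasons << :empty_on_disk     # nothing on disk, filled in at run time
    elsif s[:raw_size] > 0 && s[:virtual_size] > 4 * s[:raw_size]
      reasons << :size_mismatch     # grows a lot once mapped (assumed threshold: 4x)
    end
    reasons.map { |r| [n, r] }
  end
end

# Build a constructed (not real) PE32 from rows of [name, virtual_size, virtual_address, raw_size, raw_offset].
def build_sample_pe(rows)
  dos = "MZ".b + ("\0".b * 0x3A) + [0x40].pack("V")   # e_lfanew = 0x40
  opt_size = 224
  coff = [0x14C, rows.size, 0, 0, 0, opt_size, 0x102].pack("vvVVVvv")
  opt = [0x10B].pack("v") + ("\0".b * (opt_size - 2))  # PE32 magic, rest zeroed
  table = rows.map { |n, vs, va, rs, rp| [n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020].pack("a8VVVVVVvvV") }.join
  dos + "PE\0\0".b + coff + opt + table
end

# Constructed rows: a normal section, one named like the ".cod\x1F\x1F" above, and a UPX-style one.
SAMPLE_ROWS = [[".text", 0x1000, 0x1000, 0x1000, 0x400], [".cod\x1F\x1F", 0x8000, 0x2000, 0x600, 0x1400],
               ["UPX0", 0x20000, 0xA000, 0, 0x1A00]].freeze
packer_hints(pe_sections(build_sample_pe(SAMPLE_ROWS))).each { |name, why| puts "#{name.inspect}: #{why}" }
```

The same two functions work on File.binread of a real PE; the image built here only exists so the example runs offline.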


As this blog post is not about unpacking malicious software nor analysing it, I will continue in Part 2, where I will perform static and dynamic analysis on the unpacked files.



Sunday 2 December 2012

Malare - A malware database.

Since I activated my honeypot I have received a lot of different malware, which I should analyse at some point. But the more malicious software I got, the harder it became to keep track of which files I had analysed, where they came from, where they connect to and so on.

To help me organise the files I decided to build a malware database using the Ruby programming language and SQLite, and named the project Malare.

With Malare I wanted to store malware samples together with the information I care about, and keep the binary itself on the filesystem. To begin with I added features to add samples, remove samples and search the database for a given keyword. It stores both the database and the samples in ~/Desktop/malare, and the information I wanted to keep in Malare's database is:
  • Filename
  • Source (where you got it from)
  • Domain name of the Command & Control server (C&C)
  • IP address of the C&C (optional)
  • Notes (optional)

[Screenshot: Malare's help screen]

With that tool I could easily keep track of malware samples. One could also make Malare add samples directly as they are downloaded by the Dionaea honeypot.

I added two options to display what is stored in the database: -l (--list) lists all samples in the database, and with -s (--search) one can search for samples based on md5sum, C&C or filename.
Below is a sanitised version of the --list output; as one can see I have added a few samples to Malare.

[Screenshot: --list option]

Below I demonstrate a search based on a filename.

[Screenshot: --search option]

I have a few other ideas on how to develop this project further and make analysis easier, but for now it works pretty well. Download the project from https://github.com/eugynon/malare.
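An added illustration of the data model described above (written for this edit, not the Malare code in that repository): each sample is copied into the store under its md5 and recorded with the fields listed earlier, and a search looks at md5, C&C domain, C&C IP and filename. To run with only the Ruby standard library it uses a JSON index file in place of Malare's SQLite database; the store directory and the two fake samples are constructed for the demo.

```ruby
%w[digest/md5 fileutils json time tmpdir].each { |lib| require lib }

class SampleStore
  attr_reader :records   # --list: every record in the index

  def initialize(root)
    @samples_dir = File.join(root, "samples")
    @index = File.join(root, "index.json")
    FileUtils.mkdir_p(@samples_dir)
    @records = File.exist?(@index) ? JSON.parse(File.read(@index), symbolize_names: true) : []
  end

  # Copy the binary into the store under its md5 and record the fields Malare keeps.
  # Returns the new record, or nil when a sample with this md5 is already stored.
  def add(path, source:, cc_domain:, cc_ip: nil, notes: nil)
    md5 = Digest::MD5.file(path).hexdigest
    return nil if @records.any? { |r| r[:md5] == md5 }
    FileUtils.cp(path, File.join(@samples_dir, md5))   # stored by hash, never by its own name
    rec = { md5: md5, filename: File.basename(path), source: source, cc_domain: cc_domain,
            cc_ip: cc_ip, notes: notes, added: Time.now.utc.iso8601 }
    @records << rec
    File.write(@index, JSON.pretty_generate(@records))
    rec
  end

  # --search: case-insensitive substring match on md5, C&C domain, C&C IP or filename.
  def search(keyword)
    k = keyword.downcase
    @records.select do |r|
      [r[:md5], r[:cc_domain], r[:cc_ip], r[:filename]].compact.any? { |v| v.downcase.include?(k) }
    end
  end
end

# Constructed demo in a temp dir: two fake "samples", the first one added twice.
def demo
  Dir.mktmpdir do |tmp|
    a, b = %w[h2.exe bren.exe].map { |n| File.join(tmp, n) }
    File.binwrite(a, "MZ fake sample A")
    File.binwrite(b, "MZ fake sample B")
    store = SampleStore.new(File.join(tmp, "malare"))
    store.add(a, source: "dionaea", cc_domain: "cc.example.invalid", cc_ip: "192.0.2.10")
    store.add(b, source: "dropped by h2.exe", cc_domain: "other.example.invalid")
    { count: store.records.size,
      duplicate_rejected: store.add(a, source: "dionaea", cc_domain: "cc.example.invalid").nil?,
      by_cc: store.search("cc.example").map { |r| r[:filename] },
      by_name: store.search("BREN").map { |r| r[:filename] },
      by_ip: store.search("192.0.2").map { |r| r[:filename] } }
  end
end
```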