FEATURE
Playing hackers at their own game
Patrick Snyder, AlienVault

To really understand how something is made, you need to take it apart and then put it back together again. Similarly, when it comes to comprehending the damage that a piece of malware could inflict on your network – and to really get inside a hacker’s mindset – it’s important to retrace their steps and find out how a piece of malware really works. But how do you find out how the hackers gained access to your network and – more importantly – how much damage has been done? Reverse engineering a piece of malware can turn it inside-out, providing valuable clues about both an attacker’s techniques and the effectiveness of your own security defences. This is a vital practice for forensic investigators, incident responders, security engineers and IT administrators because it enables them to minutely examine the malicious programs that target and infect their systems.
Different approaches

When it comes to reverse engineering a piece of malware, there are several approaches that you can take, depending on both your goals and the nature of the malware sample itself. First, if you’re curious, you can completely reverse engineer a piece of malware from beginning to end. However, this can take a significant amount of time and so is not typically the preferred method when you’re looking for specific answers. Another approach is to focus just on the exploitation techniques used by a piece of malware. For example, occasionally you will come across a malware sample that is using a new exploitation technique or exploiting a zero-day vulnerability. If you only want to understand the specific exploitation techniques being used, you can ‘timebox’ your analysis and look only at these mechanisms. Yet another approach is to look at new obfuscation techniques. Malware will often try to hide its intentions to make it more difficult to analyse, and sometimes an added layer of obfuscation is the only variation. In that case, you can focus on just reverse engineering the new parts of the sample.
One of the most common – and most dangerous – forms of malware that we run into these days is ransomware. This is malicious software that locks and encrypts a victim’s files so that they can no longer be accessed or read. However, often the authors of ransomware can make mistakes when they implement encryption mechanisms. If you focus your research specifically on encryption mechanisms you might be able to discover weaknesses in their implementation, hard-coded keys or weak algorithms, which would allow you to reverse the encryption mechanism being deployed by the ransomware attackers. Another approach can be to look specifically at the command and control communication methods within a piece of malware. Analysts often want to figure out the communication protocol between a piece of malware on the client’s side and a server on the command and control side. The communication protocol can give important clues about the malware’s capabilities.
IDA Pro is one of the best tools for analysing malware.
Network Security
November 2016
Finally, some analysts examine malware in order to try and work out who is behind it. This is really more of a dark art than an exact science because it usually involves a lot of guesswork, knowledge of malicious hacking teams and looking at more than one piece of malware for connections. For this reason, it’s usually more successful to approach reverse engineering of malware from a broader perspective. Looking at malware samples in bulk and doing a broad-stroke analysis of lots of different malware samples, rather than trying to do a deep dive into a very small area, will typically result in a more useful macro view of the general trends in the threat landscape.
Techniques

Static analysis is an important technique to use when examining malware. This is the process of analysing malware or binaries without actually running them. It can be as simple as looking at the metadata of a file, but it can also range from disassembly or decompilation of the malware code up to symbolic execution, which is something like the execution of a binary in a virtual rather than a real environment. In contrast, dynamic analysis is the process of analysing a piece of malware by running it in a live environment. In this case, you are often looking at the behaviour of the malware and the side effects of what it is doing, often with the help of tools like Process Monitor and Sysmon to identify the artefacts a piece of malware produces after it is run. However, in some cases when you need a faster approach, it might be appropriate to use automated analysis. You need to be very careful with this technique because, as with all automated analyses, things can get missed. If a piece of malware contains anti-debugging routines or anti-analysis mechanisms, you will definitely need to perform a manual analysis. However, the most important thing is to be clear about the specific goal and desired outcome of an analysis, so that you can choose the right tools for the job.
Tools

Here is an outline of some of the most common and useful tools that we use for analysing malware samples. These will allow you to set up an inexpensive and flexible laboratory to examine the inner workings of malicious software and uncover the characteristics of real-world malware samples.

Radare is a free, open-source reversing framework.
IDA Pro is a really good tool for analysing various samples of malware with diverse backgrounds.1 It also has a good add-on, the Hex-Rays Decompiler, which converts assembly language into more easily read pseudocode and can help you understand the functionality of the code more quickly than reading assembly language. When you open a sample in IDA Pro, you see the entry point of the malware. It also has a graph view, and you can switch between the hex code and the graph view, which gives you a quick representation of the flow of execution as well. It has an SDK you can use to develop plug-ins and to automate the extraction of useful information, and IDA Pro also has a Python API if you prefer Python. The tool has debugging functionality, but it is mainly used for static reverse engineering of malware.

Also very useful is Radare2, a free open source reversing framework.2 Debuggers such as the GNU Project Debugger (GDB), WinDbg and Wind River are invaluable.3-5 For Windows samples, the PEiD, PEStudio and Personal Editor 32 (PE32) tools are great. You can run these tools on executables and get some initial classification of your samples.6-8 Tools such as Strings, File and Otool can help you initially find the platform of the sample. The PE tools can tell you where the entry point of the sample is, which section it lies in and whether the sample is packed. They can also detect more than 100 packers, as well as decrypters and compilers. Generally, when we get a bunch of samples or an archive of samples from an open-source feed, we use a file utility to find out whether the file is a regular executable, say for a Windows platform, OS X or Linux, or just a text file or a script.

Immunity Debugger is another popular debugger.9 If you open a sample in Immunity Debugger, it will give you an alert saying that the sample is packed and will ask if you want to proceed with the analysis. If you continue the analysis, you see the entry point, which is where it pushes all of the registers to the stack. You can use this debugger to step through the execution of the sample to see the unpacked sample in memory. You can continue analysing the sample step-by-step and use the debugger to find the malware’s activities and the effects it has on the system.
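As an added example (not code from the article or from AlienVault), here is a small static-triage script in the spirit of the PEiD and PEStudio checks described above: it reads the PE headers directly to find the entry point and the section containing it, then flags a packer-like layout when the entry point lies outside the usual code section or that section's entropy is near the maximum. The sample PE images are constructed inside the script (minimal headers, not loadable binaries), and the 7.0-bit entropy threshold and the .text/CODE section names are assumptions.

```python
import math
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, much lower for plain code."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, sections) read straight from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    entry_rva = struct.unpack_from("<I", data, pe_off + 40)[0]       # optional header + 16
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pe_off + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), data[rawptr:rawptr + rawsize]))
    return entry_rva, sections

def triage(data: bytes) -> dict:
    """Find the section holding the entry point and apply two PEiD-style packer heuristics (assumed thresholds)."""
    entry_rva, sections = parse_pe(data)
    name, raw = next(((n, r) for n, va, size, r in sections if va <= entry_rva < va + size), (None, b""))
    ent = shannon_entropy(raw)
    reasons = []
    if name not in (".text", "CODE"):
        reasons.append("entry point not in a .text/CODE section")
    if ent > 7.0:
        reasons.append("entry section looks compressed or encrypted")
    return {"entry_rva": entry_rva, "section": name, "entropy": round(ent, 2),
            "likely_packed": bool(reasons), "reasons": reasons}

def build_sample_pe(name: bytes, body: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE layout (DOS stub, PE/COFF header, 24-byte optional header, one section); not loadable."""
    pe_off, opt_size = 0x40, 24
    raw_ptr = pe_off + 24 + opt_size + 40                              # section body follows the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)               # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 4
    sect = struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + body

# Constructed samples: ordinary x86 prologue/NOP bytes in .text versus high-entropy bytes in a UPX-style section.
CLEAN = build_sample_pe(b".text", b"\x55\x89\xe5\x90" * 64 + b"\xc3")
PACKED = build_sample_pe(b"UPX1", bytes(range(256)) * 16)
```

Run `triage(open(path, "rb").read())` on a real sample to get the same dictionary; a section containing the entry point but named something other than .text/CODE, combined with entropy near 8.0, is the pattern PEiD reports as packed.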
For capturing network traffic, pretty much everyone uses Wireshark or Tcpdump.10,11 For monitoring the activity on the system, you can use System Monitor and Regshot.12 Sandboxes are another important step in reverse engineering malware, as often there are functionalities that a malware sample won’t exhibit unless it is running in a suitable environment. One sandbox, Malwr, from the creators of Cuckoo Sandbox, allows you to submit a sample and run it inside a VM.13 You can then run the various dynamic analysis tools and static analysis tools referenced above and turn your results into a nice, readable report. Another sandbox that is relatively new is Hybrid-Analysis.14 It is made by Payload Security and it functions in a very similar way to Malwr. But Payload Security has some of its own custom sandboxes running that may or may not be based on Cuckoo. Another new contender is DeepViz.15 DeepViz is being developed very actively, with new features added on a regular basis. While DeepViz is very similar to other sandboxes, sometimes it is beneficial to submit the same sample to multiple sandboxes to see if the behaviour matches up or if it reacts differently in different environments.

This brings us to Cuckoo.16 Cuckoo is a malware analysis system. It contains many different tools, including some of the dynamic and static analysis tools mentioned earlier. Also, it is free with no strings attached. While other sandboxes might be free, you are obliged to share your data by using them. However, if you set up Cuckoo on your own system, you can keep everything localised without sharing, especially if you are analysing something you don’t want the world to know about yet. Open Threat Exchange (OTX), AlienVault’s crowd-sourced platform for threat intelligence sharing, is another key component in malware analysis.17 The documentation centre allows you to find out more about how it works and you can also get information in the AlienVault forums. There is also a section specifically for OTX where you can see example pulses.
Conclusion

Understanding the capabilities of malware is critical to an organisation’s ability to derive threat intelligence, respond to information security incidents and fortify its defences. Malware analysis can help incident responders assess the severity and repercussions of a situation that involves malicious software so that they can plan their recovery accordingly. Forensic investigators can use it to learn about the key characteristics of malware discovered during the examination and to establish Indicators of Compromise (IOCs) for scoping and containing the incident. For anyone involved in protecting their organisation from cyber-attacks, the practice of reverse engineering malware offers an opportunity to get inside the mind of an attacker. As any military strategist will tell you, if you know your enemy and you know yourself, then you have nothing to fear from attacks. Through malware analysis, you can gain vital insights into malware behaviour that can enable you to detect threats more effectively and mitigate damage when a security breach occurs.
About the author

Patrick Snyder joined AlienVault (www.alienvault.com) as senior manager of the Labs team in 2015. His extensive background includes a strong focus on security research and malware analysis as well as more general IT experience in software development, implementation and technical support. He works with the Labs team to identify and analyse global threats and vulnerabilities and transform raw threat data into actionable threat intelligence.
References

1. ‘IDA: About’. Hex-Rays. Accessed Oct 2016. www.hex-rays.com/products/ida/.
2. Radare, home page. Accessed Oct 2016. http://radare.org/r/.
3. GDB: The GNU Project Debugger, home page. Accessed Oct 2016.
4. ‘Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)’. Microsoft. Accessed Oct 2016. https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx.
5. Wind River, home page. Accessed Oct 2016. www.windriver.com.
6. PEiD, home page. Aldeid. Accessed Oct 2016. www.aldeid.com.
7. PEStudio, home page. Accessed Oct 2016. www.winitor.com.
8. Personal Editor 32/64, home page. Accessed Oct 2016. www.pe32.com.
9. Immunity Debugger, home page. Immunity. Accessed Oct 2016. www.immunityinc.com/products/debugger/.
10. Wireshark, home page. Accessed Oct 2016. www.wireshark.org.
11. Tcpdump, home page. Accessed Oct 2016. www.tcpdump.org.
12. Regshot, home page. Accessed Oct 2016. https://sourceforge.net/projects/regshot/.
13. Malwr, home page. Accessed Oct 2016. http://malwr.com.
14. Hybrid-Analysis, home page. Payload Security. Accessed Oct 2016. www.hybrid-analysis.com.
15. DeepViz, home page. Accessed Oct 2016. www.deepviz.com.
16. Cuckoo Sandbox, home page. Accessed Oct 2016. https://github.com/cuckoosandbox/cuckoo.
17. Open Threat Exchange, home page. AlienVault. Accessed Oct 2016. www.alienvault.com/open-threat-exchange.