Thursday, August 25, 2011

Malware Analysis Tutorial 1 - VM Based Analysis Platform

Learning Goals:
  1. Configure a virtual machine based experimental platform for malware analysis.
  2. Master basic network sniffing/monitoring skills
This Lesson Can be Used as a Lab Module in:
  1. Computer Networks and Communication Protocols
  2. Operating Systems
Challenge of the day:

          Run the Max++ malware, can you describe its network activities?

DOWNLOAD LINK:
For those of you who had trouble with downloading the sample from offensive computing, here is another link:
http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html


Or follow Bonfa's tutorial [1] for the download instructions. Bonfa's tutorial is a perfect general introduction/analysis of Max++.


    1. Introduction

    This tutorial is intended for those who are interested in malware analysis. We take a step-by-step approach to analyzing a malware named ZeroAccess. Giuseppe Bonfa has provided an excellent analysis [1] of the malware. This mini-series will help you gain hands-on experience with the analysis. We assume that you have some basic understanding of x86 assembly, debugging, operating systems, and programming language principles. Instructors are welcome to use this tutorial and integrate it into computer science courses such as computer architecture and operating systems. If you are using this material in your classes, we would appreciate it if you follow up with a comment on this site and provide some basic information about your course, so that we know our tutorial is helpful.

    The purpose of this lesson is to set up a virtual machine based analysis environment. Before rolling up your sleeves, please make sure you have the following:
    1. Windows XP SP2 installation disk (Note: it has to be SP2)
    2. Linux Ubuntu installation disk (the version we use in this tutorial: Ubuntu 10.04 lucid LTS. The version does not really matter)
    3. A computer loaded with XP, with at least 50GB of disk space (later we refer to this computer as the "host XP").
    4. High-speed Internet
    5. An account on OffensiveComputing.net (http://www.offensivecomputing.net/)
         If the screen resolution is too small, start the XP guest, and then click the "Install Guest Additions", and then reboot the XP Guest and adjust its screen resolution ("Right click on desktop -> Properties -> Settings").

    2. Software Installation

    We will need to download a number of other open-source/free software tools. The installation process is straightforward and we omit most of the details here. The installation process may take about 5 hours. (Hofstra students can check out DVD images of VBox instances from my office Adams 203.)
    1. Install Oracle Virtual Box v4.04 on your host XP. (http://www.virtualbox.org/).
    2. Create a Windows XP guest in the VBox manager using your SP2 installation disk (for the VM itself, assign at least 256MB RAM and 10GB disk space; later we refer to this VM instance as the "guest XP"). Install the following on your guest XP.
      1. Python 2.7.
      2. Immunity Debugger (http://www.immunityinc.com/products-immdbg.shtml)
      3. IDA Pro Debugger Free Version (http://www.hex-rays.com/idapro/idadown.htm. Note: get the free version but not the evaluation version - it does not allow saving dbg databases)
      4. HxD (a binary editor http://mh-nexus.de/en/hxd/)
      5. * Download the Malware instance of Max++ from OffensiveComputing.net (instructions available in [1]. The file name is "Max++ downloader install_2010". Don't run it!!!)
      6. After the above is done, take a snapshot of the guest XP in VBox. A snapshot allows you to quickly recover the original state of the system.
    3. On your host XP, install WinDbg (http://msdn.microsoft.com/en-us/windows/hardware/gg463009). You might choose to download the entire XP debugging symbols on your host XP (which might speed up the debugging a little).
    4. Create a Linux Ubuntu guest on VBox (using your Ubuntu 10.04 installation disk; assign at least 512MB RAM and 10GB disk space). Install the following (you can use apt-get or System->Administration->Synaptic Package Manager, which has a GUI).
      1. Wireshark (a sniffer. "sudo apt-get install wireshark" to install) 
      2. GDB (GNU debugger)
      3. g++ (c++ compiler)
      4. Python

    If the screen resolution of the Linux guest is too small, you can change it following the instructions listed on the Linux Format Forum [2].
    3. Configuration

    Up to now, both of your VM guests should have Internet access. What we will do next is to configure both instances so that all the traffic from the XP guest will have to go through the Linux guest. On the Linux guest, we use Wireshark to monitor the network traffic of XP guest when the malware is running. The design is shown in the following figure.

    3.1 XP Guest

    Now power off your XP Guest. In the VBox manager, right click on the XP Guest and select "Settings". We will set up the network adapters of the XP Guest.

    In Network -> Tab "Adapter 1": (1) click the "Enable network adapter" checkbox, and (2) select "Internal Network" for "Attached To". (Note: please make sure to use the default network name "intnet" assigned by the VBox manager.) This separates the XP Guest from the outside world and connects it to an internal network managed by the VBox manager.

    Then we will enable a serial port for WinDbg. The setting is shown below. Note that it is important to set the Port/File Path to "\\.\pipe\com_11" and the port mode to "Host Pipe".

    VT-x is a special CPU technology that is used to support virtualization. In VirtualBox you have to enable it, otherwise hardware breakpoints will not work. Later you will see that the Max++ malware smartly takes advantage of hardware breakpoints for hijacking system calls, and since it relies on hardware BPs you have to enable VT-x, as shown in the following figure.

    3.2 Linux Guest

    We now set up the Linux guest as the gateway computer of the internal network (power off the VBox instance first). It will have two adapters: one connects to the internal network and the other connects to the outside. The following figure shows the setting of the first adapter (Internal Network). For adapter 2, set the network type ("Attached To") to "NAT". As you know, NAT stands for Network Address Translation; it provides a further layer of protection for our VM instances.

    Note: expand the "Advanced" section and make sure that the "Adapter Type" is "Intel Pro/1000". Also change the last two digits of the MAC address to "01" (so that we can easily identify it as Adapter 1 later); similarly change the last two digits of the MAC of the second adapter to "02". If you are using VBox 4.1.0 or later, in the Advanced tab there is an additional checkbox for "Promiscuous" mode; select "allow for all" (so that all traffic will be intercepted).


     Now reboot the Linux Ubuntu guest. We need to configure it as a gateway computer. Follow the instructions below:
    1. Start a terminal window and type "ifconfig" to get the information of all available adapters. You should be able to see three of them, e.g., in my case "eth1", "eth2", and "lo" (the local loopback interface). If you look at their MAC addresses, you can verify that they are the ones that we set in the VBox manager earlier. Let us assume "eth1" corresponds to the adapter "xx...:01" and "eth2" corresponds to the adapter "xx...:02".
    2. System -> Preferences -> Network Connections. First delete all existing network connections, then set up the first wired connection following the figures below (use 169.254.236.100 as the static IP). Note that the Gateway for it should be "0.0.0.0", because this is the link to the local internal network and the computer itself is the gateway (make sure to hit enter when you finish typing 0.0.0.0 in the third cell; the Ubuntu GUI has some problems, and if you don't hit enter it will forget the entry you just added). Similarly, set up the second wired connection (for the NAT adapter), but this time use DHCP for assigning the IP address. Here we take the lazy route and use the Ubuntu GUI; there are equivalent ifconfig commands for achieving the above if you are interested in exploring by yourself.


    3. Now set up IP forwarding. Create a file named "network.sh" and "chmod 755 network.sh". The shell script consists of three commands as shown below:

      #!/bin/sh
      # network.sh: turn the Ubuntu guest into the gateway of the internal network.
      # eth2 is the outlink (adapter 2, MAC ending :02); on your system it may have a different name.
      sudo sysctl -w net.ipv4.ip_forward=1
      sudo iptables -P FORWARD ACCEPT
      sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

    The first command enables the ip_forward feature of the IPv4 stack in the Linux kernel. The second sets the policy of the internal firewall, "iptables", to allow forwarding packets. The third adds a POSTROUTING rule in the nat table that masquerades (source-NATs) all packets leaving through eth2 (note: eth2 is your outlink, which corresponds to adapter 2; on your system it may have a different name).
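As an added illustration of step 3 (this helper is not part of the tutorial or of network.sh), the following Python 3 script identifies the two adapters by the MAC suffixes set in section 3.2 (:01 for the internal network, :02 for NAT) and then runs the same three commands, so the outlink is never just assumed to be eth2. The `ip -o link` sample embedded in it is constructed, and deliberately has the :02 adapter show up as eth1, which is exactly the mismatch that leaves the XP guest without Internet access. It assumes Python 3 (not the Python 2.7 installed in the guests) and the `ip` tool on the Ubuntu guest; run it with sudo.

```python
import re
import subprocess

# Constructed sample of `ip -o link` output, as the Ubuntu guest might print it. Note that
# here the adapter whose MAC ends in :02 (the NAT "outlink") came up as eth1, not eth2.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN \\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP \\    link/ether 08:00:27:3a:9c:02 brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP \\    link/ether 08:00:27:3a:9c:01 brd ff:ff:ff:ff:ff:ff
"""

# One `ip -o link` line per interface: "<idx>: <name>: ... link/<type> <mac> ..."
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[@:].*?link/\S+\s+([0-9a-f:]{17})", re.M | re.I)


def interfaces(ip_link_output):
    """Return [(name, mac), ...] for every interface listed by `ip -o link`."""
    return [(m.group(1), m.group(2).lower()) for m in _LINK_RE.finditer(ip_link_output)]


def find_interface(ip_link_output, mac_suffix):
    """Name of the one interface whose MAC ends in ':<mac_suffix>' (e.g. '01' or '02')."""
    suffix = ":" + mac_suffix.lower()
    hits = [name for name, mac in interfaces(ip_link_output) if mac.endswith(suffix)]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one adapter with a MAC ending {suffix}, got {hits}")
    return hits[0]


def gateway_commands(outlink):
    """The tutorial's three gateway commands, with the outlink interface filled in."""
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ["iptables", "-P", "FORWARD", "ACCEPT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", outlink, "-j", "MASQUERADE"],
    ]


if __name__ == "__main__":  # run as root, e.g. `sudo python3 network.py`
    out = subprocess.run(["ip", "-o", "link"], check=True, capture_output=True, text=True).stdout
    internal, outlink = find_interface(out, "01"), find_interface(out, "02")
    print(f"internal network adapter: {internal}; outlink (NAT) adapter: {outlink}")
    for cmd in gateway_commands(outlink):
        print("+", " ".join(cmd))
        subprocess.run(cmd, check=True)
```

On the constructed sample, find_interface(SAMPLE_IP_LINK, "02") returns "eth1", so the MASQUERADE rule is written for eth1 rather than the eth2 the script in the text hard-codes; on a guest where the names do line up it behaves exactly like network.sh. The LookupError on zero or several matches catches a VBox configuration where the MAC suffixes were not changed as described in the note above.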

    3.3 Reconfigure XP Guest

    Now we go back and reconfigure the XP Guest so that it has Internet access via the Ubuntu guest. Do an "nslookup www.google.com" in your Ubuntu guest to find out the DNS server used. Then go to the XP Guest -> Control Panel -> Network Connections -> Right Click (Properties) -> TCP/IP (Properties) -> set the static IP to 169.254.236.200 and set the gateway to 169.254.236.100. Set the DNS server correspondingly. Start a browser and you will NOT have Internet access yet!

    You need to go back to the Ubuntu guest and run "sudo ./network.sh". Then you can verify that your XP guest now has Internet access. Again, with "sudo wireshark" you can intercept all the traffic from/to the XP guest (note: when wireshark is started, be sure to click OK on the dialog it pops up, otherwise your wireshark is frozen).
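For the challenge, here is a way to turn a capture into an answer without clicking through Wireshark packet by packet. This Python 3 script is an added example, not part of the tutorial: it reads a classic pcap file saved by Wireshark on the Ubuntu guest and lists, for frames sent by the XP guest (169.254.236.200), the DNS names looked up, the TCP SYN destinations and any plain HTTP request lines. The capture embedded in the script is constructed in code from the kinds of traffic readers report in the comments below (a lookup of intensivedive.com, a request for install.php, connection attempts to 94.75.199.163:8083); 203.0.113.10 and 8.8.8.8 are stand-ins for addresses the tutorial does not give. It parses only what it needs (Ethernet/IPv4/UDP/TCP and uncompressed DNS question names) and does not verify checksums.

```python
import socket
import struct
from collections import Counter

GUEST_IP = "169.254.236.200"  # static IP of the XP guest from section 3.3


def _frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around a transport segment (checksums left zero; not verified)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("080027000002" "080027000001" "0800") + ip + l4


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload


def _dns_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _pcap(frames):
    """Classic little-endian pcap (magic a1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1314000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture (not a real one): the kind of traffic readers report in the comments
# (a lookup of intensivedive.com, a GET for install.php, SYNs to 94.75.199.163:8083).
# 203.0.113.10 is a documentation address standing in for whatever the name resolved to.
SAMPLE_PCAP = _pcap([
    _frame(GUEST_IP, "8.8.8.8", 17, _udp(1025, 53, _dns_query("intensivedive.com"))),
    _frame(GUEST_IP, "203.0.113.10", 6, _tcp(1026, 80, 0x02)),
    _frame(GUEST_IP, "203.0.113.10", 6, _tcp(1026, 80, 0x18,
           b"GET /install.php HTTP/1.1\r\nHost: intensivedive.com\r\n\r\n")),
    _frame(GUEST_IP, "94.75.199.163", 6, _tcp(1027, 8083, 0x02)),
    _frame(GUEST_IP, "94.75.199.163", 6, _tcp(1028, 8083, 0x02)),
])


def _packets(pcap):
    """Yield the raw link-layer frames of a classic (non-pcapng) little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap files are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def _qname(data):
    """Decode an uncompressed DNS question name (queries from a client never use pointers)."""
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def summarize(pcap, guest_ip=GUEST_IP):
    """{'dns': [names], 'syn': Counter('ip:port'), 'http': [(host, path)]} for frames sent by guest_ip."""
    report = {"dns": [], "syn": Counter(), "http": []}
    for frame in _packets(pcap):
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if src != guest_ip:
            continue
        l4 = ip[ihl:]
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == 17 and dport == 53:
            report["dns"].append(_qname(l4[8 + 12:]))  # skip UDP and DNS headers
        elif proto == 6:
            flags, doff = l4[13], (l4[12] >> 4) * 4
            if (flags & 0x12) == 0x02:  # SYN without ACK: a new outbound connection
                report["syn"][f"{dst}:{dport}"] += 1
            payload = l4[doff:]
            if payload[:4] in (b"GET ", b"POST"):
                lines = payload.split(b"\r\n")
                path = lines[0].split(b" ")[1].decode()
                host = next((h[6:].decode() for h in lines if h.lower().startswith(b"host: ")), dst)
                report["http"].append((host, path))
    return report


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    r = summarize(data)
    print("DNS queries:", r["dns"])
    print("TCP SYNs:", dict(r["syn"]))
    print("HTTP requests:", r["http"])
```

Run it as `python3 summarize.py capture.pcap` with a file saved from Wireshark in pcap (not pcapng) format; without an argument it summarizes the constructed capture. Filtering on the guest's source address matters because the gateway's own traffic (the nslookup from section 3.3, apt-get, and so on) is in the same capture and would otherwise be attributed to the malware.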

    4. Challenge of the Day and Conclusion

    We have successfully constructed a simple analysis environment for Max++. Using the Linux Ubuntu guest, we can intercept all the packets sent by the malware. The virtual machine technology gives us the great benefit of quick restoration if any system is broken.

    You should now make a snapshot of both the XP and Ubuntu guest systems.

    Finally, the challenge of the day:

              Run the Max++ malware, can you describe its network activities?

    References
    [1] Giuseppe Bonfa, "Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit", Available at http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

    [2] udroomla, "How To Increase Screen Resolution with VirtualBox and Ubuntu", Available at http://www.linuxformat.com/forums/viewtopic.php?t=6438

    Copyright. 2011. Dr. Xiang Fu. Department of Computer Science, Hofstra University.
    GNU General Public License V3.

    80 comments:

    1. Very nice saga on malware analysis, & solid stuff. Please, keep posting ;)

    2. awesome work bro . . i never found such a detailed tutorial on this topic on the net even when my google fu is good :D . . thanx for sharing . . plz keep this updated

      regards
      avinash

    3. very good post there bro, very detailed....i'm reading it now :)

      many thanks for this, i'm sure will share it to others as for sure all goes in your credit :)

    4. Why is it necessary to have exactly Windows XP with SP2?

    5. Because the malware (Max++) we are analyzing works on SP2 (somehow on my SP3 it did not work).

    6. I see, thanks for the explanation. I found one mistake in the article, s/first wireless connection/first wired connection/ .

      And many thanks for the great work, I am spending about two days with your tutorials and by reading articles :)

    7. Hi,
      Very good blog post, I love your site, keep up the great posts.

    8. hi Nice article..
      For practical purposes i want to ask: can i implement it using both XP SP2 machines as VMware machines, because i have either Win7 or Linux OS on my Laptop..

      regards
      neo_panky

    9. We did use xpsp2 as the host machine, if that's your question.

      VBox runs well on win7 64bit and linux ubuntu, as we tested.

      The image itself (must be xpsp2).
    10. Hi guys. Do you know if it is true that some kinds of malware detect that they are running on a VM platform and just don't do anything? For example to avoid malware detectors like FireEye which run over VM?

      Thanks!

    11. Theoretically it's very easy to do so. VMs such as VirtualBox have running processes named "VBox ..." on the VM instance. Malware could simply do an examination of the running processes in the system and would be able to know.

    12. Can i use all three as VMware virtual machines?
      Means the XP host machine u r telling about, can we use it as a virtual machine?

    13. Never tried it, but it should be ok.

    14. hi Xiang Fu...
      Sorry to disturb u again.. one more problem in my setup
      i have a system with an Intel P7450 processor which does not support vt-x.

      can i set a hardware break point without its support in a virtual machine?

      thanks in advance

    15. Last time I tried, it does not work in VBox 4.1.x. You can make an experiment though.

    16. A standalone version of windbg is available at http://code.msdn.microsoft.com/debugtoolswindows/Release/ProjectReleases.aspx?ReleaseId=4911

    17. This comment has been removed by the author.

      Replies
      1. um.. this trace means that i have had a silly question..
        sorry.. ; )

    18. This comment has been removed by the author.

    19. really great stuff here but i would love to know if u need to have an understanding of assembly language and scripting to be very good in malware analysis

    20. Yes, assembly language (x86) is a must.
    21. Hi,

      OffensiveComputer.net doesn't seem to be up anymore.
      Even their twitter is down.

      Any suggestions on how to get around this issue?

      Thanks!

    22. ^^
      Sorry, I meant offensivecomputing.

    23. I don't know if this is the same one, but I found at least a version of MAX++ here...

      http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/max-downloader-install_2010/

      Thank you Dr. Fu for such an excellent resource!! I look forward to going through this over the weekend :-)

    24. You've got to check the MD5 checksum and see if this is the right version.

      Strangely, offensivecomputing.net has not been up these two weeks.

    25. Hello Dr Fu,

      Is there an alternative to the offensivecomputing.net account?

      Thanks

    26. Check here, but I haven't verified if they have the exact same version:

      http://zeltser.com/combating-malicious-software/malware-sample-sources.html

      Replies
      1. Could you, perhaps, provide an MD5/SHA1 hash of the sample you are using?

        Thanks!

    27. Follow Bonfa's tutorial [1]; you can find the MD5 below:

      MD5: d8f6566c5f9caa795204a40b3aaaafa2

      SHA1: d0b7cd496387883b265d649e811641f743502c41

      SHA256: d22425d964751152471cca7e8166cc9e03c1a4a2e8846f18b665bb3d350873db

    28. Download link:

      http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html
    29. In my network with subnet mask 255.255.0.0 it doesn't work, guest XP can't access the internet, but with 255.255.255.0 of course it does. Maybe this can be a problem for someone else.

      BTW very good job Dr Fu. I have read many tutorials of the series.

    30. Hi, I am a newbie, need help in configuring the network connection in ubuntu: while adding a new network connection manually, what to enter in DNS server and search domain. unable to get through this stage.

    31. and please provide both the ubuntu network configuration setups (Manual(1) and NAT(2) connection)

    32. For DNS server in network configuration, use the same setting as your host.

    33. For ubuntu network configuration, see section 3.2.
      For the image configuration, simply create two interfaces, one for internal net and one for NAT.

    34. I have made a bridge connection for both the VM and host, and am able to ping from all to all, is it ok or should I configure for NAT in virtual box?

    35. It's OK. NAT is just for playing it safe (so the outside could not see your VM instance)
    36. Hi Dr. Fu,
      For downloading max++ from offensivecomputing.net we need to get registered, but I don't see any registration link. Please help how to get registered in offensivecomputing.net. I have downloaded the malware sample from mila's blog anyway. But need to get registered in offensivecomputing.net.

    37. Hi, Offensivecomputing was down for a while since April, check it back again.

      You can also try the following link: http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html

    38. I need the password to open it...
      I have my lab ready. Who can give it, please!!!

    39. Offensivecomputing is up now, but I don't see a link for registration

    40. Hi Driang, the password for the Max++ is infected666X, where X is the last character of the file you downloaded. If the file name is abc.exe then the password is infected666c.

    41. what should we see as the results of the Wireshark sniffing ?

    42. offensivecomputing is up again. Register and search for ZeroAccess, you should be able to find it. See the instructions for the zip password.

    43. You should see packets sent to intensivedive.com and some other IP addresses, requesting install.php etc.

    44. thanks for this great article. But must your host PC be XP? i am planning on using windows 7

    45. Win7 either 32bit or 64bit as host is fine, verified with my students.
    46. Must a registered user send me an invitation to be able to register on offensivecomputing?

    47. I didn't find the place to register on offensivecomputing.

    48. Why not check with the webmaster of offensivecomputing

    49. I tried running the sample but got an exception with code 0xc0000005. I have replicated the setup, not sure what went wrong.

      Replies
      1. Make sure that you are not running it in DEBUG mode (or with WinDbg attached).

    50. If you have problems with offensivecomputing registration, you can download the Max++ sample from here: http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/max-downloader-install_2010/

      Password: infected

      Bye.=)

    51. Dr. Fu,
      Just checked the Offensive Computing website and they are currently not accepting new accounts (10/25), is there a way around this? Do you or anyone on here know when new accounts will be able to be created?
    53. Dr. Fu,

      Can Ubuntu be used for the host pc? Our analysis computers have Ubuntu as the host with Remnux and WinXP/Win7 guests.

      Looks like a great series.

      Thanks for your work!

      Replies
      1. Yes, Ubuntu would be fine. I ran classes with 60+ students using these images, all fine. Host OS includes Winxp, win7, win8, Linux, all variations. All fine.

        The only thing you need is to enable VT-x support in your BIOS. Otherwise, hardware breakpoints are not going to work.

    54. Hi Dr. Xiang,

      I have done all the steps above, just would like to know some things:
      1- Can the Max++ malware infect the linux os?
      2- is this attack what is known as a Virtual Machine escape?
      Thanks a lot

      Replies
      1. 1. as far as I know, No, it could not infect a Linux OS.
        2. this one does not escape from the VM, but there are known techniques to break out of the VM, or at least know that it's running in a VM.

      2. Thanks Dr.Xiang,
        Can you explain these techniques for me please?
        Thanks

    55. This comment has been removed by the author.
    56. doesn't work for me. I also tried to use netmask 255.255.255.0, same result. here is a screenshot with some settings
      http://i.imgur.com/1W3KGln.jpg

    57. http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/max-downloader-install_2010/ i dont know how to run MAX++ from this link :(

    58. Thank you Dr.Xiang for this tutorial/post. Because of this, I get to learn about basic network sniffing/monitoring skills. Hopefully I can master it soon. Thanks again.

    59. I appreciate the effort and time you have spent in making and preparing this post. There are lots of sites/articles about malware analysis over the web but most of them are rather suspicious. I seldom give credit for good work but I think I gotta give it this time to you. Information and instructions are very well presented. Thanks

    60. I love this site Dr. Fu. I went through all of the steps from your site and created an Ubuntu guest and an XP guest on two separate occasions. However, I am not able to access the internet on the XP guest. Has anyone come across this problem also? I am very eager to run the malware and do analysis.

    61. Very Nice!!

      You have posted great information. I am a regular reader of the blog. Right now Malware Reverse Engineering provides a better protection technique from viruses and real time hackers to protect your personal information. Data security is necessary for everyone.

      Keep up sharing....
    62. Hi how do i set up the IP forwarding. Create a file named "network.sh" and "chmod 755 network.sh....

      Replies
      1. Yes, on your Ubuntu vm use an editor like leafpad and enter the info he provided:

        sudo sysctl -w net.ipv4.ip_forward=1
        sudo iptables -P FORWARD ACCEPT
        sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

        And save it as network.sh, then open a terminal, change directory to where that file is and type "chmod 755 network.sh" (without quotes), then after your XP guest is started, in the Ubuntu terminal type "./network.sh" and you should be good to go.

    63. fuck did everything wasted a lot of time can ping but have no fucking internet on the xp, also tried with win7 and the same issue fuck

      Replies
      1. Sorry it's me again, everything works, if it doesn't for you check whether your mac ending 01 is actually eth1 and 02 is eth2

    64. Dr. Fu, I would edit the tutorial on the guest setup for DNS and just put 8.8.8.8 for Google there.

      V/R,
      Don

      Replies
      1. can u please tell me how to open the max++ file because the zip file i downloaded from the above mentioned link is zero bytes and i am not able to open it in immunity debugger ?

    65. How to configure the network configuration using vmware workstation?

    66. Good first tutorial, all works fine with little adaptation (my host OS is a Debian ;) ).

      It could be a good idea to show the network activity of the malware and to comment on it. I saw some DNS and TCP packets but i don't know their meanings.

    67. The only thing that can be seen nowadays is 3 connection attempts to 94.75.199.163:8083.

    68. What should i set up as the DNS server correspondingly? from "3.3 Reconfigure XP Guest"