Thursday, 9 January 2014

Bright and Shiny - Fakenet

Sooooo bright and shiny always works, and when a colleague suggested that I check out Fakenet, I dropped everything else I was doing to take a look ... and thought, why not do a follow up blog post on it!

"FakeNet is a tool that aids in the dynamic analysis of malicious software". Fakenet runs inside the guest VM so there is no need for multiple systems to analyse the malware. FakeNet was designed and developed by Andrew Honig. The most current release is 1.0 and that was released in July 2012. There hasn't been much in the way of movement from them since December 2012, but hopefully this isn't the end of Fakenet just yet.

You can download the latest version of Fakenet from Sourceforge and there is also a demo video that you can watch.

First things first though, I wanted to set up my analysis virtual machine ready to go. I'm using VMware Workstation to create the analysis machine with Windows XP SP3. I've created the machine with 2GB RAM (being generous) and only 1 CPU; we're not going to be asking too much of this virtual machine. I've given it a 20GB hard drive that will expand on demand.

It's worthwhile noting here that many malware creators have now implemented virtual machine detection to prevent malware from running in a virtualised environment. There are some steps you can take to help quieten down your VMware instance. Tom Liston and Ed Skoudis did a night presentation at SANS on this very topic and you can read their paper here, and I also just came across a blog post here on hardening Cuckoo against VM-aware malware.

At a minimum I was recommended to uninstall VMware tools and change the default MAC address. I've also set the networking to be host only and disabled Automatic Updates to keep the system vulnerable.

So once you have your virtual machine all ready to go, it's time to take a look at Fakenet. There is a Readme instruction file included in the zip; some useful information from that file:
The default configuration will modify the DNS settings of the local machine to point to local host. It will also install hooks into the windows socket interface to redirect traffic destined for hard coded IPs to the local machine. The following services are enabled by the default configuration:
  • DNS Server on UDP port 53. The DNS server responds to all requests with the IP 127.0.0.1 to redirect all requests to the local machine
  • HTTP Server on TCP ports 80, 8080, and 8000. This responds to all GET requests with a default file based on the extension of the request
  • HTTPS Server on TCP ports 443 and 8443. This behaves the same as the HTTP server, but uses SSL
  • SMTP Server on TCP port 25 implemented as a python extension and SMTP over SSL on TCP port 465
  • ICMP Server that listens for ICMP traffic
  • Dummy service that listens on all other ports, autodetects SSL and decrypts if necessary, and outputs the received data to the screen.
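To show what the first bullet is doing under the hood, here is an added Python 3 example (my own code, not Fakenet's) of a DNS sinkhole that answers every A query with 127.0.0.1 so the sample's C2 hostnames resolve to the local listeners; the bind address and the 60 second TTL are my choices, and build_query is only there to construct a test packet.

```python
"""Minimal DNS sinkhole in the spirit of Fakenet's DNS server (added example)."""
import socket
import struct

SINKHOLE_IP = "127.0.0.1"   # Fakenet's default answer for all requests
DNS_PORT = 53               # needs root to bind; pick a high port to test unprivileged


def parse_question(packet):
    """Return (qname, qtype, qclass, offset_after_question) for the first question."""
    labels = []
    pos = 12                             # fixed 12-byte DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def build_sinkhole_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer an A/IN question with answer_ip; other question types get an
    empty NOERROR response so the client moves on instead of retrying."""
    txid = query[0:2]
    qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    is_a_query = (qtype == 1 and qclass == 1)
    flags = 0x8180                       # QR=1, RD=1, RA=1, RCODE=NOERROR
    ancount = 1 if is_a_query else 0
    header = txid + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    answer = b""
    if is_a_query:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer, qname


def build_query(name, txid=0x1234, qtype=1):
    """Constructed client query used for testing (standard query, RD set)."""
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(bind_ip="0.0.0.0", port=DNS_PORT):
    """Listen on UDP, sinkhole every query and log the name the sample asked for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            response, qname = build_sinkhole_response(data)
        except (IndexError, struct.error, UnicodeDecodeError):
            continue                     # malformed packet: ignore, don't crash the sandbox
        print("[DNS] %s:%d asked for %s -> %s" % (addr[0], addr[1], qname, SINKHOLE_IP))
        sock.sendto(response, addr)


if __name__ == "__main__":
    serve()
```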

ZeroAccess

So without further delay I have run the ZeroAccess malware I have in Fakenet to see the network activity logged and recorded.

First things first, we need to start up Fakenet in a command window:
Starting fakenet.exe
Fakenet starts up and loads its services listening and ready. If you open up a web browser you will be redirected to the help file. Now that Fakenet is listening I wanted to run the malware to look at the behaviour as seen by Fakenet.
Running the malware
Fakenet logs the output in the window, so you can watch it in real time. In this instance we see two pieces of information about the malware:
  1. "Redirecting a socket destined for 85.17.239.212 to localhost"; and
  2. "Received new connection on port: 80"
Fakenet output
ZeroAccess is a family of rootkits known to infect 32-bit and 64-bit Windows operating systems. This particular version is known as Max++ and is used in FakeAV installations; it could be used to deliver any kind of malicious application onto a user's computer.

File Details from Malwr.com

FILE NAME: Max_2010.exe
FILE SIZE: 79360 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d8f6566c5f9caa795204a40b3aaaafa2
SHA1: d0b7cd496387883b265d649e811641f743502c41
SHA256: d22425d964751152471cca7e8166cc9e03c1a4a2e8846f18b665bb3d350873db
SHA512: 61f02a95e403c6d780e4caced6c8a98ab9dfb0b7c430fedb4b8cd6995d07835d1d0c734bc9d9da5113d77889980416ab675c376473b6c947cad074e6b6b19bb7
CRC32: 4D43189E
SSDEEP: 1536:w//jgpLYTE5UYieY+mEUVQ3+HT5j6iNMNBjswlkRskteF:y/kpLYTEMeTmEUVQ3+HZVuNBFMe
YARA: None matched
When this piece of malware is executed, the first thing we see is a beacon sent out to 85.17.239.212, presumably a "hello, I'm here" (as outlined in Dr Fu's Security Blog, Section 10, Contact Malicious Server), as well as a connection to intensedive.com on port 80 with a GET request to download the FakeAV application:
"GET /install/setup.php?m=000c299b60aa&i=1&id=110001800 HTTP/1.1\\r\\n" 

The picture below shows an excerpt from Wireshark showing the traffic captured.
Packet capture details in wireshark
I uploaded the same executable to www.malwr.com to compare the results from Cuckoo to Fakenet for network behaviours. Interestingly only the initial beacon to 85.17.239.212 seems to be detected.
Results from www.malwr.com

Agobot

Agobot is an IRC bot for Win32 systems. There are several thousand variants of Agobot. Once again I uploaded the same executable to www.malwr.com as I used in my Fakenet sandbox to compare the network results.

File Details from malwr.com

FILE NAME: Backdoor.Win32.Agobot.015.b
FILE SIZE: 104448 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8987f0f70625ad4e35f0442f29ba7345
SHA1: 6186307cb3476c9a15b94e7e3cdbcf1e121519d9
SHA256: 5be2043a0ba5e8ba3cc5a51395d6ba98a1dbe01361087eba944cd4abe2a25434
SHA512: 4a915f09102c8402bdd6559686ba577c485302b426b7629b270170868402cd8f36e716eaa7c18eb524cbe6d0f874338eaf1735e98e640508d880e6a051b6b665
CRC32: CE090985
SSDEEP: 3072:7d67S/yCT7t+deNbh3UgDIhWp2eI9rrpVZzz7pMP:7d6O/H7Mde5dUgDI82nVZn7O
YARA: None matched
From malwr.com we can see that a connection to "bots.unixcon.net" is attempted (pictured below).

What is nice about the information that Fakenet has given us is that we see the connection is made over TCP port 9900.
Agobot information from Fakenet
We can also see the information that is sent to the IRC server in cleartext:
NICK icglgj
USER icglgj XXXXXX-5730C82D server :icglgj
QUIT :Bye!

as well as

NICK qmjvf
USER qmjvf XXXXXX-5730C82D server :qmjvf
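Reading the Fakenet window by eye works for one sample, but the lines it prints for the ZeroAccess and Agobot runs above follow a regular enough shape to triage automatically. This added Python 3 script (mine, not Fakenet's) pulls the redirected IPs, listener ports, HTTP request lines and IRC nicks out of a saved console log; the SAMPLE_LOG is constructed from the lines quoted in this post, and the regexes assume Fakenet keeps that wording.

```python
"""Summarise Fakenet console output into network indicators (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample assembled from the Fakenet lines quoted in this post.
SAMPLE_LOG = """\
Redirecting a socket destined for 85.17.239.212 to localhost
Received new connection on port: 80
"GET /install/setup.php?m=000c299b60aa&i=1&id=110001800 HTTP/1.1\\r\\n"
Received new connection on port: 9900
NICK icglgj
USER icglgj XXXXXX-5730C82D server :icglgj
QUIT :Bye!
NICK qmjvf
USER qmjvf XXXXXX-5730C82D server :qmjvf
"""

REDIRECT_RE = re.compile(r"destined for (\d{1,3}(?:\.\d{1,3}){3}) to localhost")
PORT_RE = re.compile(r"new connection on port: (\d+)")
HTTP_RE = re.compile(r"(GET|POST|HEAD) (\S+) HTTP/1\.[01]")
IRC_RE = re.compile(r"^(NICK|USER) (\S+)")


def _unique(items):
    """Deduplicate while preserving first-seen order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def summarise_fakenet_log(text):
    """Return a dict of indicators found in Fakenet console output."""
    ips, ports, requests, nicks = [], [], [], []
    for line in text.splitlines():
        m = REDIRECT_RE.search(line)
        if m:                                  # hard-coded C2 IP the sample tried to reach
            ips.append(m.group(1))
            continue
        m = PORT_RE.search(line)
        if m:                                  # which Fakenet listener took the connection
            ports.append(int(m.group(1)))
            continue
        m = HTTP_RE.search(line)
        if m:                                  # request line, split into path and parameters
            parts = urlsplit(m.group(2))
            requests.append({
                "method": m.group(1),
                "path": parts.path,
                "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
            })
            continue
        m = IRC_RE.match(line)
        if m and m.group(1) == "NICK":          # bot's IRC registration
            nicks.append(m.group(2))
    return {
        "redirected_ips": _unique(ips),
        "ports": _unique(ports),
        "http_requests": requests,
        "irc_nicks": _unique(nicks),
    }


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(summarise_fakenet_log(text), indent=2))
```

Pipe a saved Fakenet log into it (`python3 fakenet_summary.py < fakenet.log`) or run it bare to see the summary for the constructed sample.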

This information is very handy, and of course you can collect the packets if you have your own setup of Cuckoo to play with and capture. Perhaps I'll cover that next time.

Wednesday, 27 November 2013

Beginning Malware Analysis With Cuckoo

It is all good and well that I have a honeypot set up (even though I am not having the best of luck just yet with it) waiting to catch new malware, but what will I do with it once I have it? Enter cuckoo, "Cuckoo is an open source automated malware analysis system". Cuckoo is the first set of systems that I will set up in order to assist in malware behavioural analysis. This isn't so much a "How To" post (there are plenty of other blogs that detail this process step by step, and I have referenced them below) as it is about my journey and the process that I am taking in ramping up my malware analysis skills; along the way I hope to pass on some knowledge to unsuspecting readers.

This is the first time that I am setting up Cuckoo in my lab, so I've found the docs to be highly useful in getting it up and running. I have also listed a few reference blog pages and documents at the end of this post, without those the set up wouldn't have been so easy.

There are a few steps to be taken in order to get Cuckoo up and running:
  1. Get yourself a copy of Linux up and running as the Cuckoo host, I have used Ubuntu server 12.10 running in a VMWare workstation virtual machine. All updates have been applied to Ubuntu before proceeding with the installation;
  2. Install all the prerequisites for Cuckoo, there are quite a few. You also might want to consider installing openssh if you want to make life easier and use SSH to administer the virtual machine;
  3. Install Virtualbox and configure the Analysis Guest virtual machines; and
  4. Install Cuckoo and configure to use the appropriate Analysis Guest VMs.
The Cuckoo documentation includes the following diagram that explains the setup extremely well.

Cuckoo virtual network environment - linked from http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture

1. Building Your Cuckoo Host

Cuckoo documentation recommends Ubuntu as their syntax revolves around that distribution, but realistically your favourite distro will do the job. I used Ubuntu Server 12.10 as I already had a copy of the ISO downloaded, and I did not want the added overhead of using the Desktop version. I've set this up using VMware Workstation. Ensure you give the VM enough disk space as you will be building additional virtual hosts within your Cuckoo Host box.


2. Install The Required Prerequisites for Cuckoo

This is probably the most time consuming part of the whole set-up. Cuckoo has a fair few dependencies that need to be installed before you can continue with the installation of Cuckoo itself; check the docs for the latest list, but as of writing this post the following packages need to be installed (I've provided the commands for easy installation and in case I need to come back and redo this part of the lab work):
  • Python 2.7
  • SQLAlchemy
  • tcpdump
$ sudo apt-get install python python-sqlalchemy tcpdump

Python 2.7 is required as Cuckoo is built in Python; the documentation specifically calls for the current release, Python 2.7, so don't grab Python 3 at this stage. SQLAlchemy is also required for Cuckoo to function, and tcpdump needs to be installed and configured to record network traffic during analysis.


2.1 Install The Recommended Packages

The following libraries are not strictly required, but their installation is recommended by the cuckoo team and included in the documentation (referenced here):
  • Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
  • Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
  • Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
  • Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
  • Pymongo (Optional): for storing the results in a MongoDB database.
  • Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
  • Bottlepy (Optional): for using the web.py and api.py utilities.
  • Pefile (Optional): used for static analysis of PE32 binaries.
  • Python-pip: to download python modules
  • Subversion: to download additional modules such as Yara
  • Automake: for installing the latest Yara through svn
  • Python-dev: to install yara-python
To make life somewhat easier I have grouped all the recommended packages into one command. You can pick and choose your addons depending on what you'd like. I have chosen to install all of them except KVM.

$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo mongodb python-bottle python-pefile python-pip subversion automake python-dev git libcap2-bin unzip


2.2 Installing Yara and Yara Python

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. Yara needs to be installed before Yara Python and can be obtained in the following way:

$ sudo apt-get install libpcre3 libpcre3-dev
$ wget https://yara-project.googlecode.com/files/yara-1.7.tar.gz
$ tar -zxvf yara-1.7.tar.gz
$ cd  yara-1.7
$ ./configure
$ make
$ make check
$ sudo make install

Now to install yara-python:

$ cd ..
$ wget https://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
$ tar -zxvf yara-python-1.7.tar.gz
$ cd yara-python-1.7
$ python setup.py build
$ sudo python setup.py install

To check it's installed correctly:

$ python
>>> import yara
>>> yara.Error

<class 'yara.Error'>

In some operating systems (e.g: Ubuntu) you can get an error message like this one:

Traceback (most recent call last):
  File "<stdin>", line 1, in ?
ImportError: libyara.so.0: cannot open shared object file: No such file or directory

If you get the previous error you should add the path /usr/local/lib to the loader
configuration file:

$ sudo su
$ echo "/usr/local/lib" >> /etc/ld.so.conf

$ ldconfig


2.3 Installing ssdeep and Pydeep

$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.10/ssdeep-2.10.tar.gz
$ tar -xvzf ssdeep-2.10.tar.gz
$ cd ssdeep-2.10
$ ./configure
$ make
$ sudo make install

$ cd ..
$ wget https://github.com/kbandla/pydeep/archive/master.zip
$ unzip master.zip
$ cd pydeep-master
$ python setup.py build
$ sudo python setup.py build install

2.4 Configuring tcpdump

I have already chosen to install tcpdump earlier in the process, but we want the cuckoo user to be able to run tcpdump without elevated privileges, so we need to give the tcpdump binary the capabilities it needs and then confirm they were applied:
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump

3. Install Virtualbox

There is a very detailed and fantastic blog post over on Santi's blog that details setting up Virtualbox on Ubuntu, I'll only be repeating his process, so credit where credit is due and go and check out his work over here.

Note: I skipped doing "apt-get dist-upgrade" as there seem to be some issues with the Virtualbox repository for 13.10 and I had errors installing and using Virtualbox installed this way, so I kept my distro at 12.10 for the installation.

Update: As there are a couple of changes to some of the steps taken (for example phpvirtualbox has moved) I will include the steps I took here for future reference. I also used the latest version of Virtualbox for my Ubuntu distribution, not the one from the Ubuntu Repositories;

Firstly, making sure I can set up a shared folder between my host computer and the cuckoo server (accepting the defaults):
$ sudo vmware-config-tools.pl

Now I want to set up the repository for the VirtualBox download site:
$ sudo vi /etc/apt/sources.list
added the line: deb http://download.virtualbox.org/virtualbox/debian quantal contrib
$ wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

$ sudo apt-get update
$ sudo apt-get install virtualbox-4.1 dkms

Check the version of VirtualBox installed:
$ vboxmanage -v
mine is 4.1.28r89849

Install the extension pack that will allow remote access to the machines:
$ wget http://download.virtualbox.org/virtualbox/4.1.28/Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack
$ sudo vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack

Add the cuckoo user to the vboxusers group:
$ sudo usermod -a -G vboxusers cuckoo

$ id cuckoo


3.1 Setting up the virtual guests

Now to begin installation of the Analysis Guest Machine; we're going to set up Windows XP with SP3 on it, with 1GB of RAM and 10GB of hard drive space:
$ vboxmanage createvm --name "WindowsXP-1" --ostype WindowsXP --register  
$ vboxmanage modifyvm "WindowsXP-1" --memory 1000 --acpi on --boot1 dvd --nic1 nat --hwvirtex off
$ vboxmanage createhd --filename "WinXP-1.vdi" --size 10000  
$ vboxmanage storagectl "WindowsXP-1" --name "IDE Controller" --add ide --controller PIIX4  
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP-1.vdi"
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /mnt/hgfs/share_name/windowsxp.iso 

Once the setup is complete we can start the virtual machine:
$ vboxheadless --startvm "WindowsXP-1" &

vboxheadless started and listening for RDP connections
Open up RDP (or your choice) and connect to the Linux host on 3389 to complete the installation of Windows XP.

Windows XP installation
This could take a while remember .....

Once the operating system installation has finished we need to do a few things to get the guest ready for analysis.

3.1.1 Set up shared folders between the cuckoo host and the analysis guest. 
Turn off the virtual machine for this:
$ vboxmanage controlvm "WindowsXP-1" poweroff  
$ mkdir -p /home/cuckoo/shares/WindowsXP-1  
$ vboxmanage sharedfolder add "WindowsXP-1" --name "WindowsXP-1" --hostpath /home/cuckoo/shares/WindowsXP-1 --automount  
$ vboxmanage sharedfolder add "WindowsXP-1" --name setup --hostpath /home/cuckoo/shares/setup --automount --readonly  
$ vboxmanage modifyvm "WindowsXP-1" --nictrace1 on --nictracefile1 /home/cuckoo/shares/WindowsXP-1/dump.pcap 

3.1.2 Install Guest Additions on WindowsXP
You're going to notice that it is fairly painful trying to navigate with the mouse in the virtual machine, so we need to install the Guest Additions:
$ cd /home/cuckoo/shares/WindowsXP-1
$ wget http://download.virtualbox.org/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso

3.1.3 Start the virtual machine and connect with RDP 

$ vboxheadless --startvm "WindowsXP-1" &  

3.1.4 Mount the ISO file in Windows XP
Mount the Guest Additions ISO in Windows XP and follow the installation prompts.

$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /home/cuckoo/shares/WindowsXP-1/VBoxGuestAdditions_4.1.12.iso

Enjoy the use of your mouse again.


4. Finally ready to install Cuckoo

Now we have our requirements and optional extras installed plus VirtualBox and a Windows XP virtual machine, it's time to get to business and install cuckoo itself. 

$ cd /home/cuckoo
$ sudo git clone git://github.com/cuckoobox/cuckoo.git

4.1 Preparing the virtual guest

A few final tasks remain to get the Windows XP guest ready for cuckoo: we need to install the cuckoo agent and make sure it starts up on reboot, install any vulnerable applications you like, and then take a snapshot.

4.1.1 Configure the host only adapter
At this point I refer back to Santi's blog post and his steps for configuring the host only adapter. We have the shared folder set up, so any additional packages that need to be installed from this point on can be downloaded on the cuckoo server:
$ vboxmanage hostonlyif create 
$ vboxmanage controlvm "WindowsXP-1" poweroff   
$ vboxmanage modifyvm "WindowsXP-1" --nic1 hostonly  
$ vboxmanage modifyvm "WindowsXP-1" --hostonlyadapter1 vboxnet0  
$ vboxheadless --startvm WindowsXP-1 & 


4.1.2 Set up gateway and DNS on Windows XP guest
We need to set up the default gateway and DNS on the Windows guest so that we can get external access for things like VirusTotal:
  • My network is 192.168.56.0/24 so I'll set my default route to 192.168.56.1
  • I'll use the Google DNS of 8.8.8.8
ipconfig
While I'm here I'm also going to ensure that the Windows firewall is disabled and automatic updates are switched off.

4.1.3 Install the cuckoo agent in Windows XP guest
In order for cuckoo to work its magic we need to install Python for Windows as well as install the cuckoo agent and set it to autorun on startup.
On the cuckoo server:
$ cd /home/cuckoo/shares/setup
$ wget  http://python.org/ftp/python/2.7.6/python-2.7.6.msi
$ wget http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
$ cp /home/cuckoo/cuckoo/agent/agent.py /home/cuckoo/shares/setup

On the Windows XP guest;
  • Install Python for Windows
  • Install PIL for Windows
  • Copy agent.py to C:\Python27\agent.pyw
  • Add the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
Upon restart we should see the agent listening on port 8000.

At this point I am going to create a snapshot of the virtual machine and I'm ready to start using cuckoo to analyse some malware!
$ vboxmanage snapshot "WindowsXP-1" take "WindowsXP-1Snap01" --pause
$ VBoxManage controlvm "WindowsXP-1" poweroff

$ VBoxManage snapshot "WindowsXP-1" restorecurrent
$ VBoxManage showvminfo "WindowsXP-1" | grep State


We need to configure the cuckoo conf file to look for the correct virtual machines:
$ sudo vi /home/cuckoo/cuckoo/conf/virtualbox.conf
  • Change mode from gui to headless
  • Change the name of the machines to match
  • Change the name of the heading to match your virtual machine name
  • Change the label
  • Ensure that the IP address matches
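Rather than eyeballing those five points after every edit, here is an added Python 3 checker (my own script, not part of Cuckoo) that reads a virtualbox.conf and flags the usual mismatches. It assumes the layout of the file at the time ([virtualbox] holding mode and machines, one section per machine holding label and ip) and the 192.168.56.0/24 host-only network used in this post; it needs Python 3, so run it from your workstation or a python3 install rather than the Python 2.7 that Cuckoo itself uses.

```python
"""Sanity-check a Cuckoo virtualbox.conf for the mistakes listed above (added example)."""
import ipaddress
from configparser import ConfigParser

HOSTONLY_NET = ipaddress.ip_network("192.168.56.0/24")   # vboxnet0 subnet used in this post

# Constructed examples: one conf matching the VM built in this post, one with typical mistakes.
GOOD_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = WindowsXP-1

[WindowsXP-1]
label = WindowsXP-1
platform = windows
ip = 192.168.56.101
"""

BAD_CONF = """
[virtualbox]
mode = gui
machines = WindowsXP-1, cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.57.101
"""


def check_virtualbox_conf(text, hostonly_net=HOSTONLY_NET):
    """Return a list of problems found in the conf text; an empty list means it looks right."""
    cfg = ConfigParser()
    cfg.read_string(text)
    problems = []
    if not cfg.has_section("virtualbox"):
        return ["missing [virtualbox] section"]
    mode = cfg.get("virtualbox", "mode", fallback="")
    if mode != "headless":                     # a server without a GUI cannot run gui mode
        problems.append("mode is %r, expected headless" % mode)
    machines = [m.strip() for m in cfg.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    if not machines:
        problems.append("no machines listed under [virtualbox]")
    seen_ips = {}
    for name in machines:
        if not cfg.has_section(name):           # heading must match the entry in machines
            problems.append("machine %r listed but has no [%s] section" % (name, name))
            continue
        if not cfg.get(name, "label", fallback=""):   # label is the VirtualBox VM name
            problems.append("[%s] has no label" % name)
        ip_text = cfg.get(name, "ip", fallback="")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append("[%s] ip %r is not a valid address" % (name, ip_text))
            continue
        if ip not in hostonly_net:              # guest must sit on vboxnet0 or the agent is unreachable
            problems.append("[%s] ip %s is outside %s" % (name, ip, hostonly_net))
        if ip in seen_ips:
            problems.append("[%s] ip %s duplicates [%s]" % (name, ip, seen_ips[ip]))
        seen_ips[ip] = name
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/home/cuckoo/cuckoo/conf/virtualbox.conf"
    with open(path) as fh:
        found = check_virtualbox_conf(fh.read())
    print("\n".join(found) if found else "virtualbox.conf looks consistent")
```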
Configure the Cuckoo host IP forwarding and firewall filters:
$ sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT  
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE  
$ sudo sysctl -w net.ipv4.ip_forward=1  
Add these commands to /etc/rc.local file to be executed every time the server wakes up or restarts.

Now we can see if Cuckoo starts up happily; if it does, you should see something similar to the picture below:
$ cd /home/cuckoo/cuckoo
$ python cuckoo.py

Cuckoo successfully running


References



Monday, 28 October 2013

No bees to my honeypot

So unlike the girl on the left here it seems that my honeypot as yet isn't enticing enough to warrant a look. Since I set the honeypot up a few weeks ago all I have seen is port scans checking the SSH port is open.
This has also tied in with some work travel and responsibilities, but hopefully this week I will get some time to set up Kippo Graph and look at ways of making my server look more enticing and at least warrant a brute force attempt against it!

Tuesday, 8 October 2013

Enabling MySQL Logging for Kippo

At the moment my SSH honeypot isn't getting a large amount of hits; the only interactions thus far have been with what would seem to be port scanners, where the connections are made and dropped within a few seconds with no user interaction. I have changed the default root password from "123456" to "Password1!" and changed the hostname from "nas3" to "Dev-server" in an effort to disguise it a little bit more.

The flat log files produced by Kippo are a good start, but later versions of Kippo come with the ability to log directly into a MySQL database, which will allow more powerful integration with other data as well as the ability to extract information more easily. So while I wait for further interactions on my honeypot, now would be a good time to continue optimisation and automation of the process so I'm set up for the long haul. Luckily the later versions of Kippo are ready to log straight to SQL with minimal configuration, and instructions are provided on the Kippo project page.

Saturday, 5 October 2013

Automating the Kippo review process - Part 1


With time being a commodity I do not have a lot of, it has quickly become apparent that the enthusiasm I now have for logging in and checking my Kippo honeypot every day will eventually wane. While Googling around for some ideas on what to look for when running Kippo, I came across the blog post "Reviewing Kippo Logs", in which the author Andrew Waite has provided his script for producing a daily review of Kippo logs via email, and I will look at customising this script to run on my honeypot.

Friday, 4 October 2013

Honeypots for blondes, Part 1

This is the first time I am setting up a honeypot, and I'll be taking my time and going through two different set-ups. Firstly I'll set-up and play around with Kippo, and then once that is up and running I'm going to also install dionaea.

"Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker". 

I'm not hiding from the Feds ... I promise!

... otherwise known as "Setting up PuTTY for use with Tor".

Sometimes, just sometimes, you do have something to hide, and in my case right now it's my IP address. There are times when you just don't want your home IP address being logged on a server somewhere, for someone not so very nice to find. This is the case for me as I am setting up a honeypot, and in case of the worst happening (my instance gets p0wned) I don't want my home IP address littered throughout the logs. So, to get around this I am connecting with PuTTY using a Tor proxy to anonymise my IP address. So before any of you start to think up your witty "Tor isn't really anonymous" comments for the sections below .. let me stop you .. I am not using Tor to completely anonymise my actions, but so that the IP address logged on my honeypot system is not my own .. for my own (paranoid) protection. For more information on Tor and internet privacy, you can see their website.