Wednesday, 27 November 2013

Beginning Malware Analysis With Cuckoo

It is all good and well that I have a honeypot set up (even though I am not having the best of luck with it just yet) waiting to catch new malware, but what will I do with it once I have it? Enter Cuckoo: "Cuckoo is an open source automated malware analysis system". Cuckoo is the first of the systems that I will set up to assist in malware behavioural analysis. This isn't so much a "How To" post, as there are plenty of other blogs that detail this process step by step (I have referenced them below); it is about my journey and the process I am taking in ramping up my malware analysis skills, and along the way I hope to pass on some knowledge to unsuspecting readers.

This is the first time that I am setting up Cuckoo in my lab, so I've found the docs to be highly useful in getting it up and running. I have also listed a few reference blog pages and documents at the end of this post, without which the setup wouldn't have been so easy.

There are a few steps to be taken in order to get Cuckoo up and running;
  1. Get yourself a copy of Linux up and running as the Cuckoo host, I have used Ubuntu server 12.10 running in a VMWare workstation virtual machine. All updates have been applied to Ubuntu before proceeding with the installation;
  2. Install all the prerequisites for Cuckoo, there are quite a few. You also might want to consider installing openssh if you want to make life easier and use SSH to administer the virtual machine;
  3. Install Virtualbox and configure the Analysis Guest virtual machines; and
  4. Install Cuckoo and configure to use the appropriate Analysis Guest VMs.
The Cuckoo documentation includes the following diagram that explains the setup extremely well.

Cuckoo virtual network environment - linked from http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture

1. Building Your Cuckoo Host

Cuckoo documentation recommends Ubuntu as their syntax revolves around that distribution, but realistically your favourite distro will do the job. I used Ubuntu Server 12.10 as I already had a copy of the ISO downloaded, and I did not want the added overhead of using the Desktop version. I've set this up using VMware Workstation. Ensure you give the VM enough disk space as you will be building additional virtual hosts within your Cuckoo Host box.


2. Install The Required Prerequisites for Cuckoo

This is probably the most time-consuming part of the whole set-up. Cuckoo has a fair few dependencies that need to be installed before you can continue with the installation of Cuckoo; check the docs for the latest list, but as of writing this post the following packages need to be installed (I've provided the commands for easy installation and in case I need to come back and redo this part of the lab work);
  • Python 2.7
  • SQLAlchemy
  • tcpdump
$ sudo apt-get install python python-sqlalchemy tcpdump

Python 2.7 is required as Cuckoo is built in Python; the documentation specifically calls for the current 2.7 release, so don't grab Python 3 at this stage. SQLAlchemy is also required for Cuckoo to function, and tcpdump needs to be installed and configured to record network traffic during analysis.


2.1 Install The Recommended Packages

The following libraries are not strictly required, but their installation is recommended by the cuckoo team and included in the documentation (referenced here):
  • Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
  • Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
  • Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
  • Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
  • Pymongo (Optional): for storing the results in a MongoDB database.
  • Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
  • Bottlepy (Optional): for using the web.py and api.py utilities.
  • Pefile (Optional): used for static analysis of PE32 binaries.
  • Python-pip: to download python modules
  • Subversion: to download additional modules such as Yara
  • Automake: for installing the latest Yara through svn
  • Python-dev: to install yara-python
To make life somewhat easier I have grouped all the recommended packages into one command. You can pick and choose your addons depending on what you'd like. I have chosen to install all of them except KVM.

$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo mongodb python-bottle python-pefile python-pip subversion automake python-dev git libcap2-bin unzip


2.2 Installing Yara and Yara Python

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. Yara needs to be installed before Yara Python and can be obtained in the following way;

$ sudo apt-get install libpcre3 libpcre3-dev
$ wget https://yara-project.googlecode.com/files/yara-1.7.tar.gz
$ tar -zxvf yara-1.7.tar.gz
$ cd yara-1.7
$ ./configure
$ make
$ make check
$ sudo make install

Now to install yara-python;

$ cd ..
$ wget https://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
$ tar -zxvf yara-python-1.7.tar.gz
$ cd yara-python-1.7
$ python setup.py build
$ sudo python setup.py install

To check it's installed correctly;

$ python
>>> import yara
>>> yara.Error

<class 'yara.Error'>

In some operating systems (e.g: Ubuntu) you can get an error message like this one:

Traceback (most recent call last):
  File "<stdin>", line 1, in ?
ImportError: libyara.so.0: cannot open shared object file: No such file or directory

If you get the previous error you should add the path /usr/local/lib to the loader configuration file:

$ sudo su
$ echo "/usr/local/lib" >> /etc/ld.so.conf

$ ldconfig


2.3 Installing ssdeep and Pydeep

$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.10/ssdeep-2.10.tar.gz
$ tar -xvzf ssdeep-2.10.tar.gz
$ cd ssdeep-2.10
$ ./configure
$ make
$ sudo make install

$ cd ..
$ wget https://github.com/kbandla/pydeep/archive/master.zip
$ unzip master.zip
$ cd pydeep-master
$ python setup.py build
$ sudo python setup.py build install

2.4 Configuring tcpdump

I have already chosen to install tcpdump earlier in the process, but we want the cuckoo user to be able to run tcpdump without elevated privileges, so rather than running it as root we grant the tcpdump binary the capabilities it needs (raw sockets and network admin) and then verify they were applied;
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump

3. Install Virtualbox

There is a very detailed and fantastic blog post over on Santi's blog that details setting up Virtualbox on Ubuntu, I'll only be repeating his process, so credit where credit is due and go and check out his work over here.

Note: I skipped doing "apt-get dist-upgrade" as there seem to be some issues with the Virtualbox repository for 13.10 and I had errors installing and using Virtualbox installed this way, so I kept my distro at 12.10 for the installation.

Update: As there are a couple of changes to some of the steps taken (for example phpvirtualbox has moved) I will include the steps I took here for future reference. I also used the latest version of Virtualbox for my Ubuntu distribution, not the one from the Ubuntu Repositories;

Firstly, making sure I can set up a shared folder between my host computer and the cuckoo server (accepting the defaults);
$ sudo vmware-config-tools.pl

Now I want to set up the repository for the VirtualBox downloads site
$ sudo vi /etc/apt/sources.list
added deb http://download.virtualbox.org/virtualbox/debian quantal contrib
$ wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

$ sudo apt-get update
$ sudo apt-get install virtualbox-4.1 dkms

Check the version of virtualbox installed
$ vboxmanage -v
mine is 4.1.28r89849

Install the extensions pack that will allow remote access to the host machines
$ wget http://download.virtualbox.org/virtualbox/4.1.28/Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack
$ sudo vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.28-89849.vbox-extpack

Add cuckoo user to the vbox usergroup
$ sudo usermod -a -G vboxusers cuckoo

$ id cuckoo


3.1 Setting up the virtual guests

Now to begin installation of the Analysis Guest Machine. We're going to set up Windows XP with SP3, 1GB of RAM and 10GB of hard drive space;
$ vboxmanage createvm --name "WindowsXP-1" --ostype WindowsXP --register  
$ vboxmanage modifyvm "WindowsXP-1" --memory 1000 --acpi on --boot1 dvd --nic1 nat --hwvirtex off
$ vboxmanage createhd --filename "WinXP-1.vdi" --size 10000  
$ vboxmanage storagectl "WindowsXP-1" --name "IDE Controller" --add ide --controller PIIX4  
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP-1.vdi"
$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /mnt/hgfs/share_name/windowsxp.iso 

Once the setup is complete we can start the virtual machine
$ vboxheadless --startvm "WindowsXP-1" &

vboxheadless started and listening for RDP connections
Open up an RDP client of your choice and connect to the Linux host on port 3389 to complete the installation of Windows XP.

Windows XP installation
This could take a while remember .....

Once the operating system installation has finished we need to do a few things to get the guest ready for analysis.

3.1.1 Set up shared folders between the cuckoo host and the analysis guest. 
Turn off the virtual machine for this;
$ vboxmanage controlvm "WindowsXP-1" poweroff  
$ mkdir -p /home/cuckoo/shares/WindowsXP-1  
$ vboxmanage sharedfolder add "WindowsXP-1" --name "WindowsXP-1" --hostpath /home/cuckoo/shares/WindowsXP-1 --automount  
$ vboxmanage sharedfolder add "WindowsXP-1" --name setup --hostpath /home/cuckoo/shares/setup --automount --readonly  
$ vboxmanage modifyvm "WindowsXP-1" --nictrace1 on --nictracefile1 /home/cuckoo/shares/WindowsXP-1/dump.pcap 

3.1.2 Install Guest Additions on WindowsXP
You're going to notice that it is fairly painful trying to navigate with the mouse in the virtual machine, so we need to install the guest additions;
$ cd /home/cuckoo/shares/WindowsXP-1
$ wget http://download.virtualbox.org/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso

3.1.3 Start the virtual machine and connect with RDP 

$ vboxheadless --startvm "WindowsXP-1" &  

3.1.4 Mount the ISO file in Windows XP
Mount the Guest Additions ISO in Windows XP and follow the installation prompts.

$ vboxmanage storageattach "WindowsXP-1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /home/cuckoo/shares/WindowsXP-1/VBoxGuestAdditions_4.1.12.iso

Enjoy the use of your mouse again.


4. Finally ready to install Cuckoo

Now we have our requirements and optional extras installed plus VirtualBox and a Windows XP virtual machine, it's time to get to business and install cuckoo itself. 

$ cd /home/cuckoo
$ sudo git clone git://github.com/cuckoobox/cuckoo.git

4.1 Preparing the virtual guest

A few final tasks remain to get the Windows XP guest ready for Cuckoo: we need to install the Cuckoo agent and make sure it starts on reboot, install any vulnerable applications you like, and then take a snapshot.

4.1.1 Configure the host only adapter
At this point I refer back to Santi's blog post and his steps for configuring the host-only adapter. We have the shared folder set up, so any additional packages that need to be installed from this point on can be downloaded on the cuckoo server;
$ vboxmanage hostonlyif create 
$ vboxmanage controlvm "WindowsXP-1" poweroff   
$ vboxmanage modifyvm "WindowsXP-1" --nic1 hostonly  
$ vboxmanage modifyvm "WindowsXP-1" --hostonlyadapter1 vboxnet0  
$ vboxheadless --startvm WindowsXP-1 & 


4.1.2 Set up gateway and DNS on Windows XP guest
We need to set up the default gateway and DNS on the Windows guest so that we can get external access for things like VirusTotal;
  • My network is 192.168.56.0/24 so I'll set my default route to 192.168.56.1
  • I'll use the Google DNS of 8.8.8.8
ipconfig
While I'm here I'm also going to ensure that the Windows firewall is disabled and automatic updates are switched off.

4.1.3 Install the cuckoo agent in Windows XP guest
In order for cuckoo to work its magic we need to install Python for Windows, install the cuckoo agent and set it to autorun on startup;
On the cuckoo server;
$ cd /home/cuckoo/shares/setup
$ wget  http://python.org/ftp/python/2.7.6/python-2.7.6.msi
$ wget http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
$ cp /home/cuckoo/cuckoo/agent/agent.py /home/cuckoo/shares/setup

On the Windows XP guest;
  • Install Python for Windows
  • Install PIL for Windows
  • Copy agent.py to C:\Python27\agent.pyw
  • Add the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
Upon restart we should see the agent listening on port 8000.

At this point I am going to create a snapshot of the virtual machine and I'm ready to start using cuckoo to analyse some malware!
$ vboxmanage snapshot "WindowsXP-1" take "WindowsXP-1Snap01" --pause
$ VBoxManage controlvm "WindowsXP-1" poweroff

$ VBoxManage snapshot "WindowsXP-1" restorecurrent
$ VBoxManage showvminfo "WindowsXP-1" | grep State


Now we need to configure Cuckoo's VirtualBox conf file to point at the correct virtual machines
$ sudo vi /home/cuckoo/cuckoo/conf/virtualbox.conf
  • Change mode from gui to headless
  • Change the name of the machines to match
  • Change the name of the heading to match your virtual machine name
  • Change the label
  • Ensure that the IP address matches
Configure the Cuckoo Host IP forwarding and firewall filters;
$ sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT  
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE  
$ sudo sysctl -w net.ipv4.ip_forward=1  
Add these commands to /etc/rc.local file to be executed every time the server wakes up or restarts.
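The following pre-flight script is an added example, not code from the original post or from Cuckoo itself: it checks the tcpdump capabilities set in 2.4, the virtualbox.conf edits just made, and that IP forwarding is on, so a misconfiguration is caught before the first analysis silently fails. It assumes the Cuckoo 0.6/1.0 virtualbox.conf keys (mode, machines, label, ip) and Python 3 on the host.

```python
"""Pre-flight check for the Cuckoo host built above (added example, not part of
Cuckoo; Python 3 for the host-side check, Cuckoo itself runs under 2.7)."""
import configparser
import ipaddress
import re

REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}  # granted with setcap above
HOSTONLY_NET = "192.168.56.0/24"  # vboxnet0 subnet used in the iptables rules

def parse_getcap(line):
    """One getcap line -> (set of caps, flag string). Accepts both
    'path = cap_a,cap_b+eip' (older libcap) and 'path cap_a,cap_b=eip'."""
    m = re.search(r"((?:cap_\w+,?)+)[+=]([pie]+)\s*$", line)
    return (set(m.group(1).split(",")), m.group(2)) if m else (set(), "")

def tcpdump_ok(getcap_line):
    """True only if both caps are present and in the permitted+effective sets."""
    caps, flags = parse_getcap(getcap_line)
    return REQUIRED_CAPS <= caps and {"p", "e"} <= set(flags)

def ip_forward_enabled(sysctl_value):
    """Contents of /proc/sys/net/ipv4/ip_forward must be 1 or guests have no internet."""
    return sysctl_value.strip() == "1"

def check_conf(conf_text, subnet=HOSTONLY_NET):
    """Return (mode_is_headless, [(label, ip, ip_in_subnet), ...]) for every
    machine in [virtualbox] machines=. Keys follow the Cuckoo 0.6/1.0
    virtualbox.conf layout edited above (an assumption about that layout)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    net = ipaddress.ip_network(subnet)
    machines = []
    for name in cfg.get("virtualbox", "machines").split(","):
        name = name.strip()
        ip = cfg.get(name, "ip")
        machines.append((cfg.get(name, "label"), ip, ipaddress.ip_address(ip) in net))
    return cfg.get("virtualbox", "mode") == "headless", machines

# Constructed sample reflecting the virtualbox.conf edits made above.
SAMPLE_CONF = """[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = WindowsXP-1

[WindowsXP-1]
label = WindowsXP-1
platform = windows
ip = 192.168.56.101
"""

if __name__ == "__main__":  # run on the Cuckoo host after the steps above
    import subprocess
    cap = subprocess.run(["getcap", "/usr/sbin/tcpdump"], capture_output=True, text=True).stdout
    fwd = open("/proc/sys/net/ipv4/ip_forward").read()
    headless, machines = check_conf(open("/home/cuckoo/cuckoo/conf/virtualbox.conf").read())
    print("tcpdump caps:", tcpdump_ok(cap), "| ip_forward:", ip_forward_enabled(fwd),
          "| headless:", headless, "| machines:", machines)
```

A machine reported as OUTSIDE the host-only subnet will never be reached by the FORWARD/MASQUERADE rules above, which is the usual cause of a guest with no internet access.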

Now we can see if Cuckoo starts up happily; if it does you should see something similar to the picture below
$ cd /home/cuckoo/cuckoo
$ python cuckoo.py

Cuckoo successfully running


References



Monday, 28 October 2013

No bees to my honeypot

So unlike the girl on the left here it seems that my honeypot as yet isn't enticing enough to warrant a look. Since I set the honeypot up a few weeks ago all I have seen is port scans checking the SSH port is open.
This has also tied in with some work travel and responsibilities, but hopefully this week I will get some time to set up Kippo Graph and look at ways of making my server look more enticing and at least warrant a brute force attempt against it!

Tuesday, 8 October 2013

Enabling MySQL Logging for Kippo

At the moment my SSH honeypot isn't getting a large amount of hits; the only interactions thus far have been with what would seem to be port scanners, where the connections are made and dropped within a few seconds with no user interaction. I have changed the default root password from "123456" to "Password1!" and changed the hostname from "nas3" to "Dev-server" in an effort to disguise it a little bit more.

The flat log files produced by Kippo are a good start, but later versions of Kippo come with the ability to log directly into a MySQL database, which will allow for more powerful integration with other data as well as make it easier to extract information. So while I wait for further interactions on my honeypot, now would be a good time to continue optimisation and automation of the process so I'm set up for the long haul. Luckily later versions of Kippo are ready to log straight to SQL with minimal configuration, and instructions are provided on the Kippo project page.

Saturday, 5 October 2013

Automating the Kippo review process - Part 1


With time being a commodity I do not have a lot of, it has quickly become apparent that the enthusiasm that I now have for logging in and checking my Kippo honeypot everyday will eventually wane. While Googling around for some ideas on what to look for and running Kippo I came across this blog post "Reviewing Kippo Logs" and the author Andrew Waite has provided his script to provide a daily review of Kippo logs via email, and I will look at customising this script to run on my honeypot.

Friday, 4 October 2013

Honeypots for blondes, Part 1

This is the first time I am setting up a honeypot, and I'll be taking my time and going through two different set-ups. Firstly I'll set-up and play around with Kippo, and then once that is up and running I'm going to also install dionaea.

"Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker". 

I'm not hiding from the Feds ... I promise!

... otherwise known as "Setting up PuTTY for use with Tor".

Sometimes, just sometimes, you do have something to hide, and in my case right now it's my IP address. There are times when you just don't want your home IP address being logged on a server somewhere, for someone not so very nice to find. This is the case for me as I am setting up a honeypot, and in case of the worst happening (my instance gets p0wned) I don't want my home IP address littered throughout the logs. So, to get around this I am connecting with PuTTY using a Tor proxy to anonymise my IP address. So before any of you start to think up your witty "Tor isn't really anonymous" comments for the sections below .. let me stop you .. I am not using Tor to completely anonymise my actions, but so that the IP address logged on my honeypot system is not my own .. for my own (paranoid) protection. For more information on Tor and internet privacy, you can see their website.