Malware Analysis Tutorial 1 - VM Based Analysis Platform

Learning Goals:

1. Configure a virtual machine based experimental platform for malware analysis.
2. Master basic network sniffing/monitoring skills

This Lesson Can be Used as a Lab Module in:

1. Computer Networks and Communication Protocols
2. Operating Systems

Challenge of the day:

          Run the Max++ malware, can you describe its network activities?

DOWNLOADLINK:

For those of you who had trouble with downloading the sample from offensive computing, here is another link:
http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html


Or follow Bonfa's tutoria [1] on the download instructions. Bonfa's tutorial is perfect a general introduction/analysis of Max++.

1. Introduction

This tutorial is intended for those who are interested in malware analysis. We take a step-by-step approach to analyzing a malware named ZeroAccess. Giuseppe Bonfa has provided an excellent analysis [1] of the malware. This mini-series will help you to gain hands-on experiences with the analysis. We assume that you have some basic understanding of X86 assembly, debugging, operating systems, and programming language principles. Instructors are welcome to use this tutorial and integrate it in computer science courses such as computer architecture and operating systems. If you are using this material in your classes, we would appreciate if you follow up with a comment on this site and provide some basic information about your course so that we know our tutorial is helpful.

The purpose of this lesson is to set up a virtual machine based analysis environment. Before rolling up your sleeves, please make sure you have the following:

1. Windows XP SP2 installation disk (Note: it has to be SP2)
2. Linux Ubuntu installation disk (the version we use in this tutorial: Ubuntu 10.04 lucid LTS. The version does not really matter)
3. A computer loaded with XP, with at least 50GB of disk space. (later, we refer to this computer: the "host XP")
4. High-speed Internet
5. An account on OffensiveComputing.net (http://www.offensivecomputing.net/)

     If the screen resolution is too small, start the XP guest, and then click the "Install Guest Additions", and then reboot the XP Guest and adjust its screen resolution ("Right click on desktop -> Properties -> Settings").

2. Software Installation

We will need to download a number of other open-source/free software tools. The installation process is straightforward and we omit most of the details here. The installation process may take about 5 hours. (Hofstra students can check out DVD images of VBox instances from my office Adams 203.)

1. Install Oracle Virtual Box v4.04 on your host XP. (http://www.virtualbox.org/).
2. Create a Windows XP Guest (using your SP2 installation disk. For the VM itself, assign at least 256MB RAM and 10GB disk space.) on VBox manager.(later we refer to this VM instance as "guest XP"). Install the following on your guest XP.
1. Python 2.7.
2. Immunity Debugger (http://www.immunityinc.com/products-immdbg.shtml)
3. IDA Pro Debugger Free Version (http://www.hex-rays.com/idapro/idadown.htm. Note: get the free version but not the evaluation version - it does not allow saving dbg databases)
4. HxD (a binary editor http://mh-nexus.de/en/hxd/)
5. * Download the Malware instance of Max++ from OffensiveComputing.net (instructions available in [1]. The file name is "Max++ downloader install_2010". Don't run it!!!)
6. After the above is done, take a snapshot of the guest SP in VBox. A snapshot allows you to quickly recover to the original status of the system.
3. On your host XP, install WinDbg (http://msdn.microsoft.com/en-us/windows/hardware/gg463009). You might choose to download the entire XP debugging symbols on your host XP (which might speed up the debugging a little).
4. Create a Linux Ubuntu Guest (using your Ubuntu 10.04 installation disk. Assign at least 512MB RAM and 10GB disk space) on VBox. Install the following (you can use apt-get or System->Administration->Synaptic Package Manager which has GUI).
1. Wireshark (a sniffer. "sudo apt-get install wireshark" to install) 
2. GDB (GNU debugger)
3. g++ (c++ compiler)
4. Python
   
   The current resolution of Linux guest is too small. You can change the screen resolution following the instructions listed on Linux Format Forum [2].

3. Configuration

Up to now, both of your VM guests should have Internet access. What we will do next is to configure both instances so that all the traffic from the XP guest will have to go through the Linux guest. On the Linux guest, we use Wireshark to monitor the network traffic of XP guest when the malware is running. The design is shown in the following figure.

3.1 XP Guest

Now power off your XP Guest.In VBox manager, right click on the XP Guest and select "Setting". We will set up the network adapters of XP Guest.

In Network -> Tab "Adapter 1": (1) click the "Enable network adapter" checkbox, and (2) select "Internal Network" for "Attached To". (Note: please make sure to use the default network name "intnet" assigned by the VBox manager.)This allows us to separate the XP Guest from the outside world and connects to an internal network managed by the VBox manager.

Then we will enable a serial port for WinDbg. The setting is shown as below. Note that it is important to set up the Port/File Path "\\.\pipe\com_11" and the simulate the port as "Host Pipe".

Vt-x is a special CPU technology that is used to support virtualization. In Virtual Box, you have to enable it, otherwise hardware breakpoints will not work. Later you will see that the Max++ malware smartly takes advantage of hardware BP for hijacking system calls and it relies on hardware BP - you have to enable the Vt-x, as shown in the following figure.

3.2 Linux Guest

We now set up the Linux guest as the gateway computer of the internal network (power off the VBox instance first). It will have two adapters: one connects to the internal network and the other connects to the outside.The following figure shows the setting of the first adapter (Internal Network). In adapter 2, sets the network type ("Attached To") to "NAT". As you know, NAT stands for Network Address Translation. This provides a further layer protection of our VM instances.

Note: click the "Advanced" key and make sure that the "Adapter Type" is "Intel Pro/1000". Also change the last two digits of the MAC address to "01" (so that we can easily identify it as Adapter 1 later); similarly change the last two digits of the MAC of the second adapter to "02". If you are using VBox 4.1.0 or later, in the Advanced tab, there is an additional checkbox for "Promiscuous" mode, select "allow for all" (so that all traffic will be intercepted).

 Now reboot the Linux Ubuntu guest. We need to configure it as a gateway computer. Follow the instructions below:

1. Start a terminal window and type "ifconfig" to get the information of all available adapters. You should be able to see three of them, e.g., in my case "eth1", "eth2", and "lo" (the local loophole interface). If you look at their MAC addresses, you can verify that they are the ones that we set in the VBox manager earlier. Let us assume "eth1" corresponds to the adapter "xx...:01" and "eth2" corresponds to adapter "xx...:02".
2. System -> Preference -> Network Connections. First delete all existing network connections, and set up the first wireless connection following the figures below (use 169.254.236.100 as the static IP). Note that you can get the Gateway for it should be "0.0.0.0" (make sure to hit enter when you finish typing 0.0.0.0 in the third cell - the GUI of Ubuntu has some problems - if you don't hit enter, it will forget the entry you just added), because this is the link to the local internal network and the computer itself is the gateway. Similarly, set up the second wired connection (for the NAT connection), but this time, use DHCP for assigning the IP addresses. Here we are lazy to use the Ubuntu GUI. There are equivalent ifconfig commands for achieving the above if you are interested in exploring by yourself.

    3. Now now set up the IP forwarding. Create a file named "network.sh" and "chmod 755 network.sh". The shell script consists of three commands as shown below:

  sudo sysctl -w net.ipv4.ip_forward=1
 sudo iptables -P FORWARD ACCEPT
 sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

 The first is to enable the ip_forward features of the ipv4 stack in the Linux kernel. The second is to set up the internal firewall called "iptables" to allow forwarding packets. The third is to add a post routing tool and forward all packets to eth2 (note: eth2 is your outlink which corresponds to adapter 2. On your system, it may be a different name).

3.3 Reconfigure XP Guest

Now we go back and reset the XP Guest so that it has the Internet access via the Ubuntu guest. Do a "nslookup www.google.com" in your Ubuntu guest and find out DNS server used. Then go to the XP Guest -> Control Panel -> Network Connections -> Right Click (Properties) -> TCP/IP (Properties) -> set the static IP to 169.254.236.200 and set the gateway computer to 169.254.236.100. Set up the DNS server correspondingly. Start a browser and you will NOT have the Internet access yet!.

   You need to go back to the Ubuntu guest and  "sudo ./network.sh".  Then you can verify that your XP guest now has the Internet access. Again, "sudo wireshark " you can intercept all the traffic from/to the XP guest (note: when wireshark is started, be sure to click ok on the dialog it pops - otherwise your wireshark is frozen).

4. Challenge of the Day and Conclusion

We have successfully constructed a simple analysis environment for Max++. Using the Linux Ubuntu Guest, we can intercept all the packets sent by the malware. The virtual machine technology has provided us the great benefits of quick restoration if any system is broken.

You should now make a snapshot of both the XP and Ubuntu guest systems.

Finally, the challenge of the day:

          Run the Max++ malware, can you describe its network activities?

References
[1] Guiseppe Bonfa, "Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit", Available at http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

[2] udroomla , "How To Increase Screen Resolution with VirtualBox and Ubuntu", Available at http://www.linuxformat.com/forums/viewtopic.php?t=6438




Copyright. 2011. Dr. Xiang Fu. Department of Computer Science, Hofstra University.
GNU Generic Public License V3.