TekDefense

Friday

Mar222013

Automater added to Kali (The new BackTrack)

Friday, March 22, 2013 at 9:20AM

Update: Automater gets its own project page http://www.tekdefense.com/automater/

I must admit, I am in a bit of shock here. Never did I think I would actually get to have something I developed on the most popular distribution for security professionals. For those who do not know, Kali is the successor to Backtrack, this time fully debian based.

As of 2013/03/22 Automater was added to the Kali repos. What does that mean for you? If you are on Kali or have their repos added as a source you can now apt-get install automater.

Installation of automater on Kali:

In order to ensure you are able to pull automater from Kali you must first update your repos. to do this simply:

apt-get update

Once updated you can install automater with the following command:

apt-get install automater

You can roll both of those commands into one if you like, as seen in the screenshot below.

It is that simple, installation complete. Of course if you are not on kali you can still grab the latest version of automater from Github.

Automater usage:

Once installed via apt-get, automater is placed in /usr/bin/ which is in the PATH. So you can run automater from any directory.

Single target is an ip:

automater -t 66.249.23.64

Single target is a url/domain:

automater -t lovedacha.com

Single target is a shortened url:

automater -e bit.ly/XDlV1q

Target is several IPs and URLs/Domains listed in a file called hosts, outputting to another file called hosts.out:

automater -f hosts -o hosts.out

I have some really fun things planned for automater, such as adding a hash search function. I hope you enjoy.

Admin |

4 Comments |

tagged

Automater,

Kali,

OSINT,

analysis,

backtrack in

News

Sunday

Mar172013

Tektip ep25 - Static Malware Analysis With PEFRAME

Sunday, March 17, 2013 at 11:49AM

In this episode of TekTip we cover using peframe to help with the automating of static analysis of Portable Executable (PE) files. While MASTIFF (which we covered extensively) will determine a file type and then based on the file type run the appropriate tools, peframe focuses specifically on PE files or what we generally consider standard windows executables. This focus allows peframe to pull out some great data that we don't see (at least not yet), in other static analysis frameworks.

Peframe was created by Gianni Amato (@guelfoweb) and added to the CAINE digital forensics distro.

Like MASTIFF peframe at its current release can only run against a single file at a time. The script I wrote to automate running MASTIFF against multiple files could be easily modified to do the same for peframe.

Installation for peframe is simple, just download the zip and extract to the directory you want to run it from, for me I chose /opt/peframe. The only dependencies I am aware of are python 2.7, and peid.

OPTIONS:

-h --help This help

-a --auto Show Auto analysis

-i --info PE file attributes

--hash Hash MD5 & SHA1

--meta Version info & metadata

--peid PE Identifier Signature

--antivm Anti Virtual Machine

--antidbg Anti Debug | Disassembler

--sections Section analyzer

--functions Imported DLLs & API functions

--suspicious Search for suspicious API & sections

--dump Dumping all the information

--strings Extract all the string

--url Extract File Name and Url

--hexdump Reverse Hex dump

--import List Entry Import instances

--export List Entry Export instances

--resource List Entry Resource instances

--debug List Entry DebugData instances

Example Usage:

For must the auto option will pull all the data needed.

tekmalinux@TekMALinux:/opt/peframe$ sudo python peframe.py --auto /opt/malware/e72f79a5399c84f11d954ce59e4186f2

File Name: e72f79a5399c84f11d954ce59e4186f2

File Size: 752424 byte

Compile Time: 2013-02-26 17:35:54

DLL: False

Sections: 5

MD5 hash: e72f79a5399c84f11d954ce59e4186f2

SHA-1 hash: 8ed3ec95756f7be133f3e94309e0d22795f6da75

Packer: Microsoft Visual C++ 8

Anti Debug: Yes

Anti VM: None

File and URL:

FILE: ntdll.dll

FILE: kernel32.dll

FILE: s.dll

FILE: comctl32.dll

FILE: comdlg32.dll

FILE: shell32.dll

FILE: WININET.DLL

FILE: mfcm90.dll

FILE: user32.dll

FILE: ole32.dll

FILE: .com

FILE: .bat

FILE: .exe

FILE: USER32.DLL

FILE: OLEACC.dll

FILE: gdiplus.dll

FILE: RPCRT4.dll

FILE: VERSION.dll

FILE: KERNEL32.dll

FILE: USER32.dll

FILE: GDI32.dll

FILE: COMDLG32.dll

FILE: ADVAPI32.dll

FILE: SHELL32.dll

FILE: COMCTL32.dll

FILE: SHLWAPI.dll

FILE: oledlg.dll

FILE: ole32.dll

FILE: OLEAUT32.dll

FILE: urlmon.dll

FILE: WININET.dll

URL: http://schemas.microsoft.com/SMI/2005/WindowsSettings

FILE: Windows.Com

URL: http://crl.verisign.com/pca3.crl0

URL: https://www.verisign.com/cps0

URL: http://logo.verisign.com/vslogo.gif04

URL: http://ocsp.verisign.com0

URL: http://logo.verisign.com/vslogo.gif0

URL: https://www.verisign.com/rpa

URL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

URL: https://www.verisign.com/rpa0

URL: http://ocsp.verisign.com0

URL: http://csc3-2010-aia.verisign.com/CSC3-2010.cer0

URL: https://www.verisign.com/rpa

URL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

URL: https://www.verisign.com/rpa0

URL: http://ocsp.verisign.com0

URL: http://csc3-2010-aia.verisign.com/CSC3-2010.cer0

URL: https://www.verisign.com/rpa

URL: https://www.verisign.com/cps0

URL: https://www.verisign.com/rpa0

URL: http://logo.verisign.com/vslogo.gif04

URL: http://crl.verisign.com/pca3-g5.crl04

URL: http://ocsp.verisign.com0

URL: https://www.verisign.com/rpa

Suspicious API Functions:

Func. Name: GetFileAttributesA

Func. Name: GetFileSizeEx

Func. Name: GetModuleHandleW

Func. Name: UnhandledExceptionFilter

Func. Name: IsDebuggerPresent

Func. Name: GetDriveTypeA

Func. Name: GetCommandLineA

Func. Name: GetStartupInfoA

Func. Name: VirtualProtect

Func. Name: VirtualAlloc

Func. Name: ExitThread

Func. Name: CreateThread

Func. Name: FindNextFileA

Func. Name: CreateFileA

Func. Name: FindFirstFileA

Func. Name: GetFileSize

Func. Name: WriteFile

Func. Name: GetModuleFileNameW

Func. Name: GetModuleHandleA

Func. Name: CreateProcessA

Func. Name: GetTempFileNameA

Func. Name: DeleteFileA

Func. Name: CreateDirectoryA

Func. Name: GetTickCount

Func. Name: LoadLibraryA

Func. Name: LoadLibraryA

Func. Name: GetProcAddress

Func. Name: CreateToolhelp32Snapshot

Func. Name: Process32First

Func. Name: Process32Next

Func. Name: OpenProcess

Func. Name: TerminateProcess

Func. Name: GetTempPathA

Func. Name: GetModuleFileNameA

Func. Name: GetVersionExA

Func. Name: Sleep

Func. Name: FindResourceA

Func. Name: LockResource

Func. Name: CreateFileW

Func. Name: GetWindowThreadProcessId

Func. Name: SetWindowsHookExA

Func. Name: RegOpenKeyA

Func. Name: RegCreateKeyExA

Func. Name: RegCloseKey

Func. Name: RegEnumKeyA

Func. Name: RegDeleteKeyA

Func. Name: RegOpenKeyExA

Func. Name: ShellExecuteA

Func. Name: URLDownloadToFileA

Func. Name: InternetConnectA

Func. Name: HttpSendRequestA

Func. Name: InternetReadFile

Func. Name: InternetWriteFile

Func. Name: InternetOpenA

Func. Name: InternetCloseHandle

Func. Name: HttpQueryInfoA

Func. Name: InternetQueryDataAvailable

Func. Name: InternetQueryDataAvailable

Func. Name: InternetCrackUrlA

Suspicious API Anti-Debug:

Anti Debug: UnhandledExceptionFilter

Anti Debug: IsDebuggerPresent

Anti Debug: Process32First

Anti Debug: Process32Next

Anti Debug: TerminateProcess

Anti Debug: GetWindowThreadProcessId

Suspicious Sections:

InternalName: Setup.exe

FileVersion: 2.4.2

CompanyName: DownloadManager

ProductName: DownloadManager.exe

ProductVersion: 2.4.2

FileDescription: DownloadManager

OriginalFilename: Setup.exe

Translation: 0x0409 0x04e4

Now of course, if you don't want all the information that the auto option gives you can run the indivual options themselves. Additionally, you can use the --dump, --strings, --hexdump options to pull out more data if the auto option didn't give you what you want.

Overall, I think peframe is a great tool. While it runs many of the tools that we see in other frameworks it also applies a little analytics to the results pointing out key data like, file names, urls, Anti Forensics techniques, and suspicious API calls.

Admin |

Installing Cuckoo

Tuesday, March 12, 2013 at 5:34PM

In the first post of the Cuckoo Sandbox series, we will cover installation and basic configuration to get you started with automated dynamic malware analysis.

Background

Cuckoobox is an open source platform for automated dynamic analysis written by Claudio Guarnieri (nex) for the Google Summer of Code project in 2010. In 2012, Cuckoo was sponsored by Rapid7's Magnificent7 program "due to [its] innovative approach to traditional malware analysis". Currently Cuckoo can analyze Windows Executables, DLLs, PDF's, Office Docs, and URLs. Each sample to be analyzed is run through its own "clean" virtual machine, execution is tracked, and after completion the virtual machine is reverted back to its original "clean" state. A detailed report of the behavior the sample produced is generated and cataloged for later review. The system is written in Python and is very modular so it could be leveraged in other frameworks as well as extended for additional analysis or reporting.

Installation

Cuckoo has EXCELLENT documentation so check there for any questions that may arise after running through this installation. There is also an IRC channel (#cuckoosandbox on freenode) and community question portal for additional help.

As with the MASTIFF installation I am assuming a base installation of Ubuntu 12.10. As always the first step I perform is ensure that I have a fully updated system and have openssh installed for remote management.

sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y; sudo apt-get autoremove -y; sudo apt-get install openssh-server -y; sudo shutdown -r now later

Next we will begin the installation of the required dependencies.

sudo apt-get install python python-dev python-sqlalchemy python-dpkt python-jinja2 python-magic python-pymongo python-bottle -y

It is also recommended to install python-pefile, this could be accomplished by installing pefile from the apt repo or from source. I mention this as MASTIFF required pefile to be built from source. If both applications will be installed on the same machine I recommend going with the source option.

PEfile from APT

sudo apt-get install python-pefile

PEfile from source

cd /opt

svn checkout http://pefile.googlecode.com/svn/trunk/ pefile

cd /opt/pefile

python setup.py build

sudo python setup.py build install

Next we need to install pydeep for ssdeep fuzzy hashes of samples.

sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev -y

cd /opt/

wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.9/ssdeep-2.9.tar.gz

tar -xvzf ssdeep-2.9.tar.gz

rm -f ssdeep-2.9.tar.gz

mv ssdeep-2.9 ssdeep

cd /opt/ssdeep/

./configure

make

sudo make install

sudo ldconfig

cd /opt/

git clone https://github.com/kbandla/pydeep.git pydeep

cd /opt/pydeep/

https://github.com/kbandla/pydeep.git

python setup.py build

sudo python setup.py install

Yara and Yara Python also need to be installed for Yara signature analysis.

sudo apt-get install automake -y

cd /opt

svn checkout http://yara-project.googlecode.com/svn/trunk/ yara

cd /opt/yara

sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12

./configure

make

sudo make install

cd yara-python

python setup.py build

sudo python setup.py install

We need to install tcpdump in order to dump network traffic occurring during analysis.

sudo apt-get install tcpdump

To ensure we do not need to run Cuckoo as root we need to set Linux capabilities for tcpdump.

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Since Cuckoo leverages virtualization we will need to install a virtualization hypervisor. Since version 0.4 Cuckoo has been architecturally independent from the virtualization software. This means Cuckoo can leverage KVM, Virtualbox, or VMware as the hypervisor and could potentially be extended for use with other hypervisors. That being said THIS guide will focus on installation with VirtualBox for simplicity. However, there are pros and cons for each hypervisor that need to be taken into account for your specific environment. The following will document installing the latest version (as of this writing) of VirtualBox.

sudo apt-get install libqt4-opengl libsdl1.2debian -y

wget http://download.virtualbox.org/virtualbox/4.2.8/virtualbox-4.2_4.2.8-83876~Ubuntu~quantal_amd64.deb

wget http://download.virtualbox.org/virtualbox/4.2.8/Oracle_VM_VirtualBox_Extension_

Pack-4.2.8-83876.vbox-extpack

sudo dpkg -i virtualbox-4.2_4.2.8-83876~Ubuntu~quantal_amd64.deb

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.2.8-83876.vbox-extpack

sudo /etc/init.d/vboxdrv setup

Now that VirtualBox is installed, create a user for cuckoo to utilize

sudo useradd cuckoo

sudo usermod -g vboxusers cuckoo

Now we are ready to pull down Cuckoo

git clone https://github.com/cuckoobox/cuckoo.git cuckoo

Thats it! Now we need to configure Cuckoo and create some analysis VMs. Change directories into /opt/cuckoo/conf. You will notice there are a few files, we will concern ourselves with three of them: cuckoo.conf, virtualbox.conf, and reporting.conf. First up cuckoo.conf - there is not much to change here if you are working with VirtualBox. The only thing you will need to do is specify some database credentials if you want to utilize something other than the default sqlite. I prefer mysql so I will install and configure that.

sudo apt-get install mysql-server python-mysqldb -y

mysql -u root -p

create database cuckoo;

grant all privileges on cuckoo.* to cuckoo@localhost identified by 'Cuck00@n@lyst!' ;

flush privileges;

quit;

Once mysql is installed edit cuckoo.conf to reflect the database connection parameters you configured above, in this add mysql://cuckoo:Cuck00@n@lyst!@localhost/cuckoo to the connection line under database.

Next we will look at virtualbox.conf.

[virtualbox]

mode = gui

path = /usr/bin/VBoxManage

machines = cuckoonode01, cuckoonode02, cuckoonode10,cuckoonode20

[cuckoonode01]

label = cuckoonode01

platform = windows

ip = 192.168.56.101

[cuckoonode02]

label = cuckoonode02

platform = windows

ip = 192.168.56.102

[cuckoonode10]

label = cuckoonode10

platform = darwin

ip = 192.168.56.110

[cuckoonode20]

label = cuckoonode20

platform = linux

ip = 192.168.56.120

The mode defaults to gui which means that you will be able to see the VirtualBox guest as the malware is executed. This option can also be changed to headless if you do not wish to see the VM. Next you will see the virtual machines directive. This is a comma separated list for each virtual machine that will be defined beneath the virtual machine list. Finally the details of the individual VMs are supplied. Platform can be either Windows, Darwin, or Linux. The IP address of the VM MUST be static as cuckoo needs to know this prior to booting the machine.

The last configuration file we need to concern ourselves with is the reporting.conf. This file contains the format of the reports that will be produced upon completion of analyzing a sample. By default the only output options that are enabled are jsondump and reporthtml. This is enough to produce a nice web report but I also like to enable the hpfclient option as well. If you haven't heard about hpfeeds, it is definitely worth the research. Setting up hpfeeds will be the topic of another blog post in the near future.

We are now done with the configuration of CuckooBox. We still need to build an analysis platform prior to submitting any samples. The installation and configuration of a "victim" machine / analysis platform is outside of the scope of this blog post. I will however briefly describe the steps necessary to build out a functioning VM for use in Cuckoo.

Install Windows XP SP3 or Windows 7 with UAC disabled
Disable Windows Firewall
Configure the network
- Set a static IP address in the network range of the vboxnet0 (default host only network)
- Configure iptables
  - sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
  - sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  - sudo iptables -A POSTROUTING -t nat -j MASQUERADE
- Enable forwarding
  - sudo sysctl -w net.ipv4.ip_forward=1
  - sudo sysctl -p
Rename VM based on virtualbox.conf
Install Python 2.7
Install Python Imaging Library 1.7 for Python 2.7
Install additional software (not required but recommended)
- Microsoft Office
- Adobe Reader
- Additional browsers
- etc
Install the Cuckoo agent.py
- Download from \\vboxsvr\ TEMPORARY share (remove prior to snapshot)
- cd /opt/cuckoo/agent; python -m SimpleHTTPServer - and download to VM
- Save/Rename agent.py to agent.pyw if you do not want the terminal window present
Execute agent.pyw
Snapshot the VM
- VBoxManage snapshot "cuckoonode01" take "pristine" --pause
- VBoxManage controlvm "cuckoonode01" poweroff
- VBoxManage snapshot "cuckoonode01" restorecurrent

We are now done with the first analysis platform. To save time, this process can be simplified to a clone operation. Once the clone of the template is complete you will need to make a few small modifications:

Rename the VM (based on virtualbox.conf)
ReIP the machine (based on virtualbox.conf)
Stop the process associated with agent.py and reexecute agent.pyw
Take a new "pristine" snapshot using the steps outlined above

For the next step I recommend installing tmux or screen to manage cuckoo in one terminal (especially if you are remotely managing the machine).

sudo apt-get install tmux -y

tmux

cd /opt/cuckoo

Next start cuckoo with the following

python cuckoo.py

If you do not receive any errors and the status message indicates one or more VMs are loaded you are good to go. Open another screen in tmux (<ctrl>+b).

cd /opt/cuckoo/utils

python web.py

This should launch a web server on port 8080 for all interfaces. The web utility is a simple interface that will allow you to view the reports of submitted samples (clicking browse) and will also let you submit individual samples for processing. If you are adding multiple samples for processing it is best to utilize the submit.py utility. By default you can submit:

Windows PEs
DLLs
PDFs
Office Documents
URLs

usage: submit.py [-h] [--url] [--package PACKAGE] [--custom CUSTOM]

[--timeout TIMEOUT] [--options OPTIONS] [--priority PRIORITY]

[--machine MACHINE] [--platform PLATFORM] [--memory]

[--enforce-timeout]

target

positional arguments:

target URL, path to the file or folder to analyze

optional arguments:

-h, --help show this help message and exit

--url Specify whether the target is an URL

--package PACKAGE Specify an analysis package

--custom CUSTOM Specify any custom value

--timeout TIMEOUT Specify an analysis timeout

--options OPTIONS Specify options for the analysis package (e.g.

"name=value,name2=value2")

--priority PRIORITY Specify a priority for the analysis represented by an

integer

--machine MACHINE Specify the identifier of a machine you want to use

--platform PLATFORM Specify the operating system platform you want to use

(windows/darwin/linux)

--memory Enable to take a memory dump of the analysis machine

--enforce-timeout Enable to force the analysis to run for the full

timeout period

The options above provide a lot of flexibility to script the submission process, but it is as simple as

python submit.py --url http://www.tekdefense.com

python submit.py malware.exe

python submit.py malware.pdf

python submit.py malware.doc

Simple right? The above would have produced 4 entries in the submission queue. If there are more entries in the queue than machines available for processing, the sample will be submitted as soon as a VM is freed up and returned to its pristine state. It is also possible to pass a directory containing samples to submit.py. This will cause all samples contained within the directory to be processed. It is very powerful when used in conjunction with delete_original = on in the cuckoo.conf. Adding a large number of samples to the directory and deleting them after processing (copies are contained in storage/analyses/<sample number>). This approach is nice when using something like maltrieve and cron.

Another nice utility is community.py also found in /opt/cuckoo/utils which will allow you to download the community signatures, machine manager, reporting, and processing modules.

Cuckoo is an awesome product well worth the small amount of time you will need to invest to get it installed and configured. The amount of data that can be attained with it is astonishing and it can definitely help to speed up some of that analysis or at least help in determining which samples you should devote more of your precious time to.

Cheers

Joshua Gauthier |

Installing MASTIFF

Sunday, March 10, 2013 at 2:09PM

So we have talked about using SecShoggoth 's MASTIFF (here, here, and here), but haven't really gone through the installation. Here goes...

I am assuming a base installation of Ubuntu 12.10 (because its easy and you can run it free on AWS). The first thing that we should do is update the base OS and install ssh for remote management.

sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y; sudo apt-get autoremove -y; sudo apt-get install openssh-server -y; sudo shutdown -r now later

Once that is back online we will begin installing the necessary packages for MASTIFF. I am running through the dependencies as they are introduced in the documentation. First lets get the python dependencies out of the way, as well as an editor (nano is fine...albeit evil)

sudo apt-get install python python-dev python-magic python-sqlite python-setuptools python-pip build-essential vim -y

Install yapsy from pip

sudo pip install yapsy

Now, I tend to pull the majority of my software to /opt out of habit. You do not need to do the same but if you change the location be sure to update to commands below. First I will ensure that the user and group that I am currently using have access to /opt so I can write to that directory.

sudo chown -R `whoami`:`groups | awk '{print $1}'` /opt

Install TrID, download and run the TrID database updater.

cd /opt

mkdir /opt/trid

cd /opt/trid

wget wget http://mark0.net/download/trid_linux.zip

unzip trid_linux.zip

rm -f unzip trid_linux.zip

chmod +x trid

wget http://goo.gl/RQXV8

unzip RQXV8

rm -f RQXV8

chmod +x tridupdate.py

python tridupdate.py

*Note* if you are running this on a 64 bit machine you will need to install ia32-libs

sudo aptitude install ia32-libs

Next we will pull the dependencies down for ssdeep and pyssdeep and then install those packages

sudo apt-get install subversion libpcre3 libpcre3-dev libpcre++-dev -y

cd /opt/

wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.9/ssdeep-2.9.tar.gz

tar -xvzf ssdeep-2.9.tar.gz

rm -f ssdeep-2.9.tar.gz

mv ssdeep-2.9 ssdeep

cd /opt/ssdeep

./configure

make

sudo make install

sudo ldconfig

svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep

cd /opt/ssdeep/pyssdeep

python setup.py build

sudo python setup.py install

Next up is automake and yara:

sudo apt-get install automake -y

cd /opt

svn checkout http://yara-project.googlecode.com/svn/trunk/ yara

cd /opt/yara

sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12

./configure

make

sudo make install

cd yara-python

python setup.py build

sudo python setup.py install

Now install simplejson from soure (NOT the APT repo)

sudo apt-get install git -y

cd /opt

git clone https://github.com/simplejson/simplejson simplejson

cd /opt/simplejson

python setup.py build

sudo python setup.py build install

Pull down Didier Stevens awesome pdf tools

mkdir /opt/pdftools

cd /opt/pdftools

wget http://didierstevens.com/files/software/pdf-parser_V0_3_9.zip

unzip pdf-parser_V0_3_9.zip

rm -f pdf-parser_V0_3_9.zip

chmod +x pdf-parser.py

wget http://didierstevens.com/files/software/pdfid_v0_0_12.zip

unzip pdfid_v0_0_12.zip

rm -f pdfid_v0_0_12.zip

chmod +x pdfid.py

Exiftool

cd /opt

wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.22.tar.gz

tar -xvzf Image-ExifTool-9.22.tar.gz

rm Image-ExifTool-9.22.tar.gz

mv Image-ExifTool-9.22 exiftool

PE-File (again NOT from the apt repo)

cd /opt

svn checkout http://pefile.googlecode.com/svn/trunk/ pefile

cd /opt/pefile

python setup.py build

sudo python setup.py build install

Disitool

mkdir /opt/disitool

cd /opt/disitool

wget http://www.didierstevens.com/files/software/disitool_v0_3.zip

unzip disitool_v0_3.zip

rm disitool_v0_3.zip

Openssl

sudo apt-get install openssl -y

pyOLEScanner

mkdir /opt/pyOLEScanner

cd /opt/pyOLEScanner

wget https://github.com/Evilcry/PythonScripts/raw/master/pyOLEScanner.zip

unzip pyOLEScanner.zip

rm pyOLEScanner.zip

chmod +x pyOLEScanner.py

Distorm

cd /opt

svn checkout http://distorm.googlecode.com/svn/trunk/ distorm

cd /opt/distorm

python setup.py build

sudo python setup.py build install

And finally MASTIFF itself

cd /opt

wget http://downloads.sourceforge.net/project/mastiff/mastiff/0.5.0/mastiff-0.5.0.tar.gz

tar -xvzf mastiff-0.5.0.tar.gz

rm mastiff-0.5.0.tar.gz

mv mastiff-0.5.0/ mastiff

cd /opt/mastiff

sudo make install

Now that MASTIFF is good to go we will want to ensure that the config file is created / edited properly. Ensure that you read through the config file as you will want to add the appropriate VirusTotal API key. Also if you installed the dependencies to different locations now is the time to correct those paths.

mkdir /etc/mastiff

cd /etc/mastiff

cat > /opt/mastiff/mastiff.conf.TEST <<EOF

# This is the configuration file for mastiff.

#

# Comments are preceded by a # or ;

#

[Dir]

# log_dir is the base directory where the logs generated will

# be placed in.

#log_dir = /usr/local/mastiff/log

log_dir = ./work/log

# plugin_dir is a list of directories plugins may be present in.

# should be comma-separated.

plugin_dir = ./plugins, /etc/mastiff

[Misc]

# verbose = [on|off]

verbose = off

[Sqlite]

# Sqlite database options

# db_file = Name of the database file

db_file = mastiff.db

[File ID]

# trid is the location of the TrID binary

# trid_db is the location of the TrID database

#trid = /usr/local/bin/trid

trid = /opt/trid/trid

#trid_db = /usr/local/etc/triddefs.trd

trid_db = /opt/trid/triddefs.trd

[Embedded Strings Plugin]

# Options for the Embedded Strings Plugin.

# strcmd is the path to the strings command

strcmd = /usr/bin/strings

[VirusTotal]

# Options for the VirusTotal Submission Plug-in.

# api_key is your API key from virustotal.com

# - Leave this empty if you wish to disable this plug-in

api_key = GET_YOUR_OWN

# submit [on|off] - submit binary to VirusTotal

submit = off

[pdfid]

# Options to run Didier Stevens pdfid.py script

# pdfid_cmd = Path to the pdfid.py script

# - Leave blank if you want the script disabled.

# pdfid_opts = Options for program.

# - Do not put multiple options in quotes.

# Note: pdfid.py has bugs that may cause errors when examining

# malformed PDFs when using the -e option.

pdfid_cmd = /opt/pdftools/pdfid.py

#pdfid_opts = -e

pdfid_opts =

[pdf-parser]

# Options to run Didier Stevens pdf-parser.py script

# pdf_cmd = Path to pdf-parser.py.

pdf_cmd = /opt/pdftools/pdf-parser.py

[PDF Metadata]

# Options for PDF Metadata script

# exiftool = path to exitfool

exiftool = /opt/exiftool/exiftool

[yara]

# Options for the Yara signature plug-in

# yara_sigs = Base path to Yara signatures. This path will be recursed

# to find additional signatures.

# Leave blank to disable the plug-in.

yara_sigs = /opt/yara

[Digital Signatures]

# Options to extract the digital signatures

#

# disitool - path to disitool.py script.

# openssl - path to openssl binary

disitool = /opt/disitool/disitool.py

openssl = /usr/bin/openssl

[Office Metadata]

# Options for Office Metadata script

# exiftool = path to exitfool

exiftool = /opt/exiftool/exiftool

[Single-Byte Strings]

# options for single-byte string extraction plug-in

# length - Minimum length to extract

length = 3

# raw - print raw characters instead of formatted ones (e.g. \\n vs. \n)

raw = False

[ZipExtract]

# options for Zip archive file extraction plug-in

# enabled: [on|off] - Extract files or not

# password: Password to use for zip file. OK to leave blank.

enabled = on

password = infected

[Office pyOLEScanner]

# olecmd = Path to pyOLEScanner.py

olecmd=/opt/pyOLEScanner/pyOLEScanner.py

EOF

Now testing MASTIFF out is as simple as:

cd /opt/mastiff

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.exe

[2013-03-10 15:11:47,324] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.exe

[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.exe.

[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/c69ffb3057b2077fcaecc99b9f16c7c8

[2013-03-10 15:11:47,417] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'EXE']

[2013-03-10 15:11:47,506] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'EXE'].

[2013-03-10 15:11:47,507] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:11:47,521] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:11:48,722] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-03-10 15:11:48,774] [INFO] [Mastiff.Plugins.Single-Byte Strings] : Starting execution.

[2013-03-10 15:11:48,813] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-03-10 15:11:48,926] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-03-10 15:11:48,975] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-03-10 15:11:48,976] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.exe.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.pdf

[2013-03-10 15:12:36,299] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.pdf

[2013-03-10 15:12:36,299] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.pdf.

[2013-03-10 15:12:36,300] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/3f53a4bf0097f9075ff641b03bb176f5

[2013-03-10 15:12:36,381] [INFO] [Mastiff.DB.Insert] : Adding ['PDF', 'Generic']

[2013-03-10 15:12:36,468] [INFO] [Mastiff.Analysis] : File categories are ['PDF', 'Generic'].

[2013-03-10 15:12:36,469] [INFO] [Mastiff.Plugins.pdf-parser] : Starting execution.

[2013-03-10 15:12:36,470] [INFO] [Mastiff.Plugins.pdf-parser.uncompress] : Uncompressing PDF.

[2013-03-10 15:12:36,563] [INFO] [Mastiff.Plugins.pdf-parser.get_objects] : Extracting interesting objects.

[2013-03-10 15:12:37,532] [INFO] [Mastiff.Plugins.PDF Metadata] : Starting execution.

[2013-03-10 15:12:37,643] [INFO] [Mastiff.Plugins.pdfid] : Starting execution.

[2013-03-10 15:12:37,729] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:12:37,741] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:12:37,819] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:12:37,820] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:12:37,909] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:12:37,910] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:12:38,392] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.pdf.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.doc

[2013-03-10 15:12:53,882] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.doc

[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.doc.

[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/759f7e53f54df03f2ae06fcec25e8ac3

[2013-03-10 15:12:53,973] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'Office', 'ZIP']

[2013-03-10 15:12:54,076] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'Office', 'ZIP'].

[2013-03-10 15:12:54,078] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:12:54,088] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:12:55,239] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:12:55,244] [INFO] [Mastiff.Plugins.Office pyOLEScanner] : Starting execution.

[2013-03-10 15:12:57,497] [INFO] [Mastiff.Plugins.Office Metadata] : Starting execution.

[2013-03-10 15:12:57,681] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.

[2013-03-10 15:12:57,682] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting [Content_Types].xml.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting _rels/.rels.

[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/themeManager.xml.

[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/theme1.xml.

[2013-03-10 15:12:57,685] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/_rels/themeManager.xml.rels.

[2013-03-10 15:12:57,685] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.doc.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.

test.doc test.exe test.pdf test.zip

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.zip

[2013-03-10 15:13:22,856] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.zip

[2013-03-10 15:13:22,870] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.zip.

[2013-03-10 15:13:22,871] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/033d488bbe65e8aececb2c55bdfbc2fd

[2013-03-10 15:13:23,035] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'ZIP']

[2013-03-10 15:13:23,106] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'ZIP'].

[2013-03-10 15:13:23,107] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:13:23,115] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:13:23,445] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.

[2013-03-10 15:13:23,446] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.bin.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.txt.

[2013-03-10 15:13:23,448] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.zip.

If you did not receive any errors / warnings you should be good to go. Now that MASTIFF is up and running we can download MASTIFF2HTML on Github.

wget https://raw.github.com/1aN0rmus/TekDefense/master/MASTIFF2HTML.py

chmod +x MASTIFF2HTML.py

python MASTIFF2HTML.py -f /opt/mastiff/work/log/ -d mastiff.db

cd /opt/mastiff/work/log/www/

python -m SimpleHTTPServer

Now if you browse to 127.0.0.1:8000/mastiff.html you should be seeing the results for your analysis.

If you run into any issues... please leave a comment so we can address / update as necessary.

Cheers

Joshua Gauthier |

12 Comments |

tagged

Install,

MASTIFF,

Malware,

Malware analysis in

News

Sunday

Mar102013

Tektip ep24 - Moloch

Sunday, March 10, 2013 at 1:03PM

Before getting into Moloch, I wanted to take a moment to say thank you to everyone who has putting the word out there on Automater lately. Automater has got a lot of recognition lately (thanks Reddit), which has been very motivating.

In this episode of Tektip, we take a closer look at one of the most exciting projects showed at Shmoocon 2013, Moloch.

A description of Moloch from their Github page:

"Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using apache in front. Moloch is not meant to replace IDS engines but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic."

A bit about the creators from the Shmoocon Speakers page:

"Andy Wick and Eoin Miller are members of AOL’s Computer Emergency Response Team. Andy Wick has more than 15 years of development experience at AOL. He has recently come into the CERT group and has begun developing tools for defense and forensics. Eoin Miller specializes in using IDS and full packet capture systems to identify drive by exploit kits and the traffic that feeds them (malvertising in particular). He regularly contributes the developed signatures to EmergingThreats/OISF and other groups."

Now I have put a lot of time into MASTIFF lately and haven't had a chance to get Moloch installed and configured properly quite yet. Luckily, the securabit.com team has given me access to their lab, where they have Moloch built out, along with many other products. A huge thank you to them, especially Mike Bailey (@mpbailey1911) who took the time to get Moloch installed and configured, with a decent amount of traffic pumping through it.

The version of Moloch I am using for this video is 0.7.3. Moloch gives the user an efficient method of browsing, querying, exporting, and visualizing packet data. Some commercial products I would say are similar in function are NetScout, NetWitness, and Cascade.

The power of Moloch, at least for what I will be using it for is the ability to have immediate access to traffic data and pcaps that match custom filters based on fields that are not normally available as a queryable field, such as http header information. As Moloch uses a syntax for filters very similar to wireshark, network analysts will quickly adapt to the product. On the visualization side, there is a maltego like feel. It shows how IP Addresses and ports relate to each other based on the data you have filtered on.

As Moloch is still early in development I expect the product will evolve to incorporate even more features. My current Moloch wish list is:

Groups: Have the ability to create groups of IPs, Services, tags, and then query on those groups. An example is create a group for all of your DNS servers and then write a filter to the effect of "IP Source of Not 'DNS Servers' to External on UDP/53"
Save Filters: Would be nice to be able to save filters for future use.
Share saved filters: Share filters with other users.

Enjoy of the screenshots, and check out the video for a more in-depth look.