So, earlier we got acquainted with the main online resources available for analyzing files.
However, in practice there are quite a few cases where using online sandboxes does not solve the problem. This may be due to a variety of factors, for example:
- Internet access is restricted
- The online sandboxes are currently overloaded and the analysis is time-critical
- The file under study refuses to execute in online sandboxes
- The file's execution mode needs to be fine-tuned during the analysis, for example by increasing the delay after start
In this case, an offline solution comes to our aid.
The essence of almost any sandbox is the same: restricting program execution to a controlled environment in which changes to the system are virtualized. Of course, the ideal solution would be to execute the code on a virtual machine that can be rolled back to a snapshot, or on a physical machine with a full sector-by-sector backup of the system that allows the same rollback. And this is exactly right: analysts all over the world work this way, and so do the online sandboxes we have already reviewed. However, in that case you must take and analyze memory dumps and examine the changes to the file system, registry, etc. by hand. We will consider several solutions that perform this work automatically. Well, or almost automatically :)
In this review we will move from simple to complex, from accessible to difficult, and from automatic to manual. It seems to me that with this approach, people who get bored will leave without having missed anything important :)
The Buster Sandbox Analyzer + SandboxIE bundle
SandboxIE is perhaps one of the most promising sandbox programs publicly available. This is due to a number of factors, not least the author's constant support and updating of the program, as well as the availability of a free edition with almost full functionality (in any case, quite enough for our purposes). Most importantly, SandboxIE supports plug-ins that extend its functionality.
One of these plugins is Buster Sandbox Analyzer, or BSA. This plugin works much like the CWSandbox already discussed: it injects a dynamic library into the address space of the process under study, allowing API calls to be monitored during execution. In addition, the program allows you to track network activity, analyze changed files and other useful things.
To evaluate this system in practice, we first assemble it. In addition, you will need to download these two add-ons for SandboxIE: Block Process Access and Antidel. These plugins allow, on the one hand, hiding the presence of processes outside the sandbox from the process being analyzed, and on the other hand, preventing files from being deleted during the run (useful when analyzing some droppers).
Next:
1. Install SandboxIE.
2. Create an additional sandbox via Sandbox - Create New Sandbox. I called it BSA; for simplicity, use the same name.
3. Right-click the BSA sandbox in the list in the program window and select Sandbox Settings.
4. Critical:
Behavior - Display border around window - choose red.
Recovery - Immediate Recovery - uncheck. In general, make sure that no folders are set up for recovery.
Delete - uncheck all the deletion options.
Restrictions - Internet Access - remove all programs until the message "No program can access the Internet" appears. Remember this option: for some malicious programs you will need to open access, but note that in that case all the passwords and information from the host machine will go to the attacker.
Restrictions - Launch and Run Access - allow all.
Restrictions - Low Level Access and Hardware - uncheck all the boxes. This is important, otherwise low-level viruses like TDSS, Mebratix and Mebroot will crawl out of the sandbox into the system.
Leave the remaining options at their defaults. Later you can customize them to your taste; everything there is quite clear.
5. In the folder where you installed SandboxIE, create a folder Buster Sandbox Analyzer and unpack everything downloaded above into it.
6. Rename the file LOG_API.DLL to whatever you like. I called it LAPI.DLL. Also rename HideDriver.sys.
7. In the main SandboxIE window, select Configure - Edit Configuration. In the text document that opens, find the [BSA] section and add the following lines right under that header:
InjectDll=C:\Program Files\SandboxIE\Buster Sandbox Analyzer\sbiextra.dll
InjectDll=C:\Program Files\SandboxIE\Buster Sandbox Analyzer\antidel.dll
InjectDll=C:\Program Files\SandboxIE\Buster Sandbox Analyzer\LAPI.dll
OpenWinClass=TFormBSA
Your path may of course differ, but the injected libraries must be listed in exactly this order!
Now pay attention to the [GlobalSettings] section, specifically the FileRootPath parameter:
FileRootPath=C:\Sandbox\%SANDBOX%
(yours may differ). Remember its value.
8. Save the text file under its original path. In the main SandboxIE window, select Configure - Reload Configuration.
9. In the main SandboxIE window, select Configure - Windows Shell Integration: under Start SandboxIE Control, choose "when a program starts in the sandbox"; under "Run in the sandbox" actions, add the context menu item "Run in the sandbox" for files and folders.
10. Start Buster Sandbox Analyzer (manually, by running bsa.exe from the same folder).
11. Select Options - Analysis Mode - Manual and Options - Program Options - Windows Shell Integration - Add right-click action "Run BSA".
Everything is ready for work.
How to use it?
1. Disable the resident antivirus (if any).
2. Right-click the file under study and select Run BSA. The BSA window opens.
3. Make sure that the Sandbox folder to check field contains a folder matching the value of the SandboxIE FileRootPath parameter (see above), with BSA substituted for %SANDBOX%. In my case, with the parameter
FileRootPath=C:\Sandbox\%SANDBOX%
BSA should contain
C:\Sandbox\BSA
4. Click Start Analysis.
5. Right-click the file under study and select Run in the sandbox. In the list of sandboxes offered, choose BSA.
That's it. The process will run. You will see the log of API calls in BSA and the active processes in the main SandboxIE window. Sometimes the process finishes on its own, in which case click Finish Analysis in BSA; sometimes it needs to be killed from SandboxIE (for example, file infectors) by right-clicking the active BSA sandbox and selecting Terminate Programs.
When done, BSA will issue a detailed report on the changes to the system; other reports can also be viewed through the Viewer. If you install WinPcap on the system, you can even capture packets from the sandbox, although this is not very well organized there: for example, there is no attribution of UDP packets. But if you really want to, you can; at the same time, silence all network applications on the host system, especially torrents.
After the run, right-clicking the BSA sandbox lets you select View Content and examine all files created or modified by the process during its run.
BSA logs and sandbox files are kept until the next analysis is launched.
It should be noted that direct analysis of the changes the file under study made to the system is also possible. Given that the virtualized registry is stored in C:\Sandbox\%SANDBOX%\RegHive, it is extremely simple to convert it into a "clear" view with this command script:
REG LOAD HKLM\uuusandboxuuu C:\Sandbox\DefaultBox\RegHive
REG EXPORT HKLM\uuusandboxuuu C:\Sandbox\sandbox.reg
REG UNLOAD HKLM\uuusandboxuuu
Just keep in mind that DefaultBox will differ for everyone (here it is BSA), but we already talked about this above.
The resulting sandbox.reg file will contain all the changes made to the registry, which are easy to analyze.
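To show what "easy to analyze" can look like in practice, here is an added example (not part of the original article or of the Buster Sandbox Analyzer project) that parses a sandbox.reg produced by REG EXPORT and flags keys touching common persistence locations (Run, Services, Winlogon). The sample export embedded below is constructed, not a real capture. The mapping of "machine\" to HKLM and "user\current\" to HKCU inside the loaded hive is an assumption about how SandboxIE lays out RegHive; adjust it if your export looks different.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `REG EXPORT HKLM\uuusandboxuuu ...` result for a
# sandboxed run (not a real capture). REG EXPORT writes UTF-16LE with a BOM,
# so a real file should be read with encoding="utf-16" (see load_reg_file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\uuusandboxuuu\machine\software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\uuusandboxuuu\machine\system\CurrentControlSet\Services\evilsvc]
"ImagePath"="C:\\Windows\\Temp\\drv.sys"
"Start"=dword:00000002
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\uuusandboxuuu\user\current\software\SampleApp]
@="installed"
"Blob"=hex:01,02,03,\
  04,05
"""

# The hive is mounted under this key by the REG LOAD command from the article.
SANDBOX_ROOT = "HKEY_LOCAL_MACHINE\\uuusandboxuuu\\"

# Assumption: inside RegHive the virtualized HKLM lives under "machine\" and the
# current user's HKCU under "user\current\".
HIVE_PREFIXES = (("machine\\", "HKLM"), ("user\\current\\", "HKCU"))

# Lower-cased key-path fragments commonly tied to persistence; extend to taste.
PERSISTENCE_MARKERS = (
    "\\currentversion\\run",
    "\\currentcontrolset\\services\\",
    "\\currentversion\\winlogon",
)

# One value line: @=... or "name"=... (the name may contain \" and \\ escapes).
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escapes \\ and \" in a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> object:
    """Decode one .reg value: "string", dword:HEX or hex(...):bytes; else return the raw text."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse REG EXPORT (version 5.00) text into {key_path: {value_name: decoded_value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        # hex values may continue over several lines, each ending in a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


def map_to_real_hive(path: str) -> str:
    """Translate a path under the loaded hive back to the HKLM/HKCU path it virtualizes."""
    if path.lower().startswith(SANDBOX_ROOT.lower()):
        path = path[len(SANDBOX_ROOT):]
    for prefix, hive in HIVE_PREFIXES:
        if path.lower().startswith(prefix):
            return hive + "\\" + path[len(prefix):]
    return path


def find_persistence(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, Dict[str, object]]]:
    """Return (real_path, values) for every exported key that touches a persistence location."""
    hits = []
    for path, values in keys.items():
        low = path.lower()
        if any(marker in low for marker in PERSISTENCE_MARKERS):
            hits.append((map_to_real_hive(path), values))
    return hits


def load_reg_file(path: str) -> Dict[str, Dict[str, object]]:
    """Parse a real sandbox.reg written by REG EXPORT (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print(f"{len(parsed)} keys in export")
    for real_path, values in find_persistence(parsed):
        print(f"[persistence] {real_path}")
        for name, value in values.items():
            print(f"    {name} = {value!r}")
```

Run it against your own export with load_reg_file(r"C:\Sandbox\sandbox.reg") instead of the constructed sample; because the sandbox hive only contains keys the process created or modified, every key in the export is by definition a change worth a look, and the persistence filter just puts the most interesting ones first.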
SandboxIE's ability to inject dynamic libraries into a process can also be used effectively for malicious code that runs not as a PE executable but as a library injected into a process's address space or registered as a service. But that is a completely different and difficult conversation.
ZeroWine
One of the most common ways to automate the study of malicious code is to chain a number of operations and utilities on a Linux system with Python scripts. This is exactly what Joxean Koret did when creating his ZeroWine project. ZeroWine is a QEmu virtual machine image (which, however, can easily be converted to other systems, including VBox and VMWare) built on Debian. The malicious file is uploaded via a web interface, after which it runs in the wine environment, and its operation is monitored by a number of utilities orchestrated by a Python script. As a result, the user can obtain information about the commands called, process memory dumps, captured network packets, etc.
ZeroWine-tryouts is another "face" of the ZeroWine project, which introduced several additional features.
Unfortunately, using wine does not allow you to create an environment for malware that fully corresponds to Windows. As a result, code execution may differ completely, and sometimes it may simply not happen. The author himself points out a number of shortcomings in his program, as well as an easy way for the process under study to detect execution in the wine environment. And the logs shown in screenshots on the author's website are unlikely to help in understanding the infection mechanism and planning disinfection; rather, they will be of interest to an analyst building signature or behavioral defenses against malware.
For my part I want to add that even though ZeroWine was updated in December of last year, I personally liked the old (2009) ZeroWine-tryout better, maybe because of the more flexible configuration and control of the scan, and maybe because it ran fine for me, unlike the new version :)
Distributed analysis systems
These are the most serious and complex analysis solutions. Typically, a distributed system is a Linux system acting as a server, receiving and processing dumps and logs obtained from an infected Windows system. Such a mechanism can be built on interaction between virtual machines, or between a virtual Windows guest and a Linux host. MINIBIS is built on the latter principle: you can freely download everything you need to deploy such a system, based on running a virtual Windows XP under Ubuntu. Another interesting approach is to use a hypervisor, as in the Ether project.
However, if you decide to tackle this issue seriously, the most correct approach is to build your own system on two physical machines. In that case the Linux system usually acts as the network connection emulator and the end station for processing information, and Windows as the test bed on which the malicious code runs.
Both ready-made solutions, such as Truman, and example Linux systems, such as REMnux and SIFT Workstation, are freely distributed on the network.
Of course, you can create any similar system yourself based on your favorite Linux distribution (I highly recommend Ubuntu, not because I am a fan of it, but because, unfortunately, specialized software used to be tailored for Debian and now it is almost always for Ubuntu), adding to it the necessary software and scripts along the lines described above or to your own design. However, describing the creation of such systems is extremely difficult and time consuming, so I will give a number of links to projects that may be interesting and useful in such work.
- An invisible (transparent) proxy server for intercepting and analyzing the HTTP/HTTPS traffic used to communicate with C&C and download modules. Example: Burp Suite.
- An Internet simulator, for example INetSim.
- A centralized image restoration system, for example FOG.
- A system for analyzing memory dumps; the best here, IMHO, is the Volatility Framework.
- The ClamAV antivirus, to automate the classification of the malware found. I deliberately do not mention commercial antiviruses, not out of a conviction that ClamAV is better (which is not true), but because of the ability to add my own signatures to ClamAV, which commercial versions lack. In a pinch, you can use YARA for the same purpose.
- Utilities for analyzing and deobfuscating JS, PDF, Flash and Java scripts, parsing the Windows file system, working with file signatures and unpacking: there are plenty of these on the network, it is impossible to describe them all, and it is always a matter of taste. In particular, a number of such utilities are mentioned on the REMnux project site and included in its composition.
On this optimistic note I finish (?) my opus; if any questions arise, I will be happy to reply in the comments. Thanks to those who made it through and read to the end :)