SANS DFIR Webcast – What's New in REMnux v4 for Malware Analysis?

– [Benjamin] Hello everyone and welcome to Digital Forensics and Incident Response webcast What’s New in REMnux v4 for Malware Analysis I’m Benjamin White with SANS Institute and I’ll be moderating this webcast Today’s features speaker is Lenny Zeltzer, Senior Faculty Member of the SANS Institute and Project Management Director for NCR Corp Before I turn things over to Lenny the Q&A portion will take place at the end of the webcast Please feel free to send your questions at any point by using the chat window Right now, I’d like to introduce our featured speaker Lenny Zeltzer – [Lenny] All right, thank you very much for the introduction Ben, and thank everybody for joining I’m very happy to be talking to you about REMnux because while I love tools and there’s a whole lot of new tools, that can be added to the latest version of this distribution I’ll be showing you lots of screenshots, lots of command line parameters and lot’s of live demos We’ll be going pretty fast but don’t worry because you will be able to download all of these slides and all of my speaker notes and all of the hyperlinks and everything else You’ll be able to download them as a PDF file about an hour after this webcast ends So don’t worry if we move too quickly for you to be able to write everything down Not only will you be able to review the recorded version of the webcast, you will also get access to all of my speaker notes All right, so I want to talk about REMnux Of course, REMnux is the Linux distribution that I put together The idea is to have a bunch of tools that are useful for analyzing malware and make it easier for people to get into the world of malware analysis because you don’t have to install this tool, you don’t need to find them, you don’t need to configure them That’s really the biggest benefit to REMnux that I can find Now, all I did is I started with Ubuntu version 11.10 and added a bunch of tools to it The full credit for all the wonderful usefulness of the distribution really goes to the authors of the tools I just put them together But there’s a whole lot of tools to keep track of and that’s why I put together this webcast to focus specifically on those tools that have been added to REMnux in the release that came out in early April, that’s version 4 of the release So I wanted to review with you what are the major changes and also what are some of the tools and how do you use them But if you’re new to REMnux you can certainly download a copy of REMnux on REMnux.org and also you can tune in to a webcast that I recorded previously I’m sure you’ll find it on Google if you look for Malware Analysis Essentials using REMnux All right, so let’s see, what’s the best way to get started? The best way to get started, I think, is for me to drop you into my REMnux virtual machine so that I can show you a bunch of things Again, I’m gonna be spending a lot of time in the virtual machine during the webcast but don’t worry ’cause you’ll have screenshots and everything in the PDF file that we make available to you So, what I did here is simply download a copy of the REMnux Virtual Machine And one of the new things in the latest distribution of REMnux is how you can download the virtual machine appliance Before REMnux was available either as an ISO file, for a live CD, or as a proprietary VMware Virtual Machine I’m also now making it available using the open virtualization format, which makes it easier for you to import this virtual machine into lots of other virtualization tools most notably VirtualBox So now it’s much easier to use REMnux on VirtualBox What I did here was simply load up a copy of the REMnux virtual machine and I’m going to start it up for you REMnux ships with a host-only mode to limit Network interactions but for this webcast before starting it up I’m going to turn on NAT mode because I want to have access to the web so that I can well download a few tools and updates, if you will I’m going to show it to you shortly So what kind of tools do we have here and how do we make use of them? Well, I think it’s much more enjoyable to talk about tools in the context of actual real world malware So, what I did was put together a bunch of malware samples that I’m gonna use throughout this webcast Let me get them here You can get these samples as well, if you want, here is the URL Now, the password is

the word wait for it, wait for it Fruits So anybody can download these samples just be very careful with them because this is real-world malware that we’re dealing with here and that’s why password protected with word fruits to avoid accidental execution, all right Now, let me take you for just a couple of minutes, back to my slides I wanted to mention a few things regarding how you are able to install the REMnux virtual appliance As I said, you can download, probably that’s the easiest way to do it, download it in the Open Virtualization Format and then what are you using VMware or whether you’re using VirtualBox you just double-click on that file and it will allow you to import it into the proprietary format Although, keep in mind, that there seems to be a bug in Virtual Player where if you double-click on that Virtual Appliance file it will give you an error So, if you’re using VMware Player, rather than double-clicking on the file that you’ve downloaded you will need to open it using the VMware Player interface itself without double-clicking it Also, you can use this virtual appliance using KVM virtualization if you’d like However, keep in mind that if you are using CentOS you will be unable to use the latest version of QMU, that IMG convert command, because it has a bug in it You will need to download the latest copy from the QMU website Again, if you try to use QMU for importing this virtual machine and if you run into any problems, download the latest version from the website of the virtualization software or send me an email I’ll help you out All right, so now we know how to get started with REMnux, right, you can download it as a virtual appliance for VMware, VirtualBox, it’ll work on Hyper-V, kind of actually Let me mention that quickly If you try to use Microsoft Hyper-V the virtual machine itself is recognized, however, Hyper-V uses a network interface card that Linux doesn’t seem to recognize very well I haven’t been able to get it running in Hyper-V if you are able to get it running I’d love to hear from you so that I can share the information with other people All right, so now we know how to get started Let’s talk about what is new in REMnux And again, I’ll be mentioning a bunch of tools but don’t worry I will show you, I will provide to you, all the URLs, all of my notes will be available to you for download after this webcast We’re gonna post these slides as well as my full speaker notes about an hour after the webcast ends so if you don’t catch a URL don’t worry, that URL and all the other URLs will be available to you as part of those PDF notes So, changes to the existing tools not a whole lot here Besides me updating the core packages that comprise the operating system I also updated the tools that you’ve come to know and love Tools like pdfid and pdf-parser, tools like SWFTools, NetworkMiner, BIRD-Proxy, Wireshark, Firefox, XORSearch, DensityScout, too many tools name here You can see a full listing of the tools that I’ve updated if you look up on my blog the article that I wrote to outline what’s new in the latest version of REMnux Some other minor changes that you might want to keep in mind involve me replacing the open JDK version of Java with the Oracle version, Oracle Java 7, seems to be supported better than open JDK and is more compatible with tools that I like to use that require that Java be present You might be familiar with the Origami framework, which is an excellent tool for analyzing PDF files I’ve updated that version as well and there are two minor differences, two minor distinctions, that you might want to keep in mind with this latest version of Origami Let me quickly show you what these are The first distinction is the way that the PDF Extract command works Now, PDF Extract is very handy, in that you can point it to a PDF file and it will automatically extract lots of content that is within the PDF file Most interestingly, you’re able to extract the JavaScript that might be embedded into the PDF file However, the problem that I’ve discovered with the latest version of PDF Extract is that in some cases a PDF file has been corrupted

and so when you run PDF Extract it fails to properly and decode the stream and is unable to extract JavaScript Fortunately, the way around that, I’ve found is to be very specific when calling PDF Extract and instead of saying PDF Extract, extract everything there is, instead, give it the -j parameter, which means JavaScript and then even if there are problems with the other objects as long as the objects that contain JavaScript are okay it will be able to extract JavaScript Now, in this case, for example, you can see that I have JavaScripts that have been extracted and placed into this file Again PDF Extract, not a new tool on REMnux, but it does operate a little bit differently when it encounters corrupted PDF objects Let me get rid of this file just to avoid it messing up my environment All right, something else that’s new new in Origami framework or rather, not really new but it’s a nice little tweak There is a tool that some people like, it’s called pdfwalker And pdfwalker is a tool for interactively examining contents of PDF files You can look at their structure, you can extract JavaScript, you can extract other objects that might be embedded into PDF files and you can do this using the GUI, that’s what pdfwalker does The one minor changed, that is quite nice, for this latest version of pdfwalker is that now you can be in any directory and pdfwalker will run properly In the previous version, you had to be in a very specific directory where pdfwalker was installed you’ll not afraid to run properly So, other than that, pdfwalker works as it did before So, we talked about some minor changes to Origami, it’s also great and that Volatility has been very actively developed and so the latest version of REMnux now includes the latest stable version of Volatility version 2.2 and there are a lot of new features and many plugins have been updated as well So, usually if you perform memory forensics using Volatility you want to have this version Some of the new features that have been added to Volatility 2.2 include the ability to examine event logs So, you can examine event log information that has been captured in memory, there are also a bunch of plugins for examining the Windows GUI, so, Windows GUI information is of course stored in memory and so you can use Volatility now to look at the event hooks that correspond to the GUI interface You can attempt to gather some aspects of what the screen might have looked like, you can look at clipboard contents, that’s pretty cool Also this version of Volatility introduces very stable support for Linux memory image analysis which is quite nice as well So, I’m not going to spend any more time on Volatility because really that would justify it’s all its own webcast and even that’s probably not gonna be sufficient But, if you’re new to Volatility 2.2 take a look at their website to see what has changed One other, minor change, or a relatively minor, I guess from most people’s perspective is that the mind mapping software that I had there before called FreeMind is gone, I couldn’t get it to run properly anymore, just too many Java compatibility problems Instead I’m using Xmind, which i think is a better tool prettier and perhaps, slightly more actively developed So Xmind is there now instead of FreeMind I don’t know how many people would even notice the difference One way in which you can use mind mapping software in REMnux is to keep track of all of your analysis findings So, as you’re examining malware how do you keep track of all of your notes all of your screenshots, all of your artifacts One way to do it is to use the report template that I created on REMnux using this mind mapping format and of course you can load it using Xinds now It allows you to have an outline for your future report and there are placeholders where you might want to save your key observations, recommendations, file hashes, et cetera So if you’re new to mind mapping check this out it’s a great way of keeping track of all of your analysis findings We talked about miscellaneous changes to the distribution and some of the more popular tools being updated This includes updates to Origami, Volatility, Xmind and I also talked conceptually about the need to be able to perform memory forensics, perform PDF analysis and the way in which many people like to keep track of all of their findings with the help of mind maps I will be using these tools and concepts slides as regular checkpoints throughout this webcast because I’ll be covering a lot of tools

and a lot of concepts and my hope is that these periodic slides will help you remember what we’ve just covered The next topic that I want to discuss is the tools that I’ve added to REMnux that make it easier for you to examine obfuscated data where the attacker may have used XOR as a very simple way of concealing strings or binary contents There are many ways of of course obfuscating data in code but fortunately for us many attackers are on the lazy side and use a very specific approach They basically take a 1 byte value at random and that one byte value acts as the key The value can range from 0 to 255 in decimal and the attacker uses the XOR operator to XOR every byte within the data they need to protect with that selected key value You see this over and over again whether you’re looking at PDF files or web pages or Windows executable, attackers really like using this approach and fortunately for us we’ve got some tools that can help us examine artifacts and brute force possible key values So, as I said I’ve got slides for every single tool I’m going to talk about together with all of my reference materials and URLs, but I think it’s a lot better to look at these tools in action in an actual REMnux environment So let me show you a tool that’s new to REMnux called Xor Brute Forcer by Jose Miguel Esperanza Now, this tool is designed for decoding contents of a file using all possible one byte XOR values So, how do you use it? Let’s say we’ve got a file if we want to see whether it contains any values, any data, that might have been XOR’d using that algorithm that I just described Well, we can tell Xor Brute Forcer to examine that file, in this case I’m using this malicious DLL and what it will do, is it will attempt to decode every single byte within that file with all possible one byte long key values and the boolean XOR operator So, as you can imagine the output would be huge here so we might want to say, you know what, I’m going to just extract strings and save them into a file that I’m going to call Now, as I said, this is going to be doing a lot of work It’s examining every single bite and it’s trying every possible one byte long value and it’s using boolean XOR to create the output So sometimes this will take a while, depending on how big is the file that you’re analyzing In this case and again depending on how much RAM you’ve allocated to your virtual machine this will take a while One more change, by the way, that I wanted to mention to you is that before REMnux used to ship with 256 megs of RAM by default in its virtual machine and I’ve doubled that now In part this is to accommodate the much heavier memory requirements of the Volatility plug-in called Malfind that seems to do a lot more now but require more memory So now by default with the REMnux virtual machine you get 512 meg of RAM If you’ve got more physical memory, then, you know, the more you give it the better Anyway, now that you’ve extracted the strings you might want to take a look to see what’s the output It’s very possible that the attacker used some other algorithm to obfuscate the data or maybe he’s not obfuscating any data at all So sometimes all you’re gonna get is just a bunch of noise And, there’s going to be a ton of false positives here Because it’s trying every possible key value and it’s trying to decode everything Now, of course there’s a whole lot of unobfuscated information here, that’s what key 00 represents But then if you go further you can find data that was obfuscated using key 01 and you’re just looking at this And all I see here is just nonsense gibberish, so this is probably not anything that’s useful here But I’ve done a bit more analysis here and let me just fast forward a bit It turns out that if you look at key five you actually see some strings Now, these strings were not visible in clear text but this tool was able to brute-force the key value and it’s now telling us that there are a bunch of strings here embedded into this executable and they’re protected using hexadecimal key five using the XOR algorithm So, that’s pretty good the only problem is that there’s a lot of noise A lot of noise in XOR Brute Forcer

and so you might wonder is there another way to sift through the strings that are embedded into the file to eliminate some of that noise With this in mind I wanted to introduce you to another tool that is new to REMnux and this one’s called Brutexor or sometimes it’s also called iheartXOR this is a tool by Alexander Hanel Here is that tool in action, Brutexor, once again you point it to the file that you want it to examine and you tell it give me the strings Now, what this tool does, is it also, just like XOR Brute Forcer tries to brute force all possible key values, but it is a little bit smarter at what it is trying to decode It looks for what might be a meaningful string and only will try to decode those values And as a result it runs faster and you get less noise Now, there’s still a whole lot of noise here but now if you scroll through, you will eventually get to something that looks readable which indicates that indeed it was able to successfully decode some contents Let’s see, it’s in there somewhere and since I’ve done this analysis before I know that with the key five, so I’ll be able to eventually get to some readable ASCII contents So now you had two new tools added to REMnux that support XOR decoding One is called XOR Brute Forcer, the other one is called Brutexor Both perform similar tasks but Brutexor has a bit more smarts at being able to eliminate some of the noise Now, you might be familiar with another very popular tool that has been present on REMnux since the very beginning That’s a tool by Didier Stevens called XORSearch That’s a very handy tool, the biggest limitation of that tool is that you have to know what string to look for before you could find it That’s the big limitation of XORSearch But, with Xor Brute Forcer and Bruteoxr, as you can see, you don’t need to know what you’re looking for as long as you’re willing to sift through the noise in the hopes of finding a string that appears readable to you So, there’s one more tool related to XOR operations that I wanted to share with you and this one is a tool that was written by Glenn Edwards and it’s called NoMoreXOR This tool attempts to guess XOR key values that are 256 bytes long So, not just one byte long key values but there is someone out there that of course uses longer keys and Glenn Edwards put together this tool to show you how you might be able to find those longer key values I’m gonna show you this tool in action by looking at one sample that, as it turns out, actually contains embedded information that has been protected using a XOR key that’s 256 bytes long So, let me see I’m telling it that the output should be saved into this file and I wanted to analyze this pear.doc Now, this was a malicious Microsoft Word document that was used as part of a targeted attack and I’m not going to give you of course the full background on this nor would we analyze all aspects of this document in this webcast But, if you’ve done some work you might say there seems to be some embedded code that I can’t see in clear text, how might the attacker have encoded it? And you try a whole lot of things And if you try NoMoreXOR it would end up actually trying several promising-looking keys and eventually it will produce what it believes is meaningful, decoded object that was XOR’d within pear.doc using a XOR key that’s 256 bytes long Now, you might wonder how does it know when it found meaningful data or meaningful code, well the approach I think is quite clever When thinking about this from the tools perspective you’re trying to brute-force all possible key values that produces a lot of output and now a script that’s intelligent needs to be able to examine that output and determine whether it’s meaningful or whether it’s gibberish because this content was not meant to be decoded using this key So what this tool NoMoreXOR does is it uses Yara and it scans the output using Yara and if it notices that one of the Yara signatures

gets a match it will assume that we must have decoded contents using a proper key, isn’t that clever In this case the Yara rule that was hit was embedded EXE In other words, it seems that this malicious Word document contains an embedded executable that was XOR’d using a 256 byte long key, now we know what that key probably was, it was brute forced using NoMoreXOR and we even extracted the embedded data or the embedded code so that we can analyze it further Now, think about this how from the two perspectives One is, it’s wonderful to have a ready-made tool available to you for cases like this But I would say that the value of a tool for which you can view the source code is little more than that, the value of the tool for people who are able to write scripts who can do a bit of coding, the value is is in taking an idea that was implemented as part of this tool and then perhaps taking it further can you think of smarter ways of brute forcing key values, of eliminating noise from the output this approach This approach that Glenn is implementing using Yara, I think, is very clever Are there better ways? Well, that’s why we’ve got source code to these tools, these are mostly written in Python I hope some people in the community will get new ideas from, produce new tools Where I give the authors of these tools some feedback So we talked about a bunch of tools that have been added to REMnux and these are focused on analyzing XOR encoded data or code, and I talked about the tools that have been added and those tools that have existed there before There are some additional tools that you might find useful when doing this analysis such as xortool and xxxswf.py, I’m not gonna get into them at this point I also briefly showed you earlier a text editor that’s built into REMnux, SciTE You notice that I was using SciTE to look at the output of the files that were produced So a bunch of tools that I highly recommend you experiment with and perhaps get some ideas from The next topic I wanted to cover is a new feature of REMnux that allows you to run Windows tools in the Linux environment Of course, the full credit for this capability goes to Wine Wine is what many people call an emulator for Microsoft Windows, in other words, you’re able to run Windows tools inside a Linux environment And while you cannot run the most sophisticated Windows programs within Wine, some of the simpler programs run pretty well At this point I installed Wine within REMnux and I added two malware analysis tools that a lot of people know, use and love Of course, you can add some others if you got other favorite Windows tools But the two tools that I am focused on were OfficeMalScanner and Mazilla So, let me quickly show you these tools in action OfficeMalScanner is a tool by Frank Boldewin and it’s a toolkit for examining malicious Microsoft Office documents and it is quite awesome If you point it to a file that you think might be suspicious, like this malicious office document, well, it turned out to be malicious Maybe first you want to know info, give me some info Is this indeed an office document or not? Well, it will parse the file and it will tell you that it looks like it follows the Excel structure and there are no Visual Basic macros If it found macros, it would have extracted them for you Now, if you want to look for other malicious artifacts within this document you use the scan command and the scan command will look for malicious shellcode It will look for embedded office documents, will look for embedded windows files and it will look for embedded flash programs In this case it appears that pear.doc contains an embedded Flash file and remember this is the same malicious Office document that I used previously with the help of NoMoreXOR, I extracted what appear to be embedded binary code So this is quite a nasty file that you can analyze further if you’d like Now, you might use a tool like SWFDump which is installed on REMnux to examine this SWF file Another component of the OfficeMalScanner toolkit is the utility called RTFScan This one examines files they’re formatted using rich text format

So, for example, here’s a malicious RTF file that I’m scanning using RTFScan and I need to tell it what to do The command should be scan and now it will examine what is within this RTF file and carve out what appears to be a malicious artifact In this case, within this RTF file, there is an embedded executable that RTFScan automatically located and extracted for me so that I can analyze it further It’s very convenient, but up until now you have to run these tools on a Windows environment Well now, thanks Wine, OfficeMalScanner and the tools that comprise the toolkit can run just natively where it appears to run natively within REMnux Another tool that I added to the toolkit, now that we can run Windows programs within REMnux is Malzilla Malzilla is a popular tool for those who like analyzing malicious web pages using a graphical user interface The tool hasn’t been updated for a few years, but it’s got its fans and so I thought I’d make it available within REMnux For instance, you can go to the Decoder tab, you can right click there to load, a perhaps obfuscated JavaScript file that you might want to analyze Well, let’s take a look at this clump of JS Now, the one thing about Malzilla running on Linux is that it presents to you the ASCII contents in a very wide font I couldn’t find a way to correct this But if you’re looking at this using a normal text viewer you would see this is an obfuscated JavaScript And you might wonder, what’s so important that it needs to be obfuscated Well, there are several ways of deobfuscating malicious javascript one way to do this is to load the script into Malzilla Malzilla, by the way, is written by Bojan Spasic, and you click the run script button and it will try to deobfuscate it for you automatically and if you double click on the results of the run you get this output And though it’s a little bit hard to read because of the wide font if you look at this carefully you now see a URL that is probably malicious that you might want to investigate further So that’s the magic of Malzilla, lots of ways of deobfuscating JavaScript in REMnux This is just one tool there is now new to your toolkit and normally you would run Malzilla on Windows, but hey now you can run it on Linux if you prefer to do that your work within a Linux environment So, we talked about a bunch of tools that can run on REMnux with the help of Wine even though these tools are native to Windows OfficeMalScanner, RTFScan and Malzilla And of course we talked about the need to know how to analyze malicious Office documents including Word and RTF files, as well as we need to deobfuscate JavaScript that you would often find within malicious web pages and malicious PDF document files The next set of tools that I want to discuss deals with utilities that are new to REMnux that allow you to examine Windows executable files inside a Linux environment Now, there are several tools like this Some of them have been present on REMnux already and I’m not gonna talk about that Instead, I wanna talk about some new ones and let me take you into my virtual machine to show this to you Of course, since you’ll be able to download my full spot slides and speaker notes you’ll have a full set of reference materials available for you so there is no need to write down your notes if you don’t want to The tool that I wanted to introduce you to you right now is called ExeScan ExeScan written by Amit Malek is designed for statically examining a Windows executable So, for example I’m going to point it on to a file called Croker.exe and what this tool will do, is it will examine, well, first of all, capture the hash of the executable It will then attempt to identify a packer so it has a database of signatures it can use for identifying which packer may have been used to protect this executable It will show you the sections of the executable and very handily, it will examine the import table looking for references to dangerous API calls And this is one way in which you can examine an executable if you’re wondering is this a malicious one or not and be able to get a general sense for the capabilities of the program Sometimes this works better than other times but it’s handy to be able to do so using some static analysis without even trying to run the program Now, ExeScan can do this quite easily now There’s just this one problem with ExeScan

that I wanted you to know about, and it’s a strange problem and the strange problem that I’ve encountered is that sometimes it deletes the file after analyzing it I suspect it’s some kind of a bug So, keep this in mind if you’re going to run ExeScan make sure you backup the file that you’re scanning before scanning it with ExeScan Or, better yet, find the bug, fix it, let the author know and maybe we’re all going to be better off Another tool that I wanted you to keep in mind that’s new to REMnux for analyzing static, for statically analyzing Windows executables is pev, P-E-V, is a collection of several tools, written by Fernando Mercês for examining various aspects of Windows executables Now, these are little utilities that are very handy for doing one or more specific tasks So, for example, if you wanted to calculate a hash of an executable, you can use pehash If you wanted to check whether an executable has been packed you can use pepack, if you wanted to read certain aspects of the PE header, the Windows executable, you can use readpe So, let me show you some of these tools, not all of them, but at least some of them in action For instance, let’s say we want to use a tool that’s a part of this pev toolkit and this thing is called pescan, P-E scan Now, I’m going to say examine this executable file called let’s see, which one should I scan I’m going to scan Kiwi.exe let’s say Well, we’ve scanned it and now we have a general sense for what’s within this executable For example, we can see that it doesn’t have any TLS callback functions which can sometimes indicate that the executable we’re scanning is malicious Well, let’s see if this executable is packed for that we can use the pepack command Looks like we’ve identified a packer, it’s called Armadillo OK, very interesting, how about the hash of this executable Now we’ve got our hashes if we wanted to use that for some point And then let’s say we wanted to read certain aspects of the PE header of this executable, like the sections and other information Well, readpe is the command that will give us that information Now, sometimes you get something useful out of this, sometimes you get no insights at all But it’s handy to know about these various miscellaneous executables that are now available to you as part of the pev toolkit for analyzing Windows executables from the command line Now, another tool that I wanted to mention to you that you might find useful for examining malicious code within a Linux environment, this one is called dism-this It’s written by Alexander Hanel and the tool is designed for locating, analyzing and extracting shellcode embedded in files Now, it’s not a fully automated tool so you still need to do quite a bit of thinking but it will help you determine whether you’ve found the shellcode or not Let me show you how you might use a tool like this I’m going to take you into my environment Now for this sample I’m going to be looking at a malicious Flash program called mango.swf And one way in which you can analyze Flash programs is to use a tool that’s a part of REMnux it’s not new, you’ve had it before It’s called SWFDump I can use SWFDump to extract a whole lot of information about a SWF program and save that into a text file Let’s use SciTE to examine the output of SWFDump and what I’m doing here is I’m looking for any kind of an anomaly For example, look at this, there’s a tag that’s built into the Flash program called DEFINEBITSJPEG and you’re supposed to use this tag to embed a jpeg image inside the executable But this does not look like an image because it has references to various ASCII streams like executable names and URLs Most likely this is not an image at all and I’m theorizing that maybe this is shellcode And now the question is is this indeed shellcode? And if it were shellcode how would I disassemble it to analyze its capabilities Now it might take a bit of time to examine this blob of information to determine where my shellcode arrives For example here I see a bunch of 90s that follow cc cc cc and so I would form one theory that the shellcode begins here at 90 90 60

Now, again, just a theory and we don’t really have time at all within this webcast to talk about how in great detail you would find an analyze shellcode but I do want to show you a bunch of tools that can assist in this process For example there is a tool called Radare that has been a part of the REMnux distro for a while and Radare is a very handy command-line hex viewer, editor and disassembler For example you can tell Radare using the -x command to look for the following sequence of hex bytes within the executable And it finds them and it creates a bookmark for them called hit01 Then I can go there and I can say why don’t you show me, print, what’s there and disassemble it and I’m saying disassemble 30 commands, and now I’ve disassembled what I think is shellcode and now if I know how to read assembly I can determine whether this is indeed shellcode or not So this is the some shellcode analysis using tools that have been a part of REMnux for a while and the tool that I wanted to show you in this context is new to REMnux that’s what I mentioned earlier it’s called dism-this and dism-this allows you to look at where you think shellcode began and though I cleared the screen quite quickly, Radare showed me that it thought the shellcode begins at the offset 3E and I can say why don’t you disassemble 36 bytes there and not only try to disassemble that shellcode for me, I could see this in Radare, so this in itself is not new What’s nice about this in this is that it also shows you the results of some analysis where it tells you some information about what it had just disassembled so that you as a skilled analyst can determine whether this is indeed shellcode or maybe you’re just trying to disassemble some junk that’s not shellcode at all and it’s not meant to be disassembled So how can you make that determination? What the tool does is it counts for you how many infrequent or rare instructions were seen The idea is that if you’re trying to disassemble a set of bytes there are not representative of instructions if you’re trying to disassemble something that’s not meant to be disassembled, then you can encounter a whole lot of unusual infrequent instructions and that would be your indicator that you’re not looking at the right place Similarly, the tool counts references to segment registers which should be rare as well as references to static offsets which should be rare unless you’re examining shellcode Now, this tool sometimes works very well, sometimes the information that it gives me isn’t all that useful but the idea is wonderful Perform some automated analysis that gives an analyst a few metrics that the analyst can use to determine whether he or she is looking at the right place of the malicious file And that is quite a wonderful idea that I think warrants some more experimentation So staying within the context of examining malicious Windows executables in a Linux environment I wanted to introduce another tool to you called Disitool and it’s written by Didier Stevens And Disitool is designed to manipulate digital signatures embedded inside Windows executables Now, you may have seen the trend that a lot of targeted attacks involve signed executables In some cases attackers have been known to steal a digital certificate from one company and use it to digitally sign their malware and if an executable is digitally signed it is much less likely to be blocked by our anti-malware tools So, let’s say you’ve got this executable and you’re wondering is it actually digitally signed at all Specifically, I’m examining for this sample the executable kiwi.exe Now, here’s one way in which you could determine whether the executable is digitally signed on REMnux using tools that have been installed in REMnux before The tool is called Hiew and Hiew is a command-line tool there is a hex editor designed specifically for malware analysis I’m going to load Kiwi into Hiew Now, Hiew has a lot of capabilities I’m not going to get into all of them you should definitely check out Hiew on the web if you’re new to this tool But what I want to use Hiew for, specifically, is to look at a particular data structure within the optional PE header fields So, I’m going to say Hiew show me contents

of a PE header and I’m looking specifically in the area where I know there should be an entry related to digital signage The header is called optional_header.datadirectory And, by the way, Hiew is wonderful in that if you start typing you can press tab and it will autocomplete Now, this is the data structure within the PE header that contains a lot of fields and the one that I’m looking at or the one that I’m looking for is called security This is the field that should contain a pointer to the digital certificate that might be embedded into this executable if it were digitally signed And here I have the security entry within this structure and I’m looking at its size If it’s a non-zero size then most likely this executable has been digitally signed So this is how you can look at a Windows executable using Hiew to determine whether the executable has been digitally signed or not Look at contents of this field within the PE header and look at the security data structure to see if it contains a non-zero size But there’s a better way now There’s a better way thanks to the tool that Didier created and the tool’s called Disitool Disitool can extract digital certificates from malicious files Now, if you point it to a file that has not been digitally signed, let’s say, I pointed to, oh I don’t know, hubert.dll Well, it’s not digitally signed and it gives me an error saying that, yeah, I couldn’t do that File source is not signed But if I point it to a file that turns out to be digitally signed, in this case Kiwi, I’m going to say save the output into a Kiwi-sig.der no error, no error means that it probably was digitally signed and this a tool was able to extract the certificate It uses the DER format for creating the resulting file Now, you can look at the resulting file using strings and you can learn a whole lot about who the certificate might have belonged to and who it was digitally signed by But here’s a command that you can use to take that DER formatted certificate and convert it into a text file This is hard to remember, I know, but don’t worry as I said you’re going to get full slides on my speaker notes as a follow up to this session So, I’m using OpenSSL to convert that DER formatted file into a text file And now if I look at it I can actually read contents of the digital certificate that we extracted from this Windows executable and that’s pretty handy So, I talked about a number of tools that have been added to REMnux for the purposes of analyzing malicious Windows executables, statically, while staying within the Linux environment And here’s just a summary of all the tools that I had mentioned Some of these are new to REMnux some of these have been there before The best way to get to know these tools of course is to experiment which is why I hope you download that malware archive that I’m using for this demo and experiment, while being carefully not to inadvertently infect yourself But there are some other tools and I couldn’t categorize under any other heading but other Other new tools that I wanted to tell you about A bunch of other tools that I think you will find pretty useful, so let me talk about those The first tool that I want to mention to you is called Autorule and Autorule is a tool by Joxean Koret And Autorule is designed for examining a set of files and automatically extracting binary patterns from those files to create signatures for them and it will use the Yara format for creating signatures Let me show you what this tool looks like in action So let’s see The tool is installed on REMnux To run it you type usr local Autorule tester Then you point it at the location where a bunch

of malicious files reside and your hope is that these files might somehow be related together so that there will be one or more signatures that the tool will automatically create for you for automatically spotting these types of files in the future So what I have here is a bunch of samples that I obtained from the set of files that Mandiant analyzed when it was publishing its report called APT1 Now, Mandiant classified these as a set of malicious executables called mapiget I’ve got two of those files in this directory but I’m now pointing tester.py to And now the tool runs and diff’s those files and it automatically creates this set of Yara signatures for me and generates the rules Now of course what I should have done is actually save this into a file I’m going to call this mapiget.yara and my hope is that what I’ve just done is created a signature for this malware called mapiget Now what I can do next is point Yara which is a tool that has been a part of REMnux for a while, and Yara is a signature scanner I’m gonna tell Yara to use this signature that was just automatically created and I’m going to tell it to examine another directory Now, I’ve got another couple of mapiget files that I obtained from Contagio, another source Notice that I generated this signature by scanning one set of mapiget files and now I’m telling Yara to examine another set of mapiget files and I’m checking to see whether the signature will work Well, look at this it was able to scan contents of this folder that contains two executables and it’s successfully identified one of those executables as yet another mapiget variant Now there are actually two mapiget variants there so the automation isn’t perfect, there’s one mapiget file that it failed to identify, but still it’s pretty good It’s pretty good, if nothing else, than to demonstrate this concept for automatically generating signatures in the Yara format I think if this tool as a proof-of-concept It does give you a lot of false positives, especially because as part of its signature it oftentimes includes set of consecutive zero bytes which are very common in files that are executable and PDF files and Word documents so a lot of false positives, but as a concept it’s very nice and something that you might be willing to take and then improve upon That’s how we all get better right, somebody gets an idea creates a tool, we either contribute to that tool or provide our own tool that expands upon that idea and in the long term we’re all better off because now we have a bunch of tools that can help us do malware analysis better than we could let’s say a year ago All right, well what else what else can I show you about REMnux in the miscellaneous category Well, there is one handy tool that I really like it’s called Exif Exif is a tool by Phil Harvey and ExifTool is designed for reading, writing and editing meta information in files of all sorts of different file types Now this tool is probably best known for accessing meta information within image files like PNGs and JPEGs and GIF files, but it can handle many more formats relevant to malware analysts as well For example, look I can point this tool to a Word document and it tells me that this is a Word document and gives me some meta information about it Or I can point this tool to a SWF file and it tells me a whole lot of information about this Flash program So not a big deal, I suppose, in the grand scheme of things but very convenient to have this tool called ExifTool to gather meta information about the files that we’re examining Now if you think about the kinds of tools that I’ve been showing to you I’ve been talking about a lot of static analysis tools The tool that can locate obfuscated contents, a tool that can extract meta information, a tool that can extract certificates Wouldn’t it be nice if we could just automate the execution of those tools And that’s what we can do with a help of a framework called MASTIFFs that was created by Tyler Hudak MASTIFF is designed as a framework for automating static malware analysis Now, the version of the framework that’s a part

of REMnux is a little bit old because last week or so, Tyler released an updated version of this tool In the instructions for, or in the notes for this webcast I will give you a very detailed instructions for how to update your distribution of MASTIFF to get the latest and greatest version But I’ve taken a YouTube snap shot that I’ve already created where I have the latest version of the toolkit and now let me just quickly show you how to really run it I’m going to say MASTIFF, that’s how you run the MASTIFF toolkit Then I point it to usr local etc MASTIFF which is the config file that’s present on REMnux Then I point it to the directory that I want to scan Now, this tool can scan a whole lot of files It has a built-in queuing mechanism and the wonderful thing about the MASTIFF framework is that it is trying to be very smart about applying only the appropriate plug-ins for statically analyzing executables given for other files given that file’s file type So if it determines that it’s examining a Windows executable it will use one set of plugins If, on the other hand, it determines that it is analyzing a Word document it will use another set of plugins So what you get as the result is a set of information that has been extracted from the files, but the information is relevant for that specific file type And so if you want to see the output of MASTIFF on REMnux you can go under var logs MASTIFF and this is where you can see it’s saving the output it’s run Now, you can go into any one of these directories Let’s look at There’s this one file, let’s say this one and we can see that it copied into here the executable that was scanned and it pulled out a bunch of information using PE info and check this out it was even able to extract the digital certificate that you might recall we previously located as being embedded into this file So just one example of the kind of information that you can get using MASTIFF in an automated manner Very handy for analyzing a large data set Now, there’s one other tool that I wanted to mention to you This is a tool that you can use for well making sense of the data that you’ve gathered on a Windows system So, ProcDOT is the tool and it’s created by Christian Wojner And ProcDOT is designed for correlating data that was captured by Microsoft’s Process Manager tool with the contents of a PCAP, packet capture file The idea is you would infect a Windows system with a malicious executable while having process monitoring and while having a network sniffer running like Wireshark and then you can load those log files into ProcDOT and it will create an interactive, color-coded graph that highlights the meaningful events and lets you navigate that data visually which in many cases is much more effective than navigating the flat, text-based log file that you might have gathered using Process Monitor alone And ProcDOT is installed on REMnux although today Christian released the latest build of this tool so if you’re using REMnux you might want to update your copy of ProcDOT and in the notes they’ll make available to you after this webcast I will have very detailed instructions for how to very easily update your copy of ProcDOT Once you want load this on REMnux you’ll be able to load the Procon or Process Monitor intro log file below the PCAP file and then regenerate the graph for you that you’ll be able to analyze And then, perhaps lastly, as we are running out of time I wanted to mention a number of of functions that are available to you now thanks to some work that by Fernando Mercês He created, what he calls, hack-functions which are just a bunch of bash shell functions that you can use in your terminal window on REMnux Now these functions are not loaded into your environment by default, but you can use the source command on REMnux to load those functions and now you can perform a whole lot of operations right from your command line These operations include the ability to convert from one decimal base to another, you can convert characters and strings across various encodings There are some functions specific to obfuscation

and encryption, lots of different functions Perhaps too many for us to go through on this webcast so I’m not even going to try Instead, I’m going to point you to the reference page that is available on REMnux The original instructions were in Portuguese, I use that in Google Translate to convert them into English for those of you who prefer to read in English so definitely check out these functions they might save you some time as you perform your work on the command prompt As you can see lots of tools built into REMnux including those that I would classify as being in the miscellaneous category, including Autorule and ExifTool and MASTIFF and ProcDOT and hack-functions and of course I’ve also mentioned some other tools that have been present on REMnux already that I highly recommend you experiment with And this is, as much as I prepared for you in terms of providing an overview of the tools that are built into REMnux that are new to the latest release of REMnux, the best way to learn these is to experiment with malware and experiment with these tools and I hope that I’ve provided you with starting point for getting to know REMnux and becoming a better malware analyst If you’re interested in becoming better at malware analysis as well as other aspects of malware forensics well I suggest you check out the various webcasts that SANS has put together Some of these have been previously recorded others are coming up over the next couple of months so check out this link to the malware related webcasts Also if you’re new to REMnux, definitely check out the checklist or the cheat sheet that I put together that documents some of the most commonly used commands on REMnux and of course my hope is that if you find this topic interesting then perhaps you will attend the reverse engineering malware course that I teach together with my colleagues at SANS Institute and of course we make heavy use of REMnux as well as various other tools and techniques throughout the course And so folks this is all what I’ve prepared for you I will stick around to see if you’ve got any more questions, otherwise, please feel free to reach out to me by email, on Twitter, and I hope to see you at one – Okay, at this point I’d like to start a Q&A session for the webcast Lenny, the first question is, what’s the best way to transfer malware files between Windows 7 host and REMnux VM? Couldn’t set up shared folders in VM assuming networking could be host-only – [Lenny] So, there are several ways of transferring files in and out of the REMnux environment by far my favorite way of transferring files in and out is to use SFTP and this way you don’t have to deal with NetBIOS, you don’t need to setup shared folders Even though I suspect you can do something like that but I’ve never really tried it, and in fact I don’t even think Samba is installed in REMnux so I’m not sure shared folders would work My recommendation is to use the ssh d daemon that’s installed into REMnux and first you would need to do sshd start the stack, that’s that it’s just h d start, and then you would use a tool like SFTP, there are lots of SFTP clients to get files in and out of REMnux, I think that’s the best way to do it and that’s what I typically do And again, it’s all it’s all about the convenience and your your working style maybe you prefer something else but I suggest checking out SFTP – [Benjamin] Okay, the next question is does REMnux contain any tool for Android malware analysis or mobile malware analysis in general? – [Lenny] REMnux is not being designed specifically for analyzing Android malware and it in part it’s because I frankly don’t have the expertise to go beyond a few very basic steps when it comes to analyzing Android malware, and some of that has to do with just decompiling the Java files that oftentimes comprise Android-based malware and on REMnux there is a very handy java decompiler called Jad and another one called JD-GUI that you can use for that purpose But, for performing further malware analysis of REMnux or rather on REMnux of Android malware, let me see, there was just a write up that I saw that I posted on my Twitter stream a couple days ago, hold on a second I can’t find it anymore huh, it’s in there somewhere There it is, hold on let me let me share the link with everybody So, this is a little write-up that was

put together by Alonzo Marives and he took REMnux as well as another Linux distribution that’s maintained by several SANS instructors, I mean mainly Kevin Johnson called Mobi Sec and he showed them the fact of how you can bring up a REMnux virtual machine for emulating some services and then he brought up the Mobi Sec virtual machine which is designed for analyzing mobile code and then he used the two distro’s together to analyze mobile malware So maybe that’s something that would be of interest to you – [Benjamin] Okay, next question is in general Is the VMware REMnux corrupted? I tried to download I’m getting errors I’m trying to extract the files – [Lenny] If you’re trying to download REMnux and you’re getting errors, I’m not sure what I can assist without knowing which specific errors you’re getting I can tell you that I’ve been able to successfully download all files and be able to extract them I would check the md5 hash of the files that you’re getting and you can download the REMnux files from SourceForge and if you look at REMnux.org I list there the hashes of the files that you must, that you should be able to get And if the hashes don’t match then maybe there’s a file transfer error somewhere Also it could be a problem with the extraction utility that you’re using so if you’re using something like WinZip try something like 7-zip perhaps, to see if you get better results Otherwise, if you’re trying to download, let’s say, the proprietary VMware formatted version of the virtual appliance maybe instead try to use the open format virtual machine to see if that one works better for you – [Benjamin] Our next question is I’m sure like the others in the field that I’m not the only person who has built handy scripts How can we as peers share the tools we create for possible inclusion into REMnux? – [Lenny] You know that’s a great question because it comes down to how the the challenges that any where anyone has, in any community, whether it’s security or butterfly enthusiasts about how do you exchange knowledge and improve by jointly collaborating on projects and it’s oftentimes hard to do so In many ways what I’m trying to do with the REMnux distribution is act as a funnel mechanism so that whenever people create wonderful and useful tools I try to do my part by spreading the word around them, about them and documenting them in my blog sometimes and including them in REMnux But to answer the question very tactically if you felt created or know of a tool that you would like to recommend for including in REMnux just send me a note and I will take a look at it and if it works as advertised and if it fits the objective of the REMnux distribution which is malware analysis then I’ll gladly include it So please send me a note on Twitter or by email – [Benjamin] All right, the next question is from an instructor Do you know of any good exercises that are progressive in difficulty which I can use as background for training folks in analysis? – [Lenny] The finding exercises for educating people about malware analysis is difficult and time-consuming That’s because there’s a whole lot of malware out there but finding a sample that doesn’t overwhelm the student and also only shows what is relevant and doesn’t leave much room for distractions is hard And I don’t have any specific sources in mind besides just looking for malware and analyzing it and just a whole lot of time spent on trial and error unfortunately Otherwise, I don’t know if I could point to a sort of challenges that could be used for this purpose it’s just a bunch of trial and error and finding that sample that demonstrates specifically the point that you as an instructor trying to make – [Benjamin] And for our last question has the REMnux cheatsheet been updated recently? – [Lenny] I have not had a chance to update the REMnux cheatsheet to include the new tools that I’ve added to version four of the distro It’s something that’s on my to-do list, as you can see there’s a whole lot of tools that I will include there, but I just haven’t had a chance to do so, but hope to be able to do so in the next month or so Thanks for the reminder actually – [Benjamin] It appears we have one more question What is a good piece of malware to start analyzing for a newbie? – [Lenny] A good malware to start analyzing for a newbie? Well, it depends on where your strengths are and what aspect of malware analysis is most interesting to you

My recommendation would be to start with that aspect that is most, a bit easiest for you But one that builds upon the strengths that you already have, and that kind of sample and that kind of area is going to be different from one person to another But I can point you to a webcast that I recorded earlier that talks about one sample and I walk you through the various steps of examining examining the piece of malware using all the debug and let me see if I have a link to that recorded webcast It’s called something like Getting Started with Malware Analysis so there it is, hold on I found it So this is a webcast that I recorded a while back and my recommendation is to use that particular sample that I’m analyzing and if you need a copy, send me an email and maybe that’s a good starting point for you Again, depends on (audio dropping) And strengths are Another starting point might be the various samples that I talked about in this webcast and you’re welcome to download a copy of that malware archive from the URL that we’ll make available to you as part of the notes shortly after this webcast ends And also, I did conduct another webcast that introduced people to malware analysis using REMnux and there I mentioned a whole other set of samples that you might want to start experimenting with – [Benjamin] All right, appears we have one last question Are there any tools on REMnux that specific checks for VM detection routines in PE and DLL files? – [Lenny] So, there are several tools in REMnux that perform some static analysis of malware and they look for risky Windows API calls I mentioned a couple of tools like this on this webcast, another tool like this it’s called P scanner that can identify suspicious DLL or the suspicious API calls However, for detecting virtualization itself you need to look beyond API calls and you’d want to look at a set of specific assembly instructions and all that is to say but I don’t have a specific tool like that that goes to look for that particular pattern or patterns You’ve got tools that look at API calls, you’ve got tools that look at strings and sometimes you can tell that malware might be looking to identify security tools by just a set of strings that you see embedded into that executable But looking specifically for ways in which the virtualization is detected, not that I can think of – [Benjamin] All right, that will conclude our Q&A session I’d like to thank you so much Lenny for your great presentation for bringing this content to the SANS community To our audience we greatly appreciate you listening in For a schedule of all upcoming and archived SANS webcasts visit SANS.org/webcasts Until next time, take care, and we hope to have you back again for the next SANS webcast