REMnux VM Behavioral Analysis Software

In my last post (here) I discussed the various Windows based utilities that I utilize when performing behavioral malware analysis. In this post, I will cover the various utilities that I commonly utilize on the REMnux to perform behavioral analysis.

The first utility that I will discuss is Wireshark (website).  Wireshark is a network packet capture and analysis utility that allows an analyst the ability to preserve and analyze network activity associated with a piece of malware.

In order to start Wireshark on REMnux, open a Terminal shell and type and execute “sudo wireshark”.  The following graphic contains a screenshot of the Terminal shell with the sudo wireshark command:

screen-shot-2016-09-13-at-4-31-25-pm

Following the execution of the command, the Wireshark utility launches.  The following graphic contains a screenshot of the Wireshark utility:

screen-shot-2016-09-13-at-4-41-17-pm

The following graphic contains a screenshot of the Wireshark utility capturing network traffic on the “eth0” interface:

screen-shot-2016-09-13-at-4-32-59-pm

The next set of utilities I will discuss deal with emulating common network services such as DNS, HTTP, SMTP, IRC, FTP, etc.

“fakedns” is a utility that can be utilized to emulate a DNS server.  When running, the fakedns utility will respond to and log DNS requests.  This allows an analyst to identify any DNS requests made by a piece of malware.  The fakedns utility can be started on REMnux by opening a Terminal shell and typing and executing “fakedns”.  The following graphic contains a screenshot of the fakedns utility:

screen-shot-2016-09-14-at-9-17-53-am

“nginx” is a utility that can be utilized to emulate a web server.  This will allow the analyst to capture and view any HTTP requests generated by a piece of malware.  The nginx utility can be started on REMnux by opening a Terminal shell and typing and executing “httpd start”.  The following graphic contains a screenshot of the httpd utility:

screen-shot-2016-09-14-at-10-08-59-am

To verify that nginx is functioning properly, open a web browser on the Windows VM and browse to a website.  Upon browsing, the web browser should display the following:

screen-shot-2016-09-14-at-10-11-52-am

“fakemail” is a utility that can be utilized to emulate an email server.  This allows an analyst the ability to capture email messages sent by malware and write them to a file.  The fakemail utility can be started on REMnux by opening a Terminal shell and typing and executing “fakemail.py”.  The analyst must specify the appropriate port number (--port=) and the path to store the email files (--path=<path>).  The following graphic contains a screenshot of the fakemail utility help information:

screen-shot-2016-09-14-at-10-23-44-am

The following graphic contains a screenshot of the fakemail utility execution:

screen-shot-2016-09-14-at-10-29-09-am

“ircd” (Internet Relay Chat Daemon) is a utility that can be utilized to emulate an Internet Relay Chat (IRC) server.  This allows an analyst the ability to identify any IRC traffic generated from a piece of malware.  The ircd utility can be started on REMnux by opening a Terminal shell and typing and executing “ircd start”.  The following graphic contains a screenshot of the ircd utility:

screen-shot-2016-09-14-at-10-37-51-am

The final utility I will cover is “INetSim”.  INetSim is a software suite that can be utilized to simulate several common network services. The INetSim utility can be started on REMnux by opening a Terminal shell and typing and executing “inetsim”.  The following graphic contains a screenshot of the INetSim utility:

screen-shot-2016-09-14-at-10-44-42-am

INetSim is a great utility for immediately starting the common network services utilized by malware.  That being said, during malware analysis I tend to prefer a more controlled approach and only start services one at a time as necessary.

It should be noted that the various configuration files associated with these utilities can be altered to allow for a more granular analysis.  I would recommend testing each utility and reviewing the associated configuration files to understand the various options that are enabled or disabled.

As can be seen from this post, all of the behavioral analysis tools utilized on REMnux involve capturing network traffic and emulating network services so an analyst can identify and analyze network traffic emanating from a piece of malware.  Utilizing the various utilities outlined in this post allows an analyst the ability to identify threat intelligence associated with a malware sample including, but not limited to, IP addresses/domain names of command and control (C&C) servers, names of files present on C&C servers, and data transmitted (or attempted to be transmitted) to the C&C servers.  All of the aforementioned information can be extremely useful when responding to an incident as it provides a great set of indicators of compromise (IOCs) that can be utilized to identify other potentially infected systems on a network.  Furthermore, that threat intelligence can in turn be utilized to fortify network defense systems.
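As an added example (not part of the original post, and not code from any of the REMnux tools), the following POSIX shell script turns a capture taken on the REMnux side into the kind of IOC list described above: contacted domain names, request paths (file names on the C&C server) and any hard-coded addresses. The real entry point is capture_iocs, which relies on tshark being installed; the sample lines, the function names and the placeholder domain are constructed so that extract_iocs can be run without a pcap.

```shell
#!/bin/sh
# Added example, not part of the original post: extract network IOCs from a
# capture taken on REMnux. capture_iocs (tshark) is the real entry point; the
# sample below is constructed so extract_iocs can be exercised without a pcap.

REMNUX_IP=192.168.180.128   # every faked service answers from this address

# sample_capture_fields: constructed lines in the shape of
#   tshark -T fields -e ip.dst -e dns.qry.name -e http.host -e http.request.uri
# (tab separated; a field is empty when the packet has no such layer).
# The domain is an illustrative placeholder, not a real indicator.
sample_capture_fields() {
    printf '%s\t%s\t%s\t%s\n' \
        "$REMNUX_IP" 'updates.example.invalid' '' '' \
        "$REMNUX_IP" '' 'updates.example.invalid' '/dl/payload.bin' \
        "$REMNUX_IP" 'updates.example.invalid' '' '' \
        "$REMNUX_IP" '' 'updates.example.invalid' '/gate.php' \
        '203.0.113.10' '' '' ''
}

# extract_iocs: stdin = field lines as above; stdout = "type<TAB>value", unique.
# Destination addresses equal to REMnux are dropped on purpose: with fakedns
# every resolved name points at REMnux, so the queried name is the indicator.
# A packet sent to any other address never went through DNS, which means the
# sample carries that address hard-coded.
extract_iocs() {
    LC_ALL=C awk -F'\t' -v remnux="$REMNUX_IP" '
        $1 != "" && $1 != remnux { print "ip\t" $1 }
        $2 != ""                 { print "domain\t" $2 }
        $3 != ""                 { print "domain\t" $3 }
        $4 != ""                 { print "uri\t" $4 }
    ' | LC_ALL=C sort -u
}

# capture_iocs PCAP: the same extraction over a real Wireshark/tcpdump capture.
# Requires tshark; not executed in this script.
capture_iocs() {
    tshark -r "$1" -T fields -e ip.dst -e dns.qry.name -e http.host -e http.request.uri |
        extract_iocs
}

sample_capture_fields | extract_iocs
```

Run against a real capture with capture_iocs capture.pcap on the REMnux VM. The list it prints is deliberately small: one line per unique domain, path and non-lab destination address, which is what ends up in a block list or a detection rule.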

Windows VM Behavioral Analysis Software

In my last post (here) I discussed configuring a virtual malware analysis lab. In this post, I will cover the various software utilities that will need to be installed on the Windows VM to perform a behavioral analysis of a piece of malware.

The purpose of a behavioral analysis is to execute the malware and to monitor its interactions with the environment. By doing so, an analyst can gain an initial understanding of what the malware is doing (or attempting to do) as well as identify indicators of compromise (IOCs) that can be utilized to detect other infected systems. Likewise, the intelligence gathered during the behavioral analysis phase should be implemented into network and endpoint defense systems to prevent re-infection by the malware. When performing a behavioral malware analysis, there are several questions that need to be answered:

  • Does the malware modify the file system?
    • Are any files created, deleted, or modified?
  • Does the malware modify the registry?
    • Are any registry keys created, deleted, or modified?
  • Does the malware create any network activity?
    • Are any network connections created, ports opened, data transferred?

Each of the items listed above is a crucial piece of information that we would want to know about a piece of malware. In order to perform a behavioral analysis, we need software utilities that monitor the interactions the malware has with the host operating system.  Therefore, we will need software utilities to monitor file system activity, registry activity, and network activity.

It is important to note that a majority of the software utilities we will be using will be running on the Windows system that will be infected with the malware. This is important because the malware could be designed to interfere with the monitoring software (rootkit). To ensure that the results of the monitoring tools are accurate, I recommend creating an image of the system’s random access memory (RAM) following the execution of the malware. This RAM image can be analyzed on a non-infected system utilizing memory forensic software. This will allow an analyst to validate that the information captured by the monitoring tools is accurate.

The first tool that will be installed is Microsoft’s Process Monitor (Download). The following excerpt was extracted from the Process Monitor website:

“Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.”

Process Monitor is an application that preserves and logs file system activity, registry activity, network activity, and more. If you are familiar with older versions of the Sysinternals Suite, Process Monitor combined the capabilities of Filemon and Regmon into one application.

The following graphic is a screenshot of the Process Monitor application:

proc_mon1

The next tool that will be installed is Regshot (Download). Regshot is a utility that is utilized to preserve and compare two separate snapshots of the Windows registry. In malware behavioral analysis, Regshot is utilized to create a snapshot of the clean Windows virtual machine (VM) registry, create a snapshot of the infected Windows VM registry, and compare the two snapshots. Following the comparison process, Regshot generates a log that identifies registry keys and values created, modified, and deleted as well as files created and modified on the file system.
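To make the snapshot-and-compare idea concrete, here is an added example (not Regshot's own code and not from the original post): a POSIX shell script that diffs two plain text key=value dumps and reports what was added, deleted and modified between them. Both dumps, the key names and the paths in them are constructed for illustration; the function names are mine.

```shell
#!/bin/sh
# Added example, not Regshot's own code: the snapshot-and-compare idea behind
# Regshot, applied to two plain text dumps of "key=value" lines. Both dumps and
# every key and path in them are constructed for illustration.

# clean_snapshot: constructed dump taken from the clean VM
clean_snapshot() {
    printf '%s\n' \
        'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Users\lab\OneDrive.exe' \
        'HKCU\Software\Example\Setting=1' \
        'HKCU\Software\Example\Stale=old'
}

# infected_snapshot: constructed dump taken after the sample has run.
# A new Run value is the classic persistence change an analyst looks for.
infected_snapshot() {
    printf '%s\n' \
        'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Users\lab\OneDrive.exe' \
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater=C:\Users\lab\AppData\Roaming\updater.exe' \
        'HKCU\Software\Example\Setting=2'
}

# compare_snapshots BEFORE AFTER: files of key=value lines; prints one
# ADDED / DELETED / MODIFIED line per difference, sorted.
compare_snapshots() {
    LC_ALL=C awk '
        {
            i = index($0, "=")            # split on the first "=" only,
            key = substr($0, 1, i - 1)    # values may themselves contain "="
            val = substr($0, i + 1)
        }
        FILENAME == ARGV[1] { before[key] = val; next }
        {
            after[key] = val
            if (!(key in before))
                print "ADDED\t" $0
            else if (before[key] != val)
                print "MODIFIED\t" key "=" before[key] " -> " val
        }
        END {
            for (key in before)
                if (!(key in after))
                    print "DELETED\t" key "=" before[key]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage: write both snapshots to files, then diff them.
before=$(mktemp) && after=$(mktemp)
clean_snapshot > "$before"
infected_snapshot > "$after"
compare_snapshots "$before" "$after"
rm -f "$before" "$after"
```

The comparison keys on the full registry path, so a value that merely changes shows up as MODIFIED with both its old and new content, while the new Run entry shows up as ADDED; that is the same three-way split Regshot's report gives you.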

The following graphic is a screenshot of the Regshot application:

regshot

The third tool that will be installed is CaptureBAT (Download). CaptureBAT is a command line behavioral analysis tool that is utilized to preserve and log file system, registry, and network activity. A unique feature of CaptureBAT is that it maintains a copy of any file modified or deleted on the system. Malware will often modify legitimate files or create temporary files and purge them shortly after execution. With CaptureBAT, an analyst will have a copy of the modified or “deleted” files for analysis.

The following graphic is a screenshot of the CaptureBAT application (Command: CaptureBAT.exe -h):

capture_bat

The fourth tool that will be installed is Process Hacker (Download). Process Hacker is an application that is similar to the Windows Task Manager, but far superior. On all of my Windows systems, I replace the Task Manager with Process Hacker.  Process Hacker has numerous capabilities, but the benefits for malware analysis are color-coded process information (new processes, terminated processes, etc.), process parent/child relationships, process network activity, and handle and service information. Process Hacker is an extremely useful tool as it allows an analyst to visually see whether a malicious process spawns a child process as well as whether the malicious process is generating any network activity. For additional information on Process Hacker, see Jason Fossen’s Windows Exploratory Surgery With Process Hacker presentation slide deck.

The following graphic is a screenshot of the Process Hacker application:

process_hacker

The last tool that will be installed is ProcDOT (Download). ProcDOT is a utility developed by Christian Wojner that ingests the CSV output of Process Monitor and a network packet capture (PCAP) file and creates a visual interactive graph of the data. The interactive graph allows an analyst to view the data visually which is always helpful.

The following graphic is a screenshot of the ProcDOT application:

proc_dot

These are the main Windows based tools that I utilize when performing a behavioral analysis. I’m planning a few future posts to cover the capabilities of each tool individually, but in my next post I will cover some of the REMnux utilities that I commonly use in conjunction with the Windows tools outlined here to perform malware behavioral analysis.


Virtual Malware Analysis Lab Configuration

In order to effectively analyze a piece of malware, an analyst must have a lab environment to perform both behavioral and static analysis. When building a lab environment, there are a few key items to take into consideration. First, should the environment be physical or virtual? There are pros and cons to each, but I’m not going to cover them here. The second consideration (and it is crucial) is to determine how the lab environment will be isolated to prevent the malware from spreading to unintended systems. I can’t stress enough the importance of isolation…the last thing you want is to unleash malware within your corporate environment (management frowns upon this). A third consideration is the operating systems utilized in the environment. While a majority of the malware I run into in my daily work is Microsoft Windows based, there is plenty of *nix based malware in the wild. Furthermore, malware can behave differently based on the operating system as well as the service pack and patch levels of the system.

Now that the key considerations have been reviewed, it is time to design and configure our malware analysis lab. In this post we will cover the configuration of a virtual lab environment consisting of two machines, the first running Lenny Zeltser’s REMnux and the second running a variant of Microsoft Windows. If you haven’t heard of REMnux, I highly suggest heading over to https://remnux.org and spending some time reviewing the site. I also recommend reading Lenny’s blog as well: https://zeltser.com/blog/. As for a description of REMnux, the following language was taken from the REMnux website:

“REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.”

Now it’s time to design and configure the malware lab environment. The lab environment will consist of a MacBook Pro (Physical Host) running two virtual machines (REMnux and MS Windows 8) in VMware Fusion. The following graphic illustrates the architecture of the virtual malware lab:

network_architecture

The network configuration for each virtual machine is arbitrary, other than the fact that the Default Gateway of the Windows system needs to be the same address as the IP Address of the REMnux system. This will direct all network traffic emanating from the Windows system to the REMnux system for preservation and analysis.

The first virtual machine that will be set up will be the REMnux system. There are two methods for installing REMnux: downloading the virtual appliance (OVA format) or installing Ubuntu 14.04 x64 and executing the REMnux installation script. I prefer the installation script method, so that is what I typically use. The installation script also allows you to combine the software and settings of REMnux with SANS SIFT. The combination of both distros gives you a powerhouse forensicating system.

The REMnux documentation recommends a specific release of Ubuntu 14.04 (linked from the documentation). Once the 64-bit version of Ubuntu 14.04 is installed, REMnux can be installed by executing the following command from the terminal:

wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash

Upon the installation of REMnux, the virtual machine network adapter needs to be configured to host-only networking mode via VMware’s settings. VMware’s website lists the following description for host-only networking mode:

“When you use this type of network connection, the virtual machine is connected to your Mac on a virtual private network, which is not generally visible outside your Mac. Multiple virtual machines configured with host-only networking on the same Mac are on the same network and can see each other.”

It should be noted that while configuring the virtual machine with host-only networking will reduce the risk of infecting the host operating system, there is always the possibility that the malware could exploit a vulnerability within the virtualization software, allowing the malware to “escape” the virtual machine and potentially infect the host system. That being said, it is always a good idea to perform malware analysis on a non-production system that can easily be wiped if necessary.

The following screenshot depicts the REMnux virtual machine being configured to use host-only networking:

remnux_vm_network_config

The REMnux virtual machine should also be configured with an appropriate amount of RAM. The REMnux documentation specifies at least 1GB, but I typically allocate 4-8GB depending on the type of malware analysis I am performing.

Upon completion of the initial REMnux virtual machine configuration, we need to boot the REMnux system and configure the network settings. As specified in the lab architecture diagram above, the REMnux system will be configured with the following network settings:

  • IP Address: 192.168.180.128
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.180.1

First configure the system IP Address and Subnet Mask by executing the following command from the terminal:

  • sudo ifconfig eth0 192.168.180.128 netmask 255.255.255.0

Next, configure the default gateway by executing the following command from the terminal:

  • sudo route add default gw 192.168.180.1 eth0

The following screenshot depicts the REMnux system network configuration:

remnux_network_config

Once REMnux is installed and the network settings are properly configured, I recommend creating a snapshot of the virtual machine. This will grant the ability to return the REMnux system to this default state should the system become corrupted or tainted at a later point in time. In the event the virtualization software utilized does not offer snapshot capabilities, I recommend shutting down the system and creating a duplicate copy of the virtual machine.

Now that the REMnux virtual machine is configured, it is time to configure the Windows system. The version of Windows does not matter; however, it is always good to have multiple virtual machines running various versions of Windows at various service packs and patch levels. As mentioned previously, malware can interact differently with a system depending on the OS version and patch levels.

Upon the installation of Windows, the virtual machine network adapter needs to be configured to host-only networking mode via VMware’s settings. The following screenshot depicts the Windows virtual machine being configured to use host-only networking:

Win_vm_network

The Windows virtual machine should also be configured with an appropriate amount of RAM, I typically allocate 4-8GB depending on the type of malware analysis I am performing.

Upon completion of the initial Windows virtual machine configuration, we need to boot the Windows system and configure the network settings. As specified in the lab architecture diagram above, the Windows system will be configured with the following network settings:

  • IP Address: 192.168.180.129
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.180.128
  • Preferred DNS Server: 192.168.180.128

To configure the Windows network settings, access the Internet Protocol Version 4 (TCP/IPv4) settings of the Ethernet network adapter.
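The whole lab hinges on one property: everything the Windows VM sends must land on REMnux, which is only true if the Windows default gateway and DNS server are the REMnux address and both VMs share the host-only subnet. As an added example (not part of the original post), the following POSIX shell script checks the address scheme from the diagram above before you apply it, and echoes the two REMnux commands from the post instead of executing them so it is safe to run anywhere. The addresses are the post's own values; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the lab address
# scheme before applying it. Values are the ones used in the post.

REMNUX_IP=192.168.180.128
REMNUX_GW=192.168.180.1
WIN_IP=192.168.180.129
WIN_GW=192.168.180.128
WIN_DNS=192.168.180.128
NETMASK=255.255.255.0

# ip_to_int: dotted quad -> 32-bit integer, so a mask can be applied arithmetically
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B MASK: succeeds when A and B fall in the same network
same_subnet() {
    a=$(ip_to_int "$1")
    b=$(ip_to_int "$2")
    m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_lab_scheme: prints one PROBLEM line per inconsistency, succeeds if none.
check_lab_scheme() {
    rc=0
    if [ "$WIN_GW" != "$REMNUX_IP" ]; then
        echo "PROBLEM: Windows gateway $WIN_GW is not the REMnux address $REMNUX_IP"
        rc=1
    fi
    if [ "$WIN_DNS" != "$REMNUX_IP" ]; then
        echo "PROBLEM: Windows DNS server $WIN_DNS is not the REMnux address $REMNUX_IP"
        rc=1
    fi
    if [ "$WIN_IP" = "$REMNUX_IP" ]; then
        echo "PROBLEM: both VMs use $WIN_IP"
        rc=1
    fi
    for peer in "$WIN_IP" "$REMNUX_GW"; do
        if ! same_subnet "$REMNUX_IP" "$peer" "$NETMASK"; then
            echo "PROBLEM: $peer is not on the REMnux subnet ($REMNUX_IP/$NETMASK)"
            rc=1
        fi
    done
    return $rc
}

# remnux_network_commands: the two commands from the post, echoed rather than
# executed. On the REMnux VM, apply them with: remnux_network_commands | sh
remnux_network_commands() {
    echo "sudo ifconfig eth0 $REMNUX_IP netmask $NETMASK"
    echo "sudo route add default gw $REMNUX_GW eth0"
}

if check_lab_scheme; then
    echo "Lab address scheme is consistent; REMnux commands:"
    remnux_network_commands
fi
```

If you add further Windows VMs to the lab, give each one a unique WIN_IP and rerun the check; the gateway and DNS values stay pinned to the REMnux address so the new machine's traffic is captured the same way.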

The following screenshot depicts the Windows system network configuration:

windows_network_config

Upon configuration of the Windows network settings, validate the Windows system can communicate with the REMnux system by pinging the IP Address (192.168.180.128) of the REMnux system from the Windows command prompt. The following graphic depicts the ping command being executed from the Windows command prompt:

ping

As can be seen from the screenshot above, the Windows system is able to successfully communicate with the REMnux system.

Once the Windows virtual machine has been successfully configured, I recommend creating a snapshot of the virtual machine. This is especially important on the Windows system, as malware will be executed on the system and we will want the ability to return the system to a clean state. In the event the virtualization software utilized does not offer snapshot capabilities, I recommend shutting down the system and creating a duplicate copy of the virtual machine.

At this point, we have a basic virtual lab environment to perform malware analysis. Additional systems can easily be added to the environment by spinning up additional virtual machines and configuring the network settings to match the IP scheme utilized.

In my next post, I will discuss what software to install on the Windows virtual machine in order to perform malware behavioral analysis.