Tag Archives: Malware

Apkscan: Live Android Malware Analysis

Mobile devices are more and more seen as attractive targets from the attackers’ point of view. This is easy to understand: the market is exploding and people still don’t realize that a mobile device is not only a mobile “phone” but a mobile “computer” with an operating system, I/Os and… applications! The mobile OS landscape is split between two systems: iOS (Apple) and Android. Apple is known to lock down its platform and keep tight control over it, even if it has a glitch from time to time. To install an application on your iPhone/iPad, you go to the AppStore. Of course, if you jailbreak your device, there are alternative stores, but let’s assume that you’re a good boy/girl!

Android is more open and, next to the official store (Google Play), many alternative sources of applications are available. Some of them suffer from a total lack of control and we are not always sure that the downloaded application is safe. The first reflex when you install an Android application is to check its permissions. Why should a game have access to your full address book and be allowed to send SMS or perform calls? This looks suspicious!

[Screenshot: permissions requested by an Android application]

But what about the example of a small game requiring Internet access? This could seem legitimate, to allow communications with the outside world: to upload scores, to download new maps or levels. But “Internet access” is very (too?) broad. Are you sure that no data is being leaked? The only way to test the Internet traffic generated is to install the application on a test device and sniff your wireless traffic… Easy if you are a techie! Otherwise, install the app and cross your fingers?

I won’t discuss the malware analysis process here… Just a reminder: there are two major ways to do it: static or behavioral analysis. With the first one, you analyze the provided binary and try to work out how it works (e.g. by reverse-engineering it). With the second one, you execute the code and collect as much information as possible: files accessed/created, DNS requests, network traffic, etc. This is performed in a safe environment (a sandbox).

For a while now, there have been solutions to perform this kind of live analysis on regular (read: “Wintel architecture”) pieces of malware. Some are commercial, others are open source (like Cuckoo). But what about Android applications? nViso, a young company founded by a group of Belgian infosec professionals/enthusiasts, is working on a project called “Apkscan“. APK is the file format used to distribute Android applications. Yesterday, during a SANS@Night session in Brussels, Daan Raman demonstrated his tool:

[Screenshot: Apkscan]

As you can see, it uses the same philosophy as regular malware analysis tools: you submit a suspicious file, it executes it and generates a nice report. Both static and behavioral analyses are performed. The report contains the static analysis, the permissions extracted from the Android manifest XML file, a VirusTotal output, the URLs found and the behavioral analysis. The tool is still being developed but works quite well. I had the opportunity to submit some samples. Check out the two generated reports (a good and a bad one). The tool should be made publicly available soon. Great job!
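As an added example (not code from the original post nor from Apkscan), here is the “first reflex” check done in Python: extract the permissions declared in an Android manifest and flag the ones a simple game has no business asking for. It assumes a text AndroidManifest.xml, as you get after decoding an APK with apktool (inside the APK the manifest is stored as binary XML, which this script does not parse); the sample manifest and the list of sensitive permissions are constructed for the example.

```python
# Added example: static review of the permissions an Android app declares.
# Assumes a decoded (text) AndroidManifest.xml; the sensitive-permission
# table below is an assumption for this example, not Apkscan's own list.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that deserve a second look for a simple game (assumed list)
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud risk)",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record audio",
}

def extract_permissions(manifest_xml):
    """Return the sorted list of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return sorted(set(names))

def review_permissions(perms):
    """Flag sensitive permissions and data-exfiltration combinations.

    Returns {"flagged": {permission: why}, "findings": [text, ...]}.
    """
    perms = set(perms)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    findings = []
    # INTERNET alone is broad but common; combined with a permission that
    # reads personal data it gives a clear path for that data to leave.
    if "android.permission.INTERNET" in perms:
        readers = perms & {"android.permission.READ_CONTACTS",
                           "android.permission.READ_SMS",
                           "android.permission.ACCESS_FINE_LOCATION"}
        for p in sorted(readers):
            short = p.rsplit(".", 1)[-1]
            findings.append("%s + INTERNET: data could leave the device" % short)
    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS: app can send messages without user interaction")
    return {"flagged": flagged, "findings": findings}

# Constructed manifest for a "game" that asks for far more than it needs
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.funnygame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Funny Game"/>
</manifest>
"""

if __name__ == "__main__":
    perms = extract_permissions(SAMPLE_MANIFEST)
    report = review_permissions(perms)
    for p in perms:
        print("%-45s %s" % (p, report["flagged"].get(p, "")))
    for f in report["findings"]:
        print("! " + f)
```

Run it on the decoded manifest of the app you are curious about; the combinations it flags are exactly the “why would a game need this?” questions the post raises.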

Scanning Malicious URLs in One Mouse Click

Since it’s already Friday, just before leaving for the weekend, here is a quick hack for all the MacOS X infosec guys… and the others! I’m not afraid to admit it: I’m lazy! We use computers all day long and they were created (usually ;-) to automate tasks. Let them do our boring jobs…

One of the recurring tasks I perform multiple times a day is scanning URLs for malicious code. We all read plenty of information every day that contains URLs (mail, PDFs, Office documents). Call me paranoid, but I prefer to scan them before suffering an unexpected behavior from a single mouse click! I’m a fan of the online service called urlQuery for this task:

“urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.”

Submit your URL and a report will be generated with the complete analysis of the code and objects downloaded. Why not automate the submission of URLs to urlQuery?

OS X comes with nice tools to automate a lot of stuff. I recommend having a look at Automator and AppleScript. They can be used to create personalized services which are available in any application via a right-click and choosing “Services“.

Let’s create a new service called “Analyze with urlQuery“. Launch Automator:

  • Select Library > Utilities > Run AppleScript
  • Define the parameters:
    Service receives selected: “URLs” in “any application”
    Input is “only URLs”
  • Create the AppleScript below
  • Save

The AppleScript is really simple: it opens a new tab in the first Google Chrome window, connects to urlquery.net, fills in the form with the (malicious) URL and submits it!

on run {input, parameters}
    set url0 to "http://urlquery.net"
    -- Automator hands over the selected URL(s) as a list; flatten it to text
    set input0 to (input as string)
    tell application "Google Chrome"
        reopen
        activate
        tell window 1
            -- open the urlQuery home page in a new tab
            make new tab with properties {URL:url0}
        end tell
        -- give the page time to load before typing into the form
        delay 2
    end tell
    tell application "Google Chrome" to activate
    tell application "System Events"
        -- relies on the urlQuery search field having focus once the page is loaded
        keystroke input0
        keystroke return
    end tell
    return input
end run

Once created, a new service will be available in your applications like Mail:

[Screenshot: the “Analyze with urlQuery” service in the Services menu]

Simple and convenient! A big thank you to @_coreDump for his precious help in fixing my AppleScript code!

Malicious DNS Traffic: Detection is Good, Proactivity is Better

It seems that our beloved DNS protocol is again the center of interest for some security $VENDORS. For a while now, I’ve seen the expression “DNS Firewall” used more and more in papers or presentations. It’s not a new buzzword… The DNS protocol is well-known to be an excellent vector of infection and/or data exfiltration. But what is a “DNS firewall” or “Strong DNS Resolver“?

Read More →

Cuckoo 0.5 on OS X Mountain Lion

Claudio Guarnieri and his developers gave us a great gift to finish the year. A few days before Christmas, they released version 0.5 of Cuckoo, the open source malware analysis system. What’s new in this release? Plenty of nice stuff! I won’t review it here; have a look at the blog post published to announce this new release. While enjoying some holidays, I took the time to upgrade my Cuckoo environment. Basically, I’m running two different Cuckoo instances: one linked to my CuckooMX script to automate the analysis of attachments extracted from my SMTP flows, and one running on my Macbook for on-demand analysis while I’m on the road. In the Cuckoo documentation, Ubuntu is the reference platform, but that does not mean that other operating systems can’t run Cuckoo! Here is some information I would like to share if you plan to install Cuckoo on Mac OS X.

I’m running Mountain Lion (10.8.1) on my Macbook. The good news: Python 2.7 is the default version enabled on Mac OS and is the recommended version to run Cuckoo. The installation is pretty straightforward: deploy the tarball in your preferred directory and review the *.conf files in the conf/ directory. But the very first (and critical!) step is to have a valid Python and libraries environment. First, check that your active version of Python is 2.7:

snowwhite:~ xavier$ python -V
Python 2.7.2

Then install the required Python dependencies. To manage my Python libraries, I’m using the easy_install script. In my environment, I had to install the following ones:

snow-white:~ xavier$ easy_install sqlalchemy
snow-white:~ xavier$ easy_install Jinja2
snow-white:~ xavier$ easy_install Bottle

The last library is required by web.py (the Cuckoo web front-end). Since version 0.4, Cuckoo has completely changed the way it analyses the network traffic. Today, it uses tcpdump to capture packets and generate a .cap file. Then, the content is analysed with the dpkt library. I was not able to install it via easy_install. Just download the latest version, unpack it and install it manually:

snow-white:~ xavier$ wget \
'http://dpkt.googlecode.com/files/dpkt-1.7.tar.gz'
snow-white:~ xavier$ tar xzf dpkt-1.7.tar.gz
snow-white:~ xavier$ cd dpkt-1.7
snow-white:dpkt-1.7 xavier$ python setup.py install

Once Cuckoo is installed, you must prepare your virtual machine(s) to analyse malware. The documentation is very clear, but the network configuration is a little bit tricky. There are two main requirements:

  • Cuckoo must talk with the virtual machine. A Python script is running on the guest to handle XMLRPC requests.
  • Cuckoo must be able to see (and capture) all the traffic generated by the guest.

If you travel a lot like me, you need an easy setup which will work in any environment. The best way to set up the network connectivity for your guest is the “host-only” networking feature (I’m using VirtualBox; please refer to your virtualisation environment’s documentation to find the corresponding connectivity). By definition, a “host-only” network only permits traffic between the guests and the host over a private subnet. So how do you allow a guest to access the Internet? It’s easy in a Linux environment (using iptables), but how do you achieve the same with OS X? No stress, it’s also easy!

First, make your OS act as a router:

snow-white:~ xavier$ sudo sysctl -w net.inet.ip.forwarding=1

Then, enable NAT. No need to play with firewall rules on OS X: there is a nice daemon which takes care of this job. Note: ‘en0’ is the interface used for your Internet connectivity; change it if yours is different.

snow-white:~ xavier$ sudo natd -interface en0

Finally, add a firewall rule to divert the traffic through natd:

snow-white:~ xavier$ sudo ipfw add divert natd ip from \
any to any via en0

Boot your guest and try to access the Internet: it works! My ‘host-only’ network interface is vboxnet0. Inspect the traffic on it with tcpdump; you must see all the traffic between the guest and the Internet. Two important remarks:

  • For security reasons, I do not execute the commands above at boot time. I prefer to start a small script before launching Cuckoo. Having your OS X box permanently acting as a router is not recommended.
  • When you analyze malware, some malicious traffic could be sent out of your OS X box via the same network interface used for your regular traffic. This could get your OS X box detected as “malicious” and generate alerts or unexpected behaviors, like being completely banned from the network! Don’t do this on a corporate LAN.

Please post your comments or tips to use Cuckoo in an OS X environment! Happy New Year and happy malware analysis!

The Social Impact of Malware Infections

I just had a good experience today of the “social impact” of malware infections and I would like to share it with you. For most infosec people, it is part of the game to play fireman for family and friends when they are in trouble with their computer. The term “computer” is used by them as a generic term and includes the hardware, the software, the Internet connectivity, mailboxes, etc. Today it was again my turn to be contacted by a friend who received a “strange message” on his screen. That’s also typical: people always see “strange messages” and do not even try to read and understand them! My wife picked up the call and said that my friend sounded very affected and asked me to call back asap…

Read More →

Cuckoo: Increasing the Power of Malware Behavior Reporting With Signatures

The new version (0.4) of Cuckoo, the open source malware analysis system, has been released this week. That’s great news! The list of changes and new features is very impressive. So big that an upgrade is not recommended. In my case, I just installed a brand new Cuckoo instance. It was much easier and saved me some nightmares. I still need to upgrade the instance running on my Macbook Pro; I hope it will also run very smoothly. Some of the most significant changes are:

  • Brand new base code
  • Support for KVM
  • Support for YARA & VirusTotal
  • New post-analysis modules
  • Behavioral signatures

The last feature is really what I was waiting for for my CuckooMX project! It is now very simple to detect malware behavior just by creating some Python classes. You are free to perform any task in those classes: send emails, write to databases, communicate with other processes, … In my case, it will now help me to handle the quarantine of suspicious emails properly.

How does it work? Here is a first example. Malware makes extensive use of domain names to communicate with C&C servers or to download software components. Some samples carry a list of hundreds of domains which they use randomly. It can be very interesting to detect whether a program tried to communicate with one of those domains. Cuckoo already records the DNS requests performed; we just have to check whether the resolved FQDNs are considered suspicious. The good news: free lists of domains or IP addresses known to be malicious can be found on the Internet. Such a domain list is available on malwaredomains.com.

The following Python class is called by Cuckoo during the reporting phase. It loops through the DNS requests captured during the analysis and tries to match a malicious domain. If one matches, it reports an event of severity level “3″ (between 1, low, and 3, high).

import fileinput
from lib.cuckoo.common.abstracts import Signature

# Load the list of malicious domains once, when Cuckoo imports the module.
# Blank lines are skipped: an empty string would match every hostname below.
domains = []
for domain in fileinput.input(['/data/cuckoo/conf/malicious-domains.txt']):
    domain = domain.strip()
    if domain:
        domains.append(domain)

class ResolveMaliciousDomain(Signature):
    name = "resolve_malicious_domain"
    description = "Try to resolve a malicious domain name"
    severity = 3
    category = ["generic"]
    authors = ["Xavier Mertens <xavier(at)rootshell(dot)be>"]

    def run(self, results):
        # results["network"]["dns"] holds one entry per captured DNS request
        for fqdn in results["network"]["dns"]:
            for d in domains:
                # substring match: a listed domain anywhere in the hostname fires
                if fqdn["hostname"].find(d) >= 0:
                    return True
        return False

Copy this code into your “$CUCKOO_HOME/modules/signatures” directory and restart the Cuckoo main process. To generate the “malicious-domains.txt” file, just use a crontab (comment lines of the list are dropped so that only domains end up in the file):

wget -o /dev/null -O - http://mirror1.malwaredomains.com/files/domains.txt | \
awk -F '\t' '!/^#/ && $3 != "" { print $3 }' >/data/cuckoo/conf/malicious-domains.txt
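Here is an added example, not from the original post nor from the Cuckoo project, that reworks the signature above in two ways: it parses the malwaredomains.com export directly (same tab-separated layout the crontab’s awk relies on, domain in the third column) and it matches on DNS label boundaries instead of a plain substring search, so “evil-example.net” in the list flags “update.evil-example.net” but not “notevil-example.net”. The Signature class is a stand-in for lib.cuckoo.common.abstracts.Signature so that the file runs on its own; in a real Cuckoo module you would load the list at import time as the post does rather than pass it to the constructor. The domain list and the report excerpt are constructed.

```python
# Added example: suffix-based malicious domain matching for a Cuckoo signature.
# Signature below is a stand-in for Cuckoo's base class (assumption), and the
# domain list / results excerpt are constructed sample data.

class Signature(object):
    """Minimal stand-in for Cuckoo's Signature base class."""
    name = ""
    description = ""
    severity = 1
    category = ["generic"]
    authors = []

    def run(self, results):
        raise NotImplementedError

def load_domain_list(lines):
    """Parse malwaredomains.com-style lines into a set of lowercase domains.

    Comment lines (starting with '#') and blank lines are skipped; the domain
    is the third tab-separated field, as in the crontab above.
    """
    domains = set()
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        d = fields[2].strip().lower().rstrip(".")
        if d:
            domains.add(d)
    return domains

def domain_matches(fqdn, blacklist):
    """True if fqdn equals a listed domain or is a subdomain of one."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk from the full name up to its parents: a.b.c -> b.c -> c
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blacklist:
            return True
    return False

class ResolveMaliciousDomain(Signature):
    name = "resolve_malicious_domain"
    description = "Tries to resolve a malicious domain name"
    severity = 3
    category = ["generic"]
    authors = ["example"]

    def __init__(self, blacklist):
        self.blacklist = blacklist
        self.matched = []  # hostnames that fired, useful in the report

    def run(self, results):
        for entry in results.get("network", {}).get("dns", []):
            if domain_matches(entry["hostname"], self.blacklist):
                self.matched.append(entry["hostname"])
        return bool(self.matched)

# Constructed list in the malwaredomains.com layout (first two fields unused)
SAMPLE_DOMAINS_TXT = [
    "## Malware Domain List (constructed sample)\n",
    "\t\tevil-example.net\ttrojan\tsource\t20121201\n",
    "\t\tbad-cdn.example\tattackpage\tsource\t20121203\n",
    "\n",
]

# Constructed excerpt of a Cuckoo 0.4 report: results["network"]["dns"]
SAMPLE_RESULTS = {"network": {"dns": [
    {"hostname": "www.google.com", "ip": "74.125.0.1"},
    {"hostname": "update.evil-example.net", "ip": "192.0.2.10"},
    {"hostname": "notevil-example.net", "ip": "192.0.2.11"},
]}}

def run_sample():
    """Run the signature over the constructed report; returns the hostnames that fired."""
    sig = ResolveMaliciousDomain(load_domain_list(SAMPLE_DOMAINS_TXT))
    sig.run(SAMPLE_RESULTS)
    return sig.matched

if __name__ == "__main__":
    print("matched:", run_sample())
```

The label-boundary walk is what keeps short listed domains from firing on every hostname that happens to contain them, which is the main false-positive source of a substring search.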

Feed Cuckoo a few samples and, if you are lucky, you will see a result like this:

[Screenshot: the matching signature in a Cuckoo report]

Today, a discussion started on the Cuckoo mailing list about signatures. Now that custom signatures can be quickly added to Cuckoo, isn’t it time to start building a community and creating a central repository for signatures? I’m sure that malware analysts have plenty of suspicious behaviors to monitor. Some examples out of my bag:

  • Creation of an executable file in a user document folder
  • Files creation or modification
  • Starting a process from a user home folder
  • Spawning new processes
  • Deleting itself
  • Slowing down using multiple sleep() calls
  • Testing the presence of a debugger
  • Code injection into another process
  • Registering a file as auto-start
  • Modifying registries or system configuration to enable auto start capability
  • Modifying Windows registries
  • Changing the proxy settings in Internet Explorer
  • Modifying the network connection settings for Internet Explorer
  • Using POST methods in HTTP
  • Visiting an unregistered domain
  • Downloading executable files with an incorrect file extension
  • Using very short HTTP headers
  • HTTP requests with non-standard User-Agent
  • Performing a failed HTTP connection
  • Visiting a malicious domain (done ;-) )
  • Visiting a Fast flux domain
  • Visiting a recently registered domain
  • Changing the security settings of Internet Explorer
  • Visiting a known dynamic DNS domain
  • Connecting to unusual TCP/UDP ports
  • Connecting to a malicious IP address
  • Using a heap spray attack
  • Accessing Internet Explorer cookies
  • Communicating over the loopback interface
  • Listing the running processes
  • Trying a network outbound connection

Personally, I’m ready to invest some time to help build this! I’m dreaming of a huge community like the one active around Nmap scripts! Comments? Ideas?
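As an added example (not code from the original post nor from Cuckoo), two entries of the wish list above written as signatures, “HTTP requests with non-standard User-Agent” and “Connecting to unusual TCP/UDP ports”, run by a tiny harness over a constructed report excerpt. The field names in that excerpt (“user-agent”, “dport”, …) and the list of “normal” ports are assumptions for the example; adjust them to what your Cuckoo version actually emits. Signature is again a stand-in for lib.cuckoo.common.abstracts.Signature.

```python
# Added example: two behavioural signatures from the wish list plus a small
# runner. Signature is a stand-in for Cuckoo's base class and the report
# layout (keys "http", "tcp", "udp", "user-agent", "dport") is an assumption.

class Signature(object):
    name = ""
    description = ""
    severity = 1
    category = ["generic"]

    def run(self, results):
        raise NotImplementedError

# Ports a sandboxed sample is expected to talk to (assumed list for the example)
COMMON_PORTS = {53, 80, 443, 8080}

class NonStandardUserAgent(Signature):
    name = "http_nonstandard_useragent"
    description = "HTTP request with a non-browser User-Agent"
    severity = 2
    category = ["http"]

    def run(self, results):
        self.hits = []
        for req in results.get("network", {}).get("http", []):
            ua = req.get("user-agent", "")
            # Browser UA strings start with "Mozilla/"; custom strings, bare
            # library names or an empty UA deserve a look (assumed heuristic).
            if not ua.startswith("Mozilla/"):
                self.hits.append((req.get("host"), ua))
        return bool(self.hits)

class UnusualPort(Signature):
    name = "network_unusual_port"
    description = "Connection attempt to an unusual TCP/UDP port"
    severity = 2
    category = ["network"]

    def run(self, results):
        self.hits = []
        net = results.get("network", {})
        for proto in ("tcp", "udp"):
            for flow in net.get(proto, []):
                if flow["dport"] not in COMMON_PORTS:
                    self.hits.append((proto, flow["dst"], flow["dport"]))
        return bool(self.hits)

def run_signatures(results, signatures):
    """Run each signature; return {name: (severity, hits)} for those that fired."""
    report = {}
    for sig in signatures:
        if sig.run(results):
            report[sig.name] = (sig.severity, sig.hits)
    return report

# Constructed report excerpt: one normal request, one bot-like POST, one IRC port
SAMPLE_RESULTS = {"network": {
    "http": [
        {"host": "www.example.org", "port": 80, "method": "GET", "uri": "/",
         "user-agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"},
        {"host": "cnc.example.net", "port": 80, "method": "POST", "uri": "/gate.php",
         "user-agent": "bot/1.0"},
    ],
    "tcp": [
        {"src": "192.168.56.101", "dst": "192.0.2.5", "sport": 49152, "dport": 80},
        {"src": "192.168.56.101", "dst": "192.0.2.6", "sport": 49153, "dport": 6667},
    ],
    "udp": [
        {"src": "192.168.56.101", "dst": "192.168.56.1", "sport": 49154, "dport": 53},
    ],
}}

def run_sample():
    return run_signatures(SAMPLE_RESULTS, [NonStandardUserAgent(), UnusualPort()])

if __name__ == "__main__":
    for name, (sev, hits) in sorted(run_sample().items()):
        print("[%d] %s: %s" % (sev, name, hits))
```

Each signature keeps what fired in self.hits, so the report can say which host and which port matched rather than only that the signature matched, which is what you want when a CuckooMX-style workflow has to decide whether an email goes to quarantine.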

Procrastination is Bad! (Also in Information Security)

Today was the last day of activity of the FBI servers which replaced the rogue DNS servers used by the DNSChanger malware. They allowed people infected by the virus to continue to work “as usual“. I won’t come back on this very long story; you must be back from a trip to Mars if you are not aware of what happened. But it is a good opportunity to talk about “procrastination“. Wikipedia defines it as: “the act of voluntarily putting off a task despite consciously knowing that one will be worse off for having done so“. In other words, people tend to replace boring tasks with fun ones.

The DNSChanger story is a very good example of procrastination. First, people fail to protect their computer. Setting up backup & restore procedures, installing patches, updating software… These are such boring tasks! Let him who never clicked on “Upgrade Later” cast the first hard drive!

Then, once the FBI seized the rogue servers, why did they install servers with the same IP addresses? Ok… Instead of preventing thousands of people from surfing the web, they gave people more time to fix their owned systems. But a lot of them just postponed the problem. By stopping the DNS immediately, more people would have been affected, but sometimes an electroshock can have a positive effect.

According to security blogs (like F-Secure’s), the shutdown of the servers is effective and did not produce major outages. Major ISPs deployed their own servers to make the life of infected people easier. Is it a good thing? How much time and money was spent to let lazy people access the Internet? This survey result says it all. If procrastination is bad in “real life“, it is also bad in information security! Install patches promptly, do not postpone your backups, upgrade, upgrade and … upgrade!

CuckooMX: Automating Email Attachments Scanning with Cuckoo

Today, classic anti-virus protections are not reliable enough to protect against modern malware. To better understand and, if possible, block it, it’s best to execute the code in a safe environment and analyze its behaviour. Does it create new processes or files? Are outbound connections made to suspicious domains or IP addresses? Does it install hooks? This method of performing malware analysis in a sandbox is more and more common. As usual, there are vendors providing nice (but often very expensive) solutions and free (open source) alternatives. The most popular is called Cuckoo. I won’t explain in detail what Cuckoo is and how it works. The project maintainer (Claudio Guarnieri) gave a great presentation during the last Hack in the Box in Amsterdam. His slides are available here. Of course, I’m a Cuckoo user! I use malwr.com but I also have a local Cuckoo instance running on my Macbook with my own guest images.

If the method looks sexy, the day-to-day usage of sandboxes remains a pain! You need to grab a copy of the malware, transfer it to the sandbox, execute it, wait (!) and interpret the results. We need more automation! Today, emails remain a key attack vector to distribute malware, and it is also spread using documents (PDF, Office, Flash), as explained in the Sophos blog post “The Rise of Document-based Malware“. Yes, I’m a lazy guy and I would like all documents passing through my MTA to be automatically analyzed by Cuckoo. There are commercial solutions which achieve this. I’m currently playing with some in my job but they are really expensive. Why not try to do the same with free software? That’s the purpose of this project called “CuckooMX“.

Read More →
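As an added example (not code from the original post nor from the CuckooMX project), here is the first step such an MTA hook needs in Python 3: pull the document attachments out of a raw message and keep only the types worth sending to a sandbox, with a SHA256 per file so that a sample already analysed can be recognised before a VM is spent on it. The message is constructed with the standard library and the extension list is an assumption.

```python
# Added example: select email attachments worth submitting to Cuckoo.
# Python 3 (email.policy). The candidate extension list is an assumption
# and the message built below is constructed sample data.
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Document types commonly used to carry malware (assumed list for this example)
CANDIDATE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                        ".rtf", ".swf", ".exe", ".scr", ".jar", ".zip"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def extract_candidates(raw_message):
    """Return [(filename, sha256, size)] for the attachments worth sandboxing.

    Takes the raw RFC 822 bytes as an MTA content filter would hand them over
    (or as read from a .eml file) and decodes each attachment part.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        if ext not in CANDIDATE_EXTENSIONS:
            continue  # e.g. images: not worth a sandbox run
        data = part.get_payload(decode=True) or b""
        # Hash first: a known sha256 can be looked up before spending a VM on it
        found.append((filename, sha256_hex(data), len(data)))
    return found

# Constructed sample: not a real PDF, just bytes standing in for one
SAMPLE_PDF = b"%PDF-1.4 constructed sample, not a real document\n"

def build_sample_message():
    """Construct a message carrying one PDF and one PNG attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please find the invoice attached.")
    m.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    m.add_attachment(b"\x89PNG constructed", maintype="image", subtype="png",
                     filename="logo.png")
    return m.as_bytes()

if __name__ == "__main__":
    for name, digest, size in extract_candidates(build_sample_message()):
        print("%s  %s  %d bytes -> submit to Cuckoo" % (name, digest, size))
```

Plugged behind a content filter, the list this returns is what gets handed to Cuckoo; the hash is also the natural key for holding the email in quarantine until the analysis report comes back.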