The Ethical Hacker Network (EH-Net) forum: Malware
Topic: how to find 'interesting' malware samples? (Read 8967 times)
Andrew Waite
« on: May 11, 2008, 09:55:18 AM »

Peoples,

I've recently put a Nepenthes server into production. There were several reasons for this, from trying to get a better view of what's out there, training resources and just 'for fun' (yes I'm a bit strange).

Unfortunately, the server is being too successful and is providing more samples than I can analyse in the timeframe available. Can anyone provide tips so that I can quickly identify and focus on the 'interesting' samples rather than spend time and resources investigating 'garden variety' malware?

Any advice appreciated, thanks in advance.
RR

dean
« Reply #1 on: May 13, 2008, 12:04:04 PM »

First run the executable through a service like virustotal.com. This will allow you to determine if it has been seen in the wild before and how well detected it is. It will also give you an indication as to its function. Is it a dropper? If so, you might want to run it to see what files it installs.

Also, check the MD5 of the executable on a site like offensivecomputing.net. All malware submissions to the site are named with the MD5 of the file. This will give you an idea of how new the sample is and if anyone has already unpacked and analyzed it.

Are you looking for specific samples or just anything that comes across your honeypot? You might want to modify the config of nepenthes to only simulate certain services on specific OSes. This will reduce some of the data you get. Also, automate your submissions to one of the sandbox analysis sites like Norman. This speeds up initial analysis.

dean
« Last Edit: May 13, 2008, 12:07:56 PM by dean »
shakuni
« Reply #2 on: May 14, 2008, 02:10:15 AM »

Initially you have to work really hard and analyse as much malware as you can. After some time you'll get a feel about what is interesting and what is not.

There is no rule, law or tradition that apply universally... including this one.
Andrew Waite
« Reply #3 on: May 14, 2008, 03:21:42 AM »

Dean,

thanks for the info, I hadn't come across offensivecomputing.net (looking at the link, I'm not sure how I've missed it). Hopefully it should help me out.

One of the reasons I set the box up was to get a better feel for what is out there and what I'm likely to come up against. In this regard I'd like to collect/log everything that hits my box.

My personal interest in malware is directed towards botnets, so ideally I'd like to limit my actual analysis to these.

From looking through the nepenthes architecture I assume that I am correct in my understanding that it emulates specific vulnerabilities? If this is the case, how effective is it at finding 'zero-day' malware? How often are new vulnerabilities updated to catch malware using more recent exploits?

Shakuni,
Quote: Initially you have to work really hard and analyse as much malware as you can. After some time you'll get a feel about what is interesting and what is not.
I was afraid someone was going to tell me that.

dean
« Reply #4 on: May 14, 2008, 09:15:02 AM »

Nepenthes is a low interaction honeypot. As such it can only simulate known vulnerable services. As it can only simulate a known vuln it will not catch an 0day exploit. What it will capture is the initial network traffic of the exploit before it 'changes direction' and diverges from the vulnerability being emulated. This traffic is captured via the portwatch module. Ideally, you would want a high interaction (actual system) honeypot to see exactly what this malware would attempt to exploit. Look at the genIII honeypot/net from the honeynet project if you want a high interaction honeypot.

Look into the submission module that allows you to submit samples to Norman and CWsandbox automatically. This will speed up initial analysis.

Also, be aware that most malware (even 'unknown' variants) will likely use known exploit(s) to spread. This does not mean that the malware itself is not new. I have a sample currently that after two weeks is still only detected by 5 out of 32 AVs. This sample spread through a sequence of iframes and javascript/VB on about 4 different sites. Multiple known exploits were offered up based on the browser type, OS, 3rd party app, etc... to exploit the system in order to finally download and run it.

A lot of malware (the latest stormworm iteration for example) will use two or more stages to download the malware onto the system. The initial exe can end up being the only way to get the final payload.

/dean
Andrew Waite
« Reply #5 on: May 14, 2008, 09:32:19 AM »

Dean,

thanks for the additional pointers (from previous forum threads I had a feeling you would be the man with the information).

I'll take a better look at the submission module. The server was built following the guide from the ShadowServer Foundation (found here); whilst I now have a working honeypot, I'm still new to this aspect of malware research.

Following your previous advice I went over to offensive computing to search the database for my binaries, but none have been found (searched via md5). I'm assuming that this is a normal state of affairs rather than me just getting a large volume of interesting and unknown malware strains?

I'm working on my possibly incorrect understanding. For downloading the final payload from multi-stage malware, is this something that can be automated through high-interaction honeypots, or is this typically something that would be gained via behavioural analysis in a lab?

Thanks again for the assistance and apologies for the n00by questions.
RR

dean
« Reply #6 on: May 15, 2008, 09:56:39 AM »

A common theme in malware today is dynamic code generation and custom packing. All this is automated now. One interesting example I found was a site that dynamically generated malicious javascript and shellcode when it was accessed. Each visit would produce code with unique variables and even the shellcode was changed each time.

This might be why your examples are not showing up on offensivecomputing. One char different will change the hash.

Run your samples through:

Virustotal
Norman Sandbox
CWsandbox

If they have been submitted before, the sites will let you know. If not, an analysis will be done automatically.

A high interaction honeypot will execute the malware, and if that malware is a dropper for additional malware then that will also be downloaded and installed.

I would suggest reading up on the various types of honeypots available, including client honeypots. Also, realize that if you run a high interaction honeypot, the potential for it to be used to attack another host is there.

http://www.securityfocus.com/infocus/1897/1 <-- this is not a bad intro to the different options available to you.
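Dean's hash-and-lookup triage from replies #1 and #6, written up as an added Python example that is not part of the thread: it hashes a constructed set of captured binaries, collapses duplicate captures, drops hashes already in a local "known" set (a stand-in for the offensivecomputing.net / VirusTotal lookups, so the script runs offline) and ranks what is left by how often the sensor caught it. The CAPTURES contents and the known set are constructed here, not real samples.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for files in the Nepenthes binaries/ directory.
# a1 and b2 are the same binary caught twice; d4 is a sample analysed earlier;
# e5 is a download that is not a PE image at all.
CAPTURES = {
    "binaries/a1": b"MZ\x90\x00" + b"bot-variant-A" * 8,
    "binaries/b2": b"MZ\x90\x00" + b"bot-variant-A" * 8,
    "binaries/c3": b"MZ\x90\x00" + b"bot-variant-B" * 8,
    "binaries/d4": b"MZ\x90\x00" + b"mass-mailer" * 8,
    "binaries/e5": b"\x00\x01 not a PE file",
}


def hash_bytes(data):
    """MD5 (the key offensivecomputing names submissions by) plus SHA-256 for your own notes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(captures, known_md5):
    """Group captures by content hash, skip non-PE downloads and already-known
    hashes, and return the remaining unique samples, most frequently caught first.

    captures: {path: bytes}; known_md5: set of MD5s you have already analysed or
    found in a public database (a hypothetical local cache, not a live lookup)."""
    groups = defaultdict(list)
    for path, data in sorted(captures.items()):
        if not data.startswith(b"MZ"):   # downloads are not always a PE image
            continue
        groups[hash_bytes(data)["md5"]].append(path)

    result = []
    for md5, paths in groups.items():
        if md5 in known_md5:
            continue                      # garden variety: already covered
        result.append({"md5": md5,
                       "sha256": hash_bytes(captures[paths[0]])["sha256"],
                       "count": len(paths),
                       "paths": paths})
    # Unknown hashes hitting the sensor most often go to the top of the queue
    result.sort(key=lambda r: (-r["count"], r["md5"]))
    return result


if __name__ == "__main__":
    known = {hash_bytes(CAPTURES["binaries/d4"])["md5"]}   # stand-in for prior lookups
    for row in triage(CAPTURES, known):
        print(f'{row["md5"]}  seen {row["count"]}x  {", ".join(row["paths"])}')
```

Because a one-byte change in a repacked sample gives a brand-new hash, this only de-duplicates exact copies; it tells you what to submit first, not that an unknown hash is a new family.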
Andrew Waite
« Reply #7 on: May 17, 2008, 02:29:54 AM »

I'll take another look at the submission modules (I thought I had configured the norman sandbox module, but I must have an error in my config somewhere).

The article you linked was an interesting read; I've now got a long list of new bookmarks for further research. Unfortunately I am currently unable to implement a high-interaction machine, as I only have authorisation for this project providing I can ensure that it will not be able to have a negative impact on the rest of my environment, hence the original choice of low-interaction.

Thanks again for the assistance, hopefully I'll have some interesting findings to share soon.

xmachine
« Reply #8 on: June 03, 2008, 02:31:14 PM »

If you want to make this process more exciting, treat it as hunting. Have you watched AVP (Aliens vs Predators)? After you get the sample from Nepenthes, you can run it inside a "controlled" and "restricted" network. Then use some sniffing/ids/ips/av tools to observe the life-cycle of the malware, from infection to detection. With this you can build strong skills in malware analysis and in how to build defenses. For more information about manual malware analysis, give it a try here:

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own.html

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own_10.html

http://extremesecurity.blogspot.com/2008/02/malwares-containment-basics.html

http://extremesecurity.blogspot.com/2008/02/malwares-containment-level-ii.html

http://extremesecurity.blogspot.com/2008/03/malwares-containment-quarantine.html

Don't Try This At Your Work

http://extremesecurity.blogspot.com

Do it securely, or not at all

http://extremesecurity.blogspot.com

Symantec STS
don
« Reply #9 on: June 03, 2008, 03:55:01 PM »

Your participation is much appreciated, but this is now your 3rd post and in each one you only offer links to your blog. While I realize that marketing makes the world go 'round, let's not treat EH-Net as your own marketing arm.

Looking forward to your continued contributions,
Don

CISSP, MCSE, CSTA, Security+ SME
oneeyedcarmen
« Reply #10 on: June 04, 2008, 07:28:38 AM »

Don will be leaving us soon to become the next Secretary of State.

Reluctant CISSP, Certified ASS
© 2013 The Ethical Hacker Network