2019-2020-2 20175315 Chen Yuyang "Network Countermeasure Technology" Exp4 Malicious Code Analysis
1 Practice description
1.1 Practice goals
(1) Monitor the running state of your own system to see whether suspicious programs are running
(2) Analyze a piece of malware, namely the backdoor generated in Exp2 or Exp3, using native system commands or the Sysinternals and SysTracer tool suites
(3) If, in future work, you suspect your host has a problem, the idea from this experiment applies: first monitor the whole system to see whether suspicious objects turn up, then analyze those objects further to confirm their specific behavior and nature
1.2 Basic knowledge
1.2.1 Definition of malicious code
Malicious code is a set of instructions that makes a computer execute according to an attacker's intent in order to achieve a malicious goal
1.2.2 Malicious code characteristics
Malicious code has three characteristics: it serves a malicious purpose, it is itself a computer program, and it takes effect only when executed
1.2.3 Malicious code classification
Non-infecting, host-dependent malicious code (Trojan horse, logic bomb)
Non-infecting, independent malicious code (dropper, multiplier)
Infecting, host-dependent malicious code (virus)
Infecting, independent malicious code (worm)
2 System operation monitoring
2.1 Windows scheduled tasks schtasks
Requirement: use a scheduled task (or similar) to record, every minute, which programs on your computer are connected to the network and to which external IPs. Let it run for a while, then analyze the resulting file and summarize what you find. The goal is to list every program that uses the network, where it connects, and what it does (without capturing packets you can only guess at the last part). Is this approach appropriate? For a deeper look, capture packets for the specific connections of interest.
The following command creates a scheduled task that runs every minute, records which programs are using the network, and writes the result to netstatlog.txt:
schtasks /create /TN 20175315netstat /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"
The parts of the command:
/TN is short for TaskName; the scheduled task is named 20175315netstat.
/sc sets the schedule type; MINUTE together with /MO 1 runs the task every minute.
/TR is Task Run, the command to execute, here netstat -bn: -b shows the executable that owns each connection (it needs administrator rights, otherwise the names are missing), and -n shows addresses and ports numerically instead of resolving names.
> is output redirection into the file c:\netstatlog.txt. Note that > overwrites the file on every run, so only the most recent minute survives; the batch file below uses >> to append each sample instead.
Create a file c:\netstatlog.bat on the C drive with the following three lines, which stamp each sample with the date and time and append the netstat output:
date /t >> c:\netstatlog.txt
time /t >> c:\netstatlog.txt
netstat -bn >> c:\netstatlog.txt
Open Control Panel > Administrative Tools > Task Scheduler and find the task just created.
Open its properties and, under Actions, replace the original cmd command with c:\netstatlog.bat.
On the General tab check "Run whether user is logged on or not" and "Run with highest privileges" (without elevation netstat -b cannot report the owning program).
After waiting a while, open the c:\netstatlog.txt file created earlier; it looks like this:
Following the blog of senior student Zhang Jingyu, we imported the data from the text file into an Excel table and obtained the chart below:
As the picture shows, the program with the most connections is 360, followed by other software such as QQ, WeChat, and the League of Legends game I had left running on the computer at the time...
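The Excel step above can be done directly on the log file. The following script is an added example, not code from the original report: it parses the netstatlog.txt layout that netstatlog.bat produces (a date /t line, a time /t line, then netstat -bn output, appended every minute), counts connections per program and per (program, remote peer), records when each program was first and last seen online, and, going one step beyond the requirement, singles out connections to ports other than DNS/HTTP/HTTPS as the ones worth capturing packets for. SAMPLE_LOG is a constructed stand-in for the real file; its program names, addresses and times are made up.

```python
"""Summarise netstatlog.txt: which programs talked to which external peers, and when.

Added example, not code from the original report. It assumes the log is what
netstatlog.bat appends every minute: a `date /t` line, a `time /t` line and the
output of `netstat -bn`. SAMPLE_LOG is a constructed stand-in for that file (its
program names, addresses and times are made up); feed parse_netstat_log() the
real file's contents instead.
"""
import re
from collections import Counter, namedtuple

Connection = namedtuple("Connection", "date time proto local foreign state image")

SAMPLE_LOG = """\
2020/04/20 Mon
14:05
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:49812      40.90.189.152:443      ESTABLISHED
 [360tray.exe]
  TCP    192.168.1.5:49813      203.205.158.61:443     ESTABLISHED
 [QQ.exe]
  TCP    127.0.0.1:49814        127.0.0.1:49815        ESTABLISHED
 [WeChat.exe]
  TCP    192.168.1.5:49816      192.168.1.88:5315      ESTABLISHED
 [backdoor5315.exe]
2020/04/20 Mon
14:06
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49812      40.90.189.152:443      ESTABLISHED
 [360tray.exe]
  TCP    192.168.1.5:49816      192.168.1.88:5315      ESTABLISHED
 [backdoor5315.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

DATE_RE = re.compile(r"(\d{4}/\d{2}/\d{2}|\d{2}/\d{2}/\d{4})")      # date /t, either locale order
TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s*$")         # time /t
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")                           # netstat -b owner line: [name.exe]


def parse_netstat_log(text):
    """One Connection per netstat row, stamped with the most recent date/time lines.

    netstat -b prints the owning executable on the line *after* the connection
    (sometimes with a service name in between), so rows wait in `pending` until
    the next [image] line attributes them.
    """
    conns, pending, date, time = [], [], None, None
    for line in text.splitlines():
        conn, image, clock = CONN_RE.match(line), IMAGE_RE.match(line), TIME_RE.match(line)
        if conn:
            proto, local, foreign, state = conn.groups()
            pending.append((date, time, proto, local, foreign, state or ""))
        elif image:
            conns.extend(Connection(*p, image.group(1)) for p in pending)
            pending.clear()
        elif clock:
            time = clock.group(1)
        elif DATE_RE.search(line):
            date = DATE_RE.search(line).group(1)
    conns.extend(Connection(*p, "unknown") for p in pending)   # rows netstat could not attribute
    return conns


def is_external(foreign):
    """True for a real remote peer; False for listeners, wildcards and loopback."""
    return foreign.rsplit(":", 1)[0].strip("[]") not in {"0.0.0.0", "*", "::", "127.0.0.1", "::1"}


def summarize(conns):
    """Per-program and per-(program, peer) counts plus first/last sighting, external peers only."""
    ext = [c for c in conns if is_external(c.foreign)]
    per_image = Counter(c.image for c in ext)
    per_peer = Counter((c.image, c.foreign) for c in ext)
    seen = {}
    for c in ext:
        seen[c.image] = (seen.get(c.image, ((c.date, c.time),))[0], (c.date, c.time))
    return per_image, per_peer, seen


def uncommon_ports(conns, common=("53", "80", "443")):
    """(program, peer) pairs on ports other than DNS/HTTP/HTTPS: a crude triage filter
    chosen for this example, since a reverse shell dials out to whatever port the
    attacker picked. These are the rows worth capturing packets for."""
    return Counter((c.image, c.foreign) for c in conns
                   if is_external(c.foreign) and c.foreign.rsplit(":", 1)[1] not in common)


if __name__ == "__main__":
    conns = parse_netstat_log(SAMPLE_LOG)
    per_image, per_peer, seen = summarize(conns)
    for image, n in per_image.most_common():
        print(f"{image:18} {n:2} rows, seen {seen[image][0][1]} to {seen[image][1][1]}")
    for (image, peer), n in per_peer.most_common():
        print(f"   {image:18} -> {peer:22} x{n}")
    print("non-standard ports:", dict(uncommon_ports(conns)))
```

Run it against the real file with `parse_netstat_log(open(r"c:\netstatlog.txt", encoding="mbcs").read())`; the listener, loopback and wildcard rows that clutter the Excel chart are dropped by is_external, and the port filter is where the backdoor's reverse connection stands out even when its process name looks harmless.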
2.2 Sysmon tool
Requirement: install and configure the Sysmon tool from Sysinternals, write a reasonable configuration file, and monitor the main suspicious behaviour on your host
Download the Sysmon tool
Create a configuration file sysmon.xml with the following content (conditions within one rule are OR'ed, so any matching line triggers the rule):
<Sysmon schemaversion="4.23">
  <!-- Record every supported hash (MD5, SHA1, SHA256, IMPHASH) for each image -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 6: log every driver load except those whose signature contains "microsoft" or "windows" -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Event ID 3: drop the noise from Internet Explorer (its binary is iexplore.exe; an image name
         that does not match the real file name silently matches nothing), NetBIOS port 137 and loopback -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>
    <!-- Event ID 3: always log connections to these destination ports -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">5334</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <!-- Event ID 8: threads injected into these system processes, and any remote thread created by PowerShell -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
Open cmd as administrator and install with the command Sysmon.exe -i sysmon.xml (an edited configuration can later be reloaded without reinstalling via Sysmon.exe -c sysmon.xml)
This completes the installation. Afterwards open Computer Management > Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
The earliest entry in the log is Sysmon reading the sysmon.xml configuration file we created
3 Malware analysis
3.1 Monitoring the backdoor with Sysmon
Run the backdoor generated in Experiment 3 so that it connects back to the Kali virtual machine.
Open Event Viewer and refresh; by looking at the run time you can find the events belonging to the backdoor just launched.
We also captured packets here, restarting the reverse connection after the capture had begun; the figure below shows the completed TCP three-way handshake.
Back in Kali, run webcam_snap to take a picture; a few more records appear in Event Viewer immediately, including this one:
conhost.exe, whose full name is Console Host Process, is the host process for command-line programs; simply put, it is the console handling mechanism Microsoft introduced for security reasons. WerFault.exe also appeared; this is the Windows Error Reporting process that ships with the system.
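Finding the backdoor's events by run time, as done above, gets harder once the log holds hours of traffic. Sysmon's ProcessCreate (ID 1), NetworkConnect (ID 3) and CreateRemoteThread (ID 8) events share ProcessGuid values, so they can be joined into one timeline per process: when the backdoor started, the connection it opened, and the children (such as conhost.exe) it spawned. The script below is an added example, not part of the original report. It assumes the Operational log was exported as XML (Event Viewer "Save All Events As..." or `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`) and wrapped in a single root element; SAMPLE_XML is a constructed stand-in whose GUIDs, paths, addresses and times are made up, and the "uncommon destination port" heuristic at the end is a choice made for this example, not a Sysmon feature.

```python
"""Join a process's Sysmon events by ProcessGuid into one timeline.

Added example, not part of the original report. It assumes the Sysmon
Operational log exported as XML and wrapped in one root element. SAMPLE_XML is
constructed: GUIDs, paths, addresses and times are made up, and only the <Data>
fields used here are included.
"""
import xml.etree.ElementTree as ET

SCHEMA = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SCHEMA}
BACKDOOR = "{a1b2c3d4-0001-5e9d-0000-000000000001}"   # made-up ProcessGuid values
CHROME = "{a1b2c3d4-0002-5e9d-0000-000000000002}"
CONHOST = "{a1b2c3d4-0003-5e9d-0000-000000000003}"
BACKDOOR_IMAGE = r"C:\Users\user\Desktop\backdoor5315.exe"


def _event(eid, time, **data):
    """One <Event> in the Windows event XML layout (used only to build the sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{SCHEMA}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{fields}</EventData></Event>')


SAMPLE_XML = "<Events>" + "".join([
    _event(1, "2020-04-20T06:05:12.000Z", ProcessGuid=BACKDOOR, Image=BACKDOOR_IMAGE,
           ParentProcessGuid="{a1b2c3d4-0000-5e9d-0000-000000000000}", ParentImage=r"C:\Windows\explorer.exe"),
    _event(3, "2020-04-20T06:05:13.000Z", ProcessGuid=BACKDOOR, Image=BACKDOOR_IMAGE, Initiated="true",
           Protocol="tcp", DestinationIp="192.168.1.88", DestinationPort="5315"),
    _event(3, "2020-04-20T06:05:20.000Z", ProcessGuid=CHROME, Image=r"C:\Program Files\Google\Chrome\chrome.exe",
           Initiated="true", Protocol="tcp", DestinationIp="172.217.160.78", DestinationPort="443"),
    _event(1, "2020-04-20T06:06:02.000Z", ProcessGuid=CONHOST, Image=r"C:\Windows\System32\conhost.exe",
           ParentProcessGuid=BACKDOOR, ParentImage=BACKDOOR_IMAGE),
]) + "</Events>"


def load_events(xml_text):
    """Flatten each <Event> into a dict of EventID, SystemTime and its <Data Name=...> fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{SCHEMA}}}Event"):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               "SystemTime": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return sorted(events, key=lambda r: r["SystemTime"])


def process_timelines(events):
    """Group events by ProcessGuid (ID 8 carries it as SourceProcessGuid) and link parents to children."""
    procs = {}
    for r in events:
        guid = r.get("ProcessGuid") or r.get("SourceProcessGuid")
        if not guid:
            continue
        p = procs.setdefault(guid, {"image": None, "parent": None, "created": None,
                                    "connects": [], "remote_threads": [], "children": []})
        if r["EventID"] == 1:
            p.update(image=r.get("Image"), parent=r.get("ParentProcessGuid"), created=r["SystemTime"])
        elif r["EventID"] == 3:
            p["image"] = p["image"] or r.get("Image")   # process started before Sysmon was installed
            p["connects"].append((r["SystemTime"], r.get("DestinationIp"), r.get("DestinationPort"), r.get("Initiated")))
        elif r["EventID"] == 8:
            p["image"] = p["image"] or r.get("SourceImage")
            p["remote_threads"].append((r["SystemTime"], r.get("TargetImage")))
    for guid, p in procs.items():
        if p["parent"] in procs:
            procs[p["parent"]]["children"].append(guid)
    return procs


def outbound_to_uncommon_ports(procs, common=("53", "80", "443")):
    """Processes that initiated a connection to a port outside DNS/HTTP/HTTPS.

    Heuristic chosen for this example: a reverse-shell backdoor dials out to
    whatever port the attacker picked, so these are the timelines to read first.
    """
    return [(p["image"], ip, port, t) for p in procs.values()
            for t, ip, port, initiated in p["connects"] if initiated == "true" and port not in common]


if __name__ == "__main__":
    procs = process_timelines(load_events(SAMPLE_XML))
    for image, ip, port, t in outbound_to_uncommon_ports(procs):
        print(f"{t} {image} -> {ip}:{port}")
    for guid, p in procs.items():
        print(guid, p["image"], "created", p["created"], "children:",
              [procs[c]["image"] for c in p["children"]])
```

Feeding it a real export (`load_events(open("sysmon.xml", encoding="utf-8").read())`) gives, for the backdoor's GUID, its creation time, the reverse connection and the conhost.exe child in one place; the same join extended to Event ID 11 (FileCreate) or 13 (RegistryEvent) would show the file and registry changes that SysTracer reports by snapshot comparison in section 3.3.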
Because of matters at home, the time span of this experiment was rather long, so some screenshots are omitted here; I hope the teacher understands!
3.2 Static analysis
(1) Analyzing the malicious program with VirusTotal
As shown above, the Details tab lists the file's digests under three hash algorithms (MD5, SHA-1 and SHA-256), its file type and its file format
(2) Analyzing the malware with PEiD
Detection of the unpacked backdoor program
Detection of the backdoor packed with a compression packer (a "compressed shell")
Detection of the backdoor packed with an encrypting packer (an "encrypted shell")
The figures show that PEiD identifies the compression-packed backdoor but not the encrypted one: PEiD recognises packers by signature, so a packer absent from its signature database is reported as unknown.
Clicking Task Viewer in PEiD shows the running process; while the backdoor program executes, it loads many .DLL files (dynamic link libraries).
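The two tools above can be reduced to a few lines of code, which makes the PEiD result easier to interpret: the digests VirusTotal shows are plain hashes of the file, and a packer identifier works from the PE section table, either by recognising section names (how PEiD's signatures catch the compression packer) or by measuring section entropy (which also flags the encrypting packer PEiD reported as unknown, because compressed and encrypted data both look random). The script is an added example, not code from the original report: build_pe() fabricates minimal, non-loadable PE32 images as constructed test input in place of the real backdoor files, and PACKER_SECTION_NAMES is a handful of well-known names for illustration, not PEiD's signature database.

```python
"""Hashes and packer indicators for a PE file, as the static-analysis tools compute them.

Added example, not part of the original report. build_pe() produces constructed,
non-loadable PE32 images for testing; real samples would be read from disk.
"""
import hashlib
import math
import random
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name raw_size entropy")
# A few well-known packer section names, for illustration only (PEiD uses a large signature database).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def file_hashes(data):
    """The three digests VirusTotal lists in its Details tab."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed or encrypted data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table, with per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # section headers follow the optional header
    out = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append(Section(name.rstrip(b"\0").decode("latin-1"), raw_size, shannon_entropy(raw)))
    return out


def packer_indicators(data, entropy_threshold=7.0):
    """Reasons to suspect packing: a known packer section name, or a high-entropy section.
    The entropy check is what catches an encrypting packer whose names are not on the list."""
    reasons = []
    for s in pe_sections(data):
        if s.name in PACKER_SECTION_NAMES:
            reasons.append(f"section {s.name!r} is a known packer section name")
        if s.raw_size and s.entropy > entropy_threshold:
            reasons.append(f"section {s.name!r} has entropy {s.entropy:.2f}: compressed or encrypted data")
    return reasons


def build_pe(sections):
    """Constructed input only: DOS stub, PE signature, COFF header, zeroed PE32 optional
    header, section table, then the raw section data back to back."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222             # PE32 magic, rest zero
    ptr = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)      # raw data starts right after the headers
    table, blobs = b"", b""
    for name, blob in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0x1000, len(blob), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
        ptr += len(blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + opt + table + blobs


_rng = random.Random(5315)
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 100        # repetitive stand-in for machine code
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))          # stands in for a compressed/encrypted payload
SAMPLE_PLAIN = build_pe([(".text", PLAIN_CODE), (".data", b"\0" * 256)])
SAMPLE_UPX = build_pe([("UPX0", b""), ("UPX1", RANDOM_BLOB), (".rsrc", b"\0" * 64)])
SAMPLE_CRYPTED = build_pe([(".text", PLAIN_CODE[:200]), (".data", RANDOM_BLOB)])   # innocent names, encrypted body

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("upx-like", SAMPLE_UPX), ("crypter-like", SAMPLE_CRYPTED)):
        print(label, file_hashes(sample)["sha256"][:16], [f"{s.name}:{s.entropy:.2f}" for s in pe_sections(sample)])
        print("   ", packer_indicators(sample) or ["no packer indicators"])
```

On a real file, `packer_indicators(open(path, "rb").read())` reproduces PEiD's split: the UPX-style image is caught by name, the crypter-style image only by entropy, and a section entropy above about 7 bits per byte is the cue to treat a "nothing found" from a signature scanner as "unknown packer" rather than "not packed".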
3.3 Dynamic analysis (SysTracer tool)
First download and install SysTracer
Click to create a snapshot; I created three for comparison:
Snapshot #1: do nothing
Snapshot #2: run the backdoor program and establish the reverse connection
Snapshot #3: run the webcam_snap command
The comparison is shown below:
After running the backdoor to open the reverse connection, the implanted backdoor5315.exe appears in the comparison, and many files were added and deleted.
Changes to the registry
Many DLL files were added
4 Questions and answers
(1) Suppose you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system does every day. Describe which operations you would monitor and what method you would use.
Answer: 1. Use schtasks to run netstat periodically and, after the machine has run for a while, sort and summarize the records. 2. Use Sysmon with a configuration covering the events of interest (network connections, registry changes, and so on), then examine and analyze the generated logs. 3. Use SysTracer to take snapshots before and after the suspect process runs and compare them to determine whether it added or deleted registry keys.
(2) Once you have determined that a program or process is problematic, what tools can you use to obtain further information about it?
Answer: Capture packets with Wireshark to analyze its communication with the remote host; use SysTracer to compare snapshots and see what it changed in the registry and the file system.
5 Experimental thoughts
This experiment is simpler than the previous ones, but the comparative analysis is the important part and requires me to take it seriously. The hard part for me was that there is a lot of data and it is difficult to find exactly the data I want; turning the data into an analysis was also a big problem. Although it was indeed a bit tiring, this tiredness also made me understand malicious code better. Because of some matters at home, the time span of this experiment was rather long, and some details are missing in places; I apologize to the teacher here.