2019-2020-2 20175304 Liu Chaoyin "Network Countermeasure Technology" Exp4 Malicious Code Analysis

1 Basic knowledge

1.1 Concept and classification of malicious code

  • Definition:
    • Also known as malware: software that runs on a user's computer or other terminal without clearly informing the user or without the user's permission, infringing the user's legitimate rights.
    • Computer code that is intentionally written or configured and poses a threat or potential threat to a network or system.
  • Features:
    • Malicious purpose
    • It is a computer program
    • It takes effect by being executed
  • Classification:
    • Computer virus
    • Worm
    • Backdoor
    • Trojan horse
    • Rootkit
    • etc.

1.2 Analysis method of malicious code

  • Static analysis
  • Dynamic Analysis

1.3 Practice goals

  • Monitor the running state of the system to see whether any suspicious programs are running.
  • Analyze a piece of malware: analyze the backdoor software generated in Exp2 or Exp3, using built-in commands or the sysinternals and systracer suites as the analysis tools as far as possible.
  • If in future work you suspect your host has a problem, you can apply the idea of this experiment: first monitor the whole system to see whether suspicious objects can be found, then analyze the suspicious objects further to confirm their specific behaviour and nature.

2 Practice content and steps

2.1 System operation monitoring

2.1.1 Windows scheduled tasks schtasks

Requirements: Use a mechanism such as a scheduled task to record, every minute, which programs are running on your computer and which external IPs they are connected to. Run it for a while, then analyze the file and summarize the results. The goal is to find out all the programs that connect to the network, where they connect to, and what they do (without capturing packets you can only guess). Do you think their behaviour is appropriate? For further analysis you can capture packets selectively.

Step1: Enter the following command to record which programs are connected to the network every five minutes. Once created, the task checks every five minutes which programs are using the network and writes the results to the file netstatlog.txt.

schtasks /create /TN 20175304netstat /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"

The following are the meanings of some parameters:

  • TN: Task Name, in this case 20175304netstat
  • SC: SChedule type, MINUTE in this example, i.e. the interval is measured in minutes
  • MO: MOdifier, the interval multiplier for the schedule type, 1 in this example
  • TR: Task Run, the command to be run is netstat -bn; b displays the executable name that owns each connection, n displays IP addresses and ports numerically
  • >: Redirects the output to the file netstatlog.txt on the C drive

Step2: Since the log does not record the date and time, it is hard to interpret. To add the date and time to each record, use a .bat batch file instead.

① Create a file c:\netstatlog.bat on the C drive with the following content:

date /t >> c:\netstatlog.txt
time /t >> c:\netstatlog.txt
netstat -bn >> c:\netstatlog.txt

② Open Control Panel -> Administrative Tools -> Task Scheduler and find our task 20175304netstat.

③ Select the task and, under Actions in the right-hand pane, click Properties.

④ Open the Actions tab, double-click the action and, under Details, change the original cmd to c:\netstatlog.bat.

⑤ Open c:\netstatlog.txt now; the time information is visible in the log.

Step3: Import the data to excel

① Open Excel, on the Data tab click From Text (get external data), and select the connection log netstatlog.txt.

② Choose Delimited as the file type.

③ Tick all delimiters.

④ Leave the column data format at its default and click Finish; the data is imported.

⑤ Open the Insert tab and click PivotChart to generate a pivot chart.

Step4: Analyze statistical data

  • Common application software (top five):
    • [vmware.exe]: vmware virtual machine
    • [QQ.exe]: QQ
    • [SearchUI.exe]: Cortana
    • [QQPCTray.exe]: Tencent computer housekeeper
    • [Wechat.exe]: WeChat
  • The remaining trusted processes:
    • [TsService.exe]: background service item of Tencent browser
    • [DownloadSDKServer.exe]: A key process in Thunder download software
    • [DingTalk.exe]: DingTalk
    • [SGTool.exe]: Sogou input method accelerated startup program
    • [360wpsrv.exe]: Executable file of 360 wallpaper
    • [AlibabaProtect.exe]: Alibaba Anti-Spy Module
    • [EXCEL.EXE]: The main program of Microsoft Excel
    • [ncat.exe]: file transfer tool
    • [QQPCRtp.exe]: Tencent computer housekeeper process, the process is to provide real-time protection services for qq computer housekeeper
  • Suspicious process:
    • [svchost.exe]: System files in Microsoft Windows operating system
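As an added example (not part of the original report), the following Python script does the Step 3 and Step 4 analysis of netstatlog.txt without Excel: it attributes each connection line to the program shown in brackets beneath it, counts how often each program talked to each foreign address with first and last seen times, and lists the programs that are not on the analyst's trusted list. It assumes English-locale netstat -bn output; the sample log is constructed.

```python
# Added example, not from the original report: summarise netstatlog.txt as
# written by the Step 2 batch file (date /t, time /t, netstat -bn).  Assumes
# English-locale output, where each connection line is followed by its owning
# program in brackets (service-name lines such as 'RpcSs' may come in between).
import re
from collections import defaultdict

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
DATE_RE = re.compile(r"^\s*\w{3}\s+\d{2}/\d{2}/\d{4}\s*$")
TIME_RE = re.compile(r"^\s*\d{1,2}:\d{2}(\s*[AP]M)?\s*$")
# Constructed sample log: two snapshots one minute apart, blank lines omitted.
SAMPLE_LOG = """\
Fri 04/17/2020
10:30 AM
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.107:49800    127.0.0.1:5304         ESTABLISHED
 [20175304_backdoor.exe]
  TCP    192.168.0.107:49801    40.90.22.186:443       ESTABLISHED
  RpcSs
 [svchost.exe]
Fri 04/17/2020
10:31 AM
  TCP    192.168.0.107:49800    127.0.0.1:5304         ESTABLISHED
 [20175304_backdoor.exe]
"""

def summarize(log_text):
    """Map image -> 'PROTO foreign:port' -> {count, first, last} seen."""
    stats = defaultdict(dict)
    date = time = None
    pending = []  # connection lines not yet attributed to an owning image
    for line in log_text.splitlines():
        conn, image = CONN_RE.match(line), IMAGE_RE.match(line)
        if DATE_RE.match(line):
            date = line.strip()
        elif TIME_RE.match(line):
            time = line.strip()
        elif conn:
            pending.append(f"{conn.group(1)} {conn.group(3)}")
        elif image or "ownership information" in line:
            name = image.group(1) if image else "<unknown>"
            for key in pending:
                rec = stats[name].setdefault(key, {"count": 0, "first": f"{date} {time}"})
                rec["count"] += 1
                rec["last"] = f"{date} {time}"
            pending = []
    return stats

def unfamiliar(stats, trusted):
    """Endpoints of images the analyst has not marked trusted (cf. Step 4)."""
    return sorted((img, ep, rec["count"]) for img, eps in stats.items()
                  if img not in trusted for ep, rec in eps.items())
```

Running summarize on a real log and feeding the result to unfamiliar with the "common" and "trusted" names from Step 4 leaves exactly the processes that still need to be explained.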

2.1.2 sysmon

  • Requirement: Install and configure the sysmon tool from sysinternals, set up a reasonable configuration file, and monitor the suspicious behaviour of the main items on your host. Analysing the resulting logs also takes some creativity, combined with previously learned skills such as Linux text-processing commands. The difficulty lies in finding patterns in a large amount of data and spotting the problems, which depends on further filtering, statistics and classification of the results, using whatever tools you know.
  • Reference: schtasks and sysmon application guide

Step1: Download the sysmon tool from the official website.

Step2: Create a configuration file sysmon.xml, write the following instructions in the file:

<Sysmon schemaversion="4.12">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Do not log browser traffic, NetBIOS name service or loopback sources -->
    <!-- (the Internet Explorer binary is iexplore.exe, not iexplorer.exe) -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Log threads injected into these system processes, -->
    <!-- and any remote thread created from PowerShell -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Step3: Open the command line as an administrator and install sysmon with the command Sysmon.exe -i sysmon.xml. After entering the command a dialog pops up; click Agree to install.

The installation is successful, and the version number is 4.23.

Step4: Modify the configuration file

  • Update the schema version number to 4.23
  • Add monitoring of connections to ports 5304, 443 and 80

<Sysmon schemaversion="4.23">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Excludes take precedence over includes -->
    <!-- (the Internet Explorer binary is iexplore.exe, not iexplorer.exe) -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Log connections to the backdoor port and to HTTP/HTTPS -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">5304</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>

    <!-- Log threads injected into these system processes, -->
    <!-- and any remote thread created from PowerShell -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Step5: After modifying the configuration file, load the updated configuration with the command: sysmon.exe -c sysmon.xml

Step6: View the log.

① Type event in the Start menu search box to open Event Viewer.

② Under Applications and Services Logs, navigate to Microsoft->Windows->Sysmon->Operational.

③ Run the backdoor file generated in Experiment 2 and obtain a Windows command line in the Kali virtual machine.

④ Now the log entries produced by the backdoor file can be viewed.

  • Process creation log:

The following information can be obtained from the figure:

  • Image: G:\ncat\20175304_backdoor.exe

  • Description: ApacheBench command line utility

  • Product: Apache HTTP server

  • Network connection logs generated after connecting back:

The following information can be obtained:

  • Program: G:\ncat\20175304_backdoor.exe

  • Protocol: tcp

  • Source IP address: 192.168.0.107 (Windows IP)

  • Target IP address: 127.0.0.1 (Kali's IP)

  • Destination port: 5304
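The two log entries above were read by hand in Event Viewer. As an added example (not part of the original report), this Python script joins the same two Sysmon event types, ID 1 ProcessCreate and ID 3 NetworkConnect, on ProcessGuid, so that every connection to one of the ports watched by sysmon.xml is tied to the image, description and hashes of the process that opened it. The input is the XML from Event Viewer's XML view or from wevtutil qe; the events, GUIDs and hash value below are constructed placeholders.

```python
# Added example, not from the original report: join the two Sysmon event types
# the report reads in Event Viewer (ID 1 ProcessCreate, ID 3 NetworkConnect) on
# ProcessGuid, so every connection to a port watched by sysmon.xml is tied to the
# image, description and hashes of the process that made it.  Input is the XML
# from Event Viewer's XML view or 'wevtutil qe'; the events below are constructed.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_PORTS = {"5304", "80", "443"}  # the DestinationPort includes in sysmon.xml

SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><TimeCreated SystemTime="2020-04-17T02:30:05Z"/></System>
<EventData><Data Name="ProcessGuid">{GUID-A}</Data><Data Name="Image">G:\ncat\20175304_backdoor.exe</Data>
<Data Name="Description">ApacheBench command line utility</Data><Data Name="Hashes">SHA256=PLACEHOLDER</Data></EventData></Event>
<Event><System><EventID>3</EventID><TimeCreated SystemTime="2020-04-17T02:30:06Z"/></System>
<EventData><Data Name="ProcessGuid">{GUID-A}</Data><Data Name="Image">G:\ncat\20175304_backdoor.exe</Data>
<Data Name="Protocol">tcp</Data><Data Name="DestinationIp">127.0.0.1</Data><Data Name="DestinationPort">5304</Data></EventData></Event>
<Event><System><EventID>3</EventID><TimeCreated SystemTime="2020-04-17T02:30:07Z"/></System>
<EventData><Data Name="ProcessGuid">{GUID-B}</Data><Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data Name="Protocol">tcp</Data><Data Name="DestinationIp">13.107.4.50</Data><Data Name="DestinationPort">443</Data></EventData></Event>
</Events>"""

def _fields(event):
    """Flatten an <Event>'s <Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}

def correlate(xml_text, watched_ports=WATCHED_PORTS):
    """One record per watched-port connection, enriched from its ProcessCreate event."""
    events = [(ev.findtext("e:System/e:EventID", namespaces=NS),
               ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
               _fields(ev)) for ev in ET.fromstring(xml_text).findall("e:Event", NS)]
    # Index ID 1 first so the join does not depend on export order (newest-first or oldest-first).
    creates = {d["ProcessGuid"]: d for eid, _, d in events if eid == "1"}
    records = []
    for eid, when, d in events:
        if eid != "3" or d.get("DestinationPort") not in watched_ports:
            continue
        proc = creates.get(d["ProcessGuid"], {})  # empty if the process predates Sysmon
        records.append({
            "time": when,
            "image": d.get("Image") or proc.get("Image", "<unknown>"),
            "description": proc.get("Description", ""),
            "hashes": proc.get("Hashes", ""),
            "dest": f'{d["DestinationIp"]}:{d["DestinationPort"]}',
        })
    return records
```

A connection whose process has no ProcessCreate event (empty hashes and description) was started before Sysmon was installed, which is itself worth a look.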

2.2 Malware analysis

Requirements: Analyze the backdoor software when it ① starts connecting back, ② is installed on the target machine, and ③ performs any other operation (such as process migration or screen capture; the important thing is that you are interested in it), and find out:

(1) What registry entries are read, added, and deleted

(2) Which files have been read, added and deleted

(3) What external IPs are connected and what data is transmitted (capture analysis)

This experiment focuses on "analysis", not on "how to use a certain piece of software". The team leader and the person in charge of the project are required to go into a little more detail; the others can concentrate on the analysis.

2.2.1 Static analysis

There are mainly the following analysis methods:

  • File scanning (VirusTotal, VirusScan tool, etc.)
  • File format recognition (peid, file, FileAnalyzer tools, etc.)
  • String extraction (Strings tool, etc.)
  • Disassembly (GDB, IDAPro, VC tools, etc.)
  • Decompile (REC, DCC, JAD tools, etc.)
  • Logical structure analysis (Ollydbg, IDAPro tools, etc.)
  • Packing and unpacking (UPX, VMUnPacker tools, etc.)

I mainly chose the following methods and tools for the analysis:

(1) File scanning (VirusTotal): detection rate 54/72

The following information can be seen in the details shown in the figure below:

  • The file is an ApacheBench command line utility

  • Comments: Licensed under the Apache License, Version 2.0 (hereinafter the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/License-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed "as is", without warranties or conditions of any kind, either express or implied. See the License for the specific language governing permissions and limitations under the License.

(2) File format recognition (peid tool)

PEiD (PE Identifier) is a well-known packer detection tool. It can detect almost all packers, recognising more than 470 packer and PE file signatures.

  • Scanning the unpacked backdoor file: PEiD's main function is packer detection, so it reports nothing for this unpacked backdoor file.

(3) Decompilation and disassembly (PE Explorer tool)

PE Explorer is a powerful visual parser for Delphi, C++ and VB programs that can quickly decompile 32-bit executables and modify their resources. The software supports plug-ins, which can be added to extend its functions; the vendor bundles a UPX unpacking plug-in, scanners and a disassembler with the tool, which makes it very convenient to use.

  • File header information: nothing of use here

  • Imported DLL files: the DLL list shown by PE Explorer is more detailed than the one just seen in PEiD; it shows which functions are imported from each DLL

  • Version information: much of this has already been seen in the earlier log files and on the VirusTotal website

  • Data directories, section headers, debugging information, etc. are of little significance to the analysis, so no screenshots

2.2.2 Dynamic analysis

There are mainly the following methods:

  • Snapshot comparison (SysTracer, Filesnap, Regsnap tools, etc.)
  • Packet capture analysis (WireShark tool, etc.)
  • Behavior monitoring (Filemon, Regmon, ProcessExplorer tools, etc.)
  • Sandbox (NormanSandbox, CWSandbox tools, etc.)
  • Dynamic trace debugging (Ollydbg, IDAPro tools, etc.)

(1) Packet capture analysis (WireShark tool)

  • Packets captured after entering dir

You can see the source IP, destination IP, source port, destination port, and transmitted data from the data packet.

  • Packets captured after entering mkdir test

3 Question answer

3.1 If you suspect malicious code on a host at work but are only guessing, and want to monitor what the system does every day, design which operations you would monitor and which methods you would use.

Use the Windows scheduled task schtasks to record every minute, then import the results into Excel to see which processes appear most often and whether any of them are suspicious. After picking out the more suspicious ones, the scope is narrowed and those processes can be analyzed. Static analysis: VirusTotal and VirusScan are convenient for scanning; dynamic analysis: the SysTracer tool can take snapshots and compare different snapshots.

3.2 If it has been determined that there is a problem with a program or process, what tools do you have to get further information about it?

  • Use sysmon to view the event logs the process generated
  • Use Wireshark to capture packets and see what data the process transmits

4 Experimental experience

This experiment is very hands-on and has to be completed in conjunction with the previous experiments. Because the earlier files had not been used for a long time, some had been deleted and had to be produced again. I was also not very familiar with the specific operation of the software used in this experiment, so it took a long time. However, through this experiment I have gained some understanding of how malicious code is analyzed, how to deal with it and how to prevent it.

Origin www.cnblogs.com/lcyll/p/12731482.html