Thursday, October 18, 2012

Detect changes in Virtual guest after manual malware execution

When working with manual testing/execution of malware, I quickly find myself missing the reports of changes made to the system that you get from a sandbox such as Cuckoo.

Sandboxes like Cuckoo are very useful, but I prefer manual work for certain kinds of tests. It's nice to have several methods available.

First off, I would like to give some credit to a colleague of mine for inspiring me to solve my need in the way described below; he did something similar in his setup. So thanks! =)

The script included in this post mounts a virtual disk image, be it a VirtualBox or a KVM/QEMU image, using qemu-nbd from the qemu-utils package.

After the image is mounted, AIDE, a file and directory integrity checker
(http://aide.sourceforge.net/), identifies the changes made to the file system. If you prefer Samhain or Tripwire they will most likely work fine as well, as long as you adjust the syntax in the script.

On the first run the script checks whether aide.db exists; if not, one is created and becomes the baseline for further checks. You should of course do this on a clean system. The guest must be powered off (not paused or saved) before the image is attached, otherwise the file system on the image is not in a consistent state and the comparison is meaningless.

Once you have a baseline db, have executed your malware sample and are happy with the results, run the script against the image to see which files have been created and/or modified. The changes are also saved to a log file (changes.log in the current directory). The image is mounted read-only, but the host kernel still parses a file system that the sample has been writing to, so keep the mount options tight (ro,noexec,nodev,nosuid) and never run anything straight from the mount point.

Please install the prerequisites and change the paths to fit your environment. Note that the script attaches the image as /dev/nbd0 and mounts the first partition (/dev/nbd0p1); on Windows 7 images the first partition is often the small "System Reserved" one, so check the layout with fdisk -l /dev/nbd0 and adjust the partition in the script if needed.

--- script start ---

#!/bin/sh
# Detect which files have been changed and/or added to a VM image. Useful for manual malware
# detection in a sandbox environment
# v1.0 - mikael keri / @nsmfoo
#
# prerequisites: qemu-utils, aide and root access

aide_conf=/usr/local/etc/kvm_aide.conf
aide_db=/usr/local/etc/aide.db
aide_db_new=/usr/local/etc/aide.db.new
nbd_dev=/dev/nbd0
# partition to mount; adjust if the OS partition is not the first one
nbd_part=${nbd_dev}p1

usage () {
  echo "usage: $0 -i image_name (incl. path) -m mount_dir -a <check|update>"
}

image_name=""
mount_dir=""
aide=""
# -h takes no argument, so it gets no trailing colon in the option string
while getopts ":i:m:a:h" option; do
  case $option in
    i)  image_name="$OPTARG" ;;
    m)  mount_dir="$OPTARG" ;;
    a)  aide="$OPTARG" ;;
    h)  usage
        exit 0
        ;;
    :)  echo "Error: option -$OPTARG requires an argument"
        usage
        exit 1
        ;;
    ?)  echo "Error: unknown option: -$OPTARG"
        usage
        exit 1
        ;;
  esac
done

if [ -z "$image_name" ]; then
  echo "No image defined"
  usage
  exit 1
fi

if [ -z "$mount_dir" ]; then
  echo "No mount directory defined"
  usage
  exit 1
fi

if [ -z "$aide" ]; then
  echo "No Aide command defined - valid values are check or update"
  usage
  exit 1
fi

if [ "$aide" != "update" ] && [ "$aide" != "check" ]; then
  echo "Valid Aide arguments are either update or check"
  usage
  exit 1
fi

if [ "$(id -u)" -ne 0 ]; then
  echo "This script needs root (modprobe, qemu-nbd and mount)"
  exit 1
fi

# remove trailing slash
mount_dir="${mount_dir%/}"

# umount and disconnect the image, also when something fails half way
cleanup () {
  echo -n "Cleaning.."
  umount "$mount_dir" 2>/dev/null
  qemu-nbd -d "$nbd_dev" >/dev/null
  echo "finished!"
}

# only load the module once
if ! grep -q '^nbd ' /proc/modules; then
  echo -n "Loading kernel module.."
  modprobe nbd
  sleep 5
  echo "finished!"
fi

# attach and mount the image; the guest must be powered off first
echo -n "Mounting image.."
qemu-nbd -c "$nbd_dev" "$image_name" || exit 1
sleep 5
trap cleanup EXIT
# read-only, and nothing on the image is executable, setuid or a device node on the host
if ! mount -o ro,noexec,nodev,nosuid "$nbd_part" "$mount_dir"; then
  echo "mount of $nbd_part failed - check the partition layout with: fdisk -l $nbd_dev"
  exit 1
fi
echo "finished!"

# init the aide db if it does not exist
if [ ! -f "$aide_db" ]; then
  echo -n "Aide db does not exist. First run, it will take some time.."
  aide -c "$aide_conf" --init
  cp "$aide_db_new" "$aide_db"
  echo "finished!"
fi

if [ "$aide" = "check" ]; then
  # check for changes; aide exits non-zero when it finds differences, which is expected here
  echo -n "Check for changes.."
  aide -c "$aide_conf" --check > changes.log
  cat changes.log
  echo "finished!"
elif [ "$aide" = "update" ]; then
  # re-baseline: compare and write a fresh database in one go
  echo -n "Updating Aide db.."
  aide -c "$aide_conf" --update
  cp "$aide_db_new" "$aide_db"
  echo "finished!"
fi

--- script end ---

Example syntax (run as root, with the guest powered off):  sudo ./hash_vm.sh -i /var/lib/libvirt/images/johndoe.qcow2 -m /mnt -a check
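The changes.log from a Windows guest is long, and most of it is boot noise (prefetch files, event logs, registry hives). The script below is an added example, not code from the original post: it reads the AIDE report, drops a list of known-noisy paths and flags the entries a malware analyst would look at first. It assumes the AIDE 0.15 report layout ("added: /path", "changed: /path", "removed: /path"), a mount point of /mnt, and the noise and "interesting" patterns are illustrative choices for this example; the embedded report is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post: triage the AIDE --check report
# (the changes.log written by the script above) instead of reading it top to bottom.
#
# Assumptions: AIDE 0.15-style report lines ("added: /path", "changed: /path",
# "removed: /path"); the image was mounted under /mnt; the noise and "interesting"
# patterns are illustrative and should be tuned to your own baseline. Newer AIDE
# releases print a per-file attribute string instead of these prefixes, so the
# awk pattern in aide_entries needs adjusting there.

MOUNT_PREFIX="${MOUNT_PREFIX:-/mnt}"

# Paths (relative to the mount point) that differ after every Windows boot.
# The registry hives always change; diff those with a registry tool instead.
NOISE_RE='^/(pagefile[.]sys|hiberfil[.]sys|Windows/Prefetch/|Windows/System32/winevt/Logs/|Windows/System32/config/|System Volume Information/|Users/[^/]+/NTUSER[.]DAT)'

# Executable content, autostart locations and a few classic targets: look here first.
INTERESTING_RE='[.](exe|dll|sys|scr|bat|cmd|vbs|js|ps1|lnk)$|/Startup/|/Windows/Tasks/|/Windows/System32/Tasks/|/Temp/|/drivers/etc/hosts$'

# aide_entries REPORT: print "kind<TAB>path" for every added/changed/removed line,
# with the mount prefix stripped so the path reads the way the guest sees it.
aide_entries() {
    awk -v pfx="$MOUNT_PREFIX" '
        /^(added|changed|removed): / {
            kind = $1; sub(/:$/, "", kind)
            path = $0; sub(/^[a-z]+: /, "", path)
            if (substr(path, 1, length(pfx) + 1) == pfx "/") path = substr(path, length(pfx) + 1)
            print kind "\t" path
        }' "$1"
}

# aide_counts REPORT: one-line summary such as "added=4 changed=2 removed=1".
aide_counts() {
    aide_entries "$1" | awk -F '\t' '
        { n[$1]++ }
        END { printf "added=%d changed=%d removed=%d\n", n["added"], n["changed"], n["removed"] }'
}

# aide_triage REPORT: drop the noise, then print what is left with a leading "!"
# on the entries that match INTERESTING_RE.
aide_triage() {
    aide_entries "$1" | awk -F '\t' -v noise="$NOISE_RE" -v hot="$INTERESTING_RE" '
        $2 !~ noise {
            mark = ($2 ~ hot) ? "!" : " "
            print mark " " $1 "\t" $2
        }'
}

# write_sample_report FILE: a constructed report in the AIDE 0.15 layout (not a real capture).
write_sample_report() {
    cat > "$1" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2012-10-18 14:02:11

Summary:
  Total number of files:	48213
  Added files:			4
  Removed files:		1
  Changed files:		2

---------------------------------------------------
Added files:
---------------------------------------------------

added: /mnt/Windows/Prefetch/SAMPLE.EXE-1A2B3C4D.pf
added: /mnt/Users/analyst/AppData/Local/Temp/upd.exe
added: /mnt/Users/analyst/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk
added: /mnt/Users/analyst/AppData/Roaming/notes.txt

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /mnt/Users/analyst/Desktop/sample.exe

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /mnt/Windows/System32/config/SOFTWARE
changed: /mnt/Windows/System32/drivers/etc/hosts
EOF
}

# Usage: ./aide_triage.sh changes.log
# Without an argument the script runs on the constructed sample report.
if [ $# -gt 0 ]; then
    report=$1
else
    report=$(mktemp) && write_sample_report "$report"
fi
aide_counts "$report"
aide_triage "$report"
[ $# -gt 0 ] || rm -f "$report"
```

On the sample report the triage output keeps five of the seven entries and marks four of them: the dropped executable in Temp, the .lnk in the Startup folder, the removed sample itself and the modified hosts file; the prefetch entry and the SOFTWARE hive are filtered out as noise. Everything the filter hides is still in changes.log, so widen NOISE_RE with care.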


/Micke @nsmfoo

Tuesday, October 2, 2012

Modifying VirtualBox settings for malware analysis part 3

Follow-up on my two previous posts regarding preparing VirtualBox for malware analysis.

I hope this third post concludes this research, for a while at least..

Please review the two earlier posts before applying the settings below.


Modify the BIOS.

By adding your own DSDT image you close a couple more ways of detecting the presence of a virtual machine, and it also makes the guest look a bit more "natural".

Start with generating a DSDT image from the host's own ACPI table

    sudo dd if=/sys/firmware/acpi/tables/DSDT of=DSDT.bin

Move the DSDT.bin to somewhere you see fit, for example the VM's own folder (by default "~/VirtualBox VMs/<VM name>"), and hand it over to the user that runs VirtualBox, since dd ran as root

    mv DSDT.bin "$HOME/VirtualBox VMs/<VM name>/"
    sudo chown <vbox user>:<vbox group> "$HOME/VirtualBox VMs/<VM name>/DSDT.bin"

Then run the following command, with the VM powered off, to update the config for your guest (the setting is read when the VM is next started)

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" "<path to DSDT.bin>"

VirtualBox 4.2 also lets you override a few more DMI values that the guest can read. If they are not set they contain strings like "Oracle" and "Virtualbox/VBOX", which is exactly what VM-detection routines look for.

Start with retrieving some more information from your physical host, first the base board (DMI type 2):
   sudo dmidecode -t2

Sample output:

Base Board Information
    Manufacturer: <Vendor>
    Product Name: <Product>
    Version: Not Available
    Serial Number: <Serial>
    Asset Tag: Not Specified
    Features: None
    Location In Chassis: Not Specified
    Chassis Handle: <Value>
    Type: Unknown
    Contained Object Handles: 0


Set the values using the output above. If a value consists of digits only (typically a serial number), prefix it with string: (e.g. "string:1234567"), otherwise VirtualBox parses it as a number; an intentionally empty value is written as <EMPTY>.

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "<Vendor>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "<Product>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "Not Available"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial"  "<Serial>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag"  "Not Specified"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Not Specified"


Then run dmidecode once more, this time for the chassis information (DMI type 3):

    sudo dmidecode -t3

Chassis Information
    Manufacturer: <Vendor>
    Type: Notebook
    Lock: Not Present
    Version: Not Available
    Serial Number: <Serial>
    Asset Tag: No Asset Information
    Boot-up State: Unknown
    Power Supply State: Unknown
    Thermal State: Unknown
    Security Status: Unknown
    OEM Information: 0x00000000
    Height: Unspecified
    Number Of Power Cords: Unspecified
    Contained Elements: 0



Set the values using the output above (again, prefix an all-digit serial with string: so VirtualBox keeps it as a string)

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor"   "<Vendor>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion"  "Not Available"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial"   "<Serial>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "No Asset Information"
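The ten setextradata calls above can be generated straight from the dmidecode output instead of being copied one by one. The script below is an added example and is not from the original post: it parses the "Key: Value" lines of dmidecode -t2 and -t3 as shown above, applies the string: prefix to all-digit values and writes <EMPTY> for missing ones, and only prints the VBoxManage commands unless APPLY=1 is set, so they can be reviewed first. The VM name is taken from the first argument; the dmidecode output embedded for the self-test is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the VBoxManage
# setextradata lines for the board (DMI type 2) and chassis (DMI type 3)
# strings from dmidecode output instead of copying ten values by hand.
#
# Assumptions: dmidecode's "Key: Value" layout as in the sample output above;
# the VM name is $1; nothing is applied unless APPLY=1 is set. The dmidecode
# output in write_sample_dmi is constructed for the example.

DMI_BASE="VBoxInternal/Devices/pcbios/0/Config"

# dmi_field KEY: read one dmidecode type section on stdin, print the value of KEY
# (nothing if the key is absent).
dmi_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ": ") == 1 { print substr(line, length(key) + 3); exit }'
}

# vbox_str VALUE: VirtualBox parses a value that looks like a number as a number
# and needs an explicit marker for an empty string, so an all-digit value gets the
# documented "string:" prefix and an empty value becomes "<EMPTY>".
vbox_str() {
    case "$1" in
        '')        printf '<EMPTY>\n' ;;
        *[!0-9]*)  printf '%s\n' "$1" ;;
        *)         printf 'string:%s\n' "$1" ;;
    esac
}

# emit VM KEY VALUE: print one setextradata command line.
emit() {
    printf 'VBoxManage setextradata "%s" "%s/%s" "%s"\n' "$1" "$DMI_BASE" "$2" "$(vbox_str "$3")"
}

# dmi_commands VM BOARD_FILE CHASSIS_FILE: the same ten keys that are set by hand above.
dmi_commands() {
    vm=$1; board=$2; chassis=$3
    emit "$vm" DmiBoardVendor     "$(dmi_field Manufacturer          < "$board")"
    emit "$vm" DmiBoardProduct    "$(dmi_field 'Product Name'        < "$board")"
    emit "$vm" DmiBoardVersion    "$(dmi_field Version               < "$board")"
    emit "$vm" DmiBoardSerial     "$(dmi_field 'Serial Number'       < "$board")"
    emit "$vm" DmiBoardAssetTag   "$(dmi_field 'Asset Tag'           < "$board")"
    emit "$vm" DmiBoardLocInChass "$(dmi_field 'Location In Chassis' < "$board")"
    emit "$vm" DmiChassisVendor   "$(dmi_field Manufacturer          < "$chassis")"
    emit "$vm" DmiChassisVersion  "$(dmi_field Version               < "$chassis")"
    emit "$vm" DmiChassisSerial   "$(dmi_field 'Serial Number'       < "$chassis")"
    emit "$vm" DmiChassisAssetTag "$(dmi_field 'Asset Tag'           < "$chassis")"
}

# write_sample_dmi BOARD_FILE CHASSIS_FILE: constructed dmidecode -t2 / -t3 output.
write_sample_dmi() {
    cat > "$1" <<'EOF'
Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
	Manufacturer: Example Computer Co.
	Product Name: EX-1234
	Version: Not Available
	Serial Number: 7A1B2C3
	Asset Tag: Not Specified
	Location In Chassis: Not Specified
	Type: Unknown
EOF
    cat > "$2" <<'EOF'
Handle 0x0003, DMI type 3, 21 bytes
Chassis Information
	Manufacturer: Example Computer Co.
	Type: Notebook
	Version: Not Available
	Serial Number: 0123456789
	Asset Tag: No Asset Information
EOF
}

# Usage: ./vbox_dmi.sh "<VM name>"   (APPLY=1 runs the commands; dmidecode needs sudo)
# Without a VM name the commands for the constructed sample are printed.
board=$(mktemp) && chassis=$(mktemp) || exit 1
if [ $# -gt 0 ]; then
    vm=$1
    sudo dmidecode -t2 > "$board"
    sudo dmidecode -t3 > "$chassis"
else
    vm="<VM name>"
    write_sample_dmi "$board" "$chassis"
fi
if [ "${APPLY:-0}" = 1 ]; then
    dmi_commands "$vm" "$board" "$chassis" | sh
else
    dmi_commands "$vm" "$board" "$chassis"
fi
rm -f "$board" "$chassis"
```

Run it once without APPLY to eyeball the generated lines (the constructed chassis serial 0123456789 comes out as "string:0123456789", the board serial 7A1B2C3 verbatim), then with APPLY=1 while the VM is powered off. Keys the host does not report are set to <EMPTY> rather than left at the VirtualBox defaults.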


The above settings mean that you will have to update the batch script described in the previous posts.

The script will now look like this:

Replace <VENDOR> with the OEM ID of your hardware vendor, exactly as it now appears under HKLM\HARDWARE\ACPI\FADT and HKLM\HARDWARE\ACPI\RSDT in the guest (check the key names with regedit before running the script).

--- start script -------

@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f

@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.14" /f

----  end of script ---