Thursday, October 18, 2012

Detect changes in Virtual guest after manual malware execution

When working with manual testing or execution of malware, I quickly find myself missing the sandbox reports of changes made to the system that you get when using Cuckoo, for example.

Sandboxes like Cuckoo are very useful, but I prefer manual work for certain kinds of tests. It's nice to have several methods available.

First off I would like to give some credit to a colleague of mine for inspiring me to solve my need in the way described below; he did something similar in his setup. So thanks! =)

The script included in this post will mount a virtual disk image, be it a VirtualBox or a KVM/QEMU image, using qemu-nbd from the qemu-utils package.

After the image is mounted, AIDE, a file and directory integrity checker (http://aide.sourceforge.net/), will identify changes made to the file system. If you prefer Samhain or Tripwire, they will most likely work fine as long as you adjust the syntax in the script.

On the first run the script checks whether aide.db exists; if it does not, one is created and becomes the baseline for further checks. You should of course do this on a clean system.

Once you have a baseline db, have executed your malware sample and are happy with the results, run the script against the image to see which files have been created and/or modified. The changes are also saved to a log file.

Please install the prerequisites and change the paths to fit your environment, including the partition device (/dev/nbd0p1) if the guest's system volume is not the first partition of the image. Shut the guest down before mounting its image; attaching a disk that the running VM still has open gives an inconsistent view of the file system.

--- script start ---

#!/bin/sh
# Detect which files have been changed and/or added to a vm image. Useful for manual malware
# detection in a sandbox environment
# v1.0 - mikael keri / @nsmfoo
#
# prerequisites: qemu-utils, aide and root access

usage () {
  echo "usage: $0 -i image_name (incl path) -m mount_dir -a <check|update>"
}

image_name=""
mount_dir=""
aide=""
# leading ':' makes getopts report a missing argument via the ':' case; -h takes no argument
while getopts ":i:m:a:h" option; do
  case $option in
    i)  image_name="$OPTARG" ;;
    m)  mount_dir="$OPTARG" ;;
    a)  aide="$OPTARG" ;;
    h)  usage
        exit 0
        ;;
    :)  echo "Error: option -$OPTARG requires an argument"
        usage
        exit 1
        ;;
    ?)  echo "Error: unknown option: -$OPTARG"
        usage
        exit 1
        ;;
  esac
done

if [ -z "$image_name" ]; then
  echo "No image defined"
  usage
  exit 1
fi

if [ -z "$mount_dir" ]; then
  echo "No mount directory defined"
  usage
  exit 1
fi

if [ -z "$aide" ]; then
  echo "No Aide command defined - valid values are check or update"
  usage
  exit 1
fi

if [ "$aide" != "update" ] && [ "$aide" != "check" ]; then
  echo "Valid Aide arguments are either update or check"
  usage
  exit 1
fi

# remove trailing slash
mount_dir="${mount_dir%/}"

# only load the module once
if ! lsmod | grep -q '^nbd '; then
  echo -n "Loading kernel module.."
  modprobe nbd
  sleep 5
  echo "finished!"
fi

# attach the image to /dev/nbd0 and mount its first partition read-only,
# so the check itself can never modify the image
echo -n "Mounting image.."
qemu-nbd -c /dev/nbd0 "$image_name" || { echo "failed to attach $image_name"; exit 1; }
sleep 5
if ! mount --read-only /dev/nbd0p1 "$mount_dir"; then
  echo "failed to mount /dev/nbd0p1"
  qemu-nbd -d /dev/nbd0
  exit 1
fi
echo "finished!"

# init the aide db if it does not exist; this becomes the baseline
if [ ! -f /usr/local/etc/aide.db ]; then
  echo -n "Aide db does not exist. First run, it will take some time .."
  aide -c /usr/local/etc/kvm_aide.conf --init
  cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
  echo "finished!"
fi

if [ "$aide" = "check" ]; then
  # check for changes and keep a copy of the report
  echo -n "Check for changes.."
  aide -c /usr/local/etc/kvm_aide.conf --check > changes.log
  cat changes.log
  echo "finished!"
elif [ "$aide" = "update" ]; then
  # refresh the baseline with the current state of the image
  echo -n "Updating Aide db.."
  aide -c /usr/local/etc/kvm_aide.conf --update
  cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
  echo "finished!"
fi

# umount and unload
echo -n "Cleaning.."
umount "$mount_dir"
qemu-nbd -d /dev/nbd0
echo "finished!"

--- script end ---

Example syntax: ./hash_vm.sh -i /var/lib/libvirt/images/johndoe.qcow2 -m /mnt -a check
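The script reads its AIDE settings from /usr/local/etc/kvm_aide.conf, which the post does not show. Below is a constructed example of that file, not the author's own, using the database paths the script copies around and the /mnt mount point from the example above; the excluded paths assume a Windows guest and are placeholders to adjust. AIDE stores absolute paths, so the same -m mount point must be used for the baseline and for every later check.

```conf
# Constructed example kvm_aide.conf for the mounted guest image (not from the post).
# Database paths match what the script does: --init/--update write aide.db.new,
# the script then copies it over aide.db, which is what --check reads.
database=file:/usr/local/etc/aide.db
database_out=file:/usr/local/etc/aide.db.new
gzip_dbout=no
verbose=5
report_url=stdout

# Permissions, owners and inode numbers carry little meaning on a foreign file
# system mounted read-only, so compare size, timestamps and content hashes only.
VMRULE = s+m+c+md5+sha256

# Scan the whole mount point (the -m argument of the script, /mnt in the example)
/mnt VMRULE

# Assumed Windows guest: skip files that change on every boot regardless of malware.
# Selection lines are regular expressions, hence '.' in place of spaces.
!/mnt/pagefile.sys$
!/mnt/hiberfil.sys$
!/mnt/System.Volume.Information
```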


/Micke @nsmfoo
