When working with manual testing and execution of malware, I quickly find myself missing the sandbox reports of changes made to the system that you get if you are using Cuckoo, for example.
Sandboxes like Cuckoo are very useful, but I prefer manual work for certain kinds of tests. It's nice to have several methods available.
First off, I would like to give some credit to a colleague of mine for inspiring me to solve my need in the way described below; he did something similar in his setup. So thanks! =)
The script included in this post mounts a virtual machine image, be it a VirtualBox or a KVM/QEMU image, using qemu-nbd from qemu-utils.
After the image is mounted, AIDE, a file and directory integrity checker (http://aide.sourceforge.net/), identifies the changes made to the file system. If you would rather use Samhain or Tripwire, it will most likely work fine as long as you adjust the syntax in the script.
On the first run the script checks whether aide.db exists; if it does not, one is created and this becomes the baseline for further checks. You should of course do this on a clean system.
Once you have a baseline db, have executed your malware sample and are happy with the results, shut the VM down (so the image is consistent) and run the script against the image to see which files have been created and/or modified. The image is mounted read-only, so the check itself never alters the evidence. The changes are also saved in a log file (changes.log).
Please install the prerequisites and change the paths to fit your environment.
--- script start ---
#!/bin/sh
# Detect which files have been changed and/or added to a VM image. Useful for manual malware
# detection in a sandbox environment
# v1.0 - mikael keri / @nsmfoo
# prerequisites: qemu-utils, aide and root access

usage () {
    echo "usage: $0 -i image_name (incl. path) -m mount_dir -a <check|update>"
}

image_name=""
mount_dir=""
aide=""

# -h takes no argument, so it gets no trailing colon in the option string
while getopts ":i:m:a:h" option; do
    case $option in
        i) image_name="$OPTARG" ;;
        m) mount_dir="$OPTARG" ;;
        a) aide="$OPTARG" ;;
        h) usage
           exit 0
           ;;
        :) echo "Error: option -$OPTARG requires an argument"
           usage
           exit 1
           ;;
        ?) echo "Error: unknown option: -$OPTARG"
           usage
           exit 1
           ;;
    esac
done

if [ -z "$image_name" ]; then
    echo "No image defined"
    usage
    exit 1
fi
if [ -z "$mount_dir" ]; then
    echo "No mount directory defined"
    usage
    exit 1
fi
if [ -z "$aide" ]; then
    echo "No Aide command defined - valid values are check or update"
    usage
    exit 1
fi
if [ "$aide" != "update" ] && [ "$aide" != "check" ]; then
    echo "Valid Aide arguments are either update or check"
    usage
    exit 1
fi

# remove trailing slash
mount_dir="${mount_dir%/}"

# only load the module once (match the module name exactly, not e.g. "nbd_something")
if ! lsmod | grep -q '^nbd '; then
    echo -n "Loading kernel module.."
    modprobe nbd
    sleep 5
    echo "finished!"
fi

# mount image read-only so the check never alters the evidence
# (assumes the guest file system is on the first partition, nbd0p1)
echo -n "Mounting image.."
qemu-nbd -c /dev/nbd0 "$image_name"
sleep 5
if ! mount --read-only /dev/nbd0p1 "$mount_dir"; then
    echo "Mount failed, disconnecting /dev/nbd0"
    qemu-nbd -d /dev/nbd0
    exit 1
fi
echo "finished!"

# init the aide db if it does not exist; this becomes the baseline
if [ ! -f /usr/local/etc/aide.db ]; then
    echo -n "Aide db does not exist. First run, it will take some time .."
    aide -c /usr/local/etc/kvm_aide.conf --init
    cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
    echo "finished!"
fi

if [ "$aide" = "check" ]; then
    # check for changes against the baseline; the report is kept in changes.log
    echo -n "Check for changes.."
    aide -c /usr/local/etc/kvm_aide.conf --check > changes.log
    cat changes.log
    echo "finished!"
elif [ "$aide" = "update" ]; then
    # accept the current state of the image as the new baseline
    echo -n "Updating Aide db.."
    aide -c /usr/local/etc/kvm_aide.conf --update
    cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
    echo "finished!"
fi

# umount and unload
echo -n "Cleaning.."
umount "$mount_dir"
qemu-nbd -d /dev/nbd0
echo "finished!"
--- script end ---
Example syntax: ./hash_vm.sh -i /var/lib/libvirt/images/johndoe.qcow2 -m /mnt -a check
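As an added example (not from the original post), a small sh/awk helper that reads the changes.log the script writes and prints each added, removed or changed file as a guest path with the mount directory (the script's -m value) stripped off. The sample report it runs on is constructed, and the AIDE 0.16 report layout is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the changes.log written by
# "aide --check" into one "<kind> <guest path>" line per file, stripping the mount
# directory so paths read as they do inside the guest. Handles the older
# "added: /path" report lines as well as the newer "f+++...: /path" ones.
aide_changes() {
    # $1 = directory the image was mounted on (the script's -m); report on stdin
    prefix="${1%/}"          # drop a trailing slash, as the script does
    awk -v prefix="$prefix" '
        # section headers are flush left; the Summary block indents its counts
        /^(Added|Removed|Changed) (files|entries):$/ { section = tolower($1); next }
        /^Detailed information/                      { section = "";          next }
        section != "" && /: \// {
            path = substr($0, index($0, ": /") + 2)
            if (prefix != "" && index(path, prefix "/") == 1)
                path = substr(path, length(prefix) + 1)
            print section, path
        }'
}

# Constructed sample in AIDE 0.16 report layout (not real output) so the function
# can be run offline; in practice feed it the changes.log the script produces.
sample_report() {
    cat <<'EOF'
AIDE 0.16 found differences between database and filesystem!!
Summary:
  Added entries:              1
  Removed entries:            1
  Changed entries:            1
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /mnt/Windows/Temp/dropper.exe
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /mnt/Users/john/Desktop/notes.txt
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /mnt/Windows/System32/drivers/etc/hosts
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /mnt/Windows/System32/drivers/etc/hosts
  Size     : 824                              | 912
EOF
}
sample_report | aide_changes /mnt
```

With the real log, run it as `aide_changes /mnt < changes.log` and the indented counts in the Summary block and the "Detailed information" section are ignored, so only the per-file lines come out.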
/Micke @nsmfoo