Malware Analysis Using REMnux

0
13126

 

This article explores malware analysis using the open source tool REMnux. It begins with the basics of malware, how it functions, the steps to building a malware analysis kit and then moves on to a detailed tutorial on REMnux.

 

‘Malware is an intrusive software which includes computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware…’– –Wikipedia
In laymen’s terms, malware is defined as any code that performs hazardous activity to the computer. It might be an executable with unknown functionality.

Figure .Taxonomy
Figure 1: Taxonomy of malware

How malware functions

It is target-specific: Today’s zero day exploits are very specific to a target and are hard to identify using traditional security solutions.
Data exfiltration: Data leakage/data extrusion is unauthorised transfer, copying or retrieval of data from a computer or server.

fig2
Figure 2: Splash screen of REMnux

The Remote Administration Tool (RAT)
A RAT is malicious software that hides itself and gives full control to the attacker, remotely. Generally, a RAT gives access to the system, whereby the attacker can perform such remote activities as triggering the camera, installing rootkits and key loggers, and even grab screenshots or turn a system on/off.

3
Figure 3: Screenshot of Pescanner- metadata information

General behaviour
Generally, malware hides itself and runs in the background monitoring all the processes, while communicating with the command and control server outside the network. The behaviour of malware is target-specific and influenced by the following four major characteristics.

Initial infection vector: Initial infection vector is defined as how the malware reaches the system in the first place —delivery can be through a USB stick, browser based downloads, any shared pools, etc.

4
Figure 4: Screenshot of Pescanner- address with MD5 Hash

Rubric: The actions the malware carries out after infection and the footprint it leaves in the log are studied via dynamic malware analysis, but zero day exploits can be unique in nature and remain undetected.

Proliferation mechanism: Generally, propagation of such malicious software depends upon what type it is—if it is a worm, it exploits a known vulnerability. If it is a rootkit, it infects files at the root of the drives and adds autorun.ini. If it is a Trojan, it hides itself or binds itself to any dll in system 32 and adds to the startup process. Hence, learning the propagation mechanism of a given type of malware is very important during analysis.

5
Figure 5: Screenshot of Pescanner- DLL imports

Persistence mechanism: Malware is highly persistent and there are ‘n’ number of ways to infect Windows based machines. Identifying highly persistent malware is a lot tougher than the traditional malware.

Malware with multiple functions
Malware can possess two or more functionalities with equal threat and persistent levels, and such malware is identified as ‘hybrid’.
For example,

  • Trojan + Ransom = Hybrid Trojan
  • Trojan + RAT = RAT
  • P2P + Worm = Worm

Steps to building a malware analysis toolkit
The three steps needed to build an analysis toolkit are described below.

6
Figure 6: Screenshot of Pescanner- entry point information

Create and allocate a safe environment for analysis: The conventional way of examining malicious programs involves infecting a system with the malware and learning about its behaviour using appropriate monitoring tools. This requires a sandbox or virtual machine (VM) in order to investigate the behaviour without affecting the real production bed.

7
Figure 7: Screenshot of Pestr

Sandbox the system from the production environment: Running multiple VMs inside the sandbox helps to analyse the malware which seeks replication or interaction with other systems. Another useful feature of a VM is that an instant snapshot of the system can be recorded along with the system states (before and after infection of the system). In sandboxing, you can install as much RAM and memory, because some intelligent malware can detect its running state inside the VM.

8
Figure 8: Screenshot of Pyew

Install a behaviour analysis tool: Before testing the malware in the sandbox, it is preferable to install appropriate monitoring tools, some of which are discussed in this article.

REMnux: A Linux reverse engineering toolkit
This article is primarily about the REMnux distro. This is a free Linux toolkit used for reverse engineering malicious software. It is bundled with various forensic investigation tools. The distro is based on Ubuntu, and it analyses both Linux and Windows based malware, examining obfuscated code, suspicious documents, etc. It can be freely downloaded from https://remnux.org/ as an OVA file, which can be imported directly into any virtual machine. A Docker image is also available for this distro in the same link.
Let’s now go through a tutorial on inspecting executables and file properties using REMnux.

9
Figure 9: Screenshot of Readpe

Pescanner: To inspect any files, malicious software or suspicious content in the form of portable executables files like .exe, .msi, .so, etc, use the following command:

pescanner <filename>

The usage is:

pescanner osfy.exe

Pestr: To inspect for encrypted strings in PE files, use the following command:

pestr <filename>

The usage is:

pestr osfy.exe

Pyew: This is widely used for code analysis, for which you need to issue the following command:

pyew <filename>

The usage is:

pyew osfy.exe

Readpe: This is used to extract file header information from portable executables, for which the command is as follows:

readpe <filename>

The usage is:

readpe osfy.exe

Signsrch: This is used to search for various signatures with specific options. For example, if my requirement is to extract an RVA (relative virtual address) from PE files instead of the offset address, I would use the following command:

signsrch <option> <file1>......<file n>

The usage is:

signsrch -e osfy.exe
10
Figure 10: Screenshot of Signsrch

Peframe: This is used to extract file information, the packer method, digital signatures, suspicious API, metadata information, etc, by issuing the following command:

peframe <filename>

The usage is:

peframe osfy.exe
11
Figure 11: Screenshot of Peframe

Pedump: This is a very effective tool to investigate file signatures, file imports, file resources, software watermarking, etc, in great depth. The following command is used:

pedump -option <filename>

The usage is:

pedump -deep osfy.exe

Some of the popular open source malware analysis tools are:
1) Cuckoo – http://www.cuckoosandbox.org/
2) Buster Sandbox Analyzer – http://bsa.isoftware.nl/
3) Malheur – http://www.mlsec.org/malheur/
4) REMnux – https://remnux.org/
5) Anubis – http://anubis.iseclab.org/
6) Malwr – https://malwr.com/
7) Eureka – http://eureka.cyber-ta.org/
8) Threat Expert – http://www.threatexpert.com/submit.aspx

LEAVE A REPLY

Please enter your comment!
Please enter your name here