Assignment 1 - Malware Forensics
last edited by Patrick 3 months ago
Malware Analysis
CET4862
Network Forensics and Incident Response
Background:
You're a contractor working at the prestigious firm of
Palindrome Consulting, Inc
575 Tattarrattat Drive
Oktahatko, FL 32423
Your boss, Erica Wilde, has assigned you a case to analyze two files of a questionable nature. Law enforcement recovered the files from a workstation at Reynholm Industries after their IT department noticed curious traffic across their network originating from the workstation. The lead investigator indicated that his team believes the software was the origin of this traffic after a cursory look, but has contacted Palindrome to identify specifically what the software is and how it works.
Your task:
Conduct both a static and a dynamic analysis of the two files. Report the procedures you used, the results, and, if it is in fact malware, the possible legal implications of the files' use. (That's in bold for a reason, and still some leave this out!)
IMPORTANT
For this assignment, you'll want either a 32-bit version of Linux or some 32-bit libraries installed; otherwise, running a 64-bit version of Linux when trying to perform the dynamic analysis will result in an error message such as "unable to execute ./foo: No such file or directory" even when foo is in your path. You can either use a 32-bit Linux or install some 32-bit shared libraries, which have worked in the past:
sudo aptitude install libc6:i386 (in Mint). If you're using Ubuntu or CentOS, you can use the apt or yum package manager in place of aptitude.
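The "No such file or directory" message above is the kernel reporting that it could not find the dynamic loader named inside the binary (for 32-bit x86 programs, /lib/ld-linux.so.2, which libc6:i386 provides), not that the file you typed is missing. The following script, added here as an example and not part of the assignment or its sample files, reads the ELF identification bytes with od to tell a 32-bit binary from a 64-bit one and reports whether the 32-bit loader is present, so you can diagnose this before launching anything. The loader path and the minimal header bytes in make_sample_header are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the assignment): classify an ELF file by its
# EI_CLASS byte and check whether the 32-bit dynamic loader is installed.
# Uses only POSIX sh, od, printf and test, so it runs in a bare VM.

# Print "32-bit", "64-bit" or "not-elf" for the file given as $1, based on
# the 4-byte ELF magic (0x7f 'E' 'L' 'F') followed by the EI_CLASS byte.
elf_class() {
    # od prints the first five bytes as unsigned decimals; word splitting
    # leaves them in $1..$5 (empty if the file is missing or too short).
    set -- $(od -A n -t u1 -N 5 "$1" 2>/dev/null)
    case "$1 $2 $3 $4 $5" in
        "127 69 76 70 1") echo "32-bit" ;;   # class 1 = ELFCLASS32
        "127 69 76 70 2") echo "64-bit" ;;   # class 2 = ELFCLASS64
        *)                echo "not-elf" ;;
    esac
}

# Loader a 32-bit x86 binary needs on a glibc-based Linux (assumed path;
# this is what the libc6:i386 package installs on Debian-family systems).
LOADER32=/lib/ld-linux.so.2

# Print "ok" when a 32-bit file can be started on this host, a hint naming
# the missing loader otherwise, and "n/a" for anything that is not 32-bit.
check_runnable() {
    case "$(elf_class "$1")" in
        32-bit)
            if [ -e "$LOADER32" ]; then
                echo "ok"
            else
                echo "missing $LOADER32 (install libc6:i386 or use a 32-bit VM)"
            fi ;;
        *) echo "n/a" ;;
    esac
}

# Write a constructed, minimal ELF identification header (not a runnable
# program) so the classifier can be exercised without any sample on disk.
make_sample_header() {   # $1 = path, $2 = 32 or 64
    case "$2" in
        32) printf '\177ELF\001\001\001' > "$1" ;;
        64) printf '\177ELF\002\001\001' > "$1" ;;
    esac
}

# Usage: sh elfcheck.sh binary/foo binary/bar
for f in "$@"; do
    printf '%s: %s (%s)\n' "$f" "$(elf_class "$f")" "$(check_runnable "$f")"
done
```

Run it against the extracted files before any dynamic step; if it prints the "missing" hint, install the 32-bit libraries first so the failure you later see in strace is the program's own and not the loader's.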
Conduct your analysis within a virtual machine only.
DO NOT download or extract these files to any computer belonging to Daytona State College. If you do, I will disavow all knowledge of you. "Who? Huh! I don't recall them being in my class."
If, IF, the files are malware, let's just say they may be gimped, but make sure that the VM you use for the analysis is set to a host-only network after you download the files to your VM, just in case. As a bonus, that's good incident response and forensic practice, as you do not know what the software would do once executed.
Deliverable:
Conduct your analysis and provide a written report (.pdf preferred, or .doc format).
• Analysis Overview
  • Written in non-technical terms, describing the purpose of the software and the legal implications of someone having and using it. Provide an example or two of incidents where such software has been used. This section should be titled "Analysis Overview."
• Technical Section
  • A complete, specific, and detailed explanation of the results of your static and dynamic analysis.
  • Do not include all of the output for the longer, more detailed results such as lsof and strace; instead, include a few screenshots that point out the 'interesting' parts of the results that helped you identify what the software does (open ports? open files? etc.). This section should be titled 'Technical Section.'
  • For each command you run you need to describe:
    • What you were doing
    • Why you were doing it / what the objective was
    • An interpretation of the results.
  • If you just provide a screenshot of your commands and results with no interpretation, you get zero credit. Interpretation matters.
• Example Report of Malware Analysis by Dr. Craiger for the GIAC SANS Certified Forensic Examiner certification.
• I don't expect 26 pages, but I expect you to provide a thorough and clearly understandable report covering both static and dynamic analysis.
Setup Steps - Do the following from within your VM
1. You're in your VM, right? Right!
2. Download your files.
   i. This ASC file is an encrypted, ASCII-armored zip file.
3. These files may or may not be malware, and that is up to you to prove or disprove.
4. Extract these files from inside your VM; otherwise they will likely be flagged and removed immediately by any AV worth its salt.
   i. Forget you read that in regards to point 3.
5. To extract:
   i. Check to see if you have GPG installed. It is installed by default with Mint.
      a. Run: which gpg
   ii. If it's installed GOTO iii else GOTO iia
      a. Install it: sudo aptitude install gnupg
   iii. Decrypt the file: gpg -d 4862.a1.gpg > 4862.a1.zip
      a. You'll need the 'password'. Nudge, nudge, wink, wink, say no more.
   iv. Once decrypted, unzip the file: unzip 4862.a1.zip
6. You should have three files and one directory: binary/bar, binary/foo and binary/md5.hashes
   i. Huzzah!
7. Now, set your VM to host-only!
   i. You have malware on your system.
      a. Or do you?
8. Begin your dynamic and static analysis.
Hints
• You may be inclined to hash the files and search for them. I did!
• I wouldn't blindly trust the results, but it's your grade on the line, not mine.
• Results from strings and lsof/netstat/strace will be very helpful.
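Steps 6 through 8 and the hints above amount to a small static-triage routine: confirm you are looking at the files that were handed over, record their hashes so they can be searched for, pull printable strings, and then read the network-related parts of a long strace. The script below is an added example of that routine for this page; it is not part of the assignment's materials and says nothing about what foo or bar actually do. It assumes md5.hashes is in md5sum(1) format with paths relative to the directory it sits in, and the strace excerpt it filters is constructed for the demonstration (strace, lsof and netstat must still be run by you, inside the host-only VM).

```shell
#!/bin/sh
# Added example (not the assignment's own material): static-triage helpers
# for the extracted binary/ directory. Assumptions: md5.hashes is in
# md5sum(1) format with paths relative to its own directory; strace output
# is plain text, one syscall per line, optionally "[pid N]"-prefixed.

# 1. Verify the extracted files against the md5.hashes that came with them,
#    so the analysis is done on exactly what was handed over.
#    $1 = directory holding the files, $2 = hash list relative to it.
verify_hashes() {
    ( cd "$1" && md5sum -c "$2" )
}

# 2. Record both MD5 and SHA-256 of a file for the "hash it and search for
#    it" step; output lines are "<hash>  <file>" as printed by the tools.
fingerprint() {
    md5sum "$1"
    sha256sum "$1"
}

# 3. Portable stand-in for strings(1): runs of at least $2 (default 4)
#    printable characters, one per line, for VMs without binutils.
strings_of() {
    min=${2:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk -v n="$min" 'length($0) >= n'
}

# 4. Keep only the socket-related calls from strace output read on stdin;
#    this is the slice of a long trace that answers "does it use the network?".
net_syscalls() {
    grep -E '^(\[pid +[0-9]+\] +)?(socket|connect|bind|listen|accept|sendto|recvfrom)\(' || true
}

# Constructed strace excerpt for demonstration (not output from foo or bar).
STRACE_SAMPLE='execve("./sample", ["./sample"], [/* 12 vars */]) = 0
open("/etc/hosts", O_RDONLY) = 3
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 5) = 0
write(1, "ready\n", 6) = 6'

# Usage: sh triage.sh binary   (steps 1-3 on every file, then the filter demo)
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    verify_hashes "$1" md5.hashes
    for f in "$1"/*; do
        [ -f "$f" ] && [ "$(basename "$f")" != md5.hashes ] || continue
        fingerprint "$f"
        strings_of "$f" | head -n 20
    done
    printf '%s\n' "$STRACE_SAMPLE" | net_syscalls
fi
```

For the real trace, pipe your saved strace output into net_syscalls (strace -f -o trace.txt ./foo, then net_syscalls < trace.txt); each surviving line is one you should explain in the Technical Section rather than paste wholesale.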
References
• Malware Forensics (the book PDF) - right click and choose "Save As"
• Dr. Craiger's GCFA certification report that includes malware analysis.
Writing a non-technical summary
Your non-technical summary should use little to no technical terms. This can be difficult, but not impossible, to do when a technical event is involved. Here is an excerpt from the Washington Post about the Heartbleed SSL issue. Note that they do a fantastic job of explaining the technical issue with mostly everyday, non-technical terms.
Q: What is SSL?
A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remain private. "Open" SSL simply means that the code is freely available.
It's the "s" in "https" that is supposed to stand for "secure." Unlike Web sites that begin with "http," "https" sites have a lock in browser address bars.
"That lock is supposed to signal that third parties won't be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher," explains Vox's Timothy Lee. "If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information."