Link Logger Home ZyXel Banner Binary Visions
Netgear
LinkSYS
Router

Malware Capture
Link Logger for Windows
Home Home Product Info Product Info Download Download/Purchase Support Support  
Link Logger for Windows

NewsLatest News

Screen ShotsScreenshots

Customer CommentsFeedback

Common ScansScans

Additional ResourcesResources

Additional ResourcesMy Articles

My BlogMy Blog

Capture, care and analysis of Malware made easy

Introduction

Note this is a work in progress.

One of the best ways to learn about something is to play with it and see what it does and how it behaves in a controlled environment.  This also applies to learning about worms and viruses, but the problem with doing this is typically the computer you used to experiment with was trashed in the process and rebuilding a computer from scratch can be a huge hassle.  Now if could simply drop the now infected computer in the garbage when you were done playing, and with no cost, then there would be very little preventing you from learning about malware, if you so wished.

What I hope to show you in this article is how to easily and quickly create, setup, capture and do some easy basic forensics on wild malware, and then when you are done, simply drop the infected computer in the great big bit bucket in the sky.  This method will allow you to detect root kits, viruses, worms, adware and spyware, in short all forms of malware.  You will even be able to compare various antivirus products and see which one detects different malware and which don't.  The best part about this is how fast you can setup a new system and the variety of systems you can use as victims; want to play with XP malware, or Win2k malware, no problem..

 

Disclaimer (I'm not kidding)

 Now before we begin you need to understand some of the risks involved, and that while I will try to explain how to safely capture, contain and analyze malware, remember you are playing with malware which is designed to gain access to and infect systems.  So as all security investigators know, bad things can happen and sometime can even happen despite all the precautions taken.  So in short if you hoop your system, I'm sorry, but this is the risk of playing with malware.  Currently I don't know of any malware which can hack through a Virtual PC to the host system, but in security one must consider that anything is possible and then consider how probable it is.  Using Virtualized systems is how most of the professional anti malware shops capture and analyze malware behavior, so in a sense we are going to give you a bit of a peek into the world of professional researchers, sometime even bad things happen to them, so please be warned.

 That said I will hopefully show you a safe way to capture and handle malware which is easier then you might think.

 

Technologies

Given Microsoft software runs most of the desktops and a huge portion of the servers world-wide and if you were a hacker bent on world domination or hacking as many systems possible or stealing as much money as possible wouldn't it be logical to target Microsoft systems?  While I know some different OS/browser users don't like to admit it, every OS/browser has vulnerabilities (yes that includes OSX) and proof of this is available weekly in the US-CERT bulletins for example.  Now given I use my iMac for little more then a music player for one of my kids, the focus of this article is going to be malware for Windows (what version of Windows is up to you as you an use this method with just about any version of Windows).

 Now I like to monitor network traffic so I can see where traffic is coming from and where it is going and then analyze different trends and I do that by using a cheap home router/firewall and Link Logger (note I wrote Link Logger).  The key piece of technology, is the use of a virtual computer and there are generally two players in this technology space, VMWare and Microsoft.  Now while I use VMWare Workstation at work, it costs about $190, but for this article we will use Microsoft�s Virtual PC because it is (get ready for it as it seems strange to say this considering it's a Microsoft product), free.  I use VMWare at work (where I'm a development manager for commercial software and we use virtual systems for testing) as it does have more features like USB support and such, but for what we are going to do Virtual PC is more than ample. NOTE I'm using the Virtual PC 2007 beta version.

 I should point out another reason why I use Link Logger and a firewall as sometimes I�m trying to capture specific malware or attacks, so rather then placing the victim computer in the firewall's DMZ or connecting it directly to the internet where it is exposed to everything, I will just forward only selected ports to the victim system.  So for example I'm only interested in exploits on TCP port 445, I will configure the firewall to forward only port 445 traffic to the victim computer, thereby preventing attacks on other ports from interfering with my honey pots and their intended targets.

Now we are going to do a little something extra and sniff some network packets so we can get a better idea of what scans and attack are going on and how they work.  When I want to get the raw network packets I like to use Packetyzer from Network Chemistry, very nice products.  We can setup the sniffer to capture the traffic going to the victim system so we can see the exploit used to gain entry to the victim and other information.  Currently there have been some problems getting network sniffers to work with Vista, but I have used WireShark and Packetyzer with Vista RTM as long as I was using the latest WinPCap version.

Setting up a virtual PC is actually really easy, and if you can install an OS on a new computer, then you can setup a Virtual PC, as that is really all you are doing when you create a Virtual PC.  If you want to know how to setup a basic Virtual PC I have some detailed instructions with screen shots here that you can follow.

Now the question as to what host OS to use, meaning what OS should we install the virtual systems on.  I have used XP Professional in the past, but now we have Microsoft Vista which is by design a much more secure OS, so we will use that as our host system, but if all you have is XP, no problem the steps in this article are the same.  The question of what we will use for our victim's OS is dependent on what you are researching, but for the purposes of this article we will use a totally unpatched version of XP SP1, meaning no service packs or patches.  On our local ISP this means this system will be infected within 10 minutes of being exposed to the internet.

So putting all these tools and a couple of others that I will mention later we will have a rather surprisingly complete malware capture and analysis setup.

 

Setup

 Microsoft's Virtual PC has some very nice features for what we want to do, so let me explain what they are and how to set them up.  When I build a Virtual PC I save the 'fresh install state' (before applying any patches), then I change the write permissions on the virtual hard drive to read only.  What this does is protects your clean install from accidental corruption and therefore allows you to use this image over and over again.  To build a fully patched system I copy the fresh install directory rename everything, startup this new Virtual PC and then apply all the patches.  So lets start with a fresh install of XP SP1a.

 

 First ensure that the original disk is write protected.

 

Now we are going to create what is called a Differencing Disk in Virtual PC and the idea behind this is you start with an existing virtual disk (our OS fresh install disk) and then create a new virtual disk that uses the initial disk as a starting point but then writes all changes to a separate file such that the original disk is never changed.  So go to the tool bar in the Virtual PC Console and select File -> Virtual Disk Wizard and select 'Create a new virtual disk' and then 'A virtual hard disk' and give it a name and a location, then select 'Differencing' and make the parent the fresh install disk (that we write protected), select Finish and we should now have a new virtual hard drive that is basically a clone of our fresh install.

 

Select our desired victim OS

 

But we want to change what it uses for the system drive so we create a new virtual disk for it.

 

I like to put it in the same directory so I know what it is later.

This is the key step in that we want a Differencing disk.

Use the clean fresh install as our starting point.

 We now want to use our newly created victim disk so we setup our target system to use it.

Now we have our victim system ready to go.

 OK now that we have our victim ready to go, there are a couple of things we need to do to protect our host from attack.  Typically when a system is infected they tend to scan the local network looking for other vulnerable systems, which means that our infected client is likely to scan/attack our host system so we need to ensure that it is safe.  I run a fully patched Vista system as my host and ensure the internal Vista firewall is running and blocking all traffic from our victim.  This should be enough to protect the host system from any external network based attack.

 I should also point out that I don't install the Virtual Machine Additions when setting up a virtual system for use in malware capture and analysis.  The Virtual Machine Additions allow the host and virtual system some forms of communication such as the clipboard and such, and while being very handy, I'd recommend that you want as thick and strong a wall as possible between the virtual victim and the host system so don't install the additions when planning on using the virtual system for malware capture and analysis.

Now for this example we want to capture the network traffic so we can see the exploit (if one is used) to break into the system, so we will be running Packetyzer, but to minimize all the traffic we will be seeing we will setup a capture filter such that only traffic to and from our victim will be captured.  So start the Virtual PC and login (we logged in as Admin as we really want to get infected) and run ipconfig so we can see what the system IP address is.

 

Now we setup our packet sniffer such that it will only capture the traffic we are interested in (remember to leave Packetyzer in promiscuous mode).

Setup the capture filter

 

Capture

Now that we have setup our system, we can now configure our network to expose the victim and start capturing malware.  As I mentioned before if I was trying to capture a particular exploit or worm, I would configure the firewall to only forward selected port traffic to my victim system, but for this article we will place the victim system in the firewall's DMZ so it will get the full gamut of network based attacks.

 

For this test we are using a Netgear FVS318v3 with Link Logger.

 

Analysis

Once again all the infected systems on our local ISP have not failed to deliver and within minutes our victim system is totally owned, and we captured everything.

 

When your victim system starts scanning out, then that is a pretty good indicator that it has been owned.

  First let's see what was changed on our system (note I didn't do a reboot so there could be some nasties waiting for a restart to install, but we should see those).  Since we used a differencing disk, we should be able to compare that disk with the original clean disk.  NOTE I built a differencing disk for the original disk as a security precaution, as I did with my Vista analysis disk. 

 

 So using a tool called WinDiff which is available as part of Microsoft's free Platform SDKs we can compare the clean disk to the infected disk and get a list of all the files which are new, delete or have otherwise been changed.

 

Ever wondered why cleaning an infected system can be so difficult, there are literally hundreds of files that our attacker either added or changed all over the place.

We can also use WinDiff to show us what has changed in a file.

 So here we see that our attacker has inserted an object into all our html files, such that when the page is viewed, the attacker executes more malware.

 If we try to view one of the malware exe's in WinDiff, OneCare notes it as malware and stops it.

 

 Well it certainly appears our bad boy was definitely a very busy bad boy and has totally owned our victim.

 So submitting one of the suspect files to Kaspersky it would appear we have a nasty case of Net-Worm.Win32.Allapple.a

 

We could run a number of different scanners if we wished to do a comparison of the detection rates of the different scanners, but a couple of things to note.  First the infected registry, is not the active registry, but all malware files are accessible and visible (meaning if they were hidden by a root kit, they are not hidden anymore), so a scanner should have a shot at all the files.

For fun I let OneCare scan the infected disk and the result was:

 Now while it reported one infection it removed hundreds of files.

 I wasn't expecting it to do anything about the modified html files, as I would expect it to clean out the registry.  So I restarted the victim system and tried to open one of the modified htm files and got the following error:

 

 So while the system appears to be cleaned up, there are still some lingering after effects as I would have expected.

 Looking at the Packetyzer captures we can see a number of different attempts to exploit various vulnerabilities including this winner:

 

 So we have a pretty good coverage of everything our malware did and all from the safety of a virtual system.

 Now if we wanted to disassemble some of the malware we could and further learn about the malware, or we could have simply left the infected system running longer so we could see what else the infection would have done or what the botmaster had in plan for our victim, but I wanted to show some other examples of how using this system can help you understand malware.

 

Botnets

Huge armies of bots seems to be a frequent topic in security news, but using this system, we can capture the DNS request to get the botnet command and control center, for example when we restarted an infected system we see a DNS call looking for the IP address for dcz.anxau.com, followed by a IRC connection to that IP address on port 65267 (note IRC is normally on 6667, but as shown it can be configured to use other ports), looking into the packets we can get the userid and password for the C&C as well as other information, so for example the conversation our victim had with the C&C was:

NICK USA|879260
USER bqvvafgq 0 0 :USA|879260
:dcz2.convicts.in.au NOTICE USA|879260 :*** If you are having problems connecting due to ping timeouts, please type /quote pong EE86FDB7 or /raw pong EE86FDB7 now.
PING :EE86FDB7
PONG :EE86FDB7
:dcz2.convicts.in.au 001 USA|879260 :Welcome to the irc.convicts.in.au IRC Network USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au 002 USA|879260 :Your host is dcz2.convicts.in.au, running version Unreal3.2-beta19
:dcz2.convicts.in.au 003 USA|879260 :This server was created Sun Feb 8 18:58:31 2004
:dcz2.convicts.in.au 004 USA|879260 dcz2.convicts.in.au Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
:dcz2.convicts.in.au 005 USA|879260 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
:dcz2.convicts.in.au 005 USA|879260 WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=irc.convicts.in.au CASEMAPPING=ascii :are supported by this server
:dcz2.convicts.in.au 422 USA|879260 :MOTD File is missing
:USA|879260 MODE USA|879260 :+i
JOIN #dcz r00t
:USA|879260!bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net JOIN :#dcz
:dcz2.convicts.in.au 332 USA|879260 #dcz :`root.start dcom135 300 5 0 -r -b -s
:dcz2.convicts.in.au 333 USA|879260 #dcz ROCK 1166026999
:dcz2.convicts.in.au 353 USA|879260 @ #dcz :USA|879260 @dcz
:dcz2.convicts.in.au 366 USA|879260 #dcz :End of /NAMES list.
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
USERHOST USA|879260
MODE USA|879260 -xt
JOIN #dcz r00t
:dcz2.convicts.in.au 302 USA|879260 :USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp' has been disabled.
:dcz2.convicts.in.au 302 USA|879260 :USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp' has been disabled.
:dcz2.convicts.in.au 302 USA|879260 :USA|879260=+bqvvafgq@S0106000fb5a0d56b.cg.shawcable.net
:dcz2.convicts.in.au NOTICE USA|879260 :Setting/removing of usermode(s) 'BRxp' has been disabled.
PING :dcz2.convicts.in.au
PONG :dcz2.convicts.in.au
PING :dcz2.convicts.in.au
PONG :dcz2.convicts.in.au
 

And our victim did as it was told and started scanning systems on our ISP local subnet on TCP port 135 looking for systems which it could exploit via a DCOM at a rate of approximately 800,000 scans per hour (that's likely to chew up some bandwidth).

 

Root Kits

 Root Kits are a popular subject as when a hacker installs a root kit your operating system is no longer yours, and it will hide from you files, processes, etc that the hacker wants hidden from your view.  So for example I infected a system with HackerDefender which is a well known Root Kit.  I then enabled it to hide some files and a directory, such that when you try to view it in Windows Explorer or using a dir from within a command shell, everything is invisible, in effect the root kit is now 'working' to hide stuff from the user.  Now if we mount that differencing disk and the clean disk as we did above and do a WinDiff on it, the root kit becomes clearly visible again.

 

Now you see it.

 

Now you don't

And now you see it again.

 Using virtual systems with virtual disks is a great way to capture and analyze malware as it can't hide from you and using tools like WinDiff allows you to see everything the malware has done to files and such, quickly and easily.

When you are finished playing you simply delete your 'vicitim' Differencing Disk and then you can build a new Difference Disk next time you wish to hunting for malware within seconds so you are always ready to go malware hunting.

 

Conclusion

 Hopefully I've given you enough information and examples to get you started on how to capture, analyze, and understand malware using this simple system.  Of course there is much more that can be done, but the idea here was to give a brief introduction, and allow you to take the ball and run with it.  A couple of things to note, first virtual systems love memory, so don't chintz on the memory in your system, and second have fun but be careful.  As use of VM becomes more common I expect that one day someone will find an exploit that will let them attack the host from the client, so be careful and understand the risks and keep up to date with your patches.

 Of course you can experiment with all sorts of malware.  For example you can take email attachments and run them in a virtual victim, or browse sites which attempt to use browser exploits, and you can capture and easily analyze what malware does, how it tried to gain access to your system etc and when you are done, just delete the differencing disk and your back to a clean system.

 Now some people will no doubt argue that malware can detect when it is being run on a virtual system, and I would agree with that 100%, but most malware doesn�t check if its being run on a virtual pc, in fact very few do, so for all intents and purposes a virtual system is good enough for what we are doing (I do have a number of real systems which I use for honeypots when needed, but I'd rather use a virtual system for a number of reasons).  Virtual PC vendors have never made the claim that it is impossible not to detect the virtualness of their VMs, but there are ways to make it more difficult for malware to detect VM as well (see http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf for example).

 

Page last updated on January 03, 2007