[malware] Viper

Malware management and analysis framework
http://viper-framework.readthedocs.org/en/latest/index.html
Viper is a binary analysis and management framework.

sudo apt-get install gcc python-dev python-pip

sudo pip install SQLAlchemy PrettyTable python-magic

tar -zxvf ssdeep-2.12.tar.gz
cd ssdeep-2.12/
./configure && make
sudo make install
sudo pip install pydeep

sudo apt-get install python-socksipy

git clone https://github.com/botherder/viper
cd viper
sudo pip install -r requirements.txt

./viper.py

■To migrate data, copy the files under "viper/projects" to the new host.
■Load the files in the "20141215" folder and tag them "xxxxxx":
viper > store -f /home/ubuntu/Malware/20141215 -t [xxxxxx]

Installing nginx, elasticsearch, and kibana

==============================================================
Installing nginx
# vi /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/5/$basearch/
gpgcheck=0
enabled=1

※gpgcheck=0 turns off RPM signature verification for this repo, and the baseurl is plain HTTP, so whatever the mirror serves gets installed unverified. Set gpgcheck=1 and add gpgkey=https://nginx.org/keys/nginx_signing.key (the signing key nginx.org publishes) so yum verifies the packages.

# yum update
# yum search nginx
# yum install nginx
# service nginx start
# curl 127.0.0.1
# chkconfig nginx on

==============================================================
Installing Java
# java -version
# yum remove java
# yum install java-1.7.0-openjdk.i386

==============================================================

Installing elasticsearch
※Elasticsearch 1.x has no authentication and listens on all interfaces on 9200 by default. Set network.host in config/elasticsearch.yml to the analysis-network address, do not expose 9200 to untrusted hosts, and run it as a dedicated unprivileged user rather than as root.
# wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.4.tar.gz
# tar zxvf elasticsearch-1.3.4.tar.gz
# mv elasticsearch-1.3.4 /opt/
# /opt/elasticsearch-1.3.4/bin/elasticsearch
# curl 127.0.0.1:9200
{
"status" : 200,
"name" : "Aleksander Lukin",
"version" : {
"number" : "1.3.4",
"build_hash" : "a70f3ccb52200f8f2c87e9c370c6597448eb3e45",
"build_timestamp" : "2014-09-30T09:07:17Z",
"build_snapshot" : false,
"lucene_version" : "4.9"
},
"tagline" : "You Know, for Search"
}

==============================================================

Installing kibana

# wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.1.tar.gz
# tar zxvf kibana-3.1.1.tar.gz
# mv kibana-3.1.1 /opt/
# vi /opt/kibana-3.1.1/config.js
elasticsearch: "http://IP_address:9200",
※Kibana 3 runs entirely in the browser: the analyst's browser, not nginx, connects to the address above on port 9200. That address must be reachable from the analyst's machine, and anything that can reach it has full unauthenticated access to Elasticsearch, so keep 9200 on the analysis network only.

# vi /etc/nginx/conf.d/default.conf
location / {
root /opt/kibana-3.1.1/;
index index.html index.htm;
}

==============================================================
Restarting nginx

#service nginx restart

==============================================================
Installing logstash
wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz

tar zxvf logstash-1.4.2.tar.gz
wget http://logstash.net/docs/1.4.2/tutorials/10-minute-walkthrough/apache-elasticsearch.conf
bin/logstash agent -f apache-elasticsearch.conf web
nc localhost 3333 < apache_log.2

[Memory Forensics] Memory forensics

Correct position of lsass.exe
winlogon.exe
   |
    --- lsass.exe
    --- services.exe
         |
          --- Process_A.exe
          --- Process_B.exe
          --- Process_C.exe
          --- ...
 ※There is only one lsass.exe; if there is more than one, something is wrong.
 ※lsass.exe is created under winlogon.exe (Windows XP / Server 2003; on Vista and later, lsass.exe and services.exe are children of wininit.exe instead).
 ※Other services are created under services.exe.
 ※The start time of lsass.exe is close to the boot time.
Correct location of Explorer.exe
C:\Windows
   |
    --- Explorer.exe
Correct location of iexplore.exe
C:\Program Files
   |
    --- Internet Explorer
         |
          --- iexplore.exe
 ※On 64-bit Windows a second copy lives under C:\Program Files (x86)\Internet Explorer.
About svchost.exe (an anomalous tree)
explorer.exe
   |
    --- svchost.exe
 ※svchost.exe runs with SYSTEM privileges, so
 ※it never appears under explorer.exe, which runs with user privileges; legitimate svchost.exe instances are children of services.exe.
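The rules above, as an added example script (not from any memory forensics tool and not part of the original notes) that applies them to a process list: it flags more than one lsass.exe, an lsass.exe not spawned by winlogon.exe (or wininit.exe on Vista and later) or started long after boot, an svchost.exe whose parent is not services.exe or whose image is outside system32 (the image-path check goes beyond the notes), and explorer.exe / iexplore.exe running from the wrong directory. The process list and boot time are constructed; real input would come from a pslist/pstree-style listing.

```python
"""Process-tree sanity checks on a memory-forensics process list.

Added example; not from the notes above or from any forensics tool.
The sample process list and boot time below are constructed.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    path: str        # full image path as a pslist/pstree-style listing reports it
    start: datetime  # process creation time


# Where the legitimate binaries live (lower-case; compared with ntpath so this runs on any OS).
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    # Beyond the notes: a legitimate svchost.exe image is in system32.
    "svchost.exe": {r"c:\windows\system32"},
}
LSASS_PARENTS = {"winlogon.exe", "wininit.exe"}  # XP/2003 vs. Vista and later


def check_processes(procs, boot_time, max_lsass_delay=timedelta(minutes=2)):
    """Return (pid, message) findings; an empty list means nothing looked wrong."""
    by_pid = {p.pid: p for p in procs}
    findings = []

    def parent_name(p):
        parent = by_pid.get(p.ppid)
        return parent.name.lower() if parent else "<exited/unknown>"

    lsass = [p for p in procs if p.name.lower() == "lsass.exe"]
    if len(lsass) != 1:
        findings.append((None, f"{len(lsass)} lsass.exe processes, expected exactly one"))
    for p in lsass:
        if parent_name(p) not in LSASS_PARENTS:
            findings.append((p.pid, f"lsass.exe parent is {parent_name(p)}, expected winlogon.exe/wininit.exe"))
        if p.start - boot_time > max_lsass_delay:
            findings.append((p.pid, f"lsass.exe started {p.start - boot_time} after boot"))

    for p in procs:
        name = p.name.lower()
        if name == "svchost.exe" and parent_name(p) != "services.exe":
            findings.append((p.pid, f"svchost.exe parent is {parent_name(p)}, expected services.exe"))
        if name in EXPECTED_DIR and ntpath.dirname(p.path).lower() not in EXPECTED_DIR[name]:
            findings.append((p.pid, f"{name} runs from {p.path}, expected {sorted(EXPECTED_DIR[name])}"))
    return findings


# Constructed sample: a normal XP-style tree (first nine entries) plus three planted anomalies.
BOOT = datetime(2014, 1, 7, 2, 0, 0)
SAMPLE = [
    Proc("System", 4, 0, "", BOOT),
    Proc("smss.exe", 368, 4, r"\SystemRoot\System32\smss.exe", BOOT + timedelta(seconds=1)),
    Proc("csrss.exe", 584, 368, r"C:\WINDOWS\system32\csrss.exe", BOOT + timedelta(seconds=3)),
    Proc("winlogon.exe", 608, 368, r"C:\WINDOWS\system32\winlogon.exe", BOOT + timedelta(seconds=4)),
    Proc("services.exe", 652, 608, r"C:\WINDOWS\system32\services.exe", BOOT + timedelta(seconds=5)),
    Proc("lsass.exe", 664, 608, r"C:\WINDOWS\system32\lsass.exe", BOOT + timedelta(seconds=5)),
    Proc("svchost.exe", 840, 652, r"C:\WINDOWS\system32\svchost.exe", BOOT + timedelta(seconds=7)),
    Proc("explorer.exe", 1444, 1420, r"C:\WINDOWS\Explorer.EXE", BOOT + timedelta(seconds=40)),
    Proc("iexplore.exe", 2012, 1444, r"C:\Program Files\Internet Explorer\iexplore.exe", BOOT + timedelta(minutes=5)),
    # Planted anomalies:
    Proc("lsass.exe", 3100, 1444, r"C:\WINDOWS\system32\lsass.exe", BOOT + timedelta(hours=6)),   # second lsass, under explorer, late
    Proc("svchost.exe", 3220, 1444, r"C:\Documents and Settings\user\svchost.exe", BOOT + timedelta(hours=6)),  # under explorer, wrong dir
    Proc("iexplore.exe", 3300, 3220, r"C:\WINDOWS\Temp\iexplore.exe", BOOT + timedelta(hours=6)),  # wrong dir
]

if __name__ == "__main__":
    for pid, msg in check_processes(SAMPLE, BOOT):
        print(f"[pid {pid}] {msg}")
```

On the constructed list the script reports six findings, all on the three planted entries (plus the global "two lsass.exe" count), and none on the first nine legitimate-looking processes. The parent lookup uses the ppid from the same listing, so a parent that has already exited (userinit.exe for explorer.exe, typically) shows as unknown rather than as an anomaly.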

[forensics] SuperTimeline

【Old】(log2timeline 0.x)
# mount -o loop,ro,show_sys_files,streams_interface=windows,offset=32256 /mnt/hgfs/image.dd /mnt/windows_mount
# log2timeline -z Japan -p -r -f winxp /mnt/windows_mount -w supertimeline.txt
# l2t_process -b supertimeline.txt > supertimeline.csv
※offset=32256 is the byte offset of the first partition (sector 63 × 512 bytes). show_sys_files is the ntfs-3g option that exposes $MFT and the other metadata files; the mount is read-only so the image is not modified.

【New】(plaso)
# log2timeline.py -o 63 --parsers "win7" /cases/timeline/myhost.dump image.dd
# psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.dump
※plaso reads the image directly, so no mount is needed; -o 63 is the same partition offset, given in sectors.

【Windows】
log2timeline.exe -o 63 -z Japan -p --vss myhost.dump image.dd
psort.exe -z Japan -w supertimeline.txt myhost.dump

http://plaso.kiddaland.net/usage/upgrading-from-0-x-branch
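Once psort.py / l2t_process has produced the CSV, the usual next step is to pivot on a time of interest and read the events around it. Below is an added example (not part of the notes or of plaso) that parses the l2tcsv layout those tools write (17 columns, date as MM/DD/YYYY) and returns the events inside a window around a pivot time, optionally filtered by a regex over the short/desc columns. The CSV excerpt is constructed for the example, as is the pivot time (chosen to match the first HTTP beacon in the INetSim log further down this page).

```python
"""Pivoting in an l2tcsv supertimeline around a known event time.

Added example; not part of the notes or of plaso/log2timeline.
The CSV excerpt and the pivot time below are constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed l2tcsv excerpt: header plus six events, two of them outside the pivot window.
SAMPLE_CSV = r"""
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/06/2014,23:59:00,Japan,M...,FILE,NTFS $MFT,Content Modification Time,-,myhost,C:/Windows/Prefetch/Layout.ini,"C:/Windows/Prefetch/Layout.ini Type: file",2,image.dd,101,-,filestat,-
01/07/2014,02:30:34,Japan,...B,FILE,NTFS $MFT,Creation Time,-,myhost,C:/Documents and Settings/user/Local Settings/Temp/update.exe,"C:/Documents and Settings/user/Local Settings/Temp/update.exe Type: file",2,image.dd,2201,-,filestat,-
01/07/2014,02:44:58,Japan,M...,REG,Registry Key,Content Modification Time,user,myhost,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] svchost: C:\Documents and Settings\user\svchost.exe",2,image.dd,0,-,winreg,-
01/07/2014,02:45:06,Japan,...B,FILE,NTFS $MFT,Creation Time,-,myhost,C:/Documents and Settings/user/svchost.exe,"C:/Documents and Settings/user/svchost.exe Type: file",2,image.dd,2202,-,filestat,-
01/07/2014,02:46:10,Japan,...B,FILE,NTFS $MFT,Creation Time,-,myhost,C:/Windows/Temp/iexplore.exe,"C:/Windows/Temp/iexplore.exe Type: file",2,image.dd,2203,-,filestat,-
01/07/2014,08:00:00,Japan,M...,LOG,Log File,Content Modification Time,-,myhost,C:/Windows/WindowsUpdate.log,"C:/Windows/WindowsUpdate.log Type: file",2,image.dd,300,-,filestat,-
""".lstrip()

# Constructed pivot: the first HTTP beacon time seen in the INetSim service.log on this page.
BEACON = datetime(2014, 1, 7, 2, 45, 6)


def load_l2tcsv(text):
    """Parse l2tcsv text into dicts, adding a parsed '_ts' datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def pivot(rows, center, before=timedelta(minutes=15), after=timedelta(minutes=15), pattern=None):
    """Events in [center - before, center + after], optionally matching pattern in short/desc, in time order."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    hits = [r for r in rows
            if center - before <= r["_ts"] <= center + after
            and (rx is None or rx.search(r["short"]) or rx.search(r["desc"]))]
    return sorted(hits, key=lambda r: r["_ts"])


def summarize(rows):
    """One line per event: time, MACB flags, source, description."""
    return [f"{r['_ts']:%Y-%m-%d %H:%M:%S} {r['MACB']} {r['source']:<4} {r['desc']}" for r in rows]


if __name__ == "__main__":
    events = load_l2tcsv(SAMPLE_CSV)
    for line in summarize(pivot(events, BEACON)):
        print(line)
    print("--- only svchost-related events ---")
    for line in summarize(pivot(events, BEACON, pattern=r"svchost")):
        print(line)
```

The default window is ±15 minutes; the first run lists the four events around the beacon (the dropped update.exe, the Run key pointing at a user-profile svchost.exe, that file's creation, and a second binary in C:\Windows\Temp), and the regex run narrows it to the two svchost-related ones. Timestamps are taken at face value in the timezone given to -z, so pick the same zone for the pivot.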

INetSim: Internet Services Simulation Suite

Fake servers: DNS, HTTP, and so on. INetSim answers every DNS query with dns_default_ip and serves fake content on the other ports, so a sample's C2 traffic shows up in the logs without ever reaching the Internet.

INetSim: Internet Services Simulation Suite - Project Homepage

# Available service names are:
# dns, http, smtp, pop3, tftp, ftp, ntp, time_tcp,
# time_udp, daytime_tcp, daytime_udp, echo_tcp,
# echo_udp, discard_tcp, discard_udp, quotd_tcp,
# quotd_udp, chargen_tcp, chargen_udp, finger,
# ident, syslog, dummy_tcp, dummy_udp, smtps, pop3s,
# ftps, irc, https


/etc/inetsim/inetsim.conf
service_bind_address 192.168.1.1
dns_default_ip 192.168.1.1
Change the two entries above to the analysis host's own IP address (here "192.168.1.1"), and point the infected VM's DNS server at it. Keep the VM on an isolated network with no other route out.

remnux@remnux:/var/log/inetsim$ inetsim
INetSim 1.2.3 (2012-10-01) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /var/log/inetsim/
Using data directory:     /var/lib/inetsim/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 3521) ===
Session ID:     3521
Listening on:   192.168.1.1
Real Date/Time: Tue Jan  7 02:09:26 2014
Fake Date/Time: Tue Jan  7 02:09:26 2014 (Delta: 0 seconds)
 Forking services...
  * ident_113_tcp - started (PID 3536)
  * time_37_tcp - started (PID 3538)
  * daytime_13_tcp - started (PID 3540)
  * tftp_69_udp - started (PID 3532)
  * dns_53_tcp_udp - started (PID 3523)
  * time_37_udp - started (PID 3539)
  * daytime_13_udp - started (PID 3541)
  * quotd_17_tcp - started (PID 3546)
  * echo_7_tcp - started (PID 3542)
  * discard_9_udp - started (PID 3545)
  * quotd_17_udp - started (PID 3547)
  * finger_79_tcp - started (PID 3535)
  * chargen_19_udp - started (PID 3549)
  * irc_6667_tcp - started (PID 3533)
  * ntp_123_udp - started (PID 3534)
  * chargen_19_tcp - started (PID 3548)
  * dummy_1_udp - started (PID 3551)
  * discard_9_tcp - started (PID 3544)
  * dummy_1_tcp - started (PID 3550)
  * syslog_514_udp - started (PID 3537)
  * echo_7_udp - started (PID 3543)
  * smtps_465_tcp - started (PID 3527)
  * pop3s_995_tcp - started (PID 3529)
  * ftp_21_tcp - started (PID 3530)
  * smtp_25_tcp - started (PID 3526)
  * ftps_990_tcp - started (PID 3531)
  * pop3_110_tcp - started (PID 3528)
  * http_80_tcp - started (PID 3524)
  * https_443_tcp - started (PID 3525)
 done.
Simulation running.



/var/log/inetsim/service.log

[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] connect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] recv: Query Type A, Class IN, Name xxxxxxxxx.ddo.jp
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] send: xxxxxxxxx.ddo.jp 3600 IN A 127.0.0.1
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] disconnect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] stat: 1 qtype=A qclass=IN qname=xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Host: xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Connection: Keep-Alive
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Cache-Control: no-cache
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Pragma: no-cache
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Request URL: http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: No matching file extension configured. Sending default fake file.
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: HTTP/1.1 200 OK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Server: INetSim HTTP Server
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Connection: Close
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Content-Length: 258
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Content-Type: text/html
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Date: Tue, 07 Jan 2014 07:45:06 GMT
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] stat: 1 method=GET url=http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
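The service.log above already contains the indicators an analyst wants (the name the sample resolved, the URL it fetched, any POST body INetSim saved). Below is an added example parser (not part of INetSim) for that line layout, `[timestamp] [main pid] [service childpid] [client] kind: payload`, which collects the DNS names, Host headers, HTTP requests and saved POST-data files per run. The log excerpt is constructed for the example; the domain is made up.

```python
"""Pull network indicators out of an INetSim service.log.

Added example; not part of INetSim. The log excerpt is constructed.
"""
import re

# One service.log line: [ts] [main pid] [service childpid] [client[:port]] kind[: payload]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<main_pid>\d+)\] \[(?P<service>\S+) (?P<svc_pid>\d+)\] "
    r"\[(?P<client>[^\]]+)\] (?P<kind>\w+)(?:: (?P<payload>.*))?$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs on "stat:" lines

# Constructed excerpt in the same layout as the log above (one DNS lookup, a GET and a POST).
SAMPLE_LOG = """\
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] connect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] recv: Query Type A, Class IN, Name c2.example.net
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] send: c2.example.net 3600 IN A 192.168.1.1
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] disconnect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] stat: 1 qtype=A qclass=IN qname=c2.example.net
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Host: c2.example.net
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: User-Agent: Mozilla/4.0
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Request URL: http://c2.example.net/usr/Y-Vm6St6fBt9BgNTez6BOK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] stat: 1 method=GET url=http://c2.example.net/usr/Y-Vm6St6fBt9BgNTez6BOK sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
[2014-01-07 02:46:10] [4033] [http_80_tcp 4190] [192.168.1.2:1066] info: Request URL: http://c2.example.net/gate.php
[2014-01-07 02:46:10] [4033] [http_80_tcp 4190] [192.168.1.2:1066] stat: 1 method=POST url=http://c2.example.net/gate.php sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/abc123
"""


def extract_indicators(log_text):
    """Return a dict of indicator sets plus the lines that did not parse."""
    ioc = {"clients": set(), "dns": set(), "hosts": set(),
           "requests": set(), "postdata_files": set(), "unparsed": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            ioc["unparsed"].append(line)
            continue
        service, kind, payload = m["service"], m["kind"], m["payload"] or ""
        ioc["clients"].add(m["client"].split(":")[0])  # drop the source port
        if service.startswith("http") and kind == "recv" and payload.startswith("Host: "):
            ioc["hosts"].add(payload[len("Host: "):].strip())
        if kind != "stat":
            continue  # only the per-request stat line carries the summary fields
        fields = dict(KV_RE.findall(payload))
        if service.startswith("dns") and fields.get("qname"):
            ioc["dns"].add(fields["qname"])
        elif service.startswith("http") and fields.get("url"):
            ioc["requests"].add((fields.get("method", "?"), fields["url"]))
            if fields.get("postdata"):
                ioc["postdata_files"].add(fields["postdata"])
    return ioc


def report(ioc):
    """Plain-text summary, one indicator per line, in a fixed order."""
    lines = []
    for key in ("clients", "dns", "hosts", "requests", "postdata_files"):
        for item in sorted(ioc[key]):
            lines.append(f"{key}: {item if isinstance(item, str) else ' '.join(item)}")
    if ioc["unparsed"]:
        lines.append(f"unparsed lines: {len(ioc['unparsed'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(extract_indicators(SAMPLE_LOG))))
```

Keying on the `stat:` lines rather than on the `recv:`/`send:` chatter gives one record per DNS query and per HTTP request, which is what goes into the indicator list; the `postdata` path points at the body INetSim stored for a POST, which is where a beacon's exfiltrated data or check-in blob ends up. Because `https_443_tcp` also starts with `http`, HTTPS requests are handled the same way.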

[malware] Malware-Analyzer.com

Malware-Analyzer.com is your solution to malware analysis tools, resources, and discounted malware reverse engineer training. Malware-Analyzer.com has a variety of tools from automated analysis to memory forensics. If you have a malware analysis tool, dissassembler, debugger, or web site you would like featured, please let me know on my contact page!

Malware-Analyzer - Malware Analysis Tools and Resources