CS6262 Project 3 Solved

Agenda
•    Part 1: Analyzing Windows Malware

•    Part 2: Analyzing Android Malware


•    Analyzing Windows Malware

•    You got a malware sample from the wild. Your task is to discover what the malware does by analyzing it.

•    How do you discover the malware’s behaviors?

•    Static Analysis

•    Manual Reverse Engineering

•    Programmatic binary analysis

•    Dynamic Analysis

•    Network behavioral tracing

•    Run-time system behavioral tracing (File/Process/Thread/Registry)

•    Symbolic Execution

•    Fuzzing

•    In our scenario, you are going to analyze the given malware with tools that we provide.

•    These tools help you to analyze the malware with static and dynamic analysis.

•    Objective

1.       Find which server controls the malware (the command and control (C2) server)

2.       Discover how the malware communicates with the command and control (C2) server

•     URL and Payload

3.       Discover what activities are done by the Linux malware

•     Attack activities

•     Requirement

•     Make sure that no malware traffic goes out from the virtual machine

•     But, updating the malware (stage 2), and downloading the Linux malware (stage 3) must be allowed for us to understand the malware’s behavior

•     The command and control server is dead. You need to reconstruct it

•     Use tools to reconstruct the server, then reveal hidden behaviors of the malware

•     Analyze network traffic on the host, and figure out the list of available commands for the malware

•     Analyze network traffic trace of the host, and figure out what malware does

•     Write down your answer into assignment-questionnaire.txt

•     A Virtual Machine for Malware analysis

•     Please install/update to the latest version of VirtualBox.

•     https://www.virtualbox.org/wiki/Downloads

•     Download the VM

•     Download the project VM from one of the following links

•     https://gtvaultmy.sharepoint.com/:u:/g/personal/vraymond6_gatech_edu/EeOzzyYd43FDrkx0sw8-xF0Bf4XWBPMHpdatP9gVayO59A?e=3I5kRw

•     MD5 Hash: 19E3E05638172762959C4C9E8D89E373

•     Network Configurations

(Network diagram of the Ubuntu analysis host; the interfaces it shows are listed below.)

•     Network Configurations

•     tap0

•     Virtual network interface for Windows XP

•     IP Address: 192.168.133.101

•     br0

•     A network bridge between Windows XP and Ubuntu

•     IP Address: 192.168.133.1

•     enp0s3

•     A network that faces the Internet

•     IP Address: 10.0.2.15 (it varies with your VirtualBox settings)

•     Open VirtualBox

•     Go to File-Import Appliance.

•     Select the ova file and import it.

•     For detailed information on how to import the VM, see:

•     https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html

•     VM user credentials

•     Username: analysis

•     Password: analysis

•     In the Virtual Machine (VM)

•     Files

•     init.py

•     This initializes the project environment

•     Type your Georgia Tech username (your Canvas login name) after running this

•     e.g. $ ./init.py

•     update.sh

•     This script updates the VM if any further update has been made by TAs

•     Please run this script when you start the project! (If it says that you’re already updated when you run it, that’s fine)

•     If you have already completed stage 1 before running update.sh, you do NOT need  to redo stage 1 – but you will need to run update.sh to complete stage 2

•     archive.sh

•     This will archive the answer sheet for submission (create a zip file)

•     In the Virtual Machine (VM)

•     Directories

•     vm

•     A directory that stores the Windows XP virtual machine (runs with QEMU)

•     We use the given VM for both Cuckoo and a testbed. Please see page 19.

•     shared

•     A shared directory between the Ubuntu host and Windows guest (XP is running on a VM within your project VM). You can copy/move files to or from this directory.

•     Please see page 22.

•     report

•     The answer sheet for project questionnaire.

•     setup

•     Required files for setting up the machine. You don’t need to modify, nor use, the files in this directory.

•     In the Virtual Machine (VM)

•     Directories

•     tools

•     network

•     Configure your network firewall rules (iptables) by editing iptables-rules.

•     You can allow/disallow/redirect the traffic from the malware

•     ‘./reset’ command in this directory will apply the changes

•     cfg-generation (CFG stands for Control-Flow Graph)

•     An analysis tool that helps you to find interesting functions of malicious activity

•     You need to edit score.h to generate the control-flow graph

•     Use xdot to open the generated CFG.

•     In the Virtual Machine (VM)

•     Directories

•     tools

•     sym-exec

•     A symbolic executor (based on angr: https://github.com/angr)

•     Helps you to figure out the commands that malware expects

•     Use cfg-generation tool to figure out the address of the function of interests

•     c2-command

•     A simplified tool for C2 server reconstruction

•     Write each command as one line in the *.txt file

•     It will randomly choose one command at a time to send to the malware

•     Malware

•     stage1.exe – stage 1 malware

•     It will download the stage 2 malware if this malware receives the correct command

•     stage2.exe – stage 2 malware

•     It will download the stage 3 malware if this malware receives the correct command

•     payload.exe – the Linux malware attack payload

•     Analyze the dynamic instruction trace 

•     Write a script to detect where the C&C communication happens – Find the loop entry point and function sequence in the loop

•     Add a constraint to the symbolic execution to limit the loop to one iteration

•     Find the feasible attacks within the given set of possible attacks.
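The loop-finding step above is mechanical enough to script. The following is an added example, not part of the project's tooling or the course materials: it takes a dynamic function-entry trace (the trace format, the addresses and the import map are all constructed here for illustration), finds the earliest back-to-back repeating sequence of function entries, reports the loop entry point and the function sequence in the loop body, and flags which entries resolve to network APIs. The `find_loop` routine is a general shortest-period search, so it also works on traces with a different loop shape than the sample.

```python
"""
Loop detection over a dynamic function-entry trace (added example).

Assumed trace format (constructed for this example): one line per function
entry, "<tick> <hex address>". IMPORT_NAMES is a hypothetical import map of
the kind a disassembler's import table would give you; the addresses are
illustrative and not taken from any project binary.
"""

# Constructed trace: a setup phase, a polling loop that runs three times, then cleanup.
SAMPLE_TRACE = """\
1 0x401000
2 0x401050
3 0x401200
4 0x7c80ae40
5 0x7c80b000
6 0x401300
7 0x401200
8 0x7c80ae40
9 0x7c80b000
10 0x401300
11 0x401200
12 0x7c80ae40
13 0x7c80b000
14 0x401300
15 0x401400
"""

# Hypothetical import resolution for the constructed addresses above.
IMPORT_NAMES = {
    0x7C80AE40: "InternetOpenUrlA",
    0x7C80B000: "InternetReadFile",
}

# API names that indicate the loop body talks to the network.
NETWORK_APIS = {"InternetOpenUrlA", "InternetReadFile", "send", "recv", "connect"}


def parse_trace(text):
    """Parse '<tick> <hex address>' lines into a list of integer addresses."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _tick, addr = line.split()
        addrs.append(int(addr, 16))
    return addrs


def find_loop(addrs, min_iterations=2):
    """Return (entry_index, period, iterations) for the earliest repeating run.

    Candidates are scanned by start index first and then by increasing period,
    so the first match is the earliest loop and, for that loop, the shortest
    body (one iteration is never reported as two). Returns None if no
    sequence repeats back-to-back at least `min_iterations` times.
    """
    n = len(addrs)
    for start in range(n):
        for period in range(1, (n - start) // min_iterations + 1):
            body = addrs[start:start + period]
            reps = 1
            # Keep consuming consecutive copies of the body; a short tail slice
            # never equals a non-empty body, so this stops at the end of the trace.
            while addrs[start + reps * period:start + (reps + 1) * period] == body:
                reps += 1
            if reps >= min_iterations:
                return start, period, reps
    return None


def describe_loop(addrs, loop, names=IMPORT_NAMES):
    """Resolve the loop body to names and pick out the network-facing calls."""
    start, period, reps = loop
    body = addrs[start:start + period]
    sequence = [names.get(a, f"sub_{a:x}") for a in body]
    return {
        "entry": f"0x{addrs[start]:x}",
        "sequence": sequence,
        "iterations": reps,
        "network_calls": [s for s in sequence if s in NETWORK_APIS],
    }


def analyze(text):
    """Parse a trace and describe its first loop, or return None if there is none."""
    addrs = parse_trace(text)
    loop = find_loop(addrs)
    return None if loop is None else describe_loop(addrs, loop)


if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE))
```

On the sample trace the loop is entered at the third function entry, its body is four functions long, and two of them resolve to WinINet calls, which is the signature of a polling loop that fetches commands. The reported entry address and period are exactly the two facts needed for the next step on the page: constraining the symbolic executor so that the loop body is explored once.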

Questionnaire
•    1) To get credit for the project, you have to answer the questionnaire, found at ~/report/assignment-questionnaire.txt!

•    2) Please strictly follow the format or the example answer for each question in assignment-questionnaire.txt. TAs use an autograder for your submission.

•    Windows Part

•    Read ~/report/assignment-questionnaire.txt

•    Carefully read the questions, and answer them in ~/report/assignment-questionnaire.txt

•    For each stage, there are 4-6 questions regarding the behavior of the malware.

•    Android Part

•    READ ~/Android/MaliciousMessenger/writeup.pdf

•    Carefully read the writeup, answer in ~/report/assignment-questionnaire.txt
