Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

Malware analysis is like defusing bombs. The objective is to disassemble and understand a program that was built to do harm or spy on computer users (oops, this is where the bomb analogy fails, but one gets the point). That program is often obfuscated (ie: packed) to make the analysis more complex and sometimes dangerous. This blog post introduces a tool that we have built that creates Windows Virtual Machines (VMs) without any user interaction. Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis. We will then explore how to use the tool, its architecture and where we want to take it.

 

TL;DR

We are announcing the first « official » release of malboxes, a tool meant to help build safe and featureful Windows machines for malware analysis. Accessible to anyone, it even uses trial versions of Windows if one doesn’t have his own license.

 

Cut the Red or the Blue Wire?

When performing malware analysis one must be careful to avoid infecting one’s machine or triggering a trap door inside the malware. Consequences can vary from the leak of internal information, products or licenses, to the identification of an organization’s IP addresses all the way to wiping the infected computer. This is the reason why malware analysis needs to be done in isolated physical or virtual machines.

Configuring such a virtual machine takes a while and when someone has built one, they tend to add tools to it, update it and stick to it. Copy and paste of disk images and snapshots are then usually used before starting a new analysis. A whole chapter in the reference book on malware analysis – Practical Malware Analysis – is dedicated to the topic of setting up a Virtual Machine in a safe way. Automating and speeding up this process would be the natural evolution of this practice.

 

Leveraging the DevOps Ecosystem

A few years ago, based on a successful experience using Vagrant to manage development environments, we decided to look at the options to manage Windows virtual machines. Unfortunately, at the time Vagrant didn’t natively support Windows guests and so we moved on. A year ago, we re-evaluated the possibility and it turned out that it is now possible thanks to Microsoft and its maturing DevOps ecosystem.

However, one problem faced using Vagrant and Packer directly is that the Windows-specific configuration required is non-obvious. Instead of building our own complex configuration files and invoke Packer or Vagrant directly we decided to do an abstraction layer focused for people interested in malware analysis and thus is born malboxes.

 

Introducing Malboxes

There is nothing like a demo to understand the amount of work that is saved by using this tool:

What can be seen here is that by using two simple commands (build and spin) malboxes built a Windows 10 Enterprise Evaluation virtual machine (VM) template and then launched a copy of it with the current folder shared on the Desktop of the VM.

The following tools are installed as part of the build process:

  • windbg
  • The whole sysinternal suite
  • Fiddler
  • Wireshark with npcap (a Windows 10 compatible winpcap replacement)
  • IDA Pro remote debuggers (if IDA Pro is installed on the host)

The following changes are made to the guest operating system:

  • Disables automatic updates
  • Disables Windows Defender

Doing all of this by hand might take half a day but with malboxes it’s a matter of minutes.

 

Getting One’s Hands Dirty

Once installed, the tool is meant to be used on the command-line.

To list supported profiles:

$ malboxes list
supported profiles:
win10_32_analyst
win10_64_analyst
win7_32_analyst

To build a Windows 10 64-bit analysis machine:

malboxes build win10_64_analyst

Once that process is done, a vagrant box is imported. From there, that base box can be re-used as much as needed for individual analysis tasks. For example, let’s say one analyzes a sample of Sirefef. It’s only a matter of generating the proper vagrant config referring to this base box. malboxes provides a convenient wrapper to generate the proper Vagrantfile:

$ mkdir Win32.Sirefef.EV/
$ cd Win32.Sirefef.EV/
$ malboxes spin win10_64_analyst Win32.Sirefef.EV
Creating a Vagrantfile
Vagrantfile generated. You can move it in your analysis directory and issue a `vagrant up` to get started with your VM.
$ vagrant up

The analysis VM is now ready!

 

Malboxes’ Architecture

In a nutshell, malboxes wraps together:

Malboxes Configuration Example

 

Benefits of this architecture include leveraging chocolatey packages. This means one can install anything available in the extensive chocolatey package gallery with a single command. The default list of packages installed can be modified in malboxes’ configuration file. Additionally, packaging for chocolatey is straightforward so there is a huge network effect around chocolatey right now which we benefit from.

Another benefit is that malboxes, packer, vagrant and the PowerShell scripts all stay out of the guest. There is no custom guest agent on the VM and we have plans for further automated cloaking and multiple hypervisor support.

Malboxes is built in Python 3 and supports the following host operating systems:

  • Windows
  • MacOS
  • Linux

The Future

We will cover more use cases in upcoming blog posts, namely:

  • A team analysis workflow where an investigation is shared among analysts
  • Ways to automatically customize the VM in order to use it as a honeypot VM for a specific threat

We invite anyone interested in contributing but who doesn’t know where to start to look at our TODO file, located in the repository. Ideas and issues are also welcome, of course.

We believe there are more people working in IT Security than malware authors. However, malware analysis is still considered an art reserved to a skilled few. With our tool, we hope to make malware analysis more accessible by providing easy to build, batteries included, virtual machines. With this tool and others like the Cuckoo sandbox, more IT Security professionals or students eager to learn will be able to look at suspicious binary files and inspect them manually and safely.

Special thanks to Hugo Genesse for his help on this blog post.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

DERNIER COMMUNIQUÉ DE PRESSE

BLOGUE GOSECURE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858