<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="author" content="Olivier Bilodeau, <[email protected]>"><title>Malboxes: Making Malware Analysis More Accessible</title><meta content="yes" name="apple-mobile-web-app-capable"><meta content="black-translucent" name="apple-mobile-web-app-status-bar-style"><meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui" name="viewport"><link href="reveal.js/css/reveal.css" rel="stylesheet"><link rel="stylesheet" href="reveal.js/css/theme/gosecure.css" id="theme"><link href="reveal.js/lib/css/zenburn.css" rel="stylesheet"><script>var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? "reveal.js/css/print/pdf.css" : "reveal.js/css/print/paper.css";
document.getElementsByTagName( 'head' )[0].appendChild( link );</script><!--[if lt IE 9]><script src="reveal.js/lib/js/html5shiv.js"></script><![endif]--><link rel="stylesheet" href="gosecure.css"></head><body><div class="reveal"><div class="slides"><section class="title" data-state="title" data-background-size="contain" data-background-image="images/theme/title-slide-bg.jpg" data-background-color="#ffffff"><h1>Malboxes</h1><h2>Making Malware Analysis More Accessible</h2><p class="author"><small>Olivier Bilodeau, <[email protected]></small></p></section><section id="whoami"><h2>$ whoami</h2><div class="ulist"><ul><li><p>Cybersecurity Researcher at GoSecure+CounterTack <span class="image right"><img src="images/gosecure.png" alt="gosecure" width="200"></span></p></li><li><p>3rd time speaking at SecTor over the last 4 editions</p></li><li><p>Co-founder Montrehack (hands-on security workshops) <span class="image right"><img src="images/nsec.png" alt="nsec" width="150"></span></p></li><li><p>VP Training and Hacker Jeopardy at NorthSec</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Previously</p><div class="ulist"><ul><li><p>Malware Researcher at ESET</p></li><li><p>Infosec lecturer at ETS University in Montreal</p></li><li><p>Infosec developer, network admin, linux system admin</p></li></ul></div></li><li><p>MontreHack running monthly for 5 years!</p></li></ul></div></aside></section>
<section id="agenda"><h2>Agenda</h2><div class="ulist"><ul><li><p>Problem space</p></li><li><p>Malboxes</p></li><li><p>Demo</p></li><li><p>Future work</p></li></ul></div></section>
<section id="problem_space" class="topic" data-background-color="#da291c"><h2>Problem Space</h2></section>
<section id="context"><h2>Context</h2><div class="videoblock stretch"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/kZH9JtPBq7k?rel=0&start=34" frameborder="0" allowfullscreen data-autoplay></iframe></div>
<aside class="notes"><div class="ulist"><ul><li><p>this is how we do malware analysis</p></li><li><p>manual</p></li><li><p>needs a lot of resources (lab full of ppl)</p></li><li><p>relatively boring</p></li><li><p>yet very impressive</p></li><li><p>but ppl like gosecure can’t afford that</p></li></ul></div></aside></section>
<section id="current_toolchain_customization"><h2>Current toolchain (customization)</h2><div class="ulist"><ul><li><p>Vanilla Windows 7 VMs (or more recent versions)</p></li><li><p>No trace of a previous user</p></li><li><p>Manual customization</p></li><li><p>Can lead to cross-infected VMs</p></li><li><p>Can’t build or reuse templates</p></li><li><p>Also time consuming</p></li></ul></div></section>
<section id="problems_of_malware_analysis"><h2>Problems of malware analysis</h2><div class="ulist"><ul><li><p>Not accessible to newcomers</p></li><li><p>Easy to mess things up</p></li><li><p>Teamwork is hard (tools don’t encourage it)</p></li><li><p>Building a credible environment is time consuming</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>afraid to infect themselves</p></li></ul></div></aside></section>
<section id="ways_to_mess_things_up"><h2>Ways to mess things up</h2><div class="imageblock" style=""><img src="images/good_job_eset_cropped.png" alt="good job eset cropped" width="100%"></div>
<aside class="notes"><div class="paragraph"><p>lack of integrated/enforced best practices can lead to leaks</p></div></aside></section>
<section id="also_dealing_with_vm_problems"><h2>Also, dealing with VM problems</h2><div class="videoblock stretch"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/LaApqL4QjH8?rel=0&start=3" frameborder="0" allowfullscreen data-autoplay></iframe></div>
<aside class="notes"><div class="ulist"><ul><li><p>requires skill</p></li><li><p>time consuming</p></li><li><p>why don’t we simply destroy / re-create</p></li></ul></div></aside></section>
<section id="recent_opportunities" class="topic" data-background-color="#da291c"><h2>Recent Opportunities</h2></section>
<section id="devops"><h2>DevOps</h2><div class="paragraph"><p>Why would the devops people have all the fun?</p></div>
<div class="imageblock" style=""><img src="images/devops.gif" alt="devops" width="600"></div>
<aside class="notes"><div class="ulist"><ul><li><p>Devops changed traditional IT</p></li><li><p>No one is looking back</p></li><li><p>But besides Linux servers, no one else is doing it</p></li></ul></div></aside></section>
<section data-background-image="images/pets-vs-cattle.jpeg" data-background-size="contain">
<aside class="notes"><div class="ulist"><ul><li><p>The famous pets vs cattle analogy</p></li><li><p>Core principle: Infrastructure as code</p></li><li><p>Reproducible</p></li><li><p>Throw-away</p></li><li><p>Efficient</p></li></ul></div></aside></section>
<section id="inspiration"><h2>Inspiration</h2><div class="videoblock stretch"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/JamZi-WVJ_s?rel=0&start=57" frameborder="0" allowfullscreen data-autoplay></iframe></div>
<aside class="notes"><div class="ulist"><ul><li><p>This machine builds railroads</p></li><li><p>This guy is just supervising it</p></li><li><p>checking emails, smartphone, etc.</p></li><li><p>We built something like that to create machines for malware analysis</p></li></ul></div></aside></section>
<section id="malboxes" class="topic" data-background-color="#da291c"><h2>Malboxes</h2></section>
<section id="architecture"><h2>Architecture</h2><div class="listingblock"><div class="content"><pre class="highlight"><code data-noescape>                          FRONT-END                BACK-END
+---------------+     +---------------+     +--------------------+
|               |     |               +---> | Autounattend.xml   |
|               +---> |    packer     |     +--------------------+
|               |     |               +-+
|               |     +---------------+ |   +--------------------+
|  malboxes.py  |                       +-> |                    |
|               |     +---------------+     |         PowerShell |
|               |     |               |     | WinRM      winrmcp |
|               +---> |    vagrant    +---> |              Shell |
|               |     |               |     |         Chocolatey |
+---------------+     +---------------+     +--------------------+
                      +------------------------------------------+
                      |                                          |
                      |    VirtualBox / vSphere (ESXi) / KVM     |
                      |                                          |
                      +------------------------------------------+</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>4 years ago this wasn’t possible (shoulders of giants)</p><div class="ulist"><ul><li><p>vagrant didn’t work on Windows</p></li></ul></div></li><li><p>Reusing existing devops tools</p><div class="ulist"><ul><li><p>packer: machine image builder</p></li><li><p>vagrant: configure reproducible operating environments</p></li><li><p>WinRM: Windows Remote Management</p></li></ul></div></li></ul></div></aside></section>
<section id="batteries_included"><h2>Batteries included</h2><div class="ulist"><ul><li><p>Tools automatically installed based on profiles</p><div class="ulist"><ul><li><p>all sysinternal tools</p></li><li><p>windbg</p></li><li><p>putty</p></li><li><p>fiddler</p></li><li><p>wireshark</p></li></ul></div></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>only limited by your imagination (or Chocolatey packages)</p></li></ul></div></aside></section>
<section id="dealing_with_vm_problems"><h2>Dealing with VM problems</h2><div class="imageblock" style=""><img src="images/train-cat-attack.gif" alt="train cat attack" width="800"></div>
<aside class="notes"><div class="ulist"><ul><li><p>you have a problem</p></li><li><p>you are angry</p></li><li><p>but it should be</p></li></ul></div></aside></section>
<section data-background-image="images/train-cat-doesnt-care.gif" data-background-size="contain">
<aside class="notes"><div class="ulist"><ul><li><p>this</p></li></ul></div></aside></section>
<section id="how_can_i_get_this"><h2>How can I get this?</h2><div class="listingblock oversize130"><div class="content"><pre class="highlight"><code data-noescape>pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes</code></pre></div></div>
<aside class="notes"><div class="paragraph"><p>cross platform: Windows, Linux, should work on Macs too</p></div></aside></section>
<section id="recent_releases" class="topic" data-background-color="#da291c"><h2>Recent releases</h2></section>
<section id=""><h2>0.3.0</h2><div class="ulist"><ul><li><p>Windows 7 x86 and x64 templates</p></li><li><p>ESXi / vSphere support</p></li><li><p>Added concept of profiles (experimental)</p></li></ul></div></section>
<section id=""><h2>0.4.0</h2><div class="ulist"><ul><li><p>Improved profiles (experimental)</p></li><li><p>Continuous build system</p></li><li><p>Configure a mandatory proxy in the VM</p></li><li><p>Fixes</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>released monday night at 3 am</p></li><li><p>continuous build system took a long time to do</p></li></ul></div></aside></section>
<section id="how_does_it_work"><h2>How does it work?</h2><div class="ulist"><ul><li><p>Check the available templates</p><div class="literalblock oversize2"><div class="content"><pre>$ malboxes list</pre></div></div></li><li><p>Build the Vagrant box from a template</p><div class="literalblock oversize2"><div class="content"><pre>$ malboxes build &lt;template&gt;</pre></div></div></li><li><p>Spin a <code>Vagrantfile</code> for each of your analyses, then launch it</p><div class="literalblock oversize2"><div class="content"><pre>$ malboxes spin
$ vagrant up</pre></div></div></li></ul></div></section>
<section id="available_templates"><h2>Available Templates</h2><div class="ulist"><ul><li><p>win10_32_analyst</p></li><li><p>win10_64_analyst</p></li><li><p>win7_32_analyst</p></li><li><p>win7_64_analyst</p></li></ul></div>
<aside class="notes"><div class="paragraph"><p>Note that Windows 8 templates should be really easy to do; I have them almost ready, but
there hasn’t really been any interest</p></div></aside></section>
<section id="profiles"><h2>Profiles</h2><div class="ulist"><ul><li><p>Additional configuration to customize one box even further</p></li><li><p>Available commands</p><div class="ulist"><ul><li><p>shortcut</p></li><li><p>registry</p></li><li><p>package</p></li><li><p>document</p></li><li><p>directory</p></li><li><p>packer</p></li></ul></div></li></ul></div>
<aside class="notes"><div class="paragraph"><p>Describe them a little</p></div></aside></section>
<section id="result"><h2>Result</h2><div class="videoblock stretch"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/oq6N3WLAoe8?rel=0" frameborder="0" allowfullscreen data-autoplay></iframe></div></section>
<section id="useful_for"><h2>Useful for</h2><div class="ulist"><ul><li><p>Reduce art, augment science</p></li><li><p>Get new people into malware analysis</p></li><li><p>Centralize / standardize VM creation in teams</p></li></ul></div></section>
<section id="demo" class="topic" data-background-color="#da291c"><h2>Demo</h2><aside class="notes"><div class="ulist"><ul><li><p>start wireshark</p></li><li><p>enable network in VM</p></li><li><p>open malicious document</p></li><li><p>Alt-F11 → run macro manually (if it didn’t happen automatically)</p></li><li><p>Cut network</p></li><li><p>See in Wireshark, copy full URL, show the 404</p></li><li><p>Pivot to VT with URL</p></li><li><p>Look at detection names</p></li></ul></div></aside></section>
<section id="future_work" class="topic" data-background-color="#da291c"><h2>Future work</h2></section>
<section id="where_is_this_headed"><h2>Where is this headed?</h2><div class="ulist"><ul><li><p>Counter anti-{VM,sandbox} detection (hide virtualization artifacts from the sample)</p></li><li><p>Sysmon integration</p></li><li><p>Manage the network isolation with subcommands</p></li><li><p>Ansible for provisioning</p></li><li><p>Rework the approach to configuration</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>elaborate on sysmon, inspired by Peter from yesterday’s talk</p></li><li><p>elaborate on network isolation: vboxnet w/ gateway or flare-fakenet-ng</p></li><li><p>ansible: some folks from github and Nick Aleks from yesterday’s party</p></li></ul></div></aside></section>
<section id="the_docker_opportunity"><h2>The Docker opportunity</h2><div class="ulist"><ul><li><p>Docker happened</p></li><li><p>Depart from the one global config</p></li><li><p>Focus on multi-machine and config stacking</p></li></ul></div>
<aside class="notes"><div class="paragraph"><p>since we started, docker happened, and it changed devops even more</p></div></aside></section>
<section id="malboxfile"><h2>Malboxfile</h2><div class="listingblock oversize130"><div class="content"><pre class="highlight"><code data-noescape>client:
  os: windows7_64
  # product_key: abcd-efgh-ijkl
  network: fakenet
  defender: false
  windows_updates: false
  packages: [wireshark, x64dbg.portable, sysinternal]
  powershell:
    - script1.ps1: [with, arguments]
  domain: example.com
server:
  os: windows_server_2016
  defender: true
  domain: example.com</code></pre></div></div></section>
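<section id="malboxfile_checks"><h2>Checking a Malboxfile before <code>vagrant up</code></h2><div class="paragraph"><p>The Malboxfile above is a proposal, so nothing validates it yet. The script below is an added example written for this page, not malboxes code: it walks the proposed layout and flags the settings an analyst cares about before detonating a sample, namely a <code>network</code> mode that does not keep the sample off the real network, a <code>product_key</code> committed next to the rest of the config, Defender left on, and a declared <code>domain</code> that no server machine in the same file provides. The set of isolated network modes, the known OS names, the behaviour when <code>network</code> is omitted and the domain rule are assumptions of this example, not a schema the project defines; the slide’s Malboxfile is embedded as a Python dict so the check runs without a YAML library.</p></div>

```python
"""Pre-flight checks for a (proposed) Malboxfile.

Added example, not malboxes code. The machine/key layout mirrors the
Malboxfile proposal on the slide; the allowed values, default behaviour
and rules below are this example's own assumptions.
"""

# Assumed network modes that keep a detonated sample off the real network.
ISOLATED_NETWORKS = {"fakenet", "none", "host-only"}
# Assumed network modes that give the sample a path to the Internet or LAN.
LIVE_NETWORKS = {"nat", "bridged"}
# Assumed os identifiers; only windows7_64 and windows_server_2016 appear on the slide.
KNOWN_OS = {"windows7_32", "windows7_64", "windows10_32", "windows10_64",
            "windows_server_2016"}


def check_machine(name, cfg):
    """Return (severity, message) findings for one machine entry."""
    findings = []
    os_name = cfg.get("os")
    if os_name not in KNOWN_OS:
        findings.append(("error", f"{name}: unknown os {os_name!r}"))

    network = cfg.get("network")
    if network is None:
        findings.append(("warning", f"{name}: no network set; the hypervisor default (usually NAT) applies"))
    elif network in LIVE_NETWORKS:
        findings.append(("error", f"{name}: network {network!r} lets a sample reach the Internet or LAN"))
    elif network not in ISOLATED_NETWORKS:
        findings.append(("error", f"{name}: unknown network mode {network!r}"))

    # A real product key in a committed lab config is a leaked secret.
    if "product_key" in cfg:
        findings.append(("warning", f"{name}: product_key is stored in the Malboxfile; keep license keys out of committed config"))

    # Defender left on will quarantine most samples before they run.
    if cfg.get("defender", True):
        findings.append(("info", f"{name}: Windows Defender enabled; it may quarantine the sample"))

    packages = cfg.get("packages", [])
    if not (isinstance(packages, list) and all(isinstance(p, str) for p in packages)):
        findings.append(("error", f"{name}: packages must be a list of Chocolatey package names"))

    # Each powershell entry is a single-key mapping: script name -> argument list.
    for entry in cfg.get("powershell", []):
        if not (isinstance(entry, dict) and len(entry) == 1
                and all(isinstance(a, list) for a in entry.values())):
            findings.append(("error", f"{name}: powershell entry {entry!r} must be {{script.ps1: [args]}}"))
    return findings


def check_malboxfile(doc):
    """Check every machine, then the cross-machine domain rule (assumed: a
    declared domain needs a Windows Server machine in the same file)."""
    findings = []
    for name, cfg in doc.items():
        findings.extend(check_machine(name, cfg))
    served = {cfg.get("domain") for cfg in doc.values()
              if str(cfg.get("os", "")).startswith("windows_server")}
    for name, cfg in doc.items():
        domain = cfg.get("domain")
        if domain and domain not in served:
            findings.append(("warning", f"{name}: joins domain {domain!r} but no server machine provides it"))
    return findings


def is_safe_to_spin(doc):
    """True when no finding is an error."""
    return not any(sev == "error" for sev, _ in check_malboxfile(doc))


# The Malboxfile from the slide, written as a Python dict (no YAML library needed).
SLIDE_MALBOXFILE = {
    "client": {"os": "windows7_64", "network": "fakenet", "defender": False,
               "windows_updates": False,
               "packages": ["wireshark", "x64dbg.portable", "sysinternal"],
               "powershell": [{"script1.ps1": ["with", "arguments"]}],
               "domain": "example.com"},
    "server": {"os": "windows_server_2016", "defender": True, "domain": "example.com"},
}

# Constructed counter-example: a box that would leak the sample and a license key.
RISKY_MALBOXFILE = {
    "client": {"os": "windows7_64", "network": "bridged",
               "product_key": "abcd-efgh-ijkl", "defender": False,
               "packages": "wireshark", "domain": "lab.local"},
}

if __name__ == "__main__":
    for label, doc in (("slide", SLIDE_MALBOXFILE), ("risky", RISKY_MALBOXFILE)):
        print(f"[{label}] safe to spin: {is_safe_to_spin(doc)}")
        for sev, msg in check_malboxfile(doc):
            print(f"  {sev:7} {msg}")
```

<div class="paragraph"><p>Run stand-alone, the script accepts the slide’s configuration (one warning because the server has no explicit <code>network</code>, one note that Defender is on there) and refuses the constructed bridged-network variant, whose product key and malformed <code>packages</code> entry are reported alongside the network problem.</p></div></section>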
<section id="expand_to_other_use_cases"><h2>Expand to other use cases</h2><div class="ulist"><ul><li><p>RDP Honeypots</p></li><li><p>Multi-machine Labs</p></li></ul></div></section>
<section id="more_back_ends"><h2>More Back-Ends</h2><div class="ulist"><ul><li><p>KVM / QEMU (already in progress)</p></li><li><p>Proxmox</p></li></ul></div></section>
<section id="the_ecosystem"><h2>The Ecosystem</h2><div class="ulist"><ul><li><p>Flare-VM</p></li><li><p>OALabs-VM</p></li></ul></div></section>
<section id="the_struggles"><h2>The Struggles</h2><div class="ulist"><ul><li><p>Long test cycles due to Windows installs</p></li><li><p>Hard to debug</p></li><li><p>Chocolatey fails <strong>a lot</strong></p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>debug: guest vs host, packer, virtualbox, port forwarding, disk i/o</p></li></ul></div></aside></section>
<section id="help_wanted"><h2>Help Wanted!</h2><div class="ulist"><ul><li><p>Code: <a href="https://github.com/GoSecure/malboxes" class="bare">https://github.com/GoSecure/malboxes</a> <span class="image right"><img src="images/train-fun-together.png" alt="train fun together" width="400"></span></p></li><li><p>Chat: <a href="https://gitter.im/malboxes_/Lobby" class="bare">https://gitter.im/malboxes_/Lobby</a></p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>we are starting to have a nice small and friendly community</p></li></ul></div></aside></section>
<section id="lets_get_to_work"><h2>Let’s get to work!</h2><div class="imageblock" style=""><img src="images/fast-train.gif" alt="fast train"></div>
<aside class="notes"><div class="ulist"><ul><li><p>we need to attract more young people into malware reverse engineering</p></li><li><p>it needs to be simpler for beginners</p></li><li><p>because the malware train isn’t stopping!</p></li></ul></div></aside></section>
<section id="questions"><h2>Questions?</h2><div class="imageblock" style=""><img src="images/train-loop.gif" alt="train loop"></div>
<div class="paragraph"><p>Big Thanks to all contributors!</p></div>
<div class="paragraph"><p>Hugo Genesse, Gregory Leblanc, @snakems, @pix, Camille Moncelier, @xambroz, @malwarenights, Mathieu Tarral</p></div></section></div></div><script src="reveal.js/lib/js/head.min.js"></script><script src="reveal.js/js/reveal.js"></script><script>// See https://github.com/hakimel/reveal.js#configuration for a full list of configuration options
Reveal.initialize({
// Display controls in the bottom right corner
controls: false,
// Display a presentation progress bar
progress: true,
// Set a per-slide timing for speaker notes, null means none
defaultTiming: null,
// Display the page number of the current slide
slideNumber: false,
// Push each slide change to the browser history
history: true,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Vertical centering of slides
center: false,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// Randomizes the order of slides each time the presentation loads
shuffle: false,
// Turns fragments on and off globally
fragments: true,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Flags if we should show a help overlay when the questionmark
// key is pressed
help: true,
// Flags if speaker notes should be visible to all viewers
showNotes: false,
// Global override for autoplaying embedded media (video/audio/iframe)
// - null: Media will only autoplay if data-autoplay is present
// - true: All media will autoplay, regardless of individual setting
// - false: No media will autoplay, regardless of individual setting
autoPlayMedia: null,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// Hides the address bar on mobile devices
hideAddressBar: true,
// Opens links in an iframe preview overlay
previewLinks: false,
// Theme (e.g., beige, black, league, night, serif, simple, sky, solarized, white)
// NOTE setting the theme in the config no longer works in reveal.js 3.x
//theme: Reveal.getQueryHash().theme || 'gosecure',
// Transition style (e.g., none, fade, slide, convex, concave, zoom)
transition: Reveal.getQueryHash().transition || 'none',
// Transition speed (e.g., default, fast, slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds (e.g., none, fade, slide, convex, concave, zoom)
backgroundTransition: 'slide',
// Number of slides away from the current that are visible
viewDistance: 3,
// Parallax background image (e.g., "'https://s3.amazonaws.com/hakim-static/reveal-js/reveal-parallax-1.jpg'")
parallaxBackgroundImage: '',
// Parallax background size in CSS syntax (e.g., "2100px 900px")
parallaxBackgroundSize: '',
// The "normal" size of the presentation, aspect ratio will be preserved
// when the presentation is scaled to fit different resolutions. Can be
// specified using percentage units.
width: 1080,
height: 700,
// Factor of the display size that should remain empty around the content
margin: 0.01,
// Bounds for smallest/largest possible scale to apply to content
minScale: 0.2,
maxScale: 4,
// Optional libraries used to extend on reveal.js
dependencies: [
{ src: 'reveal.js/lib/js/classList.js', condition: function() { return !document.body.classList; } },
{ src: 'reveal.js/plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'reveal.js/plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
{ src: 'reveal.js/plugin/zoom-js/zoom.js', async: true },
{ src: 'reveal.js/plugin/notes/notes.js', async: true }
]
});</script></body></html>