427 Botnet fm qxd

hooking
(a technique described later in this chapter) is used to monitor the
malware’s interesting system calls. Decoupling from the network has the
advantage that the malware is not able to infect other computers, but there
also is the disadvantage that less information can be collected, because no real
outgoing connection can be established.
Chas Tomlin has chosen a different approach with his 
Sandnet
. In Sandnet,
the malicious software is executed on a real Windows system, not on an emu-
lated or simulated one. After 60 seconds of execution, the host is reset and
forced to reboot from a Linux image instead of its actual Windows OS. For
that purpose,
Preboot Execution Environment (PXE)
is used: a mechanism for
booting a computer via its network interface independently of an available
data storage device or operating system. After booting Linux, the Windows
partition is mounted and the registry hives are extracted, as well as the com-
plete file list.They are sent to a different analysis host for further examination.
After that, the Windows partition is reverted to its initial clean state using
PartImage.
.
(
PartImage
is a utility to save/restore hard disc partitions to/from an
image file. For more information go to www.partimage.org.) Because Chas
Tomlin’s Sandnet focuses on network activity, several dispositions are made.
During the execution of the malware, the Windows host is connected to a
virtual Internet with an IRC server running that positively answers all
incoming IRC connection requests. Furthermore, all packets are captured to
examine all other network traffic afterward.The collected packets are parsed
using Perl scripts for known protocols such as IRC, DNS, and HTTP, and the
relevant information is extracted.
A similar method is used in 
Truman,The Reusable Unknown Malware
Analysis Net,
provided by Joe Stewart from SecureWorks. (For more informa-
tion go to www.lurhq.com/truman.) It consists of a PXE bootable Linux
client based on Chas Tomlin’s PXE Windows Image using Linux and a set of
additional tools. (For more information visit www.wiul.org.) The malware
sample is also executed on a real Windows system, which is connected to a
virtual Internet. After the sample’s execution, the Truman tools are used to
dump the system’s memory and its file system contents.Then a different anal-
ysis machine is able to examine the dumps and compare them against the ini-
tial system state. More information on Truman can be found at
www.lurhq.com/truman.

Download 6,98 Mb.

Do'stlaringiz bilan baham: