
dannyquist's blog

Ether Automation Utility: Ether Bunny

Ether Bunny is a script that I use to automatically start up and run Xen domains, copy files into them, and then execute those files under Ether. It is a quick hack I put together, and most of the variables at the top of the file will need to be changed to match your configuration. The script is made available as-is; if it doesn't work you'll need to debug it on your own. That said, if you find it useful and modify it, let me know and I'll be happy to update the public version.

You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.

Here's how I use it:

snoosnoo:/xen# ./eb.py 192.168.0.2 malware.exe
Ether Bunny v0.1 by Danny Quist

Analyzing malware.exe to on VM 192.168.0.50
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at 192.168.0.50
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166) 192.168.0.50
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166
Aborting...
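The lifecycle the session above shows (create the domain, wait for the guest to answer winexe, run the sample, destroy the domain no matter what) in a minimal driver. This is an added example, not Danny Quist's eb.py; it assumes `xm` and `winexe` are on PATH, a guest admin account (the `GUEST_CRED` placeholder), that the sample has already been copied to the guest, and an injectable `runner` so the sequence can be checked offline.

```python
"""Ether Bunny style driver (added example, not Danny Quist's eb.py): create a Xen
domain, run a sample inside it via winexe, always destroy the domain. Assumed,
not from the post: `xm`/`winexe` on PATH, a guest admin account, the sample
already on the guest, and an injectable `runner` (see real_runner)."""
import subprocess
import time

GUEST_CRED = "Administrator%changeme"   # constructed placeholder (user%pass)

def real_runner(cmd):  # execute cmd, return (exit_code, stdout)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout

def parse_xm_list(output):
    """Map domain name -> ID from `xm list` text (first line is the header)."""
    doms = {}
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            doms[parts[0]] = int(parts[1])
    return doms

def run_sample(runner, cfg, dom_name, guest_ip, sample, attempts=5, delay=5):
    """Return the commands issued in order; raise if the sample never ran.
    The domain is destroyed in `finally`, so the sample is never left running."""
    issued = []
    def run(cmd):
        issued.append(cmd)
        return runner(cmd)
    code, _ = run(["xm", "create", cfg])
    if code != 0:
        raise RuntimeError(f"xm create {cfg} failed")
    dom_id = None
    try:
        dom_id = parse_xm_list(run(["xm", "list"])[1]).get(dom_name)
        if dom_id is None:
            raise RuntimeError(f"domain {dom_name} not listed after create")
        for _ in range(attempts):
            # winexe fails until the guest has booted: retry, like "Attempt: N"
            code, _ = run(["winexe", "-U", GUEST_CRED, f"//{guest_ip}", sample])
            if code == 0:
                break
            time.sleep(delay)
        else:
            raise RuntimeError(f"winexe could not reach {guest_ip}")
    finally:
        # destroy by ID when known (as eb.py prints), otherwise by name
        run(["xm", "destroy", str(dom_id) if dom_id is not None else dom_name])
    return issued
```

Pass `real_runner` to `run_sample` on a dom0 to drive real domains; the image restore step from the session above is left to the caller.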

Download Ether Bunny here.

Danny

Edit Jan 18 2011: The Winexe site seems to have disappeared, so I have linked to my local compiled copy.

My Ether Installation Method

I've gotten a few emails from people asking questions about how to install Ether. I thought I would put some very rough notes together for my general method to install it. Artem Dinaburg and crew have some good notes at the official Ether website but there are a few more things I do to get things rolling.

Here goes:

  1. Download the Debian AMD64 5.x net installation ISO and install it. Get your network card and configuration working.
  2. Install ONLY the linux-image-2.6.26-*-xen-amd64 package. You just want the kernel for this one. Installing the kernel source that comes with the patched Xen system is where I've gotten myself into trouble.
  3. Download the Xen and the ether_ctl source and patch as described on the Ether installation instructions page.
  4. Install the Debian packages necessary to get the system up and running. I recently installed a system and this is the output of the dpkg --get-selections command: ether_install_packages.log
    Hint: grep '[[:space:]]install$' ether_install_packages.log | awk '{print $1}' | xargs aptitude install
  5. Start compilation of Ether in the following directories, not in the main xen-3.1.0-src directory:
    1. cd xen ; make && make install
    2. cd ../tools ; make && make install
    3. cd firmware ; make && make install
  6. Edit the /boot/grub/menu.lst to have an entry that looks something like this (be sure to substitute your information):


    title Debian GNU/Linux, kernel 2.6.26-2-xen-amd64
    root (hd0,0)
    kernel /boot/xen-3.1.0.gz dom0_mem=1G
    module /boot/vmlinuz-2.6.26-2-xen-amd64 root=/dev/sda1 ro quiet
    module /boot/initrd.img-2.6.26-2-xen-amd64

  7. Reboot. You should see a Xen logo then your system will start up and look like normal.
  8. Make a Windows VM and follow the modification instructions on the Ether website.

That should be all it takes to get a working system up and running. While you're playing with Ether be sure to check out Vera as well.

Updates

  • 10/9/2009 - I've heard from a number of people that you may have to disable NX protection in your motherboard's BIOS to get this to work correctly.
  • 10/27/2009 - Updated to not need compilation of libdisasm, updated installed modules list

Vizsec 2009: Visualizing Compiled Executables for Malware Analysis

The Vizsec 2009 program looks to be pretty exciting this year. Please join us in Atlantic City, New Jersey; I will be presenting more visualization techniques for malware. I'm presenting a paper titled "Visualizing Compiled Executables for Malware Analysis." I hope to see you there.

Visualizing Compiled Executables for Malware Analysis PDF - This won best paper at the workshop.

Abstract

Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the task of translating assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their overall functionality. This paper presents a method using dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data is processed and presented for the reverse engineer. Using this method the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.

Offensive Computing Twitter OComputing

Offensive Computing is now on Twitter! Follow OComputing for all the malware and reverse engineering 140 characters can handle.

Blackhat USA 2009: Reverse Engineering by Crayon

My Blackhat talk is over and I think things went really well. As promised here is the latest information on the slides. To be able to use VERA you will need to follow the installation instructions from the Ether project. Thanks again to everyone who attended and thank you for all the great questions.

VERA Info and Download Page
Reverse Engineering by Crayon Slides from the Blackhat talk.

If you're going to try and use Ether (which you definitely should) make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there the installation instructions from the Ether site should be all you need.


Malware Patent Application

I recently came across this patent from Network Associates by Igor Muttik. Here's the abstract:

"One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls."

Reading through the claims it appears that they have patented much of what was the state of the art of academic research in the early 2000s. I'm shocked at how loosely the patent is written. Comparing system calls might have been novel at the time, but the real magic is finding a matching algorithm for them. That algorithm, I would think, would be the real patentable material. Then again, that's why I'm not a patent lawyer.

New Reversing and Visualization Tools Released this Summer

A few conference acceptances are in so I can now lift the cone of silence and share some of the research I've been doing.

Lately I've been using Artem Dinaburg and Paul Royal's excellent Ether Malware Analysis system they presented at ACM CCS last year. This is some very good work that allows you to instrument a running binary extremely well. The paper they have written is very good. I've submitted some patches to the project and overall it's in good shape. I'll write up a more detailed post about using the Ether framework later. Those of you that have been using Saffron should check out this system. Even though it requires dedicated hardware it's a much more robust system.

Using Ether I've been working on my visualization tool for better dynamic and static analysis integration. I call it VERA: Visualizing Execution for Reversing and Analysis. Using the dynamic trace data and unpacking capabilities of Ether, VERA helps you to better unpack unknown binaries, reduce the reversing time, and generally make the whole process easier. I've shown it to a pretty limited set of people, mainly the students in my Reverse Engineering courses, and it seems to be reasonably well received.

I will be talking about VERA at some conferences and workshops this summer and fall. The first is the Blackhat USA Briefings 2009 and Defcon 17. This talk will show how to integrate Ether into the reversing process and will also demonstrate VERA. I'll be giving a live demo and releasing the tool here.

A more formal treatment will be at the Workshop on Visualization and Security 2009 (VizSec). This paper will outline the nitty-gritty details of the Reverse Engineering process and how VERA fits into it.

I hope to see you this summer. Several former OC members will be giving talks too so it should be a worthwhile experience.

Cyber Security Act of 2009

The Cyber Security Act of 2009 submitted by US senators John Jay Rockefeller and Olympia Snowe looks like it is geared up to be some poor US policy. Joe Stewart has written up a response to it. Joe makes some very valid observations.

To recap the criticism of the bill, there are two big complaints: First is that it gives the president the power to turn off the Internet in an emergency. Second it requires mandatory licensing for "Infosec professionals." The second point is the one I take the most issue with.

Requiring mandatory licensing for a field as dynamic and changing as ours is just a bad idea. There are already a couple of government entities that require the CISSP as a condition of employment. Side-stepping a long-winded rant about the CISSP, it is not an accurate measure of knowledge. There has been a concerted effort to liken our field to others such as electricians and general contractors. The problem is that things are changing so fast that any certification is basically worthless as soon as it is issued.

So if you're a US citizen please write your senators and encourage them to revise this bill.

Vista Wireless Power Tools

Josh Wright from Inguardians has written a paper on Vista's wireless stack. He describes the NDIS6 command line interfaces and how to use them in a pentest. From the paper:

"With the introduction of Windows Vista, Microsoft has put forth considerable effort in revamping the IEEE 802.11 wireless stack through the Network Driver Interface Specification (NDIS) 6 model. With considerably greater functionality and capability than was provided in Windows XP, Vista's wireless capabilities shine with new freedom for developers, a robust development framework, rich information sources for wireless analysis and end-user tools for analyzing and controlling wireless parameters."

I'm looking forward to doing some wifi research again and this paper certainly provides a healthy kick in the pants to do so.

On the Legitimacy of Obfuscated Code

Chris Wysopal has written an article about different uses of obfuscation inside of executables. Malicious or not, it is a useful tool for hiding or at least raising the bar on reverse engineering effort required. It's a good article and I recommend you read it. It did get me to thinking about a couple of things in reverse engineering.

One thing that Chris mentions is that users should be able to decide whether or not they want obfuscated code on their system. In many ways this is similar to the open vs. closed source debate. I have long argued that, for a skilled reverse engineer, having the assembly for a program is equivalent to having the source code. Look at enough assembly and work with enough compiler variations, and one can work out what the original code looked like.

Regarding the question about whether obfuscation is a bad thing, Rolf Rolles recently commented that Bitdefender decided wholesale that the VMProtect packer is malware and anything obfuscated with it should be removed. Now the Bitdefender developers are smart guys, and maybe they decided that any legitimate software has no need to use this. Other anti-virus software takes a similar tactic. During the Race To Zero contest at Defcon last year, the winning team noticed that removing all the imports from an executable caused multiple AV vendors to automatically flag an executable as being suspicious.

The choice about the legitimacy of packers and obfuscation has already been made for us by the AV community: it's bad. This may be narrow-sighted, but hey, that's what the industry is all about.
