09 April 2013

Noriben - The Portable Sandbox System

Noriben is a Python-based script that works in conjunction with SysInternals Procmon to automatically collect, analyze, and report on runtime indicators of malware and suspicious system behavior. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the system's activity after running an attack.

While there are many well developed and fully featured sandboxes, such as Cuckoo, they all have various limitations that impacted the way I do malware analysis. Noriben was written specifically to fill these gaps. Noriben is an ideal solution for many unusual malware instances, such as those that would not run from within a standard sandbox environment. These files perhaps required command line arguments, or had VMware/OS detection that had to be actively debugged, or extremely long sleep cycles.

Bypassing Anti-Sandboxing

One common instance to use Noriben is with malware that is VM and Sandbox aware. Throwing the sample into any existing sandbox will most likely result in a report with no artifacts as the malware didn't run. Some applications look for manual user activity, such as mouse movement and clicking. Other malware may infect the WinHTTP stack and only trigger when a web browser is used. By just launching Noriben in the background, all of the system behavior is logged as the analyst manually controls the system to give the impression of a normal user. Once the file has been detonated, the results can be reviewed as a standard sandbox report.

Command Line-Based Applications

In rarer cases are malware samples that require command line options in order to run. Launching these executables within a sandbox would immediately fail as the malware does not have the arguments to operate. However, an analyst manually controlling the malware while Noriben is running can quickly gather all system artifacts from various command line options.

General Attack Artifacts

Even more interesting, Noriben has been used by pentesters to determine what system artifacts exist when launching an attack against a system or service. By monitoring files created or registry entries modified, a security analyst can determine all artifacts that result from running an attack, a PowerShell command, or a Javascript-based web page.

Perfect for Malware Analysis on the Road

It's commonly a scenario where an analyst may have a proper sandbox environment in a home lab but on the road has only a laptop. In working with various Sales Engineers and Support individuals from security companies, there were many times where they needed an immediate malware answer out of their hotel room. Noriben was designed to be used with little effort, little setup, and little maintenance. Even if you don't have a dedicated malware VM, any Windows VM will do! Even <a snapshot copy of> your corporate environment!


How to Run Noriben


Noriben is simply a Python wrapper to SysInternal's Process Monitor (procmon.exe). Procmon is a system artifact collection tool that stores millions of events into a massive database. However, for many analysts, this turns into information overload. Noriben works as a filtering system to remove all activity that's known to be from legitimate activity. Therefore, whatever is left over is very likely to be related to suspicious activity from malware or an attack.

Simply run Noriben.py and wait for it to start listening to the system. Once prompted, run your malware or perform your attack actions. When the malware or attack has reached a point of activity necessary for analysis, stop Noriben by pressing Ctrl-C. Noriben will then stop the logging, gather all of the data, and process a report for you.

Noriben will actually produce multiple reports: a readable text document, a CSV separated by activity type, and a full timeline CSV.


Noriben in Action


In my last blog post, I showed one of my recent tools for parsing Java IDX files, a forensic byproduct of Java-based malware infections. In that post we talked about the first-stage malware attack which was used solely to drop a file named hehda.exe to the user's Temporary folder. What was that executable and what does it do? Let's turn to Noriben:


Place your Noriben files (Noriben.py, procmon.exe, and the recommended ProcmonConfiguration.pmc) into any standard Windows virtual machine. Then copy your malware to the VM. Run Noriben and you will receive the following output:






After awhile I see the original malware file, hehda.exe, disappear from my desktop. I wait about a minute and then press Ctrl-C to stop the scan. The following text is then displayed:



Notepad then automatically opens the resulting text report shows a lot of data, seen below at the following link (because the output is so large):

Original Report

This is an older sample, of ZeroAccess on a Win7 64-bit system. From this, we can see a few items of high notability. The processes show Hehda.exe being executed, and then spawning cmd.exe:

[CreateProcess] python.exe:2420 > "C:\malware\hehda.exe" [Child PID: 1764]
[CreateProcess] hehda.exe:1764 > "%WinDir%\system32\cmd.exe" [Child PID: 692]

By following cmd.exe's PID, we can see it is later responsible for deleting hehda.exe.
Hehda.exe drops a few very interesting files, including:

[CreateFile] hehda.exe:1764 > C:\$Recycle.Bin\S-1-5-21-2905866499-540305738-3985726813-1000\$a8caf0b8de44cf9788e65a608c597466\n [SHA256: 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0]
[CreateFile] hehda.exe:1764 > C:\$Recycle.Bin\S-1-5-18\$a8caf0b8de44cf9788e65a608c597466\n [SHA256: 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0]


Right away, a Google search on this hash value returns many interesting results that tell us that the file was virus scanned as ZeroAccess. The filenames themselves are also indicative of ZeroAccess.

How did this file gain persistence on the victim machine? Now that we see the files, we can peruse the registry values and see the following items:

[RegSetValue] hehda.exe:1764 > HKCU\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel  =  Both
[RegSetValue] hehda.exe:1764 > HKCU\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\(Default)  =  C:\$Recycle.Bin\S-1-5-21-2905866499-540305738-3985726813-1000\$a8caf0b8de44cf9788e65a608c597466\n.



And what other damage did it do? Well, it looks like it took out a few notable services, including those for the Windows Firewall and Windows Security Center:

[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\SharedAccess\DeleteFlag  =  1
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\SharedAccess\Start  =  4
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\iphlpsvc\DeleteFlag  =  1
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\iphlpsvc\Start  =  4
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\wscsvc\DeleteFlag  =  1
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\wscsvc\Start  =  4
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\MpsSvc\DeleteFlag  =  1
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\MpsSvc\Start  =  4
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\BFE\DeleteFlag  =  1
[RegSetValue] services.exe:500 > HKLM\System\CurrentControlSet\services\BFE\Start  =  4

That is one nasty piece of work. But, it gets better when we get down to the network traffic:

[UDP] hehda.exe:1764 > 8.8.8.8:53

[UDP] hehda.exe:1764 > 83.133.123.20:53
[UDP] services.exe:500 > 75.202.94.7:16470
[UDP] services.exe:500 > 98.28.36.10:16470
[UDP] services.exe:500 > 173.28.32.12:16470
[UDP] services.exe:500 > 96.24.206.12:16470
[UDP] services.exe:500 > 174.140.125.252:16470

[UDP] services.exe:500 > 76.100.222.13:16470

The large list of IP addresses to UDP port 16471 are another big indicator for ZeroAccess. Upon doing open research, you'll find that the dropped file "@" is a list of IP addresses used to bootstrap the malware onto the botnet network.


Conclusions

The goal of Noriben is to provide very quick and simple answers to your questions, either to a more in-depth analysis of an infected system, a better understanding of a malware's capabilities without static analysis, or to quickly craft network filters to look for (and block) other infections. What files were created? What hashes should I scan for? What network hosts and ports are being used? The pure text report allows you to quickly see data and copy/paste it to a relevant solution.

Noriben is not always a turn-key solution. While the built-in filters will remove most innocuous items, the user will likely need to adjust and add new filters to remove additional benign entries. It's highly recommended to run Noriben in your VM and run benign applications to modify the built-in filters to meet your particular operating system.  Editing is extremely easy, just edit Noriben.py with any text editor and add new items to the respective black list.

P.S. Why call it Noriben? Noriben (海苔弁) is a very simple Japanese lunch box. Noriben are plentiful in shops, provide your basic nourishment, and are a staple meal for a struggling family. It felt only appropriate to analogize it to Noriben.py, a very simple sand box that provides basic indicators, can directly feed your security solutions, and fits easily within the budget of any organization.


P.P.S. If you have any errors or unusual items that you want to report, email the PML/CSV/TXT files (ZIP is fine) to brian @ thebaskins .com. Additionally, if you have any notable filter items that you would like to share, I will review them and, if helpful, add to the trunk with credit to you.

4 comments:

  1. Hi Brian, I found your site via the Volatility blog. Thanks for creating Noriben !

    ReplyDelete
  2. you the man! Nice job.. pretty useful to me

    ReplyDelete