```
generate_infected_images [optional arguments] -c (--config) <configuration.file> -l (--logging) [verbose, module, full]
evaluate_scanners [optional arguments] -c (--config) <configuration.file> -l (--logging) [verbose, module, full] -e (--external) [virus_total, malice, both]
```
This is a prototype of a malware scanner validation tool for digital forensics. It provides a framework to perform several different tasks:

- Creating a raw (dd) copy of a virtual machine drive through vboxmanage
- Attaching the raw copied disk to the virtual machine
- Uploading a malware executable and a startup script via SFTP to the virtual machine
- Rebooting the virtual machine, starting Noriben, and executing the malware
- Parsing the Noriben output and recovering files and registry entries that Noriben reports to exist on the infected disk
- Executing malware scanners (currently F-Prot fpscan, ClamAV clamscan/clamdscan, and Sophos AV savscan) and parsing their output
- Tracking the malware's behavior (using Noriben) and collecting the artifacts created on the device
- Analyzing the collected artifacts using multiscanners (currently Malice and VirusTotal)

The goal of the platform is to provide an automated methodology to evaluate how well a malware scanner detects and reports forensically relevant artifacts.
Limitations
The prototype currently assumes the host computer is running Linux and the virtual machine is Windows configured to run SSH/SFTP. Additionally, this tool is not suitable for VM-aware malware and does not currently look for deleted artifacts.
- Install VirtualBox and the VirtualBox SDK on the host OS
- Install the Python modules Paramiko, python-registry, and virtualbox on the host OS
- Set up a project directory (for example, /path/to/project), and install a suitable VM image for malware testing with a raw disk drive at /path/to/project/base/base.raw
- Configure the base virtual machine as follows:
  - Set up a project directory (for example, C:\path\to\project)
  - Install Python 3 (I used Python 3.7.3) and add the installation directory to the PATH environment variable
  - Install Noriben and ProcMon in C:\path\to\project\Noriben. Make sure to accept ProcMon's click-through license agreement
  - Set up OpenSSH on the virtual machine
- Obtain malware samples and place them in /path/to/project/evidence
- Configure the host OS not to automount disks through the file manager
- Modify the configuration file and point the script to it
Here is a sample configuration file with an explanation of each parameter. Delete the comment lines before using the configuration file.

```yaml
# Path to the project directory on the host operating system. I put this on an
# external drive so as to avoid storing malware on my local disk.
project_path: /path/to/project
# VM's name in VirtualBox
vm_name: Base
# Login information for the VM
remote_username: TESTUSER
remote_password: TESTPASS
# Only windows is currently implemented
remote_type: windows
# SSH port of the Windows VM
remote_port: 22
# SSH connection timeout (seconds)
timeout_seconds: 360
# Time to wait for the VM to boot to the login prompt
boot_delay: 90
# Time to wait for the VM to obtain an IP address
ip_delay: 20
# Time to wait before executing the startup script on the VM
startup_wait: 30
# Time to wait after starting Noriben on the VM
noriben_start_wait: 30
# Time to wait to let the malware infect the VM
infect_wait: 60
# Time to wait to let Noriben wrap up before shutting down the VM
noriben_close_wait: 30
# Time to wait to let the VM shut down and release its disk lock
shutdown_delay: 60
# Path where the malware samples are stored on the host OS
virus_path: /path/to/project/evidence/
# VM project directory
remote_path: c:\Path\To\Project
# VM project directory, SFTP-style path
remote_ftp_path: /c:/Users/TESTUSER/Project
# VM IP address
remote_ip: 192.168.51.50
# %USERPROFILE%. Used to put the startup script in the Startup directory
remote_user: C:\Users\TestUser
# %USERPROFILE%, %WINDIR%, %APPDATA%, and %LOCALAPPDATA%. Used to convert Noriben
# entries to paths that can be mapped to Linux-comprehensible paths on the mounted image
remote_userprofile: C:\Users\TestUser
remote_windir: C:\Windows
remote_appdata: C:\Users\TestUser\Appdata
remote_local_appdata: C:\Users\TestUser\Local Settings\Application Data
# Command-line virus scanners, separated by ','
virus_scanners: savscan,clamscan,fpscan
# VirusTotal API key
virustotal_key:
```
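The path-mapping parameters above are what turn a Noriben entry into a file you can hash on the host. The following is an added example (not code from this project) of that conversion: it parses the `key: value` configuration format, expands `%UserProfile%`-style placeholders (assumed here to be the form Noriben emits when it generalizes paths, matching the config keys above), rewrites the Windows path to its location under the mounted raw image, resolves the name case-insensitively (ProcMon may not report the exact on-disk case, and lookups on the mounted NTFS volume are case-sensitive from Linux), and computes the same MD5 that `md5sum` prints. The config text, mount tree, file names and `evil.dll` content are constructed for the example. One caveat for your own config: on Windows 7, `%APPDATA%` resolves to `C:\Users\<user>\AppData\Roaming` and `%LOCALAPPDATA%` to `C:\Users\<user>\AppData\Local`; the `Local Settings\Application Data` path in the sample is the Windows XP layout, so set those two values to what your VM actually reports.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed configuration text using the keys of the sample file above.
# %AppData% / %LocalAppData% point at the Windows 7 locations (assumption for this example).
SAMPLE_CONFIG = """\
project_path: /path/to/project
remote_userprofile: C:\\Users\\TestUser
remote_windir: C:\\Windows
remote_appdata: C:\\Users\\TestUser\\AppData\\Roaming
remote_local_appdata: C:\\Users\\TestUser\\AppData\\Local
"""

# Placeholders assumed to appear in generalized Noriben paths, mapped to config keys.
PLACEHOLDERS = {
    "%userprofile%": "remote_userprofile",
    "%windir%": "remote_windir",
    "%appdata%": "remote_appdata",
    "%localappdata%": "remote_local_appdata",
}


def parse_config(text):
    """Parse the 'key: value' format of the configuration file, ignoring '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # first ':' only; values may contain 'C:'
        if not sep or not key.strip():
            raise ValueError("malformed config line: %r" % raw)
        cfg[key.strip()] = value.strip()
    return cfg


def expand_placeholders(win_path, cfg):
    """Replace %UserProfile%-style placeholders with the VM's real directories."""
    def repl(match):
        key = PLACEHOLDERS.get(match.group(0).lower())
        if key is None or key not in cfg:
            raise ValueError("no config mapping for %s in %r" % (match.group(0), win_path))
        return cfg[key]
    return re.sub(r"%[A-Za-z_]+%", repl, win_path)


def to_host_path(win_path, mount_point):
    """Translate an absolute Windows path to its location under the mounted raw image."""
    p = PureWindowsPath(win_path)
    if not p.drive or not p.root:
        raise ValueError("not an absolute Windows path: %r" % win_path)
    return Path(mount_point).joinpath(*p.parts[1:])   # parts[0] is the drive root 'C:\'


def resolve_case_insensitive(path):
    """Walk an absolute host path component by component, matching names case-insensitively."""
    if not path.is_absolute():
        raise ValueError("expected an absolute host path")
    cur = Path(path.anchor)
    for part in path.parts[1:]:
        candidate = cur / part
        if candidate.exists():
            cur = candidate
            continue
        if not cur.is_dir():
            return None
        matches = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if len(matches) != 1:          # missing, or ambiguous (two names differing only in case)
            return None
        cur = matches[0]
    return cur


def md5_file(path):
    """Stream the file through MD5; this is the value md5sum prints."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recover_artifact(noriben_path, cfg, mount_point):
    """Return (host_path, md5) for an artifact still present on the image, or None
    when it is gone (deleted artifacts are out of scope, as the Limitations note says)."""
    host = to_host_path(expand_placeholders(noriben_path, cfg), mount_point)
    found = resolve_case_insensitive(host)
    if found is None or not found.is_file():
        return None
    return found, md5_file(found)


def demo():
    """Stand in for the mounted base.raw with a throw-away directory tree."""
    cfg = parse_config(SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as mnt:
        dll = Path(mnt, "Users", "TestUser", "AppData", "Roaming", "evil.dll")
        dll.parent.mkdir(parents=True)
        dll.write_bytes(b"abc")                                    # constructed 3-byte stand-in
        hit = recover_artifact(r"%AppData%\EVIL.DLL", cfg, mnt)    # case differs on purpose
        gone = recover_artifact(r"%WinDir%\Temp\dropper.exe", cfg, mnt)
        return {
            "dll": None if hit is None else (hit[0].relative_to(mnt).as_posix(), hit[1]),
            "gone": gone,
        }


if __name__ == "__main__":
    print(demo())
```

Hashing happens while the image is still mounted, and `recover_artifact` returns `None` rather than a partial record when the file no longer exists, so a missed artifact shows up as a gap in the evaluation instead of a bogus hash.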
Host OS software:

- VirtualBox
- VirtualBox SDK
- Python 3
- fpscan
- savscan
- clamscan / clamdscan
- md5sum
- (optional) malice

Host OS Python modules:

- paramiko
- python-registry
- virtualbox
- (optional) virustotal-python

VM software:

- Noriben
- Procmon
- OpenSSH
There are two provided scripts that use the tool to automate a testing suite.

```
generate_infected_vms.py [optional arguments] -c (--config) </path/to/config.file> -l (--logging) [verbose, module, full]
```

Creates a clone of a raw VM disk image, then infects it using the specified infection protocol and the malware samples stored in /path/to/project/evidence. Runs Noriben on the VM to monitor the created artifacts.

Note: Make sure base.raw is attached to the virtual machine before running generate_infected_vms.py.

```
evaluate_scanners.py [optional arguments] -c (--config) </path/to/config.file> -l (--logging) [verbose, module, full] -e (--external) [virus_total, malice, both]
```

Mounts the raw VM disk images using `udisksctl loop-setup` and `udisksctl mount`, parses the Noriben file, obtains copies of any still-existing artifacts, and calculates the MD5 sum of the artifact files. It then analyzes the files using VirusTotal and Malice, and finally executes the virus scanners on the mounted raw VM disk image.
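The last step of evaluate_scanners.py, running a scanner over the mounted image and parsing its output, is where the evaluation question is actually answered: of the artifacts Noriben attributed to the malware, which did the scanner flag? The following is an added example (not this project's code) showing that comparison for clamscan, whose per-file lines are `<path>: <signature> FOUND`, `<path>: OK` or `<path>: <message> ERROR`, followed by a `SCAN SUMMARY` block. The scanner output, the signature name and the artifact list are constructed; fpscan and savscan print different formats and need their own parsers, which are not shown.

```python
import re

# Constructed clamscan -r output over a mounted image (signature name is made up).
CLAMSCAN_SAMPLE = """\
/mnt/base/Users/TestUser/AppData/Roaming/evil.dll: Win.Trojan.Agent-12345 FOUND
/mnt/base/Users/TestUser/Documents/Project/Malware/sample.exe: Win.Trojan.Agent-12345 FOUND
/mnt/base/Windows/System32/calc.exe: OK
/mnt/base/Windows/Temp/dropper.exe: OK
/mnt/base/pagefile.sys: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Known viruses: 8591421
Engine version: 0.102.3
Scanned files: 4
Infected files: 2
"""

# Constructed list of artifact paths recovered from the Noriben report, host side.
ARTIFACTS = [
    "/mnt/base/Users/TestUser/AppData/Roaming/evil.dll",
    "/mnt/base/Windows/Temp/dropper.exe",
]

# One per-file result line; the path group is non-greedy so the verdict anchors at the end.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def parse_clamscan(output):
    """Split clamscan output into detections, clean files, read errors and the summary."""
    scan = {"found": {}, "clean": set(), "errors": {}, "summary": {}}
    in_summary = False
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-----"):           # '----------- SCAN SUMMARY -----------'
            in_summary = True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            scan["summary"][key.strip()] = value.strip()
            continue
        m = RESULT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised clamscan line: %r" % line)
        if m.group("sig"):
            scan["found"][m.group("path")] = m.group("sig")
        elif m.group("err"):
            scan["errors"][m.group("path")] = m.group("err")
        else:
            scan["clean"].add(m.group("path"))
    return scan


def evaluate(scan, artifacts):
    """Compare scanner hits with the artifacts Noriben attributed to the malware."""
    wanted = set(artifacts)
    detected = {p: scan["found"][p] for p in wanted if p in scan["found"]}
    report = {
        "detected": detected,                                   # artifact -> signature
        "missed": sorted(wanted - set(detected)),               # present on disk, not flagged
        "unreadable": sorted(wanted & set(scan["errors"])),     # scanner could not open it
        "extra": sorted(set(scan["found"]) - wanted),           # flagged but not a Noriben artifact
        "coverage": len(detected) / len(wanted) if wanted else 0.0,
    }
    # Sanity check: the summary's count should equal the FOUND lines we parsed.
    infected = scan["summary"].get("Infected files")
    report["summary_consistent"] = infected is not None and int(infected) == len(scan["found"])
    return report


if __name__ == "__main__":
    print(evaluate(parse_clamscan(CLAMSCAN_SAMPLE), ARTIFACTS))
```

The "extra" bucket matters when reading results: the original sample sitting in the VM's Malware folder is expected to be flagged, but it is not a forensic artifact of the infection, so coverage is computed only over the Noriben-derived list. The summary consistency check catches truncated or interleaved output before a scanner is credited with hits it never printed.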
- The most important factor in the success of your evaluation setup is the Linux distribution used for the host OS. The first version of the software used Lubuntu 18.04, which worked with a lot of difficulty. The latest version uses Kali 2020.2, which works fairly well without much difficulty. The main places you will encounter difficulty are getting Python to communicate with the VirtualBox API and installing the malware scanners. If you select a different Linux distribution and encounter trouble, it might be wise to switch distributions.
- Install VirtualBox on your host OS. Here are a couple of ways you can install it.
- You can find the VirtualBox SDK here. You can find instructions for installing the SDK here.
- Install python3 on the host OS. You can use `sudo apt-get install python3.8`, use another package manager, install from source, or whatever method you prefer. Kali 2020.2 ships with python3.8.
- Install pip (`sudo apt-get install python3-pip`).
- Install the Python modules with `pip3 install virtualbox python-registry paramiko virustotal-python`.
- clamdscan is recommended over clamscan, as it is much faster: it hands files to a running clamd, so the signature database is loaded once rather than on every invocation.
- To provide a locally installed multiscanner, I installed Malice. Malice requires Docker. I could not get the full Malice/Engine module to work, but the individual scanners worked well, albeit a bit slowly.
I found Windows 7 to be a good balance between modern features and malware vulnerability. I took the following steps to set up my local VM.

- Install a vanilla Windows 7 installation in VirtualBox. If you haven't done this before, you can follow this guide: Installing a Windows 7 VM in Virtualbox.
  - You may find it helpful to install Guest Additions: Installing Guest Additions. This allows you to drag and drop from the host to the guest machine, create SMB shares, and use other features that make it easier to set up the local VM. Note that malware can check for the presence of Guest Additions (as well as use other methods to determine whether it is running in a VM), which may affect testing.
- Install Windows 7 SP1. You can find SP1 here.
- Additionally, I found it helpful to install KB3033929, which adds SHA-2 code signing support; without it, signature checks prevent the installation of Python and other important software.
- Some malware requires the .NET Framework to function. I installed .NET Framework 4.0 (build 30319), which contains exploitable vulnerabilities.
- Install Python 3, which Noriben needs. I installed Python 3.7.3. Make sure to check the box that adds Python to your PATH, or you will have to set it manually.
- Create a project directory. I used C:\Users\TestUser\Documents\Project. Create a subfolder called Noriben and a subfolder called Malware, for example C:\Users\TestUser\Documents\Project\Noriben and C:\Users\TestUser\Documents\Project\Malware.
- Download and unpack Noriben.zip from GitHub. You will need Process Monitor (ProcMon) to run Noriben. Download ProcMon and place it in the Noriben directory. Run ProcMon once and accept the license agreement. Run Noriben to make sure it functions correctly.
- Install OpenSSH. You can follow the instructions here, but you don't need to worry about the firewall instructions (we will be disabling the firewall later).
  - The command I used to enable OpenSSH is `powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1`
  - I enabled the OpenSSH-related services in the Control Panel.
- Disable the security features on the Windows 7 VM.
  - Disable Data Execution Prevention (DEP). You can find instructions here.
  - I used the command `bcdedit.exe /set {current} nx AlwaysOff` (run from an elevated command prompt; the change takes effect after a reboot).
  - Disable Windows Firewall in the Control Panel and disable the firewall-related services.
  - Disable the Windows Update services.
  - Set User Account Control to "Never Notify."
  - Set the computer to log in automatically.
- Create a host-only virtual network in VirtualBox: instructions here. I assigned a static IP to the Windows 7 VM. Here are instructions for setting up the Windows 7 IP. Make sure you can SSH from your host OS to the virtual machine.
- Once everything is working correctly, make a raw image of the virtual disk using `VBoxManage clonehd /path/to/virtual_disk.vdi /path/to/project/base/base.raw --format raw`

Optional:
You can create an internet service simulator VM following the instructions here, and point the test VM at it. You can ignore the instructions for setting up Burp, because we are not interested in network artifacts in this test.
- Nicolas Hughes - Initial work

This project is licensed under the GNU GPL 3.0 License - see the LICENSE.md file for details