Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect the Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools. Limon analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware's process activity, interaction with the file system, network, it also performs memory analysis and stores the analyzed artifacts for later analysis.
Analyzing Linux Malwares Using Limon
Setting up and Configuring Limon
Black Hat 2015 Europe Video Recording (Automating Linux Malware Analysis Using Limon Sandbox)
Black Hat 2015 Europe presentation (Automating Linux Malware Analysis Using Limon Sandbox)
Why Malware Analysis?
Malware is a piece of software which causes harm to a computer system without the owner's consent. Viruses, Trojans, worms, backdoors, rootkits and spyware can all be considered as malwares.
With new malware attacks making news every day and compromising company’s network and critical infrastructures around the world, malware analysis is critical for anyone who responds to such incidents.
Malware analysis is the process of understanding the behaviour and characteristics of malware, how to detect and eliminate it.
There are many reasons why we would want to analyze a malware, below to name just a few:
Determine the nature and purpose of the malware i.e. whether the malware is an information stealing malware, http bot, spam bot, rootkit, keylogger, RAT etc.
Interaction with the Operating System i.e. to understand the file system, process and network activities.
Detect identifiable patterns (network and host based indicators) to cure and prevent future infections
Types of Malware Analysis
In order to understand the characteristics of the malware three types of analysis can be performed they are:
- Static Analysis
- Dynamic Analysis
- Memory Analysis
In most cases static and dynamic analysis will yield sufficient results however Memory analysis gives post-mortem perspective and helps in determining hidden artifacts, rootkit and stealth malware capabilities.
Static Analysis involves analyzing the malware without actually executing it. Following are the steps:
- Determining the File Type: Determining the file type can also help you understand the type of environment the malware is targeted towards, for example if the file type is ELF (Executable and Linkable format) format which is a standard binary file format for Unix and Unix-like systems, then it can be concluded that the malware is targeted towards a Unix or Unix flavoured systems
- Determining the Cryptographic Hash: Cryptographic Hash values like MD5 and SHA1 can serve as a unique identifier for the file throughout the course of analysis. Malware, after executing can copy itself to a different location or drop another piece of malware, cryptographic hash can help you determine whether the newly copied/dropped sample is same as the original sample or a different one. With this information we can determine if malware analysis needs to be performed on a single sample or multiple samples. Cryptographic hash can also be submitted to online antivirus scanners like VirusTotal to determine if it has been previously detected by any of the AV vendors. Cryptographic hash can also be used to search for the specific malware sample on the internet.
- Strings search: Strings are plain text ASCII and UNICODE characters embedded within a file. Strings search give clues about the functionality and commands associated with a malicious file. Although strings do not provide complete picture of the function and capability of a file, they can yield information like file names, URL, domain names, ip address, attack commands etc.
- File obfuscation (packers, cryptors) detection: Malware authors often use softwares like packers and cryptors to obfuscate the contents of the file in order to evade detection from anti-virus softwares and intrustion detection systems. This technique slows down the malware analysts from reverse engineering the code.
- Determine Fuzzy Hash: Comparing the malware samples collected or maintained in a private or public repository is an important part of file identification process. The easiest way to check for file similarity is through a process called “Fuzzy Hashing”. Fuzzy hash comparison can tell the percentage similarity between the files. Fuzzy hash comparison is a method by which identical files can be identified. This can help in determine the variants of the same malware.
- Submission to online Antivirus scanning services: This will help you determine if the malicious code signatures exist for the suspect file. The signature name for the specific file provides an excellent way to gain additional information about the file and capabilities. By visiting the respective antivirus vendor web sites or searching for the signature in search engines can yield additional details about the suspect file. Such information may help in further investigation and reduce the analysis time of the malware specimen. VirusTotal (http://www.virustotal.com) is a popular web based malware scanning services.
- Inspecting File Dependencies: Executable loads multiple shared libraries and call api functions to perform certain actions like resolving domain names, establishing an http connection etc. Determining the type of shared library and list of api calls imported by an executable can give an idea on the functionality of the malware.
- Examining ELF File Structure: ELF stands for “Executable and Linkable Format” this is a standard binary file format for Linux systems. Examining the ELF file structure can yield wealth of the information including Sections, Symbols and other file metadata information.
- Disassembling the File: Examining the suspect program in a disassembler allows the investigator to explore the instructions that will be executed by the malware. Disassembly can help in tracing the paths that are not usually determined during dynamic analysis.
Dynamic Analysis involves executing the malware sample in a controlled environment and monitoring as it runs. Sometimes static analysis will not reveal much information due to obfuscation, packing in such cases dynamic analysis is the best way to identify malware functionality. Following are some of the steps involved in dynamic analysis:
- Monitoring Process Activity: This involves executing the malicious program and examining the properties of the resulting process and other processes running on the infected system. This technique can reveal information about the process like process name, process id, child processes created, system path of the executable program, modules loaded by the suspect program.
- Monitoring File System Activity: This involves examining the real time file system activity while the malware is running; this technique reveals information about the opened files, newly created files and deleted files as a result of executing the malware sample.
- Monitoring Network Activity: In addition to monitoring the activity on the infected host system, monitoring the network traffic to and from the system during the course of running the malware sample is also important. This helps to identify the network capabilities of the specimen and will also allow us to determine the network based indicator which can then be used to create signatures on security devices like Intrusion Detection System
- System Call Tracing: System calls made by malware can provide insight into the nature and purpose of the executed program such as file, network and memory access. Monitoring the system calls can help determine the interaction of the malware with the operating system.
Memory Analysis also referred to as Memory Forensics is the analysis of the memory image taken from the running computer. Analyzing the memory after executing the malware sample provides post-mortem perspective and helps in extracting forensics artifacts from a computer's memory like:
- running processes
- network connections
- shared libraries
- loaded kernel modules
- code injections
- Rootkit capabilities.
- API Hooking