lost and found ( for me ? )

analyze malware with zerowine on Linux ( Ubuntu 13.10 )

Reference
http://zerowine.sourceforge.net/
http://oc.gtisc.gatech.edu/

Here is how to install / use zerowine on Ubuntu 13.10.
You can analyze malware with zerowine.

# tail -1 /etc/lsb-release ; uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.10"
3.11.0-18-generic x86_64

install wine
# apt-get install qemu python-pefile

download zerowine qemu image from http://zerowine.sourceforge.net/
# bunzip2 zerowine-image-2.0.0.tar.bz2
# tar xvf zerowine-image-2.0.0.tar

start zerowine.
root@ubuntu:/home/hattori/bin/srv# pwd
/home/hattori/bin/srv

# less start_img.sh
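#!/bin/sh
# Boot the zerowine analysis image under QEMU/KVM.
#
# -snapshot: every run starts from the pristine zerowine.img; nothing the
# analysed sample does inside the guest is written back to the image.
#
# Port forwards (host -> guest):
#   8000 -> 8000  zerowine XML-RPC/web front end, used by xmlrpc_client.py
#   2022 ->   22  ssh into the guest
#   8001 -> 8001  forwarded by the original script (purpose not documented here)
#
# `kvm` is only a deprecated wrapper (it warns "kvm binary is deprecated");
# it ran qemu-system-x86_64 -machine accel=kvm:tcg, so call that directly.
#
# The legacy -redir syntax has no host-address field, so those forwards
# listen on every host interface.  The hostfwd= form below binds them to
# LISTEN (loopback by default), which is all the client on this box needs:
# it talks to http://localhost:8000/.  Override LISTEN only if you really
# want the analysis VM reachable from other machines.
#
# Usage: ./start_img.sh [image]      (default image: zerowine.img in cwd)
# Env:   MEM    guest RAM in MB      (default 1024)
#        LISTEN host bind address    (default 127.0.0.1)
set -eu

IMG=${1:-zerowine.img}
MEM=${MEM:-1024}
LISTEN=${LISTEN:-127.0.0.1}

[ -r "$IMG" ] || { printf 'start_img.sh: image not found: %s\n' "$IMG" >&2; exit 1; }

exec qemu-system-x86_64 -machine accel=kvm:tcg \
  -hda "$IMG" -boot c -m "$MEM" -snapshot \
  -net nic \
  -net user,hostfwd=tcp:"$LISTEN":8000-:8000,hostfwd=tcp:"$LISTEN":2022-:22,hostfwd=tcp:"$LISTEN":8001-:8001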


root@ubuntu:/home/hattori/bin/srv# ./start_img.sh
W: kvm binary is deprecated, please use qemu-system-x86_64 instead

zerowine will start.




# ps aux | grep qemu
root     14663  3.7  2.6 1596356 210088 pts/3  Sl+  02:10   0:47 qemu-system-x86_64 -machine accel=kvm:tcg -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
root     15190  0.0  0.0  14620   908 pts/12   S+   02:32   0:00 grep --color=auto qemu



user: malware
pass: malware


on the Ubuntu box ( not zerowine ), issue commands like this:
./xmlrpc_client.py http://localhost:8000/ <malware>.exe <report directory>
# pwd
/home/hattori/bin/cli

# ./xmlrpc_client.py http://localhost:8000/ /home/hattori/Malware_samples/foobar.exe /home/hattori/Zerowine_reports
[Wed Mar 26 02:16:49 2014] Checking server http://localhost:8000/ status: [ALIVE]
[Wed Mar 26 02:17:04 2014] Writting dumped file num 1 [DONE]
[Wed Mar 26 02:17:04 2014] Writting behavior report [DONE]
[Wed Mar 26 02:17:04 2014] Writting dropped files [DONE]
[Wed Mar 26 02:17:04 2014] Dumping: [DONE]

reports will be stored under the /home/hattori/Malware reports directory.

move to /home/hattori/Malware reports.
# pwd
/home/hattori/Zerowine_reports

root@ubuntu:/home/hattori/Zerowine_reports# ls
foobar.exe1395767824.71.dump  foobar.exe1395767824.71.tgz
foobar.exe1395767824.71.rpt

# pwd
/home/hattori/Zerowine_reports
root@ubuntu:/home/hattori/Zerowine_reports#

root@ubuntu:/home/hattori/Zerowine_reports# head -10 foobar.exe1395767824.71.rpt
Launching wine /tmp/vir/233185c90ebfeeec634b400f79b7d482/foobar.exe > 10
0009:malware:Call to CreateDirectoryW(L"C:\\windows")
0009:humanmalware:Creating directory L"C:\\windows"
0009:malware:Call to CreateDirectoryW(L"C:\\windows\\system32")
0009:humanmalware:Creating directory L"C:\\windows\\system32"
0009:malware:App (null) cmdline L"C:\\windows\\system32\\wineboot.exe --init"
0009:humanmalware:Opened process (null) with command line L"C:\\windows\\system32\\wineboot.exe --init"
0009:malware:Call to CreateFileW(L"C:\\windows\\system32\\wineboot.exe", GENERIC_READ FILE_SHARE_READ FILE_SHARE_DELETE , creation 3 attributes 0x0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows", 0, 0xbfe357dc, 0, (nil), 0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows\\system32", 0, 0xbfe357dc, 0, (nil), 0)


Python scapy: craft DNS packets with scapy

Here is a sample script showing how to send DNS queries to multiple IPs from one IP address with Python scapy.

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 13.10"

# apt-get install python-scapy

# cat send_queries_03.py -n
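#!/usr/bin/env python
"""Send a stream of DNS A queries to four resolvers from one source address.

Each send_ipNN(counter) call emits one query for a unique name
("<letter><counter>.foo.com") so that no answer can come from a cache.
The queries go out via sr1() with a timeout of one microsecond, so the
script does not really wait for replies: it is a fire-and-forget query
generator, and any replies are left to be observed with tcpdump.

Requires scapy (apt-get install python-scapy) and raw-socket privileges.
"""

from scapy.all import *

# Source address stamped on every query.  NOTE(review): this should be an
# address of the host running the script, otherwise replies are delivered
# elsewhere -- confirm against the interface configuration.
SRC_IP = "192.168.10.15"

# Query rounds sent by the main loop (one query per resolver per round).
QUERY_ROUNDS = 100000


def _send_query(dst, prefix, counter):
    """Send one DNS A query for "<prefix><counter>.foo.com" to dst.

    Args:
        dst:     destination IP address (a resolver listening on UDP/53).
        prefix:  one-letter label placed before the counter in the name.
        counter: integer that makes the query name unique.

    The UDP source port and the DNS transaction id are randomized with
    RandShort() so consecutive queries are not identical.
    """
    packet = (IP(src=SRC_IP, dst=dst)
              / UDP(sport=RandShort(), dport=53)
              / DNS(rd=1, id=RandShort(),
                    qd=DNSQR(qname="%s%s.foo.com" % (prefix, counter))))
    # timeout is effectively zero: sr1() returns almost at once and the
    # reply, if any, is neither waited for nor used.
    sr1(packet, verbose=0, timeout=0.000001, retry=0)


def send_ip50(counter):
    """Query 192.168.10.50 for a<counter>.foo.com."""
    _send_query("192.168.10.50", "a", counter)


def send_ip51(counter):
    """Query 192.168.10.51 for b<counter>.foo.com."""
    _send_query("192.168.10.51", "b", counter)


def send_ip52(counter):
    """Query 192.168.10.52 for c<counter>.foo.com."""
    _send_query("192.168.10.52", "c", counter)


def send_ip53(counter):
    """Query 192.168.10.53 for d<counter>.foo.com."""
    _send_query("192.168.10.53", "d", counter)


if __name__ == '__main__':
    # Round-robin over the four resolvers, QUERY_ROUNDS times.
    for i in range(QUERY_ROUNDS):
        send_ip50(i)
        send_ip51(i)
        send_ip52(i)
        send_ip53(i)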

capture data
# tcpdump -i br0 -n udp and dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:45:04.042689 IP 192.168.10.15.13123 > 192.168.10.53.domain: 60431+ A? d828.foo.com. (30)
23:45:04.042845 IP 192.168.10.11.62606 > 192.168.10.15.domain: 12062+ [1au] A? d828.foo.com. (41)
23:45:04.098405 IP 192.168.10.15.12479 > 192.168.10.50.domain: 36773+ A? a829.foo.com. (30)
23:45:04.098554 IP 192.168.10.11.26948 > 192.168.10.15.domain: 32326+ [1au] A? a829.foo.com. (41)
23:45:04.154371 IP 192.168.10.15.37971 > 192.168.10.51.domain: 47661+ A? b829.foo.com. (30)
23:45:04.154524 IP 192.168.10.11.22917 > 192.168.10.15.domain: 55193+ [1au] A? b829.foo.com. (41)
23:45:04.218333 IP 192.168.10.15.48133 > 192.168.10.52.domain: 7299+ A? c829.foo.com. (30)
a830.foo.com. (41)
23:45:04.430456 IP 192.168.10.15.36751 > 192.168.10.51.domain: 49019+ A? b830.foo.com. (30)
23:45:04.430602 IP 192.168.10.11.61530 > 192.168.10.15.domain: 21721+ [1au] A? b830.foo.com. (41)
23:45:04.486421 IP 192.168.10.15.12881 > 192.168.10.52.domain: 23496+ A? c830.foo.com. (30)
23:45:04.486567 IP 192.168.10.11.40049 > 192.168.10.15.domain: 15839+ [1au] A? c830.foo.com. (41)
23:45:04.546634 IP 192.168.10.15.4886 > 192.168.10.53.domain: 57954+ A? d830.foo.com. (30)
23:45:04.546786 IP 192.168.10.11.30473 > 192.168.10.15.domain: 32175+ [1au] A? d830.foo.com. (41)

Ubuntu 13.10 : install LXC, docker, shipyard and shipyard agent on one machine.

Here are logs when installing LXC, docker, shipyard GUI and shipyard agent on the same box.
I am a newbie to LXC, docker and shipyard.

[ install docker ]

Reference
http://docs.docker.io/en/latest/installation/ubuntulinux/#ubuntu-raring-saucy

# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.10"
3.11.0-18-generic x86_64

# apt-get update ;apt-get install linux-image-extra-`uname -r`

# apt-get install lxc-docker lxc

edit /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

restart ufw
# service ufw restart

/etc/default/docker
# grep -v ^# /etc/default/docker | grep -v ^$
DOCKER_OPTS="-dns 8.8.8.8 -dns 8.8.4.4"

# service docker restart
docker stop/waiting
docker start/running, process 14870

[ install shipyard ]

Reference
https://github.com/shipyard/shipyard/wiki/QuickStart

edit /etc/default/docker
# grep -v ^# /etc/default/docker | grep -v ^$
DOCKER_OPTS="-dns 8.8.8.8 -dns 8.8.4.4 -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock"

restart docker
# service docker restart
docker stop/waiting
docker start/running, process 14978

# lsof -ni:4243
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
docker  14981 root    7u  IPv4 1060465      0t0  TCP 127.0.0.1:4243 (LISTEN)

deploy shipyard
# docker run -i -t -v /var/run/docker.sock:/docker.sock shipyard/deploy setup
Shipyard Stack Deployed

You should be able to login with admin:shipyard at http://<docker-host-ip>:8000
You will also need to setup and register the Shipyard Agent.  See http://github.com/shipyard/shipyard-agent for details.

access the docker host ( http://127.0.0.1:8000/accounts/login/ )
user: admin
pass: shipyard




[ install shipyard agent ]

download shipyard agent from https://github.com/shipyard/shipyard-agent/releases/tag/v0.2.5 and install it.
# mv shipyard-agent /usr/local/bin/

# chmod +x /usr/local/bin/shipyard-agent

# shipyard-agent --version
0.2.5



register shipyard-agent: error.
# shipyard-agent -url http://127.0.0.1:4243 -register
2014/03/25 02:30:48 Using 192.168.11.8 for the Docker Host IP for Shipyard
2014/03/25 02:30:48 If this is not correct or you want to use a different IP, please update the host in Shipyard
2014/03/25 02:30:48 Registering at http://127.0.0.1:4243
2014/03/25 02:30:48 Error parsing JSON from Shipyard register: json: cannot unmarshal number into Go value of type main.AgentData

oops, wrong URL. I need to specify the shipyard URL, not the docker one.
# shipyard-agent -url http://127.0.0.1:8000 -register
2014/03/25 02:33:01 Using 192.168.11.8 for the Docker Host IP for Shipyard
2014/03/25 02:33:01 If this is not correct or you want to use a different IP, please update the host in Shipyard
2014/03/25 02:33:01 Registering at http://127.0.0.1:8000
2014/03/25 02:33:01 Agent Key:  fdadd72f21b3486f834ce0d3ce039468

# shipyard-agent -url http://127.0.0.1:8000 -key fdadd72f21b3486f834ce0d3ce039468
2014/03/25 02:33:57 Shipyard Agent (http://127.0.0.1:8000)
2014/03/25 02:33:57 Listening on :4500

on the GUI


enabled shipyard agent ( LXC ) host.







# ps aux | grep shipyard
root     15280  0.0  0.1 938284 14584 pts/17   Sl+  02:11   0:00 node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15285  0.0  0.1 938272 14764 pts/17   Sl+  02:11   0:00 /usr/local/bin/node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15286  0.0  0.1 872476 14788 pts/17   Sl+  02:11   0:00 /usr/local/bin/node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15287  0.0  0.1 872476 14756 pts/17   Sl+  02:11   0:00 /usr/local/bin/node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15288  0.0  0.1 872476 14804 pts/17   Sl+  02:11   0:00 /usr/local/bin/node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15292  0.0  0.1 938272 14800 pts/17   Sl+  02:11   0:00 /usr/local/bin/node /usr/local/bin/hipache -c /etc/shipyard_router.config.json
root     15477  0.0  0.0  39144  3384 pts/18   S+   02:13   0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx -p /usr/local/openresty/nginx -c /etc/shipyard.conf
102      15937  0.0  0.0 239832  7580 ?        Ss   02:16   0:00 postgres: shipyard shipyard 172.17.0.7(56910) idle                                                                          
root     16495  0.2  0.0 292728  6592 pts/6    Sl+  02:33   0:00 shipyard-agent -url http://127.0.0.1:8000 -key fdadd72f21b3486f834ce0d3ce039468
root     16788  0.0  0.0  14624   912 pts/9    S+   02:37   0:00 grep --color=auto shipyard

list running containers




# docker info
Containers: 6
Images: 78
Driver: aufs
Root Dir: /var/lib/docker/aufs
Dirs: 90
WARNING: No swap limit support

# docker ps
CONTAINER ID        IMAGE                      COMMAND                CREATED             STATUS              PORTS                            NAMES
db14972006f4        shipyard/shipyard:latest   /app/.docker/run.sh    22 minutes ago      Up 22 minutes       0.0.0.0:8000->8000/tcp           shipyard                                                                                             
871856e04284        shipyard/db:latest         /bin/bash -e /usr/lo   24 minutes ago      Up 24 minutes       0.0.0.0:49154->5432/tcp          shipyard/db,shipyard_db                                                                              
f1fdedf89a7a        shipyard/lb:latest         /bin/sh -e /usr/loca   25 minutes ago      Up 25 minutes       0.0.0.0:80->80/tcp, 443/tcp      shipyard_lb                                                                                          
838683e60356        shipyard/router:latest     /bin/sh -e /usr/loca   27 minutes ago      Up 27 minutes       0.0.0.0:49153->80/tcp, 443/tcp   shipyard_lb/app_router,shipyard_router                                                               
e2c3b21ac096        shipyard/redis:latest      /usr/local/bin/redis   31 minutes ago      Up 31 minutes       0.0.0.0:6379->6379/tcp           shipyard/redis,shipyard_lb/app_router/redis,shipyard_lb/redis,shipyard_redis,shipyard_router/redis   
root@ubuntu:~# docker info
Containers: 6
Images: 78
Driver: aufs
Root Dir: /var/lib/docker/aufs
Dirs: 90
WARNING: No swap limit support
root@ubuntu:~# docker ps
CONTAINER ID        IMAGE                      COMMAND                CREATED             STATUS              PORTS                            NAMES
db14972006f4        shipyard/shipyard:latest   /app/.docker/run.sh    22 minutes ago      Up 22 minutes       0.0.0.0:8000->8000/tcp           shipyard                                                                                             
871856e04284        shipyard/db:latest         /bin/bash -e /usr/lo   24 minutes ago      Up 24 minutes       0.0.0.0:49154->5432/tcp          shipyard/db,shipyard_db                                                                              
f1fdedf89a7a        shipyard/lb:latest         /bin/sh -e /usr/loca   25 minutes ago      Up 25 minutes       0.0.0.0:80->80/tcp, 443/tcp      shipyard_lb                                                                                          
838683e60356        shipyard/router:latest     /bin/sh -e /usr/loca   27 minutes ago      Up 27 minutes       0.0.0.0:49153->80/tcp, 443/tcp   shipyard_lb/app_router,shipyard_router                                                               
e2c3b21ac096        shipyard/redis:latest      /usr/local/bin/redis   31 minutes ago      Up 31 minutes       0.0.0.0:6379->6379/tcp           shipyard/redis,shipyard_lb/app_router/redis,shipyard_lb/redis,shipyard_redis,shipyard_router/redis   

# pwd
/var/lib/docker
root@ubuntu:/var/lib/docker# ls
aufs        execdriver  init          repositories-aufs  volumes
containers  graph       linkgraph.db  vfs



[ deploy images ]

deploy images. It will take a few minutes to deploy the image.
Images -> Import











containers tab




# docker ps | grep hello
f072532ff18c        ehazlett/py-helloworld:latest   /usr/local/bin/uwsgi   2 minutes ago       Up 2 minutes        0.0.0.0:49155->8000/tcp          helloworld-01                   

[ access to the container ]


click Mapping
Containers -> container name -> Ports -> Mapping -> 49155








python flask container is running.