So we're shifting gears completely from the previous talk. This will be more or less technical, and more or less only applicable to people who are interested in doing technical work on a terminal, so very different. So, who am I? I have already said all of this; I guess the only thing I really want to plug here is MontréHack, which is our monthly security training where we focus on doing hands-on CTF exercises. The other stuff is already plugged, besides the Hacker Jeopardy, which I will host on Saturday. If you never came to the Hacker Jeopardy, you should come; it's free for anyone who is attending NorthSec. François is really proud; he's assisting me. We've been doing this for five years. It's a blast, it's really fun to do and it's really fun to attend, I think. Hugo, go ahead.

Yeah, for me, basically Pierre-David just read my bio, so that's basically it for me: PolyHack was Montréal, at Poly MTL, and that's basically it.

All right, so today we'll see the why, what, where and so what of our talk. Since building machines takes a while, like building complete Windows machines from scratch takes a while, our demo is actually at the beginning of the talk and you'll see the results at the end of the talk. So this is how we decided to do it. Let's just open up the shell here. Thank you, and I'll be with that. It worked. Nope, I have no internet. So basically it works. All right, so here we go. This is the tool, and now we're going to start it. And now back to the talk. This was the demo; you will see the result at the end. All right, so were there any questions? It's a cool tool. Thank you, thank you. All right, so why are we building this? So I had no internet when I loaded the slide deck, so I need to refresh the whole thing. It's really funny. So you really want to see it. So here's the context.
This is how we do malware analysis right now: it's manual, we throw tons of people at it, a lot of resources; its individual tasks are relatively boring, and yet it is very impressive. Huge companies are building whole business models around it, and the malware industry really secures people. I know it's not trendy to say it right now, but I strongly believe that AV is kind of the belt in a car: you need one, everyone has it, it's mandatory. So that's the way I feel about it. But a company like GoSecure cannot afford that like AV companies can afford that. So what I needed to do in order to scale at work is we needed to improve the toolchain, in order to be able to do analysis quicker and spend less time micromanaging virtual machines. So this is what this talk is about.

So for customization of the VM, it's kind of the same story here. We have vanilla XP VMs, or a more recent version if you want to analyze a 64-bit sample, but that's basically the main story here. We see that a lot: no trace of a previous user. You don't have files, you don't have browser history, you don't have emails, you don't have anything on it. It's basically just an empty PC that has no user, that nobody has ever been inside of. So you have to manually customize your PC, and it's really time-consuming. It's really non-technical, so you just basically waste time, and it can lead to cross-infected VMs. And you can't build or reuse templates at all. You have to rebuild the whole system all over again when you try to do basically the same thing. So, yeah, that's basically it. It's really time-consuming and we could do much better.

I have a problem: I need to restart the whole deck, and there goes my joke. Yeah, so basically we would recommend AsciiDoc and reveal.js. We're back in; it's really good. He's one of the maintainers, so yeah, it works really great. All right, now go on with your joke.
Okay, so it's time-consuming, and basically the 90s called and they want their methodology back. I have a funny gif to put there.

So other problems with malware analysis: it's not easily accessible to newcomers. Most of the people getting into this field need to get a book, which is called Practical Malware Analysis; they need to read through it, and then they need to understand that they need to be really careful with live samples, that you cannot trust the VM once it's infected, and so on. So it's easy to mess things up. Teamwork is also hard; the tools don't encourage it either. IDA Pro is not able to do any collaboration. There's not even a goddamn Ctrl-Z in that tool, which is, I mean, in 2016, completely idiotic, but it's there and it's what we use. Sharing VMs is also like sending files to each other: "Oh yeah, the sample is in that folder." "Oh, you like that tool? Oh no, it's not installed on my VM. I don't use Fiddler, I use Wireshark outside of the VM." So it's really just a pain in the neck.

Building a credible environment is time-consuming, as Hugo was saying. Also, there are several ways to mess things up. Like, if you install IDA inside your VM and the malware happens to be stealing IDA licenses, then, oh, you leaked an IDA license to the whole internet, and everyone you meet at conferences tells you, "Oh, thank you for the IDA license, by the way, that was leaked from your company." So a lack of integrated or enforced best practices can lead to leaks like that.

Now, when you deal with VM problems, this is how (where's my cursor?) this is how you feel. So it requires skills. So, oh, you foresee the problem: what do I need to do? How should I react? Okay, now I can fix this problem. That's perfect. Took me some time, and it's applicable only to one environment, one situation. Oh yeah, I mastered that, okay. Yeah, I'm good, I'll be able to continue. Yeah, all right, that's fine. Okay.
Next, the bug step. Oh shit, another problem. What do I do? Okay, oh, I can figure this out. Oh my god, I'm a genius. So we feel like heroes. This is really the way we've been working and it feels great. That's why the status quo is still here.

One other problem is malware authors really want to know if they're being tracked or not. So there are a couple of ways to do that. One of them is anti-VM, like Red Pill, the SLDT instruction. So they kind of get that they're inside a virtual machine, there's probably analysis behind that, so they just don't want to run on that, they exit, and then nothing has been done; it's not a malware. But some of them are not reliable on multi-core systems and when acceleration is deactivated in the virtual machine, so actually they're kind of not always applicable. Other tricks: you can have anti-debugging, but you can have debugger plugins to just pass that through, and the malware doesn't see anything, so the anti-debuggers are completely useless. But what about system fingerprinting? Are there really tools for that? And that's what we tried to get to.

What's the next step, if the VM is installed in an office? In companies, virtualization on the desktop is getting more and more popular, so if you want to infect that VM, you don't want anti-VM. So what you can do is fingerprint the system to see if it's a good system to infect or not. Another thing is it's one shot, one kill for APT research, or basically you don't want to waste your time or your IP. If it's not realistic, you could just get banned, your IP just blacklisted, and then you get nothing from the C&C, and so it wastes a lot of time. So it has to be credible and has to be fast, and you have to make it work the first time you get into it.

So now that you saw the demo, what have we built? So we were inspired by the DevOps principle. So why should the DevOps people have all the fun?
They are building great tools that change traditional IT; no one is looking back. Like, I heard of no one saying, "Oh yeah, the old way of doing system administration is nice. I take care of seven servers and I'm a full-time employee, a sysadmin, and I love this thing." DevOps has applied a lot to Linux servers, but what happened? What is going on in the Windows ecosystem? Luckily, things have changed lately. So, yeah, Hugo.

So yeah, DevOps. So why DevOps? Basically, one of the core principles of DevOps is infrastructure as code. So basically, like Olivier gave me an example, like git, you just want to make something that you can reproduce. So basically if you do it one time, you are able to do it every time, so you just don't have to do it all over again every now and then. You can also throw away your VM, and then you have all the tools to build that really fast another time, and so it's really more efficient, and that's what we want to bring to malware analysis.

So continuing on our train analogy, let's see what is our inspiration if we're talking about building railroads. So this machine is building railroads. It was engineered by someone who took a lot of time to make railroad building easier and faster. So now, instead of 80 humans running around, there's one guy who is inventing work. He has nothing to do. He's, like, sweeping dust to look like he's busy doing something. And this is exactly what I want when I build an analysis machine: I want to see a terminal that is working and installing the tools for me, and I don't want to be doing anything. I want to be checking my emails, looking up on Twitter, reading the latest APT report I don't have time to read. I don't want to be clicking next, next, next through all the tools I need installed in my VM.
So we need to build something like that, or we built something like that, for malware analysis. So yeah, basically checking Twitter and checking emails is basically the malware analyst's job. So you just want to do that and just be concentrated on that. He was an intern at work; we didn't give him any real tasks. So yeah. So yeah, you're a Twitter expert, a social media expert now, is that it? Yeah, all right.

So what architecture did we use? Well, we used existing DevOps tools. So the base image builder is Packer, which is a HashiCorp open source and free tool, of course. Then we use Vagrant to do the reproducible operating environments and to manage, if you want, the infrastructure. This is all running on top of VirtualBox, so for the VMs you have a GUI on your desktop when you spin the VM, when you build it. And once you have built one image with Packer, which takes half an hour and full disk I/O for half an hour because Windows, you know, needs a lot of I/O to install, after this you can do a vagrant up, which is a snapshot, a quick copy that takes no space, and you can have several analyses in parallel. So, leveraging all existing tools. And for remote management and installing tools inside the VM, we use PowerShell through WinRM, Windows Remote Management. Two years ago, all of this wouldn't have been possible: Vagrant didn't work on Windows, Packer didn't work on Windows. So I looked at this thing.
I had this idea a few years ago, but I re-investigated it last October and last November, and it was possible now. And I even borrowed some configs from Mark Andrew Dryers, who built the Packer malware repository, and basically I stole his unattended config, the XML, because I'm not a Windows person, so I didn't know anything. They weren't working for Windows 7, so I adapted them, but still, he really helped because he got me started. Another giant we are standing on top of is Chocolatey, which is the apt-get for Windows. Now our tool is bootstrapping a Chocolatey install, and then we use Chocolatey packages to install Sysinternals tools, WinDbg, Fiddler and all of the stuff we need to use. So this is all thanks to the giants that we are standing on.

The thing is, why are we the first to do it? I think no one cared, because everyone likes to be the hero, the one throwing the wood and saving the day, and so no one has done that before. And because malware analysis is such a niche environment, it was not really, you know, useful or anything; people prefer to manage their VM their own way. So tools are automatically installed based on profiles, which are part of the tool, and we install all of this which I already mentioned. So this list is only limited by your imagination, and you could customize it, and I mean, this is all open source.

So now dealing with VM problems looks like this. Whoops, the gif will rotate and you will understand the beginning of it. But so, when you have a problem, what you do is you either restart from scratch or you plow through it. You just don't care. Your VM is not a cute kitten. It's cattle.
You kill it and you get another one. So this is a concept of the DevOps industry about killing cattle and, you know, petting kittens.

Anyway, so what you can do with that afterwards is put your malware into context. So basically, maybe it behaves differently in different environments, if it has a domain attached to it, if it has a couple of VMs. So you want to build that as efficiently as possible. So if you know, for example, the target of the APT you're trying to track, you don't want to have a VM that looks like a vanilla one, you know; you want to have a VM that basically looks like an employee of a Russian company or government or something like that. So you want to put your malware into context, and when the bad guys arrive, they just see smoke and they're basically, "Oh yeah, that's the one we want to be on, so we're going to put stage two on that." And then you get another sample, and your research is better, and you do that in as little time as possible.

So what are the use cases? One of the examples, one of the investigations I did last summer at ESET, was winter to send, a classic: it did manual recon, it listed a lot of things, it listed last opened files, directories, what's on the desktop, and ran systeminfo to get the install date or the wire info. So basically, in a couple of minutes of manual recon, they had a backdoor on the system, they knew it was an analysis VM, they just exited, and nobody got nothing. So that's pretty disappointing for a researcher. Another thing is operation fingerprinting; that's been done by Malwarebytes. It's the Angler exploit kit that fingerprinted the system with path names. They looked for shared drives, they looked for Active Directory, and things like that.
So, things that would normally be in a real environment, and if it wasn't, they just exited or put something else that wasn't as cool as you would expect.

Another use case I mentioned earlier is team analysis. So of course, as in any conference-driven open source development, some things are left undone. So this is one of the cases, but it's just a matter of putting the right Vagrant command. So it's not even our tool's fault, because once the image is built, it's more a matter of workflow. But I still want the workflow documented, and I should take some time to document it properly in the coming weeks. But the idea is you have your Vagrantfile inside of your git repository. Your git is associated with an investigation, and you can share your git tree easily; a Vagrantfile is only a text file, and the Vagrant boxes are hosted on any HTTP server. And then someone can clone your analysis tree, and then vagrant up your analysis and be inside your virtual machine with the malware sample inside of it. So this is only a matter of time before it's documented in our repo.

So how can you get this? You want this now? So I have an anti-vaporware statement to make, because I dislike most of, not most, but often, projects that are discussed at security conferences where you never get to see the code. Academia is also guilty of that. They always say, "Yeah, yeah, look at the code," and then you need to send them a tweet or shame them on Twitter to say where is the code, and then they say, "Oh yeah, we just need to clean up a few things." It's been one year, man. Come on, clean it up. So what we decided to do, as we're tired of this trend in infosec, is we released the tool even before our talk. So, like, a few months ago I created the repository, we committed all of the stuff already there, and you know what, everyone should be doing this instead of hiding it and waiting to push the publish button.
No one will find your kitten, the project, you know; just do it in the open and deal with it. And as you can see, it's on the GoSecure repo. Olivier has a couple of followers and nobody noticed; we got nobody to talk about it. So basically nobody cared. No one told us our baby is ugly.

So how does the thing work? Well, we call it malboxes. So you use malboxes to build a profile (and then, I'm sorry, I'm stealing your slide. I see, that's okay), then it builds a Vagrant box for you, and then you spin a Vagrantfile, using again malboxes, to create the Vagrantfile for you, which is tailored to your analysis. The available commands to customize the profiles are the following. So, yeah, that's what we have now. It has been implemented, basically the first four ones: registry, document, directory, package, to customize the VM beforehand. And so you create a profile that outputs a PowerShell script before you spin up the VM. So basically, it's on the README, basic commands: you just type malboxes registry and then the arguments you want, and it modifies a profile that you want to apply to the VM. And then you have build and spin. So build builds the VirtualBox image for the VM, and then you just spin it to create a Vagrantfile that you can keep, and that's basically a link to the box, the Vagrant box, and then you can spin it up everywhere you want.

So let's look at the output of our previously built VM. Here we are, and so this is what happened. As you can see here, we installed, like, Sysinternals tools and several others, like PuTTY and stuff like that. And this all happened, you know, in the background without us having to do anything, and it's ready. Like, if you put in your sample, you create the port forwards for IDA to do remote debugging, and then boom, that's it. You have your new VM.
I wanted this really accessible. So the way we build the default profile right now, the Windows 10 image is a Windows 10 evaluation version, so you don't even need the product key or license; the license is okay for 90 days. And you don't even need to have the ISO file; I put in the URL of the ISO. So you do malboxes build of a Windows 10 analysis profile and you will get, half an hour after, depending on your download speed, a full Windows 10 evaluation VM with all the tools installed, ready to infect. So I think this is really good to get new people started at malware analysis and be less scared of leaking stuff or being infected. So this is useful to reduce art and augment science, get new people into malware analysis, and improve the workflow of seasoned analysts and teams.

So, where. Where was harder to fit in these W's, but we figured we should say where is this headed. So we are going to implement anti-VM detection tricks. So this was not done yet. So it's, oh, the slides, thank you. No, no, people are really shy. So did I have any good jokes on the one before? Oh yeah, where? It's good. Yeah. So anti-VM detection definitely must go in there, because VirtualBox is a pretty common environment to fingerprint for malware authors, like Hugo mentioned. We want to have higher-level constructs to build interesting targets. Active Directory integration is starting to be important: some malware will not do anything if you are in an Active Directory environment, which is interesting, and the opposite is also true, so some crimeware will refuse to infect a company and will focus on home users. So it's a thing to have in mind. Generating honey documents based on a theme would be interesting. We want to document the team workflow, like I said, and this is all in the to-do. So if anyone here wants to look at it and hack on it... Something that I haven't mentioned: I haven't tested it on Windows.
So we definitely will have issues on Windows, but they should be all solvable, because Packer, Vagrant and all of the giants we are sitting on work on Windows.

So with that said, let's get to work. If we want to have a fighting chance against the bad guys, we need to stop losing time on shenanigans like next, next, next and building VMs, and we need to start sharing images. So if you have a Vagrant box that is one zip file with the sample and your IDB inside, you can send it to some analyst of another company and then work together, and stop seeing these things as kittens and see them as the cattle that they are.

So just before I end, I wanted to thank some people that helped me: Jean Calvé for tips and help; thank you, marketing, for suggestions, and he's the one that linked me to Olivier and made that possible; Jurriaan Bremer, I worked on VMCloak beforehand and basically I think the new tool is better, so we're trying to work on that; Joseph Anandis for sponsorship; Jesse Campos for pushing me; and basically friends, family and girlfriend for support. So yeah, and I'm thankful to no one. So, any of you got questions? Suggestions, tips? This is our last train gif.