User Guide

We will explain how to set up MiT, use it and customize it.

A Hierarchical IT2FO Model for Heterogeneous Malware Behavior Analysis Architecture
Building Own Heterogeneous Cloud Architecture for Adaptive Malware Behavioral Knowledge base

There are some articles about MiT for your reference. You should understand DRBL (Clonezilla), libvirt, KVM, etc.

2014/12/31 Update ....
Chinese Version: 
http://X.TWMAN.ORG/InstallC

###################################################################
分層區間二型模糊知識本體模型之異質惡意程式行為分析架構 
A Hierarchical IT2FO Model for Heterogeneous Malware Behavior Analysis Architecture
## Malware Analysis Network in Taiwan <MAN in Taiwan, MiT>
## http://MiT.TWMAN.ORG | <TonTon@TWMAN.ORG> 
## (C) 2014/12/31 TonTon Hsien-De Huang
## MiT README
###################################################################
This project is open source and distributed under the GNU General Public License version 3. Please feel free to add to or modify this source, propose changes or new converters, and reference this website.
###################################################################
Official Website: http://MiT.TWMAN.ORG
Community on Google+:http://X.TWMAN.ORG/Community
###################################################################
Install / Setup User Guide: please take the time to read the notes below and the Chinese and English blog posts first.
Server-side auto-install video: https://www.youtube.com/watch?v=U3Jrs-83tYQ
(ONE PIECE makes a cameo at 03:40 and 05:10 ... xD)

Client-side auto-install video: https://www.youtube.com/watch?v=jafYXci_Yas


#########################Chinese - How To################################
===2014/12/31===
Install CentOS x64 6.5 on the server yourself (two network cards required). For the clients, decide which OS to install (e.g. Windows XP, Windows 7, Android, etc.; PS: building a physical dynamic-analysis environment for Android is not covered here; if you urgently need it, feel free to discuss it separately) ... These notes are long, but basically you MUST first get familiar with DRBL/Clonezilla backup/restore, image creation, diskless Linux, and the boot/reboot commands. Once you have, you can definitely build your own heterogeneous "physical-cluster malware behavior analysis platform" spanning PC / Android!

==1. Download the latest version, " MiT@20150228.tar.gz ", and extract it into " / " of your CentOS; you will see the following directories and files:

MiT-Server_Auto-Install.sh: initial install/setup script (no VM)
MiT-Server_Auto-VM_Install.sh: initial install script (with VM)
MiT-Server_Auto-VM_Setup.sh: post-install setup script (with VM)
Malware-Sample_MiT: Exes, Queue, Temp; holds samples before and after analysis
Analysis-Report_MiT: holds reports before and after analysis
MiT-Start.sh: script that starts execution on the server side
Server-Toolkit_MiT.zip: related toolkit
Client-Toolkit_MiT.exe
README.txt: this text file
MiT-Run.sh
vt.py

==2. On the server, run (MiT-Server_Auto-Install.sh) or (MiT-Server_Auto-VM_Install.sh and MiT-Server_Auto-VM_Setup.sh); remember to modify the DRBL bridge settings and then reboot (not needed if you are not using VMs). At this point everything should be set up; remember to edit the client batch files and to create the restore images you will need.

==3. Meanwhile, put Client-Toolkit_MiT.exe on the client and run it (video: https://www.youtube.com/watch?v=jafYXci_Yas). After running it you will see three installers, CaptureBAT-Setup-2.0.0-5574.exe, drbl-winroll-1.4.0-194-setup.exe and MiT-Client-Installer.exe, as well as the runtime batch files such as ppt.bat and MiT-CaptureBAT.bat; it also copies the related packages into C:\WINDOWS\System32.

==4. Collect the MAC addresses of each machine and fill them in (examples are provided) in macadr-br0.txt from the extracted Server-Toolkit_MiT and in hosts.conf on the client, for use by drbl and drbl-winroll; for DRBL and drbl-winroll, refer to the official websites and the related blog posts I wrote.

==5. Confirm that the server can control the clients: this cannot be preset; you need to confirm each client's NIC MAC and IP, or the VM's DOMAIN, and write those settings into MiT-Start.sh. It contains examples, including one that starts a specific client based on the detected file type. On the client side, adjust ppt(pptx/xls/xlsx/doc/docx/pdf).bat, and MiT-CaptureBAT.bat must start at boot. Also! Remember to edit the command file that makes DRBL do the restore!

#########################English - How To################################
Feel free to contact us (TonTon@TWMAN.ORG) if you are interested in collaborating with us.
You can also download the latest version; as of now the latest version is " MiT@2014.tar.gz ".

Step 1: Unzip MiT@20150228.tar.gz and find the following text file and directories:

MiT-Server_Auto-Install.sh: install the toolkits for the initial server setup
MiT-Server_Auto-VM_Install.sh: install the toolkits for the initial server setup (with VM)
MiT-Server_Auto-VM_Setup.sh: set up the toolkits for the server
Malware-Sample_MiT: store the malicious samples
Analysis-Report_MiT: store the analysis reports
Client-Toolkit_MiT.exe: set up the toolkits for clients
Server-Toolkit_MiT.zip: the toolkits for server install & setup
MiT-Start.sh, MiT-Run.sh, README.txt, and vt.py

Step 2: Execute MiT-Server_Auto-Install.sh (or MiT-Server_Auto-VM_Install.sh and MiT-Server_Auto-VM_Setup.sh), and the server install & setup is complete.

Step 3: If you wish to run MiT on physical machines, set up the related information (e.g. MAC addresses) for DRBL. Otherwise, if you wish to run MiT on virtual machines, set up the related information (e.g. qemu) for libvirtd. You need to complete this step by default. You also need to prepare the related OS environment (e.g. Windows 7, Windows 7 SP1 ... on the virtual machine / physical machine).

Step 4: After completing these steps, run Client-Toolkit_MiT.exe on the clients. It automatically installs the basic software for the clients. You also need to install CaptureBAT-Setup-2.0.0-5574.exe, drbl-winroll-1.4.0-194-setup.exe and MiT-Client-Installer.exe.

Step 5: Check whether you can send messages from the server to control the clients (for example, open a file with some program, or restore a client image); for this you need to create a clean environment and run images for the clients with DRBL (physical machines), or set up libvirtd with qemu!

###################################################################
Thanks for taking the time to read this README.
For more information you may need, please do not hesitate to inform me.
Best regards,

TonTon
###################################################################

###################################################################
Now! Let's build the new-generation analysis environment step by step!

CentOS 6.4 x64 as the server, with 2 network interface cards
ownCloud as the cloud share for malicious samples and analysis reports
Hash forensics
INetSim as the fake network service
file for file type detection
Microsoft Windows XP and 7 (x86) as clients
KVM, libvirt & virt-manager as the virtual environment
DRBL (bridge), Clonezilla & DRBL-Winroll as the physical environment


Community on Google+:http://X.TWMAN.ORG/Community

Server side:

Step 1: Install CentOS 6.4 x64

Step 2: Set up the bridge:

Bridge:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=301227d9-20ba-4764-857e-02b00a3750bf
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=20:20:30:45:9D:EA
#IPADDR=YOUR IP
#GATEWAY=YOUR GATEWAY
#DNS1=8.8.8.8
#DNS2=8.8.4.4
#DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
BRIDGE=br0


# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0


# vi /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=YOUR IP
NETMASK=255.255.255.0
GATEWAY=YOUR GATEWAY
DNS1=8.8.8.8
DNS2=8.8.4.4
DEFROUTE=yes
NAME="System br0"


# service network restart
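Before restarting the network it is worth sanity-checking the two ifcfg files, because the copy step above carries everything in ifcfg-eth0 (HWADDR, UUID, the commented-out address) into ifcfg-br0 and a typo leaves the server unreachable over the bridge. The POSIX shell function below is an added example, not part of MiT; it assumes the CentOS 6 ifcfg layout shown above and flags the mismatches that most often break this step: a NIC not enslaved to the bridge, an address left on the NIC, a bridge file without TYPE=Bridge or with the "YOUR IP" placeholder still in place, HWADDR/UUID copied into the bridge file, and NetworkManager not disabled.

```shell
#!/bin/sh
# Added example (not part of MiT): check a CentOS 6 ifcfg-<nic> / ifcfg-<bridge>
# pair before "service network restart".
# Usage: check_bridge_cfg /etc/sysconfig/network-scripts eth0 br0

# Print the value of KEY in an ifcfg FILE (surrounding quotes stripped);
# prints nothing when the key is absent or commented out.
ifcfg_get() {
    # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Return 0 when the pair is consistent, 1 otherwise; each problem goes to stderr.
check_bridge_cfg() {
    dir="$1"; nic="$2"; br="$3"
    nic_cfg="$dir/ifcfg-$nic"; br_cfg="$dir/ifcfg-$br"
    rc=0
    for f in "$nic_cfg" "$br_cfg"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done

    # 1. the NIC must be enslaved to the bridge
    [ "$(ifcfg_get "$nic_cfg" BRIDGE)" = "$br" ] ||
        { echo "$nic_cfg: BRIDGE must be $br" >&2; rc=1; }

    # 2. an enslaved NIC carries no address of its own (the guide comments it out)
    [ -z "$(ifcfg_get "$nic_cfg" IPADDR)" ] ||
        { echo "$nic_cfg: IPADDR must not be set on a bridged NIC" >&2; rc=1; }

    # 3. the bridge file declares TYPE=Bridge and holds the real address
    [ "$(ifcfg_get "$br_cfg" TYPE)" = "Bridge" ] ||
        { echo "$br_cfg: TYPE must be Bridge" >&2; rc=1; }
    case "$(ifcfg_get "$br_cfg" IPADDR)" in
        ""|"YOUR IP") echo "$br_cfg: IPADDR is unset or still the placeholder" >&2; rc=1 ;;
    esac

    # 4. the guide's ifcfg-br0 has no HWADDR/UUID; the cp step copies them in
    for k in HWADDR UUID; do
        [ -z "$(ifcfg_get "$br_cfg" "$k")" ] ||
            { echo "$br_cfg: remove $k (copied from ifcfg-$nic)" >&2; rc=1; }
    done

    # 5. NetworkManager must stay out of both files
    for f in "$nic_cfg" "$br_cfg"; do
        [ "$(ifcfg_get "$f" NM_CONTROLLED)" = "no" ] ||
            { echo "$f: set NM_CONTROLLED=no" >&2; rc=1; }
    done
    return $rc
}

# Run directly with three arguments; when sourced, only the functions are defined.
if [ "$#" -eq 3 ]; then
    check_bridge_cfg "$@" && echo "bridge configuration looks consistent"
fi
```

Run it as `sh check-bridge.sh /etc/sysconfig/network-scripts eth0 br0`; a zero exit status means none of the five checks fired. It only reads the files, so it is safe to run repeatedly while editing.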

SELinux & destroy virbr0

# virsh net-destroy default 
# virsh net-undefine default 
# service libvirtd restart
# vi /etc/selinux/config 
Step 3: Install & update software:

# yum update -y
# yum -y install tigervnc-server tigervnc aide samba qemu-kvm libvirt python-virtinst bridge-utils perl-Digest-SHA1 gcc-c++ gcc virt-manager
# yum -y groupinstall "General Purpose Desktop" "X Window System" "Desktop" 

For the VNC server, samba and aide:
# yum -y install tigervnc-server tigervnc
# iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
# vncserver :1 (enter the VNC password twice)

volatility-2.2
# wget https://volatility.googlecode.com/files/volatility-2.2.tar.gz
# tar -zxf volatility-2.2.tar.gz && cd volatility-2.2 && python setup.py install && cd ..

file-5.14
# wget ftp://ftp.astron.com/pub/file/file-5.14.tar.gz
# tar -zxf file-5.14.tar.gz && cd file-5.14 && ./configure && make && make install && cd ..

inetsim-1.2.4

# wget http://search.cpan.org/CPAN/authors/id/R/RH/RHANDOM/Net-Server-2.007.tar.gz && tar -zxf Net-Server-2.007.tar.gz && cd Net-Server-2.007 && perl Makefile.PL && make && make install && cd ..
# wget http://search.cpan.org/CPAN/authors/id/N/NL/NLNETLABS/Net-DNS-0.72.tar.gz && tar -zxf Net-DNS-0.72.tar.gz && cd Net-DNS-0.72 && perl Makefile.PL && make && make install && cd ..
# wget http://search.cpan.org/CPAN/authors/id/M/MS/MSOUTH/IPC-Shareable-0.61.tar.gz && tar -zxf IPC-Shareable-0.61.tar.gz && cd IPC-Shareable-0.61 && perl Makefile.PL && make && make install && cd ..
# wget http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-1.953.tar.gz && tar -zxf IO-Socket-SSL-1.953.tar.gz && cd IO-Socket-SSL-1.953 && perl Makefile.PL && make && make install && cd ..
# wget ftp://rpmfind.net/linux/centos/6.4/os/x86_64/Packages/iptables-devel-1.4.7-9.el6.x86_64.rpm && rpm -Uvh iptables-devel-1.4.7-9.el6.x86_64.rpm 
# wget http://search.cpan.org/CPAN/authors/id/J/JM/JMORRIS/perlipq-1.25.tar.gz && tar -zxf perlipq-1.25.tar.gz && cd perlipq-1.25 && perl Makefile.PL && make && make install && cd ..
# cd /MiT/Server-Toolkit && wget http://www.inetsim.org/downloads/inetsim-1.2.4.tar.gz && tar -zxf inetsim-1.2.4.tar.gz && cd inetsim-1.2.4 && groupadd inetsim && sh setup.sh && ./inetsim --session test --config=/MiT/Server-Toolkit/inetsim-1.2.4/conf/inetsim.conf --log-dir=/MiT/Server-Toolkit/inetsim-1.2.4/log --data-dir=/MiT/Server-Toolkit/inetsim-1.2.4/data --report-dir=/MiT/Server-Toolkit/inetsim-1.2.4/report --bind-address=192.168.0.100 --user=root &

DRBL

# rm -f GPG-KEY-DRBL; wget http://drbl.nchc.org.tw/GPG-KEY-DRBL; rpm --import GPG-KEY-DRBL  
# wget http://free.nchc.org.tw/drbl-core/x86_64/RPMS.drbl-stable/drbl-2.4.17-drbl1.noarch.rpm 
# rpm -Uvh drbl-2.4.17-drbl1.noarch.rpm 
# drblsrv -i -c n -n n -m n -g n -k 2 -o 1 -x n -t n -a n -l 2 -s  

# vi /usr/bin/mkpxeinitrd-net
# vi /usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init
# vi /usr/share/drbl/setup/files/misc/init.drbl

1. /usr/bin/mkpxeinitrd-net
Find the line below and add "brctl":
include_bin_prog_from_server="sleep lspci insmod modprobe rmmod lsmod pkill strings mount umount mount.nfs umount.nfs brctl"

Find "# Deal with firmwares!" and add:
# modified by drbl-virt
cp -a --parents kernel/net/802/stp.ko $initrd/lib/modules/$kernel_ver/
cp -a --parents kernel/net/bridge/bridge.ko $initrd/lib/modules/$kernel_ver/

2. /usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init
Find "# IF the netdevices is not assign in /etc/netdev.conf" and add:
# modified by drbl-virt
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0
ifconfig br0 0.0.0.0

3. /usr/share/drbl/setup/files/misc/init.drbl
# find my IP address
-NETDEVICES="$(LC_ALL=C cat /proc/net/dev | awk -F: '/eth.:|tr.:|p.p.:/{print $1}')"
+NETDEVICES="$(LC_ALL=C cat /proc/net/dev | awk -F: '/eth.:|tr.:|br.:|p.p.:/{print $1}')"

# drblsrv -i
# drblpush -c /etc/drbl/drblpush.conf 
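The three edits above have to be redone whenever the DRBL package is reinstalled or upgraded, and doing them by hand in vi is easy to get subtly wrong (a missed `brctl`, the modules copied before the firmware block, the regex edited twice). The shell function below is an added example, not part of MiT or DRBL, that applies the same three changes with GNU sed and skips any edit that is already present, so it is safe to run more than once. It takes an optional root directory so you can rehearse on a copy of the three files first; the anchor lines it searches for are the ones quoted above, and you should confirm they read exactly like that in your DRBL version before pointing it at `/`.

```shell
#!/bin/sh
# Added example (not part of MiT or DRBL): apply the bridge edits from this
# section to the three DRBL files, idempotently. Requires GNU sed (CentOS).
# Usage: drbl_bridge_patch            -> edits the real files under /
#        drbl_bridge_patch /tmp/copy  -> edits /tmp/copy/usr/bin/... etc.

drbl_bridge_patch() {
    root="${1:-}"
    mk="$root/usr/bin/mkpxeinitrd-net"
    rc="$root/usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init"
    init="$root/usr/share/drbl/setup/files/misc/init.drbl"
    for f in "$mk" "$rc" "$init"; do
        [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    done

    # 1a. mkpxeinitrd-net: ship brctl in the PXE initrd (append inside the quotes)
    grep -q '^include_bin_prog_from_server=".*brctl' "$mk" ||
        sed -i 's/^\(include_bin_prog_from_server="[^"]*\)"/\1 brctl"/' "$mk"

    # 1b. mkpxeinitrd-net: copy the stp and bridge modules right after the firmware anchor
    grep -q 'kernel/net/bridge/bridge.ko' "$mk" ||
        sed -i '/^# Deal with firmwares!/a\
# modified by drbl-virt\
cp -a --parents kernel/net/802/stp.ko $initrd/lib/modules/$kernel_ver/\
cp -a --parents kernel/net/bridge/bridge.ko $initrd/lib/modules/$kernel_ver/' "$mk"

    # 2. linuxrc-or-init: build br0 over eth0 when the diskless client boots
    grep -q '^brctl addbr br0' "$rc" ||
        sed -i '/^# IF the netdevices is not assign in \/etc\/netdev.conf/a\
# modified by drbl-virt\
brctl addbr br0\
brctl addif br0 eth0\
ifconfig eth0 0.0.0.0\
ifconfig br0 0.0.0.0' "$rc"

    # 3. init.drbl: let the "find my IP address" regex also match br0
    grep -q "br\.:|p\.p\.:" "$init" ||
        sed -i "s#/eth\.:|tr\.:|p\.p\.:/#/eth.:|tr.:|br.:|p.p.:/#" "$init"
}

# Run directly: no argument patches the live files, one argument a staged copy.
if [ "$#" -le 1 ] && [ -n "${DRBL_PATCH_RUN:-}" ]; then
    drbl_bridge_patch "$1"
fi
```

A practical workflow is to `cp --parents` the three files into a scratch directory, run `drbl_bridge_patch /tmp/copy`, diff the results against the originals, and only then run it with no argument (with `DRBL_PATCH_RUN=1` set when executing the script directly) before the `drblsrv -i` / `drblpush` step.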

Finally! I also wrote an auto-install script, available on SourceForge:

# tar -zxf MiT.tar.gz

# /MiT/MiT-Server-Install.sh

You will be prompted four times: 1. perlipq-1.25.tar.gz: press Enter to accept [/usr/local/] | 2. drblsrv: choose from this DRBL server | 3. drblpush: press Enter

Client Side:

Step 1: Set up Wake on LAN (WOL) & PXE boot

Check that WOL & PXE boot are enabled on your NIC

Step 2: Install and set up the released toolkit as follows:

======== DRBL-Winroll: server connects to the client by ssh ========


The official site explains this more clearly!!! http://drbl-winroll.nchc.org.tw

Server:ssh-copy-id Administrator@192.168.0.1 (password)

Client:ssh-copy-id root@192.168.0.100 (password)


======Sync your report & sample (mail to TonTon@TWMAN.ORG)======


Please feel free to try it and contact me if you are interested in MiT or run into problems!