
History

A Hierarchical Interval Type-2 Fuzzy Ontology (IT2FO) Model for Heterogeneous Malware Behavior Analysis Architecture
Building Your Own Heterogeneous Cloud Architecture for an Adaptive Malware Behavioral Knowledge Base


Some background articles on MiT are listed for reference; you should understand DRBL (Clonezilla), libvirt, KVM and related tools before starting.
2013/11/1 update: a quick install script for the server is available at http://sourceforge.net/projects/twmanplus/files/MiT-Beta_2014/
This page only describes how to build the heterogeneous architecture for malware behavior analysis, as follows.
For the malware behavioral knowledge base itself, see: Approach & Model
Now let's build the new-generation analysis environment step by step!

CentOS 6.4 x64 as the server, with two network interface cards
ownCloud as the cloud share for malicious samples and analysis reports
Hash & log forensics
INetSim as the fake network services
file (libmagic) for file-type detection
Microsoft Windows XP and 7 (x86) as clients
KVM, libvirt & virt-manager as the virtual environment
DRBL (bridge mode), Clonezilla & DRBL-Winroll as the physical environment


Community on Google+: http://X.TWMAN.ORG/Community

Server side:


Step 1: Install CentOS 6.4 x64


Step 2: Set up the bridge:

Bridge (eth0 is enslaved to br0; br0 carries the host IP, so eth0 keeps no address of its own):

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=301227d9-20ba-4764-857e-02b00a3750bf
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=20:20:30:45:9D:EA
#IPADDR=YOUR IP
#GATEWAY=YOUR GATEWAY
#DNS1=8.8.8.8
#DNS2=8.8.4.4
#DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
BRIDGE=br0


# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0


# vi /etc/sysconfig/network-scripts/ifcfg-br0   (remove the HWADDR, UUID and BRIDGE lines inherited from the copy; the result should look like this)
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=YOUR IP
NETMASK=255.255.255.0
GATEWAY=YOUR GATEWAY
DNS1=8.8.8.8
DNS2=8.8.4.4
DEFROUTE=yes
NAME="System br0"


# service network restart
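As an added check (example code written for this page, not part of MiT or its install script), the script below parses the two ifcfg files and flags the mistakes that most often leave the server without a working bridge after `service network restart`, in particular the HWADDR/UUID/BRIDGE lines inherited when ifcfg-br0 is copied from ifcfg-eth0. File paths are arguments, so it can be run against the real files or scratch copies:

```sh
#!/bin/sh
# Added example, not from the MiT page: sanity-check the ifcfg-eth0 / ifcfg-br0
# pair produced above. Assumed layout: eth0 is enslaved to br0 and br0 carries
# the host IP; the file paths are arguments so it also runs on scratch copies.

# Print the value of KEY from an ifcfg file ($1 = file, $2 = KEY), ignoring
# commented-out lines such as "#IPADDR=YOUR IP".
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Report every inconsistency on stdout; return 0 only when the pair is clean.
check_bridge_cfg() {
    eth="$1"; br="$2"; rc=0

    [ "$(ifcfg_get "$eth" BRIDGE)" = "br0" ] ||
        { echo "eth0: missing BRIDGE=br0, the NIC is not enslaved to the bridge"; rc=1; }
    [ -z "$(ifcfg_get "$eth" IPADDR)" ] ||
        { echo "eth0: IPADDR must stay commented out, the address belongs on br0"; rc=1; }

    [ "$(ifcfg_get "$br" TYPE)" = "Bridge" ] ||
        { echo "br0: TYPE must be Bridge"; rc=1; }
    [ -n "$(ifcfg_get "$br" IPADDR)" ] ||
        { echo "br0: no IPADDR set"; rc=1; }
    # Leftovers from "cp ifcfg-eth0 ifcfg-br0": the bridge must not inherit the
    # NIC's HWADDR/UUID, and BRIDGE=br0 on br0 itself makes it try to enslave itself.
    for key in HWADDR UUID BRIDGE; do
        [ -z "$(ifcfg_get "$br" "$key")" ] ||
            { echo "br0: remove $key= (copied from ifcfg-eth0)"; rc=1; }
    done

    # NetworkManager would otherwise reconfigure eth0 behind the bridge's back.
    for f in "$eth" "$br"; do
        [ "$(ifcfg_get "$f" NM_CONTROLLED)" = "no" ] ||
            { echo "$(basename "$f"): set NM_CONTROLLED=no"; rc=1; }
    done
    return "$rc"
}
```

Run it as `check_bridge_cfg /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0` before restarting the network; a non-zero exit with the reasons printed means the files still need fixing.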

SELinux & remove the default libvirt NAT network (virbr0), which is not needed once guests attach to br0:

# virsh net-destroy default 
# virsh net-undefine default 
# service libvirtd restart
# vi /etc/selinux/config   (adjust SELINUX= as needed for libvirt and DRBL; if you set it to permissive or disabled, the host loses that containment layer while it serves malware samples over NFS and Samba)


 

Step 3: Install & Update Software:

Update System

# yum update -y


# yum -y install tigervnc-server tigervnc aide samba qemu-kvm libvirt python-virtinst bridge-utils perl-Digest-SHA1 gcc-c++ gcc virt-manager

# yum -y groupinstall "General Purpose Desktop" "X Window System" "Desktop" 

VNC server (tigervnc-server, tigervnc, samba and aide are already in the install line above): open the VNC and X display ports, then start a display. The rule below has no -i, so it also opens VNC on the bridge the analysis clients use; add -i with the management interface so machines that execute malware cannot reach the server's desktop.

# iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT 
# vncserver :1   (enter the VNC password twice) 

Log forensics: allow syslog (514/tcp) in from the clients and verify with tcpdump/netstat what is listening. With eth0 enslaved to br0, locally delivered client traffic hits INPUT with br0 as the incoming interface, so use -i br0 (or drop -i) if the eth0 rule never matches.

iptables -A INPUT -i eth0 -p tcp --dport 514 -j ACCEPT
tcpdump -i eth0 -nn port 21 
tcpdump -tlni eth0 port 515 
netstat -ntulp | grep 514

volatility-2.2

#  wget https://volatility.googlecode.com/files/volatility-2.2.tar.gz
#  tar -zxf volatility-2.2.tar.gz && cd  volatility-2.2 && python setup.py install && cd ..


file-5.14

# wget ftp://ftp.astron.com/pub/file/file-5.14.tar.gz
# tar -zxf file-5.14.tar.gz && cd file-5.14 && ./configure && make && make install && cd ..

inetsim-1.2.4 (Perl dependencies first, then INetSim itself)

# wget http://search.cpan.org/CPAN/authors/id/R/RH/RHANDOM/Net-Server-2.007.tar.gz && tar -zxf Net-Server-2.007.tar.gz && cd Net-Server-2.007 && perl Makefile.PL && make && make install && cd ..

# wget http://search.cpan.org/CPAN/authors/id/N/NL/NLNETLABS/Net-DNS-0.72.tar.gz && tar -zxf Net-DNS-0.72.tar.gz && cd Net-DNS-0.72 && perl Makefile.PL && make && make install && cd ..

# wget http://search.cpan.org/CPAN/authors/id/M/MS/MSOUTH/IPC-Shareable-0.61.tar.gz && tar -zxf IPC-Shareable-0.61.tar.gz && cd IPC-Shareable-0.61 && perl Makefile.PL && make && make install && cd ..

# wget http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-1.953.tar.gz && tar -zxf IO-Socket-SSL-1.953.tar.gz && cd IO-Socket-SSL-1.953 && perl Makefile.PL && make && make install && cd ..

# wget ftp://rpmfind.net/linux/centos/6.4/os/x86_64/Packages/iptables-devel-1.4.7-9.el6.x86_64.rpm && rpm -Uvh iptables-devel-1.4.7-9.el6.x86_64.rpm 

# wget http://search.cpan.org/CPAN/authors/id/J/JM/JMORRIS/perlipq-1.25.tar.gz && tar -zxf perlipq-1.25.tar.gz && cd perlipq-1.25 && perl Makefile.PL && make && make install && cd ..

# cd /MiT/Server-Toolkit && wget http://www.inetsim.org/downloads/inetsim-1.2.4.tar.gz && tar -zxf inetsim-1.2.4.tar.gz && cd inetsim-1.2.4 && groupadd inetsim && sh setup.sh && ./inetsim --session test --config=/MiT/Server-Toolkit/inetsim-1.2.4/conf/inetsim.conf --log-dir=/MiT/Server-Toolkit/inetsim-1.2.4/log --data-dir=/MiT/Server-Toolkit/inetsim-1.2.4/data --report-dir=/MiT/Server-Toolkit/inetsim-1.2.4/report --bind-address=192.168.0.100 --user=root &

Two caveats: the clients only reach the fake services if their DNS server and default gateway point at the bind address (192.168.0.100, the server's br0 address on the client network); and --user=root runs every fake listener as root, whereas INetSim drops privileges to the inetsim user by default, so leave --user=root out unless you have a reason to keep it.

DRBL

# rm -f GPG-KEY-DRBL; wget http://drbl.nchc.org.tw/GPG-KEY-DRBL; rpm --import GPG-KEY-DRBL  

# wget http://free.nchc.org.tw/drbl-core/x86_64/RPMS.drbl-stable/drbl-2.4.17-drbl1.noarch.rpm 

# rpm -Uvh drbl-2.4.17-drbl1.noarch.rpm 

# drblsrv -i -c n -n n -m n -g n -k 2 -o 1 -x n -t n -a n -l 2 -s  




Patch three DRBL scripts so that a diskless client brings up a bridge (br0 over eth0) instead of a plain eth0; this is what lets KVM guests on a physical client share the DRBL network:

# vi /usr/bin/mkpxeinitrd-net 
# vi /usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init 
# vi /usr/share/drbl/setup/files/misc/init.drbl 

1. /usr/bin/mkpxeinitrd-net 
Find the line below and add "brctl" to the list, so the bridge utility is copied into the PXE initrd: 
include_bin_prog_from_server="sleep lspci insmod modprobe rmmod lsmod pkill strings mount umount mount.nfs umount.nfs brctl" 

Find "# Deal with firmwares!" and add the bridge and STP kernel modules to the initrd: 
# modified by drbl-virt 
cp -a --parents kernel/net/802/stp.ko $initrd/lib/modules/$kernel_ver/ 
cp -a --parents kernel/net/bridge/bridge.ko $initrd/lib/modules/$kernel_ver/ 

2. /usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init 
Find "# IF the netdevices is not assign in /etc/netdev.conf" and add the following, so br0 exists before DRBL configures the network: 
# modified by drbl-virt 
brctl addbr br0 
brctl addif br0 eth0 
ifconfig eth0 0.0.0.0 
ifconfig br0 0.0.0.0 

3. /usr/share/drbl/setup/files/misc/init.drbl 
Find "# find my IP address" and change the NETDEVICES line so the client also detects its address on br0: 
-NETDEVICES="$(LC_ALL=C cat /proc/net/dev | awk -F: '/eth.:|tr.:|p.p.:/{print $1}')" 
+NETDEVICES="$(LC_ALL=C cat /proc/net/dev | awk -F: '/eth.:|tr.:|br.:|p.p.:/{print $1}')" 

Then rebuild the PXE initrd and push the configuration to the clients:

# drblsrv -i 
# drblpush -c /etc/drbl/drblpush.conf 
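The three edits above are easy to lose when the drbl package is updated. The following script (an added example for this page, not part of DRBL or the MiT install script) applies them with sed and awk, skips any edit that is already present, and verifies the result; it takes the three file paths as arguments, so it can be tried on copies first. It inserts the new lines directly after the matching comment line, which is how the instructions above read:

```sh
#!/bin/sh
# Added example (not part of DRBL or the MiT scripts): apply the three
# bridge-support edits with sed/awk instead of vi, so they can be re-applied
# after a DRBL package update. Paths are arguments; on a real server they are
# /usr/bin/mkpxeinitrd-net, /usr/lib/mkpxeinitrd-net/initrd-skel/linuxrc-or-init
# and /usr/share/drbl/setup/files/misc/init.drbl.

# Insert $3 (may contain newlines) after the first line of $1 that contains $2.
insert_after() {
    f="$1"; pat="$2"; text="$3"
    awk -v pat="$pat" -v text="$text" \
        '{ print } !done && index($0, pat) > 0 { print text; done = 1 }' \
        "$f" > "$f.new" && mv "$f.new" "$f"
}

# Run sed expression $1 over file $2 in place (portable: no GNU sed -i).
sed_inplace() {
    sed -e "$1" "$2" > "$2.new" && mv "$2.new" "$2"
}

patch_drbl_bridge() {
    mk="$1"; linuxrc="$2"; initdrbl="$3"

    # 1. mkpxeinitrd-net: ship brctl and the bridge/stp kernel modules in the PXE initrd
    grep -q '^include_bin_prog_from_server=.*brctl' "$mk" ||
        sed_inplace 's/^\(include_bin_prog_from_server="[^"]*\)"/\1 brctl"/' "$mk"
    grep -q 'kernel/net/bridge/bridge.ko' "$mk" ||
        insert_after "$mk" '# Deal with firmwares!' '# modified by drbl-virt
cp -a --parents kernel/net/802/stp.ko $initrd/lib/modules/$kernel_ver/
cp -a --parents kernel/net/bridge/bridge.ko $initrd/lib/modules/$kernel_ver/'

    # 2. linuxrc-or-init: build br0 over eth0 before DRBL configures the network
    grep -q 'brctl addbr br0' "$linuxrc" ||
        insert_after "$linuxrc" '# IF the netdevices is not assign in /etc/netdev.conf' '# modified by drbl-virt
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0
ifconfig br0 0.0.0.0'

    # 3. init.drbl: let the client find its IP on br* as well as eth*
    grep -q 'br\.:' "$initdrbl" ||
        sed_inplace 's#/eth\.:|tr\.:|p\.p\.:/#/eth.:|tr.:|br.:|p.p.:/#' "$initdrbl"
}

# Return 0 only when all three edits are present in the given files.
verify_drbl_bridge() {
    grep -q '^include_bin_prog_from_server=.*brctl"' "$1" &&
    grep -q 'kernel/net/bridge/bridge.ko' "$1" &&
    grep -q 'brctl addif br0 eth0' "$2" &&
    grep -q 'br\.:' "$3"
}
```

After `patch_drbl_bridge` and `verify_drbl_bridge` succeed on the real files, run `drblsrv -i` and `drblpush -c /etc/drbl/drblpush.conf` as above so the new initrd reaches the clients.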


Finally, I also made an auto-install script (on SourceForge):

# tar -zxf MiT.tar.gz

# /MiT/MiT-Server-Install.sh


The script prompts for input (four Enter presses in total):

1. perlipq-1.25.tar.gz: Enter to accept [/usr/local/]

2. drblsrv: choose the option for this DRBL server

3. drblpush: Enter







======== Client mounts the VM images from the server ========

# echo "192.168.0.100:/var/lib/libvirt/images /var/lib/libvirt/images nfs rw,hard,intr 0 0" >> /tftpboot/nodes/192.168.0.X/etc/fstab

# exportfs -arv

(192.168.0.X is the client's address; repeat for each client node directory under /tftpboot/nodes. exportfs -arv only re-reads /etc/exports, so /var/lib/libvirt/images must have an entry there for the client network; drblpush manages /etc/exports, so re-check the entry after pushing.)
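An added example (not from the MiT page) that does the per-client fstab step for every node directory at once, without appending a duplicate line on every run, and checks that the path is actually listed in /etc/exports before exportfs -arv is worth running. The exports entry format assumed here, /var/lib/libvirt/images 192.168.0.0/24(rw,sync,no_root_squash), is an assumption; the page does not show its /etc/exports:

```sh
#!/bin/sh
# Added example (not from the MiT page): add the libvirt image share to every
# DRBL client's fstab once (a plain "echo >>" appends a duplicate each time it is
# run), and confirm the server exports the path before exportfs -arv.
# Arguments are paths so the functions also run against a scratch tree:
#   add_image_mounts <node root, /tftpboot/nodes on a real server> <server IP>
#   exports_has_images </etc/exports> <client network, e.g. 192.168.0.0/24>

IMG=/var/lib/libvirt/images

# Append the NFS line to each node's etc/fstab unless an entry for IMG exists.
# Prints the number of fstab files changed.
add_image_mounts() {
    nodes="$1"; server="$2"; changed=0
    for node in "$nodes"/*/; do
        fstab="$node/etc/fstab"
        [ -f "$fstab" ] || continue
        if ! grep -q "^$server:$IMG[[:space:]]" "$fstab"; then
            echo "$server:$IMG $IMG nfs rw,hard,intr 0 0" >> "$fstab"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Return 0 if the exports file $1 exports IMG to the client network $2
# (assumed entry format: "/var/lib/libvirt/images 192.168.0.0/24(rw,...)").
exports_has_images() {
    grep -q "^$IMG[[:space:]]\{1,\}$2" "$1"
}
```

Typical use on the server: `add_image_mounts /tftpboot/nodes 192.168.0.100`, then `exports_has_images /etc/exports 192.168.0.0/24 || echo "add $IMG to /etc/exports first"`, and only then `exportfs -arv`.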



Client side:

Step 1: Set up Wake-on-LAN (WOL) & PXE boot

Check that WOL and PXE boot are enabled on your NIC (in the BIOS/firmware settings) 



Step 2: Install and set up the released toolkit as follows:

WinPcap_4_1_2.exe

jdk-7u13-windows-i586.exe

install_reader10_tw_gtba_chra_dy_aih.exe

install_flash_player.exe

dotNetFx45_Full_setup.exe

spice-guest-tools-0.59.exe

CaptureBAT-Setup-2.0.0-5574.exe

drbl-winroll-1.4.0-194-setup.exe


Ninite - Install or Update Multiple Apps at Once





However, some software still has to be installed manually!



======== DRBL-Winroll: SSH trust between server and clients ========

Server: ssh-copy-id Administrator@192.168.0.1   (enter the client's password)

Client: ssh-copy-id root@192.168.0.100   (enter the server's password)

The second step leaves a key with login rights to root on the server on a machine that runs malware. Restrict what that key may do (a command="..." forced command in root's authorized_keys, or a dedicated unprivileged account for the report upload) so a compromised client does not become a path back into the server.


====== Sync your reports & samples (mail to TonTon@TWMAN.ORG) ======

# cd /etc/yum.repos.d/ 

# wget http://download.opensuse.org/repositories/isv:ownCloud:devel/CentOS_CentOS-6/isv:ownCloud:devel.repo 

# yum install owncloud-client -y
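Samples and reports go onto the same ownCloud share, so it pays to record each sample's hash and libmagic type before the client syncs the directory, and to store the sample under its SHA-256 rather than its original name. The script below is an added example for this page (not part of MiT or ownCloud); it assumes samples are staged in a local directory that the ownCloud client syncs, and writes the manifest to a path you pass in (keep it outside the sample directory or it gets hashed too):

```sh
#!/bin/sh
# Added example (not from the MiT page): before a sample directory is synced to
# the ownCloud share, record each file's SHA-256, size and libmagic type in a
# tab-separated manifest and rename the sample to its hash. The share then never
# holds samples under their original (often misleading) names, and a report can
# reference a sample by hash.
#   build_manifest <sample dir> <manifest file, outside the sample dir>
#   manifest_lookup <manifest file> <original name>   -> prints the hash

# Write "<sha256>\t<size>\t<original name>\t<type>" per regular file in $1 to $2,
# then rename each file to its hash (files already named by hash are left alone;
# two identical samples simply end up as the same hash-named file).
build_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        type=$(file -b "$f" 2>/dev/null || echo unknown)
        name=$(basename "$f")
        printf '%s\t%s\t%s\t%s\n' "$sum" "$size" "$name" "$type" >> "$out"
        [ "$name" = "$sum" ] || mv "$f" "$dir/$sum"
    done
}

# Print the hash recorded for an original file name, or nothing if absent.
manifest_lookup() {
    awk -F'\t' -v n="$2" '$3 == n { print $1 }' "$1"
}
```

Run `build_manifest /path/to/staged-samples /path/to/manifest.txt` on the client just before the ownCloud sync; the manifest is the index the report should cite, and the hash-named files on the share can be cross-checked against it with sha256sum at any time.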




Please feel free to try it and contact me if you are interested in MiT or run into problems!