Sunday, January 4, 2009

Automated Malware Analysis with Zerowine

I recently did some work with Zerowine, a web-based, Debian-hosted automated malware analysis tool. My efforts got me a little writeup on the Internet Storm Center.

This is a followup post to show all of the steps I took to get this tool going in VMware rather than its default QEMU. This post illustrates a Windows configuration, but the steps will still work on Linux for the most part.

The first step we need to take is to download Zerowine. You can download it here. It comes as a prebuilt QEMU disk image.

The next step is to download QEMU for Windows. You can download it here.

Once you have both of these files and have extracted them, you will need to try running the virtual machine. (If you don't want to run this in QEMU at all, skip the next paragraph.)

To start a QEMU virtual machine you call qemu.exe with the disk image and options on the command line, which is most conveniently done from a batch file. QEMU is somewhat like Dynamips for those of you who are familiar with that type of virtual machine usage. The batch file will vary from computer to computer; mine has this line to run the virtual machine, which boots Zerowine with 128 MB of RAM and forwards host port 8000 to port 8000 in the guest, the port the web interface listens on:

qemu.exe -L . -m 128 -hda C:\zerowine_vm\hda.img -redir tcp:8000::8000

I wanted to use VMware, so I converted the image file to .vmdk format and used it with VMware. Luckily we already have the tool we need to do this: qemu-img.exe, which ships with QEMU, can convert raw .img files to .vmdk. The command is

qemu-img.exe convert c:\zerowine_vm\hda.img -O vmdk c:\zerowine_vm\zerowine.vmdk

After a few minutes a .vmdk file should appear in the directory you specified. Now it's time to create a new virtual machine and attach the zerowine.vmdk file we just created.

To start, open VMware Workstation and choose File > New > Virtual Machine. Choose Next, then Custom, then Next twice. Then choose Linux and Other Linux 2.6.x kernel.

Click Next until you reach the Networking section and choose NAT networking. Click Next twice to get to the Select a Disk section, choose "Use an existing virtual disk" and point it at the .vmdk file we created earlier. Finish the wizard and boot the virtual machine.

Ok, so now we have a booting image of Zerowine. We have a few steps left: first we change the keyboard map, then we edit a file so that eth0 comes up correctly. To do this, log in as root with the password zerowine and type

dpkg-reconfigure console-data

Walk through this wizard and change your keyboard map to the standard US PC layout. Then open the persistent network rules file with

vi /etc/udev/rules.d/z25_persistent-net.rules

Then delete all lines in this file. udev writes a rule into this file binding an interface name to the MAC address of each network card it sees, so if the image was booted in QEMU first, eth0 is tied to the QEMU card's MAC address and the VMware card, which has a different MAC, is given a new name instead of eth0 and may not show up as eth0 in ifconfig. Emptying the file lets udev regenerate it on the next boot with the VMware card as eth0.
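To make the udev fix concrete, here is an added example (not from the original post or the Zerowine project) that works on a constructed copy of z25_persistent-net.rules. It shows the file's shape after the image has been booted once under QEMU and once under VMware, the author's fix (empty the file), and the alternative Alan Lee describes in the comments (drop the stale eth0 entry and rename the live card's entry to eth0). The MAC addresses, PCI ids and the live-NIC argument are constructed for illustration; on a real guest you would run this against the real file as root.

```shell
#!/bin/sh
# Added example, not part of the original post. Constructed sample data below.

# The file the post edits on the Zerowine guest (not touched by this example).
RULES=/etc/udev/rules.d/z25_persistent-net.rules

# Constructed sample of the rules file: eth0 was bound to the QEMU NIC's MAC on
# the first boot; the VMware NIC (different MAC) then got eth1 instead of eth0.
make_sample_rules() {
  cat > "$1" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules file.
# PCI device 0x8086:0x100e (e1000)          <- constructed, QEMU-era NIC
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="52:54:00:12:34:56", NAME="eth0"
# PCI device 0x1022:0x2000 (pcnet32)        <- constructed, VMware NIC
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:0c:29:aa:bb:cc", NAME="eth1"
EOF
}

# Author's approach: empty the file so udev regenerates it on the next boot and
# the NIC that is actually present becomes eth0 again.
reset_rules() {
  : > "$1"
}

# Alan Lee's approach: keep only the rule for the live NIC ($2 = its MAC address,
# as shown by ifconfig/ip on the guest) and rename that rule to eth0. Comment
# lines are preserved; rules for NICs that are no longer present are dropped.
rebind_eth0() {
  file=$1
  mac=$2
  tmp=$(mktemp)
  awk -v mac="$mac" '
    /^SUBSYSTEM==/ {
      if (index($0, "ATTR{address}==\"" mac "\"") == 0) next  # stale NIC: drop
      sub(/NAME="eth[0-9]+"/, "NAME=\"eth0\"")                 # live NIC: eth0
    }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Helper to inspect the result: prints the interface name bound to a MAC,
# or nothing if the MAC has no rule in the file.
name_for_mac() {
  sed -n "s/.*ATTR{address}==\"$2\".*NAME=\"\([^\"]*\)\".*/\1/p" "$1"
}

# Stand-alone demonstration on a temporary copy (never the real RULES file).
demo() {
  f=$(mktemp)
  make_sample_rules "$f"
  echo "before: VMware NIC is $(name_for_mac "$f" 00:0c:29:aa:bb:cc)"
  rebind_eth0 "$f" 00:0c:29:aa:bb:cc
  echo "after:  VMware NIC is $(name_for_mac "$f" 00:0c:29:aa:bb:cc)"
  rm -f "$f"
}
```

Run the script with sh to see the rename on the sample file; to apply either fix on the guest, call reset_rules or rebind_eth0 on $RULES as root and reboot so udev picks up the change.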

Then in the VMware window choose Edit > Virtual Network Settings, open the NAT tab, click Edit, then Port Forwarding, and finally Add. Enter 8000 as the host port, the IP address of the virtual machine, and 8000 as the virtual machine port. If you don't know the IP address of the virtual machine, run ifconfig eth0 inside it; this shows the virtual machine's IP address.

Finally, point a browser at port 8000 on the host and you will get the Zerowine web interface. It should look like the following.

That's it then, we have a cool incident response and malware analysis tool working in VMware. The reports aren't bad and it does unpacking as well. I hope newer versions expand on the functionality of this tool.


Pedro said...

With VMWare 5.5 it doesn't work.
It says:

"GRUB Loading stage1.5.

GRUB loading, please wait...
Error 17"

It will not boot.

Solutions? Workarounds? Tips?

x said...

Doesn't work on VMWare 6.5 Workstation. I have the same error as Pedro.

Pedro said...

The image was corrupted. That's why it failed. You must redownload the new uploaded image.

Pedro said...

The new release of zerowine boots fine. Anyway I'm having problems because when I enter "ifconfig eth0" to know the IP of the host I get a "device not found".


Pedro said...

"vi /etc/udev/rules.d/z25_persistent-net.rules"

vi is a text editor. What's the purpose of editing that file?

It's not explained.

x said...

It is kinda vague

Alan Lee said...

What I did is delete the previously generated entry, i.e. eth0, and rename eth1 to eth0.

Infosec Samurai said...

Yes, that is exactly what you have to do. If you use the downloaded image in qemu and then convert it to VMware you have to edit /etc/udev/rules.d/z25_persistent-net.rules and remove the entries in that file. This will set your eth0 interface back to defaults. It will then allow VMware to use eth0.

Andy said...

Great job! When ZeroWine runs a file, does it drop the malware's file payload somewhere? I ran dropper which I know spawned more files - are those payload files stored somewhere? Thanks!

Infosec Samurai said...

I haven't looked into where it drops the files. You can check out the author's blog here.

stack said...

Thanks for your tutorial. It works man!