Malware Behavior Analyzer - MBA

• Continuous Integration (Travis-CI)
  

Introduction

MBA is a QEMU-based, sandbox system dedicated to malware analysis.
Currently, MBA is mainly for the x86_64 architecture and Win10 x64 guest OS.
The following features are supported:

1. De-coupled Information Flow Tracking (DIFT)
   It is also known as taint analysis. 
   Leveraging the DIFT feature, the contamination 
   conducted by malware to the guest OS can be identified.

   We would like to thank Chi-Wei, Wang, who developed the 
   initial version of DIFT, for sharing his source code. The
   original DIFT is mainly for x86 platform. In this project,
   the DIFT is upgraded to support modern x86_64 platform.

   For the academic paper published by Chi-Wei, Wang, please
   cite CW Wang and SP Shieh, "SWIFT: Decoupled System-Wide 
   Information Flow Tracking and its Optimizations," Journal
   of Information Science and Engineering, JISE, 2015.
   http://www.iis.sinica.edu.tw/page/jise/2015/201507_15.pdf

2. Disk Forensics (Tsk)
   The tsk extension supports the translation between the
   disk sector address and the corresponding file in the
   Windows guest OS.

3. Memory Forensics (MemFrs)
   The memfrs extension performs the virtual machine introspection
   on the guest physical/virtual memory. The high-level semantics
   of the memory data (e.g. process list) can be interpreted without
   the assistence of the guest OS. 

4. Windows in-VM Agent (Agent)
   The agent extension provides a convenient communication between 
   the QEMU console and the guest OS. An agent program is needed 
   to be pre-installed inside the Windows guest to support the 
   operations such as ...
     > execute a command in the guest w/wo return output expected
     > import/export a file into/from the guest

5. Out-of-Box Hooking (OBHook)
   The obhook extension provides the VM-based hook against the guest OS.
   This features allows MBA to intercept the event-of-interest of the guest.
   Note that the obhook is purely implemented beneath the guest OS, namely
   the hypervisor (QEMU). Thereby, not a code snippets is required to be
   inserted to the guest, and thus prevent the interference of malware.

6. Network Traffic Monitor (NetTraMon)
   The nettramon extension performs monitoring the network traffic of 
   the guest OS. This extension provides sniffing, parsing, and filtering
   packets, and supports protrocols of TCP, UDP and ICMP. User can also 
   set files for storing parsed packets according to protocols.

7. Instruction Tracer (Tracer)
   The tracer extension supports the runtime instruction trace executed 
   by a subject sample. This extension provides user-space/kernel-space
   tracing instruction tracing functionality

8. System Call Tracer (Systrace)
   The systrace extension provides the system call trace of a subject 
   sample during its runtime phase. 

Quick Start

Download MBA source

$ git clone https://github.com/GlacierW/MBA
$ cd MBA/

Configure QEMU to enable all of the MBA features.
To enable a MBA feature individually, please refer to ./configure -h

$ ./configure --target-list=x86_64-softmmu --enable-mba-all

Compile MBA. (May take a while, use -j<CPU_CORE> to speedup)

$ make

Start MBA with the prepared Win10_64bit image in QCOW2 format.
Due to the implementation issue, 2048MB RAM and 16GB disk space for the guest OS are recommended.

$ ./x86_64-softmmu/qemu-system-x86_64 \
  -m 2048 \
  -hda <YOUR_IMAGE> \
  -net nic,model=rtl8139 -net user \
  -k en-us -usb \
  -monitor stdio \
  -vnc :1 

Now the VNC server should be able to connect to via the port 5901.

The APIs of each MBA extension can be found in the under the ext directory. e.g. ext/dift.h for APIs of the DIFT extension

Members

Chi-Wei, Wang [email protected]
Chia-Wei, Wang [email protected]
Chong-Kuan, Chen [email protected]
Hao, Li [email protected]
Jui-Chien, Jao [email protected]
Chuan-Hua, Cheng [email protected]
E-Lin, Ho [email protected]

Distributed System and Network Security Lab, National Chiao-Tung University, Taiwan