Basics for a malware analysis lab

Jun 17th, 2013
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.59 KB | None | 0 0
  1. #Written for as "tip of the week", originally in Dutch & can be found here:
  2. #
  3. #Mirrored on my blog:
  4. #Translation by: Google Translate
  5. #For the original article & links to tools, refer to my blog or the post
  7. Security Tip of the Week: Research malware in your own lab
  8. Today, 10:46 by bart Blaze
  9. In the Security Tip of the week, each week another professional, expert, researcher or reader a security tip. Personal tips ranging from safe configuring Windows, a useful security tool or just setting up a firewall, which makes the tipster his system, application or network safer.
  11. Do you also have a fun, original, but most good security tip that should not be missing, please send an email to
  13. This week's tip Security Tip of Bart Blaze
  15. Malware lab, the basics
  17. Just a quote from an article of mine:
  18. Before we start, I'd like to make clear That if you want to test your skills after reading this article or want to test malware in general, shouldering you set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and anti-malware tools. In either case, it's a good idea to use a separate network or use a DMZ shouldering you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be bootable to carefully study and dissect its workings completely.
  20. Think that the above is clear:
  23. do not use shared folders between VM and host
  24. preferably use a separate network
  25. preferably use a physical device and no VM
  26. Use antivirus on your physical device when using a VM
  27. Have all patches for the VM you're using installed
  30. Malware often check on certain characteristics in the system, such as hardware GUIDs, properties of the Network, check whether X or Y tools are installed, check for X or Y services .... Hence a real physical device can give than in a VM. Sometimes better or even completely different results (behavior) If a physical device is not possible, you can indeed choose virtualization software:
  32. VirtualBox (Oracle / Sun) or VMware Workstation / VMWare Player. Both are easy to use.
  33. VirtualBox: free, can take snapshots
  34. VMWare WS: not free, can take snapshots
  35. VMWare Player: free, can not take snapshots
  38. A handy tool to determine how malware on your system certain parameters is checked Pafish.
  40. I recommend, if you use VM, take a snapshot:
  41. a) a "clean" state
  42. b) a state in which you tools and the like are
  43. After you enter X or Y malware
  45. For the disk itself can best use split virtual disk, as it will take up less disk space (dynamic), single file is used more for older devices. In terms of performance is not much difference, certainly not for malware analysis.
  47. For the network connection is usually used bridged, because NAT can give to certain network. Sometimes problems For malware analysis itself this seems to me not much to do. Another useful link with additional explanation:
  49. About the OS you can use
  50. Outside of course a Windows OS (eg Windows XP and Windows 7, two different OSes can sometimes produce two different results) you can also use a * nix distribution which is designed specifically for Malware Analysts. Here you can choose:
  53. Malnet2 - this is not developed, I know this leather somewhere in 2010 HITB and only occasionally used. Only the slides are useful for reference. Informational slides & pastebin.
  54. Remnux - this I use nowadays, the ideal toolbox, so a must have! Info: & SANS (video)
  55. You own distribution - Nothing's stopping you to indeed set up with tools that you want a private environment itself - however, why reinvent the wheel?
  58. Tools for Windows
  59. Ideally runs an analysis of what X or Y malware does as follows:
  60. a) Put both VMs on both Windows box as Remnux
  61. b) Prepare the tools or logging on both devices
  62. c) Visit link or enter X Y malware
  63. d) Examine the behavior of malware
  64. e) Save the logs and see this also another separate, in-depth
  66. Now, as to the tools themselves. Obviously there are various logging tools available, but we are going to start with some automatic systems:
  69. Malwr
  70. Threat Expert
  71. Anubis
  74. These top three are actually online sandboxes where you can upload malware to and below one can see. (Or not) extended report This can be useful should a sample refuse to run on your system, or you do not have time to do extensive research. Itself Of course there are other sandboxes online, but these are the best known. (Especially Malwr is recommended)
  76. Sandboxie
  77. If you do not have a VM or can not use yet more or less malware analysis will carry, you can use Sandboxie. This is in fact programs (or in this case malware), perform a "separate piece" of your hard drive. However, I suspect that everyone is familiar with this. Note: Never run a VM in a sandbox!
  79. Malzilla
  80. Malzilla is an excellent tool for when you do not have a VM (different course). Malzilla can actually quite a few, such as Javascript decoding, on a site display list of links, but the main one is that you can visit a URL and can see what is happening (eg a redirect to X site, a redirect to Google, nothing at all, ...). Useful is that you can not set. A referrer Some malware will make sure you go through X or Y referral and if not, just redirect to Google. It may also happen that the same IP 1x same malware site may / may visit only. In Malzilla can you set a proxy.
  82. URLQuery and JSunpack are both tools to analyze malware sites if you have difficulties Malzilla or for lack of time to check something quickly. URLquery is more intuitive. However, both tools are indispensable.
  84. Last, but not least: VirusTotal
  85. Superb service to quickly check a sample. Keep in mind that detections may differ via VirusTotal or on a real system (eg behavior analysis will not be included in the scanners on VirusTotal). Also, you can easily check the meta-data in File Detail. Depending on the type of file (PE files, Android files, others) additional scanners performed. (. Exe,. Com,. Apk,. Jar,. Pdf)
  87. Now, manual systems and tools. You can already find this link a wealth of tools:
  89. My personal favorites:
  90. See what X or Y URL exactly trying to load, useful for the infection vector and methodology to determine: Fiddler.
  91. RegShot: take a "snapshot" of the current system and then compare what changes has made malware.
  92. Revelo: more an all-in-one tool, similar to Malzilla, but different.
  94. Of course you can also use Wireshark but:
  95. a) This is redundant if you Remnux used.
  96. b) I have effectively been encountered malware that simply refuses to do as Wireshark on your device. anything
  98. Other "monitoring" tools on the fly, for example:
  100. WinPatrol
  101. Process Guard
  104. General Tips & Tricks
  106. Some nice slides for the first time you malware analysis will perform, including the sample
  107. Use tools like Process Explorer to see what the malware is doing. Eg. CMD is loaded with a specific command to execute? Is injected into explorer.exe? Spawns the child-process? Going to do this click fraud? What strings are exactly loaded? What is the malware name exactly? How to reach this persistence on the system? Is this malware signed (digital certificate)?
  108. Do you run malware but does not seem right thing to happen? Check with Process Explorer or you see a process. Yes? Okay, continue with analysis. No? Wait 5 minutes and see if anything changes. Still not? Restart the system. You may need to even continue the system time several days.
  109. Possibly the malware also packed, this is either compression or bypass. Antivirus detection More information about packers can be found on this page.
  111. There are several packers, the best known is UPX. Also are a lot of other packers packers and even custom made by it - the malware author himself. File can unpack in a disassembler (eg IDA Pro, OllyDbg). See if there is a packer is present you can with VirusTotal, or with tools like PEiD or LordPE
  113. Tools for analysis of PDF you can find both online, eg Malware Tracker, VirusTotal (see above), or you can do it yourself with eg PDFiD or PDF Parser.
  114. Tools for analysis of JAR are scarce, eg ShowMyCode - if you look at it yourself with JD-GUI.
  115. Does a particular site is not malware? Double check agree with URLquery or to make sure that it is online. This is either
  116. a) Effective offline (taken offline)
  117. b) Your IP is banned (by country)
  118. c) You do not have correct referrer used
  119. d) not yet active
  120. e) Something in your network is blocking the link, eg MBAM, or a URL / Malware filter ingrained in your router or other appliance
  123. Lock
  124. A whole lot of information, I hope sufficiently explained and provided information. Further questions you can always ask, of course, but looking back there first if you find something about yourself. It is important that you always keep asking not just about this post, but once you start to self-analysis questions. Why would carry this malware X or Y action? Why not do this and do this? Why this way? What is the point of this string naming or malware file / folder? Stay curious!
  126. Bart works at Panda Security daytime corporate & malware technician and works at night as a malware researcher. More information can be found on his Twitter or blog.
  128. This article is written in a personal capacity of the author and does not necessarily reflect the views of Security.NL.
Add Comment
Please, Sign In to add comment