Basics for a malware analysis lab
Jun 17th, 2013
- #Written for Security.nl as "tip of the week", originally in Dutch & can be found here:
- #Mirrored on my blog: http://bartblaze.blogspot.com/2013/06/basics-for-malware-analysis-lab.html
- #Translation by: Google Translate
- #For the original article & links to tools, refer to my blog or the Security.nl post
- Security Tip of the Week: Research malware in your own lab
- Today, 10:46 by Bart Blaze
- In the Security Tip of the Week, a different professional, expert, researcher or reader gives a security tip each week. Personal tips, ranging from configuring Windows safely or a useful security tool to simply setting up a firewall, with which the tipster makes his system, application or network safer.
- Do you also have a fun, original, but above all good security tip that should not be missing? Send an email to firstname.lastname@example.org.
- This week's Security Tip by Bart Blaze
- Malware lab, the basics
- Just a quote from an article of mine:
- Before we start, I'd like to make clear that if you want to test your skills after reading this article, or want to test malware in general, you should set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and anti-malware tools. In either case, it's a good idea to use a separate network, or use a DMZ should you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be able to carefully study and dissect its workings completely.
- I think the above is clear; in short:
- do not use shared folders between VM and host
- preferably use a separate network
- preferably use a physical device rather than a VM
- run antivirus on the physical host when you use a VM
- have all patches for the VM you're using installed (the virtualization software above all: it is what separates the malware from your host)
- Malware often checks for certain characteristics of the system: hardware GUIDs, properties of the network, whether tool X or Y is installed, whether service X or Y is running, and so on. A real physical device can therefore sometimes give better, or even completely different, results (behaviour) than a VM. If a physical device is not possible, you can of course choose virtualization software:
- VirtualBox (Oracle / Sun) or VMware Workstation / VMware Player. Both are easy to use.
- VirtualBox: free, can take snapshots
- VMware WS: not free, can take snapshots
- VMware Player: free, cannot take snapshots
- A handy tool to determine which of these parameters malware can check on your system is Pafish.
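As an added example (not from the original post and not Pafish's code), here is a small Python script that performs a few of the same checks that Pafish and real malware perform: the MAC address prefix of the network card, the presence of guest-tools processes, and an unrealistically small disk or memory. The checks take their data as arguments so they can be exercised offline; only check_this_host() reads something from the machine it runs on. The OUI prefixes and process names are the well-known hypervisor defaults; the disk and RAM thresholds are assumptions modelled on typical sandbox checks.

```python
"""Pafish-style checks for VM artefacts that malware uses to detect a lab.

Added example for this post; not code from the original article or from
Pafish.  The checks take their input as arguments so they can be run
against constructed data; check_this_host() applies the MAC check to the
machine it runs on.
"""
import uuid

# MAC address prefixes (OUIs) that hypervisors assign to guest NICs by default.
VM_OUIS = {
    "000C29": "VMware", "005056": "VMware", "000569": "VMware", "001C14": "VMware",
    "080027": "VirtualBox",
    "00155D": "Hyper-V",
    "525400": "QEMU/KVM",
}

# Guest-tools processes whose mere presence gives the VM away.
VM_PROCESSES = {
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
    "vmtoolsd.exe": "VMware", "vmwaretray.exe": "VMware", "vmwareuser.exe": "VMware",
}

# Assumed sandbox thresholds: analysis VMs are often given small disks and little RAM.
MIN_DISK_BYTES = 60 * 2**30
MIN_RAM_BYTES = 2 * 2**30


def normalise_mac(mac):
    """Accept '08:00:27:ab:cd:ef', '08-00-27-AB-CD-EF' or the int from uuid.getnode()."""
    if isinstance(mac, int):
        return "%012X" % mac
    return "".join(c for c in mac if c.isalnum()).upper()


def mac_indicator(mac):
    """Return a description if the MAC's OUI belongs to a hypervisor, else None."""
    oui = normalise_mac(mac)[:6]
    vendor = VM_OUIS.get(oui)
    return "MAC OUI %s is assigned by %s" % (oui, vendor) if vendor else None


def process_indicators(process_names):
    """Return one description per running guest-tools process."""
    hits = []
    for name in process_names:
        vendor = VM_PROCESSES.get(name.lower())
        if vendor:
            hits.append("process %s (%s guest tools)" % (name, vendor))
    return hits


def vm_indicators(mac, process_names, disk_bytes, ram_bytes):
    """Collect every artefact a sample could use to conclude it runs in a lab."""
    hits = []
    mac_hit = mac_indicator(mac)
    if mac_hit:
        hits.append(mac_hit)
    hits.extend(process_indicators(process_names))
    if disk_bytes < MIN_DISK_BYTES:
        hits.append("disk smaller than %d GiB" % (MIN_DISK_BYTES // 2**30))
    if ram_bytes < MIN_RAM_BYTES:
        hits.append("less than %d GiB RAM" % (MIN_RAM_BYTES // 2**30))
    return hits


def check_this_host():
    """Apply only the MAC check to the current machine (portable via the stdlib)."""
    return mac_indicator(uuid.getnode())


if __name__ == "__main__":
    hit = check_this_host()
    print(hit or "no hypervisor OUI on this host's primary MAC")
```

Run it inside the VM and on the physical box to see which artefacts the lab exposes. The MAC artefact is fixed in the VM's network settings by assigning an address outside the hypervisor ranges; the process artefact by not installing guest additions on the analysis VM; the size artefacts by giving the VM a realistic disk and amount of memory.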
- If you use a VM, I recommend taking a snapshot:
- a) of a "clean" state
- b) of a state in which your tools and the like are installed
- c) after you have run malware X or Y
- For the disk itself, a split virtual disk that grows dynamically is best, as it takes up less disk space; a single file is used more on older systems. In terms of performance there is not much difference, certainly not for malware analysis.
- For the network connection, bridged is usually used, because NAT can sometimes cause problems on certain networks. For malware analysis itself this does not seem to matter much to me. Keep in mind that a bridged VM sits directly on the same network as your host, which is one more reason for the separate network mentioned above. Another useful link with additional explanation:
- About the OS you can use
- Apart from a Windows OS, of course (e.g. Windows XP and Windows 7; two different OSes can sometimes produce two different results), you can also use a *nix distribution designed specifically for malware analysts. Here you can choose from:
- Malnet2: no longer developed; I came across it somewhere around 2010 at HITB and only used it occasionally. Only the slides are useful for reference. Informational slides & pastebin.
- Remnux: this is what I use nowadays, the ideal toolbox, so a must-have! Info: Zeltser.com & SANS (video)
- Your own distribution: nothing stops you from setting up your own environment with the tools you want, but why reinvent the wheel?
- Tools for Windows
- Ideally, an analysis of what malware X or Y does runs as follows:
- a) Set up both VMs: a Windows box as well as Remnux
- b) Prepare the tools or logging on both machines
- c) Visit the link or run malware X or Y
- d) Examine the behaviour of the malware
- e) Save the logs and review them separately and in depth afterwards
- Now for the tools themselves. Obviously there are various logging tools available, but we start with some automatic systems:
- Threat Expert
- These three (see the original post for the links) are online sandboxes to which you can upload malware and afterwards view a more (or less) extended report. This can be useful should a sample refuse to run on your system, or if you do not have time to do extensive research yourself. Of course there are other online sandboxes, but these are the best known (Malwr in particular is recommended).
- If you do not have a VM, or cannot yet carry out more or less complete malware analysis, you can use Sandboxie. It runs programs (in this case malware) in a "separate piece" of your hard drive. I suspect everyone is familiar with it anyway. Keep in mind that this is isolation inside one running Windows system, not a separate machine, so it is a stopgap rather than a replacement for a VM. Note: never run a VM inside a sandbox!
- URLQuery and JSunpack are both tools to analyse malicious sites, if you have difficulties with Malzilla or want to check something quickly for lack of time. URLquery is more intuitive; however, both tools are indispensable.
- Last, but not least: VirusTotal
- A superb service to quickly check a sample. Keep in mind that detections on VirusTotal may differ from those on a real system (e.g. the scanners' behavioural analysis is not included on VirusTotal). Also remember that whatever you upload is shared with the participating vendors, so for a sample from a targeted incident search by hash first. You can also easily check the metadata under File Detail. Depending on the type of file (PE files, Android files, others: .exe, .com, .apk, .jar, .pdf) additional scanners are run.
- Now for the manual systems and tools. You can already find a wealth of tools at this link:
- My personal favorites:
- Fiddler: see exactly what URL X or Y tries to load; useful for determining the infection vector and methodology.
- RegShot: take a "snapshot" of the current system and afterwards compare which changes the malware has made.
- Revelo: more of an all-in-one tool, similar to Malzilla, but different.
- Of course you can also use Wireshark, but:
- a) it is redundant if you use Remnux
- b) I have actually encountered malware that simply refuses to do anything when Wireshark is on your device
- Other on-the-fly "monitoring" tools, for example:
- Process Guard
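RegShot's approach (compare a snapshot taken before the sample runs with one taken afterwards) is easy to reproduce for a directory tree. The Python script below is an added example, not RegShot's code and not from the original post: snapshot() hashes every file below a root, compare() reports what was added, removed or modified, and demo() builds a constructed tree in a temporary directory and simulates a sample that hijacks the hosts file, drops a copy of itself under AppData and deletes the original. The paths and file contents are made up for the example. On Windows the same pattern can be extended to registry keys with the winreg module.

```python
"""RegShot-style before/after comparison of a directory tree.

Added example for this post, not RegShot's own code.  snapshot() hashes
every file below a root, compare() diffs two snapshots, and demo() runs
both against a constructed tree in a temporary directory.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    snap[rel] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                # Files that vanish or are locked while the sample runs are
                # skipped rather than aborting the whole snapshot.
                continue
    return snap


def compare(before, after):
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def _write(root, rel, data):
    """Demo helper: create rel (with parent directories) below root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed run: a clean tree, then the changes a typical sample makes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\r\n")
        _write(root, "Users/lab/Desktop/sample.exe", b"MZ\x90\x00 constructed sample")
        _write(root, "Users/lab/Desktop/notes.txt", b"todo\r\n")
        before = snapshot(root)

        # Simulated behaviour of the sample (made up for the example):
        # 1. block an AV site via the hosts file,
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\r\n127.0.0.1 www.virustotal.com\r\n")
        # 2. drop a copy of itself in a persistence location,
        _write(root, "Users/lab/AppData/Roaming/update.exe", b"MZ\x90\x00 constructed sample")
        # 3. delete the original from the desktop.
        os.remove(os.path.join(root, "Users", "lab", "Desktop", "sample.exe"))
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps is deliberate: malware that overwrites a file and restores its timestamps still shows up as modified. Point snapshot() at the system drive of the analysis VM, run the sample, and snapshot again.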
- General Tips & Tricks
- Some nice slides for the first time you perform a malware analysis, including the sample
- Use tools like Process Explorer to see what the malware is doing. For example: is CMD loaded with a specific command to execute? Is something injected into explorer.exe? Does it spawn child processes? Does it perform click fraud? Which strings are loaded exactly? What exactly is the malware's name? How does it achieve persistence on the system? Is the malware signed (digital certificate)?
- Did you run the malware but nothing seems to happen? Check with Process Explorer whether you see a process. Yes? Okay, continue with the analysis. No? Wait 5 minutes and see if anything changes. Still nothing? Restart the system. You may even need to advance the system time by several days.
- The malware may also be packed, either for compression or to bypass antivirus detection. More information about packers can be found on this page.
- There are several packers; the best known is UPX. There are also a lot of other packers, and even custom packers made by the malware author himself. You can unpack the file in a debugger or disassembler (e.g. OllyDbg, IDA Pro). Whether a packer is present you can check with VirusTotal, or with tools like PEiD or LordPE.
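PEiD and VirusTotal identify packers largely by signature, but two cheap heuristics already catch most packed samples: section names that a known packer leaves behind, and sections whose contents have very high entropy (compressed or encrypted data), often next to an empty section the stub will fill at run time (UPX0). The Python script below is an added example, not code from the original post nor from PEiD, LordPE or VirusTotal: it parses the section table of a PE file by hand, computes per-section Shannon entropy and reports those indicators. So that it runs offline it also constructs two PE files in memory, one with UPX-style sections and one plain; their section names and contents are made up, and the entropy threshold of 7.0 bits per byte is an assumption.

```python
"""Packer heuristics from the PE section table: names and entropy.

Added example for this post; not from PEiD, LordPE or the original
article.  build_pe() only exists to construct test files in memory.
"""
import collections
import math
import struct

# Section names left behind by well-known packers (not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0   # assumed threshold: compressed/encrypted data sits close to 8 bits/byte


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    h, n = 0.0, len(buf)
    for count in collections.Counter(buf).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # section headers follow it
    sections = []
    for i in range(nsec):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": entropy(data[raw_ptr:raw_ptr + raw_size])})
    return sections


def packer_indicators(sections):
    """Return human-readable reasons to suspect a packer."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append("known packer section name %s" % s["name"])
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            hits.append("section %s has entropy %.2f" % (s["name"], s["entropy"]))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append("section %s is empty on disk but %#x bytes in memory (unpack target)"
                        % (s["name"], s["virtual_size"]))
    return hits


def analyse(data):
    sections = parse_sections(data)
    return {"sections": sections, "packer_indicators": packer_indicators(sections)}


def build_pe(sections):
    """Construct a minimal PE32 image for testing: sections is a list of
    (name, virtual_size, raw_bytes).  Only the fields the parser reads are
    meaningful; the result is not executable."""
    e_lfanew, opt_size, nsec = 64, 224, len(sections)
    raw_start = -(-(e_lfanew + 24 + opt_size + 40 * nsec) // 512) * 512   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    table, payload, ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        payload += raw
        ptr += len(raw)
        vaddr += -(-max(vsize, 1) // 0x1000) * 0x1000
    return (dos + coff + opt + table).ljust(raw_start, b"\0") + payload


# Constructed samples (made up for the example, not real malware).
PACKED = build_pe([("UPX0", 0x20000, b""),
                   ("UPX1", 0x4000, bytes(range(256)) * 16),    # uniform bytes: 8.0 bits/byte
                   (".rsrc", 0x1000, b"\0" * 512)])
PLAIN = build_pe([(".text", 0x3000, b"\x55\x8b\xec\x5d\xc3" * 300),
                  (".data", 0x1000, b"Hello, world\0" * 40)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, analyse(blob)["packer_indicators"])
```

To use it on a real sample, read the file into bytes and pass it to analyse(). A custom packer will not match any section name, which is why the entropy and empty-section checks matter more than the name list.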
- Tools for the analysis of PDF files can be found both online, e.g. Malware Tracker or VirusTotal (see above), or you can do it yourself with e.g. PDFiD or PDF Parser.
- Tools for the analysis of JAR files are scarcer, e.g. ShowMyCode online, or JD-GUI if you want to look at it yourself.
- Does a particular site not seem to serve malware? Double check with URLquery or http://isup.me to make sure it is actually online. The cause is one of:
- a) effectively offline (taken down)
- b) your IP is banned (by country)
- c) you did not use the correct referrer
- d) not yet active
- e) something in your network is blocking the link, e.g. MBAM, or a URL / malware filter built into your router or another appliance
- A whole lot of information; I hope it is sufficiently explained and documented. You can of course always ask further questions, but first look around to see whether you can find the answer yourself. It is important that you keep asking questions, not just about this post, but also once you start analysing yourself. Why would this malware perform action X or Y? Why not do this, and do that instead? Why this way? What is the point of this string, this name, or this malware file / folder? Stay curious!
- Bart works at Panda Security during the day as corporate & malware technician and at night as a malware researcher. More information can be found on his Twitter or blog.
- This article is written in a personal capacity of the author and does not necessarily reflect the views of Security.NL.