Recommended malware

This topic contains 4 replies, has 5 voices, and was last updated by McDoc 4 years, 2 months ago.

  • #17437

    Sage
    Participant

    In order to better improve malware analysis skills does anyone have activities they would recommend? For example the beginner malwares you used to learn from…

    #18194

    Amir
    Participant

    5 Steps to Building a Malware Analysis Toolkit Using Free Tools
    Examining the capabilities of malicious software allows your IT team to better assess the nature of a security incident, and may help prevent further infections. Here’s how to set up a controlled malware analysis lab—for free.

    Step 1: Allocate physical or virtual systems for the analysis lab
    Step 2: Isolate laboratory systems from the production environment
    Step 3: Install behavioral analysis tools
    Step 4: Install code-analysis tools
    Step 5: Utilize online analysis tools
    Next Steps
    A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim’s workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.

    A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today’s security incidents. The steps below will help get you started. We’ll focus on malware analysis in a Windows environment, since that platform is particularly popular among malware authors. If this topic interests you, take a look at the reverse-engineering malware course I teach at SANS Institute.

    Step 1: Allocate physical or virtual systems for the analysis lab
    A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.

    The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:

    VirtualBox
    VMware vSphere Hypervisor
    Microsoft Virtual Server
    Running multiple virtual systems simultaneously on a single physical computer is useful for analyzing malware that seeks to interact with other systems, perhaps for leaking data, obtaining instructions from the attacker, or upgrading itself. Virtualization makes it easy to set up and use such systems without procuring numerous physical boxes.

    Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system. This way, you can record the state of the system before you infect it, and revert to the pristine environment with a click of a button at the end of your analysis.

    If using virtualization software, install as much RAM into the physical system as you can, as the availability of memory is arguably the most important performance factor for virtualization tools. In addition, having a large hard drive will allow you to host many virtual machines, whose virtual file systems typically are stored as files on the physical system’s hard drive.

    Because malware may detect that it’s running in a virtualized environment, some analysts prefer to rely on physical, rather than virtual, machines for implementing laboratory systems. Your old and unused PCs or servers can make excellent systems for your malware-analysis lab, which usually doesn’t need high-performing CPUs or highly redundant hardware components.

    To allow malware to reach its full potential in the lab, laboratory systems typically are networked with each other. This helps you observe the malicious program’s network interactions. If using physical systems, you can connect them with each other using an inexpensive hub or a switch.

    Step 2: Isolate laboratory systems from the production environment
    You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don’t connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.

    If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. Consider using write-once media, such as DVDs, to prevent malicious software from escaping the lab’s confines by writing itself to a writable removable disk. A more convenient option is a USB key that includes a physical write-protect switch.

    Some malware-analysis scenarios benefit from the lab being connected to the internet. Avoid using the production network for such connectivity. If possible, provision a separate, and usually inexpensive, internet connection, perhaps by dedicating a DSL or Cable Modem line to this purpose. Avoid keeping the lab connected to the internet all the time to minimize the chance of malware in your lab attacking someone else’s system on the internet.

    If virtualizing your lab, be sure to keep up with security patches released by the virtualization-software vendor. Such software may have vulnerabilities that could allow malware to escape from the virtual system you infected and onto the physical host. Furthermore, don’t use the physical machine that’s hosting your virtualized lab for any other purpose.

    Step 3: Install behavioral analysis tools
    Before you’re ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:

    File system and registry monitoring: Process Monitor with ProcDOT offer a powerful way to observe how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
    Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open.
    Network monitoring: Wireshark is a popular network sniffer, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
    Change detection: Regshot is a lightweight tool for comparing the system’s state before and after the infection, to highlight the key changes malware made to the file system and the registry.
    Behavioral monitoring tools can give you a sense for the key capabilities of malicious software. For further details about its characteristics, you may need to roll up your sleeves and perform some code analysis.

    Step 4: Install code-analysis tools
    Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:

    Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code.
    Memory dumper: Scylla and OllyDumpEx help obtain protected code located in the lab system’s memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.

    Step 5: Utilize online analysis tools
    To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:

    Anubis
    EUREKA
    Malwr
    ThreatExpert
    You can see a longer list of free automated malware analysis services that can examine compiled Windows executables.

    Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:

    Real-time threat assessment: WebInspector and Wepawet
    Historical reputation data: URLVoid and MxToolbox
    You can see a longer list of free on-line tools for looking up a potentially malicious website.

    Next Steps
    With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on. There are several “cheat sheets” that can help you in this process, including:

    Reverse-Engineering Malware Cheat Sheet
    Analyzing Malicious Documents Cheat Sheet
    Begin analysis with the tools and approaches most familiar to you. Then, as you become more familiar with the inner workings of the malware specimen, venture out of your comfort zone to try other tools and techniques. The tools I’ve listed within each step operate virtually identically. Since they’re all free, you should feel free to try them all. You’ll find that one tool will work better than another, depending on the situation. And with time, patience, and practice, you will learn to turn malware inside out.
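    The change-detection idea from Step 3 (Regshot's before/after comparison) is easy to reproduce for the file system. The script below is an added example, not part of the post above or of any tool it names: it hashes every file under a lab directory before and after a simulated infection and reports what was added, removed or modified. The lab tree and the "specimen" edits are constructed inline; on a real Windows lab you would point snapshot() at the system drive, and the registry half of Regshot is out of scope here.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record (size, sha256) for every regular file under root, keyed by relative path."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state

def diff_snapshots(before, after):
    """Compare two snapshots Regshot-style: added, removed and content-changed paths."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed lab tree; the 'infection' is a few simulated file edits, not real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        lab = Path(tmp)
        (lab / "Windows/System32/drivers/etc").mkdir(parents=True)
        (lab / "Users/analyst/AppData/Local/Temp").mkdir(parents=True)
        (lab / "Windows/System32/drivers/etc/hosts").write_text("127.0.0.1 localhost\n")
        (lab / "Users/analyst/AppData/Local/Temp/setup.tmp").write_text("scratch\n")
        before = snapshot(lab)
        # Simulated specimen behaviour (constructed): edit hosts, clean up temp, drop a file.
        (lab / "Windows/System32/drivers/etc/hosts").write_text("127.0.0.1 localhost\n# edited\n")
        (lab / "Users/analyst/AppData/Local/Temp/setup.tmp").unlink()
        (lab / "Users/analyst/AppData/Roaming").mkdir()
        (lab / "Users/analyst/AppData/Roaming/persist.exe").write_bytes(b"MZ constructed sample")
        after = snapshot(lab)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```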

    #20176

    Karvina
    Participant

    Also, for security, try to use a sandbox.

    #25732

    Digit Oktavianto
    Participant

    Don't forget to mention Cuckoo Sandbox 😀

    #27888

    McDoc
    Participant

    I keep an old machine, router, and a few HDDs with different OSs on them (swap the HDDs, ergo the OSs, out; they can be old 20GB or so drives you can pick up for a couple of bucks. Size is only important insofar as what’s required for OS installation), with nothing but the OS, a registry back-up, and a few basic pieces of software on each (no anti-virus), and then go hunting for malware in the wild by engaging in risky surfing behavior. When I get a hit I look to see what’s been changed, replaced, removed, or added in the registry, temp folders, appdata, settings, etc. Once I see what’s happened I try to understand why & how, then how it can be prevented, repaired, etc. It’s a slow process, but I get there in the end more often than not. It’s kept me learning in the absence of school and given me quite a bit of practical experience. I’m not very fond of virtual machines for this.
    Good luck!

    • This reply was modified 4 years, 2 months ago by McDoc.