Part 2 - Setting up a Virtual Machine

Video Activity

This lesson covers setting up a virtual machine; two common software programs to accomplish this are VMware and VirtualBox. In addition, participants also learn how to:
· Find an OS
· Obtain a malware sample
· Identify strings


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription
Moving on after we've done the automated analysis, or if we choose not to do the automated analysis just so we can maintain some type of secrecy about the activities that we're doing, we want to begin setting up a virtual machine so we can do our static and our dynamic analysis. Not to go too far in depth on how to set up a virtual machine, but there are essentially two VM providers. There are probably a lot more, but two of your most common, you're going to have VMware and VirtualBox.

VirtualBox is going to be a free product that you can use, and you can download that just by going to the VirtualBox link. With VirtualBox, it allows snapshot view, so if you're doing a lot of this malware analysis and you find that the malware has done something to your machine, you can easily revert back to that initial install state. But the good thing about VM is that the software allows for multiple machines, multiple OSs, and that you can essentially configure a network between those VMs to figure out what that malware would do in a networked environment. Then, as we talked about earlier, your VMs will allow for easy snapshots and rollbacks, so in case you mess something up or the virus essentially tries to destroy one of your machines, you can easily roll that back.

After you've installed your virtual machine, the next thing you're going to want to do is to find an operating system. Ideally, it's best to test your virus on the same operating system as your affected machines. That way, you can see exactly what's going to happen on those machines when you start that testing process. Now essentially, what you're going to have to do is use a license from some of the software that you purchased, either with your bulk software purchase, or you can go to the Microsoft Developer Technologies website there. They actually offer some free VMs to test out. There's also a paid version of Microsoft Developer Technologies. But if you're wanting to do this, especially at home just for some training and testing, you can go to that link and download a copy of one of those operating systems. I think it's good for a three-month test and trial. Then also there are numerous open source versions of Linux that you can download and run some of these programs in as well. But obviously, Linux may have some drawbacks. It doesn't necessarily have all of the tools that we're going to discuss here today, but it is a viable option.

The next thing we have to do is get a sample of the malware to our system so we can conduct our analysis. Ideally, if it's possible, we want to refrain from sending the malware across the network. It just is easiest or best if we don't send the malware across the network, because it prevents accidents from occurring. If we do have to send malware across that network, procedures I've seen are to essentially establish a network folder with write-only permissions that allows users to submit malware but prevents others from essentially executing the malware accidentally. Another good TTP to use is that if you're going to be sending malware either to this folder or you're going to have to email a sample of the malware, you should essentially have a password to protect the file. An example of that is going to be a zip file with password protection. That way, that just again prevents someone from accidentally clicking and opening that malware. The best case for transferring malware is using some type of designated white media device to essentially download onto your controlled media and then transporting that to your forensic machine. However, if you've got a large networked environment and you're spread across the United States, you're spread across the globe, that may not be possible and you might have to send that malware over the network.

Strings is one of the first things that we're going to talk about in our static analysis. Strings is a good way to get an idea about the functionality of a program. With strings, it helps identify the functions of that file, it identifies the processes that are created by that file, and it identifies the URLs that the file's trying to connect to. An example here that we can see on our next slide is some of the processes that this file is essentially trying to create. I've circled those in red. As you can see, it's going to start with CreateFileA, and then FindNextFileA. Those are some of the things that the file is essentially trying to do and to create. Going on, we can see that it's trying to reach out to an IP address, and we have that IP address there. Those are things that you can block essentially using your firewall settings once you identify those IP addresses. Then moving on, we can see that it's essentially trying to connect to this URL here. Those are also things that you can block within your firewall to prevent inbound and outbound traffic coming from those URLs.

One of the next things that we're going to talk about is unwrapping the malware. A lot of times when malware writers do their code, they go on to obfuscate their code so that the files are harder to read. One of the other processes that we're going to want to do is to essentially see if that program has something that packs it and unpacks it. When a packed program runs, a wrapper program also is going to run around that program to unpack that file. In normal static analysis, packed files will not be readily apparent. However, there are tools that you can use like PEiD that will be able to tell you whether or not the files are packed. In this next slide we have, it shows an example of one of the files that we have for analysis, and it shows the type of file system that is packed within that file.