Setup Your Personal Malware Lab
Uploaded by: digit-oktavianto
SETTING UP YOUR OWN MALWARE LAB
Presented by: Digit Oktavianto ([email protected], http://digitoktavianto.web.id)
JWC 4th Computer and Network Security Forum
About Me
Security Consultant
Member of Honeynet Indonesia Chapter
Member of OWASP Indonesia
Coordinator of Cloud Indonesia (SysAdmin)
Member KPLI Jakarta
IT Security Enthusiast (Opreker :D)
TODAY'S DISCUSSION
- Introduction to Malware Analysis
- What is a Malware Lab?
- How to build your own malware lab?
- What tools are included in a Malware Lab?
Introduction of Malware Analysis
Malware: any piece of code that has malicious intentions and/or performs a function the user was not aware it was going to perform.
Malware analysis: the process of analyzing malware: how to analyze its behavior, how to reverse it, and how to disassemble it.
Introduction Malware Analysis (Cont'd..)
Benefits of malware analysis:
- We can investigate how the malware works
- We can predict what it is going to do to the victims
- We will know how to mitigate the malware attack (quickly assess the threat)
- We can prevent further malware action
- We will understand threat management better
- We can secure our environment
What is Malware Lab
A Malware Lab is a safe environment for analyzing malware. Basically, it is an isolated environment that contains the tools a malware analyst needs to carry out the analysis.
What is Malware Lab (Cont'd...)
Why should we build a malware lab?
- Proactive approach
- Advanced detection (before the AV vendor detects it?)
What is Malware Lab (Cont'd...)
Why an isolated and safe environment?
- We need to execute the malware itself (dynamic analysis)
- We interact with the malware to learn how it works
- We observe how the malware infects the file system, which files are infected, the registry, and the network traffic
What is Malware Lab (Cont'd...)
What are the purposes?
- Personal research
- Hobby
- Profit oriented (working as a malware analyst)
- Enhancing knowledge
How to build your own malware lab?
- Physical Lab
- Virtualization Lab
How to build your own malware lab? (Cont'd ...)
Physical Lab
Advantage :
- No VM Aware Detection
- Real environment lab
- Full function as a victim
Disadvantage :
- Costly
- Time to build the real environment
How to build your own malware lab? (Cont'd ...)
Virtualization Lab
Advantage :
- Easy to deploy
- Minimum cost
- Easy to isolate, giving a safe environment
Disadvantage :
- VM Aware detection
How to build your own malware lab? (Cont'd ...)
Steps for building your Malware Lab (taken from http://zeltser.com/malware-analysis-toolkit/):
Step 1: Allocate physical or virtual systems for the analysis lab
Step 2: Isolate laboratory systems from the production environment
Step 3: Install behavioral analysis tools
Step 4: Install code-analysis tools
Step 5: Utilize online analysis tools
How to build your own malware lab? (Cont'd ...)
Operating System?
1. Windows XP
2. Windows 7
3. Linux (REMnux from Lenny Zeltser)
Tools included in Malware Lab
Honeypot (Trap the Malware)
Thug
GhostUSB Honeypot
Tools included in Malware Lab (Cont'd...)
Behavioral analysis tools
- Filesystem and Registry monitoring :
CaptureBAT, Regshot, Filemon
- Process Monitoring :
Process Explorer, Process Hacker, Procmon, CFF Explorer, PEID, PEView
- Network Monitoring :
Wireshark, Tcpdump, fakeDNS, ApateDNS, Tshark, TCPView, Netwitness, Netcat
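As an added example (not from the slides), here is a minimal fakeDNS/ApateDNS-style resolver in Python that ties step 2 (isolation) to the network-monitoring tools above: it answers every A query with an assumed sinkhole address on the isolated lab network, so the sample's callbacks never leave the lab, and logs each name the sample asks for. SINKHOLE_IP, the bind address and the port are assumptions; the DNS packet layout is parsed by hand from the standard header and question format.

```python
import socket
import struct

# Assumed address of the lab host that catches the sample's connections (e.g. a netcat listener)
SINKHOLE_IP = "10.0.0.1"
QTYPE_A = 1

def parse_question(query: bytes):
    """Return (transaction id, qname, qtype, raw question section) of a DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected label pointer")
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    return txid, ".".join(labels), qtype, query[12:pos + 4]

def build_response(query: bytes, sinkhole_ip: str = SINKHOLE_IP) -> bytes:
    """Answer an A query with the sinkhole address; other types get an empty NOERROR reply."""
    txid, _qname, qtype, question = parse_question(query)
    answer, ancount = b"", 0
    if qtype == QTYPE_A:
        # name = pointer to offset 12 (the question), type A, class IN, TTL 60 s, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
        ancount = 1
    # flags 0x8180: response, recursion desired and available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answer

def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Run on the isolated lab network and log every name the sample tries to resolve."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, addr = sock.recvfrom(512)
            try:
                _, qname, qtype, _ = parse_question(data)
                print(f"{addr[0]} asked for {qname} (qtype {qtype}) -> {SINKHOLE_IP}")
                sock.sendto(build_response(data), addr)
            except (ValueError, IndexError, struct.error, UnicodeDecodeError) as exc:
                print(f"ignored malformed query from {addr[0]}: {exc}")
```

Point the victim VM's DNS server at the host running serve() (root or CAP_NET_BIND_SERVICE is needed for port 53) and keep a listener such as Netcat on SINKHOLE_IP to capture what the sample sends next.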
Tools included in Malware Lab (Cont'd...)
Code Analysis Tools
- Disassembler / Debugger :
IDAPro, Ollydbg, Immunity Debugger, Pydbg, Windbg, Fiddler (Web Debugger)
- Memory Dumper :
LordPE, OllyDump, Fast Dump HBGary
- Misc. Tools :
Sysinternals, Dependency Walker, Hex Editor, Hash Calc, Mac Changer
Tools included in Malware Lab (Cont'd...)
Sandboxing ???
Based on Wikipedia, “in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites.”
Tools included in Malware Lab (Cont'd...)
Sandbox Apps :
- Cuckoo Sandbox (http://www.cuckoosandbox.org/)
- Malheur (http://www.mlsec.org/malheur/)
- Buster Sandbox Analyzer (http://bsa.isoftware.nl/)
- ZeroWine Image (http://zerowine.sourceforge.net/)
- Zerowine Tryout (http://zerowine-tryout.sourceforge.net/)
- Evalaze (http://www.evalaze.de/en/Screenshots/)
- Truman (http://www.secureworks.com/research/tools/truman/)
Tools included in Malware Lab (Cont'd...)
Online sandboxes for checking a malware sample :
- Anubis (http://anubis.iseclab.org/)
- GFISandbox (http://www.threattrack.com/)
- ThreatExpert (http://www.threatexpert.com/)
- Norman Sandbox (http://www.norman.com/security_center/security_tools/)
Tools included in Malware Lab (Cont'd...)
Online Malware Scanner :
- Virus Total (https://www.virustotal.com/)
- Wepawet (http://wepawet.iseclab.org/) → web-based malicious apps detector
- AVG Web Scanner (http://www.avg.com.au/resources/web-page-scanner/) → malicious URL scanner
- Malware Domain List (http://www.malwaredomainlist.com/mdl.php) → online tool to check whether a web site contains / hosts malicious apps
- PhishTank (http://www.phishtank.com/) → submit phishing / malicious web sites
Tools included in Malware Lab (Cont'd...)
Online Malware Scanner :
A complete list can be found here :
http://www.pentestit.com/list-online-malware-scanners/
http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html
Additional Resources for Malware Analyst
Malware Repositories :
- http://malware.lu
- https://code.google.com/p/malware-lu/
- http://contagiodump.blogspot.com/
- http://www.offensivecomputing.net/
- http://www.malwareblacklist.com/showMDL.php
- http://www.scumware.org/
Finish
Questions?
Thank You