Sunday, February 3, 2013

Malware Analysis - Getting Started
Some of my friends asked me how to get started with Malware Analysis, so in this post I want to share the answer, not only for them but for the rest of the world. Malware Analysis is something of a hobby for me: I find it fun and really interesting, it is a good way to help people solve their problems, and in the end it is a way to fight cybercrime.

How to start?
There is no strict guide to follow, but I recommend going through these phases:
  1. Design your Infrastructure for Malware Analysis
  2. Prepare a set of tools for Reverse Engineering and Monitoring
  3. Select a target OS for the infection
  4. Decide if you want to virtualize the target OS
  5. Isolate the Environment
  6. Obtain a Malware Source
  7. Infect the target OS and start the analysis (you can monitor the malware behaviour, or you can debug it)
  8. Generate your Report with your conclusions
1. Infrastructure Design
In this step you need to think about what you want to create. For example, the infrastructure could be for personal use only, for an educational institution, or even for a corporation interested in these topics. The requirements for these scenarios are not the same, so you must know the differences between them.

In this post I am going to show an example of an infrastructure for personal use only, so we need a physical host; inside it we can install some virtual machines and create virtual networks, as shown in Figure 1.
Figure 1. Infrastructure Example for Malware Analysis

2. Tools
Selecting the tools is one of the most interesting steps, because there are many tools on the Internet and you are free to pick whichever you want or like the most. Here are some basic tools that you can use to start in this great new world of Malware Analysis:
  • Behaviour Analysis Tools (e.g. Sandboxes, Process Explorer, etc.)
  • Code Analysis Tools (e.g. any hex editor, a debugger like OllyDbg or gdb)
  • Network Traffic Analysis Tools (e.g. Sniffers, Wireshark)
3. Target OS
In this part you need to select one or more operating systems that you are going to infect in order to analyse the behaviour of a malware sample. You can choose from various options, such as:
  • Microsoft Windows XP SP3, Vista, Windows 7, Windows 8
  • GNU/Linux Distros (e.g. Ubuntu, Linux Mint, Debian, RedHat, CentOS, etc.)
  • Mac OS X (e.g. Tiger, Leopard, Snow Leopard, etc.)
  • Unix, BSD and others.
Maybe right now you have this question: "Why do we need to select a specific platform for a malware sample?"
Well, the answer is really simple: some kinds of malware can only be executed on a specific operating system or architecture, so it is a good idea to have an ISO image of each of the operating systems listed above.

4. Virtualize, Yes or No?
At this point we have to decide which environment we want to work in: our real machine or a virtual machine?
Why is it a good idea to virtualize?
It is an isolated environment, and it is easier to control the behaviour and activity of our malware samples.
We can take snapshots of the system, so after finishing the analysis we can easily return the environment to its initial state.

Why is it NOT a good idea to virtualize?
Malware authors include routines to detect a virtualized environment, for example by:
  • Searching for some drivers
  • Searching for some devices
  • Searching for some directories
  • Searching for some registry entries
  • Searching for some installed tools
  • Searching for some executing processes
5. Isolate the Environment
After you decide whether to use a virtual machine or your real machine, in both cases you need to isolate the environment in order to control the behaviour of the sample in your OS. This means that we need to know the changes the malware makes to our hard drive (creating, replacing or deleting files, changes to our registry, etc.); for that purpose we can use a sandbox.

6. Malware Samples
Now you need to focus on where to get malware samples. The most common way to get infected is visiting cyber cafes, but this is not the most efficient way, so maybe you should search the Internet for cracks, keygens and patches; there you will find a lot of samples.

But if you are a member of a security company (e.g. an antivirus company), you can get malware samples from VirusTotal or similar projects. In future entries I am going to publish two things: 1. some malware samples collected by me, and 2. a list of sites where you can get samples, so stay tuned. ;)

7. Infection and Monitoring
Now it is time: we must infect our target system. If the malware sample is an .exe, .bat, .com, etc., we only need to execute it by pressing the Enter key. But some samples need to exploit a vulnerability (e.g. in Java, Microsoft Office, Adobe Acrobat Reader, Adobe Flash, etc.), so we need to install the required software for the malware to execute correctly. After that, you can start monitoring the malware behaviour; this part will be explained in more detail in a future post.
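Steps 5 and 7 both come down to knowing which files the sample created, replaced or deleted on the target. The following script is an added example (not from the original post) of a minimal baseline-and-diff monitor: hash every file under a directory before the infection and again afterwards, then report the differences. The directory layout and the simulated changes in demo() are constructed for illustration; in a real run you would snapshot the target's file system (or a mounted copy of its disk) from the analysis host.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.is_symlink():
            continue  # skip directories, devices and symlinks
        try:
            snap[str(p.relative_to(root))] = hash_file(p)
        except OSError:
            continue  # file vanished or is locked; a running sample does this
    return snap


def diff_snapshots(before, after):
    """Files created, deleted or changed between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    replaced = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"created": created, "deleted": deleted, "replaced": replaced}


def demo():
    """Constructed example: a fake target tree and simulated sample activity."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("clean\n")
        before = snapshot(root)
        # Simulated infection (no real sample is run): replace, delete, create.
        (root / "system32" / "hosts").write_text("# modified by sample\n")
        (root / "readme.txt").unlink()
        (root / "dropper.tmp").write_bytes(b"MZ")
        return diff_snapshots(before, snapshot(root))
```

Take the "before" snapshot from the clean VM snapshot, run the sample, and feed the diff straight into the affected-files list of your report (step 8).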
8. Report Generation
After the analysis, you can build a report with the results of your research on the malware sample: the affected files, the registry entries that were changed, the methods the sample uses to spread itself, the vulnerabilities that were exploited, and more. In future entries I am going to post an example of a Malware Analysis Report.

Note: This post is based on my experience in Malware Analysis. If you want to know more about it, a research paper was presented at the Cybersecurity for the Next Generation South American Round 2013 conference, organized by Kaspersky Lab and Hackem Research Group and held at the National Polytechnic School in Quito, Ecuador.
