Title: Malware Analysis
Post by: satyr on December 22, 2010, 04:59:35 PM
hi folks :)
After a eye opener of a post (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6426.0/) I thought it would be fair enough to have a dedicated post on Malware Analysis.
It would benefit folks who are interested in learning about malware analysis.
Lets contribute to what is needed for one to start with malware analysis, I am new to this field myself so ill post what all I came across when I searched about this topic on the net:
1. Basics of both Assembly Language and reverse Engineering
2. An lab environment, mainly using VM (reflux is a distro dedicated to
Malware Analyst's Cookbook and DVD: Tools and Techniques for
Fighting Malicious Code (havent read it but i have seen this
An excellent article which talks from start to finish about analyzing a trojan
Please contribute to this list with what suits it best based on your experiences
Title: Re: Malware Analysis
Post by: sil on December 22, 2010, 06:45:40 PM
My approach - as usual - is different from most that you will find and my reasoning is as follows: Analyzing malware usually means identifying what occurred due to an application being run. (Remember, most malware will be some code that has managed to run on a machine). In analyzing what went on, you need to know the prior state of a given machine, and the current state of the machine. AFTER you have these two values, differentiate between the two (pre-machine state and post-machine state), to find what is different after the rogue program/application/code is run.
So I now quote a great MUST HAVE BOOK (at least if you're serious about malware/mwforensics) "Malware Forensics - Investigating and Analyzing Malicious Code" (Ch. 9 for those who have the book and are wondering which chapter this is from)
What is the nature and purpose of the program?
How does the program accomplish its purpose?
How does the program interact with the host system?
How does the program interact with the network?
What does the program suggest about the sophistication level of the attacker?
Is there an identifiable vector of attack the program uses to infect a host?
What is the extent of the infection or compromise on the system or network?
So how do you do this? From my POV... Configure a virtualized machine to run code on. This machine must be kept away from a live network as to NOT infect any other machines. Once your machine is configured, if using VMWare, take a snapshot, this allows you to revert back and forth.
So you have your clean spiffy new machine. Now you'd want to take a pre analysis of your machine prior to inection. Suggested tools...
Winalysis - after you start your spiffy new machine. Immediately take a snapshot of the machine configuration, then monitors for changes to files, registry, users, groups, rights policies, svcs, etc.
RPIER (MUST MUST MUST HAVE) - too many things to type on this
PEiD (find out if someone packed or encrypted their crapware)
Mandiant Red Curtain
SysAnalyzer - An automated malicious code runtime analysis application, SysAnalyzer enables the digital investigators to execute an unknown binary, and then monitors various aspects of the host system, including running processes, open ports, loaded drivers, injected libraries, file modifications, registry changes, API calls made by the target process, and certain network traffic (Hypertext Transfer Protocol [HTTP], Internet Relay Chat [IRC] and Domain Name System [DNS]).
This is a brief summary of what I would play with as a beginner. Be advised, it pays to have some form of debugging skills at the end of the day. I use WinDBG a lot (yes to you programmers (h1tm0nk3y) I also use ImmunityDBG and Olly but prefer WinDBG :D) ... Debugging helps a lot since there will be points in time you will need to understand HOW something occurred, not soley: "Well it crashed IE, then boom!" ... HOW did it crash IE and trigger code execution? Where in mem did it occur and HOW did it do it
For help in the above (debugging), I suggest getting used to debugging by trial, error and reading. I visit DumpAnalysis.org (http://www.dumpanalysis.org/) a lot of obscure things since I found that they have the most information for specifics I look for, particularly heap and stack issues. If you have some money to spend though: MUST HAVE BOOK: Advanced Windows Debugging (http://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460) its a great read and a book you will always reference.
Anyway this post is long enough for now, holidays are in full season here @ home, so happy holidays all (hannukah, kwanzaa, xmas, whatever one celebrates)
Title: Re: Malware Analysis
Post by: satyr on December 22, 2010, 11:29:56 PM
Thanks again Sil for such a wonderful and informative post ...great stuff :)
This can be used as a starting point to dive into Malware Analysis ...
I am collecting the material mentioned here so that I can start Malware Analysis in a jiffy
Thanks again Sil
Happy Christmas and have a good time in the holidays :)