A study group around Practical Malware Analysis, Part I
Get the book: http://nostarch.com/malware
Slides for sessions 0, 1, 2 in PDF: http://dfir.atlbbs.com/myslides/
Malware Study Group Session 3 : Chapter 2: VMs for Analysis
- Virtualization technology intro/Q&A
- diff VMWare products, VirtualBox (OSE)
- VMWare: sophisticated family of commercial products, no-cost Player
- VBox: effective free/open-source app, commercial support and add-ons available
- VMWare tools / VBox extensions
- useful for high interaction VMs
- carry some risk, so not always wanted (Cuckoo)
- RIP WinXP, welcome Win10
- WinXP is no longer available
- Book samples use WinXP and might misbehave on newer Windows :(
- current Windows product evaluations: Win8 Ent, Win10 Ent
- Analysis tools run well on Win8, Win10
- REMNux : "free Linux toolkit for assisting malware analysts with reverse-engineering malicious software"
- Linux VM preconfigured for static and dynamic analysis -> comes with all the tools
- Developed and maintained by Lenny Zeltser for FOR610 + community
Sandbox and static tools VMs (Remnux): [redacted]
- CS/TS & Abuse
- Security Analysis
- Let's Learn Virt slides
- Blog post, docs on Remnux tools for peheaders
- http://www.aldeid.com/wiki/Pescanner , good overview of pescanner
Dynamic host and network analysis (PMA Chapter 3)
- Sandboxes and malware execution strategy and tactics
- Host tools (procmon, procexp, regshot, captureBAT)
- Net tools ( apateDNS, fakenet, inetsim, netcat/wireshark )
- Dynamic analysis lab and process
- FireEye: what goes ping : very nice, but nothing's perfect
- Cuckoo : a sandbox assembly toolkit
- Malwr.com: a public Cuckoo instance
- procexp (show) : now with strings, sigcheck (Verified), and VT integration in v16
- generally very useful for tech and sec, some features migrated into 8,10
- procmon (show) : capture filters and display filters (like tshark)
- pinned down some sophisticated malware on a windows server ...
- regshot (show)
- capture BAT : can get deleted files, network traffic with options
- memory capture? ... with careful timing this can be really useful, but:
- Network capture
- local capture : ncat ... tcpdump, dumpcap ==> Wireshark, Bro IDS
- lab design , leading us to ...
- Fake the internet!?
- one protocol or app at a time : apateDNS
- all at once : InetSim
- bit of both (fig. 3-12)
- experiment design : controls and variables, blinds?
- normality and baselines
- try out tools on normal/healthy systems first
- start recording, take an action, stop recording, review recording ... repeat
- remember our goals of (safe) malware analysis:
- how bad is this thing?
- what should we do about it?
Next time Chp3 lab samples, volunteers welcome :)
- sysinternals: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
- ISC, Didier VirusTotal in ProcExp: https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931/
- Honeynet Project for CaptureBAT: https://www.honeynet.org/node/315
- RE SE, awesome resource: http://reverseengineering.stackexchange.com/
- RegShot archive on GCode: https://code.google.com/p/regshot/
- VT ToS: https://www.virustotal.com/en/about/terms-of-service/
- Sick Anti Forensics Mechanisms in the Wild - YouTube (SANS DFIR)
- video by Alissa Torres / @sibertor https://www.youtube.com/watch?v=adJ_QZxW7Ck
SN did 3-1 and 3-2, leaving 3-3 and 3-4 for me .. intro
dynamic analysis gotchas
- capture filter versus display filter ..
- Locard's principle of exchange
- monitoring tools change the system
- can "cross the streams"
- try try again
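A small model of two of the points above, the capture-filter versus display-filter distinction and the "record a healthy baseline, then compare" loop from the experiment-design notes earlier. This is an added example, not code from the book or the session; the procmon-style events, process names and paths are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Constructed procmon-style events (process, operation, path); not real captures.
@dataclass(frozen=True)
class Event:
    process: str
    operation: str
    path: str

# A filter rule in procmon's shape: (column, relation, value, include|exclude).
Rule = Tuple[str, str, str, str]

NOISE = [  # background activity also seen on a healthy baseline system (constructed)
    Event("svchost.exe", "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    Event("vmtoolsd.exe", "WriteFile", r"C:\Windows\Temp\vmware-vmsvc.log"),
]
RUN = NOISE + [  # the same noise plus what the sample did (constructed)
    Event("lsass.exe", "ReadFile", r"C:\Windows\System32\lsasrv.dll"),
    Event("sample.exe", "CreateFile", r"C:\Lab\dropped.tmp"),
    Event("sample.exe", "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample"),
]

def rule_matches(event: Event, rule: Rule) -> bool:
    column, relation, value, _ = rule
    field, value = getattr(event, column).lower(), value.lower()
    return {"is": field == value, "contains": value in field,
            "begins with": field.startswith(value)}[relation]

def apply_rules(events: Iterable[Event], rules: Sequence[Rule]) -> List[Event]:
    """Drop events hit by an exclude rule; if any include rules exist, keep only events they hit."""
    includes = [r for r in rules if r[3] == "include"]
    excludes = [r for r in rules if r[3] == "exclude"]
    return [ev for ev in events
            if not any(rule_matches(ev, r) for r in excludes)
            and (not includes or any(rule_matches(ev, r) for r in includes))]

def capture(stream: Iterable[Event], capture_rules: Sequence[Rule]) -> List[Event]:
    """Capture filter: anything dropped here was never recorded and cannot be recovered on review."""
    return apply_rules(stream, capture_rules)

def review(recorded: Sequence[Event], display_rules: Sequence[Rule]) -> List[Event]:
    """Display filter: a view over the intact recording; change the rules and look again."""
    return apply_rules(recorded, display_rules)

def novel_events(run: Iterable[Event], baseline: Iterable[Event]) -> List[Event]:
    """Regshot-style comparison: what the run did that the healthy baseline recording did not."""
    seen = set(baseline)
    return [ev for ev in run if ev not in seen]
```

Excluding the VM tools process at capture time keeps the log small, but a display filter can never bring those events back; comparing the run against the baseline recording is what strips the remaining noise.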
Lab setup review
- set up my XP VM and snapped to Readied state in VMWare Fusion.
- ApateDNS manually set and checked with nslookup
- VM network disabled .. pretty safe
3-3 run through .. focus on procmon, good for 3-3 (CaptureBAT is not in book, is from 610)
- review procmon filters : filter vmware, lsass ... svchost ?
- where'd the malware cmd go?
- anything happen in labs folder?
- created file by name, whoo ...
3-4, ibid
- how many cmd are there?
- anything happen in labs folder?
- answers question 3.4.2?
Wrapping up the malware study group:
- You'll need to learn more about processors, assembly, and the OS (Windows?)
- The rest of PMA, and the MAC : http://www.malwarecookbook.com/
- http://opensecuritytraining.info/Training.html for classes and links (free)
- FOR610 : Malware analysis and Reversing by Lenny Zeltser (SANS) (tuition)
- many awesome blogs and webcasts : MTA (Brad), Contagio (Mila), Didier's tools, blog
- IDA Freeware or Hopper .. radare2 (free/cheap for education)
- reversing, debugging, cracking tutorials : Random, Lena (free, malware-ridden)
More study groups?
- Need your topics, votes for next year.
- Vote for something cooler than CISSP prep, or else that's first up in 2016
- My vote: OSCP labs (or even just WebGoat) for some attack skills (HTID first?)
- Also doing well in polls: Wireshark book
Thank you all for learning with us!