So You Want to Analyse Malware?

1. Preface

If you’re reading this, I think it’s fairly safe to assume your motivations for your own lab. When I started, I found it very hard to find up-to-date resources on beginning my interest. Granted, I had the precursory knowledge of tools and techniques that was explored throughout my University studies, making it much more approachable for me.

There’s no better way of defeating your enemy then understanding how it works.

Hopefully, you will find the following a great way to get started in the vast world of malware analysis; combining a cohort of techniques from reverse engineering and researching skills. Note, this post isn’t a guide on how to install the tools mentioned, but rather to expose them to you and ecourage you to research into them on your own accord.

Mandatory plug, the tools and resources I detail throughout this post are those that I have implemented in the tasks of my commissoned TryHackMe Malware Pathway/Series.

2. Understanding Your Scope.

First things first, understanding and road-mapping your aspirations. What information do you want to extract during your analysis? Source code? Networking traffic to C&C servers permissing you to track Advanced Persistent Threats?

Decisions like these, including the architectures of the samples you want to analyse I.e. Linux and/or Windows, are fundamental in understanding what tools and techniques you need.

3 Virtualised Vs. Dedicated Platforms.

What is given, however, is the necessity for a platform to analyse on! Making the choice: Virtualised environments or a physical environment.

3.1. Virtualised

Arguably the most convenient, a virtualised environment involves using a Hypervisor such as Virtualbox to abstract your computers hardware and separate your devices operating system to allow other operating systems to coincide. Whilst I live for anything VMWare, this is the only exception.

Malware these days are pretty smart. Often, samples are capable of detecting whether or not it is being executed in a virtualised environment - a direct middle finger to malware analysts. Sophisticated samples even change their behaviours in virtualised environments to throw analysts off the scent. They employ these checks through a few ways:

  1. Checking for the presence of registry values such as the VMware provider names for drivers (Hard drive and network interfaces)
  2. Opening the VMware Guest OS <–> Host OS communications channel (Carpenter., Liston and Skoudis., 2007).
  3. MAC Address checks of network interface cards 3.1. VMware has a range of hardcoded octets such as 00:1C:14, Virtualbox having D4:01:29 for example.

What’s most convenient about using a virtual environment is the facilitation for snapshots. After execution, you will need to reset your environment to a pre-infection state for the next sample or to analyse things that you may have initially missed. Installing all of your tools again is laborious. Snapshots allow you to do just as the name suggests - take a picture of your environment at this state.

With this said, Malware is very capable of escaping your virtualised environment (Seals., 2014), onto your host OS where valuable data is most likely contained. It’s a risk vs. convenience here.

3.2. Physical

A time consuming and expensive alternative, a physical environment is arguably where the big boys play. The checks outlined line in Virtuaised no longer apply - simply because these artifcats are no longer present for Malware to check.

However, whilst you can virtualise many hosts for infection - building a large varied lab incl. Windows domains and network analysis suites, you will have to replicate this onto multiple machines in real life.

4. Taking the Plunge: Tools for the Job

Sure, a good worker always blames his tools. But we don’t have room for that here. More suitably, a good worker keeps his host clean. I can think of a lot of metaphors here, aptly, a surgeon doesn’t bring a chainsaw to a surgery…But that’s a bit of stretch.

There is a [https://github.com/rshipp/awesome-malware-analysis](plethora of tools) to choose from, but I’ll detail my favourite ones below and the situations I might use them for:

4.1. Sample Collection (Honeypots):

  • Cowrie, an SSH honeypot
  • Dionaea, a low-level honeypot emulating services from Samba, HTTP to SMTP and MS/MYSQL for sample collection

4.2. De-obfuscation:

  • Balbuzard, able to detect patterns like IP addresses, malicious strings etc.
  • de4dot, a .NET Unpacking/Deobfuscation package

4.3. Disassembly (Static analysis of code):

4.4. Debugging (Dynamic analysis of code):

4.5. Network Analysis:

4.6. Sandboxing Environments:

Pre-packaged analysis environments

4.7. Miscellaneous

Some neat little scripts/tools that deserve shoutouts! (WIP)

4.8. Reading

5. References

Carpenter, M., Liston, T. and Skoudis, E., 2007. Hiding Virtualization from Attackers and Malware. IEEE Security & Privacy Magazine, 5(3), pp.62-65.

Seals, T., 2014. Malware No Longer Avoids Virtual Machines. Infosecurity Magazine. from: https://www.infosecurity-magazine.com/news/malware-no-longer-avoids-virtual/.