Upload: digit-oktavianto

Post on 08-May-2015


DESCRIPTION

This is my presentation at the JWC 4th Computer and Network Security Forum event at Binus International University. I talk about how to set up your own malware lab for malware analysis purposes.

TRANSCRIPT

Page 1: Setup Your Personal Malware Lab

SETTING UP YOUR OWN MALWARE LAB

Presented by:

Digit Oktavianto
[email protected]
http://digitoktavianto.web.id

JWC 4th Computer and Network Security Forum

Page 2

About Me

Security Consultant

Member of Honeynet Indonesia Chapter

Member of OWASP Indonesia

Coordinator of Cloud Indonesia (SysAdmin)

Member of KPLI Jakarta

IT Security Enthusiast (an "opreker", i.e. a tinkerer :D)

Page 3

TODAY'S DISCUSSION

- Introduction to malware analysis
- What is a malware lab?
- How to build your own malware lab?
- What tools are included in a malware lab?

Page 4

Introduction to Malware Analysis

Malware: any piece of code that has malicious intent and/or performs a function the user was not aware it was going to perform.

Malware analysis: the process of analyzing malware: how to observe its behaviour, how to reverse engineer it, and how to disassemble it.

Page 5

Introduction to Malware Analysis (Cont'd..)

Benefits of malware analysis:

- We can investigate how the malware works
- We can predict what it is going to do to its victims
- We will know how to mitigate this malware attack (quickly assess the threat)
- We can prevent further malware action
- We will understand threat management better
- We can secure our environment

Page 6

What is a Malware Lab

A malware lab is a safe environment in which to analyze malware. Basically, it is an isolated environment that contains the tools a malware analyst needs for analysis.

Page 7

What is a Malware Lab (Cont'd...)

Why should we build a malware lab?

- Proactive approach
- Advanced detection (before the AV vendor detects it?)

Page 8

What is a Malware Lab (Cont'd...)

Why an isolated and safe environment?

- We need to execute the malware itself (dynamic analysis)
- We interact with the malware to learn how it works
- We observe how the malware infects the file system: which files are created or modified, what it changes in the registry, and what network traffic it generates
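The file system and registry observation described on this slide is usually done Regshot-style: take a snapshot before running the sample, run it, take a second snapshot, and diff the two. Below is an added example (not code from the slides or from Regshot) that applies the same before/after comparison to a directory tree so it can be run on any OS. The victim tree, the file names and the simulated "infection" are all constructed for the demo.

```python
"""Regshot-style before/after snapshot diff of a file tree (added example).

Snapshot every file under a root (path -> size, sha256), run the sample,
snapshot again, and report what was added, deleted or modified. Regshot does
the same for registry keys; the idea is identical.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of added, deleted and modified paths."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed victim tree, simulate malware activity, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # constructed victim tree (hypothetical, not a real system image)
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(os.path.join(root, "Users", "victim", "Documents"))
        _write(root, "Windows/System32/kernel32.dll", b"legit dll bytes")
        _write(root, "Users/victim/Documents/report.docx", b"quarterly report")
        _write(root, "Users/victim/Documents/notes.txt", b"todo list")
        before = snapshot(root)

        # simulated sample behaviour: drop a payload, overwrite a document, delete a file
        _write(root, "Windows/System32/svch0st.exe", b"MZ\x90\x00fake payload")
        _write(root, "Users/victim/Documents/report.docx", b"ENCRYPTED!!!")
        os.remove(os.path.join(root, "Users/victim/Documents/notes.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In a real lab the first snapshot is taken on the clean VM (ideally from the hypervisor side, not from inside the infected guest), and hashing rather than timestamps is what catches a file overwritten in place with the same size.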

Page 9

What is a Malware Lab (Cont'd...)

What are the purposes?

- Personal research
- Hobby
- Profit oriented (working as a malware analyst)
- Enhancing knowledge

Page 10

How to build your own malware lab?

- Physical lab
- Virtualization lab

Page 11

How to build your own malware lab? (Cont'd ...)

Physical Lab

Advantage:

- No VM-aware evasion: the malware cannot detect a hypervisor and change its behaviour

- Real environment

- Behaves fully as a real victim machine

Disadvantage:

- Costly

- Time to build the real environment (and to re-image the machine after every run)

Page 12

How to build your own malware lab? (Cont'd ...)

Virtualization Lab

Advantage:

- Easy to deploy

- Minimum cost

- Easy to isolate, snapshot and restore, giving a safe environment

Disadvantage:

- VM-aware detection: malware that detects the hypervisor may refuse to run or alter its behaviour

Page 13

How to build your own malware lab? (Cont'd ...)

Steps for building your malware lab (taken from http://zeltser.com/malware-analysis-toolkit/):

Step 1: Allocate physical or virtual systems for the analysis lab

Step 2: Isolate laboratory systems from the production environment

Step 3: Install behavioral analysis tools

Step 4: Install code-analysis tools

Step 5: Utilize online analysis tools

Page 14

How to build your own malware lab? (Cont'd ...)

Operating System?

1. Windows XP (victim guest)

2. Windows 7 (victim guest)

3. Linux: REMnux from Lenny Zeltser (analysis and network-services host)

Page 15

Tools included in a Malware Lab

Honeypot (trap the malware)

Thug (low-interaction client honeypot that visits malicious web pages)

Ghost USB Honeypot (emulates a USB drive to catch USB-spreading malware)

Page 16

Tools included in a Malware Lab (Cont'd...)

Behavioral analysis tools

- Filesystem and registry monitoring:

CaptureBAT, Regshot, Filemon (superseded by Procmon)

- Process monitoring:

Process Explorer, Process Hacker, Procmon

- PE file inspection:

CFF Explorer, PEiD, PEView

- Network monitoring:

Wireshark, tcpdump, FakeDNS, ApateDNS, tshark, TCPView, NetWitness, Netcat
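FakeDNS and ApateDNS in the list above are sinkhole resolvers: they answer every name the sample asks for with the analyst's own IP, so the sample's callbacks stay inside the lab and the names it looked up are logged. The following is an added example (not code from the slides or from either tool) that implements that behaviour from raw DNS packets; the domain name, transaction ID and sink IP are constructed for the demo, and the `serve` function is assumed to run on the isolated lab gateway.

```python
"""Minimal sinkhole DNS responder in the style of FakeDNS / ApateDNS (added example).

Every A query is answered with sink_ip; other query types get an empty NOERROR
reply. Only the packet-building and parsing functions are needed offline; serve()
binds UDP/53 on the lab gateway and needs root.
"""
import socket
import struct


def build_query(name, txid=0x1234, qtype=1):
    """Construct a DNS query packet (used here to build constructed sample input)."""
    qname = b"".join(struct.pack("B", len(p)) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, name, qtype, offset just past the question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_response(packet, sink_ip, ttl=60):
    """Answer an A query with sink_ip. Returns (response bytes, queried name)."""
    txid, name, qtype, qend = parse_query(packet)
    question = packet[12:qend]
    if qtype != 1:  # only A records are sinkholed; others get NOERROR with no answer
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question, name
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    # name is a pointer to offset 12 (the question), type A, class IN, TTL, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return header + question + answer, name


def answered_ip(response):
    """Extract the IPv4 address from a response produced by build_response."""
    return socket.inet_ntoa(response[-4:])


def serve(sink_ip, bind="0.0.0.0", port=53):
    """Run the sinkhole (assumed to run on the lab gateway; needs root for port 53)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, name = build_response(data, sink_ip)
        except (ValueError, IndexError, struct.error):
            continue  # malformed packet, ignore
        print(f"{peer[0]} asked for {name} -> {sink_ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    q = build_query("c2.evil-domain.example")  # constructed sample query
    resp, seen = build_response(q, "10.0.0.1")  # constructed sink IP
    print(seen, "->", answered_ip(resp))
```

Point the victim VM's DNS at the host running this, and pair it with a listener (Netcat or INetSim-style services) on the sink IP so the sample's follow-up HTTP or TCP connections are captured by Wireshark rather than dropped.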

Page 17

Tools included in a Malware Lab (Cont'd...)

Code Analysis Tools

- Disassembler / debugger:

IDA Pro, OllyDbg, Immunity Debugger, PyDbg, WinDbg, Fiddler (HTTP debugging proxy)

- Memory dumper:

LordPE, OllyDump, HBGary FastDump

- Misc. tools:

Sysinternals Suite, Dependency Walker, hex editor, HashCalc, MAC changer
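PEiD, PEView and CFF Explorer (page 16) and the memory dumpers above all start from the PE section table: a packed sample typically has its entry point in a section with near-random (high-entropy) contents, which is why the dumpers are needed to recover the unpacked image. The following added example (not code from the slides or from any of those tools) parses the section table of a PE file and applies that entropy heuristic. The sample executable is constructed in memory by `build_sample`; its section names, sizes and addresses are chosen for the demo and it is not a runnable program.

```python
"""PE section table parser with a packing heuristic (added example).

Reads the DOS header, COFF header, AddressOfEntryPoint and the section table,
computes the Shannon entropy of each section's raw bytes, and flags the binary
as likely packed when the entry point lives in a high-entropy (or UPX-named)
section. build_sample() constructs a minimal two-section PE image for the demo.
"""
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (entry_rva, [section dicts]) from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rawsize,
            "entropy": round(entropy(raw), 2),
            "has_entry": va <= entry_rva < va + max(vsize, rawsize),
        })
    return entry_rva, sections


def packing_verdict(pe, threshold=7.0):
    """Return (likely_packed, entry section name, entropy of that section)."""
    _entry, sections = parse_sections(pe)
    ep = [s for s in sections if s["has_entry"]]
    if not ep:
        return True, None, None  # entry point outside every section is itself suspicious
    s = ep[0]
    packed = s["entropy"] >= threshold or s["name"].upper().startswith("UPX")
    return packed, s["name"], s["entropy"]


def build_sample(packed=True):
    """Construct a minimal PE image: low-entropy .text plus a high-entropy UPX1 section."""
    text = b"\x90" * 256 + b"\xc3" * 256          # NOP/RET stub, entropy exactly 1.0
    blob, h = b"", b"seed"
    while len(blob) < 1024:                       # deterministic pseudo-random payload
        h = hashlib.sha256(h).digest()
        blob += h
    data = blob[:1024]
    layout = [(b".text", 0x1000, text, 512), (b"UPX1", 0x2000, data, 1024)]
    entry = 0x2010 if packed else 0x1000          # entry in UPX1 vs. in .text
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 512, 1024, 0, entry) + b"\x00" * 204
    table = b"".join(
        struct.pack(SECTION_FMT, name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, raw, ptr in layout
    )
    headers = dos + b"PE\x00\x00" + coff + opt + table
    return headers.ljust(512, b"\x00") + text + data


if __name__ == "__main__":
    for flag in (True, False):
        print(packing_verdict(build_sample(packed=flag)))
```

On a real sample the same walk over the section table is what PEiD's entry-point signatures and PEView's section view give you; an entry point in a section named UPX0/UPX1 or in one with entropy above roughly 7 is the usual cue to run the sample to its original entry point and dump it with OllyDump or LordPE.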

Page 18

Tools included in a Malware Lab (Cont'd...)

Sandboxing ???

Based on Wikipedia, "in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites."

Page 19

Tools included in a Malware Lab (Cont'd...)

Sandbox apps:

- Cuckoo Sandbox (http://www.cuckoosandbox.org/)
- Malheur (http://www.mlsec.org/malheur/)
- Buster Sandbox Analyzer (http://bsa.isoftware.nl/)
- ZeroWine Image (http://zerowine.sourceforge.net/)
- ZeroWine Tryout (http://zerowine-tryout.sourceforge.net/)
- Evalaze (http://www.evalaze.de/en/Screenshots/)
- Truman (http://www.secureworks.com/research/tools/truman/)

Page 20

Tools included in a Malware Lab (Cont'd...)

Online sandboxes for checking a malware sample:

- Anubis (http://anubis.iseclab.org/)

- GFI Sandbox (http://www.threattrack.com/)

- ThreatExpert (http://www.threatexpert.com/)

- Norman Sandbox (http://www.norman.com/security_center/security_tools/)

Page 21

Tools included in a Malware Lab (Cont'd...)

Online malware scanners:

- VirusTotal (https://www.virustotal.com/)

- Wepawet (http://wepawet.iseclab.org/) → web-based malicious content detector

- AVG Web Scanner (http://www.avg.com.au/resources/web-page-scanner/) → malicious URL scanner

- Malware Domain List (http://www.malwaredomainlist.com/mdl.php) → online tool to check whether a site hosts malicious content

- PhishTank (http://www.phishtank.com/) → submit phishing / malicious websites

Page 22

Tools included in a Malware Lab (Cont'd...)

Online malware scanners:

A complete list can be found here:

http://www.pentestit.com/list-online-malware-scanners/

http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html

Page 23

Additional Resources for Malware Analysts

Malware repositories:

- http://malware.lu
- https://code.google.com/p/malware-lu/
- http://contagiodump.blogspot.com/
- http://www.offensivecomputing.net/
- http://www.malwareblacklist.com/showMDL.php
- http://www.scumware.org/

Page 24

Finish

Questions?

Thank You