Hello everyone 
In my free time I'm implementing my malware analysis lab and I thought to share with you some concepts and tips to make more professional work.
We must say that the majority of antivirus/antimalware is based on two methods of detection:
The first one goes simply to consult a database of hashes of files or strings to match features with some known patterns. How it all works? We can imagine simplifying the appearance of a new malware "in the wild" based on a single executable. Someone suspicious or some research team sends a copy of the executable "suspect" analysis centers and they basically do two things: compute the hash of the file and look for strings into your executable. The results are processed in our definition file and virus is the "signature" of the malware in question. The real-time antivirus will check the files that go into the system and make hashing and search for strings inside. If It finds a match, it will report the item as infected.
Heuristic analysis is a bit more sophisticated, but less accurate. It is based essentially on an analysis of code that try to "understand" the execution and therefore it's "malicious" or not. Normally you set a threshold for defining the accuracy or "paranoid level". If the parsed code involves operations such as writing to system areas, running from entry point not sure or activation of sessions using known protocols (for example IRC), etc., then the antivirus will report the suspicious activity.
All right? Well, to be honest it lacks a "slight" coverage: who defends us from a malware that exploits Advanced Evasion Techniques and how to know if a process that does not know it is legitimate or if it is part of an advanced persistent threat (Advanced Persistent Threat)?
We can't.
With security traditional tools you cannot catch this kind of threats.
Need a specialized analysis.
Those who like me use Virtualbox must configure network adapters in vm host mode, so as not to make them interact outside the system.
But to implement a virtual machine and launch a virus doesn't let us know how the threat. It should be at least one other system for analysis. Personally I plan to install two specific distro for pentesting and forensic analysis: REMnux, which is basically made for reverse engineering of malware and Kali. These agree on some items associate test machine:
Usually, the first thing to do is activate Wireshark to monitor network traffic, Process Explorer and Process Monitor by Sysinterals to see that malware processes will eventually turn and changes to the system that will perform. The malware will write something in the registry or the file system in order to enable at startup. In some cases the malware "create" processes by using the dynamic generation of batch code that invokes other processes. The reason for this behavior? A heuristic virus analyzing a binary soon if it wants to write to the log. But if the executable creates a batch which in turn is a push in the key for the autostartup, the antivirus will not ever catch ... Another handy tool to monitor the registry is always the Autoruns. Allows you to view all processes that are started automatically by the system, along with the entry point and triggers. Maybe the malware is a Bot that is part of a Botnet. In which case Wireshark will show attempts to contact with CnC (Command and Control) server. At this point it may happen that the analysis become impossible, because some bots and malware they find themselves running out of VM because they can't contact the CnC server and therefore put themselves in "quiet mode" or even autostopped. Some very advanced malware do a quick scan of your system before anything else and, if they detect to be in a virtual environment, leaving the execution immediately.
In this case it is necessary to make the analysis on physical system.
When the malware are starting to generate network traffic, it is time to operate the analysis systems. Firstly ensure name resolution: we will then configure as DNS on the client the address of our analysis machine, where we will activate fakedns (REMnux) or dnschef (Kali) to respond to requests with the address of the same analysis machine.
For each DNS request, the machines will scan with your address to enable network sessions to have a terminator. At this point, depending on the protocols that will be used by the client to test, you can try to understand the type of service being requested: malware usually communicate with the outside world with IRC, FTP, HTTP, TFTP, SFTP, HTTPS. IRC lately is used less and less because most corporate firewalls block traffic IRC ... Once you understand the type of service you require, you can try to respond with a setup. Enable an FTP or HTTP server to respond will allow us to find out what the client is trying to recover from the network: at this point we can try going to manually retrieve the components around using the same requests for "popular" web or ftp server of what malware requires, whether they are strings of commands or pieces of code to get more and more complex operations.
ATTENTION!!!
The malware analysis is on a task that involves several risks:
I hope these tips will be useful if you want to start analyzing malware and sorry for mistakes.
Here the software list:
Oracle VM VirtualBox
REMnux: A free Linux Toolkit for Reverse-Engineering and Analyzing Malware
https://www.kali.org/
OllyDbg v1.10
Sysinternals Suite
https://www.wireshark.org/
http://www.pspad.com/
In my free time I'm implementing my malware analysis lab and I thought to share with you some concepts and tips to make more professional work.
We must say that the majority of antivirus/antimalware is based on two methods of detection:
- signatures
- heuristic analysis.
The first one goes simply to consult a database of hashes of files or strings to match features with some known patterns. How it all works? We can imagine simplifying the appearance of a new malware "in the wild" based on a single executable. Someone suspicious or some research team sends a copy of the executable "suspect" analysis centers and they basically do two things: compute the hash of the file and look for strings into your executable. The results are processed in our definition file and virus is the "signature" of the malware in question. The real-time antivirus will check the files that go into the system and make hashing and search for strings inside. If It finds a match, it will report the item as infected.
Heuristic analysis is a bit more sophisticated, but less accurate. It is based essentially on an analysis of code that try to "understand" the execution and therefore it's "malicious" or not. Normally you set a threshold for defining the accuracy or "paranoid level". If the parsed code involves operations such as writing to system areas, running from entry point not sure or activation of sessions using known protocols (for example IRC), etc., then the antivirus will report the suspicious activity.
All right? Well, to be honest it lacks a "slight" coverage: who defends us from a malware that exploits Advanced Evasion Techniques and how to know if a process that does not know it is legitimate or if it is part of an advanced persistent threat (Advanced Persistent Threat)?
We can't.
With security traditional tools you cannot catch this kind of threats.
Need a specialized analysis.
Those who like me use Virtualbox must configure network adapters in vm host mode, so as not to make them interact outside the system.
But to implement a virtual machine and launch a virus doesn't let us know how the threat. It should be at least one other system for analysis. Personally I plan to install two specific distro for pentesting and forensic analysis: REMnux, which is basically made for reverse engineering of malware and Kali. These agree on some items associate test machine:
- A debugger to analyze the running process: OllyDBg
- Tools for analyzing process trees and monitoring (the Sysinternals Suite contains an impressive amount of tools for managing and monitoring Microsoft systems)
- A packet sniffer (Wireshark, obviously)
- A good hex editor it is convenient (I use PSPad)
Usually, the first thing to do is activate Wireshark to monitor network traffic, Process Explorer and Process Monitor by Sysinterals to see that malware processes will eventually turn and changes to the system that will perform. The malware will write something in the registry or the file system in order to enable at startup. In some cases the malware "create" processes by using the dynamic generation of batch code that invokes other processes. The reason for this behavior? A heuristic virus analyzing a binary soon if it wants to write to the log. But if the executable creates a batch which in turn is a push in the key for the autostartup, the antivirus will not ever catch ... Another handy tool to monitor the registry is always the Autoruns. Allows you to view all processes that are started automatically by the system, along with the entry point and triggers. Maybe the malware is a Bot that is part of a Botnet. In which case Wireshark will show attempts to contact with CnC (Command and Control) server. At this point it may happen that the analysis become impossible, because some bots and malware they find themselves running out of VM because they can't contact the CnC server and therefore put themselves in "quiet mode" or even autostopped. Some very advanced malware do a quick scan of your system before anything else and, if they detect to be in a virtual environment, leaving the execution immediately.
In this case it is necessary to make the analysis on physical system.
When the malware are starting to generate network traffic, it is time to operate the analysis systems. Firstly ensure name resolution: we will then configure as DNS on the client the address of our analysis machine, where we will activate fakedns (REMnux) or dnschef (Kali) to respond to requests with the address of the same analysis machine.
For each DNS request, the machines will scan with your address to enable network sessions to have a terminator. At this point, depending on the protocols that will be used by the client to test, you can try to understand the type of service being requested: malware usually communicate with the outside world with IRC, FTP, HTTP, TFTP, SFTP, HTTPS. IRC lately is used less and less because most corporate firewalls block traffic IRC ... Once you understand the type of service you require, you can try to respond with a setup. Enable an FTP or HTTP server to respond will allow us to find out what the client is trying to recover from the network: at this point we can try going to manually retrieve the components around using the same requests for "popular" web or ftp server of what malware requires, whether they are strings of commands or pieces of code to get more and more complex operations.
ATTENTION!!!
The malware analysis is on a task that involves several risks:
- Can take a long time: there are malware that apparently doesn't do anything about anything for hours before you take action. Others even have as a trigger only during a specific time and then are no longer executed
- Often recover on sites "disreputable" pieces of code. This exposes your pc at risk of being infected by other malware.
- In some cases the remote servers are managed directly from the creators of malware. Better not to draw too much attention with multiple contacts, maybe even repeated in a short period of time.
- The fact that a malware appears to do nothing to hurt doesn't mean you can play freely: it's no joke!!
I hope these tips will be useful if you want to start analyzing malware and sorry for mistakes.
Here the software list:
Oracle VM VirtualBox
REMnux: A free Linux Toolkit for Reverse-Engineering and Analyzing Malware
https://www.kali.org/
OllyDbg v1.10
Sysinternals Suite
https://www.wireshark.org/
http://www.pspad.com/
