
Thread: To start with malwares

  1. #1

    To start with malwares

    If I start with malware unpacking, do I need to set up a malware analysis environment with a victim and a sniffer PC, or to have a VMware Workstation? Isn't there any other way around, because I don't have access to two PCs, nor do I have heavy RAM sticks to support VMware. I read many papers on malware unpacking, but most of them are official releases, which means not true knowledge or obfuscated knowledge.
    What steps must be taken to start with malware? I am already working on packers/protectors, so I think I should as well start with malware too, since they both are closely related and the latter sounds more fun.
    By the way, I tried to analyse that malware mnso.exe, but I can't get it to open in any of the debuggers, Olly or the IDA disassembler; however, I am sure it did not really infect my PC.
    Regards,
    _InSaNe_
    Last edited by _InSaNe_; July 28th, 2007 at 00:18.

  2. #2
    You can try manual tracing in a hex editor, like I've been doing.

  3. #3
    Polaris (Master Of Nebulah Frost) | Join Date: Jun 2002 | Location: Invincible Cyclones Of FrostWinds | Posts: 221
    I would say that to do malware analysis you need both. The VMWare image is really cool for non-VM-aware malware, and you can revert it if you make an error, while a quickly re-imageable physical goat comes in handy to handle VMWare-aware malware with ease. Anyway, do not make the mistake of thinking that you can handle malware analysis on your own machine: no matter how good you are, sooner or later an accidental double click, a debugger failure to break or something else will activate the malware and put your data at risk.

    Anyway, IMHO a base document for malware analysis is the one from Lenny Zeltser, as it shows both the process and the way it should be documented. Find it here:

    http://www.zeltser.com/reverse-malware-paper/reverse-malware.pdf
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  4. #4
    Naides is Nobody | Join Date: Jan 2002 | Location: Planet Earth | Posts: 1,647
    Analysis of Malware using your own computer and no virtual machine. . .
    There was a bomb squad school in which live explosives were used for training exercises in bomb defusing.

    Graduation rate was rather low.

  5. #5
    Registered User | Join Date: Aug 2005 | Location: Greece | Posts: 157
    I heard they also used colorless cables...
    A picture worth 1K words (or .5K DWORDS).

  6. #6
    Super Moderator | Join Date: Dec 2004 | Posts: 1,507 | Blog Entries: 15
    you don't need loads of ram sticks to operate virtual machines

    i can assure you that you can run a virtual machine (the vm in this case is microsoft virtual pc 2004) running on a winxp host

    vpc is running win2k-sp4

    host is running winxp-sp1 / sp2

    host has 128 mb ram and vpc was allocated 32 mb ram

    processor is p3

    they both run peacefully with not much of an impact on processing speed; sure, some slowness is inevitable, but that isn't irritatingly slow

    now i think none of the modern computers come with less than 256 ddr

    if you are talking about vms then i can assume that you have a pc which can run xp (xp installs with 64 mb ram minimum, so by default the pc would have at least 128 mb ram)

    grab a copy and set it up and start to form your own opinion; never rely on hand-me-down information that says you need blah blah to run blah blah

    they are almost always not right (including mine above)

  7. #7
    Quote Originally Posted by blabberer:
    you dont need loads of ram sticks to operate virtual machines
    i can assure you that you can run a virtual machine (the vm in this case is microsoft virtual pc 2004) running on a winxp host
    Hey, I have enough RAM then; I must have made sure what that geek meant in a tutorial I read that "to set up VMware you will need enough RAM". I am on for VMs then, thanks for the info.

    So all I need to do is set up a virtual machine, run the mnso.exe (malware) and attach OllyDbg to it, so that I will be able to understand the working of the malware; however, isn't it obvious that I won't be able to know the packing scheme?
    Regards,
    _InSaNe_
    Last edited by _InSaNe_; July 28th, 2007 at 12:06. Reason: Just curious.

  8. #8
    Super Moderator | Join Date: Dec 2004 | Posts: 1,507 | Blog Entries: 15
    when you are onto a malware

    JUST ETCH THIS INTO YOUR MIND PERMANENTLY

    THERE IS NOTHING CALLED RUNNING IT

    YOU SIMPLY DO NOT RUN MALWARES

    UNLESS AND OTHERWISE YOU HAVE A SUITABLE LABORATORY ENVIRONMENT (WHERE CONTROLLED EXECUTION IS POSSIBLE)

    a vm is still a piece of complex, unreliable software (attackable by a determined malware)

    if the malware falls into the category of a masterpiece it simply can
    evade your vm and infect yours and/or the whole world's comps

    so you always start with understanding it statically (hex editor, ida, whatever rocks your boat; in my case i would say ollydbg -> view -> file -> right click -> peheader /// right click -> disassemble /// ctrl+g address // peek, poke and get a preliminary grasp of its extents)

    then you should be almost ready to open it in ollydbg for tracing

    and always start tracing from the earliest possible stage

    if in windows userland i could state LdrLoadThunk (after ntdll.dll is mapped and no other dlls are mapped)

    the ntdll.DebugBreak comes next (ollydbg -> pause at system breakpoint)

    then comes tls, dllinits, and then comes the application's entry point
    (if there is no stealth in the above, then if this malware is coded in
    a high level language (compiler generated code) then _crtstartup code will be executed and the control will be transferred to the real application's code (main or winmain) (i'm assuming unobfuscated, unpacked code here, which is never the case in the real world)

    if it contains packers, obfuscators, crypters, foolers, cheaters then all these will be executed before you end up on _crtstartup or main or winmain)

    and winmain or main in most cases would be simply crap

    so if you run and try to attach it you might have almost always lost the game right the second you double clicked the malware
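
    The static first look described in the post above (PE header, entry point, extents, all before any tracing) can be scripted. The block below is an added example and is not code from this thread, from OllyDbg or from any project the posters name. It parses the DOS and NT headers, the TLS data directory and the section table of a PE32/PE32+ file without executing it, then records the hints that a packed or stealthy sample usually shows: entry point in a later section, a writable and executable entry section, high entropy there, and a TLS directory (whose callbacks run before the entry point, as the post notes). The sample image it builds is a constructed toy PE, not mnso.exe or any real binary; the section name `.packed` and all its values are made up for the demonstration.

```python
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_TLS = 9          # data-directory slot of the TLS table
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 looks packed/encrypted, ~0 is padding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(blob: bytes) -> dict:
    """Parse DOS/NT headers, TLS directory and section table of a PE32/PE32+ file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry = struct.unpack_from("<I", blob, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                       # PE32+
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    tls_rva = tls_size = 0
    if struct.unpack_from("<I", blob, ndirs_off)[0] > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, tls_size = struct.unpack_from("<II", blob, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, flags = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "flags": flags,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"machine": machine, "image_base": image_base, "entry": entry,
            "tls": (tls_rva, tls_size), "sections": sections}

def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def triage(blob: bytes) -> dict:
    """Header facts plus the packer/stealth hints a first static look should record."""
    pe = parse_pe(blob)
    sec = section_for_rva(pe["sections"], pe["entry"])
    hints = []
    if sec is None:
        hints.append("entry point lies outside every section")
    else:
        if sec is not pe["sections"][0]:
            hints.append("entry point in %s, not the first section" % sec["name"])
        if sec["flags"] & IMAGE_SCN_MEM_WRITE and sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
            hints.append("entry section %s is writable and executable" % sec["name"])
        if sec["entropy"] > 7.0:
            hints.append("entry section %s has entropy %.2f (likely packed)" % (sec["name"], sec["entropy"]))
    if pe["tls"][0]:
        hints.append("TLS directory present: TLS callbacks run before the entry point")
    pe["entry_section"] = sec["name"] if sec else None
    pe["hints"] = hints
    return pe

def build_sample_pe() -> bytes:
    """Constructed toy PE32, not a real binary: NOP-filled .text, a writable+executable
    high-entropy '.packed' section holding the entry point, and a TLS directory."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 9, 0,                                      # magic, linker version
                      0x200, 0x200, 0, 0x2000, 0x1000, 0x2000,          # sizes, entry RVA, bases
                      0x400000, 0x1000, 0x200,                          # image base, alignments
                      4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0,            # versions, image/header sizes
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # subsystem, stack/heap, dirs
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x2100, 0x18)
    secs = (struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b".packed", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040))
    headers = dos + coff + opt + bytes(dirs) + secs
    headers += bytes(0x200 - len(headers))                              # pad to FileAlignment
    text = b"\x90" * 0x200                                              # entropy 0
    packed = bytes((i * 73 + 41) % 256 for i in range(0x200))           # each value twice: entropy 8
    return headers + text + packed

if __name__ == "__main__":
    r = triage(build_sample_pe())
    print("entry RVA 0x%x in section %s" % (r["entry"], r["entry_section"]))
    for hint in r["hints"]:
        print(" -", hint)
```

    Run on a real file, `triage(open(path, "rb").read())` gives the same record: which section the entry point lands in, whether that section is writable and executable, its entropy, and whether a TLS table exists. Those four facts are exactly what decides whether the earliest breakpoint should be the system breakpoint or earlier, and they are read from the bytes on disk, so nothing in the sample executes.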

  9. #9
    so if you run and try to attach it you might have almost always lost the game right the second you double clicked the malware
    Aye aye, sir, thanks for the illumination; I will update as soon as I am able to at least disassemble/debug one malware. Downloading VMware Workstation right now.
    Regards,
    _InSaNe_
