
Thread: Setting up a malware analysis environment

  1. #1
    Kayaker

    Setting up a malware analysis environment

    A frequent request here is for both introductory and detailed information on setting up and using a safe malware analysis environment. I've created a sticky thread where I hope we can gather as many good articles as possible that touch on that subject.

    Please add any noteworthy articles you find or are aware of that can help guide those of us who are interested in secure reversing of insecure targets.

    The best of the articles will find its way into a larger knowledge resource that is currently being set up, so anything you can add will be a contribution to something far grander and permanent than this thread.


    To start with, here are a few that have been mentioned before in the forums:


    Capture, care and analysis of Malware made easy
    http://www.linklogger.com/vm_capture.htm

    Practical Malware Analysis
    http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf


    Setting up Windbg/VMWare:

    Remote Debugging using VMWare
    http://www.catch22.net/tuts/vmware

    Driver Debugging with WinDbg and VMWare
    http://silverstr.ufies.org/lotr0/windbg-vmware.html


    Cheers,
    Kayaker

  2. #2
    I think any malware analyst should know the pros & cons of the various tools for setting up an analysis environment in the first place:

    http://www.sans.org/reading_room/whitepapers/threats/malware_analysis_environment_design_and_artitecture_1841

  3. #3
    Interesting article: an automated malware analysis environment (already linked up somewhere on the forum I'm sure).
    http://cert.at/downloads/papers/mass_malware_analysis_en.html

  4. #4
    How to detect virtual machines:

    www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf

  5. #5
    For malware analysis a good combination could be Sandboxie + Buster Sandbox Analyzer

    Sandboxie: http://www.sandboxie.com

    Buster Sandbox Analyzer: http://bsa.sandboxie.info

    As soon as I finish coding the next BSA feature I will probably write a paper about setting up a malware analysis environment.

  6. #6
    Sandboxie is not a good one, because new malware can detect Sandboxie.

  7. #7
    Quote Originally Posted by mansourweb:
    Sandboxie is not a good one, because new malware can detect Sandboxie.
    I said Sandboxie + Buster Sandbox Analyzer.

    http://bsa.sandboxie.info/frameb.htm

  8. #8


    Another one from CERT.at

    Hi folks,

    it's just a few days ago that I put my new version of Minibis on our (CERT.at) website.
    For everyone that hasn't heard about it yet: Minibis is a fully customizable automated malware analysis environment.
    So, for anyone that's interested in this topic, feel free to visit our website http://cert.at/downloads/software/minibis_en.html at "Computer Emergency Response Team of Austria". There's plenty of information there regarding Minibis and its concept, as well as, of course, a download link.

    Cya,
    Chrisu.
    source: https://www.openrce.org/forums/posts/1279

  9. #9
    Quote Originally Posted by Silkut View Post
    Another one from CERT.at

    source: https://www.openrce.org/forums/posts/1279
    As usual it uses a Linux distribution (Ubuntu) to do the work.

    I always wonder the same thing, and it's one of the reasons why I coded Buster Sandbox Analyzer: why is Linux used to analyze Windows malware?

    Why are complicated installations required?

    Apart from that, it uses VirtualBox, so lots of malware will detect the virtual machine and will not work properly.

    What's the point of doing this project under Linux if you use VirtualBox, something already available under Windows?

  10. #10
    Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
    Just an idea.

  11. #11
    Quote Originally Posted by Darkelf View Post
    Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
    Just an idea.
    Could be the reason, but I don't think so.

    Anyway, there are solutions to prevent anything breaking out of the virtual machine.

    e.g.: if I'm not wrong, Sandboxie is able to sandbox VirtualBox.

  12. #12
    chrisu
    Quote Originally Posted by Darkelf View Post
    Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
    Just an idea.
    That's exactly *the* reason!

    Quote Originally Posted by VirusBuster View Post
    As usual it uses a Linux distribution (Ubuntu) to do the work.

    I always wonder the same thing, and it's one of the reasons why I coded Buster Sandbox Analyzer: why is Linux used to analyze Windows malware?

    Why are complicated installations required?

    Apart from that, it uses VirtualBox, so lots of malware will detect the virtual machine and will not work properly.

    What's the point of doing this project under Linux if you use VirtualBox, something already available under Windows?
    Hm, a few things that need to be mentioned:

    *) As already mentioned above, usually another OS is used for the base (and therefore not necessarily Linux), just in case of an escape. In the case of Minibis (which is CERT.at's implementation of a concept posted earlier) there has to be a place that is declared to be safe. That's because of all the monitoring data there, which has to stay "trusted", at least with adequate effort.

    *) Regarding VirtualBox, I have to say that it is one of the least detected VM solutions, though, to be more precise, as it's built upon QEMU it's more of an emulator than a typical virtualization.
    Anyway, Minibis is primarily used for mass malware analysis, so a few samples that won't execute do not mess up the results of, let's say, 25k samples.
    Furthermore, nowadays malware is changing its characteristics regarding VM detection. Actually the trend of VM detection is falling massively. That's because virtualization became daily business for productive machines. As malware's major goal is to run in order to make money, that is just a logical implication.

    *) For anyone whose paranoia mode is in god mode: there's also the possibility to use native machines instead of virtual machines; that's usually done with data-recovery cards, forensic write blockers and automated re-imaging.

    Hope that brought some light into the discussion.

    Cheers,
    Chrisu.

  13. #13
    If I'm not wrong, Sandboxie is able to sandbox VirtualBox, so in the rare case of an escape from the virtual machine the malware would land inside the sandbox folder.

    Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would do the work too.

  14. #14
    chrisu
    Quote Originally Posted by VirusBuster View Post
    If I'm not wrong, Sandboxie is able to sandbox VirtualBox, so in the rare case of an escape from the virtual machine the malware would land inside the sandbox folder.

    Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would do the work too.
    It really depends on what your goal is. Just as a prevention layer for emailing and surfing, I agree with you. But if it comes to professional behavioral analysis of malware, those sandboxes are just the wrong tool. That is because of the differences between sandboxes, VMs and emulators regarding their characteristics.
    When you do behavioral malware analysis you *want* the underlying OS to get infected; furthermore (besides VM detection, which I already mentioned above) you want to have a "normal" looking, full OS, so in other words, anything on the system that is additional might change your monitoring results.
    Another thing is the fundamental difference in the approach of sandboxes and VMs: you can compare it with "white"- and "black"-listing. Sandboxes do blacklisting - they try to slap an executable on any thinkable way it could act evil. VMs won't let the guest do anything until you give it the ability.
    There are just too many drawbacks sandboxes have in comparison to VMs when it comes to professional behavioral malware research, but as I said, there are definitely use cases for sandboxes, though.
    As for me, I would prefer to bring my own trusted oxygen with me when I enter a room with unknown bacteria and viruses rather than breathing the air in that room through a filter ... but that's just my opinion.

    Cheers, Chrisu.

  15. #15
    I agree with you, Chrisu, I only disagree in one thing: if you are going to use VirtualBox for malware analysis, why use it under Linux if VirtualBox for Windows exists?

    The reason you give is "to prevent malware that is capable of breaking out of the virtual machine from infecting the host".

    There are several methods to prevent such a situation, so using Linux is like killing flies with cannons.

    Quote Originally Posted by chrisu:
    there has to be a place that is declared to be safe. That's because of all the monitoring data there, which has to stay "trusted", at least with adequate effort.
    You can declare a place to be safe under Windows with minimum effort.
