
Thread: Setting up a malware analysis environment

  1. #16
    chrisu
    Guest
    Quote Originally Posted by VirusBuster View Post
    ... I only disagree in one thing: if you are going to use VirtualBox for malware analysis, why to use it under Linux if VirtualBox for Windows exists? ...
    I understand your veto on that. Actually it's (nearly) perfectly fine if you use Windows as the host system. The fundamental concept behind Minibis furthermore gives you free choice in all of its components, so also in this. However, having said this, I would still recommend having another OS as host (might also be Mac OS), just to massively reduce the risk that if something escapes it will find its native environment again. You can take the following scenario as an example:

    Usually you have networking capabilities in your malware lab environment. That's a must, as you want to know what the sample is trying to do over the net. Under the forensic aspect of not unnecessarily adding software to the sample's playing field, you usually position your network monitor (sniffer) outside of it. So if you have the typical scenario of a host and a guest (in VM jargon), your sniffer would sit on the host. The network in that scenario is definitely the place of the highest risk for anything to escape. So if you analyse samples like Conficker (and so on) which try to spread themselves over the network, you're in a very bad situation if you have Windows as host system, especially if it's an unknown sample that might have some rpc-zeroday-exploit payload on board. In the worst case it would infect your host, which wouldn't even be the fault of the VM solution.

    To stay on this rpc scenario: that's also a point for sandboxes. Sandboxes hook (and so on) more or less of the OS' functionalities to hinder a process from attacking un-sandboxed components, including inter-process communication (rpc, pipes, mailslots, ...). But the network communication is usually not "influenced", as sandboxes' primary goal is to have a prophylaxis against infections during surfing and emailing, in other words, during internet communications. But all these techniques (rpc, pipes, mailslots) I mentioned above are done via "cable". So it's easy to circumvent the sandbox by implementing them directly in the malware and not calling the according OS functionalities which are controlled by the sandbox.

    So, as a ... résumé: If you're about to lock up an alien from planet "Nitro" and you know that it needs pure nitrogen for breathing, wouldn't it be smarter to surround its cell with pure oxygen than nitrogen?

    Cheers,
    chrisu.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    Tell me when was the last time a malware was able to escape from VirtualBox and infect the host, please.

    The network in that scenario is definitely the place of the highest risk for anything to escape. So if you analyse samples like Conficker (and so on) which try to spread themselves over network you're in a very bad situation if you have Windows as host system
    I don't understand how it is possible that a malware cannot spread over the network directly from VirtualBox but it can escape from the VM and do it from the host. That's just amazing!!! I want to see that!!!

    Could you provide an example of a program able to do that?

    I understand you want to defend your decision of using Linux, but I think your arguments are weak if not completely out of reality.

    I asked how you avoid that malwares detect the VM and abort execution. Your reply was:

    so a few samples that won't execute do not mess up the results of let's say 25k samples.
    Why don't you apply the same criteria to the malwares able to escape from VirtualBox and infect the host? You just need a disk image solution. In the very very rare case a malware escapes you just need to recover from the image.

    With all these arguments I just pretend that people building malware analysis tools seriously consider using Windows as the platform for them. The security of the host cannot be the excuse to build them under Linux.

    Buster Sandbox Analyzer, apart from the ultra expensive Norman Sandbox Analyzer, is the only malware analysis solution for Windows users. I would like there to be other alternatives.
    Last edited by VirusBuster; May 11th, 2010 at 08:03.

  3. #18
    chrisu
    Guest
    Quote Originally Posted by VirusBuster View Post
    Tell me when was the last time a malware was able to escape from VirtualBox and infect the host, please.
    As my automated lab is built up as I sketched it before, I had none. If my host was Windows-based and not up-to-date at that moment (which is not of relevance in this example as it's only a question of "Is it possible?") Conficker would have nailed it.

    Quote Originally Posted by VirusBuster View Post
    I don't understand how it is possible that a malware cannot spread over the network directly from VirtualBox but it can escape from the VM and do it from the host. That's just amazing!!! I want to see that!!!
    Misunderstanding on your side, or I explained it too chaotically. If the latter's the point, sorry for that. Firstly, a malware lab should not be connected to the real internet (exceptions do exist, though). Secondly, malware *can* spread over the network from VirtualBox, but under a controlled and secured environment it won't find a native (same OS) door on the others in the network, which is only my host.

    Quote Originally Posted by VirusBuster View Post
    Could you provide an example of a program able to do that?
    I think I already did - but keep in mind, my scenario doesn't make use of what is usually understood regarding "VM-escape".

    Quote Originally Posted by VirusBuster View Post
    I understand you want to defend your decision of using Linux
    Not at all, I just thought there was a complete misunderstanding of why Linux can make sense in case of automated malware analysis.

    Quote Originally Posted by VirusBuster View Post
    but I think your arguments are weak if not completely out of reality.
    Hm, I'm sorry but that's my daily reality as a malware analyst and reverse engineer. And regarding this I have to take all countermeasures so that nothing escapes and/or ruins my work. And trust me, I've seen a lot of crazy things ;-)

    Quote Originally Posted by VirusBuster View Post
    I asked how you avoid that malwares detect the VM and abort execution. Your reply was ...
    And this is totally true. Regarding the initial goal of Minibis, it was planned to analyze thousands of samples. That's why a "few" won't affect the statistical result in an extraordinary way.

    Quote Originally Posted by VirusBuster View Post
    Why don't you apply the same criteria to the malwares able to escape from VirtualBox and infect the host?
    You're mixing things up. In the first case you have a few samples not running as usual and therefore bringing up a handful of misleading results. In the second you have a sample (or samples) escaping its cell, eventually attacking my "safe place" and ruining my work. These are completely different things.

    Quote Originally Posted by VirusBuster View Post
    You just need a disk image solution. In the very very rare case a malware escapes you just need to recover from the image.
    Again mixed up: For my "safe place" a backup image would delete all of my progress. For the "playing fields", in the case of the VM technique, you can say that you're already recovering an "image" by the reversion of the guest.

    Quote Originally Posted by VirusBuster View Post
    With all these arguments I just pretend that people building malware analysis tools seriously consider using Windows as the platform for them. The security of the host cannot be the excuse to build them under Linux.
    Wrong and right, just mixed up:
    YES, for manual analysis and reverse engineering you will choose Windows - of course - and Windows-based tools, and recover afterwards from a clean image, a data-recovery card, and so on.
    NO, for automated scenarios you need some software to play "your" role, and that must not be infected in any way.

    Quote Originally Posted by VirusBuster View Post
    Buster Sandbox Analyzer, apart of the ultra expensive Norman Sandbox Analyzer, is the only malware analysis solution for Windows users. I would like there are other alternatives.
    I'm sure it's a good tool - I never wanted to offend it or you. Actually, Minibis is more of a ... framework, which you can use according to your imagination. So, we're talking 'bout oranges and apples ;-)

    Cheers,
    Chrisu.
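    A way to check the wiring chrisu describes (guest on an isolated host-only segment, the sniffer on the host, the guest reverted to a clean snapshot between samples) is shown below as an added example. It is not code from this thread or from Minibis. It parses `VBoxManage showvminfo --machinereadable` output and flags any guest adapter that could reach beyond the lab segment, then lists the per-sample revert / capture / run / power-off cycle run from the host. The VM name `lab-guest`, snapshot `clean`, adapter `vboxnet0` and the two showvminfo samples are constructed assumptions.

```python
"""Audit a VirtualBox analysis guest's network wiring and drive the
revert / capture / run / power-off cycle from the host.

Added example, not Minibis code. VM name, snapshot name, adapter name and
the showvminfo samples below are constructed assumptions. Assumes
VBoxManage and tcpdump are on PATH when dry_run=False.
"""
import re
import subprocess
import time
from typing import Dict, List

# Adapter modes that give the guest a route off the lab segment.
UNSAFE_NIC_MODES = {"nat", "natnetwork", "bridged"}

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
CONSTRUCTED_SHOWVMINFO_OK = '''name="lab-guest"
ostype="WindowsXP"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
'''

# Constructed: same guest, but a second adapter was bridged to the real LAN.
CONSTRUCTED_SHOWVMINFO_BAD = '''name="lab-guest"
ostype="WindowsXP"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter2="eth0"
'''


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn key="value" / key=value lines into a dict, stripping the quotes."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if not sep:
            continue
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        info[key] = val
    return info


def audit_nics(info: Dict[str, str], lab_adapter: str) -> List[str]:
    """Return a finding for every enabled NIC that is not host-only on lab_adapter.
    An empty list means the guest can only reach the host end of the lab segment."""
    findings: List[str] = []
    for key in sorted(k for k in info if re.fullmatch(r"nic\d+", k)):
        mode = info[key]
        if mode == "none":
            continue
        idx = key[len("nic"):]
        if mode in UNSAFE_NIC_MODES:
            findings.append(f"{key}: mode '{mode}' reaches beyond the lab segment")
        elif mode == "hostonly":
            adapter = info.get(f"hostonlyadapter{idx}", "")
            if adapter != lab_adapter:
                findings.append(f"{key}: host-only on '{adapter}', expected '{lab_adapter}'")
        else:
            findings.append(f"{key}: mode '{mode}' is not the expected host-only wiring")
    return findings


def cycle_commands(vm: str, snapshot: str, adapter: str, pcap: str) -> List[List[str]]:
    """Ordered host-side commands for one sample: revert the guest to its clean
    snapshot, sniff on the host end of the lab adapter, run headless, power off."""
    return [
        ["VBoxManage", "snapshot", vm, "restore", snapshot],
        ["tcpdump", "-i", adapter, "-w", pcap],  # started in the background below
        ["VBoxManage", "startvm", vm, "--type", "headless"],
        ["VBoxManage", "controlvm", vm, "poweroff"],
    ]


def run_cycle(vm: str, snapshot: str, adapter: str, pcap: str,
              run_seconds: int = 120, dry_run: bool = True) -> List[str]:
    """Execute cycle_commands; with dry_run only the rendered command lines are returned."""
    restore, sniff, start, stop = cycle_commands(vm, snapshot, adapter, pcap)
    rendered = [" ".join(c) for c in (restore, sniff, start, stop)]
    if dry_run:
        return rendered
    subprocess.run(restore, check=True)
    sniffer = subprocess.Popen(sniff)  # the capture lives outside the guest
    try:
        subprocess.run(start, check=True)
        time.sleep(run_seconds)
        subprocess.run(stop, check=True)
    finally:
        sniffer.terminate()
        sniffer.wait()
    return rendered


if __name__ == "__main__":
    for label, text in (("ok", CONSTRUCTED_SHOWVMINFO_OK), ("bad", CONSTRUCTED_SHOWVMINFO_BAD)):
        print(label, audit_nics(parse_machinereadable(text), "vboxnet0") or ["clean"])
    for line in run_cycle("lab-guest", "clean", "vboxnet0", "sample.pcap"):
        print(line)
```

    Run it against a real guest by feeding `subprocess.check_output(["VBoxManage", "showvminfo", vm, "--machinereadable"], text=True)` to `parse_machinereadable` before each batch; the audit is cheap enough to repeat per sample so that a configuration change on the host cannot silently put the guest on the real network.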

  4. #19
    for automated scenarios you need some software to play "your" role and that must not be infected in any way.
    Something pretty simple to do under Windows so there is no point doing automated malware analysis under Linux just in the name of security.

    I can set up such a scenario under Windows any day of the week with a minimum resource impact on the system and fully secure.

    That's my point in criticizing Linux-based malware analysis tools.

    One question: Did you ever try configuring such an environment under Windows, or did you simply not try it?

  5. #20
    Other question:

    Secondly, malware *can* spread over network from VirtualBox, but under a controlled and secured environment it won't find a native (same OS) door on the others in the network
    What's the point of having a network if Windows malwares cannot find a Windows OS?

    What's the difference with not having a network at all?

  6. #21
    chrisu
    Guest
    Quote Originally Posted by VirusBuster View Post
    Other question:

    What's the point of having a network if Windows malwares cannot find a Windows OS?

    What's the difference with not having a network at all?
    You need a network to monitor the related activity, and furthermore to give the sample the impression that it gets what it wants. The latter is usually more the case for manual analysis, as you're focusing really in detail on the specific sample.

    Besides that a lot of malware would die or switch to standby if no network is available.

    Cheers,
    Chrisu.

  7. #22
    Quote Originally Posted by chrisu View Post
    You need a network to monitor the related activity, and furthermore to give the sample the impression that it gets what it wants. The latter is usually more the case for manual analysis, as you're focusing really in detail on the specific sample.

    Besides that a lot of malware would die or switch to standby if no network is available.
    But it's a network where the VirtualBox computer is alone, no other Windows OS can be found, so it's like running VirtualBox under Windows with the network configured but no other computer connected. The result is the same, so again, what's the point of using Linux for security reasons if the solution under Windows is as simple as not having any other computer connected to the network?

    btw... you forgot to reply to a question: Did you ever try configuring a secure environment under Windows, or did you simply not try it?

  8. #23
    chrisu
    Guest
    Quote Originally Posted by VirusBuster View Post
    But it's a network where the VirtualBox computer is alone, no other Windows OS can be found, so it's like running VirtualBox under Windows with the network configured but no other computer connected. The result is the same, so again, what's the point of using Linux for security reasons if the solution under Windows is as simple as not having any other computer connected to the network?
    If you read my post again ... I have 2 (logical) computers in the net, the guest and the host.

    Quote Originally Posted by VirusBuster View Post
    btw... you forgot to reply to a question: Did you ever try configuring a secure environment under Windows, or did you simply not try it?
    Didn't know that this is an interview? ;-)
    Anyway, what's the point of that? Securing Windows bit by bit (as I said, like blacklisting) though there's a solution that has the characteristics of whitelisting? I'm sure that Windows can be secured, and btw., I'm primarily a Windows guy (otherwise I wouldn't have the knowledge of how to reverse engineer Windows malware, don't you think). In the concrete scenario we're talking about, the easiest, most stable and forensically nearly "authentic" way is how Minibis is set up. To have it forensically perfectly acceptable you could even replace the guest by a real physical, native Windows box. But for automation the "host" would stay.

  9. #24
    Solution: You can run two instances of VirtualBox so you got also 2 (logical) computers in the net.

    This is not an interview. This is a thread about setting up a malware analysis environment and it seems like here we are the only two persons that did some deep research on the topic. So I consider it very interesting for us and for the rest of the users if we share our experience and our thoughts about the issue.

    I'm sorry if I make you feel you are in a Gestapo interrogation, but I consider the question-reply method a good way to get concrete replies about interesting topics. I felt you would not tell me if you tried to get a secure environment under Windows, so I had to ask it.

    Do you think a Minibis port for Windows could be released?

  10. #25
    chrisu
    Guest
    Quote Originally Posted by VirusBuster View Post
    I'm sorry if I make you feel you are in a Gestapo interrogation
    LOOOL ... no problem

    Quote Originally Posted by VirusBuster View Post
    Do you think a Minibis port for Windows could be released?
    It definitely could. If I will? ... I've got to think through whether it's worth the effort. Please do not misunderstand this, but just for one person ... hm. You have to understand that I'm actually in a very hot phase of development regarding a new disassembler/code analyzer. But, we'll see.

    Anyway, if you'd like to learn more 'bout Minibis I can recommend reading the following things:
    *) Mass Malware Analysis: A Do-It-Yourself Kit (http://cert.at/downloads/papers/mass_malware_analysis_en.html)
    *) My according article in HITB eZine (https://www.hackinthebox.org/misc/HITB-Ezine-Issue-002.pdf)
    *) Minibis' website (http://cert.at/downloads/software/minibis_en.html)

    Cheers,
    Chrisu.

  11. #26
    Quote Originally Posted by chrisu View Post
    Please do not misunderstand this, but just for one person ... hm.
    Do you really consider that Minibis has more potential users if it's released using Linux as host OS than Windows? I would have to disagree with that.

    Thanks for the links and for sharing your thoughts with me!

  12. #27
    Well, there may be an additional reason why quite a number of these malware analysis tools are running on Linux - they are coming out of an academic environment. Windows is NOT a very important OS in universities. For instance at my faculty (computer science) there are only two (2!) computers in the Computer Graphics lab running Windows (and I've never seen them being switched on), although we are a member of MSDN-AA. Every other lab is running Linux or BSD or Solaris. As far as I know, it's the same in many other universities around here. I must admit, I know nothing about the situation in the US, maybe it's totally different there.
    Again, that's just an idea, but maybe it's related.

    Best regards
    darkelf

  13. #28
    Darkelf: interesting point of view!

    We could discuss the next questions:

    When a malware analysis tool is developed, for whom is it created? Is it created for personal use (even if it's shared publicly) or for other persons?

    If it's for other persons, in theory what kind of persons can we consider in scope for the usage of the tool? (excuse my poor English)

    chrisu: Do you prefer that Minibis is used by as many users as possible, or do you prefer that it is used by fewer users but with a more advanced profile, like let's say IT professionals, system admins, etc?

    I can talk about my experience with Buster Sandbox Analyzer.

    I didn't have the need of a malware analysis tool for personal use because as an advanced user in Windows computer security I didn't need something like that. But even if I didn't have the need for it, I wished I had the opportunity to try one when I wanted.

    I didn't like that under Windows there was only one option and a very expensive one, so with the help of Sandboxie, as I had the coding skills and the experience required to develop such a tool, I did it.

    So I made BSA for other people, not for myself, and I did it for Windows because such a tool didn't exist publicly available.

    I try to bring malware analysis closer to normal users. Users that usually use just an antivirus. It's not an easy task because most Windows users are used to the "install-and-forget" security solutions.

    Summing up: BSA is a malware analysis tool for the masses.

  14. #29
    chrisu
    Guest
    Minibis is definitely NOT for the masses. Its constituency is malware researchers, CERTs, antivirus companies and let's say the "advanced" user that already knows how to manually analyze malware.
    So, to be precise, Minibis is a very flexible and customizable framework to automate the manual activities of a researcher if he or she needs to analyze thousands of samples, i.e. to produce a database for statistical statements, to identify trends, and so on.
    BUT, it's also usable as an initial quick check in case of a new sample.

    That's what Minibis is - not more - not less.

    The future will also bring some new possibilities that haven't been around in this way. According to this, the actual characteristic (host/guest) is a fundamental must for Minibis. But please understand that I cannot tell more about this yet, I'm still in proof of concept - I just wanted to give another explanation for my underlying concept.

    Cheers,
    Chrisu.

  15. #30
    Minibis could be seen as not for the masses because it was designed to analyze thousands of malwares, but the same way it can analyze 25k samples it can analyze 1.

    Its constituency is malware researchers, CERTs, antivirus companies and let's say the "advanced" user that already knows how to manually analyze malware.
    Do malware researchers really need to analyze thousands of malware samples? I don't think so. They usually analyze malware samples one by one and manually, using disassemblers like IDA or debuggers like OllyDbg.

    Do advanced users have 25k malware samples? Don't think so, but even if they do... do they need to analyze them? Again, I don't think so. I don't see a reason for that.

    Being realistic, mass malware analysis tools are intended for antivirus companies that need to filter the big amount of files they receive to separate harmless from potentially dangerous files. Checking all they get one by one would be impossible nowadays.

    If an antivirus company must do mass malware analysis, which option will they rely on? Probably their own solution or a professional solution like Norman Sandbox Analyzer.

    So I think a good question is: Is there a "market" for public malware analyzers? It exists but it's very very small.

    Then who will be using public malware analyzers? Mainly advanced users, not malware researchers because they don't need that, nor antivirus companies because they will use either their own solution or a professional one.

    So in my opinion the scope of the publicly available malware analysis tools (mass analyzer or not) is the advanced users.

    I will not comment about CERTs because I don't really know if they process big amounts of samples or mainly work with honeypots.

    How do most advanced users prefer to do malware analysis? Probably using online malware analyzers like Anubis, ThreatExpert, JoeBox, etc. Why? I think because they are afraid of possible infections, so they are safe using online tools.

    Of the advanced users that don't mind hosting a malware analyzer, what do they prefer: a Linux- or a Windows-based malware analyzer tool? Windows, of course, because they want to check if a program is trustworthy before installing it on their system. Having to do the analysis under Linux to analyze a Windows application is not practical for them.

    All the above reasons are why I think malware analysis tools must be hosted under Windows. The few persons (let's be realistic, probably just 1 or 2% of computer users use them) that will use that kind of tools work with Windows.
    Last edited by VirusBuster; May 12th, 2010 at 12:19.
