Setting up a malware analysis environment

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

A frequent request here is for both introductory and detailed information on setting up and using a safe malware analysis environment. I've created a sticky thread where I hope we can gather as many good articles as possible that touch on that subject.

Please add any noteworthy articles you find or are aware of that can help guide those of us who are interested in secure reversing of insecure targets.

The best of the articles will find its way into a larger knowledge resource that is currently being set up, so anything you can add will be a contribution to something far grander and permanent than this thread.


To start with, here are a few that have been mentioned before in the forums:


Capture, care and analysis of Malware made easy
http://www.linklogger.com/vm_capture.htm

Practical Malware Analysis
http://www.blackhat.com/presentations/b ... Millan.pdf


Setting up Windbg/VMWare:

Remote Debugging using VMWare
http://www.catch22.net/tuts/vmware

Driver Debugging with WinDbg and VMWare
http://silverstr.ufies.org/lotr0/windbg-vmware.html


Cheers,
Kayaker
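As an added example (not from Kayaker's post or from the linked tutorials), this is the guest-side VMware configuration that the WinDbg remote-debugging tutorials above build on: the guest's first serial port is mapped to a named pipe on the host, and WinDbg on the host attaches to that pipe as a kernel debugger. The VM name, file path and pipe name are assumptions; only the option names are real VMware `.vmx` keys.

```ini
# Added example: serial-over-named-pipe settings appended to the guest's .vmx
# (assumed path: C:\VMs\analysis-guest\analysis-guest.vmx, host side).
# Power the VM off before editing the file.
serial0.present = "TRUE"
serial0.fileType = "pipe"
# Assumed pipe name; WinDbg on the host must use the same name.
serial0.fileName = "\\.\pipe\com_1"
# The VM acts as the pipe server; the debugger is the client.
serial0.pipe.endPoint = "server"
# Do not buffer serial traffic; the debugger protocol expects a raw port.
serial0.tryNoRxLoss = "FALSE"
# Yield the CPU on serial polling so the host debugger session stays responsive.
serial0.yieldOnMsrRead = "TRUE"
```

Inside the guest, enable the kernel debugger on that port: on Vista/7 run `bcdedit /debug on` and `bcdedit /dbgsettings serial debugport:1 baudrate:115200`; on XP add `/debug /debugport=com1 /baudrate=115200` to the boot entry in boot.ini. On the host, start WinDbg with `windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect` before booting the guest so it is waiting on the pipe. Take a snapshot of the clean guest first; the state after running a sample is then discarded by reverting, which is the whole point of debugging malware inside the VM rather than on the host.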
cEnginEEr
Member
Posts: 55
Joined: Sun Apr 22, 2007 1:00 am

Post by cEnginEEr »

I think any malware analyzer should know the pros & cons of the various tools for setting up an analysis environment in the first place:

http://www.sans.org/reading_room/whitep ... cture_1841
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Interesting article: an automated malware analysis environment (already linked up somewhere on the forum I'm sure).
http://cert.at/downloads/papers/mass_ma ... is_en.html
mansourweb
Member
Posts: 35
Joined: Thu Jan 28, 2010 2:33 pm

Post by mansourweb »

VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

For malware analysis a good combination could be Sandboxie + Buster Sandbox Analyzer

Sandboxie: http://www.sandboxie.com

Buster Sandbox Analyzer: http://bsa.sandboxie.info

As soon as I finish coding next BSA feature probably I will write a paper about setting up a malware analysis environment.
mansourweb
Member
Posts: 35
Joined: Thu Jan 28, 2010 2:33 pm

Post by mansourweb »

Sandboxie is not a good one, because new malware can detect Sandboxie.
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

mansourweb wrote:Sandboxie is not a good one, because new malware can detect Sandboxie.

I said Sandboxie + Buster Sandbox Analyzer. ;)

http://bsa.sandboxie.info/frameb.htm
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Another one from CERT.at


Hi folks,

it's just a few days ago that I put my new version of Minibis on our (CERT.at) website.
For everyone who hasn't heard about it yet: Minibis is a fully customizable automated malware analysis environment.
So, for anyone who's interested in this topic, feel free to visit our website http://cert.at/downloads/software/minibis_en.html at "Computer Emergency Response Team of Austria". There's plenty of information there regarding Minibis and its concept, as well as, of course, a download link.

Cya,
Chrisu.
source: https://www.openrce.org/forums/posts/1279
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

Silkut wrote:Another one from CERT.at

source: https://www.openrce.org/forums/posts/1279
As usual it uses a Linux distribution (Ubuntu) to do the work.

I always wonder the same, and it's one of the reasons why I coded Buster Sandbox Analyzer: why is Linux used to analyze Windows malware?

Why are complicated installations required?

Apart from that, it uses VirtualBox, so lots of malware will detect the virtual machine and will not work properly.

What's the point of doing this project under Linux if you use VirtualBox, something already available under Windows?
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

Darkelf wrote:Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.
Could be the reason, but I don't think so.

Anyway, there are solutions to prevent anything breaking out of the virtual machine.

e.g.: if I'm not wrong, Sandboxie is able to sandbox VirtualBox.
chrisu

Post by chrisu »

Darkelf wrote:Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.
That's exactly *the* reason!
VirusBuster wrote:As usual it uses a Linux distribution (Ubuntu) to do the work.

I always wonder the same, and it's one of the reasons why I coded Buster Sandbox Analyzer: why is Linux used to analyze Windows malware?

Why are complicated installations required?

Apart from that, it uses VirtualBox, so lots of malware will detect the virtual machine and will not work properly.

What's the point of doing this project under Linux if you use VirtualBox, something already available under Windows?
Hm, a few things that need to be mentioned:

*) As already mentioned above, usually another OS is used for the base (and therefore not necessarily Linux), just in case of an escape. In the case of Minibis (which is CERT.at's implementation of a concept posted earlier) there has to be a place that is declared to be safe. That's because of all the monitoring data there, which has to stay "trusted", at least with adequate efforts.

*) Regarding VirtualBox, I have to say that it is one of the least detected VM solutions, though, to be more precise, as it's built upon QEMU it's more of an emulator than a typical virtualization.
Anyway, Minibis is primarily used for mass malware analysis, so a few samples that won't execute do not mess up the results of, let's say, 25k samples.
Furthermore, nowadays malware is changing its characteristics regarding VM detection. Actually, the trend of VM detection is falling massively. That's because of the fact that virtualization became daily business for productive machines. As malware's major goal is to run to make money, that is just a logical implication.

*) For anyone whose paranoia-mode is in god-mode: There's also a possibility to use native machines instead of virtual machines, that's usually done with data-recovery cards, forensic writeblockers and automated re-imaging.

Hope that brought some light into the discussion.

Cheers,
Chrisu.
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

If I'm not wrong, Sandboxie is able to sandbox VirtualBox, so in the rare case of an escape from the virtual machine the malware would land inside the sandbox folder.

Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would do the work too.
chrisu

Post by chrisu »

VirusBuster wrote:If I'm not wrong, Sandboxie is able to sandbox VirtualBox, so in the rare case of an escape from the virtual machine the malware would land inside the sandbox folder.

Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would do the work too.
It really depends on what your goal is. Just as a prevention layer for emailing and surfing, I agree with you. But if it comes to professional behavioral analysis of malware, those sandboxes are just the wrong tool. That is because of the differences between sandboxes, VMs and emulators regarding their characteristics.
When you do behavioral malware analysis you *want* the underlying OS to get infected; furthermore (besides VM detection, I already mentioned that above) you want to have a "normal" looking, full OS, so in other words, anything on the system that is additional might change your monitoring results.
Another thing is the fundamental difference in the approach of sandboxes and VMs: you can compare it with "white"- and "black"-listing. Sandboxes do blacklisting: they try to slap an executable on any thinkable way it could act evil. VMs won't let the guest do anything until you give it the ability.
There are just too many drawbacks sandboxes have in comparison to VMs when it comes to professional behavioral malware research, but as I said, there are definitely use cases for sandboxes, though.
As for me, I would prefer to bring my own trusted oxygen with me when I enter a room with unknown bacteria and viruses rather than breathe the air in that room through a filter ... but that's just my opinion.

Cheers, Chrisu.
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

I agree with you, Chrisu, I only disagree on one thing: if you are going to use VirtualBox for malware analysis, why use it under Linux if VirtualBox for Windows exists?

The reason you give is "to prevent malware that is capable of breaking out of the virtual machine from infecting the host".

There are several methods to prevent such a situation, so using Linux is like killing flies with cannons.
chrisu wrote:there has to be a place that is declared to be safe. That's because of all the monitoring data there, which has to stay "trusted", at least with adequate efforts.
You can declare a place to be safe under Windows with a minimum of effort.