Welcome to the new Woodmann RCE Messageboards Regroupment

Setting up a malware analysis environment

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
chrisu

Post by chrisu »

VirusBuster wrote:... I only disagree in one thing: if you are going to use VirtualBox for malware analysis, why use it under Linux if VirtualBox for Windows exists? ...
I understand your veto on that. Actually it's (nearly) perfectly fine if you use Windows as the host system. The fundamental concept behind Minibis furthermore gives you free decision in all of its components, so also in this. However, having said this, I still would recommend having another OS as host (might also be Mac OS), just to massively reduce the risk that, if something escapes, it will find its native environment again. You can take the following scenario as an example:

Usually you have networking capabilities in your malware lab environment. That's a must, as you want to know what the sample is trying to do over the net. From the forensic aspect, to not unnecessarily add software to the sample's playing field, you usually position your network monitor (sniffer) outside of it. So if you have the typical scenario of a host and a guest (in VM jargon), your sniffer would sit on the host. The network in that scenario is definitely the place of the highest risk for anything to escape. So if you analyse samples like Conficker (and so on) which try to spread themselves over the network, you're in a very bad situation if you have Windows as host system, especially if it's an unknown sample that might have some rpc-zeroday-exploit-payload onboard. In the worst case it would infect your host, which wouldn't even be the fault of the VM solution.

To stay on this rpc scenario: that's also a point for sandboxes. Sandboxes do hook (and so on) more or less of the OS' functionalities to hinder a process from attacking un-sandboxed components, including inter-process communication (rpc, pipes, mailslots, ...). But the network communication is usually not "influenced", as sandboxes' primary goal is to have a prophylaxis against infections during surfing and emailing, in other words, during internet communications. But all these techniques (rpc, pipes, mailslots) I mentioned above are done via "cable". So it's easy to circumvent the sandbox by implementing them directly in the malware and not calling the according OS functionalities which are controlled by the sandbox.

So, as a ... résumé: If you're about to lock up an alien from planet "Nitro" and you know that it needs pure nitrogen for breathing, wouldn't it be smarter to surround its cell with pure oxygen than nitrogen? :thinking:

Cheers,
chrisu.
VirusBuster
Member
Posts: 85
Joined: Mon Aug 27, 2007 10:48 am

Post by VirusBuster »

Tell me when was the last time a malware was able to escape from VirtualBox and infect the host, please.
The network in that scenario is definitely the place of the highest risk for anything to escape. So if you analyse samples like Conficker (and so on) which try to spread themselves over network you're in a very bad situation if you have Windows as host system
I don't understand how it is possible that a malware cannot spread over the network directly from VirtualBox but it can escape from the VM and do it from the host. That's just amazing!!! I want to see that!!! :stunned:

Could you provide an example of a program able to do that?

I understand you want to defend your decision of using Linux, but I think your arguments are weak if not completely out of the reality.

I asked how you avoid that malwares detect the VM and abort execution. Your reply was:
so a few samples that won't execute do not mess up the results of let's say 25k samples.
Why don't you apply the same criteria to the malwares able to escape from VirtualBox and infect the host? You just need a disk image solution. In the very very rare case a malware escapes you just need to recover from the image.

With all these arguments I just pretend that people building malware analysis tools consider seriously using Windows as platform for them. The security of the host can not be the excuse to build them under Linux.

Buster Sandbox Analyzer, apart from the ultra expensive Norman Sandbox Analyzer, is the only malware analysis solution for Windows users. I would like there to be other alternatives.
chrisu

Post by chrisu »

VirusBuster wrote:Tell me when was the last time a malware was able to escape from VirtualBox and infect the host, please.
As my automated lab is built up as I sketched it before, I had none. If my host was Windows-based and not up-to-date at that moment (which is not of relevance in this example as it's only a question of "Is it possible?") Conficker would have nailed it.
VirusBuster wrote:I don't understand how it is possible that a malware cannot spread over the network directly from VirtualBox but it can escape from the VM and do it from the host. That's just amazing!!! I want to see that!!! :stunned:
Misunderstanding on your side, or I explained it too chaotically. If the latter's the point, sorry for that. Firstly, a malware lab should not be connected to the real internet (exceptions do exist, though). Secondly, malware *can* spread over the network from VirtualBox, but under a controlled and secured environment it won't find a native (same OS) door on the others in the network, which is only my host.
VirusBuster wrote:Could you provide an example of a program able to do that?
I think I already did - but keep in mind, my scenario doesn't make use of what is usually understood regarding "VM-escape".
VirusBuster wrote:I understand you want to defend your decision of using Linux
Not at all, I just thought there was a complete misunderstanding why Linux can make sense in case of automated malware analysis.
VirusBuster wrote: but I think your arguments are weak if not completely out of the reality.
Hm, I'm sorry but that's my daily reality as a malware analyst and reverse engineer. And regarding this I have to take all countermeasures so that nothing escapes and/or ruins my work. And trust me, I've seen a lot of crazy things ;-)
VirusBuster wrote:I asked how you avoid that malwares detect the VM and abort execution. Your reply was ...
And this is totally true. Regarding the initial goal of Minibis, it was planned to analyze thousands of samples. That's why a "few" won't affect the statistical result in an extraordinary way.
VirusBuster wrote:Why don't you apply the same criteria to the malwares able to escape from VirtualBox and infect the host?
You're merging up things. In the first case you have a few samples not running as usual and therefore bringing up a handful of misleading results. In the second you have a sample (or samples) escaping its cell, eventually attacking my "safe place" and ruining my work. These are completely different things.
VirusBuster wrote: You just need a disk image solution. In the very very rare case a malware escapes you just need to recover from the image.
Again merged up: For my "safe place" a backup image would delete all of my progress. For the "playing fields" in the case of VM technique you can say that you're already recovering an "image" by the reversion of the guest.
VirusBuster wrote:With all these arguments I just pretend that people building malware analysis tools consider seriously using Windows as platform for them. The security of the host can not be the excuse to build them under Linux.
Wrong and right, just mixed up:
YES, for manual analysis and reverse engineering you will choose Windows - of course - and Windows-based tools, and recover afterwards from a clean image, a data-recovery card, and so on.
NO, for automated scenarios you need some software to play "your" role and that must not be infected in any way.
VirusBuster wrote:Buster Sandbox Analyzer, apart from the ultra expensive Norman Sandbox Analyzer, is the only malware analysis solution for Windows users. I would like there to be other alternatives.
I'm sure it's a good tool - I never wanted to offend it or you. Actually, Minibis is more a ... framework, which you can use according to your imagination. So, we're talking 'bout oranges and apples ;-)

Cheers,
Chrisu.

Post by VirusBuster »

for automated scenarios you need some software to play "your" role and that must not be infected in any way.
Something pretty simple to do under Windows so there is no point doing automated malware analysis under Linux just in the name of security.

I can set up such a scenario under Windows any day of the week with a minimum resource impact on the system and fully secure.

That's my point to criticize Linux-based malware analysis tools.

One question: Did you ever try configuring such an environment under Windows, or did you simply not try it?

Post by VirusBuster »

Other question:
Secondly, malware *can* spread over network from VirtualBox, but under a controlled and secured environment it won't find a native (same OS) door on the others in the network
What's the point of having a network if Windows malwares cannot find a Windows OS?

What's the difference with not having a network at all?
chrisu

Post by chrisu »

VirusBuster wrote:Other question: What's the point of having a network if Windows malwares cannot find a Windows OS? What's the difference with not having a network at all?
You need a network to monitor the corresponding activity, and furthermore to give the sample the impression that it gets what it wants. The latter is usually more the case for manual analysis, as you're focusing really in detail on the specific sample.

Besides that a lot of malware would die or switch to standby if no network is available.

Cheers,
Chrisu.

Post by VirusBuster »

chrisu wrote:You need a network to monitor the corresponding activity, and furthermore to give the sample the impression that it gets what it wants. The latter is usually more the case for manual analysis, as you're focusing really in detail on the specific sample.

Besides that a lot of malware would die or switch to standby if no network is available.
But it's a network where the VirtualBox computer is alone, no other Windows OS can be found, so it's like if you run VirtualBox under Windows and you have the network configured but you don't have any other computer connected. The result is the same, so again, what's the point of using Linux for security reasons if the solution under Windows is as simple as not having any other computer connected to the network?

btw... you forgot to reply to a question: Did you ever try configuring a secure environment under Windows, or did you simply not try it?
chrisu

Post by chrisu »

VirusBuster wrote:But it's a network where the VirtualBox computer is alone, no other Windows OS can be found, so it's like if you run VirtualBox under Windows and you have the network configured but you don't have any other computer connected. The result is the same, so again, what's the point of using Linux for security reasons if the solution under Windows is as simple as not having any other computer connected to the network?
If you read my post again ... I have 2 (logical) computers in the net, the guest and the host.
VirusBuster wrote:btw... you forgot to reply to a question: Did you ever try configuring a secure environment under Windows, or did you simply not try it?
Didn't know that this is an interview? ;-)
Anyway, what's the point of that? Securing Windows bit by bit (as I said, like blacklisting) though there's a solution that has the characteristics of whitelisting? I'm sure that Windows can be secured, and btw., I'm primarily a Windows guy (otherwise I wouldn't have the knowledge of how to reverse engineer Windows malware, don't you think). In the concrete scenario we're talking about, the easiest, most stable and forensically nearly "authentic" way is how Minibis is set up. To have it forensically perfectly acceptable you could even replace the guest by a real physical, native Windows box. But for automatism the "host" would stay.

Post by VirusBuster »

Solution: You can run two instances of VirtualBox so you also have 2 (logical) computers in the net.

This is not an interview. ;) This is a thread about setting up a malware analysis environment and it seems like here we are the only two persons that did some deep research about the topic. So I consider it very interesting for us and for the rest of the users if we share our experience and our thoughts about the issue.

I'm sorry if I make you feel you are in a Gestapo interrogation :rolleyes: but I consider the question-reply method a good way to get concrete replies about interesting topics. I felt you would not tell me if you tried to get a secure environment under Windows, so I had to ask it.

Do you think a Minibis port for Windows could be released?
chrisu

Post by chrisu »

VirusBuster wrote:I'm sorry if I make you feel you are in a Gestapo interrogation
LOOOL ... no problem
VirusBuster wrote:Do you think a Minibis port for Windows could be released?
It definitely could. If I will? ... I've got to think through whether it's worth the effort. Please do not misunderstand this, but just for one person ... hm. You have to understand that I'm actually in a very hot phase of development regarding a new disassembler/code analyzer. But, we'll see.

Anyway, if you like to learn more 'bout Minibis I can recommend reading the following things:
*) Mass Malware Analysis: A Do-It-Yourself Kit (http://cert.at/downloads/papers/mass_ma ... is_en.html)
*) My according article in HITB eZine (https://www.hackinthebox.org/misc/HITB- ... ue-002.pdf)
*) Minibis' website (http://cert.at/downloads/software/minibis_en.html)

Cheers,
Chrisu.

Post by VirusBuster »

chrisu wrote:Please do not misunderstand this, but just for one person ... hm.
Do you really consider Minibis has more potential users if it's released using Linux as host OS than Windows? I would have to disagree about that.

Thanks for the links and for sharing your thoughts with me! :yay:
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

Well, there may be an additional reason why quite a number of these malware analysis tools are running on Linux - they are coming out of an academic environment. Windows is NOT a very important OS in universities. For instance at my faculty (computer science) there are only two (2!) comps in the Computer Graphics lab running Windows (and I've never seen them being switched on), although we are a member of MSDN-AA. Every other lab is running Linux or BSD or Solaris. As far as I know, it's the same in many other universities around here. I must admit, I know nothing about the situation in the US, maybe it's totally different there.
Again, that's just an idea, but maybe it's related.

Best regards
darkelf

Post by VirusBuster »

Darkelf: interesting point of view!

We could discuss the next questions:

When a malware analysis tool is developed, for whom is it created? Is it created for personal use (even if it's shared publicly) or for other persons?

If it's for other persons, in theory what kind of persons can we consider in the scope for the usage of the tool? (excuse my poor English)

chrisu: Do you prefer that Minibis is used by as many users as possible, or do you prefer that it is used by fewer users but with a more advanced profile, like let's say IT professionals, system admins, etc?

I can talk about my experience with Buster Sandbox Analyzer.

I didn't have the need of a malware analysis tool for personal use because, as an advanced user in Windows computer security, I didn't need something like that. But even if I didn't have the need for it, I wished I had the opportunity to try one when I want.

I didn't like that under Windows there was only one option and a very expensive one, so with the help of Sandboxie, as I had the coding skills and the experience required to develop such a tool, I did it.

So I made BSA for other people, not for myself, and I did it for Windows because such a tool didn't exist publicly.

I try to bring malware analysis closer to normal users. Users that usually use just an antivirus. It's not an easy task because most Windows users are used to the "install-and-forget" security solutions.

Summing up: BSA is a malware analysis tool for the masses. :)
chrisu

Post by chrisu »

Minibis is definitely NOT for the masses. Its constituency are malware-researchers, certs, antivirus-companies and let's say the "advanced" user that already knows how to manually analyze malware.
So, to be precise, Minibis is a very flexible and customizable framework to automate the manual activities of a researcher if he or she needs to analyze thousands of samples, i.e. to produce a database for statistical statements, to identify trends, and so on.
BUT, it's also usable as an initial quick-check in case of a new sample.

That's what Minibis is - not more - not less.

The future will also bring some new possibilities that haven't been around in this way. According to this the actual characteristic (host/guest) is a fundamental must to Minibis. But please understand, that I cannot tell more about this yet, I'm still in proof of concept - I just wanted to give another explanation for my underlying concept.

Cheers,
Chrisu.

Post by VirusBuster »

Minibis could be seen as not for the masses because it was designed to analyze thousands of malwares, but just as it can analyze 25k samples it can analyze 1.
Its constituency are malware-researchers, certs, antivirus-companies and let's say the "advanced" user that already knows how to manually analyze malware.
Do malware researchers really need to analyze thousands of malware samples? I don't think so. They usually analyze malware samples one by one and manually, using decompilers like IDA or debuggers like OllyDbg.

Do advanced users have 25k malware samples? Don't think so, but even if they do... do they need to analyze them? Again, I don't think so. I don't see a reason for that.

Being realistic, mass malware analysis tools are intended for antivirus companies that need to filter the big amount of files they receive to separate harmless and potentially dangerous files. Checking all they get one by one would be impossible nowadays.

If an antivirus company must do mass malware analysis, on what option will they rely? Probably on their own solution or on a professional solution like Norman Sandbox Analyzer.

So I think a good question is: Is there a "market" for public malware analyzers? It exists but it's very very little.

Then who will be using public malware analyzers? Mainly advanced users, not malware researchers because they don't need that, nor antivirus companies because they will use either their own solution or a professional one.

So in my opinion the scope of the publicly available malware analysis tools (mass analyzer or not) is the advanced users.

I will not comment about CERTs because I don't really know if they process big amounts of samples or they mainly work with honeypots.

How do most of the advanced users prefer to make malware analysis? Probably using online malware analyzers like Anubis, ThreatExpert, JoeBox, etc. Why? I think because they are afraid of possible infections, so they are safe using online tools.

From the advanced users that don't mind hosting a malware analyzer, what do they prefer: a Linux or a Windows based malware analyzer tool? Windows, of course, because they want to check if a program is trustable to later install it in their system. Having to make the analysis under Linux to analyze a Windows application is not practical for them.

For all the above reasons I think malware analysis tools must be hosted under Windows. The few persons (let's be realistic, probably just 1 or 2% of computer users use them) that will use that kind of tool work with Windows.