Please note this environment is not meant to be a sandbox but rather an environment in which one can research malware while, in most cases, not executing it (if you count malicious code on a website as malware, that code will still execute in the browser). However, most downloaded critters won’t execute in this environment. Please see the upcoming desktop support article for detailed instructions on how to set up and use this environment without spreading infections.
Selecting a virtual environment is fairly easy; however, it does bring about a lot of debate. Personally, I don’t understand the argument. If you are looking for a desktop virtual environment but are not willing to pay for it, go with Sun xVM. Sometimes the networking can cause some issues, but on the whole it seems to work a lot better than Virtual Player. I have a copy of VMware Workstation and I prefer that; VMware Server is also a valid choice but requires more setup than I felt like doing. Thus, here are the primary desktop virtualization options for the basic Malware Analysis Environment we’re going to set up today.
Sun xVM (AKA VirtualBox) http://www.virtualbox.org/wiki/Downloads
The Operating System: Ubuntu
A generic copy of Ubuntu 9.10 is very easy to use and extremely powerful. In addition, many of the tools necessary for observing malware are open-source or Linux-specific tools. Unfortunately, a Linux system will most likely not execute the actual malware. This is both a positive and a negative: it creates a somewhat safer environment for dissecting the malware, but it also makes things a touch more difficult. It is for the latter reason that users are recommended to utilize resources such as CWSandbox and Threat Report for analyzing the execution of malware.
Traffic Analysis Tools
Wireshark (#apt-get install wireshark)
Wireshark is something of an industry standard for packet sniffing through a graphical user interface. Wireshark can be extremely useful in analyzing malware delivered through web applications: it will record aspects such as unauthorized redirects, attempts at delivering payloads, and attempts to pull down malware onto a machine.
EtherApe (#apt-get install etherape)
Following what is happening during a full packet capture can often be difficult, however. That’s where EtherApe comes in. EtherApe monitors network activity through a graphical representation. The visual representation of network traffic is essential in detecting unauthorized channels that should be tracked down.
NetWitness Investigator (http://www.netwitness.com)
Although NetWitness Investigator is not a Linux utility, it is extremely useful in analyzing malware. Packet captures can be loaded into NetWitness Investigator in order to forensically investigate network traffic, as well as to run the entire packet capture against multiple threat feeds. This helps in determining the IP reputation of systems involved in a malware attack.
Snort (#apt-get install snort)
The inclusion of the world’s most recognizable open-source Intrusion Detection System is obvious. Snort can help detect the type of attack that is being run, as well as serve as an excellent resource for determining which aspects of captured traffic to analyze. Snort can either be run actively while attempting to observe how malware is delivered, or it can be run against packet captures.
Malware Analysis Tools
pdf-parser
A lot of exploits currently target Adobe Reader. As a result, a large amount of malware infects machines through the delivery of maliciously crafted .pdf documents. Thus, tools like pdf-parser, which allow investigators to better analyze what is housed within pdf documents, are essential.
Paros Proxy (http://www.parosproxy.org/download.shtml)
Paros Proxy is a web proxy that runs locally. Paros allows investigators to trap specific server requests and responses in order to more easily track what is being delivered to a system. Paros Proxy can also be leveraged to spider web applications should a detected piece of malware be called as one function of a larger attack. For example, many malware-infected sites utilize separate scripts to call things such as heap sprays or shellcode. In these situations alerts that detect the heap spray attempt or the shellcode may fire; however, the controlling page may be difficult to find. In such a scenario, spidering the site may be able to locate the controlling malware infection.
Burp Suite (http://www.portswigger.net/suite/)
Burp Suite is similar to Paros Proxy in its usage for malware analysis, as it too is a web proxy that runs locally. However, Burp Suite is much more powerful than Paros. In the opinion of SecAnalysis, though, the user interface is not nearly as pretty or user friendly.
Assembly Language Debugger (http://ald.sourceforge.net/)
SecAnalysis’ preferences for graphical debuggers include Immunity Debugger, OllyDbg, and IDA Pro. However, getting any of these to run in an Ubuntu environment can be somewhat challenging and often requires Windows emulation. Thus, Assembly Language Debugger is preferred for this type of malware analysis environment.
strings (pre-installed on Ubuntu)
strings can pull the human-readable text, including embedded code, out of binary files such as .jpg’s in an easy-to-read fashion. This can be essential in manual source code analysis.
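The following is an added example (not code from the original article and not the strings utility itself) that reimplements the core of what strings does and applies it to a constructed JPEG-like blob with script and a UTF-16 string hidden inside. Beyond plain ASCII runs it also recovers little-endian UTF-16 strings, the case strings(1) handles with its -e l option, because Windows-oriented payloads often store their text that way. The sample bytes, indicator list and function names are all constructed for this illustration.

```python
"""Minimal strings(1) clone with a triage filter for embedded web payloads.
Added example, not part of the original article."""
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable runs of at least min_len characters, first the plain
    ASCII runs and then little-endian UTF-16 runs (what strings -e l reports)."""
    count = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + count + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + count + rb",}")
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


# Substrings that make a recovered string worth a manual look. Constructed
# for this example; a real analyst list is longer and tuned to the case.
INDICATORS = ("<script", "eval(", "unescape(", "http://", ".exe", ".dll")


def suspicious_strings(data: bytes, min_len: int = 4) -> list:
    """Keep only the recovered strings that contain one of INDICATORS."""
    return [s for s in extract_strings(data, min_len)
            if any(marker in s.lower() for marker in INDICATORS)]


# Constructed sample: a JFIF header, binary noise, a script block smuggled
# into the image data, and a UTF-16LE 'cmd.exe'. Not a real image file.
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + bytes(range(0, 32)) * 2          # control bytes only, nothing printable
    + b"<script>eval(unescape('%75%72%6c'))</script>"
    + b"\x00\x00"
    + "cmd.exe".encode("utf-16-le")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_JPEG):
        flag = "!" if s in suspicious_strings(SAMPLE_JPEG) else " "
        print(f"{flag} {s}")
```

The unfiltered output contains the harmless "JFIF" marker as well, which is the usual experience with strings on real files: the value is in the filter and in the analyst reading what remains, not in the extraction itself.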
Firefox & Plugins
User Agent Switcher (https://addons.mozilla.org/en-US/firefox/addon/59)
Sometimes malware-infected websites will first detect the browser version that is attempting to access the site. Once the site detects the browser version, it determines which malware to deliver, or whether to deliver malware at all. Thus, utilizing User Agent Switcher to spoof IE 6, IE 7, IE 8, search bots and even iPhones can help circumvent these detection mechanisms.
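What User Agent Switcher lets you do by hand, fetching the same page as several browsers and comparing, can be automated, and the comparison is what tells an investigator whether a site is cloaking. This is an added example (not from the original article or the add-on) that requests a URL once per user-agent string and groups the identities by the body they receive: more than one group means the site serves different content to different visitors. The user-agent strings are constructed approximations, not the add-on's exact profiles; the fake_fetch function stands in for a compromised site so the example runs offline, while fetch_with_ua is the live fetcher an analyst would pass in instead.

```python
"""Detect user-agent based content cloaking by diffing responses.
Added example, not part of the original article."""
import hashlib
import urllib.request

# Constructed stand-ins for the profiles the add-on offers (not exact values).
USER_AGENTS = {
    "firefox": "Mozilla/5.0 (X11; Ubuntu; rv:3.5) Gecko/20091016 Firefox/3.5",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "iphone": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X) Safari/528.16",
}


def fetch_with_ua(url: str, user_agent: str, timeout: int = 10) -> bytes:
    """Live fetcher: GET url with the given User-Agent and return the body.
    Only use this from an isolated analysis machine; the offline sample below
    does not call it."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read()


def cloaking_report(url: str, user_agents: dict, fetch) -> dict:
    """Fetch url once per user agent and group the labels by response body.
    Returns {sha256 of body: [labels that received it]}."""
    groups = {}
    for label, ua in user_agents.items():
        digest = hashlib.sha256(fetch(url, ua)).hexdigest()
        groups.setdefault(digest, []).append(label)
    return groups


def is_cloaked(report: dict) -> bool:
    """True when visitors did not all receive the same page."""
    return len(report) > 1


# Constructed stand-in for a compromised site: browsers claiming to be IE get
# an extra zero-size iframe, everyone else (including the crawler) gets the
# clean page. No network access happens here.
CLEAN_PAGE = b"<html><body><h1>Welcome</h1></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    b"</body>",
    b'<iframe src="http://example.invalid/x" width="0" height="0"></iframe></body>',
)


def fake_fetch(url: str, user_agent: str) -> bytes:
    return INJECTED_PAGE if "MSIE" in user_agent else CLEAN_PAGE


if __name__ == "__main__":
    report = cloaking_report("http://example.invalid/", USER_AGENTS, fake_fetch)
    print("cloaked:", is_cloaked(report))
    for digest, labels in report.items():
        print(digest[:12], labels)
```

Grouping by hash rather than diffing bodies pairwise keeps the output readable when many identities are tried; once the odd group is known, the two bodies can be diffed to find the injected element. Pages with rotating ads or timestamps will show spurious groups, so in practice the comparison is repeated once with the same agent to establish a baseline.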
Web Developer (https://addons.mozilla.org/en-US/firefox/addon/60)
Web Developer has a ton of uses in observing malware. It can be especially helpful in tracking down pesky iFrames and hidden form fields. Essentially, Web Developer allows users to control the representation of client-side code, as well as assisting in reviewing malware-infected web sites.
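The two things the paragraph singles out, invisible iframes and hidden form fields, can also be pulled out of a saved page programmatically, which helps when reviewing many pages. This added example (not code from the original article or the add-on) parses HTML with the standard library and reports iframes that are sized, styled or positioned so they never render, plus every hidden input. The heuristics, sample page and function names are constructed for this illustration; the border-width style on the visible ad iframe is there to show that the zero-dimension check does not misfire on it.

```python
"""Find invisible iframes and hidden form fields in an HTML page.
Added example, not part of the original article."""
import re
from html.parser import HTMLParser

# CSS width/height of zero, at the start of the style or after a ';' so that
# 'border-width:0' is not mistaken for 'width:0'.
_ZERO_DIM = re.compile(r"(?:^|;)(?:width|height):0(?:px|;|$)")
# Elements pushed off-screen with a negative left/top offset.
_OFFSCREEN = re.compile(r"(?:^|;)(?:left|top):-\d")


def _tiny(value: str) -> bool:
    """True for a width/height attribute that renders nothing (0, 1, 0px...)."""
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    try:
        return float(value) <= 1
    except ValueError:
        return False


def looks_invisible(attrs: dict) -> bool:
    """Heuristic: zero/one pixel size, hidden style, or off-screen position."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        _tiny(attrs.get("width", "x")) or _tiny(attrs.get("height", "x"))
        or "display:none" in style or "visibility:hidden" in style
        or bool(_ZERO_DIM.search(style)) or bool(_OFFSCREEN.search(style))
    )


class HiddenElementFinder(HTMLParser):
    """Collects invisible iframe sources and (name, value) of hidden inputs."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.hidden_fields = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "iframe" and looks_invisible(a):
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_fields.append((a.get("name", ""), a.get("value", "")))


def find_hidden_elements(html: str):
    """Return (invisible iframe srcs, hidden field (name, value) pairs)."""
    parser = HiddenElementFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_iframes, parser.hidden_fields


# Constructed sample page: one legitimate ad iframe, two hidden iframes, and a
# login form with a hidden redirect field. All hosts are reserved .invalid names.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1>
<iframe src="http://example.invalid/ads" width="300" height="250" style="border-width:0"></iframe>
<iframe src="http://example.invalid/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://example.invalid/y.php" style="position:absolute; left:-9999px"></iframe>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="hidden" name="redirect" value="http://example.invalid/steal.php">
  <input type="submit">
</form>
</body></html>"""

if __name__ == "__main__":
    iframes, fields = find_hidden_elements(SAMPLE_HTML)
    print("hidden iframes:", iframes)
    print("hidden fields:", fields)
```

Hidden inputs are legitimate on most forms (session tokens, CSRF nonces), so the field list is a reading aid rather than an alert; the iframe list is the stronger signal, and a src on a host the page has no business loading from is what to chase.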