Michael Boman, profile picture
Uploaded byMichael Boman
PPTX, PDF1,058 views

Malware Analysis as a Hobby

The document notes that manually analyzing malware can be time consuming and boring. MART was created to automate parts of the process such as sample acquisition, analysis using tools like Cuckoo Sandbox, and reporting. This reduces the time spent by malware analysts and allows them to focus on more complex samples. The system also aims to address limitations of virtual machine-based analysis by integrating additional techniques. Overall, MART streamlines malware analysis as a hobby while cutting costs compared to paying for commercial solutions.

Embed presentation

Downloaded 39 times
Malware Analysis as a Hobby Michael Boman - Security Consultant/Researcher, Father of 5 Siavosh Zarrasvand – Security Consultant/Researcher, Searching
Why the strange hobby?
The manual way
Drawbacks Time consuming Boring in the long run (not all malware are created equal)
Choose any two…. Cheap Good Fast
 I can do it cheaply (hardware and license cost-wise). Human time not Choose any two? Why included. not all of them?  I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less).  I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
Automate everything! Automate Engineer yourself out of the workflow
Birth of the MART Project Malware Analyst Research Toolkit
Components
Sample Acquisition • Public & Private Collections • Exchange with other malware analysts • Finding and collecting malware yourself • Download files from the web • Grab attachments from email • Feed BrowserSpider with links from your SPAM-folder
BrowserSpider  Written in Python  Using the Selenium framework to control REAL browsers  Flash, PDFs, Java applets etc. executes as per normal  All the browser bugs exists for real  Spiders and follows all links seen
Sample Analysis • Cuckoo Sandbox • VirusTotal
A days work for a Cuckoo Fetch a task Process and Prepare the create reports analysis Lunch analyzer in Store the result virtual machine Complete the Execute an analysis analysis package
DEMO: Submit sample for analysis
Sample Reporting • Results are stored in MongoDB (optional, highly recommended) • Accessed using a analyst GUI
Data Mining
Where Virtual Machine analysis fails And what to do about it
Problems  Cuckoo is easly bypassed  User-detection  Sleeping malware
Problems  VM or Sandbox detection  The guest OS might not be sufficient enough  Any multistage attack
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Bad Good Unknown
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Does not do anything • Detects environment • Encrypted segments • Failed execution
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Run longer • Envirnoment customization
Budget  Computer: €520  MSDN License: €800 (€590 renewal)  Year 1: €1320  Year N: €590  Money saved from stopped smoking (yearly): €2040
Next steps • Barebone on-the-iron malware analysis • Android platform support • OSX platform support • iOS patform support
Questions? Michael Boman Siavosh Zarrasvand michael@michaelboman.org siavosh.zarrasvand@gmail.com http://michaelboman.org @mboman @zarrasvand

More Related Content

PPTX
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
PPT
Maintaining a Malware Collection
byfrisksoftware
 
PPT
The Difference between Track and Testing Performance
byfrisksoftware
 
PPTX
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
byAndriy Krayniy
 
PPTX
Malware analysis as a hobby - the short story (lightning talk)
byMichael Boman
 
PPTX
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
PDF
Effective debugging
byAndy Dawson
 
PPT
Testing Heuristic Detections
byfrisksoftware
 
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
Maintaining a Malware Collection
byfrisksoftware
 
The Difference between Track and Testing Performance
byfrisksoftware
 
Alexey Ostapov: Distributed Video Management and Security Systems: Tips and T...
byAndriy Krayniy
 
Malware analysis as a hobby - the short story (lightning talk)
byMichael Boman
 
Deep Dive Modern Apps Lifecycle with Visual Studio 2012: Software Testing wit...
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Effective debugging
byAndy Dawson
 
Testing Heuristic Detections
byfrisksoftware
 

Similar to Malware Analysis as a Hobby

PDF
Malware Analysis on a Shoestring Budget
byMichael Boman
 
PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PDF
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
PDF
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
PDF
Intro2 malwareanalysisshort
byVincent Ohprecio
 
PDF
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
PDF
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
PDF
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
PDF
Automated Mobile Malware Classification
byzynamics GmbH
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PPT
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
PDF
Keith J. Jones, Ph.D. - Crash Course malware analysis
byKeith Jones, PhD
 
PDF
Malware Analysis Tips and Tricks.pdf
byYushimon
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
PPTX
Building next gen malware behavioural analysis environment
byisc2-hellenic
 
PDF
Practical Incident Response - Work Guide
byEduardo Chavarro
 
PDF
Reading Group Presentation: The Power of Procrastination
byMichael Rushanan
 
PPT
The Future of Automated Malware Generation
byStephan Chenette
 
PPTX
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
bygrecsl
 
PDF
Project in malware analysis:C2C
byFabrizio Farinacci
 
Malware Analysis on a Shoestring Budget
byMichael Boman
 
Malware Classification and Analysis
byPrashant Chopra
 
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
Intro2 malwareanalysisshort
byVincent Ohprecio
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
Automated Mobile Malware Classification
byzynamics GmbH
 
Malware analysis
byPrakashchand Suthar
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
byKeith Jones, PhD
 
Malware Analysis Tips and Tricks.pdf
byYushimon
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
Building next gen malware behavioural analysis environment
byisc2-hellenic
 
Practical Incident Response - Work Guide
byEduardo Chavarro
 
Reading Group Presentation: The Power of Procrastination
byMichael Rushanan
 
The Future of Automated Malware Generation
byStephan Chenette
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
bygrecsl
 
Project in malware analysis:C2C
byFabrizio Farinacci
 

More from Michael Boman

PPTX
How to drive a malware analyst crazy
byMichael Boman
 
PPTX
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
ODP
44CON 2014: Using hadoop for malware, network, forensics and log analysis
byMichael Boman
 
PDF
DEEPSEC 2013: Malware Datamining And Attribution
byMichael Boman
 
PPT
44CON 2013 - Controlling a PC using Arduino
byMichael Boman
 
KEY
Sans och vett på Internet
byMichael Boman
 
PDF
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
byMichael Boman
 
PPT
Hur man kan testa sin HTTPS-server
byMichael Boman
 
PPT
OWASP AppSec Research 2010 - The State of SSL in the World
byMichael Boman
 
PPTX
Enkla hackerknep för testare
byMichael Boman
 
ODP
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
byMichael Boman
 
ODP
USB (In)Security 2008-08-22
byMichael Boman
 
ODP
Automatic Malware Analysis 2008-09-19
byMichael Boman
 
ODP
Overcoming USB (In)Security
byMichael Boman
 
PPT
Privacy in Wireless Networks
byMichael Boman
 
PDF
Network Security Monitoring - Theory and Practice
byMichael Boman
 
ODP
Introduction To Linux Security
byMichael Boman
 
ODP
Snort
byMichael Boman
 
ODP
SoHo Honeypot (LUGS)
byMichael Boman
 
ODP
Sguil
byMichael Boman
 
How to drive a malware analyst crazy
byMichael Boman
 
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
44CON 2014: Using hadoop for malware, network, forensics and log analysis
byMichael Boman
 
DEEPSEC 2013: Malware Datamining And Attribution
byMichael Boman
 
44CON 2013 - Controlling a PC using Arduino
byMichael Boman
 
Sans och vett på Internet
byMichael Boman
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
byMichael Boman
 
Hur man kan testa sin HTTPS-server
byMichael Boman
 
OWASP AppSec Research 2010 - The State of SSL in the World
byMichael Boman
 
Enkla hackerknep för testare
byMichael Boman
 
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
byMichael Boman
 
USB (In)Security 2008-08-22
byMichael Boman
 
Automatic Malware Analysis 2008-09-19
byMichael Boman
 
Overcoming USB (In)Security
byMichael Boman
 
Privacy in Wireless Networks
byMichael Boman
 
Network Security Monitoring - Theory and Practice
byMichael Boman
 
Introduction To Linux Security
byMichael Boman
 
Snort
byMichael Boman
 
SoHo Honeypot (LUGS)
byMichael Boman
 
Sguil
byMichael Boman
 

Recently uploaded

PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
The year in review - MarvelClient in 2025
bypanagenda
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 

Malware Analysis as a Hobby

  • 1.
    Malware Analysis asa Hobby Michael Boman - Security Consultant/Researcher, Father of 5 Siavosh Zarrasvand – Security Consultant/Researcher, Searching
  • 2.
  • 3.
  • 4.
    Drawbacks Time consuming Boring in the long run (not all malware are created equal)
  • 5.
    Choose any two…. Cheap Good Fast
  • 6.
    I can do it cheaply (hardware and license cost-wise). Human time not Choose any two? Why included. not all of them?  I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less).  I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
  • 7.
    Automate everything! Automate Engineer yourself out of the workflow
  • 8.
    Birth of the MARTProject Malware Analyst Research Toolkit
  • 9.
  • 11.
    Sample Acquisition • Public & Private Collections • Exchange with other malware analysts • Finding and collecting malware yourself • Download files from the web • Grab attachments from email • Feed BrowserSpider with links from your SPAM-folder
  • 12.
    BrowserSpider  Written in Python  Using the Selenium framework to control REAL browsers  Flash, PDFs, Java applets etc. executes as per normal  All the browser bugs exists for real  Spiders and follows all links seen
  • 13.
    Sample Analysis • Cuckoo Sandbox • VirusTotal
  • 14.
    A days workfor a Cuckoo Fetch a task Process and Prepare the create reports analysis Lunch analyzer in Store the result virtual machine Complete the Execute an analysis analysis package
  • 15.
    DEMO: Submit samplefor analysis
  • 17.
    Sample Reporting • Results are stored in MongoDB (optional, highly recommended) • Accessed using a analyst GUI
  • 21.
  • 22.
    Where Virtual Machine analysis fails And what to do about it
  • 23.
    Problems  Cuckoo is easly bypassed  User-detection  Sleeping malware
  • 24.
    Problems  VM or Sandbox detection  The guest OS might not be sufficient enough  Any multistage attack
  • 25.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Bad Good Unknown
  • 26.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Does not do anything • Detects environment • Encrypted segments • Failed execution
  • 27.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples • Run longer • Envirnoment customization
  • 29.
    Budget  Computer: €520  MSDN License: €800 (€590 renewal)  Year 1: €1320  Year N: €590  Money saved from stopped smoking (yearly): €2040
  • 30.
    Next steps • Barebone on-the-iron malware analysis • Android platform support • OSX platform support • iOS patform support
  • 31.
    Questions? Michael Boman Siavosh Zarrasvand michael@michaelboman.org siavosh.zarrasvand@gmail.com http://michaelboman.org @mboman @zarrasvand