SETTING UP YOUR OWN MALWARE LAB
Presented by: Digit Oktavianto
email@example.com
http://digitoktavianto.web.id
JWC 4th Computer and Network Security Forum
About Me
- Security Consultant
- Member of Honeynet Indonesia Chapter
- Member of OWASP Indonesia
- Coordinator of Cloud Indonesia (SysAdmin)
- Member of KPLI Jakarta
- IT Security Enthusiast (Opreker :D)
TODAY'S DISCUSSION
- Introduction to Malware Analysis
- What is a Malware Lab?
- How to build your own malware lab?
- What tools are included in a Malware Lab?
Introduction to Malware Analysis
Malware: any piece of code that has malicious intentions and/or performs a function that the user was not aware it was going to perform.
Malware analysis: the process of analyzing malware; how to analyze malware behavior, how to reverse the malware, and how to disassemble the malware.
Introduction to Malware Analysis (Contd.)
Benefits of malware analysis:
- We can investigate how the malware works
- We can predict what it is going to do to its victims
- We will know how to mitigate this malware attack (quickly assess the threat)
- We can prevent further malware action
- We will understand threat management better
- We can secure our environment
What is a Malware Lab?
A Malware Lab is a safe environment in which to analyze malware. Basically, it is an isolated environment that contains the many tools a malware analyst needs for analysis.
What is a Malware Lab? (Contd.)
Why should we build a malware lab?
- Proactive approach
- Advanced detection (before the AV vendor detects it?)
What is a Malware Lab? (Contd.)
Why an isolated and safe environment?
- We need to execute the malware itself (dynamic analysis)
- We interact with the malware to learn how it works
- We observe how the malware infects the file system, which files are infected, the registry changes and the network traffic
What is a Malware Lab? (Contd.)
What are the purposes?
- Personal research
- Hobby
- Profit oriented (working as a malware analyst)
- Enhancing knowledge
How to build your own malware lab?
- Physical Lab
- Virtualization Lab
How to build your own malware lab? (Contd.)
Physical Lab
Advantages:
- No VM-aware detection
- Real environment lab
- Fully functional as a victim
Disadvantages:
- Costly
- Time to build the real environment
How to build your own malware lab? (Contd.)
Virtualization Lab
Advantages:
- Easy to deploy
- Minimum cost
- Easy to isolate; safe environment
Disadvantages:
- VM-aware detection
How to build your own malware lab? (Contd.)
Steps for building your Malware Lab (taken from http://zeltser.com/malware-analysis-toolkit/):
Step 1: Allocate physical or virtual systems for the analysis lab
Step 2: Isolate laboratory systems from the production environment
Step 3: Install behavioral analysis tools
Step 4: Install code-analysis tools
Step 5: Utilize online analysis tools
How to build your own malware lab? (Contd.)
Operating System?
1. Windows XP
2. Windows 7
3. Linux (REMnux from Lenny Zeltser)
Tools included in Malware Lab
Honeypot (trap the malware):
- Thug
- Ghost USB Honeypot
Tools included in Malware Lab (Contd.)
Behavioral analysis tools
- Filesystem and registry monitoring: CaptureBAT, Regshot, Filemon
- Process monitoring: Process Explorer, Process Hacker, Procmon, CFF Explorer, PEiD, PEView
- Network monitoring: Wireshark, Tcpdump, fakeDNS, ApateDNS, Tshark, TCPView, NetWitness, Netcat
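The network-monitoring entries above (fakeDNS, ApateDNS) and Step 2's isolation requirement rest on the same idea: the analysis machine must never resolve a sample's domains for real, yet the analyst still wants to see what it asked for. The following is an added example, not code from the original slides or from those tools: a minimal fakeDNS-style responder in Python that answers every A query with a lab sinkhole address and logs the requested name, where SINKHOLE_IP, SAMPLE_QUERY and the function names are assumptions of this example.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumption: the analyst's listener host inside the lab network

# Constructed sample: a query for example.com, type A, class IN, transaction id 0x1234
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

def parse_query(packet):
    """Return (transaction id, queried name, qtype, raw question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    pos += 4  # skip qtype and qclass
    return txid, ".".join(labels), qtype, packet[12:pos]

def build_response(packet, sinkhole_ip=SINKHOLE_IP):
    """Answer any A query with the sinkhole address; other types get an empty NOERROR reply."""
    txid, _, qtype, question = parse_query(packet)
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    # Answer: name pointer to offset 12, type A, class IN, TTL 60 s, 4-byte address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer

def serve(bind_ip="0.0.0.0", port=53):
    """Listen on the lab network; point the analysis VM's DNS server at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except (IndexError, UnicodeDecodeError, struct.error):
            print(f"{addr[0]} sent a malformed packet ({len(data)} bytes), ignored")
            continue
        print(f"{addr[0]} looked up {qname} (qtype {qtype}) -> answered {SINKHOLE_IP}")
        sock.sendto(build_response(data), addr)

if __name__ == "__main__":
    serve()
```

Run it on the lab gateway host (port 53 needs privileges) with a listener such as Netcat on the sinkhole address, so the sample's connection attempts land where Wireshark or Tcpdump can record them.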
Tools included in Malware Lab (Contd.)
Code analysis tools
- Disassembler / Debugger: IDA Pro, OllyDbg, Immunity Debugger, PyDbg, WinDbg, Fiddler (web debugger)
- Memory dumper: LordPE, OllyDump, HBGary FastDump
- Misc. tools: Sysinternals, Dependency Walker, Hex Editor, HashCalc, Mac Changer
Tools included in Malware Lab (Contd.)
Sandboxing???
Based on Wikipedia, “in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.”
Tools included in Malware Lab (Contd.)
Online sandboxes for checking a malware sample:
- Anubis (http://anubis.iseclab.org/)
- GFI Sandbox (http://www.threattrack.com/)
- ThreatExpert (http://www.threatexpert.com/)
- Norman Sandbox (http://www.norman.com/security_center/security_tools/)
Tools included in Malware Lab (Contd.)
Online malware scanners:
- VirusTotal (https://www.virustotal.com/)
- Wepawet (http://wepawet.iseclab.org/) → web-based malicious apps detector
- AVG Web Scanner
Tools included in Malware Lab (Contd.)
Online malware scanners:
A complete list can be found here:
- http://www.pentestit.com/list-online-malware-scanners/
- http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html