Setup Your Personal Malware Lab

This is my presentation at the JWC 4th Event Computer and Network Security Forum at Binus International University. I talk about how to set up your own malware lab for malware analysis purposes.

Published in: Technology
1 Comment
  • hi .. any network diagram for the lab ? , so total only 3 vm ?

Setup Your Personal Malware Lab

  1. SETTING UP YOUR OWN MALWARE LAB
     Presented by: Digit Oktavianto, http://digitoktavianto.web.id
     JWC 4th Computer and Network Security Forum
  2. About Me
     Security Consultant
     Member of Honeynet Indonesia Chapter
     Member of OWASP Indonesia
     Coordinator of Cloud Indonesia (SysAdmin)
     Member of KPLI Jakarta
     IT Security Enthusiast (Opreker :D)
  3. TODAY'S DISCUSSION
     Introduction of Malware Analysis
     What is a Malware Lab?
     How to build your own malware lab?
     What tools are included in a Malware Lab?
  4. Introduction of Malware Analysis
     Malware: any piece of code that has malicious intentions and/or performs a function that the user was not aware it was going to perform.
     Malware analysis: the process of analyzing malware: how to analyze the malware's behavior, how to reverse the malware, how to disassemble the malware.
  5. Introduction of Malware Analysis (Contd..)
     Benefits of malware analysis:
     - We can investigate how the malware works
     - We can predict what it is going to do to the victims
     - We will know how to mitigate this malware attack (quickly assess the threat)
     - We can prevent further malware action
     - We will understand threat management better
     - We can secure our environment
  6. What is a Malware Lab
     A Malware Lab is a safe environment in which to analyze the malware. Basically, it is an isolated environment which contains a lot of tools that are useful for the malware analyst's analysis.
  7. What is a Malware Lab (Contd...)
     Why should we build a malware lab?
     - Proactive approach
     - Advanced detection (before the AV vendor detects it?)
  8. What is a Malware Lab (Contd...)
     Why an isolated and safe environment?
     - We need to execute the malware itself (dynamic analysis)
     - We interact with the malware to learn how it works
     - We observe how the malware infects the file system, which files are infected, the registry, and the network traffic
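To make the "observe how the malware infects the file system" part concrete, here is an added example (not code from the slides, nor from Regshot or CaptureBAT) of a Regshot-style before/after snapshot of a directory tree in Python. The directory contents, file names and "changes" are constructed inside `demo()` as a stand-in for detonating a sample; on a real lab VM you would snapshot the interesting paths before running the sample and again afterwards, then diff. Only the filesystem side is shown; registry snapshots need Windows-specific APIs.

```python
"""Regshot-style filesystem snapshot differ (added example, not from the slides)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    size: int
    sha256: str


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Walk root and record size + SHA-256 of every regular file, keyed by
    its path relative to root (forward slashes, so reports are portable)."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                records[rel] = FileRecord(os.path.getsize(full), _hash_file(full))
            except OSError:
                continue  # file vanished or became unreadable mid-walk; samples do that
    return records


def diff_snapshots(before: Dict[str, FileRecord],
                   after: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (size or hash changed)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def format_report(delta: Dict[str, List[str]]) -> str:
    """One line per change, in the style of a Regshot text report."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in delta[kind]:
            lines.append(f"[{kind.upper():8}] {path}")
    return "\n".join(lines)


def demo() -> Dict[str, List[str]]:
    """Constructed stand-in for a detonation: seed a temp dir, snapshot,
    mutate it the way a sample might, snapshot again and diff."""
    with tempfile.TemporaryDirectory() as lab:
        def put(rel: str, data: bytes) -> None:
            path = os.path.join(lab, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        put("config.ini", b"autorun=0\n")
        put("readme.txt", b"hello\n")
        before = snapshot(lab)

        # constructed "malicious" activity: edit a config, delete a file, drop a binary
        put("config.ini", b"autorun=1\n")
        os.remove(os.path.join(lab, "readme.txt"))
        put("Temp/dropper.exe", b"MZ" + b"\x00" * 62)
        after = snapshot(lab)

    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(format_report(demo()))
```

The hash comparison is what catches in-place patching of a file whose size does not change; comparing only mtime or size, as a quick diff might, misses that case.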
  9. What is a Malware Lab (Contd...)
     What are the purposes?
     - Personal research
     - Hobby
     - Profit oriented (working as a malware analyst)
     - Enhancing knowledge
  10. How to build your own malware lab?
     - Physical Lab
     - Virtualization Lab
  11. How to build your own malware lab? (Contd...)
     Physical Lab
     Advantages:
     - No VM-aware detection
     - Real environment lab
     - Full function as a victim
     Disadvantages:
     - Costly
     - Time to build the real environment
  12. How to build your own malware lab? (Contd...)
     Virtualization Lab
     Advantages:
     - Easy to deploy
     - Minimum cost
     - Easy to isolate; safe environment
     Disadvantages:
     - VM-aware detection
  13. How to build your own malware lab? (Contd...)
     Steps for building your Malware Lab (taken from (
     Step 1: Allocate physical or virtual systems for the analysis lab
     Step 2: Isolate laboratory systems from the production environment
     Step 3: Install behavioral analysis tools
     Step 4: Install code-analysis tools
     Step 5: Utilize online analysis tools
  14. How to build your own malware lab? (Contd...)
     Operating System?
     1. Windows XP
     2. Windows 7
     3. Linux (REMnux from Lenny Zeltser)
  15. Tools included in the Malware Lab
     Honeypot (trap the malware):
     - Thug
     - Ghost USB Honeypot
  16. Tools included in the Malware Lab (Contd...)
     Behavioral analysis tools
     - Filesystem and Registry monitoring: CaptureBAT, Regshot, Filemon
     - Process monitoring: Process Explorer, Process Hacker, Procmon, CFF Explorer, PEiD, PEView
     - Network monitoring: Wireshark, tcpdump, fakeDNS, ApateDNS, Tshark, TCPView, NetWitness, Netcat
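As an added example of the network-monitoring side (not code from the slides, nor from fakeDNS or ApateDNS themselves), the following Python script is a minimal DNS sinkhole of the kind those tools provide. It answers every A query with an assumed sinkhole address (`10.0.0.1`, where the analyst would run a listener such as Netcat) and logs the queried name, so a sample's callback domains are recorded while no packet leaves the isolated lab network. The query bytes in `SAMPLE_QUERY` are constructed so the parsing and response building can be checked offline; `serve()` is what you would run on the lab's DNS address.

```python
"""Minimal fakeDNS/ApateDNS-style sinkhole (added example, not from the slides)."""
import socket
import struct
from typing import Tuple

SINKHOLE_IP = "10.0.0.1"  # assumption: the analyst's listener VM inside the lab network


def parse_question(packet: bytes) -> Tuple[bytes, str, int, int]:
    """Return (transaction id, qname, qtype, offset just past the question)
    for the first question in a DNS query packet."""
    txid = packet[:2]
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12  # fixed-size DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")  # not expected in a query
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_response(query: bytes, answer_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Echo the question and append one A record pointing at the sinkhole.
    Non-A queries get an empty NOERROR reply so the sample does not retry forever."""
    txid, _qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    flags = b"\x81\x80"  # QR=1, RD=1, RA=1, RCODE=0
    if qtype != 1:
        return txid + flags + struct.pack("!HHHH", 1, 0, 0, 0) + question
    header = txid + flags + struct.pack("!HHHH", 1, 1, 0, 0)
    # name = pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH 4, RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def serve(bind=("0.0.0.0", 53), log=print) -> None:
    """Run forever; binding UDP/53 needs root/admin, and the lab VMs must
    point their DNS at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_question(data)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or truncated; ignore rather than crash the sinkhole
        log(f"{peer[0]} asked for {qname} (type {qtype}) -> {SINKHOLE_IP}")
        sock.sendto(build_response(data), peer)


# Constructed sample query: txid 0xBEEF, standard recursive query, one question,
# "evil.example" type A class IN (the name is made up for this example).
SAMPLE_QUERY = (b"\xbe\xef\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x04evil\x07example\x00"
                + b"\x00\x01\x00\x01")


if __name__ == "__main__":
    serve()
```

The logged names are often the most useful output of a dynamic run: a sample that resolves a hard-coded domain and then connects to the sinkhole hands the analyst both the indicator and the follow-on protocol to capture with Wireshark or Netcat.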
  17. Tools included in the Malware Lab (Contd...)
     Code analysis tools
     - Disassembler / Debugger: IDA Pro, OllyDbg, Immunity Debugger, PyDbg, WinDbg, Fiddler (web debugger)
     - Memory dumper: LordPE, OllyDump, HBGary Fast Dump
     - Misc. tools: Sysinternals, Dependency Walker, hex editor, HashCalc, Mac Changer
  18. Tools included in the Malware Lab (Contd...)
     Sandboxing???
     Based on Wikipedia, "in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites."
  19. Tools included in the Malware Lab (Contd...)
     Sandbox apps:
     - Cuckoo Sandbox (
     - Malheur (
     - Buster Sandbox Analyzer (
     - ZeroWine Image (
  20. Tools included in the Malware Lab (Contd...)
     Online sandboxes for checking a malware sample:
     - Anubis (
     - GFI Sandbox (
     - ThreatExpert (
     - Norman Sandbox
  21. Tools included in the Malware Lab (Contd...)
     Online malware scanners:
     - VirusTotal ( )
     - Wepawet ( → web-based malicious apps detector
     - AVG Web Scanner (
  22. Tools included in the Malware Lab (Contd...)
     Online malware scanners: the complete list can be found here:
  23. Additional Resources for the Malware Analyst
     Malware repository:
  24. Finish
     Questions?
     Thank You