Setup Your Personal Malware Lab

This is my presentation at the JWC 4th Event Computer and Network Security Forum at Binus International University. I talk about how to set up your own malware lab for malware analysis purposes.

  • hi .. any network diagram for the lab? So total only 3 VMs?


  1. Setting Up Your Own Malware Lab
     Presented by: Digit Oktavianto (digit.oktavianto@gmail.com, http://digitoktavianto.web.id)
     JWC 4th Computer and Network Security Forum
  2. About Me
     - Security Consultant
     - Member of Honeynet Indonesia Chapter
     - Member of OWASP Indonesia
     - Coordinator of Cloud Indonesia (SysAdmin)
     - Member of KPLI Jakarta
     - IT Security Enthusiast (Opreker :D)
  3. Today's Discussion
     - Introduction to malware analysis
     - What is a malware lab?
     - How to build your own malware lab?
     - What tools are included in a malware lab?
  4. Introduction to Malware Analysis
     - Malware: any piece of code that has malicious intentions and/or performs a function that the user was not aware it was going to perform.
     - Malware analysis: the process of analyzing malware: how to analyze its behavior, how to reverse it, how to disassemble it.
  5. Introduction to Malware Analysis (Contd...)
     Benefits of malware analysis:
     - We can investigate how the malware works
     - We can predict what it is going to do to its victims
     - We will know how to mitigate the attack (quickly assess the threat)
     - We can prevent further malware action
     - We will understand threat management better
     - We can secure our environment
  6. What is a Malware Lab?
     A malware lab is a safe environment in which to analyze malware. Basically, it is an isolated environment that contains the tools a malware analyst needs for the analysis.
  7. What is a Malware Lab? (Contd...)
     Why should we build a malware lab?
     - Proactive approach
     - Advanced detection (before the AV vendor detects it?)
  8. What is a Malware Lab? (Contd...)
     Why an isolated and safe environment?
     - We need to execute the malware itself (dynamic analysis)
     - We interact with the malware to learn how it works
     - We observe how the malware affects the file system (which files are infected), the registry and the network traffic
  9. What is a Malware Lab? (Contd...)
     What are the purposes?
     - Personal research
     - Hobby
     - Profit oriented (working as a malware analyst)
     - Enhancing knowledge
  10. How to build your own malware lab?
     - Physical lab
     - Virtualization lab
  11. How to build your own malware lab? (Contd...) Physical Lab
     Advantages:
     - No VM-aware detection
     - Real environment lab
     - Full function as a victim
     Disadvantages:
     - Costly
     - Time to build the real environment
  12. How to build your own malware lab? (Contd...) Virtualization Lab
     Advantages:
     - Easy to deploy
     - Minimum cost
     - Easy to isolate; safe environment
     Disadvantages:
     - VM-aware detection
  13. How to build your own malware lab? (Contd...)
     Steps for building your malware lab (taken from http://zeltser.com/malware-analysis-toolkit/):
     - Step 1: Allocate physical or virtual systems for the analysis lab
     - Step 2: Isolate laboratory systems from the production environment
     - Step 3: Install behavioral analysis tools
     - Step 4: Install code-analysis tools
     - Step 5: Utilize online analysis tools
  14. How to build your own malware lab? (Contd...)
     Operating system?
     1. Windows XP
     2. Windows 7
     3. Linux (REMnux from Lenny Zeltser)
  15. Tools included in the Malware Lab
     Honeypot (trap the malware):
     - Thug
     - Ghost USB Honeypot
  16. Tools included in the Malware Lab (Contd...)
     Behavioral analysis tools:
     - Filesystem and registry monitoring: CaptureBAT, Regshot, Filemon
     - Process monitoring: Process Explorer, Process Hacker, Procmon, CFF Explorer, PEiD, PEView
     - Network monitoring: Wireshark, Tcpdump, fakeDNS, ApateDNS, Tshark, TCPView, NetWitness, Netcat
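The network-monitoring role that fakeDNS and ApateDNS play on slide 16, as an added example that is not the speaker's code nor either tool's source: a minimal UDP/53 responder that logs every name the sample looks up and answers each A query with the lab's sinkhole address, so the callbacks stay inside the isolated network of slide 8. The sinkhole address and the host name in the comments are assumptions.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: the analysis host on the lab-only network


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, question_bytes) from a raw DNS query packet."""
    txid, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if qdcount != 1 or flags & 0x8000:      # QR set means a response, not a query
        raise ValueError("not a simple single-question DNS query")
    labels, pos = [], 12                    # the question starts right after the header
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # compression pointers never appear in a question
            raise ValueError("unexpected label pointer in question")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack_from("!HH", pkt, pos)
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def build_response(pkt: bytes, answer_ip: str = SINKHOLE_IP) -> bytes:
    """Answer every A query with answer_ip; anything else gets NXDOMAIN (rcode 3)."""
    txid, _qname, qtype, question = parse_query(pkt)
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    # name = pointer to offset 12 (the question), type A, class IN, TTL 60, 4-byte rdata
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Log every name the sample asks for, then hand it the sinkhole address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            print(f"{peer[0]} looked up {parse_query(data)[1]}")   # e.g. c2.example.test
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            print(f"{peer[0]} sent a packet this responder does not handle")


if __name__ == "__main__":
    serve()   # needs root for UDP/53; point the victim VM's DNS at this host
```

The printed lookup log is the list of domains the sample tried to reach, which is the artifact an analyst wants from the network-monitoring step.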
  17. Tools included in the Malware Lab (Contd...)
     Code analysis tools:
     - Disassembler / debugger: IDA Pro, OllyDbg, Immunity Debugger, PyDbg, WinDbg, Fiddler (web debugger)
     - Memory dumper: LordPE, OllyDump, Fast Dump (HBGary)
     - Misc. tools: Sysinternals, Dependency Walker, hex editor, HashCalc, MAC Changer
  18. Tools included in the Malware Lab (Contd...)
     Sandboxing??? According to Wikipedia, "in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites."
  19. Tools included in the Malware Lab (Contd...)
     Sandbox apps:
     - Cuckoo Sandbox (http://www.cuckoosandbox.org/)
     - Malheur (http://www.mlsec.org/malheur/)
     - Buster Sandbox Analyzer (http://bsa.isoftware.nl/)
     - ZeroWine Image
  20. Tools included in the Malware Lab (Contd...)
     Online sandboxes for checking a malware sample:
     - Anubis (http://anubis.iseclab.org/)
     - GFI Sandbox (http://www.threattrack.com/)
     - ThreatExpert (http://www.threatexpert.com/)
     - Norman Sandbox (http://www.norman.com/security_center/security_tools/)
  21. Tools included in the Malware Lab (Contd...)
     Online malware scanners:
     - VirusTotal (https://www.virustotal.com/)
     - Wepawet (http://wepawet.iseclab.org/) → web-based malicious apps detector
     - AVG Web Scanner
  22. Tools included in the Malware Lab (Contd...)
     Online malware scanners: a complete list can be found here:
     - http://www.pentestit.com/list-online-malware-scanners/
     - http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html
  23. Additional Resources for Malware Analysts
     Malware repositories:
     - http://malware.lu
     - https://code.google.com/p/malware-lu/
     - http://contagiodump.blogspot.com/
     - http://www.offensivecomputing.net/
     - http://www.malwareblacklist.com/showMDL.php
     - http://www.scumware.org/
  24. Finish. Questions? Thank you.
