Malware Analysis on a Shoestring Budget



How can you build an infrastructure, using mainly free and open-source software, to analyze potentially malicious code? How can you leverage free public services together with in-house systems to compete against expensive commercial solutions whose price makes them cost-prohibitive for many researchers?


  1. Malware Analysis on a shoestring budget. Michael Boman - Security Consultant/Researcher, Father of 5
  2. Why the strange hobby?
  3. The manual way (a loop):
     •  Start virtual environment
     •  Start logging facilities
     •  Execute sample
     •  Stop logging facilities
     •  Analyze logs
  4. Drawbacks
     •  Time consuming
     •  Boring in the long run
     •  Not all malware are created equal
  5. I don't have time for this… I need a (better) system!
  6. Choose any two…: Cheap, Good, Fast
  7. Choose any two? Why not all of them?
     •  Cheap: I can do it cheaply (hardware and license cost-wise) - human time not included.
     •  Fast: I can do it quickly (I spend up to 3 hours a day doing this, on average even less). An analysis is done in less than 5 minutes…
     •  Good: I get pretty good results (quality). Where the system lacks, I can compensate for its shortcomings.
  8. Automate everything! Engineer yourself out of the workflow.
  9. Birth of the MART Project: Malware Analyst Research Toolkit
  10. Components
  11. Sample Acquisition
     •  Public & private collections
        •  Clean MX
        •  
        •  Etc.
     •  Exchange with other malware analysts
        •  You know who you are
     •  Finding and collecting malware yourself
        •  Download files from the web
        •  Grab attachments from email
        •  Feed BrowserSpider with links from your SPAM folder
  12. BrowserSpider
     •  Written in Python
     •  Uses the Selenium framework to control REAL browsers
        •  Flash, PDFs, Java applets etc. execute as normal
        •  All the browser bugs exist for real
     •  Spiders and follows all links seen
  13. Sample Analysis
     •  Cuckoo Sandbox
     •  VirusTotal
  14. DEMO: Submit sample for analysis
  15. A day's work for a Cuckoo (a loop):
     •  Fetch a task
     •  Prepare the analysis
     •  Launch analyzer in virtual machine
     •  Execute an analysis package
     •  Complete the analysis
     •  Process and create reports
     •  Store the result
  16. Sample Reporting: Results are stored in MongoDB (optional, highly recommended). Accessed using an analyst GUI.
  17. Data Mining
  18. Malware attribution. Black Hat USA 2010: Greg Hoglund: Malware attribution and fingerprinting
  19. Where Virtual Machine analysis fails, and what to do about it
  20. Problems
     •  User-detection
     •  Sleeping malware
     •  Multi-stage attacks
  21. Problems
     •  VM or sandbox detection
     •  The guest OS might not be sufficient
  22. Iterating automation: Sort out clearly non-malicious and obviously malicious samples → Do brief static analysis → Divide the samples into categories: Known Good, Known Bad, Unknown
  23. Iterating automation (same flow). What the static analysis looks for in the unknowns:
     •  Does not do anything
     •  Detects environment
     •  Encrypted segments
     •  Failed execution
  24. Iterating automation (same flow). How to handle those:
     •  Run longer
     •  Environment customization
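As an added illustration of the triage loop on slides 22-24 (not code from the MART project or the talk), a Python script that bins samples by SHA-256 against known-good and known-bad hash sets and runs two brief static checks on whatever is left unknown; the hash sets, the 7.2 bits-per-byte entropy cut-off and the sample byte strings are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in samples (harmless byte strings, not real malware):
SAMPLE_CLEAN = b"MZ" + b"\x00" * 254            # low entropy, hash pre-listed as known good
SAMPLE_PACKED = b"MZ" + bytes(range(256)) * 4   # every byte value about equally frequent
SAMPLE_TEXT = b"echo hello from a script"       # not a PE image at all

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Hash sets standing in for Clean MX / VirusTotal / analyst-exchange lookups (assumption).
KNOWN_GOOD = {sha256(SAMPLE_CLEAN)}
KNOWN_BAD = set()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; a value near 8 suggests encrypted or packed segments."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def static_flags(data: bytes) -> list:
    """Brief static checks in the spirit of slide 23; 7.2 is a heuristic cut-off (assumption)."""
    flags = []
    if data[:2] != b"MZ":
        flags.append("not-pe")
    if shannon_entropy(data) > 7.2:
        flags.append("encrypted-segments")
    return flags

def triage(data: bytes) -> dict:
    """Sort one sample into known-good / known-bad / unknown; only unknowns get static flags."""
    digest = sha256(data)
    if digest in KNOWN_GOOD:
        category = "known-good"
    elif digest in KNOWN_BAD:
        category = "known-bad"
    else:
        category = "unknown"
    flags = static_flags(data) if category == "unknown" else []
    return {"sha256": digest, "category": category, "flags": flags}

def sort_samples(samples: dict) -> dict:
    """Group a name -> bytes mapping into the three bins from slide 22."""
    bins = {"known-good": [], "known-bad": [], "unknown": []}
    for name, data in samples.items():
        bins[triage(data)["category"]].append(name)
    return bins
```

Samples flagged "encrypted-segments" are the ones slide 24 suggests running longer or in a customized environment; those flagged "not-pe" need a different analysis package.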
  25. Budget
     •  Computer: €520
     •  MSDN License: €800 (€590 renewal)
     •  Year 1 (2012): €1320
     •  Year N (2013…): €590
     •  Money saved from stopped smoking (yearly): €2040
  26. Malware Lab
  27. MART Hardware (overview)
  28. MART Hardware (mounts)
  29. The need for speed
     •  Original setup couldn't run more than 2 virtual machines simultaneously
        •  Disk I/O couldn't keep up
  30. MART Hardware (HDD). Transfer speed: 72-144 Mb/s. Access time: 13.6 ms
  31. MART Hardware (SSD). Transfer speed: 2x 270-280 Mb/s. Access time: 0.2 ms (68x faster). Running 3-4 machines simultaneously
  32. Next steps
     1.  Barebone on-the-iron malware analysis
     2.  Android platform support
     3.  OSX platform support
     4.  iOS platform support
  33. Existing barebone implementations
     •  BareBox
        •  "BareBox: Efficient Malware Analysis on Bare-Metal"
        •  Dhilung Kirat, Giovanni Vigna, Christopher Kruegel
        •  ACSAC 2011
        •  No code has been released
     •  NVMTrace
        •  "Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis"
        •  Paul Royal
        •  Black Hat 2012 Europe
        •  Requires special hardware (Intelligent Platform Management Interface [IPMI])
  34. Proof of Concept hardware: Arduino Duemilanove, Arduino Ethernet Shield, Prototype Shield, 4-Channel Relay Shield. 300 SEK (~€30)
  35. Questions? Michael Boman, http://michaelboman.org, @mboman