This document discusses Michael Boman's hobby of analyzing malware samples. It describes how he initially analyzed samples manually in a virtual environment but found it time consuming. He then created the Malware Analysis Research Toolkit (MART) project to automate the process. MART uses tools like Cuckoo Sandbox to analyze samples in virtual machines. It also includes components for sample acquisition, analysis, reporting, and data mining. The document discusses challenges with virtual machine analysis and ways to iterate the automation, such as doing brief static analysis on samples. It provides an overview of the hardware used in Boman's malware lab and discusses next steps for the project.
6. Cheap, Good, Fast: choose any two? Why not all of them?
• I can do it cheaply (hardware and license cost-wise). Human time not included.
• I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
• I get pretty good results (quality). Where the system lacks, I can compensate for its shortcomings.
11. Sample Acquisition
• Public & private collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with links from your SPAM folder
12. BrowserSpider
• Written in Python
• Uses the Selenium framework to control REAL browsers
• Flash, PDFs, Java applets etc. execute as normal
• All the browser bugs exist for real
• Spiders and follows all links seen
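The crawl logic behind a "follow every link seen" spider, as an added example (not BrowserSpider's own code). The browser is abstracted behind a `fetch(url) -> str` callable so the loop runs offline; the assumption is that the real tool fills that slot with a Selenium WebDriver's `get()` followed by `page_source`. The sample site and `fake_fetch` are constructed here. A page that fails to load (browser crash, timeout) is recorded and skipped rather than aborting the whole run, which is the failure mode a lab crawler hits most.

```python
"""Breadth-first link spider with a pluggable page fetcher (added example)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse


class _LinkExtractor(HTMLParser):
    """Collects absolute, fragment-free href targets from <a> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                # Resolve relative links; drop #fragments so /a#x and /a dedupe.
                absolute, _fragment = urldefrag(urljoin(self.base_url, value))
                self.links.append(absolute)


def extract_links(base_url, html):
    parser = _LinkExtractor(base_url)
    parser.feed(html)
    return parser.links


def spider(seed_urls, fetch, max_pages=50, allowed_schemes=("http", "https")):
    """Visit every link seen once, breadth-first, up to max_pages.

    fetch(url) must return the rendered page source (in the real tool this
    would be the Selenium driver: driver.get(url); driver.page_source).
    Returns (visited_in_order, {url: error}) so one bad page does not
    stop the crawl.
    """
    queue = deque()
    seen = set()
    for url in seed_urls:
        url, _ = urldefrag(url)
        if url not in seen:
            seen.add(url)
            queue.append(url)

    visited, errors = [], {}
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        try:
            html = fetch(url)
        except Exception as exc:  # driver failure on this page only
            errors[url] = repr(exc)
            continue
        visited.append(url)
        for link in extract_links(url, html):
            if urlparse(link).scheme not in allowed_schemes:
                continue  # skip mailto:, javascript:, file: and friends
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return visited, errors


# Constructed stand-in for pages a real browser would render.
SAMPLE_PAGES = {
    "http://example.test/": '<a href="/a">A</a> <a href="b.html#top">B</a> '
                            '<a href="mailto:x@example.test">mail</a>',
    "http://example.test/a": '<a href="/">home</a> <a href="/broken">broken</a>',
    "http://example.test/b.html": '<a href="/a">A again</a>',
}


def fake_fetch(url):
    """Offline replacement for driver.get(url); driver.page_source."""
    if url not in SAMPLE_PAGES:
        raise RuntimeError("page not found")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    pages, failures = spider(["http://example.test/"], fake_fetch)
    print("visited:", pages)
    print("failed:", failures)
```

Swapping `fake_fetch` for a function that drives a real browser is the only change needed to make this the "real browsers, real bugs" setup the slide describes; everything else (dedup, scheme filtering, error isolation) stays the same.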
14. A day's work for a Cuckoo
• Fetch a task → Prepare the analysis → Launch the analyzer in a virtual machine → Execute an analysis package → Complete the analysis → Store the result → Process and create reports → (fetch the next task)
24. Problems
• VM or sandbox detection
• The guest OS might not be sufficient
• Any multi-stage attack
25. Iterating automation
• Sort out clearly non-malicious and obviously malicious samples
• Do brief static analysis
• Divide the samples into categories: Known Good, Known Bad, Unknown
26. Iterating automation
• Sort out clearly non-malicious and obviously malicious samples
• Do brief static analysis
• Divide the samples into categories: Known Good, Known Bad, Unknown
• Why a sample may still come back unexplained: does not do anything, detects the environment, encrypted segments, failed execution
27. Iterating automation
• Sort out clearly non-malicious and obviously malicious samples
• Do brief static analysis
• Divide the samples into categories: Known Good, Known Bad, Unknown
• For those samples: run longer, environment customization
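The brief static pass that slides 25 to 27 describe, as an added example (not MART's code): sort samples into Known Good / Known Bad / Unknown by hash, then run a cheap heuristic on the unknowns so the ones with encrypted or packed segments can be routed to a longer run or a customized environment. Byte entropy is the swapped-in heuristic for "encrypted segments"; the hash sets, sample bytes and file names are all constructed here.

```python
"""Static triage: hash lookup, then entropy-based packed/encrypted flagging (added example)."""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Highest entropy over fixed-size windows.

    A packed or encrypted region stands out here even when the whole file
    averages out to look plain. A short trailing window cannot exceed
    log2(len), so it does not produce false positives.
    """
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def triage(samples, known_good, known_bad, threshold=7.0):
    """Brief static pass over {name: bytes}; returns {name: verdict dict}.

    Hash lookup first (cheapest), then heuristics only for what is left,
    with notes that say what to do next (run longer, customize the guest).
    """
    results = {}
    for name, data in samples.items():
        digest = sha256_hex(data)
        if digest in known_good:
            results[name] = {"category": "known_good", "sha256": digest}
            continue
        if digest in known_bad:
            results[name] = {"category": "known_bad", "sha256": digest}
            continue
        notes = []
        if not data.startswith(b"MZ"):
            notes.append("no MZ header: not a PE image, pick a non-Windows analysis package")
        window_entropy = max_window_entropy(data)
        if window_entropy >= threshold:
            notes.append(f"high-entropy segment (max window entropy {window_entropy:.2f}): "
                         "likely packed/encrypted, run longer so it unpacks")
        results[name] = {
            "category": "unknown",
            "sha256": digest,
            "whole_entropy": round(shannon_entropy(data), 2),
            "max_window_entropy": round(window_entropy, 2),
            "notes": notes,
        }
    return results


# Constructed samples; none of these are real malware or real hashes.
GOOD_BYTES = b"MZ" + b"known good test file " * 20
BAD_BYTES = b"MZ" + b"known bad test file " * 20
PLAIN_UNKNOWN = b"MZ" + b"Hello from a plain unknown test binary. " * 30
PACKED_UNKNOWN = b"MZ" + b"\x00" * 62 + bytes(range(256)) * 4  # uniform bytes after a stub header
SCRIPT_SAMPLE = b"#!/bin/sh\necho hi\n"

SAMPLES = {
    "good.exe": GOOD_BYTES,
    "bad.exe": BAD_BYTES,
    "plain.exe": PLAIN_UNKNOWN,
    "packed.exe": PACKED_UNKNOWN,
    "script.sh": SCRIPT_SAMPLE,
}
KNOWN_GOOD = {sha256_hex(GOOD_BYTES)}
KNOWN_BAD = {sha256_hex(BAD_BYTES)}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, KNOWN_GOOD, KNOWN_BAD).items():
        print(name, verdict)
```

Windowed entropy rather than whole-file entropy is the point of the example: a sample that pads itself with plain data can drag the file average under any threshold, but the encrypted segment still shows up in its own window.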
29. Budget
• Computer: €520
• MSDN License: €800 (€590 renewal)
• Year 1: €1320
• Year N: €590
• Money saved by having stopped smoking (yearly): €2040