This document discusses Michael Boman's hobby of analyzing malware samples. It describes how he initially analyzed samples manually in a virtual environment but found it time consuming. He then created the Malware Analysis Research Toolkit (MART) project to automate the process. MART uses tools like Cuckoo Sandbox to analyze samples in virtual machines. It also includes components for sample acquisition, analysis, reporting, and data mining. The document discusses challenges with virtual machine analysis and ways to iterate the automation, such as doing brief static analysis on samples. It provides an overview of the hardware used in Boman's malware lab and discusses next steps for the project.

1. Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5

2. Why the strange
hobby?

3. The manual way
1.Start virtual environment
2.Copy sample
3.Start logging facilities
4.Execute sample
5.Stop logging facilities
6.Analyze logs

4. Drawbacks
• Time consuming
• Boring in the long run (not all malware are created equal)

5. Choose any two….
Cheap
Good Fast

6. I can do it cheaply (hardware and
license cost-wise). Human time not
Choose any two? included.
Why not all of them?
I can do it quickly (I spend up to 3
Cheap hours a day doing this, at average
even less).
I get pretty good results (quality).
Where the system lacks I can
compensate for its shortcomings.
Good Fast

7. Automate
everything!
Automate
Engineer yourself out of the workflow

8. Birth of the
MART Project
Malware Analyst Research Toolkit

9. Components

11. Sample Acquisition
• Public & Private
Collections
• Exchange with other
malware analysts
• Finding and collecting
malware yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with
links from your SPAM-folder

12. BrowserSpider
• Written in Python
• Using the Selenium framework to control REAL browsers
• Flash, PDFs, Java applets etc. executes as per normal
• All the browser bugs exists for real
• Spiders and follows all links seen

13. Sample Analysis
• Cuckoo Sandbox
• VirusTotal

14. A days work for a Cuckoo
Fetch a task
Process and Prepare the
create reports analysis
Launch
Store the result analyzer in
virtual machine
Execute an
Complete the
analysis
analysis
package

15. DEMO: Submit sample for analysis

17. Sample Reporting
Results are stored in MongoDB
(optional, highly recommended)
Accessed using a analyst GUI

21. Data Mining

22. Where Virtual Machine
analysis fails
And what to do about it

23. Problems
• Cuckoo is easly bypassed
• User-detection
• Sleeping malware

24. Problems
• VM or Sandbox detection
• The guest OS might not be sufficient enough
• Any multistage attack

25. Iterating automatiation
Sort out clearly
non-malicious Devide the
Do brief static
and obviosly samples into
analysis
malicious categories
samples
Known Known
Good Bad
Unknown

26. Iterating automatiation
Sort out clearly
non-malicious Devide the
Do brief static
and obviosly samples into
analysis
malicious categories
samples
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution

27. Iterating automatiation
Sort out clearly
non-malicious Devide the
Do brief static
and obviosly samples into
analysis
malicious categories
samples
• Run longer
• Envirnoment customization

29. Budget
• Computer: €520
• MSDN License: €800 (€590 renewal)
• Year 1: €1320
• Year N: €590
• Money saved from stopped smoking (yearly): €2040

30. Malware Lab

31. MART Hardware (overview)

32. MART Hardware (mounts)

33. MART Hardware (HDD)

34. MART Hardware (SSD)

35. Next steps
• Barebone on-the-iron malware
analysis
• Android platform support
• OSX platform support
• iOS patform support

36. Proof of Concept hardware
Prototype Shield
Arduino 4-Channel
Relay Shield
Arduino Ethernet Shield
Duemilanove

37. Questions?
Michael Boman Michael Boman
michael.boman@2secure.se michael@michaelboman.org
http://michaelboman.org
http://www.2secure.se @mboman