The document notes that manually analyzing malware can be time consuming and boring. MART was created to automate parts of the process such as sample acquisition, analysis using tools like Cuckoo Sandbox, and reporting. This reduces the time spent by malware analysts and allows them to focus on more complex samples. The system also aims to address limitations of virtual machine-based analysis by integrating additional techniques. Overall, MART streamlines malware analysis as a hobby while cutting costs compared to paying for commercial solutions.

1. Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5
Siavosh Zarrasvand – Security Consultant/Researcher, Searching

2. Why the strange hobby?

3. The manual way

4. Drawbacks
Time consuming
Boring in the long run (not all malware are created equal)

5. Choose any two….
Cheap
Good Fast

6.  I can do it cheaply (hardware and
license cost-wise). Human time not
Choose any two? Why included.
not all of them?
 I can do it quickly (I spend up to 3
Cheap hours a day doing this, at average even
less).
 I get pretty good results (quality).
Where the system lacks I can
compensate for its shortcomings.
Good Fast

7. Automate
everything!
Automate
Engineer yourself out of the workflow

8. Birth of the
MART Project
Malware Analyst Research Toolkit

9. Components

11. Sample Acquisition
• Public & Private Collections
• Exchange with other malware analysts
• Finding and collecting malware
yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with links from your
SPAM-folder

12. BrowserSpider
 Written in Python
 Using the Selenium framework to control REAL browsers
 Flash, PDFs, Java applets etc. executes as per normal
 All the browser bugs exists for real
 Spiders and follows all links seen

13. Sample Analysis
• Cuckoo Sandbox
• VirusTotal

14. A days work for a Cuckoo
Fetch a task
Process and Prepare the
create reports analysis
Lunch analyzer in
Store the result
virtual machine
Complete the Execute an
analysis analysis package

15. DEMO: Submit sample for
analysis

17. Sample Reporting
• Results are stored in MongoDB
(optional, highly recommended)
• Accessed using a analyst GUI

21. Data Mining

22. Where Virtual Machine
analysis fails
And what to do about it

23. Problems
 Cuckoo is easly bypassed
 User-detection
 Sleeping malware

24. Problems
 VM or Sandbox detection
 The guest OS might not be sufficient enough
 Any multistage attack

25. Iterating automatiation
Sort out clearly
Devide the
non-malicious and Do brief static
samples into
obviosly malicious analysis
categories
samples
Known Known Bad
Good
Unknown

26. Iterating automatiation
Sort out clearly
Devide the
non-malicious and Do brief static
samples into
obviosly malicious analysis
categories
samples
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution

27. Iterating automatiation
Sort out clearly
Devide the
non-malicious and Do brief static
samples into
obviosly malicious analysis
categories
samples
• Run longer
• Envirnoment customization

29. Budget
 Computer: €520
 MSDN License: €800 (€590 renewal)
 Year 1: €1320
 Year N: €590
 Money saved from stopped smoking (yearly): €2040

30. Next steps
• Barebone on-the-iron malware
analysis
• Android platform support
• OSX platform support
• iOS patform support

31. Questions?
Michael Boman Siavosh Zarrasvand
michael@michaelboman.org siavosh.zarrasvand@gmail.com
http://michaelboman.org
@mboman @zarrasvand