Michael Boman, profile picture
Uploaded byMichael Boman
1,286 views

Malware Analysis on a Shoestring Budget

The document discusses budget-friendly strategies for malware analysis, emphasizing automation and efficient use of resources to achieve quality results quickly. It introduces the MART project, a malware analysis toolkit that includes components for sample acquisition and analysis, and highlights common challenges in virtual machine analysis. Key recommendations include investing in hardware that supports multiple virtual machines and leveraging community resources for malware collection and exchange.

Embed presentation

Downloaded 32 times
Malware Analysis on a shoe- string budget Michael Boman - Security Consultant/Researcher, Father of 5
Why the strange hobby?
Start virtual environment The manual way Start logging Analyze logs facilities Stop logging Execute facilities sample
Drawbacks •  Time consuming •  Boring in the long run •  not all malware are created equal
I don’t have time for this… I need a (better) system!
Choose any two…. Cheap Good Fast
I can do it cheaply (hardware and license cost-wise) - Human time not Choose any two? included. Why not all of them? I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less). An analysis is done in less then 5 minutes… I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
Automate everything! Automate Engineer yourself out of the workflow
Birth of the MART Project Malware Analyst Research Toolkit
Components
Sample Acquisition •  Public & Private Collections •  Clean MX •  Malware.lu •  Etc. •  Exchange with other malware analysts •  You know who you are •  Finding and collecting malware yourself •  Download files from the web •  Grab attachments from email •  Feed BrowserSpider with links from your SPAM-folder
BrowserSpider •  Written in Python •  Using the Selenium framework to control REAL browsers •  Flash, PDFs, Java applets etc. executes as per normal •  All the browser bugs exists for real •  Spiders and follows all links seen
Sample Analysis •  Cuckoo Sandbox •  VirusTotal
DEMO: Submit sample for analysis
A days work for a Cuckoo Fetch a task Process and Prepare the create reports analysis Launch analyzer Store the result in virtual machine Complete the Execute an analysis analysis package
Sample Reporting Results are stored in MongoDB (optional, highly recommended) Accessed using a analyst GUI
Data Mining
Malware attribution Black Hat USA 2010: Greg Hoglund: Malware attribution and fingerprinting
Where Virtual Machine analysis fails And what to do about it
Problems •  User-detection •  Sleeping malware •  Multi-stage attacks
Problems •  VM or Sandbox detection •  The guest OS might not be sufficient enough
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Good Bad Unknown
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples •  Does not do anything •  Detects environment •  Encrypted segments •  Failed execution
Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples •  Run longer •  Envirnoment customization
Budget •  Computer: €520 •  MSDN License: €800 (€590 renewal) •  Year 1 (2012): €1320 •  Year N (2013…): €590 •  Money saved from stopped smoking (yearly): €2040
Malware Lab
MART Hardware (overview)
MART Hardware (mounts)
The need for speed •  Original setup couldn’t run more then 2 virtual machines simultaneously •  Disk I/O couldn’t keep up
MART Hardware (HDD) Transfer speed: 72-144 Mb/s Access time: 13.6 ms
MART Hardware (SSD) Transfer speed: 2x 270-280 Mb/s Access time: 0.2 ms 68x Running 3-4 machines simultaneously
Next steps 1.  Barebone on-the-iron malware analysis 2.  Android platform support 3.  OSX platform support 4.  iOS patform support
Existing barebone implementations •  BareBox •  BareBox: Efficient Malware Analysis on Bare-Metal •  Dhilung Kirat, Giovanni Vigna, Christopher Kruegel •  ACSAC 2011 •  No code has been released •  NVMTrace •  Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis •  Paul Royal •  Blackhat 2012 EUROPE •  Requires special hardware (Intelligent Platform Management Interface [IPMI])
Proof of Concept hardware Prototype Shield Arduino 4-Channel Relay Shield 300 SEK (€~30) Arduino Ethernet Shield Duemilanove
Questions? Michael Boman Michael Boman michael.boman@2secure.se michael@michaelboman.org http://michaelboman.org http://www.2secure.se @mboman

More Related Content

PPTX
How to drive a malware analyst crazy
byMichael Boman
 
PPTX
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
PDF
Malware Detection With Multiple Features
byMuhammad Najmi Ahmad Zabidi
 
PDF
Challenges in High Accuracy of Malware Detection
byMuhammad Najmi Ahmad Zabidi
 
PDF
Anti Debugging
byn|u - The Open Security Community
 
PDF
Anti-Debugging - A Developers View
byTyler Shields
 
PDF
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
How to drive a malware analyst crazy
byMichael Boman
 
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
Malware Detection With Multiple Features
byMuhammad Najmi Ahmad Zabidi
 
Challenges in High Accuracy of Malware Detection
byMuhammad Najmi Ahmad Zabidi
 
Anti Debugging
byn|u - The Open Security Community
 
Anti-Debugging - A Developers View
byTyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 

What's hot

PDF
A client-side vulnerability under the microscope!
byNelson Brito
 
PDF
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
PPTX
Automating Malware Analysis
bysecurityxploded
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
PPTX
Windows Crash Dump Analysis
byMicrosoft TechNet - Belgium and Luxembourg
 
PPTX
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
byWayne Huang
 
PDF
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
PDF
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
PDF
Volatile IOCs for Fast Incident Response
byTakahiro Haruyama
 
PPTX
Exceptions in Java
byVadym Lotar
 
PDF
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
byNelson Brito
 
PDF
SyScan 2016 - Remote code execution via Java native deserialization
byDavid Jorm
 
ODP
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
byJoxean Koret
 
PDF
Understand study
byAntonio Costa aka Cooler_
 
PDF
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
PPTX
Injection on Steroids: Codeless code injection and 0-day techniques
byenSilo
 
PDF
The Hunter Games: How to Find the Adversary with Event Query Language
byRoss Wolf
 
PPTX
Code Injection in Windows
byn|u - The Open Security Community
 
A client-side vulnerability under the microscope!
byNelson Brito
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
Automating Malware Analysis
bysecurityxploded
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
Windows Crash Dump Analysis
byMicrosoft TechNet - Belgium and Luxembourg
 
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
byWayne Huang
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
Volatile IOCs for Fast Incident Response
byTakahiro Haruyama
 
Exceptions in Java
byVadym Lotar
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
byNelson Brito
 
SyScan 2016 - Remote code execution via Java native deserialization
byDavid Jorm
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
byJoxean Koret
 
Understand study
byAntonio Costa aka Cooler_
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
Injection on Steroids: Codeless code injection and 0-day techniques
byenSilo
 
The Hunter Games: How to Find the Adversary with Event Query Language
byRoss Wolf
 
Code Injection in Windows
byn|u - The Open Security Community
 

Similar to Malware Analysis on a Shoestring Budget

PPTX
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
PPTX
Malware Analysis as a Hobby - 44CON 2012
by44CON
 
PPTX
Malware Analysis as a Hobby
byMichael Boman
 
PDF
Intro2 malwareanalysisshort
byVincent Ohprecio
 
PDF
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
PDF
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
PDF
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
PDF
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
PPTX
Malware analysis as a hobby - the short story (lightning talk)
byMichael Boman
 
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
byDaveEdwards12
 
PDF
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
PDF
Reading Group Presentation: The Power of Procrastination
byMichael Rushanan
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
Maximize Computer Security With Limited Ressources
bySecunia
 
PPT
The Future of Automated Malware Generation
byStephan Chenette
 
PPT
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
PPTX
Building next gen malware behavioural analysis environment
byisc2-hellenic
 
PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PDF
Modern Malware and Threats
byMarketingArrowECS_CZ
 
Malware analysis as a hobby (Owasp Göteborg)
byMichael Boman
 
Malware Analysis as a Hobby - 44CON 2012
by44CON
 
Malware Analysis as a Hobby
byMichael Boman
 
Intro2 malwareanalysisshort
byVincent Ohprecio
 
Malware Analysis -an overview by PP Singh
byn|u - The Open Security Community
 
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
Malware analysis as a hobby - the short story (lightning talk)
byMichael Boman
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
byDaveEdwards12
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
bySandeep Kumar Seeram
 
Reading Group Presentation: The Power of Procrastination
byMichael Rushanan
 
Malware analysis
byPrakashchand Suthar
 
Maximize Computer Security With Limited Ressources
bySecunia
 
The Future of Automated Malware Generation
byStephan Chenette
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
Building next gen malware behavioural analysis environment
byisc2-hellenic
 
Malware Classification and Analysis
byPrashant Chopra
 
Modern Malware and Threats
byMarketingArrowECS_CZ
 

More from Michael Boman

ODP
44CON 2014: Using hadoop for malware, network, forensics and log analysis
byMichael Boman
 
PDF
DEEPSEC 2013: Malware Datamining And Attribution
byMichael Boman
 
PPT
44CON 2013 - Controlling a PC using Arduino
byMichael Boman
 
KEY
Sans och vett på Internet
byMichael Boman
 
PDF
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
byMichael Boman
 
PPT
Hur man kan testa sin HTTPS-server
byMichael Boman
 
PPT
OWASP AppSec Research 2010 - The State of SSL in the World
byMichael Boman
 
PPTX
Enkla hackerknep för testare
byMichael Boman
 
ODP
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
byMichael Boman
 
ODP
USB (In)Security 2008-08-22
byMichael Boman
 
ODP
Automatic Malware Analysis 2008-09-19
byMichael Boman
 
ODP
Overcoming USB (In)Security
byMichael Boman
 
PPT
Privacy in Wireless Networks
byMichael Boman
 
PDF
Network Security Monitoring - Theory and Practice
byMichael Boman
 
ODP
Introduction To Linux Security
byMichael Boman
 
ODP
Snort
byMichael Boman
 
ODP
SoHo Honeypot (LUGS)
byMichael Boman
 
ODP
Sguil
byMichael Boman
 
ODP
Introduction To NIDS
byMichael Boman
 
ODP
Acid
byMichael Boman
 
44CON 2014: Using hadoop for malware, network, forensics and log analysis
byMichael Boman
 
DEEPSEC 2013: Malware Datamining And Attribution
byMichael Boman
 
44CON 2013 - Controlling a PC using Arduino
byMichael Boman
 
Sans och vett på Internet
byMichael Boman
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
byMichael Boman
 
Hur man kan testa sin HTTPS-server
byMichael Boman
 
OWASP AppSec Research 2010 - The State of SSL in the World
byMichael Boman
 
Enkla hackerknep för testare
byMichael Boman
 
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
byMichael Boman
 
USB (In)Security 2008-08-22
byMichael Boman
 
Automatic Malware Analysis 2008-09-19
byMichael Boman
 
Overcoming USB (In)Security
byMichael Boman
 
Privacy in Wireless Networks
byMichael Boman
 
Network Security Monitoring - Theory and Practice
byMichael Boman
 
Introduction To Linux Security
byMichael Boman
 
Snort
byMichael Boman
 
SoHo Honeypot (LUGS)
byMichael Boman
 
Sguil
byMichael Boman
 
Introduction To NIDS
byMichael Boman
 
Acid
byMichael Boman
 

Recently uploaded

PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
The year in review - MarvelClient in 2025
bypanagenda
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 

Malware Analysis on a Shoestring Budget

  • 1.
    Malware Analysis ona shoe- string budget Michael Boman - Security Consultant/Researcher, Father of 5
  • 2.
  • 3.
    Start virtual environment The manual way Start logging Analyze logs facilities Stop logging Execute facilities sample
  • 4.
    Drawbacks •  Time consuming •  Boring in the long run •  not all malware are created equal
  • 5.
    I don’t have timefor this… I need a (better) system!
  • 6.
    Choose any two…. Cheap Good Fast
  • 7.
    I can doit cheaply (hardware and license cost-wise) - Human time not Choose any two? included. Why not all of them? I can do it quickly (I spend up to 3 Cheap hours a day doing this, at average even less). An analysis is done in less then 5 minutes… I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings. Good Fast
  • 8.
    Automate everything! Automate Engineer yourself out of the workflow
  • 9.
    Birth of the MARTProject Malware Analyst Research Toolkit
  • 10.
  • 12.
    Sample Acquisition •  Public& Private Collections •  Clean MX •  Malware.lu •  Etc. •  Exchange with other malware analysts •  You know who you are •  Finding and collecting malware yourself •  Download files from the web •  Grab attachments from email •  Feed BrowserSpider with links from your SPAM-folder
  • 13.
    BrowserSpider •  Written inPython •  Using the Selenium framework to control REAL browsers •  Flash, PDFs, Java applets etc. executes as per normal •  All the browser bugs exists for real •  Spiders and follows all links seen
  • 14.
    Sample Analysis •  Cuckoo Sandbox •  VirusTotal
  • 15.
    DEMO: Submit samplefor analysis
  • 16.
    A days workfor a Cuckoo Fetch a task Process and Prepare the create reports analysis Launch analyzer Store the result in virtual machine Complete the Execute an analysis analysis package
  • 18.
    Sample Reporting Results arestored in MongoDB (optional, highly recommended) Accessed using a analyst GUI
  • 22.
  • 23.
    Malware attribution Black HatUSA 2010: Greg Hoglund: Malware attribution and fingerprinting
  • 24.
    Where Virtual Machine analysis fails And what to do about it
  • 25.
    Problems •  User-detection •  Sleepingmalware •  Multi-stage attacks
  • 26.
    Problems •  VM or Sandbox detection •  The guest OS might not be sufficient enough
  • 27.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples Known Known Good Bad Unknown
  • 28.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples •  Does not do anything •  Detects environment •  Encrypted segments •  Failed execution
  • 29.
    Iterating automatiation Sort out clearly Devide the non-malicious and Do brief static samples into obviosly malicious analysis categories samples •  Run longer •  Envirnoment customization
  • 31.
    Budget •  Computer: €520 •  MSDN License: €800 (€590 renewal) •  Year 1 (2012): €1320 •  Year N (2013…): €590 •  Money saved from stopped smoking (yearly): €2040
  • 32.
  • 33.
  • 34.
  • 35.
    The need forspeed •  Original setup couldn’t run more then 2 virtual machines simultaneously •  Disk I/O couldn’t keep up
  • 36.
    MART Hardware (HDD) Transfer speed: 72-144 Mb/s Access time: 13.6 ms
  • 37.
    MART Hardware (SSD) Transfer speed: 2x 270-280 Mb/s Access time: 0.2 ms 68x Running 3-4 machines simultaneously
  • 38.
    Next steps 1.  Bareboneon-the-iron malware analysis 2.  Android platform support 3.  OSX platform support 4.  iOS patform support
  • 39.
    Existing barebone implementations • BareBox •  BareBox: Efficient Malware Analysis on Bare-Metal •  Dhilung Kirat, Giovanni Vigna, Christopher Kruegel •  ACSAC 2011 •  No code has been released •  NVMTrace •  Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis •  Paul Royal •  Blackhat 2012 EUROPE •  Requires special hardware (Intelligent Platform Management Interface [IPMI])
  • 40.
    Proof of Concepthardware Prototype Shield Arduino 4-Channel Relay Shield 300 SEK (€~30) Arduino Ethernet Shield Duemilanove
  • 41.
    Questions? Michael Boman Michael Boman michael.boman@2secure.se michael@michaelboman.org http://michaelboman.org http://www.2secure.se @mboman