This document discusses how to set up a malware analysis lab. It begins by introducing malware analysis and explaining why it is important. It then defines a malware lab as a safe, isolated environment for analyzing malware, noting both physical and virtual options. The document outlines the steps to build a malware lab, including isolating systems, installing behavioral and code analysis tools, and using online analysis tools. Finally, it lists specific tools that could be included in a malware lab, such as honeypots, behavioral monitors, disassemblers, sandboxes, and online scanners.
Setup Your Personal Malware Lab
1. SETTING UP YOUR OWN MALWARE LAB
Presented by:
Digit Oktavianto
digit.oktavianto@gmail.com
http://digitoktavianto.web.id
JWC 4th Computer and Network Security Forum
2. About Me
Security Consultant
Member of Honeynet Indonesia Chapter
Member of OWASP Indonesia
Coordinator of Cloud Indonesia (SysAdmin)
Member KPLI Jakarta
IT Security Enthusiast (Opreker :D)
3. TODAY'S DISCUSSION
Introduction to Malware Analysis
What is a Malware Lab?
How to build your own malware lab?
What tools are included in a Malware Lab?
4. Introduction to Malware Analysis
Malware: any piece of code that has malicious intent and/or performs a function that the user was not aware it was going to perform
Malware analysis: the process of analysing malware: studying its behaviour, reversing it and disassembling it
5. Introduction to Malware Analysis (Cont'd..)
Benefits of malware analysis?
We can investigate how the malware works
We can predict what it is going to do to its victims
We will know how to mitigate this malware attack (quickly assess the threat)
We can prevent further malware action
We will understand threat management better
We can secure our environment
6. What is Malware Lab
A malware lab is a safe environment in which to analyze malware. Basically, it is an isolated environment containing the tools a malware analyst needs for the analysis.
7. What is Malware Lab (Cont'd...)
Why should we build a malware lab?
Proactive approach
Advanced detection (before the AV vendor detects it?)
8. What is Malware Lab (Cont'd...)
Why an isolated and safe environment?
We need to execute the malware itself (dynamic analysis)
We interact with the malware to learn how it works
We observe how the malware affects the file system (which files are created or infected), the registry and the network traffic
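The file-system and registry observation described above is what tools such as Regshot and CaptureBAT automate: take a snapshot before detonating the sample, another afterwards, and diff the two. The script below is an added example, not one of the slides' tools, that implements that snapshot/diff with the Python standard library only: snapshot_files() hashes every file under a directory, snapshot_run_keys() captures the Run autostart values on Windows (it returns nothing elsewhere), and diff_snapshots() reports what was added, removed or modified. demo() builds a throwaway directory with constructed files, simulates a dropper, and returns the diff; the file names and contents in it are invented for the demonstration.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def snapshot_files(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                # File vanished or is locked by a running process: skip it
                continue
    return state


def snapshot_run_keys():
    """Windows only: capture the HKCU/HKLM Run values, a favourite persistence spot."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, but only importable on Windows

    state = {}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    state[f"{hive_name}\\{subkey}\\{name}"] = str(data)
                    i += 1
        except OSError:
            continue  # key missing or not readable
    return state


def diff_snapshots(before, after):
    """Return what a Regshot-style comparison reports: added, removed, modified entries."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: a 'victim' directory before and after a fake dropper runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "readme.txt").write_bytes(b"untouched\n")
        (root / "old.log").write_bytes(b"to be deleted\n")
        before = snapshot_files(root)

        # Simulated malware behaviour: drop a binary, poison hosts, wipe a log
        (root / "svchost32.exe").write_bytes(b"MZ\x90\x00 constructed, not a real PE")
        with open(root / "hosts", "ab") as fh:
            fh.write(b"127.0.0.1 update.antivirus.example\n")
        (root / "old.log").unlink()
        after = snapshot_files(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In a real run you would snapshot the victim VM's system drive and the Run keys, detonate, snapshot again, and feed the "added" and "modified" lists to the static tools; anything the sample touches between the two snapshots shows up, including files it later deletes if you snapshot frequently enough.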
9. What is Malware Lab (Cont'd...)
What are the purposes?
Personal research
Hobby
Profit oriented (working as a malware analyst)
Enhancing knowledge
10. How to build your own malware lab?
Physical Lab
Virtualization Lab
11. How to build your own malware lab? (Cont'd ...)
Physical Lab
Advantage:
- No VM-aware detection: the sample cannot tell it is being analysed by checking for a hypervisor
- Real environment
- Behaves fully as a real victim machine
Disadvantage:
- Costly
- Time-consuming to build, and to re-image after every infected run
12. How to build your own malware lab? (Cont'd ...)
Virtualization Lab
Advantage:
- Easy to deploy
- Minimum cost
- Easy to isolate (host-only or internal networking) and to roll back to a clean snapshot after each run
Disadvantage:
- VM-aware detection: malware may detect the virtual environment and change or suppress its behaviour
13. How to build your own malware lab? (Cont'd ...)
Steps for building your malware lab (taken from
http://zeltser.com/malware-analysis-toolkit/):
Step 1: Allocate physical or virtual systems for the analysis lab
Step 2: Isolate laboratory systems from the production environment
Step 3: Install behavioral analysis tools
Step 4: Install code-analysis tools
Step 5: Utilize online analysis tools
14. How to build your own malware lab? (Cont'd ...)
Operating system?
1. Windows XP
2. Windows 7
3. Linux (REMnux from Lenny Zeltser)
15. Tools included in Malware Lab
Honeypot (trap the malware)
Thug (low-interaction client honeypot: emulates a browser to collect drive-by downloads)
Ghost USB Honeypot (emulates a USB storage device to catch malware that spreads via removable drives)
16. Tools included in Malware Lab (Cont'd...)
Behavioral analysis tools
- Filesystem and registry monitoring:
CaptureBAT, Regshot, Filemon (now superseded by Procmon)
- Process monitoring:
Process Explorer, Process Hacker, Procmon
- PE file inspection (static, but handy alongside the monitors):
CFF Explorer, PEiD, PEView
- Network monitoring:
Wireshark, tcpdump, Tshark, TCPView, NetWitness, Netcat,
fakeDNS, ApateDNS (answer every DNS query with the lab's own IP, so the sample talks to your listener instead of its real server)
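fakeDNS and ApateDNS in the list above work by answering every DNS query with an address you control, so a sample's call-home lands on a listener on the analysis box (a Netcat listener, say) and shows up in Wireshark instead of reaching the real server. The script below is an added example, not one of the slides' tools, that implements that minimal fake resolver with the Python standard library only: build_fake_response() parses a query and answers A/IN questions with the address you pass in, serve() binds UDP/53 and logs each lookup, and build_query() constructs the kind of query a victim's resolver would send, for the demonstration. The domain and IP addresses used are invented.

```python
import socket
import struct
import sys


def parse_qname(data, offset=12):
    """Parse the QNAME label sequence starting at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        # Queries carry plain labels; compression pointers only appear in responses
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234, qtype=1):
    """Constructed client query (what the sample's resolver would send), for the demo."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_fake_response(query, answer_ip, ttl=60):
    """Echo the question back and answer any A/IN query with answer_ip.

    Non-A queries (AAAA, MX, ...) get an empty NOERROR answer so the client
    falls back to IPv4 rather than failing outright.
    """
    txid, flags = struct.unpack("!HH", query[:4])
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    is_a = qtype == 1 and qclass == 1
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, copy RD, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # 0xC00C = compression pointer to the name at offset 12; type A, class IN
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return name, header + question + answer


def serve(bind_ip, answer_ip, port=53):
    """Bind the fake resolver; point the victim VM's DNS setting at bind_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    print(f"fake DNS on {bind_ip}:{port}, answering {answer_ip}")
    while True:
        data, addr = sock.recvfrom(512)
        try:
            name, resp = build_fake_response(data, answer_ip)
        except (IndexError, struct.error):
            continue  # malformed packet: ignore it
        print(f"{addr[0]} -> {name}")  # every line here is a domain worth recording as an indicator
        sock.sendto(resp, addr)


if __name__ == "__main__":
    # Usage: python fakedns.py <bind_ip> <answer_ip>  (port 53 needs root/admin)
    serve(sys.argv[1], sys.argv[2])
```

Run it on the REMnux or host-only side of the isolated network, set the victim VM's DNS server to that address, and start a listener on the ports the sample uses (Netcat on 80/443 is the usual first guess); the printed domains and the captured connections are the indicators the rest of the analysis builds on.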
18. Tools included in Malware Lab (Cont'd...)
Sandboxing ???
Based on Wikipedia, “in computer security, a sandbox
is a security mechanism for separating running
programs. It is often used to execute untested
code, or untrusted programs from unverified
third-parties, suppliers, untrusted users and
untrusted websites.”
20. Tools included in Malware Lab (Cont'd...)
Online sandboxes for checking a malware sample:
- Anubis (http://anubis.iseclab.org/)
- GFI Sandbox (http://www.threattrack.com/)
- ThreatExpert (http://www.threatexpert.com/)
- Norman Sandbox
(http://www.norman.com/security_center/security_tools/)
Caveat: uploading a sample hands it to a third party; do not submit files that may contain sensitive data of the victim.
21. Tools included in Malware Lab (Cont'd...)
Online malware scanners:
- VirusTotal (https://www.virustotal.com/)
- Wepawet (http://wepawet.iseclab.org/)
→ web-based malicious apps detector
- AVG Web Scanner (
22. Tools included in Malware Lab (Cont'd...)
Online malware scanners:
A complete list can be found here:
http://www.pentestit.com/list-online-malware-scanners/
http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html