
I often run into infected devices in my environment and would like to learn more about the specific infections that have gotten in. What are the best tools and techniques I could use to do this? I was thinking of taking an image of the device and creating a virtual machine so I could run tests, kill it and create a new infected VM from scratch.

user3622268

2 Answers

Malware analysis should be done in a VM, preferably disconnected from the Internet. This is mainly to protect your system, and stop it from spreading (if the malware has that capability). You can also use snapshots, or sometimes you can set up a VM to never keep state. VirtualBox is free and will do the job. VMWare Player is also free, but limited. It doesn't allow the use of snapshots, unfortunately.

There are various tools out there to help you with malware analysis. Being disconnected from the Internet can sometimes stop the malware from executing its malicious code. There are a couple of sandboxing tools that will listen on ports, and respond to network requests appropriately in order to coerce the malware into continuing its operation. The one recommended by Practical Malware Analysis is FakeNet. With FakeNet you can even design custom responses to proprietary protocols, and/or non-standard ports.

Cuckoo Sandbox is an open source tool that can provide analysis reports on the malware during its operation. It can track system calls, keep copies of files created (even if they're later deleted) by the malware, and give memory dumps of the entire system. A very powerful tool.

Most malware is packed, so you'll want to make sure that you can unpack binaries, extract resources, etc. UPX is the most common. CFF Explorer is pretty handy for analyzing resources, and includes a UPX utility. You might want to check out these 5 tools recommended by MAMB.

These tools will give you a great look at what the malware is doing on a system. However, if you need to get down to the gritty details you'll want your ever popular IDA Pro. This is mainly for more complicated malware that you can't coerce into running. Some malware will start up in suspended threads to run later. Some just know that you're not connected to the Internet via their own checks. So you'll have to depend on the disassembly for figuring out what they're trying to accomplish.

Other tools that are helpful: debuggers. WinDbg or OllyDbg are the two most common, but there are lots of options. They allow you to attach to the piece of malware while it's running, set breakpoints, inspect memory, etc.

RoraΖ
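As an added example (not from either answer), a small Python triage script for the packing point made above: it walks the PE section table and flags UPX-style section names, sections with no data on disk, and high-entropy sections, all of which suggest the sample needs unpacking before static analysis. The sample PE bytes are constructed inline for the demo and are not a real executable.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    # bits per byte; compressed or encrypted data sits close to 8.0
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Walk the PE section table; returns [(name, raw_size, entropy), ...]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII16x", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_size, round(shannon_entropy(raw), 2)))
    return sections

def packer_indicators(pe: bytes) -> list:
    """Reasons a sample looks packed: UPX names, empty sections, high entropy."""
    reasons = []
    for name, raw_size, ent in pe_sections(pe):
        if name in ("UPX0", "UPX1", "UPX2"):
            reasons.append(f"{name}: section name matches the UPX stub")
        if raw_size == 0:
            reasons.append(f"{name}: no data on disk, filled in at runtime")
        elif ent > 7.0:
            reasons.append(f"{name}: entropy {ent} looks compressed or encrypted")
    return reasons

# Constructed, minimal PE-shaped byte string (not a runnable executable): two
# UPX-named sections, one empty on disk and one holding 256 distinct byte values.
SAMPLE_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # DOS header, e_lfanew = 0x40
    + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # COFF header, 2 sections, no optional header
    + struct.pack("<8sIIII16x", b"UPX0", 0x1000, 0x1000, 0, 0)
    + struct.pack("<8sIIII16x", b"UPX1", 0x100, 0x2000, 256, 0xA8)
    + bytes(range(256))                                                # raw data of UPX1 at 0xA8
)
```

Run `packer_indicators(SAMPLE_PE)` to see the four indicators the constructed sample triggers; on a real file, read it with `open(path, "rb").read()` and apply the same checks before reaching for CFF Explorer or UPX.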

You could take a memory image with Moonsols DumpIt and analyze the image with Volatility. You can also use Mandiant Redline to collect a memory image as well and perform some generic analysis of what could be bad.

If you have a tap or SPAN port set up, you could go back and analyze the packets if you were doing full packet capture.

You could use sysinternals tools like autoruns, process explorer and process monitor to get a quick idea of what is going on.

Once you are able to isolate the malware, you could copy that off and run it in a sandbox like malwr or in a safe VM like you mentioned. I would recommend checking out the book Practical Malware Analysis on how to safely set up a VM and what tools to use for both dynamic and static analysis.

tyh