
Malware


Building a Malware Analysis Lab
In a world where antivirus companies simply can't keep up with the number of malware samples submitted to them in a given day, it is becoming crucial that organizations have their own malware analysis capabilities.

Defining Lab Scope
The scope of the malware analysis lab can be defined by examining the processes that will occur within it. There are two main tasks that occur within a malware analysis lab: behavioral analysis and code analysis.

Behavioral Analysis
Behavioral analysis involves executing a malware specimen in a controlled environment.
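One piece of that controlled environment is a stand-in for the services the sample will reach for, and DNS is normally the first thing a sample touches. The following is an added example, not code from the article: a minimal DNS sinkhole that answers every A query with the analyst's own address and logs what was asked, so the sample believes its name resolved and moves on to its next step while the lab records the names it wanted. The sinkhole IP, the test hostname and the listening port are assumptions; point the isolated guest's resolver at the machine running it.

```python
"""Minimal DNS sinkhole for an isolated malware lab (added example, not from the article).

Every A/IN query is answered with SINKHOLE_IP and logged; other record types get an
empty NOERROR reply. Assumes one question per packet and no name compression in
queries, which is what stub resolvers send.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: the analyst box on the isolated lab segment
QTYPE_A = 1
QCLASS_IN = 1


def parse_name(data: bytes, offset: int):
    """Decode a label sequence at offset; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in the question of a query
            raise ValueError("unexpected compression pointer in query name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet: bytes):
    """Return (txid, flags, name, qtype, qclass, raw question section)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, flags, name, qtype, qclass, packet[12:off + 4]


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (used to exercise the sinkhole offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(packet: bytes, sink_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Answer an A/IN query with sink_ip; anything else gets NOERROR with no answers."""
    txid, flags, _name, qtype, qclass, question = parse_query(packet)
    # QR=1, AA=1, RA=1, RCODE=0, and copy the client's RD bit
    rflags = 0x8580 | (flags & 0x0100)
    answer = b""
    ancount = 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # NAME is a pointer to offset 12 (the question name); TYPE A, CLASS IN, TTL, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return header + question + answer


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Listen on UDP, log every query name and sinkhole the answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, _, name, qtype, _, _ = parse_query(data)
        except ValueError as exc:
            print(f"{peer[0]}: dropped malformed packet ({exc})")
            continue
        print(f"{peer[0]} asked for {name} (qtype {qtype})")
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

The names a sample asks for are often the most useful output of a behavioral run, so the log line is the point, not the reply; the same pattern (parse the request, log it, answer with something the sample will accept) is what a fake HTTP or SMTP service in the lab does for its protocol.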

Within the lab environment you should have all of the tools necessary to simulate the services the malware will try to interact with. The behavioral and code analysis phases are very different, but both are essential for performing a thorough analysis.

Operating System Considerations
Malware behaves drastically differently depending on the operating system it is executed on. The remaining sections of the article are titled Network Isolation, Physical vs., Snapshots, Rapid OS Deployment, Advanced Networking and Standardized Hardware.

Binders and Malware (Part 4)
If you missed the previous parts in this article series, please read them first. If you would like to be notified when Don Parker releases the next part in this article series, please sign up to the WindowSecurity.com Real Time Article Update newsletter.

In the last part of this article series we will look at our newly created malware in a variety of ways. First we shall view it in a hex editor, which allows us to inspect its contents safely, i.e. without executing it. From the hex editor view we will come away with some key information. From there we will use the tools LordPE and Procdump to dump the actively running trojan server from memory, which lets us look at the malware while it is running.

Practice safe hex
I remember seeing a t-shirt with the above "Practice safe hex" slogan somewhere online before.

Figure 1

Every Windows executable in the Portable Executable (PE) format begins with the ASCII characters "MZ". That is the signature of the legacy DOS header that PE files retain for compatibility; the 32-bit value at offset 0x3C of that header points to the "PE\0\0" signature where the PE headers proper begin. "MZ" alone therefore tells you only that the file is a DOS or Windows executable; the PE signature is what confirms the format.

Figure 2

Wrapup.

Binders and Malware (Part 3)

We left off in part two having finished configuring and building our bound piece of malware using the binder called YAB. We will now look at and execute the bound malware, beginning with what it looks like and how it behaves once executed by an unsuspecting user. Recall that we used the actual Pong.exe icon to represent our malware, which made the malicious program seem all the more legitimate.

We will monitor the actual installation of the malware via a couple of tools that I covered before.

What does it look like?
As mentioned earlier, let us take a look at this malware from the user's perspective.

Figures 1 to 5 (screenshots not reproduced in this excerpt)

Quick recap.

Binders and Malware (Part 2)
Of binders and malware
In part one we left off having configured the Optix Pro server as our piece of malware.

It is this trojan server that we will graft onto the legitimate game program Pong.exe, using the binder program called YAB. A binder is a program that takes two executable files and combines them into one. It is important to realize that by "combine" I do not mean mixing the two together, as you would the ingredients for a cake: each original file is carried intact inside the new one.

The binder YAB
There are many different binders to be found on the Internet.
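Part 4 of this series inspects the bound file in a hex editor, reading the "MZ" and PE signatures, and the defining property of a binder, as just described, is that the second executable is carried intact inside the first rather than blended into it. A common way to do that (I make no claim about how YAB lays out its output) is to append the payload after the last PE section, leaving an overlay that the Windows loader ignores. The following is an added example of mine, not code from the article or from YAB: it walks the PE headers the way the hex-editor inspection does and reports any overlay and whether that overlay itself starts with "MZ". The sample PE is constructed inside the block, since the article's Pong.exe is not available here.

```python
"""PE header walk and overlay check (added example, not from the article).

Mirrors what the hex-editor inspection looks for: the "MZ" DOS signature, e_lfanew
at 0x3C, the "PE\0\0" signature and the section table. The overlay check flags bytes
after the last section, where a binder may append the second executable. The sample
PE built here is constructed and is not the article's Pong.exe.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def hexdump(data: bytes, length: int = 64, width: int = 16):
    """Return hex-editor style lines for the first `length` bytes."""
    lines = []
    for off in range(0, min(length, len(data)), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header present but no PE signature at e_lfanew")
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    return {"machine": machine, "characteristics": characteristics,
            "image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def find_overlay(data: bytes):
    """Return (offset, size) of data past the end of the last section, or None."""
    sections = parse_pe(data)["sections"]
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return (end, len(data) - end) if len(data) > end else None


def overlay_report(data: bytes) -> dict:
    """Summarise the overlay the way a binder check would read it."""
    ov = find_overlay(data)
    if ov is None:
        return {"has_overlay": False}
    off, size = ov
    return {"has_overlay": True, "offset": off, "size": size,
            "overlay_is_mz": data[off:off + 2] == b"MZ"}


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32 with .text and .data plus an optional overlay."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                   # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                   # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                    # FileAlignment
    secs = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR, b".data", 0x40, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + b"D" * 0x200 + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    bound = build_sample_pe(clean)           # a second PE appended as the overlay
    print("\n".join(hexdump(bound, 32)))
    print(parse_pe(bound)["sections"])
    print(overlay_report(clean), overlay_report(bound))
```

An overlay on its own is not proof of binding: installers, self-extracting archives and Authenticode-signed files legitimately carry data beyond the last section. An overlay that itself begins with "MZ" is a much stronger sign, and a sample whose overlay is encrypted or compressed shows nothing useful on disk at all, which is exactly why Part 4 goes on to dump the running process from memory.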

Figure 1
You will note that the other little dialog box, called "Icon Preview", is not seen in the screenshot above.

Figure 2
I will now only comment on the information that we need to fill in or change in order to use YAB properly.

Figure 3
There are many options in YAB that you can play around with, and I would encourage you to do so.

Figures 4 to 8

Binders and Malware (Part 1)
The problem of malware is neither new, nor is it going to go away any time soon. There is far too much money involved for the criminals who use Trojans, viruses and bot armies to simply give up on them. It is not only home users who are targeted by these malware attacks, but corporate end-users as well.

That brings us to the point of this article series. It is only through education that this problem can be eradicated. This article is aimed squarely at the system administrator (sysadmin) working in any corporate network setting. We will now show our end-users just how malware gets grafted onto a legitimate-looking program.

Let's get started
Please note that I have not linked to the malware binder called YAB or to the trojan called Optix Pro.

Figures 1 and 2
From there we will click on the "Main Settings" menu.

Figures 3 and 4

Wrap Up.

Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
If you would like to read the other parts in this article series please go to:
Introduction
In parts 1 and 2 of this three-part series, we looked at how you can use Process Explorer and Autoruns to identify malicious software on a Windows system.

Since the publication of the first article, a new version of Process Explorer (v15.01) has been released this month, so be sure to get the latest version. The new version uses less memory, displays GPU usage and adds the ability to restart services. The performance graphs look nicer, too.

Installing and Using Process Monitor
Process Monitor replaces the old FileMon and RegMon tools, combining and updating the functionality of both.

So what can you do with it? You can download and install Process Monitor on your machine (it's a 1.26 MB download), or you can run it directly from Live.Sysinternals.com.

Figure 1
You can add many other columns for additional information about the application, the event and process management, as shown in Figure 2.

Hunt Down and Kill Malware with Sysinternals Tools (Part 2) - Autoruns
Introduction
In part 1 of this series, I recapped some of what I learned from Mark Russinovich at this year's MVP Summit about using Process Explorer to find suspicious processes that might indicate malware running on your system. This month, in Part 2, I will talk about how you can use the Autoruns tool to find malware that launches at startup.

Autoruns Overview
The next tool we're going to look at is Autoruns, which shows you what programs are set up to run during the system boot and login process.
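Autoruns' value for hunting lies in working through the whole list rather than any single entry, and the command-line autorunsc in the same download can export that list as CSV for scripted triage. The following is an added example, not code from the article or from Sysinternals: it reads such a CSV and flags entries whose signature did not verify, whose image file is missing, whose image lives in a user-writable directory, or which borrow a system binary's name outside system32. The sample CSV is constructed, and the column names and the "(Verified)" signer prefix follow what `autorunsc -accepteula -a * -c -s -nobanner` produced on the version I have in mind, so treat them as an assumption and check your own output.

```python
"""Triage of an autorunsc CSV export (added example, not from the article).

Assumed export command: autorunsc -accepteula -a * -c -s -nobanner > autoruns.csv
The column names and the "(Verified)" / "(Not verified)" signer prefix are taken
from that output as I have seen it; confirm them against your own version.
SAMPLE_CSV below is constructed, not a real capture.
"""
import csv
import io

SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20230101-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
20230101-120000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,LAB\analyst,,(Not verified) ,,c:\users\analyst\appdata\roaming\updater\svchost.exe,,C:\Users\analyst\AppData\Roaming\updater\svchost.exe -silent
20230101-120000,HKLM\SYSTEM\CurrentControlSet\Services,NetSvcHelper,enabled,Services,System-wide,,,,File not found: C:\ProgramData\nsh.sys,,C:\ProgramData\nsh.sys
20230101-120000,Task Scheduler,\GoogleUpdateTaskMachineUA,enabled,Tasks,System-wide,Google Updater,(Verified) Google LLC,Google LLC,c:\program files (x86)\google\update\googleupdate.exe,1.3.36.151,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
"""

# Directories an unprivileged user (and so a dropper running as that user) can write to
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Names that legitimately live under system32; the same name elsewhere is a classic masquerade
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def triage_rows(rows):
    """Return [(entry location, entry, image path, [reasons])] for suspicious rows."""
    flagged = []
    for row in rows:
        reasons = []
        signer = (row.get("Signer") or "").strip().lower()
        path = (row.get("Image Path") or "").lower()
        if not signer.startswith("(verified)"):
            reasons.append("signature not verified")
        if path.startswith("file not found"):
            reasons.append("image missing on disk")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        basename = path.rsplit("\\", 1)[-1]
        if basename in SYSTEM_NAMES and "\\windows\\system32\\" not in path:
            reasons.append("system binary name outside system32")
        if not row.get("Description") and not row.get("Company"):
            reasons.append("no description or company metadata")
        if reasons:
            flagged.append((row["Entry Location"], row["Entry"], row["Image Path"], reasons))
    return flagged


def triage_csv(text: str):
    """Parse autorunsc CSV text and triage it."""
    return triage_rows(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for location, entry, image, reasons in triage_csv(SAMPLE_CSV):
        print(f"{entry:<20} {image}\n    {location}\n    " + "; ".join(reasons))
```

Signature verification is the check that does most of the work, which is why the GUI's option to hide signed Microsoft entries is the usual first filter; the remaining heuristics catch the two patterns that unverified entries most often share, a binary dropped somewhere the user could write and a service or Run key pointing at a file that has already been deleted.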

Autoruns is very configurable, allowing you to display not only the programs in the Startup folder and the Run and RunOnce registry keys, but also Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, autostart services and a lot more, shown in the order in which Windows processes them. The command-line version, autorunsc, is included in the same download.

Figure 1

Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
Introduction
For the past few years, each time I've attended the annual MVP Summit in Redmond, a highlight of the conference has been Mark Russinovich's presentation.

This past March, his talk dealt with a particularly fascinating topic: how to use some of the popular Sysinternals tools he created to hunt down malware on your system. The Sysinternals tools are free to download from the Windows Sysinternals page on the TechNet web site.

Automated vs.
There are many malware detection and cleaning applications, including Microsoft's own Malicious Software Removal Tool (MSRT), which is a free download. Such tools only recognize what their vendor has already analyzed and shipped signatures for, which means users are left unprotected against new threats for some amount of time, depending on how rapidly the vendor can create, test and deploy updates. Hence the need for manual malware cleaning methods.

Manually Identifying and Cleaning Malware
Disconnect the machine from the network.

Viruses, trojans and other malware Articles & Tutorials.
Contagio.
View topic - List of Malware Sources.