Building a Secure Lab Environment

Presenter Notes

Why

Do not run malware in the host environment...

More control

  • Networking, file systems, easy to remove an infection

However

  • It is easy for malware to detect that it is running in a VM, and it can change its behaviour when it does


Use a Virtual Machine

Inception... an OS within an OS

Host = base machine

Guests = virtual machines within host

Snapshot the VM regularly (before running the malware, and possibly during the run to capture key moments in time)


Create a new VM with whatever tool you prefer

Windows is the common guest OS in malware analysis

Preload it with tools

  • PEView
  • A Debugger
  • IDA
  • FakeNet
  • INetSim
  • Winpmem
  • Volatility
  • PEiD
  • All the tools


Disable internet connectivity (at first)

Do not allow the malware sample to phone home or connect to the internet...

Only allow the malware to connect to controlled networks, such as a host running INetSim that fakes the services it expects

Host-only networking is useful when those fake services run on a separate VM: guests reach each other and the host, but nothing reaches the real internet


Sandboxes

A security mechanism that separates running programs from the rest of the system.

Execute untrusted code and observe what it does.

Will show

  • Network communication
  • General information about the file
  • DLLs used
  • Registry activity
  • File activity
  • Process activity


Common Malware Sandboxes

Anubis

  • Upload a file
  • View Report

Malwr

  • Uses Cuckoo to produce the report

Cuckoo

  • Open source automated malware analysis system
  • Run a file in the sandbox and an extensive report is produced
  • Remember YARA?


Cuckoo

Matches signatures against the observed actions

Shows API calls!

Finds process hollowing (hollow process injection) with a signature like this one:

# Cuckoo evented signature for process hollowing. The on_call body is the
# signature logic; the class scaffold and __init__ are shown so the state it
# relies on (sequence, handle sets, signs) is defined. Metadata is illustrative.
from lib.cuckoo.common.abstracts import Signature

class InjectionProcessHollowing(Signature):
    name = "injection_process_hollowing"
    description = "Executed a process and injected code into it"
    evented = True

    def __init__(self, *args, **kwargs):
        Signature.__init__(self, *args, **kwargs)
        self.sequence = 0             # how far through the hollowing sequence we are
        self.process_handles = set()  # handles of child processes the sample created
        self.thread_handles = set()   # handles of those children's main threads
        self.signs = []               # calls that contributed to the match

    def on_call(self, call, process):
        # Step 0: the sample creates a child process (typically suspended)
        if call["api"] == "CreateProcessInternalW":
            self.process_handles.add(self.get_argument(call, "ProcessHandle"))
            self.thread_handles.add(self.get_argument(call, "ThreadHandle"))
            self.signs.append(call)

        # Step 1: the child's image is unmapped or new memory is allocated in it...
        elif (call["api"] == "NtUnmapViewOfSection" or call["api"] == "NtAllocateVirtualMemory") and self.sequence == 0:
            if self.get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence = 1
                self.signs.append(call)

        # ...or the sample reads the child thread's context
        elif call["api"] == "NtGetContextThread" and self.sequence == 0:
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence = 1
                self.signs.append(call)

        # Steps 2/3: a payload is written or mapped into the child
        elif (call["api"] == "NtWriteVirtualMemory" or call["api"] == "WriteProcessMemory" or call["api"] == "ZwMapViewOfSection") and (self.sequence == 1 or self.sequence == 2):
            if self.get_argument(call, "ProcessHandle") in self.process_handles:
                self.sequence = self.sequence + 1
                self.signs.append(call)

        # Steps 2/3: the thread context (entry point) is redirected to the payload
        elif (call["api"] == "SetThreadContext" or call["api"] == "NtSetContextThread") and (self.sequence == 1 or self.sequence == 2):
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.sequence = self.sequence + 1
                self.signs.append(call)

        # Final step: the hijacked thread is resumed; report the whole sequence
        elif call["api"] == "NtResumeThread" and (self.sequence == 2 or self.sequence == 3):
            if self.get_argument(call, "ThreadHandle") in self.thread_handles:
                self.signs.append(call)
                self.add_match(process, 'api', self.signs)
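To show how that sequence matcher behaves on a call trace, here is a stand-alone re-implementation that runs without Cuckoo. It is an added example, not Cuckoo's code: the call record shape (`{"api": ..., "arguments": [{"name": ..., "value": ...}]}`), the `get_argument` helper, the `scan()` driver and the handle values in the three traces are all assumptions modelled on the signature above, and the traces are constructed, not captured from a real run. The third trace illustrates the point of the handle sets: memory writes aimed at a handle the sample did not obtain from `CreateProcessInternalW` never advance the sequence.

```python
class HollowingDetector:
    """Mirrors the Cuckoo signature's state machine for one analysed process:
    create child -> unmap/alloc or get context -> write/map and/or set context
    -> resume thread, each step checked against handles the sample created."""

    CREATE = "CreateProcessInternalW"
    UNMAP_OR_ALLOC = ("NtUnmapViewOfSection", "NtAllocateVirtualMemory")
    GET_CONTEXT = "NtGetContextThread"
    WRITE_OR_MAP = ("NtWriteVirtualMemory", "WriteProcessMemory", "ZwMapViewOfSection")
    SET_CONTEXT = ("SetThreadContext", "NtSetContextThread")
    RESUME = "NtResumeThread"

    def __init__(self):
        self.sequence = 0
        self.process_handles = set()
        self.thread_handles = set()
        self.signs = []

    @staticmethod
    def get_argument(call, name):
        # Assumed call layout: {"api": ..., "arguments": [{"name": ..., "value": ...}, ...]}
        for arg in call.get("arguments", []):
            if arg["name"] == name:
                return arg["value"]
        return None

    def _owns_process(self, call):
        return self.get_argument(call, "ProcessHandle") in self.process_handles

    def _owns_thread(self, call):
        return self.get_argument(call, "ThreadHandle") in self.thread_handles

    def on_call(self, call):
        """Feed one API call; return True once the complete sequence has been seen."""
        api = call["api"]
        if api == self.CREATE:
            self.process_handles.add(self.get_argument(call, "ProcessHandle"))
            self.thread_handles.add(self.get_argument(call, "ThreadHandle"))
            self.signs.append(call)
        elif api in self.UNMAP_OR_ALLOC and self.sequence == 0 and self._owns_process(call):
            self.sequence = 1
            self.signs.append(call)
        elif api == self.GET_CONTEXT and self.sequence == 0 and self._owns_thread(call):
            self.sequence = 1
            self.signs.append(call)
        elif api in self.WRITE_OR_MAP and self.sequence in (1, 2) and self._owns_process(call):
            self.sequence += 1
            self.signs.append(call)
        elif api in self.SET_CONTEXT and self.sequence in (1, 2) and self._owns_thread(call):
            self.sequence += 1
            self.signs.append(call)
        elif api == self.RESUME and self.sequence in (2, 3) and self._owns_thread(call):
            self.signs.append(call)
            return True
        return False


def scan(trace):
    """Run the detector over a list of calls; return the matched API names or None."""
    detector = HollowingDetector()
    for entry in trace:
        if detector.on_call(entry):
            return [c["api"] for c in detector.signs]
    return None


def call(api, **handles):
    """Build a call record in the assumed layout (constructed data, not a real trace)."""
    return {"api": api, "arguments": [{"name": k, "value": v} for k, v in handles.items()]}


# Constructed traces: a textbook hollowing sequence, a benign suspended
# create/resume, and writes aimed at a handle the sample did not create.
HOLLOWING_TRACE = [
    call("CreateProcessInternalW", ProcessHandle="0x1c", ThreadHandle="0x20"),
    call("NtUnmapViewOfSection", ProcessHandle="0x1c"),
    call("NtWriteVirtualMemory", ProcessHandle="0x1c"),
    call("NtSetContextThread", ThreadHandle="0x20"),
    call("NtResumeThread", ThreadHandle="0x20"),
]
BENIGN_TRACE = [
    call("CreateProcessInternalW", ProcessHandle="0x1c", ThreadHandle="0x20"),
    call("NtResumeThread", ThreadHandle="0x20"),
]
FOREIGN_HANDLE_TRACE = [
    call("CreateProcessInternalW", ProcessHandle="0x1c", ThreadHandle="0x20"),
    call("NtAllocateVirtualMemory", ProcessHandle="0xffffffff"),  # not the child's handle
    call("NtWriteVirtualMemory", ProcessHandle="0xffffffff"),
    call("NtResumeThread", ThreadHandle="0x20"),
]

if __name__ == "__main__":
    for label, trace in [("hollowing", HOLLOWING_TRACE), ("benign", BENIGN_TRACE),
                         ("foreign handle", FOREIGN_HANDLE_TRACE)]:
        print(f"{label}: {scan(trace)}")
```

Running it reports the five matched calls for the first trace and `None` for the other two. Note that the matcher, like the original, only needs two of the write/set-context steps before the resume, so a sample that reads the thread context, writes once and resumes still matches.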
