izatt82 Posted December 15, 2012 I am looking to dive into malware analysis and wanted to see if you guys have tips and/or resources to put me on the right track? Anything you guys have, small or large, would be awesome. I can script and program, although rusty, and do a lot of firewall admin/infrastructure security stuff now. I like the fact that knowing more about the enemy will allow me to make a more secure environment. Either way, thanks for any advice you guys have.
Mr-Protocol Posted December 15, 2012 I have this book, have yet to read it though lol. http://nostarch.com/malware
digip Posted December 16, 2012 (edited) I'm by no means able to understand ASM or really work through a debugger, but a lot of breaking down malware is done in a virtual machine using things like OllyDebug to see what the code does (knowing it will execute and run in a debugger, make sure you do this on a test machine, sandbox or VM that you can revert to a snapshot, not connected to your network).

For me, I like tools like PEiD to look at files to see what they are packed with, and UniExtract to unpack them and look at all the files their installers contain, and then send a zip of the unpacked files to VirusTotal, or send the unpacked installer to places like http://anubis.iseclab.org/ Anubis is really nice, since it shows what the file does to your system and changes, registry changes, and also will give you a pcap if the file tries to use the internet and communicate with a 3rd party server for more downloads. You can open the pcap in Wireshark and then track down more info and keep digging into things.

Strings is also another tool I use, whether it's the built-in one for Linux, or the one from Microsoft/SysInternals - http://technet.micro...s/bb545021.aspx It lets you pull readable text from files, which sometimes lets you see websites and other file download URLs embedded in executables.

Know that having a copy of malware on your system to dissect is dangerous, so as mentioned, do it in a sandbox, or a VM, and tied off from your LAN. If you want to give it internet access to monitor what it does, then make sure it's isolated from everything else on the router (as in, disconnect all other devices, wired or wireless, on the same network when allowing the malware to connect to the internet). Edited December 16, 2012 by digip
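The strings step digip describes, as an added example that is not code from the thread: a small Python equivalent of what the SysInternals strings tool does, pulling both ASCII and UTF-16LE runs (Windows binaries often keep URLs as wide strings, which the default Linux strings misses) and then picking out the URL-like ones. The byte blob, hostnames and offsets are constructed stand-ins for an unpacked installer.

```python
"""Pull readable strings (ASCII and UTF-16LE) from a binary blob and
flag the URL-like ones, roughly what SysInternals strings plus a grep
would give you. The SAMPLE below is constructed, not a real sample."""
import re

MIN_LEN = 4  # shortest run worth reporting, same default as strings
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    # Run of printable ASCII bytes
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII byte followed by a NUL byte
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_urls(blob: bytes):
    """URLs embedded in either encoding, de-duplicated, in first-seen order."""
    urls = []
    for _, _, text in extract_strings(blob):
        for url in _URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


# Constructed stand-in for an unpacked installer: an MZ header, some junk,
# an ASCII download URL, a wide-char (UTF-16LE) URL, and a registry path.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/dl/update.exe\x00"
    + b"\xff\xfe"
    + "https://c2.example.invalid/beacon".encode("utf-16-le")
    + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:9s} {text}")
    print("URLs:", find_urls(SAMPLE))
```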
izatt82 (Author) Posted December 17, 2012 Thanks guys, this should be a fun ride. hahah