
Getting started with malware analysis



Posted

I am looking to dive into malware analysis and wanted to see if you guys have tips and/or resources to put me on the right track?

Anything you guys have, small or large, would be awesome. I can script and program, although I'm rusty, and do a lot of firewall admin/infrastructure security stuff now. I like the fact that knowing more about the enemy will allow me to make a more secure environment.

Either way, thanks for any advice you guys have.

Posted (edited)

I'm by no means able to understand ASM or really work through a debugger, but a lot of breaking down malware is done in a virtual machine using things like OllyDbg to see what the code does (knowing it will execute and run in a debugger, make sure you do this on a test machine, sandbox or VM that you can revert to a snapshot, not connected to your network).

For me, I like tools like PEiD to look at files to see what they are packed with, and UniExtract to unpack them and look at all the files their installers contain, and then send a zip of the unpacked files to VirusTotal, or send the unpacked installer to places like http://anubis.iseclab.org/

Anubis is really nice, since it shows what the file does to your system, the changes it makes, registry changes, and also will give you a pcap if the file tries to use the internet and communicate with a 3rd-party server for more downloads. You can open the pcap in Wireshark and then track down more info and keep digging into things.

Strings is also another tool I use, whether it's the built-in one for Linux or the one from Microsoft/Sysinternals - http://technet.micro...s/bb545021.aspx - it lets you pull readable text from files, which sometimes lets you see websites and other file download URLs embedded in executables.

Know that having a copy of malware on your system to dissect is dangerous, so as mentioned, do it in a sandbox or a VM, and tied off from your LAN. If you want to give it internet access to monitor what it does, then make sure it's isolated from everything else on the router (as in, disconnect all other devices, wired or wireless, on the same network when allowing the malware to connect to the internet).

Edited by digip
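The post above describes a static-triage loop: check the file for packing (PEiD), pull readable strings out of it for URLs and registry paths, and submit it for lookup. The script below is an added example written for this page, not code from the thread or from any of the tools mentioned; it shows how those three checks work under the hood, so you understand what PEiD and strings are actually doing before you trust their output. Everything it runs against is constructed inline: a PE-shaped byte blob with UPX section names, an embedded ASCII URL (example.invalid is a reserved, non-resolving name), a UTF-16LE registry path, and a deterministic high-entropy filler standing in for a packed section. The packer section-name list and the 7.0-bits-per-byte entropy threshold are common rules of thumb, not definitive signatures; treat a hit as a hint to dig further.

```python
# Added example, not part of the original thread: a minimal static-triage script
# (strings + packer hints + hash) run against a constructed, non-executable sample.
import hashlib
import math
import re
import struct

# Section names used by well-known packers (assumption: a common heuristic, not proof).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                   "MPRESS1", "MPRESS2", ".vmp0", ".vmp1", ".themida"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REG_RE = re.compile(r"(?:HK[A-Z_]+|Software|SOFTWARE|SYSTEM)\\[\w\\ .-]+")


def ascii_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII, the same thing `strings` prints by default."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = 6):
    """UTF-16LE runs; Windows malware keeps paths and keys here, and plain
    `strings` skips them unless you ask for 16-bit little-endian encoding."""
    return [m.group().decode("utf-16le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_chunk_entropy(data: bytes, chunk: int = 1024) -> float:
    """Packed or encrypted regions sit close to 8 bits/byte; a plain PE does not."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk))


def pe_section_names(data: bytes):
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return []
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first 40-byte section header
    names = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    a, w = ascii_strings(data), wide_strings(data)
    sections = pe_section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # look the hash up before uploading the file
        "sections": sections,
        "packer_hint": bool(set(sections) & PACKER_SECTIONS),
        "max_chunk_entropy": round(max_chunk_entropy(data), 2),
        "ascii_strings": a,
        "wide_strings": w,
        "urls": [u for s in a + w for u in URL_RE.findall(s)],
        "registry": [r for s in a + w for r in REG_RE.findall(s)],
    }


def _blob(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (constructed) standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample() -> bytes:
    """Constructed, non-executable PE-shaped bytes: UPX section names, no optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)     # i386, 2 sections, opt hdr size 0
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b"UPX0", b"UPX1"))
    body = (b"This program cannot be run in DOS mode.\r\n"
            b"http://example.invalid/update/payload.bin\x00"        # hypothetical C2 URL
            + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
            + _blob(4096))
    return bytes(dos) + b"PE\x00\x00" + coff + table + body


SAMPLE = build_sample()

if __name__ == "__main__":
    import json
    report = triage(SAMPLE)
    report["ascii_strings"] = report["ascii_strings"][:5]  # random filler yields junk strings too
    print(json.dumps(report, indent=2))
```

Two things the output teaches that the tools hide: the ASCII pass also returns junk runs from the high-entropy region (real `strings` output on a packed binary looks the same, so filter before you chase "URLs"), and the registry Run key only shows up in the wide pass, which is why Sysinternals strings or `strings -e l` matters on Windows samples. Hashing first lets you query VirusTotal for an existing verdict without uploading a sample that may be unique to your environment.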
