This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
1. Building a Malware Analysis Lab on a Budget
Chris Sanders
Charleston ISSA
January 2015
2. Chris Sanders
• Christian & Husband
• Mandiant
• Kentuckian and South Carolinian
• MS, GSE, et al.
• Non-Profit Director
• BBQ Pit Master
3. Chris Sanders
“[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.”
“[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.”
– Amazon Reviewers
4. Outline
Objectives:
Intro to Malware Analysis
Lab Networking
Lab Hardware
Lab Software
Other Resources
“How can I build a malware analysis lab without spending much money? What are some best practices?”
5. ***Disclaimer***
• You cannot be reckless while performing malware analysis.
• Malware can
– Erase your hard drive
– Permanently encrypt your data
– Hijack your social networking identity
– Hijack your real identity
6. Why Analyze Malware?
• It’s critical as a function of intelligence.
• It’s useful for understanding how systems work.
• It’s a desirable skill. If you can analyze malware well and enjoy it, we’ll hire you.
7. Malware Analysis Processes
• Behavioral Analysis
– Executing malware to observe behaviors
– Requires network knowledge and communication manipulation
• Code Analysis
– Reverse engineering malware by examining code
– Much harder, requires assembly and system level knowledge
9. Virtualization is a Must
• Free / Cheap
– VirtualBox, VMWare ESXi, VMWare Workstation
• Configurable Networking
– Instant setup of virtual networks
• Snapshots
– Create and restore points in time
10. Virtualization is a Must
Source: http://www.cybersquared.com.php53-7.dfw1-1.websitetestlink.com/wp-content/uploads/2012/06/snapshots_jpeg.jpg
11. Networking
• Isolated virtual networks
• Multiple guests can exist in these networks and communicate with each other
• Guests should not be able to communicate with the host
• Be EXTREMELY careful not to connect infected devices to the Internet
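A pre-detonation check that enforces the two rules from the Virtualization and Networking slides (guests only on an isolated internal network, never attached to the host or the Internet, and a clean snapshot taken before running anything). This is added example code, not from the talk: it parses the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` (the `nicN`, `intnetN` and `CurrentSnapshotName` keys are VirtualBox's own), and the VM names and sample output below are constructed.

```python
"""Pre-detonation check: parse `VBoxManage showvminfo <vm> --machinereadable`
output and flag adapters that could reach the host or the Internet."""
import re

# Only detached adapters or an internal network keep the guest off the host.
SAFE_ATTACHMENTS = {"none", "null", "intnet"}
UNSAFE_REASON = {
    "nat": "NAT gives the guest outbound Internet access",
    "natnetwork": "NAT network gives the guest outbound Internet access",
    "bridged": "bridged adapter puts the guest on the physical LAN",
    "hostonly": "host-only adapter lets the guest reach the host",
}


def parse_machinereadable(text):
    """Turn key="value" lines into a dict (values unquoted)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def check_isolation(text):
    """Return violation strings; an empty list means the guest is safe to run samples in."""
    info = parse_machinereadable(text)
    problems = []
    for key, value in sorted(info.items()):
        m = re.fullmatch(r"nic(\d+)", key)
        if m and value not in SAFE_ATTACHMENTS:
            reason = UNSAFE_REASON.get(value, "unknown attachment mode")
            problems.append(f"NIC {m.group(1)} is '{value}': {reason}")
    # A clean snapshot is the restore point you roll back to after each run.
    if "CurrentSnapshotName" not in info:
        problems.append("no snapshot: take a clean baseline before running samples")
    return problems


# Constructed sample output (not captured from a real VM). The victim guest
# has NIC 2 mistakenly left on NAT and no baseline snapshot yet.
SAMPLE_UNSAFE = 'name="win7-victim"\nnic1="intnet"\nintnet1="malnet"\nnic2="nat"\nnic3="none"\n'
SAMPLE_SAFE = ('name="remnux-gateway"\nnic1="intnet"\nintnet1="malnet"\nnic2="none"\n'
               'SnapshotName="clean-baseline"\nCurrentSnapshotName="clean-baseline"\n')

if __name__ == "__main__":
    for label, sample in (("win7-victim", SAMPLE_UNSAFE), ("remnux-gateway", SAMPLE_SAFE)):
        print(label, "->", check_isolation(sample) or ["OK: isolated, snapshot present"])
```

Run it against `VBoxManage showvminfo "<vm>" --machinereadable` output for every guest on the lab network before the first sample is copied in; any non-empty result means the network layout needs fixing first.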
13. Software
• Windows Operating Systems
– MSDN Accounts
– Leverage 30 Day Trials
– Windows 7
• Remnux
– Free malware analysis distro from Lenny Zeltser (SANS)
– Pre-built tools
14. Pro Tips™
• Color code your Virtual Machines
• Leave a terminal window with your IP open
• Snapshot early, snapshot often
• Don’t leave an infected machine unwatched
• Always encrypt + password protect malware during transmission
– Password: “infected”
16. Conclusion
• Malware analysis is an important security skill even if it isn’t your primary focus
• If you can do it well, you can find a job
• You can practice analyzing malware right now!
• The best way to learn is to do the real thing.