Full Disclosure: Malware analysis isn’t my area of expertise, but I have been looking for chances to learn more. Let’s learn together!
I was recently describing to a friend how phishing attacks work, one of the most common ways being word documents with a macro to run or download malicious code. Sure enough, several weeks later the same friend received a phishing email. “Speak of the Devil and he doth appear”. The goal of this series is to go through some beginner steps for analyzing malware, talk about some prevention methods for this and other attacks, and learn something new. Let’s begin!
Creating a Malware Analysis Lab Environment
One of the most important steps for malware analysis is setting up your own environment. You will be handling dangerous software and you don’t want to infect your own machine and risk your data. Furthermore, if you want to do any dynamic analysis you will need to isolate it from the network so that it doesn’t attack anything on the network.
Step 1: Creating the Analysis System
One of the most convenient environments for analyzing malware is in a virtual machine. Virtual machines give us the ability to isolate the device on the network as well as saving and reverting states which allows us to infect and revert easily.
Here are some of the options available for virtualization:
- VMWare Workstation, Player, Fusion, etc.
- Microsoft Virtual Server
In this guide specifically, I will be using VMWare Workstation for some of the network and snapshotting features.
Note: Some malware can detect if it is being run in a virtual machine which can cause it to behave differently. This is actually becoming more rare, thanks to the increasing popularity of virtualization. In these rare cases it’s possible to turn off certain VM features, use different VM technologies, or use real (isolated) hardware instead.
Next we want to select an OS. In this case, we had a Word document as the delivery method so we want something Windows. I picked Windows 7.
Step 2: Tools
To analyze malware we need tools and there are many great free ones out there.
This is a full suite of tools that is extremely useful in understanding Windows as well as in malware analysis.
A couple of highlights:
- Process monitor- shows real-time file system, registry, and process/thread activity
- System Monitor- logs system activity to the Windows Event log
- Process Explorer- a more detailed version of Task Manager
- Autoruns- shows what programs are configured to run at boot or login.
Creating Registry Keys is a common method used by malware to maintain persistence. This tool allows us to compare the registry values before and after running the malware.
Process hacker is another process analysis tool that can give a much clearer picture of what is happening when processes run.
PeStudio can be used for static analysis of executables. It checks external resources like Virustotal, shows anomalies, imported libraries, resources used, and more.
This behavior analysis tool can analyze the behavior of executables (imagine that). More specifically it monitors the file system, registry, and processes and performs analysis.
IDA is the one of the main static analysis tools used for malware analysis. If you want to fully reverse engineer the malware and understand it at the assembly level, this tool is for you.
OllyDbg is a debugger, it can be used to run malware step by step and see what happens. Another extremely useful tool.
Wireshark allows you to track network activity. Very useful for dynamic analysis, allowing you to see which systems the malware tries to contact.
Remnux is a Linux distribution delivered as a virtual machine, which offers many reversing tools including ones already mentioned here.
There are plenty of tools that I have missed but hopefully this gives you an idea of some tools to look into.
Step 3: Network Isolation
In VMWare Workstation we can create a virtual lab that cannot communicate with anything outside of it. To do so, go to Edit > Virtual Network Editor. Add a network, select host only, use local DHCP service.
Then for the virtual machine set the network adapter to our newly created one. I also recommend disabling all of the guest isolation options. Now our dirty machine can no longer reach anything on the network.
That’s great, but what if our malware downloads other files or tries to exfiltrate data? Since it is on an isolated, non-Internet connected network, how can we see what it will do? Another great tool that we have available to us is INetSim. INetSim is useful for responding to any traffic from our malware sample. If our malware tries to download an executable, we can send it an executable. If it tries to make DNS calls to find its C2 server, we can fake that response. These features are invaluable for further dissecting the malware.
For the next item in this series we will take a look at the original phishing document. We will get to see the initial method of compromise and get an idea of how to prevent future issues.