Dynamic malware analysis Part I

     I was always fascinated by the computer security industry. Smart people on both sides (good/bad) of the baricade, a lot of dreams, ambition and everything i could ever wish.  The best part of it it's the dinamic in this field: if there's a 0-day detected now, in half a minute it's on twitter and after half a day it's already old news.
     I myself strongly believe that a real security guy is one that deals with data and application security, not host or network security (I don't try to be a troll or disrespect Jeremiah's  Grossman/RSnake's/all the talented people's work, but this is my oppinion).

     When faced with the threat of a malware, the course of action is somehow simple:
     1. Identify the malware that infected your system.
     2. Remove the malware(s), backdoor(s) and all the holes in your system.
     3. Asses the damage that has been done and patch your system to avoid further infections.

     I could go into specifics here, to tell you how exactly to do every big step that i've written, but i think that there are a lot of papers that do this already(if you really want and need, i could go into specifics as a future post).
     Learning what a malware does by yourself, that's a whole nother problem. It's just like in real time: there's one thing to see a house design that you like and copy it, and another thing to design your own house from scratch by yourself.
     What do i mean with that example? It's easy to get rid of the malware by using the proper application (or even installing the right antivirus), but it's very hard to try to figure by yourself what that malware does, and how. What are the challenges? Well, let's see:
     1. Get a sample of the malware.
     2. Perform a dynamic and static analysis on the malware, so that you have an ideea what does the malware do.
     If stage (1 & 2 == proper) then "document the analysis" && "write a tool"
else "read from  people smarter than you" && "learn harder" && "repeate stage 1 and 2"
     Modern malware make researchers face many problems, like: advanced obfuscation, anti-debugging, anti-dumping, EPO (Entry Point Obfuscation), resource encryption, virtual machine detection, anti-patching, metamorphism, memory protection, and these are only a few. Running your malware through OllyDbg or attaching it to ImmunityDbg doesn't cut it anymore.
     So let's say you find a malware sample. You create yourself a virtual lab (for obvious reasons). You to dissasemble the malware with IDA, but it get's you nowhere. What do you do? Or better yet, what can you do? Dynamic malware analysis is the answer.

     I've tried a quite large number of sandboxes. Starting with CWSandbox, Anubis, ThreatExpert, Norman Sandbox Analyzer, Zero Wine, Comodo Instant Malware Analysis, EUREKA Malware Analysis and many more. Some do good, others do not so good, but i think i've found a solution that works for me (of course that an antivirus has it's own tools, produced in-house, but you almost never have access to those tools).

     I've once heard of a sandbox called Sandboxie, and i felt in love with the general concept. I thought to myself: what if I could implement this sandbox in order to study malware? For a few minutes i thought: what if i hijack all the API calls that are made and just list them? This would be awesome from a malware researcher POV. 

     And then I totally forgot about it. And good that i did. After spending some time to research, I've found the amazing Buster Sandbox Analyzer (BSA). It integrates everything that I've thought about, even much more.
     Part II will be about a general introduction about Buster Sandbox Analyzer and performing a dynamic malware analysis on Virut as a case study.

No comments:

Post a Comment