Recently, I was collaborating with a PhD candidate on a research project on malware analysis. The subject is behavior-based analysis of malware, and I helped analyze samples collected from various sources.
The first thing we did was set up isolated virtual environments: she runs her samples in a virtual sandbox (CWSandbox), while I installed a fresh copy of Windows in a VirtualBox VM. A clean VM snapshot taken before each run makes it cheap to revert to a known-good state between samples.
We collected the malware samples from various places, including:
- http://oc.gtisc.gatech.edu:8080/
- http://contagiodump.blogspot.in/
- http://www.offensivecomputing.net/?q=node/1654
- http://www.kernelmode.info/forum/viewforum.php?f=16
- http://malware.lu/
We used the following tools during analysis:
- Process Monitor (Sysinternals): shows file-system, registry, process and thread activity on the system in real time. Running the malware and then filtering on its process name in Process Monitor isolates the operations the sample performs.
- Regshot: takes a snapshot of the Registry before and after the malware is run, compares the two, and reports the differences. Those differences are the changes the malware made (for example, new autostart entries).
- OllyDbg: a debugger used to disassemble the malware executable and step through its assembly code.
- Comodo Instant Malware Analysis: an online service that returns a short summary of a submitted executable's behavior.
- Anubis: an online sandbox for analyzing unknown binaries.
- Wireshark: to capture and inspect network traffic from the infected machine.
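The Regshot step above is just a differential comparison of two registry snapshots. As an added example (not code from the original post, nor part of Regshot), here is the same comparison written in Python over two `.reg` exports, such as those produced by `reg export` before and after running a sample. The two snapshots are constructed inline for illustration; the key and value names in them (`svchost_update`, `sample_cfg`, and so on) are made up and are not real malware artifacts. The autostart markers used to flag persistence are an assumption of this example, not a list from the post.

```python
"""Regshot-style diff of two .reg exports (added example, not from the post)."""
import re
from dataclasses import dataclass, field

# Constructed snapshots: "before" and "after" running a hypothetical sample.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"svchost_update"="C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\sample_cfg]
@="installed"
"id"=hex:de,ad,be,ef
"""

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Hypothetical list of well-known autostart locations (assumption of this example).
AUTOSTART_MARKERS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce", r"\Winlogon", r"\Services")


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    Long hex blobs are split over lines with a trailing backslash; join them first.
    """
    entries, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            entries[current][name] = m.group(2)
    return entries


def decode_data(raw):
    """Turn the textual .reg encoding into a Python value (str, int or bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):                            # hex:, hex(2):, hex(7): ...
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    return raw


@dataclass
class RegDiff:
    keys_added: list = field(default_factory=list)
    keys_deleted: list = field(default_factory=list)
    values_added: list = field(default_factory=list)     # (key, name, raw)
    values_deleted: list = field(default_factory=list)   # (key, name, raw)
    values_modified: list = field(default_factory=list)  # (key, name, old, new)


def diff_snapshots(before, after):
    """Compare two parsed snapshots the way Regshot does: added, deleted, modified."""
    d = RegDiff()
    for key in sorted(set(before) | set(after)):
        if key not in before:
            d.keys_added.append(key)
            d.values_added.extend((key, n, v) for n, v in after[key].items())
        elif key not in after:
            d.keys_deleted.append(key)
            d.values_deleted.extend((key, n, v) for n, v in before[key].items())
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    d.values_added.append((key, name, a[name]))
                elif name not in a:
                    d.values_deleted.append((key, name, b[name]))
                elif a[name] != b[name]:
                    d.values_modified.append((key, name, b[name], a[name]))
    return d


def persistence_hits(d):
    """Added values under autostart locations: the first thing to look at after a run."""
    return [(k, n, v) for k, n, v in d.values_added
            if any(m.lower() in k.lower() for m in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    d = diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))
    for k in d.keys_added:
        print("KEY ADDED     ", k)
    for k, n, v in d.values_added:
        print("VALUE ADDED   ", k, n, repr(decode_data(v)))
    for k, n, old, new in d.values_modified:
        print("VALUE MODIFIED", k, n, repr(decode_data(old)), "->", repr(decode_data(new)))
    for k, n, v in persistence_hits(d):
        print("PERSISTENCE?  ", k, n, repr(decode_data(v)))
```

Run against real exports, the interesting output is usually small: a new Run value, a modified Winlogon entry, or a new key under the sample's own name. Noise from Windows itself (timestamps, MRU lists) still shows up, which is why a known-good baseline snapshot and a short time window between the two exports matter.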