Wednesday, May 8, 2013

Malware Analysis: How to Begin

Written by: Pranshu Bajpai

Recently, I was collaborating with a PhD candidate on a research project on malware analysis. The subject relates to behavior-based analysis of malware. I helped analyze malware samples that were collected from various sources.

The first thing we did was set up a virtual environment. She runs her samples in a virtual sandbox (CWSandbox), while I installed a fresh copy of Windows in VirtualBox.

We collected the virus samples from various places including:

We used the following tools during analysis:

Process Monitor (Sysinternals): Gives a detailed, real-time view of file system, registry, process/thread and network activity on the system. Run the malware, then filter on the sample's process name in Process Monitor to see exactly which files, registry keys and other processes it touches.

Regshot: Takes a snapshot of the registry before and after the malware is run, compares the two, and reports the differences. Those differences are the changes the malware made, so keep the time between the two snapshots short, since anything else that runs in that window shows up in the diff as well.

OllyDbg: A user-mode debugger for 32-bit Windows executables, used to disassemble the malware into its assembly code and step through it.

Comodo Instant Malware Analysis: An online service that returns a short summary of a submitted executable's behaviour.

Anubis: An online sandbox where unknown binaries can be submitted and analysed.

Wireshark: To capture and inspect the packets the infected machine sends and receives. Capture outside the infected guest (on the host or a gateway VM) so the malware cannot interfere with the capture.
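As an added example (not code from this post, from Process Monitor or from Regshot), the script below automates two of the steps above in Python: picking the sample's operations out of a Process Monitor CSV export by process name, and diffing a "before" and "after" registry snapshot the way Regshot does, then flagging changes under common autostart keys. The CSV excerpt, the two snapshots, the list of autostart prefixes and the function names (`summarize_procmon`, `diff_snapshots`, `flag_persistence`, `snapshot_key`) are all constructed for the example; `snapshot_key` uses the standard-library `winreg` module and therefore only runs on Windows, while the rest runs anywhere.

```python
"""Behaviour triage for a sandbox run: summarise one process from a Process
Monitor CSV export, and diff two registry snapshots Regshot-style.
Added example; not Process Monitor's or Regshot's own code."""
import csv
import io
from collections import defaultdict

# Constructed excerpt, laid out like Process Monitor's CSV export
# (File > Save..., CSV).  The sample under analysis is sample.exe.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","CreateFile","C:\\Users\\lab\\Desktop\\sample.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:01:03.0","sample.exe","4321","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4400"
"10:01:03.2","sample.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.4","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:01:04.0","sample.exe","4321","TCP Connect","lab-vm:49200 -> 203.0.113.10:80","SUCCESS","Length: 0"
"10:01:04.5","svchost.exe","800","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"""

# Operations that show what a sample changes on disk/registry or contacts.
INTERESTING_OPS = {"WriteFile", "RegSetValue", "Process Create", "TCP Connect", "UDP Send"}

def summarize_procmon(csv_text, process_name):
    """Return {operation: [path, ...]} for one process name (case-insensitive)."""
    summary = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] in INTERESTING_OPS:
            summary[row["Operation"]].append(row["Path"])
    return dict(summary)

# Constructed "before" and "after" snapshots of the form {value path: data}.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start": "2",
}
AFTER = dict(BEFORE)
# The sample registered itself to autostart and switched off "show hidden files".
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = \
    r"C:\Users\lab\AppData\Roaming\svchost.exe"
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"] = "2"

# Assumed, non-exhaustive list of autostart locations; the Run prefix also
# matches RunOnce, which is intended.
AUTOSTART_PREFIXES = (
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES",
)

def diff_snapshots(before, after):
    """Regshot-style comparison: values added, removed and modified."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}

def flag_persistence(diff):
    """Changed value paths that sit under a known autostart key."""
    changed = list(diff["added"]) + list(diff["modified"])
    return sorted(p for p in changed if p.upper().startswith(AUTOSTART_PREFIXES))

def snapshot_key(root_name, subkey):
    """Windows only: walk a live registry subtree with winreg into
    {value path: data}, the same shape as BEFORE/AFTER above."""
    import winreg  # standard library, available on Windows only
    root = winreg.HKEY_CURRENT_USER if root_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    out = {}

    def walk(path):
        try:
            key = winreg.OpenKey(root, path)
        except OSError:
            return  # access denied, or the key vanished between snapshots
        with key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            for i in range(n_values):
                name, data, _ = winreg.EnumValue(key, i)
                out[f"{root_name}\\{path}\\{name or '(Default)'}"] = str(data)
            for i in range(n_subkeys):
                walk(f"{path}\\{winreg.EnumKey(key, i)}")

    walk(subkey)
    return out

if __name__ == "__main__":
    for op, paths in summarize_procmon(PROCMON_CSV, "sample.exe").items():
        print(f"{op:15} {paths}")
    diff = diff_snapshots(BEFORE, AFTER)
    print("added:", diff["added"])
    print("modified:", diff["modified"])
    print("persistence:", flag_persistence(diff))
```

On a real run, export the Process Monitor trace as CSV and call `summarize_procmon` on its contents, and replace the constructed `BEFORE`/`AFTER` dictionaries with two `snapshot_key("HKCU", r"Software\Microsoft\Windows\CurrentVersion")` calls taken just before and just after executing the sample.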

