
An Update: What I’ve Been Up To


In my last blog post, I briefly introduced my project for this term. I can't really believe it, but we are coming up on the Midpoint Archive assignment next week. If you aren't aware of what that assignment entails, we basically need to compile and report on everything we have been working on over the last few weeks. I imagine it is meant to mark the halfway (mid) point of the Capstone Project. Regardless, time has really been shooting by at light speed. It may seem late, but I think now is actually the perfect time to give you a more in-depth introduction to my project and what my team has accomplished over the last month. I have firmly wrapped my head around exactly what we are doing and what is expected of our final results.

My project is the Malware Analysis research project. Briefly, our goal is to document the process of setting up a safe virtual lab environment for malware analysis and then to document the basics of the analysis itself. No one on my team has dealt with malware in an educational setting before. Additionally, the virtual lab needs to conform to certain characteristics in order to be safe to use. While we have all had some experience with virtual machines in the past, the specifics of this project were new to all of us. What does this all mean? It meant that we had to do a lot of work up front to contextualize, for ourselves, exactly what we were going to accomplish. This is part of the reason I held back on this particular post. It is hard to talk about what you are doing when part of the project entails figuring that out. Yes, we had specific goals. But how do you set up a virtual network? What hypervisor should we use? What is basic static analysis? What is basic dynamic analysis? These are the types of questions we had to consider during the planning stages of this project.

We had a lot of questions, and taking the time to answer them for ourselves meant that we ended up with a fairly robust project plan. We built out background information that helped us determine why someone might want to engage with a project like ours. We also defined, for ourselves, a lot of the terms specific to this project and to malware analysis. For example, basic static analysis refers to an analyst studying a piece of malware without viewing the actual code or running the malware [1]. Basic dynamic analysis refers to an analyst studying the behavior of malware while it is actually running, using various techniques and tools [2]. We broke down tasks as much as we could and decided what each of us would be working on from week to week. We also decided on the tools we would use to complete our research project. For example, we chose the hypervisor VMware Workstation Pro. A hypervisor is software that generates and hosts virtual machines [3]. Unlike some of the alternatives, this hypervisor is not free [4]. However, Oregon State University offers licenses to active students. It offers a lot of control over settings for virtual machines and virtual networks [4]. Because we are dealing with malware, we wanted as much control over our lab environment as possible.


Once we had our general plan, we moved on to actually setting up the lab environment. This took a bit over a week to set up properly. We took our time with setup and documentation in order to make sure that our environment met our specifications exactly. We did not want to take chances when dealing with malware. Even though we will not be dealing with extremely dangerous samples, the point of this project is to generate a guide that malware analysts can use to get started with their own endeavors. Additionally, this setup has many different parts. We first had to create new virtual machines. We ended up generating three machines: one Windows 10 and two Linux. We also needed to install any tools necessary for analysis on the machines before they were disconnected from the Internet. We then needed to create a virtual network. A virtual network is a network that is created using software instead of hardware [5]. This virtual network needed to be as isolated from the physical machine and the live Internet as it possibly could be. Next, you have to configure the machines to use this custom virtual network. Finally, you need to adjust any other miscellaneous settings for maximum safety.

This past week we also began analyzing a real malware sample. We made sure to source the malware properly. We then performed several static analysis techniques on the sample: computing hash values for the files and checking them against known signatures, string searching, and PE header analysis. Perhaps in a future blog I will delve deeper into what these techniques entail, but I don't want to bloat this post too much with a long aside. Overall, we were able to learn information about the sample using various tools and techniques. We documented how we accomplished all of these tasks as we went.
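As an added illustration (not code from the original post or from the team's own tooling), here is a small Python script that performs the three static checks named above: hashing with a denylist lookup, printable-string extraction, and parsing the DOS stub and COFF file header. The sample bytes, the `example.invalid` URL inside them and the denylist are all constructed for the example; the sample is benign PE-shaped filler, not a real executable or malware.

```python
import hashlib
import re
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

def build_sample():
    """Constructed, benign PE-shaped bytes (not a real executable): an MZ stub
    whose e_lfanew field (offset 0x3C) points at the PE signature and COFF
    file header, followed by filler containing a few printable strings."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # COFF fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0002 = executable)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 240, 0x0022)
    tail = b"\x00" * 8 + b"kernel32.dll\x00http://example.invalid/update\x00ab\x00"
    return dos + b"PE\x00\x00" + coff + tail

def file_hashes(data):
    """MD5/SHA-1/SHA-256 digests, the values usually looked up in signature databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def match_known_signatures(hashes, known_bad):
    """Return the algorithms whose digest appears in a (constructed) denylist of known-bad hashes."""
    return [name for name, digest in hashes.items() if digest in known_bad]

def extract_strings(data, min_len=6):
    """Basic string search: runs of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_pe_header(data):
    """Read the DOS stub and COFF file header; raise ValueError if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": stamp,              # link time claimed by the compiler; easily forged
        "optional_header_size": opt_size,
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
    }

if __name__ == "__main__":
    sample = build_sample()
    print(file_hashes(sample)["sha256"], extract_strings(sample), parse_pe_header(sample))
```

Pointing `file_hashes`, `extract_strings` and `parse_pe_header` at the bytes of a real file gives the same three views an analyst records during basic static analysis; the denylist would then be populated from a signature source rather than constructed.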


Finally, let's briefly talk about what will be coming up for our team in the next few weeks. The next task we need to accomplish is to begin dynamic analysis of the sample. This will involve actually running the malware (exciting!). We will get to see firsthand how it behaves. I have a feeling that this will be the most exciting portion of the project. After that, we will repeat the process for other samples. Finally, if we have time, we will complete a secret (for you) extension of the project. Be sure to stay tuned to learn more!

References:

  1. Ninja, Security. “Static Malware Analysis.” Infosec Resources, Infosec Resources, 12 June 2021, https://resources.infosecinstitute.com/topic/malware-analysis-basics-static-analysis/#:~:text=Basic%20static%20analysis%20consists%20of%20examining%20the%20executable,will%20allow%20you%20to%20produce%20simple%20network%20signatures.
  2. “Basic Dynamic Analysis.” Infosec, Infosec, 8 Nov. 2022, https://www.infosecinstitute.com/skills/courses/basic-dynamic-analysis/.
  3. “What Is a Hypervisor?: Vmware Glossary.” VMware, 21 Jan. 2023, https://www.vmware.com/topics/glossary/content/hypervisor.html.
  4. “Windows VM: Workstation Pro.” VMware, 3 Feb. 2023, https://www.vmware.com/products/workstation-pro.html.
  5. “What Is Virtual Networking?” VMware, VMware, 25 Jan. 2023, https://www.vmware.com/topics/glossary/content/virtual-networking.html.