Paving the way for Controlled Chaos

Over the last few weeks, since my last blog post, my group and I have been hammering away at developing a solid virtual environment that would be both isolated from our host systems, yet seemingly authentic to any malware through the use of simulated traffic via other virtual machines connected to the same network.

Setting Up the Lab

Before we can analyze any malware, we want to ensure that no harm will be done to our host machines or across our home networks. The first step in doing so is creating a virtual environment via a hypervisor, in our case VMware. These environments are often called “detonation chambers” or dynamic execution environments, because they provide a safe and controlled space in which to execute and observe malware so that its behavior can be better understood.

To lay the groundwork for this isolation chamber, we created a Windows XP VM and cloned it to produce a second, identical machine. We then set both machines' network adapters to VMnet7, which prevents any communication between the virtual and host networks. We tested this from CMD: pinging our host machines from the VM showed no connection, while pinging the cloned machine showed that the two VMs could communicate with each other.
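The two-part ping check above (host must be unreachable, clone must be reachable) is easy to misread by eye, because Windows ping prints "Destination host unreachable." as a "Reply from" line and counts it as received, so a dead target can show 0% loss. The script below is an added example, not part of the original post or the project's toolkit: it parses the statistics line of Windows ping transcripts and applies the post's isolation rule. The IP addresses and the three transcripts are constructed; it assumes Python is available on the VM (or that the transcripts are pasted in from CMD).

```python
"""Evaluate the VM isolation check from Windows ping output.

Added example, not the project's own code. The addresses and ping
transcripts below are constructed to look like Windows XP CMD output.
"""
import re
import subprocess
from typing import NamedTuple

# Matches the statistics line Windows ping prints, e.g.
#     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
STATS_RE = re.compile(
    r"Packets:\s*Sent\s*=\s*(\d+),\s*Received\s*=\s*(\d+),\s*Lost\s*=\s*(\d+)"
)


class PingResult(NamedTuple):
    sent: int
    received: int
    lost: int
    unreachable_replies: int  # "Destination host unreachable." lines


def parse_ping(output: str) -> PingResult:
    """Parse a Windows ping transcript into counts.

    "Destination host unreachable." replies are counted separately: Windows
    prints them as "Reply from <own IP>: ..." and includes them in Received,
    so naive "Reply from" matching would report a dead target as alive.
    """
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no 'Packets:' statistics line in ping output")
    sent, received, lost = (int(x) for x in m.groups())
    unreachable = len(re.findall(r"Destination host unreachable", output))
    return PingResult(sent, received, lost, unreachable)


def is_reachable(output: str) -> bool:
    """True only if at least one genuine echo reply came back."""
    r = parse_ping(output)
    return (r.received - r.unreachable_replies) > 0


def check_isolation(host_ping: str, peer_ping: str) -> dict:
    """Apply the post's rule: host unreachable AND cloned VM reachable.

    Note: no reply from the host is necessary but not sufficient for
    isolation; a host firewall dropping ICMP looks the same from the VM.
    """
    host_unreachable = not is_reachable(host_ping)
    peer_reachable = is_reachable(peer_ping)
    return {
        "host_unreachable": host_unreachable,
        "peer_reachable": peer_reachable,
        "isolated": host_unreachable and peer_reachable,
    }


def run_windows_ping(target: str) -> str:
    """Run ping on a Windows VM and return its transcript (Windows flags)."""
    proc = subprocess.run(["ping", "-n", "4", target],
                          capture_output=True, text=True)
    return proc.stdout


# Constructed transcripts (hypothetical addresses).
PING_HOST = """\
Pinging 192.168.0.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

PING_CLONE = """\
Pinging 10.7.7.20 with 32 bytes of data:

Reply from 10.7.7.20: bytes=32 time<1ms TTL=128
Reply from 10.7.7.20: bytes=32 time<1ms TTL=128
Reply from 10.7.7.20: bytes=32 time<1ms TTL=128
Reply from 10.7.7.20: bytes=32 time<1ms TTL=128

Ping statistics for 10.7.7.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

PING_DEAD_PEER = """\
Pinging 10.7.7.99 with 32 bytes of data:

Reply from 10.7.7.20: Destination host unreachable.
Reply from 10.7.7.20: Destination host unreachable.
Reply from 10.7.7.20: Destination host unreachable.
Reply from 10.7.7.20: Destination host unreachable.

Ping statistics for 10.7.7.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

if __name__ == "__main__":
    print("lab as described :", check_isolation(PING_HOST, PING_CLONE))
    print("clone powered off:", check_isolation(PING_HOST, PING_DEAD_PEER))
```

On the VM you would replace the constructed transcripts with `run_windows_ping("<host IP>")` and `run_windows_ping("<clone IP>")`; the parser is written for Windows ping output, not Linux ping. The third transcript shows why the statistics line alone is not enough: it reports 0% loss even though nothing answered.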

Building our Arsenal

Now that we had created the virtual machines that will host the malware, our group's next goal was to build our toolkit by installing a variety of analysis tools on them. While I can’t cover all of the tools we will be using within this blog post, I will go into some detail on a select few that I think are the most important:

  • FakeNet: Simulates network services, which helps trick the malware into believing it has access to the internet.
  • Process Explorer: A system-monitoring tool that lets you examine any files or registry keys the malware interacts with.
  • Wireshark: Captures and analyzes packets, which lets us read further into what the malware intends to do.

Looking forward

As the current term comes to a close and all our preparatory work will be put to the test in the next, I am confident in the groundwork our group has laid in setting up a strong, isolated virtual environment with all the necessary tools in our toolkit. The next term will certainly be exciting as we begin our deep analysis of the malware samples we have selected. Part of me is still a bit nervous, though, as this is my first time working with a piece of malware in a more free-flowing environment; my only experience so far has been in a tightly structured course where we were given guides on what to do.

The Project is in Motion

Project Updates & Where We are Now

Wow, this term sure has been flying by. So far this project has consisted of a lot of planning and preparatory work so that we can really get into the heavy stuff next term. I have absolutely no complaints about my group or the project as a whole, and I am satisfied with where we are so far. This last week we put together a draft of our design document, which essentially lays out all the plans and goals we have for our project and how we plan on completing them.

Seeing our ideas take shape into a more structured plan has felt incredibly rewarding. It’s one thing to have some ideas in our heads, but seeing them organized into a roadmap gives my team and me confidence and a mutual understanding that will help us be more unified and efficient as the project continues.

What is to Come

As I mentioned, now that we have a design document we have our roadmap for the whole project in front of us. Within the coming weeks we will be building upon the foundation of the project. Our project is unique in that it is not necessarily a “coding project” in the same sense as others taking this course. Our project is meant to analyze malware using both static and dynamic analysis strategies. This malware will be examined within a VM network that we will build using VMware Workstation.

The majority of our design focus for V0.0.1 and V0.0.2 will be on creating the virtual environment of VMs and downloading the necessary analysis tools for our testing. In our environment setup we will ensure that our various VMs can communicate with one another so as to simulate normal network traffic. Once we have the environment set up properly, we will download our various analysis tools. A list of these tools is written in our design document, but to name a few, we will download FakeNet, Wireshark, and Process Explorer.

These tools will allow us to monitor the malware’s behavior from different angles. FakeNet, for example, will simulate network services and capture any outgoing communication attempts made by the malware, giving us insight into its communication patterns. Wireshark will enable us to capture and analyze network packets, allowing us to trace any connections the malware tries to establish. Process Explorer will give us a detailed view of the processes and system resources the malware interacts with, helping us identify suspicious activity at the system level.

Upon the completion of the environment, we should have a strong foundation for the project. With a solid foothold now in place we can look forward to the next term where we will begin our static and dynamic analysis of the malware.