The Highs and Lows of My Malware Analysis Tech Stack

At this point in the term, I have gotten to utilize all of the technologies I have installed onto my VMWare environment through practical malware analysis. In this blog post, I wish to share the difficulties and successes that I have had throughout the process thus far, though I am sure there are many more to come!

The Most Difficult Technology: VMWare Workstation

Ironically, the technology that has caused the most headaches for me, and from what I can discern, many members within my group as well, is the very foundation on which our analysis is done: VMWare Workstation. Going into this course, my experience with VMWare, and VMs in general, was limited to pre-built VMs that were designed for the particular class I was taking at OSU. This project was totally different in this regard, having to construct the VM from scratch and install all of the necessary tools for analysis onto it. Seems simple enough, right?

Well, that’s what I thought, but let me tell you, I have had many long troubleshooting sessions trying to get everything to work properly. The primary challenge for me was finding technologies compatible with the operating systems that my VMs are running, and then successfully transferring and installing them onto their respective machines. Since most technologies I am familiar with in regard to malware analysis are much more modern, I had to go through the tedious process of identifying whether they have older versions that are compatible, and if not, finding viable alternatives.

After that headache, I ran into another problem, specifically on my Windows XP VM. VMWare Tools doesn’t have any automatic installation process for operating systems older than Windows Vista. This meant that I needed a different way of transferring files than I was familiar with. I ended up going the hardware route by installing all the tools I needed onto a USB flash drive and then passing that flash drive through to the VM, where I could install its contents onto the machine.

Despite the initial difficulties, I appreciate the experience working with VMWare, as I can say I am much more comfortable navigating the VM building process now, and I think in the future I will have significantly less frustration.

The Most Enjoyable Technology: Wireshark

On the flip side, the technology I have enjoyed working with the most so far is Wireshark. Unlike with VMWare, I have a lot of experience with Wireshark, having used it in multiple courses at Oregon State, as well as in personal research. Because of this, I was able to jump right in without any concerns.

For this project my primary focus with Wireshark has been analyzing malware behavior and detecting potential command and control (C2) traffic. Understanding how malware communicates over a network has proven essential in identifying the potential threats the malware contains, and for that Wireshark has been the best tool for the job.

How Wireshark Works

Wireshark is a network protocol analyzer: it captures packets from a network interface in real time (or opens a saved capture file) and decodes them protocol by protocol. This allows deep inspection of the traffic that interface sees, which is how unusual behavior gets spotted. One caveat worth remembering in a VM lab: Wireshark only sees the traffic that reaches the interface it is capturing on, so it must run inside the analysis VM or on the host adapter that VM is attached to. The typical Wireshark workflow, from my experience, goes as follows:

  1. Packet Capture – As mentioned above, Wireshark records all of the inbound and outbound traffic on a chosen network interface. If you already know what you are looking for, a capture filter (for example "host 10.0.0.5") limits what gets recorded in the first place; otherwise, capture everything and filter afterwards.
  2. Filtering & Analysis – Once the capture is complete, depending on the nature of the network you are working with, there may be a large number of packets in it. To analyze these, you use Wireshark’s display filters, which narrow the view without discarding anything; for example, the filter "http" shows only HTTP traffic, and "ip.addr == 10.0.0.5 && tcp.port == 8080" shows only the packets between one host and one port. The Statistics > Conversations view is also a quick way to see which external hosts the VM talked to at all.
  3. Reconstructing Sessions – If suspicious packets are detected, like in my case during this project, Wireshark offers easy ways of following the traffic and getting the full picture. One way is Follow > TCP Stream, which stitches together all of the packets belonging to a single connection, in both directions, and shows the reassembled payload (for HTTP, the full request and response). Even when the payload is encrypted, the stream still shows which server the sample connected to, on which port, and how large and how frequent each exchange was, which is often enough to recognize a beaconing command and control channel.
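To make the three steps above concrete, here is an added example (my own illustration, not code from the original post or from the Wireshark project) that reproduces the capture / filter / follow-stream workflow in plain Python on a pcap file that is built in memory. The addresses, ports, and the "/gate.php" beacon are all constructed for the example, not taken from a real sample; the "matches" function supports only a tiny subset of Wireshark's display-filter syntax, and the stream follower orders by arrival time rather than doing full TCP reassembly.

```python
"""Added example (not the post's own code): capture, display-filter, and
"Follow TCP Stream" reconstructed in plain Python on an in-memory pcap."""
import struct
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq payload")

# ---- constructed capture (hypothetical hosts, not a real malware sample) -----
def _ip(a):
    return bytes(int(x) for x in a.split("."))

def build_frame(src, sport, dst, dport, flags, seq, ack, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """(timestamp, frame) pairs -> libpcap file bytes (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(f), len(f)) + f
    return out

PSH_ACK = 0x18
CLIENT, C2, WEB = "10.0.0.5", "203.0.113.7", "198.51.100.20"   # hypothetical addresses
BEACON = b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"  # constructed beacon
_frames = []
for i, t in enumerate((0.0, 60.0, 120.0)):   # one short connection every 60 s to port 8080
    _frames.append((t, build_frame(CLIENT, 49152 + i, C2, 8080, PSH_ACK, 1, 1, BEACON)))
    _frames.append((t + 0.2, build_frame(C2, 8080, CLIENT, 49152 + i, PSH_ACK, 1, 1 + len(BEACON),
                                         b"HTTP/1.1 200 OK\r\n\r\nsleep")))
_frames.append((30.0, build_frame(CLIENT, 50000, WEB, 80, PSH_ACK, 1, 1,
                                  b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")))
_frames.append((30.1, build_frame(WEB, 80, CLIENT, 50000, PSH_ACK, 1, 40, b"HTTP/1.1 200 OK\r\n\r\n<html>")))
SAMPLE_PCAP = pcap_bytes(sorted(_frames))

# ---- step 1: read the capture back, one TCP/IPv4 packet at a time ------------
def parse_pcap(data):
    pkts, off = [], 24                       # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_s, ts_us, caplen, _ = struct.unpack_from("<IIII", data, off)
        f = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 6:   # keep IPv4 + TCP only
            continue
        ihl, ip_len = (f[14] & 0x0F) * 4, struct.unpack_from("!H", f, 16)[0]
        t = 14 + ihl
        sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", f, t)
        payload = f[t + (doff >> 4) * 4: 14 + ip_len]
        pkts.append(Pkt(ts_s + ts_us / 1e6, ".".join(map(str, f[26:30])), sport,
                        ".".join(map(str, f[30:34])), dport, flags, seq, payload))
    return pkts

# ---- step 2: a minimal stand-in for Wireshark display filters ----------------
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")

def matches(pkt, expr):
    """Supports only 'http' and 'tcp.port == N' (a toy subset of the real syntax)."""
    if expr == "http":
        return pkt.payload.startswith(HTTP_STARTS)
    if expr.startswith("tcp.port == "):
        return int(expr.split("==")[1]) in (pkt.sport, pkt.dport)
    raise ValueError("unsupported filter: " + expr)

def display_filter(pkts, expr):
    return [p for p in pkts if matches(p, expr)]

# ---- step 3: "Follow TCP Stream": stitch one conversation back together -------
def follow_tcp_streams(pkts):
    """Map each bidirectional (ip, port) pair to its payload chunks in arrival order,
    each tagged with the sending endpoint. Real reassembly also orders by seq."""
    streams = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        streams[key].append(((p.src, p.sport), p.payload))
    return dict(streams)

# ---- what to look for once the streams are reconstructed ----------------------
def c2_candidates(pkts, expected_ports=(80, 443), min_beacons=3, jitter=0.1):
    """Flag (server, port) pairs that carry HTTP on an unexpected port or that are
    contacted at near-constant intervals (beaconing). Heuristics, not proof."""
    reqs = defaultdict(list)
    for p in display_filter(pkts, "http"):
        if not p.payload.startswith(b"HTTP/"):       # requests only, not responses
            reqs[(p.dst, p.dport)].append(p.ts)
    findings = {}
    for (dst, port), times in reqs.items():
        times, reasons = sorted(times), []
        if port not in expected_ports:
            reasons.append(f"http on non-standard port {port}")
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_beacons and max(gaps) - min(gaps) <= jitter * (sum(gaps) / len(gaps)):
            reasons.append(f"{len(times)} requests every ~{sum(gaps) / len(gaps):.0f}s")
        if reasons:
            findings[(dst, port)] = reasons
    return findings

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for key, chunks in follow_tcp_streams(pkts).items():
        print(key, b"".join(c for _, c in chunks)[:40])
    print(c2_candidates(pkts))
```

Running it reconstructs four streams (three short beacon connections plus the one benign web request) and flags only the 203.0.113.7:8080 endpoint, for two reasons: HTTP on a port that is not 80 or 443, and three requests spaced exactly 60 seconds apart. In Wireshark the same picture comes from applying the "http" display filter, sorting by destination, and following one of the streams; the point of the code is to show what that interface is doing for you.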

Final Thoughts

While each technology I have used in my malware analysis stack has had its learning curve, I am glad to have the opportunity to sharpen my skills and get a better understanding of how malware analysis is done in a hands-on way. I look forward to moving forward with this project and honing my skills with these various technologies.
