Category: Blog Posts

Why I chose my project

When I was first looking through the options for my Senior Capstone Project what immediately caught my eye was the malware analysis project. My concentration for my degree is in cybersecurity, so for that reason I thought it would be the most applicable choice for me. This was also the clear choice for me based on my interests which I have found through my years at Oregon State. My all-time favorite class up to the point of choosing this project was CS 373 – Defense Against the Dark Arts. The class was all about introducing anti-malware and computer forensic principles and methodologies, so I thought this would be a great continuation of those fields.

It turns out that my initial reasonings were correct, and this has by far been my favorite class throughout my senior year. I have really enjoyed getting a hands-on experience in analyzing malware and my knowledge of both what to look for and how to use the various analysis tools has grown substantially. As I reflect on everything I have learned, I think I can best summarize my insights into five major takeaways.

The five major takeaways

1. VM creation and handling

The very first step of this project (after the planning phase) was to create a VM environment that is isolated from the host network and then install all the necessary analysis tools as well as the malware samples onto it. Up until this course my only experience with VM’s was working with those which were pre-built for the purpose of the course which I needed them for.

2. Static analysis is essential for an impactful dynamic analysis

In the various samples that I analyzed this term, I have always found that the stronger my static analysis was, the easier and more conclusive my finding were in dynamic analysis. This initial phase helped me to identify key indicators, like API calls, suspicious strings, file structure, etc. which guided me in my approach during the malwares execution. Essentially, static analysis was my guide for what to look for when I finally executed the program and began monitoring its behavior in real time.

3. Malware analysis required a wide tech stack

I quickly found out when I began analyzing the samples, that I always needed to add another tool in order to get a complete grasp of the software. No single tool or analysis technique will paint a comprehensive picture of the intent of a piece of malware.

4. Simulated networks are vital for finding malware intent

Without using a tool like FakeNet to simulate network traffic, my isolated VM, being disconnected from the internet, would have been insufficient in analyzing samples that utilize a command-and-control (C2) server. FakeNet was able to mimic the expected network responses, so that the malware would behave as if it had successfully made a connection to its C2 server, which lead to further findings of the malwares intent and functionality.

5. Documentation is key to a proper analysis

As I investigated the malware samples, I made a habit of documenting everything I found. This proved extremely useful as I continued my study of the sample. I was always able to look back at what I had documented which made tracking patterns within the sample and understanding how everything tied together much easier.

At this point in the term, I have gotten to utilize all of the technologies I have installed onto my VMWare environment through practical malware analysis. In this blog post, I wish to share the difficulties and successes that I have had throughout the process thus far, though I am sure there are many more to come!

The Most Difficult Technology: VMWare Workstation

Ironically, the technology that has caused the most amount of headaches for me, and from what I can discern, many members within my group as well, is the very foundation on which our analysis is done, VMWare Workstation. Going into this course, my experience with VMWare, and VM’s in general, was limited to pre-built VM’s that were designed for the particular class I was taking at OSU. This project was totally different in this regard, having to construct the VM from scratch, and install all of the necessary tools for analysis onto it. Seems simple enough, right?

Well, that’s what I thought, but let me tell you, I have had many long troubleshooting sections trying to get everything to work properly. The primary challenge for me was finding compatible technologies with the operating systems that my VM’s are running, and then successfully transferring and installing them onto their respective machine. Since most technologies I am familiar with in regard to malware analysis are much more modern, I had to go through the tedious process of identifying if they have older versions that are compatible, and if not, finding viable alternatives.

After that headache, I ran into another problem. specifically on my Windows XP VM. VMWare tools doesn’t have any automatic installation process for operating systems older than Windows Vista. This meant that I needed a different way of transferring files than I was familiar with. I ended up going the hardware route by installing all the tools I needed onto a USB flash drive and then transferring that flash drive to the VM where I could install it’s contents onto the machine.

Despite the initial difficulties, I appreciate the experience working with VMWare, as I can say I am much more comfortable navigating the VM building process now, and I think in the future I will have significantly less frustration.

The Most Enjoyable Technology: Wireshark

On the flip side, the technology I have enjoyed working with the most so far is Wireshark. Unlike with VMWare, I have a lot of experience with Wireshark, having used it in multiple courses at Oregon State, as well as in personal research. Because of this, I was able to jump right in without any concerns.

For this project my primary focus with Wireshark has been analyzing malware behavior and detecting potential command and control (C2) traffic. Understanding how malware communicates over a network has proven essential in identifying the potential threats the malware contains, and for that Wireshark has been the best tool for the job.

How Wireshark Works

Wireshark is simply a network protocol analyzer, which captures network data packets in real-time. This allows for deep inspection of the traffic a network has, which can lead to the detection of unusual behavior. The typical Wireshark usage, from my experience goes as follows:

1. Packet Capture – As mentioned above, Wireshark records all of the inbound and outbound network traffic on a given network interface.
2. Filtering & Analysis – Once you have completed your packet capture, depending on the nature of the network you are working with, there may be a large amount of packets that were caught in your capture. To analyze these, you can utilize Wireshark’s custom filtering, which allows for you to organize the packets in various ways, for example you can search only for HTTP traffic.
3. Reconstructing Sessions – If there are suspicious packets that are detected, like in my case during this project, Wireshark offers easy ways of following the traffic and getting a full picture. One way this can be done is through following TCP streams. This stitches all of the packets that belong to a single session together to help paint a full picture of a given connection.

Final Thoughts

While each technology I have used in my malware analysis stack has had its learning curve, I am glad to have the opportunity to sharpen my skills and get a better understanding of how malware analysis is done in a hands on way. I look forward to moving forward with this project and honing in my skills with these various technologies.