As part of the Malware Analysis team, we’ve spent a lot of time testing various software and configuration for an analysis lab of virtual machines. I used Workstation Player, Workstation Pro, and VirtualBox as I was trying to figure out the best environment for our testing, and after many weeks of issues and setbacks, finally getting 2 virtual machines connected on a Host-Only network without putting the Host OS (my laptop) at risk felt like a big win. This involved a lot of research, tutorials, and testing various OS’s as older ones typically used for this type of research (like Windows XP or Vista) are becoming obsolete and left behind by most software these days. It also meant testing malware analysis programs like PeID, Process Monitor, Dependency Walker, and others as some have not been updated in a while, or no longer work on more recent OS’s despite their utility in older environments. I can confidently say that I understand the process and environment and tools used in malware analysis much more than when I started, and would not be opposed to pursuing this further in my career.
This process of research and experimentation made the feeling much more rewarding when I was finally able to drop selected pieces of malware into the tools and start really digging into the details of how malicious software works. Things I now know to look for: is the software already recognized by the community (there are many websites that can compare the hash of a program to see if someone has already evaluated the code), is the software packaged (this can make analysis difficult, and requires specific methods to unpack the code), what processes or actions does the program appear to take upon execution (some have clear patterns of establishing network communications, or create new files all over the host, or start processes to record user keystrokes, etc), and does the software have defenses against analysis (the code can often tell if it’s running inside a virtual machine, or has no internet access, or has been modified, all of which may make the malicious program act differently so as to conceal it’s true purpose). I still have a lot to learn about this field of study, but I have greatly enjoyed the process and problem solving it took to reach this point!
Leave a Reply