Thoughts on starting malware analysis

Hey everyone! My team and I have been assigned the malware analysis project. I’m really excited we were assigned to this project as I think there’s a lot to learn from it. For those who aren’t familiar, the project will result in a document that discusses

  1. how to create a virtual environment with multiple machines that are connected to the same network
  2. how to perform static and dynamic analysis of malware using that environment

I think this project is particularly cool because you can work on two unique skills

  1. Documenting and developing a reliable way to create a virtual environment that can be used by anyone reading the paper (which enables other people interested in malware analysis to replicate our instructions).
  2. Analyzing code and what effect the code has on the operating system, other applications, and the network. This pieces together many skills such as traffic analysis or conducting a baseline analysis of a machine. Other skills such as code obfuscation may also be learned, along with some others I’m sure I’m missing.

I have yet to meet with my team, but I have a couple of ideas on how to get started. I think that, as part of our end deliverable and to make analyzing malware safe and easy to get started on, we need to create an infrastructure-as-code solution to create our lab. I’m leaning towards using Terraform. Terraform is a tool developed by HashiCorp that is the industry standard for defining infrastructure as code. It is compatible with all major cloud providers. By using Terraform, we can easily interact with the cloud of our choice and ensure that each team member is using the lab in the same way. Also, we can share a link to our code in our paper so that the readers can use the same template. I haven’t used Terraform before, but I’ve used Amazon’s CDK extensively and really enjoyed it. I think Terraform is a better option, though, to prevent being locked into AWS. I plan to get myself and my team familiar with Terraform (if we decide to use it) by following https://developer.hashicorp.com/terraform/tutorials.

After our first obstacle is accomplished, we’ll then need to branch into where to get malware from and how to analyze it. There are many great resources available, although installing malware and purposefully running it will be a first for me. To analyze the malware, we’ll need an image with tools on it. The two best options seem to be Flare VM https://www.fireeye.de/services/freeware/flare-vm.html or REMnux https://remnux.org/. Once we can start machines with these images, we can move on to the analysis piece. This part will come with time and is where I anticipate our team will spend most of its efforts. However, a good starting point seems to be tutorials linked to from REMnux and Flare VM. Once we have the very basics down, I think it will be time to dive into malware samples from some sites similar to the ones linked in this infosec article https://resources.infosecinstitute.com/topic/top-7-malware-sample-databases-and-datasets-for-research-and-training/.
