Thursday, May 7, 2009

Automating Malware Analysis article

In the latest Hakin9 issue (3/2009), I have an article on automating malware analysis. The article discusses how one can set up their own malware analysis automation system using VMware, some analysis tools and two scripts. The article uses a Linux system as the base system and Windows XP Pro as the guest/analysis OS, but I don't see why one couldn't use Cygwin on Windows as the base system with a few tweaks.

The scripts I created for the article are meant as a base for your own automated analysis system and are intended to be expanded upon. I encourage others to add other tools and capabilities to the scripts and share them here on the blog. The scripts used are available on Hakin9's site. However, if anyone wants the actual files, let me know and I'll send them out.

I should point out that the system and scripts in this article assume you are using VMware's host-only network mode. This prevents the malware from accidentally infecting other systems on your network, the Internet, etc. However, since the system is in host-only mode, your malware will not be able to communicate with any hosts. The only network traffic you will see is DNS requests and probes to systems that go unanswered.
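Because the whole setup depends on that host-only assumption, the one check worth running before every sample is a gate that refuses to start the guest if any of its NICs is not host-only. The script below is an added example, not one of the article's scripts; it assumes the analysis VM's .vmx path is passed in and that VMware's vmrun CLI is available for the launch.

```shell
#!/bin/sh
# Added example, not one of the article's scripts: a pre-flight gate that refuses
# to start the analysis VM unless every enabled virtual NIC in its .vmx file is on
# a host-only network. Assumptions: the .vmx path is passed in, and VMware's vmrun
# CLI is installed for the actual launch.

# Exit 0 only if the .vmx declares at least one NIC and each enabled NIC has
# connectionType = "hostonly". A NIC with no connectionType line is rejected:
# it is not explicitly host-only, so it must not be trusted.
vmx_is_host_only() {
    vmx="$1"
    [ -r "$vmx" ] || return 2
    nics=0
    for idx in $(sed -n 's/^ethernet\([0-9]*\)\.present *= *"[Tt][Rr][Uu][Ee]".*/\1/p' "$vmx"); do
        nics=$((nics + 1))
        ctype=$(sed -n "s/^ethernet${idx}\.connectionType *= *\"\([^\"]*\)\".*/\1/p" "$vmx" | tr 'A-Z' 'a-z')
        [ "$ctype" = "hostonly" ] || return 1
    done
    [ "$nics" -gt 0 ]
}

# Launch wrapper: the check runs before vmrun ever touches the guest.
start_analysis_vm() {
    if vmx_is_host_only "$1"; then
        vmrun -T ws start "$1" nogui
    else
        echo "refusing to start $1: a NIC is missing or not host-only" >&2
        return 1
    fi
}

# Self-check on two constructed .vmx fragments (not real VM files).
demo() {
    good=$(mktemp); bad=$(mktemp)
    printf 'ethernet0.present = "TRUE"\nethernet0.connectionType = "hostonly"\n' > "$good"
    printf 'ethernet0.present = "TRUE"\nethernet0.connectionType = "hostonly"\nethernet1.present = "TRUE"\nethernet1.connectionType = "nat"\n' > "$bad"
    vmx_is_host_only "$good" && echo "good.vmx: every NIC host-only, safe to start"
    vmx_is_host_only "$bad"  || echo "bad.vmx: a NIC is on NAT, launch would be refused"
    rm -f "$good" "$bad"
}

demo
```

Wire `start_analysis_vm` in where your automation script currently calls vmrun, so a VM that someone flipped to NAT or bridged for a quick test never gets a live sample.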

I encourage others to add this to their automation system using software such as Truman, fakedns, or InetSim to create a virtual network. Don't want to take the time? Then you'll have to wait for the next issue of Hakin9, where I have part 2 of this article and show how to set this up (along with some other cool things).

I'd love to hear any feedback on the scripts, tools, or the article...including anything you use to expand upon it.


بنت النور said...

I am building a multi-agent system for malware detection in my PhD project. Are you expecting that such a kind of system helps automate malware detection?

Thanks & best regards

Tyler said...

By multi-agent system, do you mean something like If so, I do think those types of systems work well to help detect malware, but only when the signatures are available for the malware.

Anonymous said...

Hi Tyler,

Where can I download the latest version of the script?

Tyler said...

Hey - I'll be releasing them in the next few weeks on some type of file share. I'll post when I get it up and running. In the meantime, if you want them, shoot me an email.