Friday, August 7, 2009

Automating Malware Analysis Part 2

I've heard rumors that the latest issue of Hakin9 is on stands now. This issue contains the second part of my article on automating malware analysis and adds memory analysis and sandnet capabilities to the analysis script.

In the script, memory analysis is performed by suspending the virtual machine (as opposed to shutting it down as the first script did). When a VMWare VM is suspended, the memory for the machine is dumped into a file which can then be analyzed. This file is analyzed using the Volatility Framework.

Volatility is an amazing tool which can extract information from Windows XP SP2 & SP3 memory images. The analysis script in the article uses Volatility to extract the process list, network connections, list of loaded DLLs and list of loaded modules of the VM memory. However, Volatility can do so much more that I highly recommend extended what is in the article.

In addition to memory analysis, the article adds sandnet capabilities to the script. In the original script, the VM was set up in host-only networking mode which prevented the malware from communicating to anything over the network. This really limited the analyst in what they could see. For example, if the malware wanted to download additional files from a web server, the analyst would never see it.

To allow network connectivity, and still keep the network the analyst was on safe from infection, the script uses a tool set called InetSim to create a fake Internet for the malware to interact with. InetSim loads a number of localized servers (DNS, HTTP, etc) and logs any data sent to it. Now, when malware attempts to connect to a web server it will be able to and the analyst will see what it is attempted to download. I blogged about InetSim and how to install InetSim back in February.

I hope everyone enjoys the article. Please send me any feedback on the article or enhancements to the script. It does not appear that Hakin9 has posted the code listing for it yet, but as soon as they do I'll link to it from here. Of course, feel free to contact me to get the code if you want.

2 comments:

Sam said...

I enjoyed part 1 of your article. I tried to replicate it and had some issues with the scripts AutoIT script. I made some corrections that seemed to work. I also added a couple of options to the Linux bash script for testing purposes. I just got the issue with part 2 and look forward to implementing it as well.

Thank you for the tool.

Security Shoggoth said...

Sam - send me an email. I'd love to hear what you did and what problems you ran into.