Intro to Malware Dynamic Analysis: Part 2

By John Hubbard

This is the first post in a wonderfully enlightening series of five. A new post will be posted every Thursday until they’re all posted.

Link to Part 1

Dynamic Analysis Mindset

When I set out to do a dynamic analysis, the first question I ask myself is “do I need to do this manually?” Although dynamic analysis is fun, the truth of the matter is that most analysts don’t have time to, and shouldn’t, manually tear apart every sample they find. If I have a piece of malware from a large spam campaign and it doesn’t look particularly special or targeted, I will often first run it through an automated dynamic analysis sandbox such as Cuckoo to be efficient. If you don’t have Cuckoo, there are excellent websites that offer free automated dynamic analysis as a public service, such as malwr.com and hybrid-analysis.com (my personal favorite).

Your automated sandbox should give you the detail you seek. If it doesn’t, you may have evasive malware that is detecting your attempt to analyze it. In that case, it’s time to dive in!

Dynamic analysis setups come in varying flavors and levels of complexity. Ideally, they should present a realistic environment to the malware that will be run. This means not installing VMware Tools, Wireshark, the Sysinternals tools, or anything else the malware might be able to check for on the VM before modifying its behavior. So how do you analyze the malware without tools? The good news is that most malware will run fine, and with the magic of virtual machines you can save a tool-less setup too, just in case – we’ll cover that later. For network communication, I suggest a double virtual machine setup. This consists of a victim virtual machine (Windows in my example) plus a second virtual machine that provides fake network services and captures all the attempted communication.

REMnux

The REMnux Linux distribution is a perfect solution for this. All the tools are already installed and ready to go. At this point I’ll point out that it IS possible to do dynamic analysis on a single virtual machine; tools like FireEye’s ApateDNS and FakeNet-NG make this easy, but keep in mind it may be less reliable, since malware can detect them when they’re installed in the same environment it runs in. The rest of this article will focus on setting up the dual virtual machine architecture I mentioned earlier. I use this setup myself because I think it is a good compromise between convenience and detectability.
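As an added example (not code from the post or from REMnux), here is a minimal fake DNS responder of the kind the services VM runs in the dual-VM setup: it answers every A query with the analysis box’s own address, so whatever the sample tries to resolve is steered back to the machine capturing the traffic, and it logs each queried name. It assumes the victim VM’s DNS server setting points at the services VM and that 10.0.0.1 is that VM’s address on the isolated analysis network.

```python
import socket
import struct

# Added example, not code from the post or from REMnux: a minimal fake DNS service
# for the second (services) VM. Every A query gets the same answer, so the victim
# VM's connection attempts land on the box capturing them. SINKHOLE_IP is assumed.
SINKHOLE_IP = "10.0.0.1"

def parse_qname(data, offset=12):
    """Decode the label-encoded name that follows the 12-byte DNS header."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length

def build_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Return (queried name, reply bytes); A/IN gets answer_ip, anything else no answer."""
    txn_id = query[:2]
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    if qtype == 1 and qclass == 1:
        # flags 0x8180: response, RD+RA, NOERROR; 1 question, 1 answer, 0 auth, 0 extra
        header = txn_id + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
        # 0xC00C is a compression pointer back to the name in the question section
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        return name, header + question + rr
    header = txn_id + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0)
    return name, header + question

def serve(bind_addr="0.0.0.0", port=53):
    """Answer UDP queries forever and log who asked for what (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, reply = build_response(data)
        except (IndexError, struct.error):
            continue  # drop malformed packets instead of crashing the service
        print(f"{peer[0]} asked for {name} -> answered {SINKHOLE_IP}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```

The printed log of queried names is often the quickest first look at a sample’s intended C2 infrastructure, before any packet capture is opened.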

Virtual Machines

First, you need to acquire the two primary virtual machines that will be used. The first one is REMnux, which is the Kali of distributions for malware reverse-engineers. The tools we’ll use come installed and ready to go, and updates are constantly maintained. Shout out to Lenny Zeltser for creating this amazing distro and for his excellent SANS FOR610 class, which is an outstanding resource for learning malware reverse engineering (and launched my own journey into malware analysis).

For Windows, you’ll need to decide which operating system version you’re using, as well as obtain a license for it… or do you? Microsoft has a site for web developers called modern.ie, which is a free bank of virtual machines intended to be used to ensure IE compatibility for websites; they also happen to work perfectly as a free source of malware analysis machines! Windows 7 through 10 options are available for download. The only downside is that after a period of a month or so, they will expire, and any specific setup you’ve done for analysis will not persist. This is good for learning and getting off the ground.

For professional malware analysis you’ll need to have a fully licensed version. It should be one that you can customize and snapshot without worrying about expiration or setup.

About John

John Hubbard

John is a dedicated blue-teamer and is driven to help develop defensive talent around the world. Through his years of experience as the SOC Lead for GlaxoSmithKline, he has real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks and is eager to share these lessons with his students. As a SANS Cyber Defense curriculum instructor and course author of SEC455, John specializes in threat hunting, network security monitoring, SIEM design and optimization, and constructing defensive postures that allow organizations to protect their most sensitive data. Throughout class, he works with students to explain difficult concepts in relatable and clear language. He illustrates important ideas with stories and demonstrations. John encourages students to push themselves beyond the limit of what they thought possible.

John holds degrees in Electrical and Computer Engineering. His past research spans from malware reverse-engineering to car hacking, mobile app security, and IoT devices. In his free time, John enjoys catching every InfoSec conference he can attend, FPV drone racing, and coffee roasting. John is slowly turning his home into a data center.
