What are we analyzing

Part One - What are we analyzing and what do we want from the results:

Malware comes in many different varieties, from many different sources, with many different delivery mechanisms. Before setting up your lab you need to decide what you're looking at and how you want to analyse it. From a corporate viewpoint there are a lot of additional factors to consider; if this is a personal project you possibly have a little more freedom.

First define the scope of the project. With this in place we can focus and tune the lab, whilst still leaving flexibility to change or add to it later.

For my lab, these are the things I want to be able to do:

1. Process all my emails looking for anything nasty (I have a few old mailboxes which are just full of nasty).

2. Check suspect malware samples from friends and family.

3. Have a platform that will help me learn and develop my malware analysis tools and skills.

4. Be flexible enough to expand.

With all this in mind, let's look at what we are going to need.

  • Management database
  • Sample collector
    • Automated Collectors
    • Manual collectors
  • Analysis environment
    • Dynamic results
    • Static
  • Network Access
  • Reporting / Publishing

There are many, many different approaches, and everyone has their own preferences for tools and configurations. I'm just going to talk about my setup and the tools I use.

In this section I'm just going to list the tools and methods; the next section will look at how to install them and get them all up and running.

Management Database.

For the management database I couldn't find anything that did all of the things I wanted to achieve, so I pulled together some old scraps of code and threw something together myself, and I emphasise "threw together". I'm not saying there aren't tools out there that do this, just not what I wanted. For details of the management database look here. The integration of the rest of my lab is designed to work with this application, but the methods and tools can be used standalone or configured to work with other applications.

Sample collection is included within the management database. It allows me to import samples automatically from emails and pcaps, and also gives me a manual submission method.

Analysis environment.

This is typically split into two parts:

Dynamic

For dynamic analysis I use Cuckoo Malware Sandbox. This application is extremely well written and documented, it's still being actively developed, and one of my favourite things about it is that it's released free and open source. I also have some VM images set up so I can run some analysis with human interaction if required.

Static

For static analysis I have some VMs loaded with static tools (I'll list them on another page somewhere), a mixture of Ubuntu and Windows depending on the task. I run these on an ESX server with the free licence.

Networking

Networking is a tough one, with a couple of pros and cons. You don't want to accidentally infect your home network; you don't want your external IP address showing up in someone's logs or being blacklisted as part of a botnet; and perhaps most importantly you don't want the bad guys seeing you and targeting you directly, although this is extremely unlikely to happen.

On the opposing side, if your malware is only a first-stage implant you want to see what happens next, and if you want to start analysing URLs or scraping samples in the future you're going to want network access.

Fortunately there are a few things we can do to protect ourselves; some of them are free, others have a price tag.

To protect my home network I do a couple of things:

  • A separate LAN segment for the malware lab.
  • Where this LAN meets the internet I have a firewall and an IDS.
  • Any traffic going out from the malware lab is sent via an anonymous VPN.
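As an added example (this is not the author's configuration or code from the original post), here is one way to express those three controls as an nftables ruleset on the gateway that sits between the lab segment and the internet. The interface names, subnets and the analyst workstation address are assumptions made for the illustration; replace them with your own.

```shell
# Added example, not the original post's own configuration: an nftables
# ruleset for the gateway sitting between the lab segment and the internet.
# Every interface name, subnet and host below is an assumption for the
# illustration; adjust them to your own layout.

LAB_IF="${LAB_IF:-eth1}"                      # assumed: NIC facing the lab segment
VPN_IF="${VPN_IF:-tun0}"                      # assumed: VPN tunnel interface
LAB_NET="${LAB_NET:-10.66.0.0/24}"            # assumed: lab subnet
HOME_NET="${HOME_NET:-192.168.1.0/24}"        # assumed: home LAN subnet
ANALYST_HOST="${ANALYST_HOST:-192.168.1.10}"  # assumed: the one home box allowed into the lab

# Print the ruleset as text. Order matters: the home-LAN drop sits before
# the VPN accept, so the lab can never reach the home LAN, tunnel or no tunnel.
lab_ruleset() {
    cat <<EOF
table inet lab {
    chain forward {
        # Default drop: anything the rules below do not explicitly accept,
        # including lab traffic trying to leave via the raw WAN uplink while
        # the tunnel is down, is discarded. (A 'policy accept' here, or an
        # 'iifname "$LAB_IF" accept' with no oifname, would expose the real
        # IP address the moment the VPN drops.)
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed in the first place.
        ct state established,related accept

        # Lab -> home LAN is never allowed.
        iifname "$LAB_IF" ip daddr $HOME_NET drop

        # Only the analyst workstation may open connections into the lab
        # (RDP/SSH to the VMs, the sandbox web UI, sample submission).
        ip saddr $ANALYST_HOST oifname "$LAB_IF" accept

        # Everything else from the lab leaves only through the VPN tunnel.
        iifname "$LAB_IF" oifname "$VPN_IF" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide lab addresses behind the tunnel endpoint.
        oifname "$VPN_IF" ip saddr $LAB_NET masquerade
    }
}
EOF
}

# Load the ruleset into the kernel (needs root and the nftables userspace tools).
apply_lab_ruleset() {
    lab_ruleset | nft -f -
}
```

Run `apply_lab_ruleset` on the gateway, or pipe `lab_ruleset` into a file to review first. Two caveats a practitioner will want: the VPN only hides the lab's source address from whoever the sample talks to, so DNS queries from the lab must also go down the tunnel rather than to the home router, and the VPN provider now sees the lab's traffic; and the drop rule for the home LAN is there precisely because the VPN does nothing to protect hosts on your own side of the gateway. The IDS mentioned above would watch the lab-facing interface, which this ruleset does not cover.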

The final thing is how to collate and publish the results, but I will discuss this in a lot more detail in the final section of this write-up.

That's all for this one; the next section will look at setting up all the different parts.
