Thread: basic setup for malware analysis

  1. #1
    lund99 (Senior Member, Join Date: Feb 2010, Posts: 142)

    basic setup for malware analysis

    I know this question goes beyond the scope of this subforum and possibly the entire forum ( I miss the old Specialist subforum ) but I decided to give it a shot, if this belongs in a completely different forum I would surely appreciate it if someone could point me in the right direction before removing this post.

    OK, here we go:

    The company I work for has recently been targeted by a trojan that has been spreading for the last 14 days.

    As such, my employer has decided that we need to have a simple lab environment set up for analysis of malware behaviour.

    To get started with this quickly, I have pictured a simple setup where we get an internet hookup (completely separate from the corp. network) and place a box for traffic analysis in between the router and the infected computer(s).

    My plan was running SNORT on the mentioned box, in addition to performing malware analysis on the computers we intentionally infect with malware.

    The purpose of the lab environment is mainly to identify which IP addresses are used for retrieving data (let's say a botnet config update) and where data is sent to (keylogger info, data retrieved by formgrabbing etc).

    Would you suggest that we set up something completely different, or do you have any recommendations regarding additions to the set-up I have planned?

    I suspect that once we begin to scratch the surface on this project the scope of the project might expand - but initially, we are only looking to analyse malware behaviour - in general IP addresses related to spreading and updating malware and also addresses used for data theft from infected computers.
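    The goal stated above (which external addresses the infected hosts pull updates from and push stolen data to) is the kind of thing the Snort box produces raw material for; what is missing is the step that turns its alert log into a per-destination summary. The following is an added example, not code from the thread or from Snort: it parses Snort's "fast" alert output format, drops traffic that stays inside the lab subnet, and groups the rest by destination address and port with hit counts, first/last seen and which infected hosts talked to it. The alert lines, SIDs and addresses are constructed samples (TEST-NET ranges), and the lab subnet 192.168.56.0/24 is an assumption.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort "fast" alert format (alert_fast output).
# SIDs 9000001-9000003, messages and addresses are placeholders for this example.
SAMPLE_ALERTS = """\
03/14-11:49:01.123456  [**] [1:9000001:1] LAB Outbound HTTP POST to raw IP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 192.168.56.101:49152 -> 203.0.113.7:8080
03/14-11:49:05.223456  [**] [1:9000002:1] LAB DNS query for suspicious TLD [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.56.101:53311 -> 192.168.56.1:53
03/14-11:51:40.000001  [**] [1:9000001:1] LAB Outbound HTTP POST to raw IP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 192.168.56.101:49160 -> 203.0.113.7:8080
03/14-11:52:10.000002  [**] [1:9000003:1] LAB Outbound connection on uncommon port [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.102:49201 -> 198.51.100.23:4444
this line is not an alert and must be skipped
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Destination:
    """Aggregate view of one external endpoint contacted from the lab."""
    proto: str
    dst: str
    dport: int
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""
    sources: set = field(default_factory=set)   # infected hosts that reached it
    messages: set = field(default_factory=set)  # rule messages that fired


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "prio"):
        fields[key] = int(fields[key])
    return fields


def summarize_egress(alert_text, lab_net="192.168.56.0/24"):
    """Group alerts by (proto, dst, dport), ignoring destinations inside the lab
    subnet (gateway, lab DNS), and return them ordered by hit count."""
    net = ip_network(lab_net)  # assumption: the isolated lab network
    table = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or ip_address(alert["dst"]) in net:
            continue
        key = (alert["proto"], alert["dst"], alert["dport"])
        entry = table.get(key)
        if entry is None:
            entry = Destination(alert["proto"], alert["dst"], alert["dport"],
                                first_seen=alert["ts"])
            table[key] = entry
        entry.hits += 1
        entry.last_seen = alert["ts"]
        entry.sources.add(alert["src"])
        entry.messages.add(alert["msg"])
    return sorted(table.values(), key=lambda e: -e.hits)


if __name__ == "__main__":
    for d in summarize_egress(SAMPLE_ALERTS):
        print(f"{d.proto} {d.dst}:{d.dport}  hits={d.hits}  "
              f"first={d.first_seen} last={d.last_seen}  "
              f"from={sorted(d.sources)}  rules={sorted(d.messages)}")
```

    Run it against a real `alert` file from the Snort box by reading that file into `summarize_egress` instead of the sample string; the ordering by hit count surfaces the beaconing C2 endpoint (many hits, one rule) apart from one-off contacts, and the `sources` set shows whether every infected machine uses the same drop address.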

  2. #2
    KMDave (Moderator, Join Date: Jan 2010, Posts: 2,281)

    Re: basic setup for malware analysis

    Well I wouldn't ever hook up a malware research lab to the internet.

    Next you might want to read up on sandboxes designed for this purpose. For instance Sandboxie or Anubis.

    Hope this helps you with your task.
    Tiocfaidh ár lá

  3. #3
    lund99 (Senior Member, Join Date: Feb 2010, Posts: 142)

    Re: basic setup for malware analysis

    Thanks, it's not our intention to keep infected computers online constantly.
    However, in order for us to keep up with the updates distributed to the malware, and to track IP addresses affiliated with such mechanisms - it is quite necessary to have these machines online from time to time.

    But I will take some time now and read up on Sandboxie and Anubis.

  4. #4
    Senior Member (Join Date: Jan 2010, Posts: 140)

    Re: basic setup for malware analysis

    I recently watched this video and thought it was a pretty good beginners primer for malware analysis. It may give you some ideas.
    http://www.securitytube.net/Introduc...sis-video.aspx

  5. #5
    lund99 (Senior Member, Join Date: Feb 2010, Posts: 142)

    Re: basic setup for malware analysis

    Thanks Dudeman - I will watch this lesson tomorrow - seems pretty interesting!

  6. #6
    Just burned his ISO (Join Date: Jan 2011, Posts: 8)

    Re: basic setup for malware analysis

    Sandboxing is fine, but you need to remember most malware sold on the market now for literally even a couple of dollars is rather immune to that type of checking. The malware recognizes the environment and shuts itself down.

    Nonetheless, here is a link you may find useful.
    setting-up-malware-lab
