I know this question goes beyond the scope of this subforum and possibly the entire forum (I miss the old Specialist subforum), but I decided to give it a shot. If this belongs in a completely different forum, I would surely appreciate it if someone could point me in the right direction before removing this post.
OK, here we go:
The company I work for has recently been targeted by a trojan that has been spreading for the last 14 days.
As such, my employer has decided that we need to have a simple lab environment set up for analysis of malware behaviour.
To get started with this quickly, I have pictured a simple setup where we get an internet hookup (completely separate from the corp. network) and place a box for traffic analysis in between the router and the infected computer(s).
My plan was to run SNORT on the mentioned box, in addition to performing malware analysis on the computers we intentionally infect with malware.
The purpose of the lab environment is mainly to identify which IP addresses are used for retrieving data (let's say a botnet config update) and where data is sent to (keylogger info, data retrieved by form grabbing, etc.).
Would you suggest that we set up something completely different, or do you have any recommendations regarding additions to the set-up I have planned?
I suspect that once we begin to scratch the surface on this project the scope might expand - but initially, we are only looking to analyse malware behaviour - in general, IP addresses related to spreading and updating malware, and also addresses used for data theft from infected computers.
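The core of the setup described above is a Snort box that logs every address the infected lab hosts reach out to. The following is an added example (not code from the original post or from the Snort project) of how that can be turned into a list of candidate update/exfiltration addresses: a Snort rule that alerts on any connection leaving the lab segment, and a parser for Snort's "fast" alert output that tallies the external destinations. The lab subnet 192.168.100.0/24, the rule SID and the alert lines are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort 2 rule (lab subnet assumed to be 192.168.100.0/24) that fires on every
# packet leaving the lab segment, so each contacted address ends up in the log.
LAB_RULE = (
    'alert ip 192.168.100.0/24 any -> !192.168.100.0/24 any '
    '(msg:"LAB outbound connection"; sid:1000001; rev:1;)'
)
LAB_NET = ip_network("192.168.100.0/24")

# Tail of a Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample of Snort fast-alert output; the last line is deliberately malformed.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] LAB outbound connection [**] [Priority: 0] {TCP} 192.168.100.10:49152 -> 203.0.113.45:8080
01/15-10:23:47.001122  [**] [1:1000001:1] LAB outbound connection [**] [Priority: 0] {TCP} 192.168.100.10:49153 -> 203.0.113.45:8080
01/15-10:24:02.555555  [**] [1:1000001:1] LAB outbound connection [**] [Priority: 0] {UDP} 192.168.100.11:53001 -> 198.51.100.7:53
01/15-10:24:10.000001  [**] [1:1000001:1] LAB outbound connection [**] [Priority: 0] {TCP} 192.168.100.10:49154 -> 192.168.100.1:445
this line is garbage and must be skipped
""".splitlines()


def parse_alert(line):
    """Return (msg, proto, src, dst, dport) for one fast-alert line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return (m["msg"], m["proto"], m["src"], m["dst"], m["dport"])


def outbound_destinations(lines, lab_net=LAB_NET):
    """Count (dst, port, proto) triples that lab hosts tried to reach outside the lab.
    Malformed lines and traffic that stays inside the lab segment are ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        _, proto, src, dst, dport = parsed
        if ip_address(src) not in lab_net or ip_address(dst) in lab_net:
            continue
        counts[(dst, dport or "-", proto)] += 1
    return counts


if __name__ == "__main__":
    for (dst, port, proto), n in outbound_destinations(SAMPLE_ALERTS).most_common():
        print(f"{n:4d}  {proto:4s} {dst}:{port}")
```

The same tally run over a full day of alerts separates a handful of repeatedly contacted hosts (update or drop servers) from one-off noise, which is the list the question is after.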
Well I wouldn't ever hook up a malware research lab to the internet.
Next you might want to read up on sandboxes designed for this purpose. For instance Sandboxie or Anubis.
Hope this helps you with your task.
Tiocfaidh ár lá
Thanks. It's not our intention to keep infected computers online constantly.
However, in order for us to keep up with the updates distributed to the malware, and to track IP addresses affiliated with such mechanisms, it is quite necessary to have these machines online from time to time.
But I will take some time now and read up on Sandboxie and Anubis.
I recently watched this video and thought it was a pretty good beginners primer for malware analysis. It may give you some ideas.
http://www.securitytube.net/Introduc...sis-video.aspx
Thanks Dudeman - I will watch this lesson tomorrow - seems pretty interesting!
Sandboxing is fine, but you need to remember that most malware sold on the market now, for literally even a couple of dollars, is rather immune to that type of checking. The malware recognizes the environment and shuts itself down.
Nonetheless, here is a link you may find useful.
setting-up-malware-lab