I was listening to the ISD Security Podcast episode 168 the other day and heard this great interview with Paul Royal, who researched and helped shut down the original Kraken botnet in 2008. While the whole interview was excellent, one part at the end stood out as something that should be documented. Rick asked Paul how someone could get started in malware analysis if they are interested. The following is my paraphrased version of Paul’s response:
Check out the following sites to obtain malware samples:
Malfease – which is a public malware repository hosted by Georgia Tech. You don’t have to be a student at Georgia Tech to use this service. From the FAQ: “Q) What is the purpose of Malfease? A) Malfease is designed to automate many of the tasks associated with new malware collection. With thousands of new samples created each week, automation can help reduce the burden on researchers and industry analysts.”
Malware Domain List – is a site where volunteers document different malicious domains found on legitimate compromised sites, etc., and has links to download some of the malware. There are several very interesting links right on the front page of the MDL that anyone interested in malware analysis, prevention and incident response should check out.
With the above links you can purposely download malware and allow it to exploit your virtual machine or other sandboxed environment running known vulnerable, unpatched software or software vulnerable to zero-day threats. Once this has been done, you can study it at various levels:
- At a basic level, study the network traffic patterns with a tool such as Wireshark.
- Next you could run it with a live binary analysis tool such as OllyDbg.
- You can also do a static analysis with a debugger/disassembler such as IDA Pro.
When you are ready to move beyond those initial methods, install Linux on a system that supports hardware virtualization extensions. Then you can delve into tools such as Ether in conjunction with the Xen virtualization platform. This will allow you to play around with much more sophisticated malware and figure out how it operates.
Continue experimenting and piece by piece you will start to understand how the “modern threat landscape” works.
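As an added example for the "study the network traffic patterns" step (this is not code from the post or from the podcast), the script below reads a libpcap capture taken from the sandbox VM's network and pulls out the two things an analyst usually looks at first in Wireshark: the DNS names the sample resolves, and any host it opens new connections to at a fixed interval (beaconing, which is how a bot checks in with its controller). The capture is constructed inline so the script runs offline; the addresses (192.168.56.x, 203.0.113.5, 198.51.100.7), the ports and the domain `update.example.test` are invented, as is the 60-second beacon. In practice you would capture on the host side of an isolated host-only network rather than inside the VM, so the sample cannot tamper with the capture, and pass the resulting `.pcap` bytes to `parse_pcap`.

```python
"""Summarise traffic from a malware sandbox VM: DNS lookups and beaconing.

Added example, not from the original post.  Dependency-free pcap reader
(libpcap format, Ethernet link type, IPv4 TCP/UDP only).  The sample
capture is constructed below; all hosts, ports and names are invented.
"""
import struct
from collections import defaultdict


def parse_pcap(data):
    """Return packet dicts for every IPv4 TCP/UDP packet in a pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = parse_frame(frame, sec + usec / 1e6)
        if pkt:
            packets.append(pkt)
    return packets


def parse_frame(frame, ts):
    """Decode Ethernet/IPv4 and the TCP or UDP header; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:                          # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        return dict(ts=ts, src=src, dst=dst, proto="udp", sport=sport,
                    dport=dport, syn=False, payload=l4[8:])
    if proto == 6 and len(l4) >= 20:                          # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        syn = (l4[13] & 0x12) == 0x02                         # SYN without ACK = new connection
        return dict(ts=ts, src=src, dst=dst, proto="tcp", sport=sport,
                    dport=dport, syn=syn, payload=l4[(l4[12] >> 4) * 4:])
    return None


def dns_qname(payload):
    """First question name of a DNS message (questions are never compressed)."""
    labels, off = [], 12
    while off < len(payload) and payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def summarise(packets, min_conns=4, max_jitter=0.2):
    """DNS names queried, plus (src, dst, dport) reached by new TCP connections
    at a near-constant interval (every gap within max_jitter of the mean)."""
    dns = sorted({dns_qname(p["payload"]) for p in packets
                  if p["proto"] == "udp" and p["dport"] == 53})
    conns = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp" and p["syn"]:
            conns[(p["src"], p["dst"], p["dport"])].append(p["ts"])
    beacons = []
    for (src, dst, dport), ts in conns.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            beacons.append(dict(src=src, dst=dst, dport=dport,
                                count=len(ts), interval=round(mean, 1)))
    return dict(dns=dns, beacons=beacons)


# --- constructed sample capture (invented hosts, ports and domain) ----------

def _ip_frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4          # zero MACs, EtherType IPv4


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def _dns_query(name):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00" + struct.pack("!HH", 1, 1)


def build_pcap(frames):
    """frames: list of (timestamp, raw Ethernet frame) -> libpcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in sorted(frames, key=lambda x: x[0]):
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(f), len(f)) + f
    return out


def constructed_capture():
    """One DNS lookup, a 60 s check-in to a 'controller', two unrelated connections."""
    vm, dns_srv, c2, other = "192.168.56.10", "192.168.56.1", "203.0.113.5", "198.51.100.7"
    frames = [(100.0, _ip_frame(vm, dns_srv, 17, _udp(40000, 53, _dns_query("update.example.test"))))]
    frames += [(101.0 + 60 * i, _ip_frame(vm, c2, 6, _tcp_syn(50000 + i, 8080))) for i in range(5)]
    frames += [(130.0, _ip_frame(vm, other, 6, _tcp_syn(51000, 443))),
               (290.0, _ip_frame(vm, other, 6, _tcp_syn(51001, 443)))]
    return build_pcap(frames)


if __name__ == "__main__":
    result = summarise(parse_pcap(constructed_capture()))
    print("DNS names queried:", result["dns"])
    for b in result["beacons"]:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['dport']} every ~{b['interval']}s "
              f"({b['count']} connections)")
```

The beacon check keys on SYN packets only, so the many data/ACK packets of a single long-lived session do not look like a check-in pattern; real samples add jitter, so loosen `max_jitter` before trusting a negative result, and compare what the script reports against the Conversations and IO Graph views in Wireshark on the same file.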