Presentation Slides
Using Cuckoo Sandbox:
- Follow the Cuckoo Sandbox installation documentation to install it on a Linux host (the link was in the original slides).
- After Cuckoo is configured on the host, it can be used with a virtual Windows guest for malware analysis. Microsoft provides free, official (time-limited) Windows VM images that can be used for this purpose.
- Usage instructions (how to run Cuckoo, submit an analysis, view results via the web interface, etc.) are in the Cuckoo documentation.

Presentation Notes:
What is Malware (short for Malicious Software)?
- Encompasses a variety of forms of hostile or intrusive software.
- Often disguised as, or embedded in, files that look benign:
  - Executable files
  - PDF and Word documents
  - Photos (image files)
  - E-mail attachments

What is Malware Used For?:
- Steal information from infected computers
- Spy on the user
- Harm infected computers
- Encrypt files on the infected computer and extort payment (ransomware, ex: CryptoLocker)

Malware thrives on user error and insecure systems:
- Everyday computer users (Adware, Ransomware, etc.):
  - Drive-by downloads
  - Opening e-mail attachments
- Vulnerable machines:
  - Systems with vulnerable (unpatched) software
  - Large networks containing even a single vulnerable machine, which gives the malware a foothold from which to spread

Types of Malware:
- Computer Virus/Computer Worm
  - Email-Worm
  - IM-Worm
  - IRC-Worm
  - Net-Worm
  - P2P-Worm
  - Virus
  - Most known computer worms are spread in one of the following ways:
    - Files sent as email attachments
    - Via a link to a web or FTP resource
    - Via a link sent in an instant message
    - Via P2P (peer-to-peer) file sharing networks
    - Some worms are spread as network packets that exploit a vulnerable network service: the worm code is written directly into the memory of the target process and executed, with no file for the user to open
  - Viruses can be divided according to the method they use to infect a computer:
    - File viruses
    - Boot sector viruses
    - Macro viruses
    - Script viruses
- Trojan
- Suspicious Packer
  - Objects that have been compressed using packers designed to hide malicious code from detection by antivirus products
  - Multipacked: files that have been packed several times, using a variety of packers
- Malicious Tools
- Adware, Pornware, Riskware, Ransomware, Spyware

How to discover Malware:
- File integrity monitoring (FIM): record a baseline of file hashes and attributes, then alert when they change
  - Advanced Intrusion Detection Environment (AIDE)
  - CimTrak
  - OSSEC
  - Samhain
  - Tripwire Enterprise/File Integrity Manager
  - Qualys
  - Verisys
  - Trustwave
  - LogRhythm
  - CloudPassage
- Process monitoring
  - Process Explorer
  - Process Hacker
- Network monitoring
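The file integrity monitoring idea above in working form, as an added example that is not from the slides or from any of the listed products: hash every regular file under a directory into a JSON baseline, then on the next run report what was added, removed or modified. File names and paths in the usage are hypothetical.

```python
"""Minimal file integrity monitor: baseline a directory tree, then report changes.

Added example, not code from the slides or any FIM product. Records a SHA-256,
size and permission bits for every regular file under a root directory and
diffs the current state against a saved baseline.
"""
import hashlib
import json
import os
import stat
import sys


def _hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {sha256, size, mode, mtime}} for files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets: hash only real files
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": _hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return baseline


def save_baseline(baseline, path):
    # Store the baseline outside the monitored tree (ideally read-only or off-host),
    # otherwise the malware can simply rewrite it.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines. A file counts as modified when its hash or permission
    bits differ; mtime alone is recorded but not trusted, because it is trivially
    forged (timestomping)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def check(root, baseline_path):
    """One-shot check of the current state of root against the saved baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    # usage (hypothetical paths): python fim.py /usr/local/bin /var/lib/fim/baseline.json
    root, baseline_path = sys.argv[1], sys.argv[2]
    if not os.path.exists(baseline_path):
        save_baseline(build_baseline(root), baseline_path)
        print("baseline written to", baseline_path)
    else:
        for kind, paths in check(root, baseline_path).items():
            for p in paths:
                print(f"{kind.upper():9} {p}")
```

The first run writes the baseline; every later run prints the differences. The products in the list do the same thing with scheduling, central storage of the baseline and alerting on top.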

Once You've Discovered Malware:
- It's not enough to simply find and delete the file
- You need to investigate what the malware did: persistence it installed, files it dropped, data or credentials it touched, and hosts it communicated with
- Typically, execute the malware in a safe environment (sandbox) to determine what it does

What is a Sandbox:
- A sandbox is an isolated environment used to run and observe untrusted programs.
- These environments typically restrict OS resources such as disk space and networking features for the untrusted programs.
- Anything created or changed within a sandbox is not able to interact with programs or data outside of the sandbox.
- Anything created or changed within a sandbox is discarded when the sandbox closes or the VM is reverted to its clean snapshot, so no permanent changes are made to the analysis system.
- Can be set up using virtual machines on a host or a network of physical machines
- Physical machines are sometimes preferred, since much malware checks whether it is running in a virtual environment (hypervisor driver names, VM vendor MAC address prefixes, CPUID results, tiny disks) and changes or stops its behaviour if so
- Must ensure that the sandbox is isolated from the production environment: separate network segment, no shared storage or credentials, and outbound traffic either blocked or sent through a controlled egress
- When providing data to the sandbox, use write-once media such as CD/DVD-R, to prevent the malware from writing itself onto USB drives that are then carried elsewhere
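Configuration sketch for the isolation point above, added here and not taken from the slides or the Cuckoo project: a Cuckoo guest on a VirtualBox host-only network cannot reach the production LAN, and Cuckoo's routing defaults give it no internet access either. Section and key names follow the Cuckoo 2.x conf files; the interface name, IP addresses and VM label are example values to be checked against your own install.

```ini
; conf/cuckoo.conf (example values, not a copy of any real install)
; The result server listens on the host-only interface, not on the LAN address.
[resultserver]
ip = 192.168.56.1
port = 2042

; conf/virtualbox.conf
; interface = the VirtualBox host-only adapter; never a bridged adapter.
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1

; Guest reverts to the clean snapshot after every task, so nothing persists.
[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = clean
interface = vboxnet0

; conf/routing.conf
; route = none keeps sandbox traffic on the host-only segment (no forwarding to
; the outside); switch to a controlled route only when an analysis needs egress.
[routing]
route = none
internet = none
```

Pair this with a host firewall rule that drops forwarding from vboxnet0 to anything except the result server port, so a misconfigured VM cannot leak onto the production network.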

Malware Analysis Tools:
- Online
  - Malwr (https://malwr.com/)
  - Anubis
  - ThreatExpert
  - Comodo
  - ThreatTrack ThreatAnalyzer
- Standalone
  - Cuckoo
  - Sandboxie
  - REMnux
  - Zero Wine Tryout

Cuckoo Sandbox:
- Free, open-source malware analysis system.
- Allows files/folders/URLs to be queued up (called tasks) and then executed and inspected within a target VM.
- Generates a detailed report on the inspected sample. Information can include:
  - File hashes (MD5/SHA-1/SHA-256) and file version info
  - Native libraries (DLLs) loaded
  - Registry and file changes on the system
  - Network packets (PCAP capture)
  - Contacted domains/IP addresses
  - Processes created and programs accessed
  - Screenshots during the malware execution
  - Antivirus identification (for example VirusTotal verdicts for the sample, and whether a submitted website appears to be safe or malicious)
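Putting the "Using Cuckoo Sandbox" steps at the top of the page and the report contents listed above together, as an added example that is not code from the slides or from the Cuckoo project: submit a sample through Cuckoo's REST API, wait for the task to reach the "reported" state, and pull the indicators an analyst looks at first out of the JSON report. Assumptions: a Cuckoo 2.x REST API (`cuckoo api`) listening at API_URL with the endpoints tasks/create/file, tasks/view/<id> and tasks/report/<id>; the report.json key names used in triage_report(); and SAMPLE_REPORT, which is constructed for illustration rather than real analysis output.

```python
"""Submit a sample to Cuckoo's REST API, wait for it, and triage the JSON report.

Added example for these notes, not code from the slides or the Cuckoo project.
Assumes the Cuckoo 2.x REST API at API_URL and report.json keys as used below.
"""
import json
import re
import sys
import time
import urllib.request
import uuid

API_URL = "http://127.0.0.1:8090"   # assumed: default bind address of `cuckoo api`
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)", re.IGNORECASE)


def submit_file(path, api_url=API_URL):
    """POST the sample as multipart/form-data and return the new task id."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as f:
        data = f.read()
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    body = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{name}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        f"{api_url}/tasks/create/file", data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["task_id"]


def wait_for_report(task_id, api_url=API_URL, poll=10, timeout=900):
    """Poll tasks/view until the status is 'reported', then fetch the JSON report."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with urllib.request.urlopen(f"{api_url}/tasks/view/{task_id}") as resp:
            status = json.load(resp)["task"]["status"]
        if status == "reported":
            with urllib.request.urlopen(f"{api_url}/tasks/report/{task_id}") as resp:
                return json.load(resp)
        time.sleep(poll)
    raise TimeoutError(f"task {task_id} not reported within {timeout}s")


def triage_report(report, min_severity=2):
    """Extract the indicators an analyst wants first from a Cuckoo report dict."""
    behavior = report.get("behavior", {})
    summary = behavior.get("summary", {})
    net = report.get("network", {})
    # network.hosts is a list of IP strings in Cuckoo 1.x and of dicts in 2.x
    hosts = {h["ip"] if isinstance(h, dict) else h for h in net.get("hosts", [])}
    return {
        "sha256": report.get("target", {}).get("file", {}).get("sha256"),
        "domains": sorted({d["domain"] for d in net.get("domains", [])}),
        "hosts": sorted(hosts),
        "dropped_files": sorted(set(summary.get("file_written", []))),
        # registry writes under Run/RunOnce are the classic persistence tell
        "persistence_keys": sorted(k for k in summary.get("regkey_written", [])
                                   if RUN_KEY.search(k)),
        "mutexes": sorted(set(summary.get("mutex", []))),
        "processes": [p.get("command_line") or p.get("process_name")
                      for p in behavior.get("processes", [])],
        "signatures": sorted(s["name"] for s in report.get("signatures", [])
                             if s.get("severity", 0) >= min_severity),
    }


SAMPLE_REPORT = {  # constructed for illustration, not real analysis output
    "target": {"category": "file", "file": {"name": "invoice.exe", "sha256": "a" * 64}},
    "behavior": {
        "summary": {
            "file_written": ["C:\\Users\\user\\AppData\\Roaming\\svchost.exe"],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
            ],
            "mutex": ["Global\\Updater-Mutex"],
        },
        "processes": [
            {"pid": 1234, "process_name": "invoice.exe", "command_line": '"C:\\invoice.exe"'},
            {"pid": 1300, "process_name": "svchost.exe",
             "command_line": "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"},
        ],
    },
    "network": {"hosts": [{"ip": "198.51.100.23"}],
                "domains": [{"domain": "update.example.net", "ip": "198.51.100.23"}]},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun"},
        {"name": "antivm_generic_disk", "severity": 1, "description": "Checks the disk size"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:        # python cuckoo_triage.py sample.exe  (hypothetical file)
        report = wait_for_report(submit_file(sys.argv[1]))
    else:                        # no sample given: triage the constructed report
        report = SAMPLE_REPORT
    print(json.dumps(triage_report(report), indent=2))
```

Run without arguments it triages the constructed report offline; with a path it submits that file to the API and prints the same summary once the task is reported. The constructed report shows the pattern the slides describe: a dropped copy in AppData, a Run key pointing at it, and a contacted domain, which is exactly what a find-and-delete of the original file would miss.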

Preventing Malware Infections:
- Using real-time Anti-Malware (ex: Malwarebytes) and Anti-Virus (ex: Norton) software. Caveat: two real-time engines on the same host often conflict with each other and slow the machine down; the usual setup is one real-time engine plus a second tool used for on-demand scans.
- Anti-Malware vs. Anti-Virus?:
  - Anti-Malware is marketed toward removing malware from an already infected computer
  - Anti-Virus is focused on preventing the infection in the first place.
  - In practice both types can usually do a bit of both; the distinction is largely historical and marketing-driven.
- Sandboxing Software:
  - Sandboxie (desktop sandbox)
  - AirGap, Spoon.net (browser sandboxes)
- Keeping security software and the operating system updated
- Firewalls, limiting user privileges (work day-to-day as a standard user, not an administrator, so malware launched by the user cannot make system-wide changes)