Malware Analysis as a Hobby
1. Malware Analysis as a Hobby
Michael Boman - Security Consultant/Researcher, Father of 5
Siavosh Zarrasvand – Security Consultant/Researcher, Searching
6. Choose any two? Why not all of them?
Good, Fast, Cheap:
• Cheap: I can do it cheaply (hardware and license cost-wise). Human time not included.
• Fast: I can do it quickly (I spend up to 3 hours a day doing this, on average even less).
• Good: I get pretty good results (quality). Where the system lacks I can compensate for its shortcomings.
11. Sample Acquisition
• Public & Private Collections
• Exchange with other malware analysts
• Finding and collecting malware yourself
• Download files from the web
• Grab attachments from email
• Feed BrowserSpider with links from your SPAM-folder
12. BrowserSpider
Written in Python
Uses the Selenium framework to control REAL browsers
Flash, PDFs, Java applets etc. execute as normal
All the browser bugs exist for real
Spiders and follows all links seen
14. A day's work for a Cuckoo
• Fetch a task
• Prepare the analysis
• Launch analyzer in virtual machine
• Execute an analysis package
• Complete the analysis
• Store the result
• Process and create reports
24. Problems
VM or Sandbox detection
The guest OS might not be sufficient
Any multistage attack
25. Iterating automation
• Divide the samples into categories: Known Good, Known Bad, Unknown
• Sort out clearly non-malicious and obviously malicious samples
• Do brief static analysis
26. Iterating automation
• Does not do anything
• Detects environment
• Encrypted segments
• Failed execution
27. Iterating automation
• Run longer
• Environment customization
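Slides 25 to 27 describe the triage loop in words; as an added illustration (not code from the talk, Cuckoo or BrowserSpider), the Python below sorts a sample into Known Good / Known Bad / Unknown by SHA-256 and runs one brief static check, per-segment Shannon entropy, to flag the "encrypted segments" case before any sandbox time is spent. The hash lists and the three samples are constructed stand-ins.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for a known-good and a known-bad corpus, keyed by SHA-256.
# In practice these sets come from your own collections and exchange partners.
GOOD_SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a known-good file"
BAD_SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a known-bad file"
KNOWN_GOOD = {hashlib.sha256(GOOD_SAMPLE).hexdigest()}
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def brief_static_analysis(data: bytes, block: int = 256, threshold: float = 7.0) -> dict:
    """Split the sample into fixed-size segments and flag those whose entropy is
    high enough to suggest packed or encrypted content, the 'encrypted segments'
    case that a sandbox run alone does not explain."""
    segments = [data[i:i + block] for i in range(0, len(data), block)]
    high = [i for i, seg in enumerate(segments)
            if len(seg) >= 64 and shannon_entropy(seg) >= threshold]
    return {"segments": len(segments), "high_entropy_segments": high}


def triage(data: bytes) -> dict:
    """Sort one sample into Known Good / Known Bad / Unknown. Only the Unknown
    bucket earns further work: brief static analysis now, a sandbox run later."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_GOOD:
        return {"sha256": digest, "category": "known_good"}
    if digest in KNOWN_BAD:
        return {"sha256": digest, "category": "known_bad"}
    report = {"sha256": digest, "category": "unknown"}
    report.update(brief_static_analysis(data))
    return report


# Constructed unknown sample: a plain-text stub followed by a high-entropy blob
# (every byte value appearing equally often, as packed or encrypted data does).
UNKNOWN_SAMPLE = (b"MZ" + b"\x00" * 62 + b"plain text stub " * 60
                  + bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, sample in [("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE),
                         ("unknown", UNKNOWN_SAMPLE)]:
        print(name, triage(sample))
```

The unknown sample reports segments 4 to 7 as high-entropy, which is the cue to queue it for a longer or customised sandbox run rather than discard it as "does not do anything".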
29. Budget
Computer: €520
MSDN License: €800 (€590 renewal)
Year 1: €1320
Year N: €590
Money saved from stopped smoking (yearly): €2040
30. Next steps
• Barebone on-the-iron malware analysis
• Android platform support
• OSX platform support
• iOS platform support