Build a free Malware Analysis Toolkit
Inspecting the capabilities of malicious software (malware) is essential: only by understanding what a sample does can the necessary steps be taken to contain and prevent it. However, an Information Technology (IT) team cannot simply run a sample on a production system to observe its effects; doing so could be a disaster for the entire environment.
What mechanism the malware uses, what it really does, and what its effects are constitute the main concerns of the IT team. A controlled environment is therefore necessary for any examination of a particular sample. The following steps describe a free toolkit that any IT security team can assemble. It prepares the team to face a security incident on a Windows operating system, which is a common target of malware.
Allocate an extra physical or virtual system for a test environment
- A test environment is essential, because the most direct way to learn how a sample behaves is to run it on a system instrumented with security monitoring tools and watch what it does.
- Create one virtual machine, or several, all hosted on a single physical computer. Free hypervisors are available, such as:
VMware vSphere Hypervisor
Microsoft Virtual Server
- Virtualization avoids the need for several dedicated physical machines; the physical boxes that already exist are used to maximum benefit.
- It is highly recommended to invest in as much Random-Access Memory (RAM) as possible and in a large hard disk drive. Both are needed to host several virtual machines and run them simultaneously.
- On one of the virtual systems, take a snapshot of the clean state before running the malware. After infection, compare the system against that baseline to understand what the malware changed. Snapshots are trivial to take on a virtual machine, serve as a complete record of the machine's state, and can be reverted to, so the same clean image can be reused for the next sample.
- Some malware can detect that it is running in a virtual machine and will then behave differently, or not at all, compared with a physical system. The solution in that case is to keep some test environments on physical hardware. Old computers that are no longer in use are well suited to this; a fast CPU, a lot of RAM or a big hard disk drive is not needed.
- Keep the test systems networked, whether they are virtual or physical. The point is to observe the malware's network interaction, which is an essential part of the analysis from the IT perspective.
Make the test and production environments isolated
- The production environment has to be protected from malware testing and its effects.
- Although the test and production networks could be separated by firewalls, it is better not to connect them at all, so that no malware can bypass the filtering rules.
- Bring the malware into the test systems on write-once or write-protected removable media, such as a DVD or a USB drive with a mechanical write-lock switch. That way the malware cannot write itself back onto the media once it has been installed in the test environment, and the media cannot carry it anywhere else.
- When using physical test systems, dedicate a separate DSL or cable modem to provide the test environment's internet connection. If the test systems must share the production network, keep their connectivity to an absolute minimum, so that other systems on the network are not harmed by the malware.
- When using virtual test systems, promptly apply the security patches that the virtualization vendors release for their software, since a vulnerability in the hypervisor could let the malware escape the guest. The host machine should be used solely for hosting the virtual test machines and for nothing else.
Install a tool to analyze behavior
There are several free utilities for monitoring the behavior of an infected system; which ones to use depends on the kind of monitoring wanted. Install the chosen tools on the test machine before infecting it with the malware.
- Wireshark: a network traffic analyzer that shows what happens on the wire, such as downloads, DNS resolution requests and the other connections the malware makes.
- Process Monitor with ProcDOT: Process Monitor records file system, registry and process activity in real time (every read, write or delete of a file or registry key, and every process or thread created), and ProcDOT turns that log into a graph that makes the malware's sequence of actions easier to follow.
- Process Explorer and Process Hacker: alternatives to the Windows Task Manager that show the running processes in detail, including the network ports the malware attempts to open.
- Regshot: takes a snapshot of the registry and file system before and after infection and reports the differences between the two.
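As an added example (not code from the original page, nor from Regshot), the following Python script shows the baseline-and-diff idea behind both the virtual machine snapshot above and Regshot, applied to the file system: hash every file before infection, hash again afterwards, and report what was added, removed or modified. The "infection" is simulated in a temporary directory with constructed files and names (the dropped file, the hosts entry and the domain are all made up for the demonstration); it covers files only, not the registry, and on a real test machine the root would be the system drive.

```python
"""Snapshot-and-diff of a directory tree, in the spirit of Regshot (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and report added, removed and modified files."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulated_infection():
    """Run the workflow against a scratch directory with constructed files.
    The 'malware' actions below are plain file operations standing in for a real sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "config.ini").write_text("[app]\nenabled=1\n")
        (root / "readme.txt").write_text("clean system\n")
        before = snapshot(root)            # baseline, taken before running the sample

        (root / "system32").mkdir()        # constructed names, not a real dropper
        (root / "system32" / "svch0st.exe").write_bytes(b"MZ" + b"\x00" * 62)
        with open(root / "hosts", "a") as fh:   # redirect an update server (constructed domain)
            fh.write("0.0.0.0 update.example.test\n")
        (root / "readme.txt").unlink()
        after = snapshot(root)             # second snapshot, after the sample ran

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in simulated_infection().items():
        print(f"{kind}: {paths}")
```

Hashing a whole system drive takes minutes, so in practice the snapshot is limited to the directories where samples usually drop files, and the resulting diff is read alongside the Process Monitor log, which shows which process made each change. Regshot additionally diffs the registry, which this script does not.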
Install Code-Analysis tools
The tools above reveal behavior, but they do not get at the root of the problem. Analyzing the malicious code itself can lead to more interesting results. Although the source code of a malicious executable is almost never available, there are tools that help.
- Scylla and OllyDumpEx: useful for packed executables, which cannot be disassembled as-is. A packer compresses or encrypts the original instructions, and they are only unpacked into RAM when the program runs. Once the sample has unpacked itself, OllyDumpEx writes the in-memory image to a dump file, and Scylla rebuilds the import table so that the dumped file can be analyzed.
- OllyDbg and IDA Pro Freeware: IDA disassembles a malicious executable into an assembly listing (not its original source code), and OllyDbg is a debugger that lets the analyst execute the malware one instruction at a time, inspecting registers and memory at each step, to understand exactly what it does.
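As an added example (not code from the page, nor from Scylla, OllyDumpEx or IDA), the following Python script shows the usual first check for whether an executable is packed: parse the PE section table and compute the Shannon entropy of each section's raw data. Compressed or encrypted code has a near-random byte distribution, so a section with entropy close to 8 bits per byte is a strong hint that a packer is in play and that the sample has to be unpacked before disassembly. The script constructs its own minimal PE file for the demonstration (a repetitive pseudo-code section and a pseudo-random one; the section names, sizes and the 7.0-bit threshold are assumptions), while the parser itself reads the real header fields and works on any PE file read from disk.

```python
"""Per-section entropy check for packed PE executables (added example)."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(buf):
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data):
    """Walk the PE headers and return [(name, raw_bytes)] for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size          # section table starts right after the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_entropy(data):
    """Map section name -> entropy of its raw data."""
    return {name: shannon_entropy(raw) for name, raw in parse_sections(data)}


def likely_packed(data, threshold=7.0):
    """Names of sections whose entropy exceeds the (assumed) packer threshold."""
    return [name for name, h in section_entropy(data).items() if h > threshold]


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe(sections, file_align=0x200):
    """Construct a minimal PE image for the demonstration: DOS stub, PE signature, COFF header,
    no optional header (SizeOfOptionalHeader = 0) and one 40-byte header per section."""
    header_size = 0x40 + 4 + 20 + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    body = b""
    raw_ptr = _align(header_size, file_align)
    for i, (name, payload) in enumerate(sections):
        raw_size = _align(len(payload), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + table).ljust(_align(header_size, file_align), b"\0")
    return headers + body


# Constructed sample: a repetitive "code" section and a pseudo-random "packed" one.
_rng = random.Random(20240101)
SAMPLE_PE = build_sample_pe([
    (b".text", (b"push ebp; mov ebp, esp; " * 50)[:1024]),
    (b".pak0", bytes(_rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for name, h in section_entropy(SAMPLE_PE).items():
        print(f"{name:8s} entropy={h:.2f} bits/byte")
    print("likely packed sections:", likely_packed(SAMPLE_PE))
```

To run it against a real sample, replace SAMPLE_PE with the bytes of the file read from the test machine; real executables always carry an optional header, which the parser skips using SizeOfOptionalHeader. High entropy is only a hint: legitimately compressed resources, certificates and embedded media also score high, so the result is a reason to reach for the debugger and the dump tools, not a verdict on its own.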
Use online utilities
Free online utilities are a useful addition to the proposed toolkit. Many of them analyze the behavior of a submitted sample, including executable files. If a given URL is suspected of serving malware, the following websites can help.
- WebInspector and Wepawet: scan the URL and report whether it is malicious.
- URLVoid and MxToolbox: provide historical and reputation data about websites, both malicious and reputable ones.