Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic Dynamic Analysis VMs and Sandboxes

Published bySilvana Mattioli Modified over 5 years ago

Similar presentations

Presentation on theme: "Basic Dynamic Analysis VMs and Sandboxes"— Presentation transcript:

1 Basic Dynamic Analysis VMs and Sandboxes

2 The Need for Dynamic Analysis
Static analysis has many limits, especially on packed malware Packing obscures metadata, strings, executable code Running malware exposes its behavior How it interacts with filesystem, network, registry, etc

3 A Safe Analysis Environment
It is very important to prepare an environment for safe dynamic analysis Need to set up VMs to run the malware on safely without infecting our host or allowing it contact with the outside world Some analysts run on “bare metal” machines that are air- gapped and can be reverted easily Why would this be advantageous? Some malware has vm detecting capabilities so running it on a real machine may be a more desirable option

4 Safe Malware Analysis Inside a VM
In order to analyze malware safely, VirtualBox’s network settings need to be configured properly Networking Mode Host -> VM VM -> Internet VM -> Other VMs Not Attached X NAT Bridged Adapter Internal Network Host-Only Adapter There are 3 network modes you need to consider when setting up a vm Host-only – the vm is assigned an IP but is only accessible by the host machine no internet access. NAT – NAT mode will mask all network activity as if it came from your Host OS, although the VM can access external resources. Bridged – This mode connects the vm directly to the LAN here it receives it’s own IP as if it were on the network Most of the time you will want to use host only as it does not allow internet access. And there are ways we can simulate an internet connection.

5 Snapshots Can save the state of a VM, and revert to it later
Take one before you run malware on your VM Revert once you are done with your analysis

6 Sandboxes - Quick and Dirty Approach
Safe, isolated environment that replicates an operating system Automatically runs malware and reports on its behavior Filesystem / disc operations Network connections, traffic Registry / system configuration changes Mutexes

7 Filesystem What files did the malware: Common malware behavior: Read?
Create? Modify? Delete? Common malware behavior: Copy itself to another location (especially to set up persistence) Delete itself after running

8 Network Network traffic generated by malware is usually the result of malware beacons to a command and control (C&C) server Malware often beacons to C&C at regular time intervals Sandbox saves traffic in a packet capture (pcap) for analysis It is important to consider false positives, because some activity (such as NTP) may look like C&C

9 Registry The Windows Registry is used to store much of the information and settings for software programs, hardware devices, user preferences, operating system configurations, and much more Malware often interacts with the registry in the following ways: Query registry keys Create registry keys Modify registry keys Delete registry keys

10 Persistence Persistence – the ability to survive reboots
Common registry keys used for persistence: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ Broad list at persistence-techniques/

11 Mutexes Global variable that provides locking for shared memory
Although used for legitimate purposes, also used to to avoid re- infection of host Checks for unique mutex If it does not exist, infects system and creates that unique mutex Can be very unique indicators of compromise

12 Anti Sandbox techniques
Detecting virtualization Stalling malicious activity until sandbox times out Detecting hooks (user level or kernel level) Prompting for user input / waiting for C&C response Sleep

13 Sandbox Demo!

Download ppt "Basic Dynamic Analysis VMs and Sandboxes"

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Installing software on personal computer

Installing software on personal computer
Automated Malware Analysis

Automated Malware Analysis
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.

Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Virtual IP Network Windows Server 2012 Windows 08 Dual Subnets.

Virtual IP Network Windows Server 2012 Windows 08 Dual Subnets.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Operating Systems Networking for Home and Small Businesses – Chapter 2 – Introduction To Networking.

Operating Systems Networking for Home and Small Businesses – Chapter 2 – Introduction To Networking.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Hands-On Virtual Computing

Hands-On Virtual Computing
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.

Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Dealing with Malware By: Brandon Payne Image source: TechTips.com.

Dealing with Malware By: Brandon Payne Image source: TechTips.com.
Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.

Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.

Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.

Similar presentations

Ads by Google