secrets
• Malware can damage Integrity of logs, valuable data, and possibly physical systems
• A network of infected machines can prevent Availability of web sites via Distributed Denial of Service
results
  ◦ Cheap, fast
• Reverse Code Engineering
  ◦ Deep surgery on malware code
  ◦ Access to underlying source code
  ◦ Expensive, time-consuming

Further information about malware RCE: SANS 'Reverse Engineering Malware' Course: http://zeltser.com/reverse-malware/malware-analysis-webcast.html
machine
  ◦ Encrypt live malware
• Host logging on Infected VM
  ◦ CaptureBAT will grab any modified files
  ◦ Process Monitor lists system API calls
  ◦ Process Hacker shows process info
• Network logging on Analysis VM
  ◦ Wireshark shows packets in a nice GUI
  ◦ tcpdump is a cmd line packet capture tool
  ◦ inetsim will emulate a network

http://zeltser.com/malware-analysis-toolkit/

[Diagram: Virtual Environment containing the Infected VM, the Analysis VM, and an Emulated network]
posts
  ◦ Publish through your university
  ◦ Present at conferences
  ◦ Get on community forums and mailing lists
• What to share:
  ◦ Technical writeups
  ◦ IP/ASN/domain names
  ◦ Dynamic analysis logs
  ◦ IDA database (.idb)
  ◦ Snort signatures
  ◦ Malware author fingerprints
Cookbook": $40
  http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033
Memory Analysis: FREE
  https://www.volatilesystems.com/default/volatility
  https://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
VMware Workstation: $200
  http://www.vmware.com/products/workstation/
Extra copies of Windows: FREE from your school