In the upcoming posts, I will be presenting a step-by-step process for analyzing a piece of malware. I will be analyzing Slackbot. It is an old bot, but it is nevertheless customizable and useful for learning the malware analysis process.
One of the most important things to ensure is that all of the analysis is performed in a lab network. The lab network must be completely isolated from the production environment: no route to production hosts, and no shared folders, clipboard sharing or drag-and-drop between the guest and the host, since the specimen will be running with full privileges inside the VM. Another crucial point is to use virtual machine snapshots during the analysis. Snapshots allow you to revert to a clean copy of the OS and machine setup during and after the analysis, so each detonation starts from a known state.
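Before detonating a specimen it is worth scripting the isolation check rather than eyeballing it. The following is an added example, not part of the original post: it parses the analysis VM's `ip route` output and `/etc/resolv.conf` and refuses to give the all-clear if any route or resolver could carry traffic outside the lab. The addressing (lab subnet 10.10.10.0/24, a fake-services sinkhole at 10.10.10.1 that also answers DNS, a production subnet 192.168.1.0/24) and the sample outputs are assumptions constructed for the example, not the topology used in this series.

```python
import ipaddress

# Assumed lab addressing for this example (not the original post's topology):
# the analysis VM sits on 10.10.10.0/24 and every outbound path must end at the
# fake-services box (e.g. an INetSim host) at 10.10.10.1, which also serves DNS.
LAB_SUBNET = ipaddress.ip_network("10.10.10.0/24")
LAB_SINKHOLE = ipaddress.ip_address("10.10.10.1")
PRODUCTION_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed


def parse_routes(ip_route_output):
    """Turn `ip route` lines into (destination network, next hop or None) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dest = ipaddress.ip_network("0.0.0.0/0")
        else:
            dest = ipaddress.ip_network(fields[0], strict=False)
        via = None
        if "via" in fields:
            via = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((dest, via))
    return routes


def route_findings(routes):
    """Flag any route through which traffic could leave the lab."""
    findings = []
    for dest, via in routes:
        if dest.prefixlen == 0:
            # A default route is fine only when it points at the sinkhole,
            # so every unknown destination the malware tries gets absorbed.
            if via != LAB_SINKHOLE:
                findings.append(f"default route via {via} is not the lab sinkhole")
        elif any(dest.overlaps(prod) for prod in PRODUCTION_SUBNETS):
            findings.append(f"route to {dest} reaches a production subnet")
        elif not dest.subnet_of(LAB_SUBNET):
            findings.append(f"route to {dest} leaves the lab subnet")
    return findings


def resolver_findings(resolv_conf):
    """Every nameserver must be the sinkhole, or DNS queries leak real C2 names."""
    findings = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            ns = ipaddress.ip_address(fields[1])
            if ns != LAB_SINKHOLE:
                findings.append(f"resolver {ns} is not the lab sinkhole")
    return findings


def preflight(ip_route_output, resolv_conf):
    """Combined check; an empty list means the VM looks safe to detonate in."""
    return route_findings(parse_routes(ip_route_output)) + resolver_findings(resolv_conf)


# Constructed sample outputs (not captured from a real system).
CLEAN_ROUTES = """\
default via 10.10.10.1 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.20
"""
CLEAN_RESOLV = "nameserver 10.10.10.1\n"

LEAKY_ROUTES = """\
default via 10.10.10.254 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.20
192.168.1.0/24 via 10.10.10.1 dev eth0
"""
LEAKY_RESOLV = "nameserver 8.8.8.8\n"

if __name__ == "__main__":
    for name, routes, resolv in (("clean", CLEAN_ROUTES, CLEAN_RESOLV),
                                 ("leaky", LEAKY_ROUTES, LEAKY_RESOLV)):
        problems = preflight(routes, resolv)
        print(f"{name}: {'OK' if not problems else 'DO NOT DETONATE'}")
        for p in problems:
            print("  -", p)
```

On a real VM you would feed it the output of `ip route` and the contents of `/etc/resolv.conf` instead of the constructed strings; the point is that the check runs from inside the guest, right before you revert to the clean snapshot and launch the sample, so a hypervisor NIC accidentally left in bridged mode is caught before the bot gets a chance to phone home.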
This is the general topology of the network setup I have used for this session:
Lenny Zeltser [ http://zeltser.com ] has written an extremely useful post and cheat sheet on reverse engineering malware. It covers the approach analysts should take, the phases of reversing malware, the tools you can use in each phase, how to use those tools, time-saving techniques, and how to bypass the defenses malware employs against reversing. A very good read; get it here: http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html
The analysis I am going to post is based on Lenny's cheat sheet above. Here is the reversing methodology:
- Set up a controlled, isolated laboratory in which to examine the malware specimen.
- Perform behavioral analysis to examine the specimen’s interactions with its environment.
- Perform static code analysis to further understand the specimen's inner workings.
- Perform dynamic code analysis to understand the more difficult aspects of the code.
- If necessary, unpack the specimen.
- Repeat steps 2, 3, and 4 (order may vary) until sufficient analysis objectives are met.
- Document findings and clean-up the laboratory for future analysis.
If you are keen on starting out in, or polishing, your reversing skills, the following is a list of a few books. I read and refer to these books for practicing reversing and malware analysis whenever I get time away from projects.
Another awesome learning resource is the SANS FOR610 Reverse-Engineering Malware course, which leads to the GREM certification. You can take it via self-study, live onsite or vLive [ over the internet ].
I highly recommend working through these books alongside this series to keep up and speed up your learning.
After listening to all of the readers' positive feedback and requests, I have now collated this entire 5-part Malware Analysis series into a short, easy-to-read book. If you have found this series useful and would like to show some love, you can purchase it from here:
This series will still be available for free here on the blog!