Malware Analysis



Prerequisites

    To perform hands-on exercises you are expected to bring your own laptop. The laptop should be configured with the software listed below. The course duration does not permit time for installing software at the site.

System Requirements:

  1. Laptop: A laptop with 500MHz or faster compatible x86 processor with a minimum of 128MB RAM.
    For more constraints on the Operating System/Hardware refer to VMware Host requirements.

  2. VMware: VMware, a machine virtualization system, is available in server and workstation versions. We will use the VMware Workstation version for the exercises. The workstation version can be downloaded from http://www.vmware.com/download. You may need to either purchase the software or register for a trial version.

  3. Windows 2000 Professional Installation Disk: Windows 2000 Professional installation disk will be used to create a virtual machine that runs on VMware. This virtual machine will be infected by the malicious code sample used in the tutorial, hence it is necessary that it be installed in a virtual environment. A laptop with Windows 2000 Professional will not serve the purpose.

Installation steps:

Follow the installation steps to set up a system for virus analysis on VMware before the Workshop.

  1. Installing VMware: Download VMware workstation software (version 4.5).  Install VMware using the downloaded executable. Answer "yes" to all the options.

  2. Creating New Virtual Machine: To create a Windows 2000 Professional virtual machine, do the following:

    1. Start the VMware workstation (installed in Step 1) by clicking the icon on the desktop.
    2. Create the virtual hardware: click on File->New Virtual Machine and typically say "yes" to all the options except the type of network card.
      The network type by default is set to "Bridged". You need to set it to "Host-only", so that the guest that will later be infected has no direct path to your LAN. A new machine with an empty hard disk is created.
    3. To install the OS, click on "Start this virtual machine" and boot it with the Windows 2000 Professional CD. Follow steps similar to the installation on a real machine.

  3. Analysis Tools: The following tools have to be installed in the Windows 2000 virtual machine (after installing the OS):
    1. BinText - Extracts and displays strings from a binary (just like Unix 'strings')
    2. FileMon - Monitors file system activities
    3. RegMon - Monitors registry activities
    4. TCPView - Shows which ports are open and the owner processes
    5. Process Explorer - Shows all the currently running processes. Better than Windows Task Manager.
    6. RegShot - Creates snapshots of the registry and file system and compares snapshots (before and after infection)
    7. IDA Pro disassembler (License/Trial version)
    8. Process Dump - Dumps the memory content of a process into a file
    9. UPX Decompressor - Decompresses UPX-compressed executables
    10. OllyDbg Debugger
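As an added example (not one of the tools above), a small Python script that does the file-system half of what RegShot does: snapshot a directory tree before running the sample, snapshot it again afterwards, and report which files were added, removed or modified. The directory contents and the "after" changes are constructed inline so the script runs on its own; no real sample is involved.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/'-separated) to
    (size, sha256) so two snapshots can be compared later."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(path), h.hexdigest())
    return snap


def compare(before, after):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed scenario: snapshot a tree, simulate the kinds of changes an
    infection leaves behind (dropped file, patched file, deleted file), snapshot again."""
    root = tempfile.mkdtemp(prefix="snapdemo_")
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "system32", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("clean\n")
    before = snapshot(root)
    # Constructed "after" changes standing in for what a sample would do.
    with open(os.path.join(root, "system32", "hosts"), "a") as f:
        f.write("127.0.0.1 update.example.test\n")      # constructed hosts entry
    with open(os.path.join(root, "system32", "svchost_.exe"), "wb") as f:
        f.write(b"MZ constructed dropped file")         # constructed dropped file
    os.remove(os.path.join(root, "readme.txt"))
    after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In the workshop workflow the two snapshot() calls would bracket the run of the sample inside the host-only VM, with the registry covered separately by RegShot or RegMon.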

If you have any questions/comments regarding the tutorial or website please do not hesitate to contact here.
 


WCRE logo and graphics design - Copyright (C) 2004 Claire Knight, University of Delft. All Rights Reserved.
Web content - Copyright (C) 2004 University of Louisiana at Lafayette. All Rights Reserved.