Malware Analysis
Prerequisites
To perform the hands-on exercises you are expected to bring your own laptop,
configured with the software listed below. The course duration does not
leave time for installing software at the site.
System Requirements:
- Laptop: A laptop with a 500MHz or faster x86-compatible processor and a minimum of 128MB RAM.
The host needs enough memory for both its own operating system and the Windows 2000 guest;
for further constraints on the operating system and hardware, refer to the
VMware host requirements.
- VMware: VMware, a machine virtualization system, is available in server and workstation versions. We will
use VMware Workstation for the exercises. The workstation version can be
downloaded from http://www.vmware.com/download.
You may need to either purchase a license or register for a trial
version.
- Windows 2000 Professional Installation Disk: The Windows 2000 Professional installation disk
will be used to create a virtual machine that runs on VMware. This virtual
machine will be infected by the malicious code sample used in the tutorial,
so the sample must only ever run inside that isolated, disposable guest. A laptop
that merely runs Windows 2000 Professional as its host operating system will not serve the purpose.
Installation steps:
Follow the installation steps below to set up a system for virus analysis on VMware before the workshop.
- Installing VMware: Download the VMware Workstation software (version 4.5) and
install it using the downloaded executable, accepting the default options.
- Creating a New Virtual Machine: To create a Windows 2000
Professional virtual machine, do the following:
- Start VMware Workstation (installed in the previous step) by clicking the icon on the desktop.
- Create the virtual hardware:
click File->New Virtual Machine and accept the defaults for all options
except the type of network card.
The network
type is set to "Bridged" by default, which would place the infected guest directly
on the same network as the host. Set it to
"Host-only" so the guest can reach nothing but the host, and do not enable
shared folders between host and guest. A new machine with an empty hard disk is
created.
- To install the OS, click "Start this virtual machine" and boot it
from the Windows 2000 Professional CD. Follow steps similar to an
installation on a real machine.
- Analysis Tools: The following tools have to be installed in the Windows 2000 virtual machine (after installing the OS), not on the host:
  - BinText: extracts and displays ASCII and Unicode strings from a binary (like Unix 'strings').
  - FileMon: monitors file system activity.
  - RegMon: monitors registry activity.
  - TCPView: shows which ports are open and which processes own them.
  - Process Explorer: shows all currently running processes, with more detail than Windows Task Manager.
  - RegShot: takes a snapshot of the registry and file system and compares two snapshots (before and after infection).
  - IDA Pro disassembler (licensed or trial version).
  - Process Dump: dumps the memory contents of a running process to a file.
  - UPX decompressor: unpacks UPX-compressed executables.
  - OllyDbg debugger: a user-mode debugger.
- Snapshot: Once the OS and tools are installed, take a VMware snapshot of the clean guest so that it can be reverted to a known-good state after each infection.
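The RegShot step above is the core of the before/after workflow: record the state of the guest, run the sample, record again, and diff. The following is an added example written for this page, not RegShot's own code or part of the tutorial, showing that technique over a directory tree in plain Python. It hashes file contents rather than trusting timestamps, because a sample can reset a file's modification time but cannot alter content without changing its SHA-256. The "Windows" tree and the "infection" are constructed inside a temporary directory; the registry half of RegShot is omitted so the example runs on any host (on Windows the same compare() would take a dump of key paths to values made with winreg).

```python
"""RegShot-style before/after comparison of a directory tree.

Added example for the tutorial page, not RegShot itself: it records the size
and SHA-256 of every file under a root, then diffs two snapshots into added,
removed and modified paths. The tree and the "infection" are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    """What is remembered about one file. Content hash, not mtime: malware can
    reset timestamps, but it cannot change content without changing the hash."""
    size: int
    sha256: str


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk root and record every regular file, keyed by '/'-separated relative path."""
    snap: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and anything that vanished mid-walk
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = Entry(os.path.getsize(full), digest.hexdigest())
    return snap


def compare(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Diff two snapshots the way RegShot reports them: added, removed, modified."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a fake Windows tree, a simulated infection, the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "WINNT/system32/kernel32.dll", b"clean kernel32")
        _write(root, "WINNT/win.ini", b"[windows]\r\n")
        _write(root, "WINNT/system32/old.tmp", b"temp")
        before = snapshot(root)

        # Simulated infection (constructed, not a real sample): drop a file,
        # add a run= line to win.ini, patch a DLL without changing its size,
        # and delete a temp file.
        _write(root, "WINNT/system32/evil.exe", b"MZ dropped payload")
        _write(root, "WINNT/win.ini", b"[windows]\r\nrun=evil.exe\r\n")
        _write(root, "WINNT/system32/kernel32.dll", b"dirty kernel32")
        os.remove(os.path.join(root, "WINNT", "system32", "old.tmp"))
        after = snapshot(root)

        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The same-size patch to kernel32.dll is the case that a size-or-timestamp comparison would miss; the content hash catches it. In the workshop the first snapshot is taken on the clean guest, the second after the sample has run, and FileMon/RegMon fill in the ordering and the responsible process that a static diff cannot show.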
If you have any questions or comments regarding the tutorial or website, please do not hesitate to contact us.