Malware is the Swiss-army knife of cybercriminals and other adversaries of corporations and organizations. An understanding of how malware works and what malware does to computer systems should be possessed by all computer forensics or cybersecurity professionals. Our challenge is not just investigating malware, but investigating it in a safe and secure environment where replicable, structure, and scientific thoroughness are priorities. To accomplish this, we will be employing the Cuckoo Sandbox malware analysis system in a controlled environment. With this project, the LCDI hopes to give aspiring computer security professionals the opportunity to both safely explore malware and share quality results with the rest of the scientific community.
What does analyzing malware tell us? What attack vector does the malware use to infect systems? How do we safely handle the malware so it doesn’t infect other systems? What evidence does malware leave behind? How can we verify the findings we discover? These are the questions we hope to answer while developing a scientifically sound malware analysis system for future student analysts to explore!
- Can a malware analysis system such as Cuckoo Sandbox be safely and securely deployed on current computing assets?
- Given a piece of malware, what type of information can be discovered using malware analysis?
- Is the information that can be gleaned from Cuckoo Sandbox relevant in understanding malware?
- Is there malware that the Cuckoo sandbox cannot analyze? How do we analyze it? How can we verify our findings?
methodology and methods
Our team will first set up an isolated computer system with Ubuntu Linux running Cuckoo Sandbox and SIFT Workstation for malware analysis and logging. As this is being set up, each of us will familiarize ourselves with different tools and methodologies regarding malware analysis and what kinds of information they each produce. At this point we will collaborate to develop a methodology for investigating malware using Cuckoo Sandbox, which was selected because of its versatility and accessibility. Each of us will individually test an identical piece of malware using our methodology in an effort to advance the malware investigative process before performing further testing on more varied malware samples and analysis tools. We will analyze the data by comparing reports, identifying inconsistencies, and running the malware through a second iteration of tests to refine data and confirm repeatability. Over the course of the project, the LCDI will produce an analysis and report template. This template will outline the process of analyzing malware safely, and reporting those results effectively.