malware analysis skull and crossbones

Malware Analysis Project Update

FINAL Malware Analysis Update

Introduction:

Throughout this semester, we’ve been working diligently  to create a malware analysis environment that  is both effective and easily accessible.  After considerable research and testing,we   have learned useful information about various aspects of  malware analysis. Cuckoo allows us to automate the process by simply importing malware into it and  receiving a very detailed report once it is finished analysing the offending file or program. We discovered that Cuckoo obtains a large amount of information from malware by simultaneously performing both static and dynamic  analyses during its examination. This means that while Cuckoo  dissects the malware file, it also simultaneously executes the malware in a Windows 7 Virtual Machine (VM). The VM even pops up on screen, allowing us to look directly at what effects the malware has on the system. It’s also easy to use, with a web interface available for viewing the analysis reports and uploading malware samples. Cuckoo is a sophisticated system, but once it is set up correctly it clearly proves itself as a valuable analysis asset.

Creating a Malware Analysis Environment:

The first thing we learned is that  setting up a sterile and secure malware environment is more difficult than it seems. There were  snags along the way, from Cuckoo missing files and programs it relied on to the virtual environment not being able to connect to the Internet. At one point we were stuck with malware analysisthe Windows 7 VM not updating – after some troubleshooting, we realized that we were attempting to run the machine onthe debug version of Windows 7 which uses incompatible settings. After installing the standard version of Windows, everything started updating smoothly. However, due to an issue with the host-only network we created between the virtual environment and the analysis engine, we were unable to connect Cuckoo to the Internet while testing malware. In an effort to ‘fool’ the malware, we set up the analysis environment to appear like a normal user by installing programs like  Adobe Reader and Libre Office, as well as non-default internet browsers like Mozilla Firefox and Google Chrome. This makes the sandbox less conspicuous, which seems to help evade the actual detection of the sandbox by the malware we analyze.

Methodology and Methods:

We began with a fresh installation of Ubuntu 14.04 and a command line terminal, and ended with a functional automated malware analysis environment and accompanying web interface for report analysis and sample submission. Extensive logs were kept of the entire process, and we’re confident that any future iterations of this project and will be able to jump right into it and get started with version 2.0!

What the Future Holds:

There are quite a few directions that this project can  take in the future . One future objective should be to finalize the environment to be entirely self-contained: simply turn it on and you can start from anywhere on the network. We are currently having trouble getting Cuckoo to auto-load on startup. Another direction is creating a distributed Cuckoo network (virtual and/or physical). This would mean having a ‘hub’ computer that delegates analysis tasks to other computers running Cuckoo on the network, and having them report their analyses back to the main database, which would make analysis faster and give us the ability to process more samples into our database. Further, we could enhance Cuckoo and its environments, which would ultimately make it a more capable and efficient system. Cuckoo can also be setup to use a RAM disk, which would increase  the speed of data transfer. Since Cuckoo stores all data locally right now, we can also set it up so that the data is sent to an external server, keeping a level of persistence upon restarting the system.

conclusion

As we await the project proposals for next semester to come in, we’re starting to prep our system for the possibility of future work. We’ve recorded the entire process in a log so as to assist others in setting up a similar environment on their own machines, and have begun work on official LCDI templates and reports regarding malware analysis and the processes therein. Cuckoo’s potential for expansion  is huge, and we all look forward to seeing where future LCDI employees can take it.

For more information, feel free to email us at lcdi@champlain.edu.