Building a good malware analysis environment is no easy task. I know because I have set up a few of them myself. In this multi-part series I hope to help everyone set up a lab that is cheap enough and makes malware analysis easy. So let's get some basics out of the way. First, if you really want to keep growing as an information security professional, especially in the fields of forensics, penetration testing, or incident handling, you are going to have to play with malware! Sorry, you have to pay your dues; understanding what is really happening with these samples will make you a better information security professional. What I want to emphasize here is that you really need to think about how to do it in a responsible manner so that you do NOT infect your production boxes, or any other computers outside your lab environment.
First of all, a cheap way to get a lab going is to build a computer with enough horsepower to leverage virtualization technologies. Virtualization comes in many flavors, from full hardware virtualization down to plain software emulation. I will tell you, however, that this may not be the best route for malware analysis today. Malware writers know that most researchers will attempt to use VMware, and they use that to stop the process of reversing their code: their malware will simply stop running once it detects that it is in a VMware virtual machine environment. For this reason, physical machines are still the way to go for most professional malware analysis shops. There are ways to step around the detection, but to be honest, sometimes it's not worth the trouble. At some point the malware writers will switch, because everything is becoming more and more dependent on running within virtualized environments such as Amazon's EC2 cloud.
So what do I recommend for a cheap way to do it? Well, here is one possible solution. Purchase a few (one or two) of the eMachines EL1600-01 product:
http://www.emachines.com/products/products.html?prod=EL1600-01
These eMachines have some pretty solid hardware and only cost $229 MSRP. That's pretty cheap.
If you would still like to build a VMware host for your lab (and I recommend it), then I would say the following specifications will serve you well for a long time.
- Intel Nehalem processor
  - These CPUs have many cores, which your virtual machines will take advantage of.
- 4-12 GB of RAM
  - The more RAM you can give each virtual machine, the better your experience.
- More than 2 hard drives
  - Try to have your operating system live on one drive, and no more than 2-4 virtual machines per each additional drive.
Now, combining the power of physical and virtual machines can make for a powerful analysis environment. Suppose you have a piece of malware that is coming in through, say, a PDF. The PDF itself usually will not have the malware inside of it (although it may); most of the time what we see is obfuscated JavaScript code carrying a stager shellcode that downloads the real malware, which gives the attacker some method of maintaining access. The quickest way to potentially get to this point is through the use of snapshots within your virtual environment. The ultimate malware specimen may not run within the virtual environment, but you can still leverage it for the initial analysis and potentially even to grab the final malware file.
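As an added example from the editor, not code from the original post, here is a small Python triage script for the PDF scenario just described. Before the file is ever opened inside a victim VM, it counts the PDF name keys that make a document run JavaScript automatically, decodes the `#xx` name escapes and inflates Flate streams that are often used to hide those keys, and looks for the `unescape("%u...")` pattern that is typical of a shellcode stager. The embedded sample PDF is constructed for the example and carries only a harmless placeholder script; the key list and the verdict rule are the editor's choices, not anything the post prescribes.

```python
"""Static triage of a PDF for auto-executing JavaScript (added example, not from the post)."""
import re
import zlib

# Constructed sample: a minimal PDF whose catalog has an /OpenAction pointing at a
# JavaScript object. The script body is a harmless placeholder standing in for the
# obfuscated stager the post describes; it is not real malware.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (var p = unescape("%u9090%u9090"); app.alert("placeholder");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name keys worth counting before anything is opened in the victim VM.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/URI"]


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every Flate-compressed stream, so
    keywords hidden inside compressed objects are still visible to the scan."""
    out = data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed (or truncated); keep the raw bytes only
    return out


def decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript,
    a common trick for hiding keywords from naive string searches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keys and decide whether the file deserves a closer look."""
    text = decode_name_escapes(inflate_streams(data))
    counts = {}
    for key in SUSPICIOUS_KEYS:
        # Negative lookahead keeps /JS from matching the start of a longer name.
        counts[key.decode()] = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
    # JavaScript that unescapes %u-encoded strings is the classic shellcode-staging pattern.
    unescape_shellcode = len(re.findall(rb"unescape\s*\(\s*[\"']%u", text))
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_exec = counts["/OpenAction"] + counts["/AA"] > 0
    suspicious = ((has_js and auto_exec) or unescape_shellcode > 0
                  or counts["/Launch"] > 0 or counts["/EmbeddedFile"] > 0)
    return {
        "counts": counts,
        "auto_exec_js": has_js and auto_exec,
        "unescape_shellcode": unescape_shellcode,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    for key, n in result["counts"].items():
        if n:
            print(f"{key:14} {n}")
    print("verdict:", result["verdict"])
```

A "suspicious" verdict is the cue to snapshot the VM and extract the JavaScript object for closer analysis, not proof that the file is malicious; a clean verdict only means none of these particular indicators were found. Didier Stevens' pdfid and pdf-parser do the same job far more thoroughly and are the tools to reach for in a real lab.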
Here is one way your virtual network could be set up:

In the image above we have a host device; this represents your physical virtual-machine host computer. Inside of it we have a few virtual machine victims. In addition you have a 'router' or bridging device which can help in analysis. The 'router' sits on two virtual networks: one bridged, and one on a private 'vmnet' such as vmnet3. The router is therefore also bridged to the physical network interface card.
There are also many virtualization products out there that you can leverage, some commercial, some free. Some of them are full hardware virtualization, such as VMware, Red Hat, Microsoft, and Citrix's offerings, while others are software emulation, which is more dangerous, like Linux WINE (Windows Emulator).
So now that we have the virtualization components covered, let's talk about how to set up the physical lab. I would recommend having at least 1 computer with pull-out drive cages if you can. Here is an example of one: http://www.amazon.com/5-25-Mobile-Rack-Removable-Tray/dp/B002OOBR0M. Have more than one drive, so that you can swap drives; this is the physical equivalent of reverting to a snapshot in your virtual environment, which we will get into later.
In the next part we will talk about how to revert images quickly using cloning and snapshots. We will also get into the tools that you can use in the lab.
Happy Hunting!