Analyzing malware has always been a little like working in a digital virology lab. Researchers have to organize virus and worm samples, and keep them in a protected environment that won’t risk infecting anyone else. Then they must pick the viruses apart, often trying to outwit malware coders that may have built anti-analysis measures into their programs. It’s a problem-solver’s paradise, which is perhaps why Rob Simmons loves the topic so much.

Simmons is research innovation director at ThreatConnect, which sells a threat intelligence platform to help companies keep track of what might endanger their systems. As such, he has to understand malware and how to pick it apart. He loves doing it, which is why he’s going to show SecTor attendees how to do it, too, when he hosts his Open Source Malware Lab at the conference this year.

There are different levels of malware analysis, explains Simmons. The least difficult is fully automated analysis, he says, followed by static properties analysis. “Fully automated analysis is detonating the malware in a sandbox and observing its behaviour, if it has behaviour at all,” he says. Sometimes, malware will have built-in mechanisms to detect whether it is running in a virtual machine. Those may include looking for registry entries or hardware drivers known to be created by virtual machines.

The next level of sophistication, static properties analysis, examines features of the file itself without actually running it. One approach is to look at the bytecode. Another is to disassemble the binary into assembly language and try to determine what the malware author intended with it, or to look for patterns of strings in the malware that may show up in other malware variants, too.
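An added example (not from the article or from Simmons' lab material) of static properties analysis as described above: it hashes each file, pulls printable ASCII and UTF-16LE strings without executing anything, and reports the strings shared by more than one sample. The sample bytes, sample names and the 6-character minimum are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import re

MIN_LEN = 6  # assumption: shorter printable runs are mostly noise

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # UTF-16LE text

def extract_strings(data: bytes) -> set[str]:
    """Printable strings found in raw bytes; the file is read, never run."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)}
    return found

def static_properties(data: bytes) -> dict:
    """Properties an analyst records for a sample before any detonation."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "strings": extract_strings(data),
    }

def shared_strings(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each string seen in two or more samples to the samples holding it."""
    seen: dict[str, list[str]] = {}
    for name in sorted(samples):
        for s in extract_strings(samples[name]):
            seen.setdefault(s, []).append(name)
    return {s: names for s, names in seen.items() if len(names) > 1}

# Constructed sample bytes standing in for files on disk (not real malware).
WIDE = "upload_report".encode("utf-16-le")
SAMPLES = {
    "sample_a": b"\x00\x01" + b"Global\\demo_mutex_01" + b"\xff\x00"
                + b"cfg_server=placeholder.invalid" + b"\x90\x90" + WIDE + b"\x00\x00",
    "sample_b": b"\x02\x03\x04" + b"Global\\demo_mutex_01" + b"\x00"
                + b"cfg_server=other.invalid" + b"\x01" + WIDE + b"\x01\x02",
    "sample_c": b"\x00" + b"unrelated_benign_text" + b"\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        props = static_properties(blob)
        print(name, props["sha256"][:16], props["size"], "bytes")
    for s, names in sorted(shared_strings(SAMPLES).items()):
        print(repr(s), "->", names)
```

Strings that recur across samples, like the shared mutex name here, are the kind of pattern that gets turned into a signature for related variants.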

In his open source lab, Simmons will explain how to use a selection of open-source tools such as Cuckoo Sandbox and the Thug honeyclient to crack open malware and work out what it’s doing. The beauty in these tools is the ability to string them together and have them work in unison, complementing each other, he says. It’s important to analyze malware safely, and as such he’ll be explaining how researchers can use multiple virtual machines to create a safe environment.

In his research, Simmons has seen malware written in almost everything, from the Delphi programming language originally developed by Borland, through to JavaScript embedded in attachments, and increasingly, Office macro viruses. “Some things are compiled into .Net binaries which are sometimes tough to analyze,” he said. There are also many malware variants written in the PHP web scripting language that attackers upload to Linux servers. These can then be used to infect other devices, or to turn the targeted server into a DDoS attack source. “Whatever tools there are out there, there is some malware that’s been compiled in it.”

Over the last few years, malware has become increasingly cannibalistic. “One family of malware might be based on one source code base and that base was controlled by a group. And then maybe they lost control or stole it for any number of reasons,” said Simmons.

With malware evolving rapidly and exhibiting increasingly devious tactics, it’s no wonder that technically-minded hackers are interested in exploring it. Malware analysis may have been the purview of specialist experts using proprietary tools in the past, but things are changing.

“Open source tools for malware analysis have matured to the point where they’re very useful in a malware analyst’s toolbox,” he concludes.

While his talk will cover the basics of automated and static analysis, Simmons points to more sophisticated techniques for the truly dedicated. They can get into interactive behaviour, where they run the malware in debug mode and interact with it, through to manual code reversing, using tools like Binary Ninja, in which they fully reverse-engineer the malware’s source code and find out all of its secrets.

But, baby steps first. If you want to learn more about the basics of malware analysis and get some hands-on advice, come and see Simmons’ talk at the SecTor security conference. It runs on October 18-19, with a day of security training from other experts on Oct 17th. Register here, and we’ll see you at the Metro Convention Centre in downtown Toronto.
