How To Practice Malware Analysis Legally? | Cyber Security

How To Practice Malware Analysis?

Article By: Pawan Chaudhary

What Is Malware?

Malware is malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes botnets, viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.

The Changing Face of Cybercriminals 

Cybercriminals have evolved from the prototypical “whiz kid” — sequestered in a basement, motivated by notoriety, and fueled by too much carbonated caffeine — into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation-states, criminal organizations, or radical political groups. Today’s attacker fits the following profile:
✓ Has far more resources available to facilitate an attack

✓ Has greater technical depth and focus

✓ Is well funded

✓ Is better organized

Why does this matter? Because a kid in a basement may be able to break into a corporate network, but doesn’t necessarily know what to do with, say, RSA source code. On the other hand, a rogue nation-state or criminal organization knows exactly what to do or who to sell stolen intellectual property to on the gray or black market.

Additionally, criminal organizations and nation-states have far greater financial resources than independent individuals. Many criminal hacking operations have been discovered complete with all the trappings of a legitimate business: offices, receptionists, and cubicles full of dutiful cybercriminals.

These are criminal enterprises in the truest sense, and their reach extends far beyond that of an individual.

Not only do we face more sophisticated adversaries today, but the types of information of value to them are continually expanding as well. These groups can do interesting things with the most seemingly innocuous bits of information.

How To Practice Malware Analysis

Binaries for the book Practical Malware Analysis

Two download options:

  1. Self-extracting archive
  2. 7-zip file with archive password of "malware"


The lab binaries contain malicious code and you should not install or run these programs without first setting up a safe environment.

The labs are targeted for the Microsoft Windows XP operating system. Many of the labs work on newer versions of Windows, but some of them will not. The labs are designed to mimic realistic malware. Some of them are well-written code that runs reliably, and some of them (just like real malware) are poorly written code that may crash, contain memory leaks, or otherwise behave unexpectedly.
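Before any of the lab binaries are opened, a sensible first step is an intake script that hashes each sample, stores it in a quarantine directory under a hash-based, non-executable name, makes it read-only and records a manifest for later reference. The following Python is an added example, not part of the book's lab materials or of this post; the file names, the `.malware` suffix and the sample bytes are constructed for illustration.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Constructed suffix: a file named "<sha256>.malware" is not launched by a
# double-click and cannot be mistaken for a legitimate .exe/.dll.
DEFANGED_SUFFIX = ".malware"


def fingerprint(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests plus the size of one sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def quarantine_samples(samples: dict, quarantine_dir: Path) -> dict:
    """samples maps an original file name to its bytes; returns the manifest.

    Each sample is written once, keyed by SHA-256, so duplicate copies collapse
    into a single read-only file and the original extension never reaches disk.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for original_name, data in samples.items():
        fp = fingerprint(data)
        target = quarantine_dir / (fp["sha256"] + DEFANGED_SUFFIX)
        if not target.exists():
            target.write_bytes(data)
            # Read-only for everyone: guards against accidental edits or execution.
            target.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        manifest[fp["sha256"]] = {
            **fp,
            "original_name": original_name,
            "stored_as": target.name,
        }
    (quarantine_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> dict:
    """Run the intake on constructed stand-in samples (NOT the real lab binaries)."""
    fake_samples = {
        # A fake MZ header followed by padding: looks like a PE file, does nothing.
        "Lab01-01.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
        # A tiny text file whose digests are well known (SHA-256 of "abc").
        "notes.txt": b"abc",
    }
    with tempfile.TemporaryDirectory() as tmp:
        return quarantine_samples(fake_samples, Path(tmp) / "quarantine")


if __name__ == "__main__":
    for sha, entry in demo().items():
        print(sha, entry["original_name"], "->", entry["stored_as"])
```

Point `quarantine_samples` at the extracted archive contents inside the isolated analysis VM, never on the host; the manifest gives you the hashes to record in your notes before any dynamic analysis changes the environment.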
Use this 

RSA (intellectual property)

In March 2011, RSA Security (a division of the EMC Corporation) was infiltrated by an attacker who sent a phishing e-mail with an attached Microsoft Excel spreadsheet file to several RSA employees. The infected file contained malware that used a zero-day exploit in Adobe Flash software to install a backdoor, establish command and control, and steal passwords and sensitive data.

The Lifecycle of an Advanced Attack

Attack strategies have also evolved. Instead of a traditional, direct attack against a high-value server or asset, today’s strategy employs a patient, multi-step process that blends exploits, malware, and evasion into an ongoing coordinated network attack.

As an example, an attack often begins by simply luring an individual into clicking on an infected link. The resulting page remotely exploits the individual, gains root access on the user’s computer, and downloads malware to the user’s computer in the background. 

The malware then acts as a control point inside the network, allowing the attacker to further expand the attack by finding other assets in the internal network, escalating privileges on the infected machine, and/or creating unauthorized administrative accounts — just to name a few tactics.

The key is that instead of malware and network exploits being separate disciplines as they were in the past, they are now integrated into an ongoing process. Furthermore, malware or an exploit is not an end unto itself, but simply enables the next step of an increasingly complex attack plan. 

Malware, which is increasingly customized to avoid detection, provides a remote attacker with a mechanism of persistence, and the network enables the malware to adapt and react to the environment it has infected. Key components of the advanced attack strategy include infection, persistence, communication, and command and control.

Infection often has a social aspect, such as getting users to click on a bad link in a phishing e-mail, luring them to a social networking site, or sending them to a web page with an infected image, for example.

Understanding how malware and exploits have become closely interrelated in the advanced attack lifecycle is important. Exploits used to be directed at vulnerabilities on servers that were directly targeted.

Most exploits today are used to crack a target system to infect it with malware: an exploit is run, causing a buffer overflow, which allows the attacker to gain shell access.

Once a target machine is infected, the attacker needs to ensure persistence (the resilience or survivability of his foothold in the network).

Rootkits and bootkits are commonly installed on compromised machines for this purpose. A rootkit is malware that provides privileged (root-level) access to a computer. A bootkit is a kernel-mode variant of a rootkit, commonly used to attack computers that are protected by full-disk encryption.

Backdoors enable an attacker to bypass normal authentication procedures to gain access to a compromised system. 

Backdoors are often installed as failover in case other malware is detected and removed from the system. Poison Ivy is one example of a backdoor that was used in the RSA attack (discussed earlier in this chapter).

Finally, anti-AV malware may be installed to disable any legitimately installed antivirus software on the compromised machine, thereby preventing automatic detection and removal of malware that is subsequently installed by the attacker.

Many anti-AV programs work by infecting the Master Boot Record (MBR) of a target machine.
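A defender can spot the kind of MBR tampering described above by parsing the first sector of the disk and comparing its boot code against a hash recorded when the machine was known-good. The Python below is an added example, not from the original post or any of the products it mentions; the 512-byte images, the partition values and the `build_mbr` helper are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap code lives in bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR

# One partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, partition list and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY, mbr, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(current: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble a test MBR image (not read from a real disk)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    table = b"".join(struct.pack(PARTITION_ENTRY, *entry) for entry in partitions)
    table = table.ljust(64, b"\x00")  # pad unused entries with zeros
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed stand-in boot code: a few plausible opening bytes followed by NOPs.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
LAYOUT = [(0x80, 0x07, 2048, 1_000_000)]  # one bootable NTFS-style partition at LBA 2048

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # record this while the host is clean

# Constructed tampered image: the first three bytes replaced by a jump, the way a
# bootkit redirects execution to its own loader while leaving the partition table intact.
TAMPERED_MBR = build_mbr(b"\xe9\x10\x00" + CLEAN_BOOT_CODE[3:], LAYOUT)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a Linux analysis VM the live sector can be captured with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` and the file contents passed to `check_mbr` together with the hash you recorded at baseline time; the partition table is parsed separately from the boot code because a bootkit typically leaves the table untouched, so a whole-sector hash would detect the change but not tell you which part moved.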



Endpoint controls 

The end-user’s machine is the most common target for advanced malware and is a critical point for policy enforcement. 

Endpoint policies must incorporate ways of ensuring that antivirus and various host-based security solutions are properly installed and up to date.

Although targeted attacks are becoming more common, the majority of threats today continue to be known threats with known signatures. 

Gartner, Inc. predicts that known threats will comprise 95 percent of all threats through 2015. As such, these endpoint solutions must be kept up to date and must be audited regularly.

Similarly, you need to have a method for validating that host operating systems are patched and up to date.

Many malware infections begin with a remote exploit that targets a known vulnerability in the operating system or application. Thus, keeping these components up to date is a critical aspect of reducing the attack surface of the enterprise.

As with employee policies, desktop controls are a key piece to the safe enablement of applications in the enterprise. Desktop controls present IT departments with significant challenges. 

Careful consideration should be applied to the granularity of the desktop controls and the impact on employee productivity. The drastic step of desktop lockdown to keep users from installing their own applications is a task that is easier said than done and, if used alone, will be ineffective. 

Here’s why:

✓ Remotely connected laptops, Internet downloads, USB drives, and e-mail are all means of installing applications that may or may not be allowed on the network.

✓ Completely removing administrative rights is difficult to implement and, in some cases, severely limits end-user capabilities to an unacceptable level.

✓ USB drives are now capable of running applications, so a Web 2.0 application, for example, can be accessed after network admission is granted.

Desktop controls can complement documented employee policies as a means to safely enable Web 2.0 applications.
