Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: DIY malware analysis with Minibis

DIY malware analysis with Minibis - Aaron Kaplan & Christian Wojner

Minibis 2.1b is available for download

Anubis = Analyzing unknown binaries

Problem: malware can check if it is running on the Anubis server (via its IP address)

http://avtracker.info

Actually it was a proof of concept to check if specific malware checked whether it was running inside a VM

Minibis

Minibis is a total rewrite (no code from Anubis used)

Take 5,000 samples and run them through to check what percentage detect that they are running in a VM

Behavioral Analysis

  1. Prepare system (VM) with monitoring tools
  2. Transfer sample to VM
  3. Start up monitoring tools in the VM
  4. Run sample
  5. Give the sample some time to do its thing
  6. Save monitoring logs and transfer them back
  7. Analyze logs
  8. (revert VM)
  9. (repeat)

Architecture

Started off with a simple host and virtualized system

Has evolved into a complex multi-system environment to transfer and run the required analysis

Allows for parallel running of malware samples to speed up processing

Minibis is a practical framework to simulate the process a malware analyst would perform.

It’s up to the user to customize to their specific needs.

Customization is done using simple bash scripts in several key locations

Toolset available with pre-built, customizable widgets.

GUI configuration of many aspects of the environment

Can be configured to run with VirtualBox (default) or VMware

Easy configuration of post/pre run actions, including a list of files to extract from the target after the malware has run.

New in version 2.1: Customized filetypes

Matching based on extension, the file tool, or a regex

postminibis

Analyse results and classify them (alert, warning, info)

Then quickly filter for the interesting ones (alerts?)
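As an added example (not Minibis' own code, and the log format and rules are assumptions), the postminibis idea in bash: tag each monitoring-log line as alert/warning/info with an ordered rule table, then filter for the alerts over a constructed sample log.

```bash
#!/usr/bin/env bash
# Added example, not Minibis' own code: a postminibis-style pass that tags
# every line of a monitoring log as alert / warning / info and then filters
# for the alerts. The log format and the rules are assumptions.

# Rule table, "severity|extended-regex", checked top-down (first match wins),
# so the most severe behaviours come first. Patterns are illustrative.
RULES='alert|^REG_SET .*\\(Run|RunOnce)\\
alert|^FILE_(CREATE|WRITE) .*\\(System32|SysWOW64)\\
alert|^PROC_INJECT
warning|^NET_CONNECT
warning|^FILE_(CREATE|WRITE) .*\\(Temp|AppData)\\
warning|^PROC_CREATE'

# Constructed sample log in the assumed "EVENT details" format.
SAMPLE_LOG='PROC_CREATE C:\Windows\Temp\sample.exe pid=1234
FILE_WRITE C:\Windows\System32\drivers\netfltr.sys
REG_SET HKLM\Software\Microsoft\Windows\CurrentVersion\Run\netfltr = C:\Windows\System32\drivers\netfltr.sys
NET_CONNECT 203.0.113.5:443
MUTEX_CREATE Global\netfltr_running
FILE_CREATE C:\Users\lab\AppData\Local\Temp\~tmp01.dat'

classify_line() {  # $1 = one log line -> prints its severity
  local line=$1 rule sev re
  while IFS= read -r rule; do
    sev=${rule%%|*}; re=${rule#*|}
    if printf '%s\n' "$line" | grep -Eq -- "$re"; then
      printf '%s\n' "$sev"; return 0
    fi
  done <<< "$RULES"
  printf 'info\n'   # nothing matched: keep it, but at the lowest level
}

classify_log() {  # stdin = raw log -> stdout = "<severity><TAB><line>"
  local line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\t%s\n' "$(classify_line "$line")" "$line"
  done
}

alerts_only() { awk -F'\t' '$1 == "alert"'; }  # stdin = classified log

count_by_severity() {  # stdin = classified log -> "severity count" per level
  awk -F'\t' '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

demo() {
  printf '%s\n' "$SAMPLE_LOG" | classify_log | count_by_severity
  echo '--- alerts ---'
  printf '%s\n' "$SAMPLE_LOG" | classify_log | alerts_only
}
demo
```

The rule table is the part a user would adapt to their own monitoring tools; the persistence and System32-write rules land at alert so the review queue stays short.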

Future

2.1 is in beta

Next full version will be available in summer 2011

  • Parallelization
  • Diffs over different VM configurations
  • GUI for postminibis
  • Installer
  • Support for more VMs (VMware, QEMU)
  • 64bit Linux support
  • OSX support
  • Support for physical machines (data recovery cards)
  • More sample based scripts
  • Community
