Behavioral Malware Analysis Using Sandnets (Build It!) presented at ShmooCon 2006

by Joe Stewart

Tags: Security Analysis Malware

Summary: The amount of malware being propagated in the wild is growing to staggering proportions. Many people are aware of the problem and would like to help stem the tide, but without significant skills in debugging and assembly language, most are left to simple "strings" analysis or VMware-based sandbox behavioral analysis. The malware authors have responded by packing their creations with an ever-increasing array of packers, and by utilizing sandbox-detection techniques to prevent their code from running inside a virtual machine.
A sandnet extends the concept of a sandbox by giving the malware a "playground" network environment that appears from the malicious code's point of view to be the whole Internet, much in the same way the concept of a "honeynet" evolved from the simple honeypot. In this presentation, I will detail the construction of a 2-machine behavioral analysis "sandnet", which will allow semi-automated analysis of malware using a stock Windows operating system running directly on standard hardware.
Detailed instructions and a toolkit will be provided to assist attendees in later setting up their own sandnets for malware analysis. Also to be released as part of the toolkit is a program that can reassemble, offline, the virtual memory space of every process on a Windows machine from a physical memory dump, rendering most packers once again vulnerable to string-based analysis by amateurs. Source code to all tools will be provided.
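One building block of the "playground" network described above is a DNS responder on the analysis host that answers every lookup with the host's own address, so the malware's connection attempts land on services the analyst controls. The following is an added example (not code from the talk's toolkit); it assumes the analysis box sits at 10.0.0.1 on the isolated sandnet LAN and handles only the single-question, A-record case.

```python
import socket
import struct

# Assumption: the analysis host's address on the isolated sandnet LAN.
SANDNET_GATEWAY = "10.0.0.1"


def parse_question(packet: bytes):
    """Return (qname, qtype, end_offset) for the first question in a DNS query."""
    labels = []
    pos = 12  # skip the 12-byte DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def build_response(query: bytes, answer_ip: str = SANDNET_GATEWAY) -> bytes:
    """Answer any A query with answer_ip; other types get an empty NOERROR reply."""
    txn_id = query[:2]
    _qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    flags = b"\x81\x80"  # QR=1, RD=1, RA=1, RCODE=0
    if qtype != 1:  # not an A record query: QDCOUNT=1, ANCOUNT=0
        return txn_id + flags + struct.pack("!HHHH", 1, 0, 0, 0) + question
    header = txn_id + flags + struct.pack("!HHHH", 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, IPv4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def serve(bind_addr: str = SANDNET_GATEWAY, port: int = 53) -> None:
    """Listen on the sandnet interface and answer each query; malformed ones are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (IndexError, struct.error, UnicodeDecodeError):
            pass


if __name__ == "__main__":
    serve()
```

Logging each queried name alongside the sample being run gives a first behavioral indicator before any packet to a fake service is even seen.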