Malware Analysis for the Enterprise presented at BlackHatDC 2010

by Jason Ross

Summary: Your organization has anti-virus deployed and is logging virus activity to a central location. Your IDS is watching the perimeter, and your systems are on a regular patch cycle. Malware doesn't affect you, right?
This presentation shows where these technologies fall short and why malware analysis is quickly becoming a need for companies other than anti-virus vendors. We'll discuss the pros and cons of virtual machines versus bare metal as they apply to analyzing malicious software.
After talking about the "why", we'll move on to the "how" and walk through setting up a sandnet, or "virtual internet", comprised of a victim host and a server running multiple services so that you can:
Observe Operating System changes made by malware
Capture network traffic being sent by the compromised host
Intercept DNS calls and redirect them to services you control
Set up netcat to interact with unknown protocols
Using these methods, an organization can determine exactly what has been compromised on a host and, more importantly, where its data is going.
Armed with the accurate information that analyzing the malware provides, the organization can form an effective response to the incident.
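The DNS interception step of the sandnet above is the one most worth seeing in code: the victim host's resolver points at the analysis server, and every name the sample looks up is logged and answered with the address of services you control, so its callbacks land on your netcat listeners instead of the real internet. The following DNS sinkhole is an added example written for this page, not code from the presentation; it assumes a sandnet services host at the hypothetical address 10.0.0.1 and that the victim's DNS setting points at the machine running this script.

```python
"""
Minimal DNS sinkhole for a malware analysis sandnet.

Added example, not from the original presentation. Assumes the sandnet
server hosts fake services at SINK_IP (hypothetical address) and that the
victim host's resolver points at this listener. Every A query is answered
with SINK_IP so the sample's download or C2 traffic reaches services you
control; every query is also logged, which reveals the domains the sample
tries to contact.
"""
import socket
import struct

SINK_IP = "10.0.0.1"   # assumption: address of the sandnet services host
TTL = 60


def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question_offset) for a DNS query.

    Only the first question is parsed, which is all real resolvers send.
    Raises ValueError on malformed input so garbage sent by a sample does
    not crash the listener.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    offset = 12
    while True:
        if offset >= len(packet):
            raise ValueError("truncated qname")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if offset + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, offset + 4


def build_response(packet, sink_ip=SINK_IP):
    """Build a response that redirects an A query to sink_ip.

    Non-A queries (MX, TXT, ...) get an empty NOERROR answer, so a sample
    will usually fall back to an A query rather than give up.
    """
    txid, qname, qtype, qend = parse_query(packet)
    question = packet[12:qend]
    ancount = 1 if qtype == 1 else 0
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # name = pointer to offset 12 (the question name), type A, class IN
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4)
        answer += socket.inet_aton(sink_ip)
    return header + question + answer, qname


def encode_query(qname, txid=0x1234, qtype=1):
    """Construct a DNS query packet; used here only to build sample input."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    body += b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + body


def serve(bind_addr="0.0.0.0", port=53):
    """Answer every query with SINK_IP and log the name that was asked for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp, qname = build_response(data)
        except ValueError as exc:
            print(f"{peer[0]} sent malformed query: {exc}")
            continue
        print(f"{peer[0]} asked for {qname} -> {SINK_IP}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the sandnet server (port 53 is privileged) with the victim's resolver pointed at that server, then start netcat listeners on the ports the logged names are contacted on; the printed query log is the list of domains the sample tried to reach, which is exactly the "where is my data going" question the abstract raises.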