A few weeks ago a friend sent me some packed malware that he was having trouble with. The malware employed a number of anti-debugging techniques that made it difficult to unpack, and my friend was in a desperate rush to create solid host-based indicators for it. After spending about 30 minutes trying to find all the anti-debugging techniques, I decided to try opening it in WinDbg, because most of the anti-debugging techniques were specifically targeting OllyDbg. OllyDbg is the most popular debugger for unpacking, and in our book we devote an entire chapter to unpacking using OllyDbg. However, in cases like this you can use WinDbg to unpack malware, and all the same strategies apply.
In Chapter 3 of our book, we discuss strategies for how to use dynamic analysis tools and techniques. The best way to get started is to set up tools to fake the network, which usually includes changing the local DNS server, running a local DNS server such as ApateDNS/FakeDNS, and setting up a second virtual machine with INetSim in order to simulate network services. I’ve been working on a new tool called FakeNet which will combine all those steps into a single tool with additional features to handle hard-coded IP addresses, new protocols, SSL support, and more. We’ll be releasing the tool on 2/29 during a Mandiant webinar where we’ll be talking about our book and the tool.
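As an added illustration of the "fake the network" step (this is example code written for this post, not code from the book, ApateDNS, FakeDNS or FakeNet), here is a minimal DNS responder in Python. It parses the single question in an incoming query, logs the name the sample asked for (the domain itself is often the host-based or network indicator you are after), and answers every A-record query with one fixed sink address so that the sample's outbound connections land on an analysis host running something like INetSim. The sink address 10.0.0.2, the listening port and the 60-second TTL are assumptions for the example.

```python
import socket
import struct

SINK_IP = "10.0.0.2"  # assumed address of the VM running INetSim or similar


def parse_qname(data, offset):
    """Decode an uncompressed DNS name starting at `offset`.

    Returns (dotted name, offset just past the terminating zero label).
    Queries from a resolver never use label compression, so a compression
    pointer here is treated as malformed input rather than followed.
    """
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed label in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, tid=0x1234):
    """Build a standard recursive A query; used here to construct test input."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, sink_ip=SINK_IP, ttl=60):
    """Return (queried name, response bytes) for a single-question query.

    A/IN questions get one answer pointing at `sink_ip`; any other type gets
    an empty NOERROR answer so the sample falls back cleanly.
    """
    if len(query) < 12:
        raise ValueError("short DNS message")
    tid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    # Response flags: QR=1, opcode copied from the query, AA=1,
    # RD copied from the query, RA=1, RCODE=0 (NOERROR).
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to the question name at offset 12 (0xC00C),
        # then TYPE=A, CLASS=IN, TTL, RDLENGTH=4 and the IPv4 address.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    else:
        answer = b""
        ancount = 0
    header = struct.pack("!HHHHHH", tid, rflags, 1, ancount, 0, 0)
    return qname, header + question + answer


def serve(bind_addr="0.0.0.0", port=53, sink_ip=SINK_IP):
    """Answer UDP queries forever, logging each name the sample resolves."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            qname, reply = build_response(data, sink_ip)
        except (ValueError, IndexError) as exc:
            print(f"{peer[0]}: unparseable query ({exc})")
            continue
        print(f"{peer[0]} asked for {qname} -> {sink_ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Point the analysis VM's DNS setting at the host running this script, and every domain the sample looks up is both logged and redirected to the sink address, which is exactly what lets a second VM with INetSim pick up the HTTP, SMTP or other traffic that follows.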
Chapter 2 in our book teaches readers how to set up a safe environment for performing malware analysis in VMs using VMware. The first step in setting up a VM is installing the OS (we recommend Windows XP). Readers who don’t have access to a Windows XP installation CD may be able to obtain the Windows XP virtual machine that comes free from Microsoft.