Unpacking with WinDbg

A few weeks ago a friend sent me some packed malware that he was having trouble with. The malware employed a number of anti-debugging techniques that made it difficult to unpack, and my friend was in a desperate rush to create solid host-based indicators for it. After spending about 30 minutes trying to find all the anti-debugging techniques, I decided to try opening it in WinDbg, because most of the techniques were specifically targeting OllyDbg. OllyDbg is the most popular debugger for unpacking, and in our book we devote an entire chapter to unpacking with OllyDbg. However, in cases like this you can use WinDbg to unpack malware, and all the same strategies apply.


New Tool: FakeNet – Coming Soon!

In Chapter 3 of our book, we discuss strategies for using dynamic analysis tools and techniques. The best way to get started is to set up tools to fake the network, which usually includes changing the local DNS server, running a local DNS server such as ApateDNS/FakeDNS, and setting up a second virtual machine with INetSim to simulate network services. I've been working on a new tool called FakeNet which will combine all those steps into a single tool, with additional features to handle hard-coded IP addresses, new protocols, SSL support, and more. We'll be releasing the tool on 2/29 during a Mandiant webinar where we'll be talking about our book and the tool.


Concealing Network Traffic via Google Translate

I recently encountered an interesting malware sample. Examining its network activity, I noticed that it was beaconing out to translate.google.com. It doesn't really make sense that malware would need to translate a webpage, so I took a closer look at what was going on. It turns out that the malware was using Google Translate (and other translation websites) to proxy access to its malicious websites. Using the translation pages allows the malware to communicate with its command and control servers without ever connecting to them directly; analysis of the traffic would only show connections to Google Translate servers. These websites may contain commands or configuration that the malware downloads.


Do you need an XP virtual machine for malware analysis?

Chapter 2 in our book teaches readers how to set up a safe environment for performing malware analysis in VMs using VMware. The first step in setting up a VM is installing the OS (we recommend Windows XP). Readers who don't have access to a Windows XP installation CD may be able to obtain the Windows XP virtual machine that Microsoft provides for free.


Welcome to Running the Gauntlet!

As part of the release of our book Practical Malware Analysis, we wanted to start a blog to connect with our readers and share security tips from our experiences analyzing malicious software. Topics of conversation will be malware analysis tips and tricks, analysis of interesting techniques from innovative malware, and responses to readers' questions about our book. We'll also use this as a platform for releasing malware analysis tools and scripts, both related to our book and separate from it. We welcome feedback and questions from readers of our book and blog; feel free to contact us with the feedback link on the navigation bar.