Concealing Network Traffic via Google Translate

I recently encountered an interesting malware sample. Examining its network activity, I noticed that it was beaconing out to translate.google.com. It doesn't make much sense for malware to need a webpage translated, so I took a closer look at what was going on. It turns out that the malware was using Google Translate (and other translation websites) to proxy access to the attacker's malicious websites: the translation service fetches the requested page on the client's behalf, so the malware can communicate with its command and control servers without ever connecting to them directly. Analysis of the traffic would only show connections to Google Translate servers, and the proxied pages may carry the commands or configuration that the malware downloads.
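The analyst's countermeasure follows directly from how the proxying works: the translation request has to name the page it wants fetched, so the real destination is still visible in the URL. The script below is an added example, not code from the blog post. It scans constructed proxy log lines for translation-proxy requests, recovers the embedded destination (Google Translate carries it in the `u` query parameter; the `translator.example` entry and its `url` parameter are hypothetical placeholders showing how another service would be added), and flags the same client repeatedly pulling the same hidden page, which is what a beacon looks like once the translator is peeled away.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Translation services that fetch a page on the client's behalf, mapped to the
# query parameter that carries the real destination.  translate.google.com's
# "u" parameter is real; "translator.example" is a hypothetical placeholder.
TRANSLATION_PROXIES = {
    "translate.google.com": "u",
    "translator.example": "url",   # hypothetical, for illustration only
}

# Constructed proxy log lines (not real traffic): "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2012-02-01T10:00:01 10.0.0.5 GET https://translate.google.com/translate?sl=auto&tl=en&u=http://198.51.100.7/cfg.txt 200
2012-02-01T10:00:02 10.0.0.9 GET https://www.google.com/search?q=malware+analysis 200
2012-02-01T10:05:01 10.0.0.5 GET https://translate.google.com/translate?sl=auto&tl=en&u=http://198.51.100.7/cfg.txt 200
2012-02-01T10:07:30 10.0.0.12 GET https://translate.google.com/translate?sl=fr&tl=en&u=http://www.lemonde.fr/ 200
2012-02-01T10:10:01 10.0.0.5 GET https://translate.google.com/translate?sl=auto&tl=en&u=http://198.51.100.7/cfg.txt 200
2012-02-01T10:11:00 10.0.0.5 GET http://translator.example/?url=http%3A%2F%2Fc2.example.net%3A8080%2Fcmd 200
"""


def hidden_destination(url):
    """Return the URL a translation proxy would fetch for this request,
    or None if the request is not a translation-proxy request."""
    parsed = urlparse(url)
    param = TRANSLATION_PROXIES.get(parsed.hostname)
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)   # parse_qs percent-decodes for us
    if not values:
        return None
    target = urlparse(values[0])
    # Only accept something a translator could actually fetch.
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    return values[0]


def analyze_log(log_text):
    """Return one record per translation-proxied request in the log."""
    records = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue   # malformed line, skip it
        ts, client, _method, url, _status = fields[:5]
        dest = hidden_destination(url)
        if dest is not None:
            records.append({"time": ts, "client": client,
                            "proxy": urlparse(url).hostname, "dest": dest})
    return records


def beacon_candidates(records, min_hits=3):
    """(client, hidden destination) pairs seen at least min_hits times.
    One machine repeatedly pulling the same page through a translator looks
    like a beacon, not a person reading foreign-language news."""
    counts = Counter((r["client"], r["dest"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= min_hits}


def suspicious_destination(dest):
    """Heuristic: a raw IP address or a non-standard port is unusual for a
    page somebody genuinely wants translated."""
    target = urlparse(dest)
    host = target.hostname or ""
    is_ip = host.replace(".", "").isdigit()
    odd_port = target.port is not None and target.port not in (80, 443)
    return is_ip or odd_port


if __name__ == "__main__":
    recs = analyze_log(SAMPLE_LOG)
    for r in recs:
        flag = "SUSPICIOUS" if suspicious_destination(r["dest"]) else ""
        print(f'{r["time"]} {r["client"]} via {r["proxy"]} -> {r["dest"]} {flag}')
    for (client, dest), n in beacon_candidates(recs).items():
        print(f"possible beacon: {client} fetched {dest} {n} times")
```

The `suspicious_destination` heuristic is deliberately crude; its point is that once the translator is stripped away you can apply the same reputation, IP and port checks you would apply to any other outbound connection.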


Do you need an XP virtual machine for malware analysis?

Chapter 2 of our book teaches readers how to set up a safe environment for performing malware analysis in VMs using VMware. The first step in setting up a VM is installing the OS (we recommend Windows XP). Readers who don't have access to a Windows XP installation CD may be able to obtain the Windows XP virtual machine that Microsoft provides for free.


Welcome to Running the Gauntlet!

As part of the release of our book Practical Malware Analysis, we wanted to start a blog to connect with our readers and share security tips from our experiences analyzing malicious software. Topics will include malware analysis tips and tricks, analysis of interesting techniques from innovative malware, and responses to readers' questions about our book. We'll also use this as a platform for releasing malware tools and scripts, both those related to the book and those independent of it. We welcome feedback and questions from readers of our book and blog; feel free to contact us with the feedback link on the navigation bar.