Adam Pridgen

Abstract

The first part of the workshop will focus on building a basic analysis lab. The malware analysis environment will consist of several hosts: a PFSense gateway, a REMnux system, and a Linux-based VM. The PFSense gateway is used to redirect malware traffic to the REMnux system, which provides the services (e.g. DNS, HTTP, etc.) that the malware interacts with. This session will cover how to create an analysis environment (e.g. hosts and networking) using KVM. Images and configuration files for KVM will be pre-built, so most of the time will be spent walking through the commands and building familiarity with PFSense and KVM.

The second part of this workshop focuses on extracting relevant process information, commands, and other artifacts from the controlled samples. Controlled samples will be executed in the malware sandbox. While the sandbox is running, Frida and GDB/Radare, along with other common Linux commands and tools, will be used to analyze the program as it runs. Memory dumps will also be captured using KVM, and these dumps will be analyzed with Volatility and Radare.
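As an added illustration of the live-analysis step (not part of the workshop materials), the script below parses the per-process artifacts Linux exposes under /proc (status, cmdline, and memory maps) and flags mappings that a running sample has made both writable and executable, which is where unpacked or injected code usually lives. The sample process name, paths, and map layout in it are constructed; the `collect_live` helper reads the same files for a real PID inside the sandbox.

```python
"""Collect per-process artifacts from Linux /proc during live analysis.

Added example; not code from the workshop. The parsers work on the raw text
of /proc/<pid>/status, /proc/<pid>/cmdline and /proc/<pid>/maps, so they run
either against a live process or against files copied out of the sandbox.
All sample inputs below are constructed for illustration.
"""
import os
from typing import Dict, List


def parse_status(text: str) -> Dict[str, str]:
    """Turn /proc/<pid>/status ('Key:\\tvalue' per line) into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is NUL-separated; drop the empty trailing item."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def parse_maps(text: str) -> List[dict]:
    """Each /proc/<pid>/maps line: start-end perms offset dev inode [path]."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        regions.append({
            "start": start,
            "end": end,
            "perms": parts[1],
            "path": parts[5].strip() if len(parts) == 6 else "",
        })
    return regions


def suspicious_regions(regions: List[dict]) -> List[dict]:
    """Writable+executable mappings with no file backing, or backed by a
    deleted file or memfd, are the usual home of unpacked/injected code."""
    flagged = []
    for r in regions:
        if "w" not in r["perms"] or "x" not in r["perms"]:
            continue
        path = r["path"]
        if path == "" or "(deleted)" in path or "memfd:" in path:
            flagged.append(r)
    return flagged


def collect_live(pid: int) -> dict:
    """Read the same three files for a real process (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        status = parse_status(f.read())
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = parse_cmdline(f.read())
    with open(f"{base}/maps") as f:
        regions = parse_maps(f.read())
    try:
        exe = os.readlink(f"{base}/exe")  # may be "(deleted)" for a self-removing dropper
    except OSError:
        exe = ""
    return {"status": status, "cmdline": cmdline, "exe": exe,
            "suspicious": suspicious_regions(regions)}


# Constructed sample artifacts, as they might be captured from a sandboxed process.
SAMPLE_STATUS = "Name:\tdropper\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n"
SAMPLE_CMDLINE = b"/tmp/.x/dropper\0-c\0/tmp/.x/cfg\0"
SAMPLE_MAPS = (
    "00400000-00452000 r-xp 00000000 08:01 1234 /tmp/.x/dropper\n"
    "7f3a4c000000-7f3a4c021000 rwxp 00000000 00:00 0\n"
    "7f3a4c021000-7f3a4c040000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a4d000000-7f3a4d010000 rwxp 00000000 00:00 0 /memfd:x (deleted)\n"
)

if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("name:", status["Name"], "ppid:", status["PPid"])
    print("cmdline:", parse_cmdline(SAMPLE_CMDLINE))
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"RWX region {r['start']:#x}-{r['end']:#x} path={r['path'] or '<anon>'}")
```

Run it as-is to see the constructed sample parsed; inside the lab, call `collect_live(pid)` on the sandboxed process to get the same fields from the live system.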

The final parts of the workshop will focus on independent work. The students will work through several different controlled sample programs that behave similarly to real-world malware. The examples will be written in several different languages to vary the participants' exposure to different runtime complexities. Time permitting, the students will be given a malware sample and asked to create a basic actionable report based on its behavior.