ShmooCon: Malware Analysis Intro

In my effort to finally catch up with some of the great ShmooCon talks, today I’m taking a look at NoVA local Richard “@xabean” Harman’s “Malware Analysis Collaboration Automation & Training” presentation. As you may have noticed, I’ve been interested in malware analysis lately. I didn’t get a chance to see Richard’s talk in person at ShmooCon, but it is definitely a must-watch. Although the second part of the presentation mostly focuses on setting up collaborative and classroom environments, the first 15 minutes provide a nice overview for those interested in getting started in malware analysis.

The first slide lists a nice summary of the overall process that includes:

  1. Baseline System State
  2. Monitor & Log System Activity
  3. Infect System
  4. Suspend, Dump & Terminate Processes
  5. Stop Monitoring
  6. Review Monitored Activity
  7. Compare New State to Baseline
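Steps 1 and 7 are the ones that turn a pile of monitoring output into a list of what the sample actually changed. As an added example (my own code, not anything from Richard’s talk or the tools he lists), here is a small Python baseline-and-compare for a directory tree. It stands in for what Regshot and Autoruns capture on a real analysis VM: snapshot before, “infect”, snapshot after, diff. The directory layout, file contents and the simulated infection are all constructed inline. One deliberate choice: files are keyed by SHA-256 and size rather than modification time, because malware can restore timestamps, and a same-size overwrite would otherwise slip through.

```python
"""Baseline-and-compare for a directory tree (steps 1 and 7 of the process).

Added example, not code from the talk. The directory under a temporary
folder plays the role of the analysis VM's system state.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root to (sha256, size).

    Hashing content instead of trusting mtime matters: a sample can backdate
    timestamps, and a same-size overwrite would not change the size alone.
    """
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            # as_posix() keeps keys identical on Windows and Unix.
            state[full.relative_to(root).as_posix()] = (digest, full.stat().st_size)
    return state


def compare(baseline, current):
    """Step 7: diff the post-infection snapshot against the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the workflow on a constructed tree: baseline, simulated infection,
    re-snapshot, compare. Returns the diff so it can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("clean\n")
        (root / "old.log").write_text("x" * 16)

        baseline = snapshot(root)  # 1. Baseline System State

        # 3. "Infect" the system (constructed, not a real sample): drop a
        # payload, append to hosts, overwrite a file with same-size content,
        # and delete a file.
        (root / "system32" / "evil.dll").write_bytes(b"MZ\x90\x00")
        with open(root / "system32" / "hosts", "a") as f:
            f.write("127.0.0.1 update.vendor.example\n")
        (root / "old.log").write_text("y" * 16)  # same size, new content
        (root / "readme.txt").unlink()

        current = snapshot(root)  # 7. Compare New State to Baseline
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real VM you would point `snapshot()` at the volume (and add registry keys and autorun entries to the same dictionary), take the baseline before step 2 and the second snapshot only after step 5, so the monitoring tools’ own files do not show up as “changes”.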

After that Richard touches on several tools he likes to use to monitor activity on his analysis machine. These include:

  • System Baseline: Regshot & Autoruns
  • General Analysis: OfficeCat, FileInsight (hex editor), Wireshark, Didier Stevens’ tools
  • Memory Analysis: Volatility Framework
  • Logging/Tracing: OllyDbg & plugins, IDA Pro, Procmon, CaptureBAT

For details on all these tools check out Richard’s abstract and full talk below.


Malware Analysis Collaboration Automation & Training

Whether you’re a novice or a professional at analyzing malicious code, you’ll have a desire to learn or pass on that skill. Most malicious code analysis is performed by a single analyst, sometimes with collaboration tools for sharing comments on code between two or more analysts. In this presentation you will learn how to set up a virtualized analysis environment that is suitable for solo analysis, training a classroom of students, passing an analysis VM between analysts, and a self-service analysis “session” playback of previous analysis sessions. All of this while not getting in your way, and making efficient use of RAM & disk space.


Today’s post pic is from See ya!

4 comments for “ShmooCon: Malware Analysis Intro”

  1. April 1, 2013 at 2:03 pm

    BLOGGED: ShmooCon: Malware Analysis Intro

  2. April 1, 2013 at 3:57 pm

    #NOVABLOGGER: ShmooCon: Malware Analysis Intro

  3. April 1, 2013 at 4:33 pm

    ShmooCon: Malware Analysis Intro

  4. April 1, 2013 at 5:55 pm

    ShmooCon: Malware Analysis Intro: [] In my effort to finally catchup with some of the great…
