
Security Basics mailing list archives
Re: Malware Analysis vs. Analysing a 'dirty' OS
From: Robert Larsen <robert () the-playground dk>
Date: Mon, 16 Sep 2013 10:32:17 +0200
I tried replying to this but it seems like it didn't make it through... I'll give it another shot.

Very interesting project. I am not a malware analyst but I am quite fond of reverse engineering, but reversing an entire OS as a single project will be a ginormous task.

I would acquire a legit version of the OS (same version), install that and use that as a baseline. MD5/SHA all the files and then check against the backdoored version which files have been altered. Then BinDiff (http://www.zynamics.com/bindiff.html) the altered files. That will probably speed everything up.

Robert

On 08/31/2013 04:22 AM, Syn Ack wrote:
> Hi All,
>
> So some time back (a year or 2 ago at least) I bought a copy of Win Server 2008 R2 from a computer mall/market type thing in Beijing, China. Can't remember exactly how much it cost, but it was ridiculously cheap. Came on a blank CD type deal.
>
> Some questions:
>
> 1) Surely will have nasties (malware, backdoors, etc) loaded by default, right? ... I have looked a little bit into building a malware analysis environment and I assume the process of analysing an OS would be similar, but given this is an entire OS, not a little .exe we are launching from a fresh/rolled-back environment, where do we start the analysis...
>
> 2) How would you go about analysing a potentially dirty OS as opposed to a smaller executable? Is it exactly the same? I would imagine you want to:
> - monitor memory, disk R/W
> - monitor network activity
> - check listening ports
> - differentiate between bad/good traffic (appreciate that this is probably the main skill of a malware analyst, but there will be a lot going on and I assume it's easier when you know what executable you are about to launch and can scope your searching/monitoring a lot easier). Without that ability, I guess that you're quite likely to need to baseline traffic against a known good host, to assist in identifying good vs. bad traffic.
>
> Cheers
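The baseline comparison Robert describes (hash every file of a clean install of the same OS version, then see which files differ on the suspect copy), as an added example that is not part of the thread. It uses SHA-256 rather than MD5, skips symlinks, and builds its own constructed sample trees in a temp directory; the file names and contents are placeholders, not real OS files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map each regular file's path (relative to root, POSIX form) to its digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(root).as_posix()] = sha256_file(path)
    return digests


def compare_trees(baseline, suspect):
    """Diff a suspect install against a known-good baseline of the same version.
    modified: same path, different hash (the BinDiff candidates);
    added: only on the suspect copy; missing: only on the baseline."""
    base, susp = hash_tree(baseline), hash_tree(suspect)
    return {
        "modified": sorted(p for p in base if p in susp and base[p] != susp[p]),
        "added": sorted(set(susp) - set(base)),
        "missing": sorted(set(base) - set(susp)),
    }


def demo():
    """Constructed sample: two tiny 'installs' with placeholder contents."""
    tmp = Path(tempfile.mkdtemp())
    trees = {
        "baseline": {"System32/kernel.dll": b"A" * 64, "System32/helper.dll": b"B" * 64,
                     "README.txt": b"clean"},
        "suspect": {"System32/kernel.dll": b"A" * 64, "System32/helper.dll": b"B" * 63 + b"X",
                    "System32/extra.sys": b"unexpected driver"},
    }
    for name, contents in trees.items():
        for rel, data in contents.items():
            p = tmp / name / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    return compare_trees(tmp / "baseline", tmp / "suspect")


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real image, point compare_trees at the mounted clean and suspect system volumes; the added and modified lists are the files worth pulling into BinDiff or a disassembler first.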
Current thread:
- Malware Analysis vs. Analysing a 'dirty' OS Syn Ack (Sep 02)
- Re: Malware Analysis vs. Analysing a 'dirty' OS Robert Larsen (Sep 16)