
List:       security-basics
Subject:    Re: Malware Analysis vs. Analysing a 'dirty' OS
From:       Robert Larsen <robert () the-playground ! dk>
Date:       2013-09-16 8:32:17
Message-ID: 5236C211.5070800 () the-playground ! dk

I tried replying to this but it seems like it didn't make it through... I'll
give it another shot.


Very interesting project. I am not a malware analyst, but I am quite fond
of reverse engineering; reversing an entire OS as a single project,
though, will be a ginormous task. I would acquire a legit version of the OS
(same version), install that and use it as a baseline. MD5/SHA all the
files and then check, against the backdoored version, which files have
been altered. Then BinDiff (http://www.zynamics.com/bindiff.html) the
altered files. That will probably speed everything up.

Robert

On 08/31/2013 04:22 AM, Syn Ack wrote:
> Hi All,
> 
> So some time back (year or 2 ago at least) I bought a copy of Win
> Server 2008 R2 from a computer mall/market type thing in Beijing,
> China. Can't remember exactly how much it cost, but it was
> ridiculously cheap. Came on a blank CD type deal.
> 
> Some questions:
> 
> 1) Surely will have nasties (malware, backdoors, etc) loaded by default, right?
> 
> ... I have looked a little bit into building a malware analysis
> environment and I assume the process of analysing an OS would be
> similar, but given this is an entire OS, not a little .exe we are
> launching from a fresh/rolled-back environment, where do we start the
> analysis...
> 
> 2) How would you go about analysing a potentially dirty OS as opposed
> to a smaller executable? Is it exactly the same?
> 
> I would imagine you want to:
> - monitor memory, disk R/W
> - monitor network activity
> - check listening ports
> - differentiate between bad/good traffic (I appreciate that this is
> probably the main skill of a malware analyst, but there will be a lot
> going on, and I assume it's easier when you know what executable you are
> about to launch and can scope your searching/monitoring a lot more easily).
> Without that ability, I guess that you're quite likely to need to
> baseline traffic against a known good host, to assist in identifying good
> vs. bad traffic.
> 
> Cheers
> 
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL \
> certificate.  We look at how SSL works, how it benefits your company and how your \
> customers can tell if a site is secure. You will find out how to test, purchase, \
> install and use a thawte Digital Certificate on your Apache web server. Throughout, \
> best practices for set-up are highlighted to help you ensure efficient ongoing \
> management of your encryption keys and digital certificates. 
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
> 



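A worked version of the hash-and-compare step Robert suggests, as an added example (not code from the post, from BinDiff, or from any project): it hashes a clean install of the same build and the suspect install, keeps only executable file types, and reports which files were added, removed or modified. Everything here is constructed inline (the two directory trees, the fake PE contents and the simulated tampering), so it runs offline; the suffix list and the `demo()` helper are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed example, not code from the mailing-list post. It implements the
# baseline comparison described in the reply: hash every file of a clean
# install of the same OS build, hash the suspect install, and report what
# differs. SHA-256 is used instead of MD5 because MD5 collisions are practical.

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".scr"}


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, suffixes=None):
    """Map relative path -> digest for every regular file under root.

    Paths are lower-cased because NTFS is case-insensitive. Run this against an
    offline (mounted read-only, not booted) copy of the suspect install; a
    kernel-mode rootkit in a booted dirty OS can hide or substitute files.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if suffixes and p.suffix.lower() not in suffixes:
            continue
        manifest[p.relative_to(root).as_posix().lower()] = hash_file(p)
    return manifest


def diff_manifests(baseline, suspect):
    """Classify files as added, removed or modified relative to the clean baseline."""
    base_keys, sus_keys = set(baseline), set(suspect)
    common = base_keys & sus_keys
    return {
        "added": sorted(sus_keys - base_keys),
        "removed": sorted(base_keys - sus_keys),
        "modified": sorted(k for k in common if baseline[k] != suspect[k]),
        "unchanged": sum(1 for k in common if baseline[k] == suspect[k]),
    }


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build two constructed install trees and return the diff between them."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 16  # fake PE header, constructed data
    files = {
        "Windows/System32/ntdll.dll": pe_stub + b"ntdll",
        "Windows/System32/kernel32.dll": pe_stub + b"kernel32",
        "Windows/System32/sfc.exe": pe_stub + b"sfc",
        "Windows/System32/config/SOFTWARE": b"regf hive",  # non-executable, filtered out
    }
    with tempfile.TemporaryDirectory() as tmp:
        base, sus = Path(tmp) / "baseline", Path(tmp) / "suspect"
        for rel, data in files.items():
            _write(base, rel, data)
            _write(sus, rel, data)
        # Simulated tampering of the suspect tree (constructed, not real malware):
        _write(sus, "Windows/System32/ntdll.dll", pe_stub + b"ntdll" + b"\xcc" * 8)  # patched
        _write(sus, "Windows/System32/drivers/hlpr.sys", pe_stub + b"extra driver")  # added
        os.remove(sus / "Windows/System32/sfc.exe")                                  # removed
        return diff_manifests(
            hash_tree(base, EXECUTABLE_SUFFIXES), hash_tree(sus, EXECUTABLE_SUFFIXES)
        )


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Two caveats when running this on a real pair of installs: a lot of files differ benignly between two installations of the same build (registry hives, logs, the pagefile, anything written during setup), which is why the example restricts itself to executable types, and a file-level diff says nothing about the boot sector or about the install media itself, so the suspect CD's image is worth checksumming against a known-good value as well. The "modified" list is the input to BinDiff; "added" files have no clean counterpart and need a full look on their own.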
