
Presentations from the LSU Discover Day undergraduate research symposium


rmettig/LSU-Discover-Day


LSU Discover Day Presentations

Discover Day 2020 - Malware DB: Pre-processing Malicious Samples for Preliminary Analysis

Abstract: Malware remains one of the largest global cybersecurity threats. There is an ongoing effort by specialists in the industry to analyze, identify, detect, and protect against the harm inflicted by malicious code. The Applied Cybersecurity Lab at LSU CCT is aiding those efforts by researching and developing tools to analyze such code. In order to analyze malware, a researcher needs live samples to study in order to collect information about their behavior. The results of this analysis can then be used to develop security patches and detection signatures, and to drive further research efforts. Our team has collected a large population of millions of malware samples that affect a wide variety of platforms. We use these to research new malware detection and classification techniques. However, the initial analysis used to determine whether a particular sample is appropriate for a specific project can be extremely time-consuming. This is particularly true when looking for a sample that possesses a specific set of characteristics or fits a particular profile. For this reason, we decided to catalog every sample we have in storage and collect as much relevant information as possible. This is accomplished by utilizing a combination of built-in system tools as well as publicly available information found on the internet. The results of our mass pre-processing of samples greatly speed up preliminary analysis and allow researchers to curate relevant samples on a case-by-case basis.

Discover Day 2019 - Automated Unpacking of Malware with Memory Forensics

Abstract: Cyber incident responders often have to perform analysis of malware found on compromised devices. With the number of malware threats continuing to rise, there is a need for new and efficient techniques for static analysis of malware samples. Memory analysis allows an investigator to gather complete information about a sample's behavior once it has loaded into memory, rather than just "speculating" about potential behavior documented through manual reverse engineering. One of the most tedious tasks of reverse engineering malware is a technique known as unpacking - the process of taking malware that has compressed, encrypted, and/or encoded its data and code such that the application on disk is a "wrapper" for the real code that executes in memory. Manually removing this wrapper to find the real code is a daunting task that takes even expert reverse engineers substantial time and effort. Our research goal was to design a process that would help investigators gather more information about a malware sample through automatic unpacking and retrieval. We accomplish this by first allowing the malware to load and unpack itself in the memory of a virtual machine, and then capturing a complete memory snapshot of this virtual machine. We have also scripted the Volatility memory forensics framework to automatically find and extract the malware introduced into the virtual machine. The result of this process is that an unpacked version of the malware can be automatically saved to an analyst's system for further investigation. In real-world investigations, our process saves the investigator hours or days of time.
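As an added illustration of the "find and extract" step described above (example code written for this page, not the project's Volatility scripts), the following carves mapped PE images out of a memory buffer by locating MZ/PE headers and using the section table to decide where each in-memory image ends; the memory contents are a constructed, harmless minimal PE32 image, not a real sample.

```python
import struct

def carve_pe_images(mem: bytes):
    """Return (offset, image) for every PE image whose MZ/PE headers lie in mem.

    In a memory snapshot, sections sit at their VirtualAddress, so the image
    extent is the largest VirtualAddress + VirtualSize (SizeOfRawData if 0)."""
    found, pos = [], mem.find(b"MZ")
    while pos != -1:
        img = _image_at(mem, pos)
        if img is not None:
            found.append((pos, img))
        pos = mem.find(b"MZ", pos + 1)
    return found

def _image_at(mem: bytes, base: int):
    if base + 0x40 > len(mem):
        return None
    e_lfanew = struct.unpack_from("<I", mem, base + 0x3C)[0]
    pe = base + e_lfanew
    # Reject stray "MZ" bytes: e_lfanew must point at a real "PE\0\0" signature
    if e_lfanew > 0x400 or pe + 24 > len(mem) or mem[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", mem, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", mem, pe + 20)[0]   # SizeOfOptionalHeader
    sec = pe + 24 + opt_size                               # first section header
    if not 0 < nsec <= 96 or sec + nsec * 40 > len(mem):
        return None
    end = sec - base + nsec * 40                           # at least the headers
    for i in range(nsec):
        vsize, va, raw = struct.unpack_from("<III", mem, sec + i * 40 + 8)
        end = max(end, va + (vsize or raw))
    return mem[base:base + end] if base + end <= len(mem) else None

def build_sample_memory() -> bytes:
    """Constructed test data: a minimal two-section PE32 image embedded in
    zero-filled memory, preceded by a decoy "MZ" that is not a PE header."""
    img = bytearray(0x2100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 2)          # Machine i386, 2 sections
    struct.pack_into("<H", img, 0x94, 0xE0)               # PE32 optional header size
    sections = [(b".text", 0x200, 0x1000), (b".data", 0x100, 0x2000)]
    for i, (name, vsize, va) in enumerate(sections):
        off = 0x178 + i * 40                               # 0x80 + 24 + 0xE0
        img[off:off + len(name)] = name
        struct.pack_into("<III", img, off + 8, vsize, va, vsize)
    return b"\0" * 16 + b"MZ" + b"\0" * 100 + bytes(img) + b"\0" * 32
```

Against a real snapshot the same walk is applied per process address space, which is what the Volatility scripting in the abstract automates.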
