As can be guessed from the previous posts Ab in die Cloud… (Reblogged) and Email Alerts for Amazon AWS Honeypots, I set up a honeypot “in the cloud” to collect some malware. So far dionaea has caught 14 malware binaries.
Ever since I bought the Malware Analyst’s Cookbook as a Kindle version I have wanted to dissect some malware and see how it works. But up until now I always found some excuse not to do it, mainly, I guess, because I am not really into programming and dreaded the thought of not being able to reverse engineer any binaries with much success.
Luckily I was able to set up a FireEye “Malware Protection System” trial. What it does is extract binaries (plain and compressed ones) from data streams and run them in virtual machines to analyze what disk and registry changes they perform. If they behave maliciously you get an alert and can see a log of all changes, with the conspicuous ones highlighted.
That gave me some ideas about how to set this up myself on a VMware ESXi server: some virtual machines running Windows with Regmon, Diskmon and a firewall to watch outgoing network traffic.
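To make the before/after comparison such a sandbox performs concrete, here is an added example (my own illustration, not FireEye's code and not part of the lab setup): two constructed snapshots of a Windows VM's files and registry are diffed, and changes in autostart or system locations are flagged as conspicuous. The registry paths, directories and file hashes are assumptions chosen for the sample.

```python
# Added example (not FireEye's code, not from this blog): diff two snapshots of
# a Windows VM's files and registry and flag conspicuous changes, the way a
# sandbox report highlights them. All snapshot data below is constructed.
from dataclasses import dataclass

# Locations where any change is conspicuous (persistence, system tampering).
SUSPICIOUS_REG = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)
SUSPICIOUS_DIRS = (r"C:\Windows\System32",)

@dataclass(frozen=True)
class Change:
    kind: str         # "file" or "reg"
    action: str       # "added", "modified" or "deleted"
    path: str
    conspicuous: bool

def diff_snapshot(before, after, kind, hot):
    """Compare two {path: value} maps (value = file hash or registry data)."""
    hot_upper = tuple(h.upper() for h in hot)
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            action = "added"
        elif path not in after:
            action = "deleted"
        elif before[path] != after[path]:
            action = "modified"
        else:
            continue  # unchanged entry
        changes.append(Change(kind, action, path, path.upper().startswith(hot_upper)))
    return changes

def analyze(files_before, files_after, reg_before, reg_after):
    """Full report: file changes first, then registry changes."""
    return (diff_snapshot(files_before, files_after, "file", SUSPICIOUS_DIRS)
            + diff_snapshot(reg_before, reg_after, "reg", SUSPICIOUS_REG))

# Constructed sample: the sample deletes itself, drops a copy into System32
# and adds a Run key pointing to it. Hashes "h1"/"h2" are placeholders.
FILES_BEFORE = {r"C:\Windows\System32\calc.exe": "h1", r"C:\Users\analyst\sample.exe": "h2"}
FILES_AFTER = {r"C:\Windows\System32\calc.exe": "h1", r"C:\Windows\System32\dropped.exe": "h2"}
REG_BEFORE = {r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe"}
REG_AFTER = {**REG_BEFORE, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Windows\System32\dropped.exe"}

if __name__ == "__main__":
    for c in analyze(FILES_BEFORE, FILES_AFTER, REG_BEFORE, REG_AFTER):
        print(("!! " if c.conspicuous else "   ") + f"{c.kind} {c.action}: {c.path}")
```

In a real lab the two maps would be filled from a hash walk of the disk and a registry export taken before and after running the sample; the diff and flagging logic stays the same.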
So my plan is to:
- build a small “malware analysis laboratory”
- analyze all binaries caught by dionaea
- set up a malware section in this blog with a dedicated page for each binary that lists all findings I could make on it
I will accompany this with blog posts to show how I went about it and hopefully get some interesting suggestions on how to improve my methods.
In the next blog post I will cover the configuration of the lab environment I am building, so stay tuned.
As always, I appreciate any questions, comments and suggestions in the reply section below!