Introduction to Course and VirtualBox
by Coleman Kane
This course will cover the analysis techniques that help us understand, and thus, detect and prevent malware. Learning from the adversary is core to the science of Cyber Security, and malware analysis is a key part of this - much as malware is a key part of most adversary toolboxes.
Lecture Video:
Background on Malware Analysis
Though many of the examples used in this course will involve handling benign artifacts designed to help us learn malware analysis techniques, we may also delve into analyzing real malware (although such artifacts will be long inactive campaigns) from the wild. Similar to a bomb technician using special containment equipment, or a doctor using gear appropriate for minimizing the risk of contamination from disease, we will be using technology to employ similar measures in this course.
There are many valuable reasons for this, but here are some of them:
- Accidents do happen - you wouldn’t be the first person to accidentally double-click malware while trying to copy it.
- Anti-virus avoidance: You neither want to fight with AV on your host, nor do you want to disable the AV and other protections on your host system
- You are opening up complex, unknown files, using analysis tools that are widely known. Are you certain your tools don’t have inherent vulnerabilities?
- Often your system configuration will differ from that of the users whom you are protecting. Setting up a lab allows us to replicate their environment without having to adopt it.
Background on Me
- Coleman Kane
- Ph.D. candidate in Computer Science Engineering at UC (cyber focus)
- Principal Cyber Intelligence Analyst at GE Aviation
- Began security career as security monitoring tool engineer, and then malware analyst
- 3rd year teaching this course
Work to do this week
This week, we will focus on a few core concepts working with VirtualBox and our systems.
ncat
Windows users may want to download the following program, ncat.exe
, and install it somewhere
convenient:
Linux users should be able to install the ncat
or netcat
package on their favorite distribution.
The ncat
tool is commonly used for providing a quick connection between two systems and allowing
the user to send data across the connection using the keyboard, or using other CLI programs.
VirtualBox Networking
By default, the OVA image I provided to you utilizes NAT networking so that it is easy to access the Internet, install updates, and generally use. We will want to go beyond this an use VirtualBox’s “Host-only Networking” to create virtualized isolated networks within which the attacks can run. This will require us to create a new network interface in our VM, and make configuration changes both in Kali as well as on our host system, to create a virtual network. We will demonstrate using the virtual networking options to achieve this.
VirtualBox Snapshotting
Another beneficial feature of VirtualBox is the capability of snapshotting and cloning your VM snapshots. This allows quick & easy revert to a known-clean state, which will become beneficial later on when we may want to experiment with various malware features and test operations. Additionally, this facilitates VM reuse across multiple analysis projects.
VirtualBox Shared Folders
VirtualBox provides a simplified interface for providing access to a directory on your host system to the underlying VM. In Linux, this is implemented using a driver and the virtual file system (VFS) that is part of the Linux kernel. In Windows, this is implemented by masquerading as a fileserver on a local network named VBOXSVR. We will familiarize ourselves with both of these interfaces.
Network Traffic Capture with tcpdump
or wireshark
The tcpdump
utility is the de-facto standard network traffic viewing tool, and the Wireshark tool is the
GUI counterpart to it. We will demonstrate using both of these utilities to view the content of network
traffic we generate between host & VM using netcat
.