Designing and Implementing a Secure Reverse-Engineering Environment for Windows-based Malware
Yli-Lankoski, Jarkko (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024051512309
Abstract
Analysing and reverse-engineering malware requires an environment that is both secure and effective across a wide range of analysis cases. While the amount of malware has increased rapidly, the skills needed to analyse suspect files remain niche.
To address this problem, research was carried out using constructive methods to find out how a single analyst could set up a reverse-engineering environment for Windows-based malware in a secure way. With a documented way to set up such an environment, the bar to enter the field becomes lower for people who already have an interest in the subject matter.
Several focus areas and criteria were defined to guide the design and implementation phase. The construct was built through an iterative process, which resulted in a solution consisting of three virtual machines. The building process was documented in such a way that a moderately technical person can follow along and build their own environment reflecting the one in the research.
The construct was tested with a sample malware to validate that the environment meets the set criteria. A multi-stage malware sample was chosen for the test to showcase the wide variety of tools and techniques that can be used within the built environment. The environment was shown to be effective and to fulfil the set requirements. The objective and capabilities of the malware were uncovered during the analysis process, which also produced several indicators of compromise for later use. Future research could be conducted in the focus areas of automation and scalability to improve the construct further.