A common approach to analyzing malware is to turn it loose inside of a VMware session, but some malware have methods for detecting virtual machines and will refuse to run if they encounters one. Joe Stewart has developed a tool called Truman that can be used to construct a sandnet. The sandnet expands on the idea of using VMware as a sandbox. The malware runs inside of a normal OS environment not a virtual one and it interacts with what it thinks is an entire network.

This is how the setup works: You have two machines connected using a crossover network cable. Machine 1 is the server and machine 2 is the client that the malware will be run on. Machine 2 is booted via PXE into a clean Windows install (or whatever OS your malware is for). Once booted it begins watching a directory on the server for the malware’s exe. Once you copy the executable into the directory the Windows machine copies the file and executes it. After 10 minutes the Windows machine dumps its physical memory to disk and then shuts down. An image of the newly infected Windows file system is then saved. The client machine then boots into Linux for analysis of the new Windows image. Truman improves analysis speed because you don’t have to constantly reimage the client machine by hand.

The PXE server also acts as a fauxinternet for the client machine. By watching tcpdump you can see what outbound connections the malware is trying to make. To aid in this process, Truman includes several fauxservers which are just simple Perl scripts designed to act like servers. The fauxservers tell the malware exactly what it wants to hear in hopes that it will cough up logins, passwords and other useful information.

Continue reading “Shmoocon 2006: Behavioral Malware Analysis Using Sandnets” →