Danielle Eve’s Guide to Malware Reverse Engineering – Day 1

Day 1 – Building Your Lab on a Budget

Prologue from the Girl

So, I’ve been working on my GIAC Certified Reverse Engineer certification via the SANS Forensic 610 track.  It’s an interesting course to be sure and Lenny Zeltser gives good instruction.  I have had years of experience in development and I would encourage anyone interested in reverse engineering to get a good foundation in a higher level programming language such as C# or C++.  Nothing too in-depth, but enough to know how to make an API call or two to open a file on disk and/or store a registry entry without using the .Net assemblies.  Understanding C/C++ loops, memory management, etc. is helpful as well.  It just makes it easier to understand.  Having been in IT for 28, almost 29, years. . . Crap. . . I’ve been in IT longer than any of my children have been alive.  Anyway, having been in IT for 28 years, I already had a good foundation in Assembly and computer science as well, so I am able to enjoy the course work in a more nuanced way than I think I would have otherwise in my career.  That being said, I realized that the material that I’m taking at 90 miles an hour to prepare for the exam might be better doled out in small measured doses for folks taking it on much earlier in their career, especially if they haven’t had any mid-level language development experience.

This series of posts will focus weekly on first setting up the lab and then each week we will focus on a different vital tool to be used in reversing systems.  The entire series will be focused on free or open source tools wherever possible.  In fact, the only thing we’ll be buying for the lab is a single copy of Windows, available for less than $100.00.

Again, they’ll be short bite sized chunks.  Something you could read in 10 minutes and execute in less than hour with a good internet connection.

So, without further or do. . .

Build the Lab Foundation on a Shoe String

If you’re going to build out a reverse engineering lab, you need to start with some basics.  First and foremost, you do NOT need a bunch of computers, one will do nicely.  Having multiple machines, firewalls and switches can be helpful, but to be clear, it’s not necessarily required and in some instances can be very unwieldy.  You will need, at minimum, one copy of Windows 7, 8, or 10.  Any of them will do.  You could use Windows XP as well, but it given that there has been a lot more adoption of Windows 7 to date, a Windows 7 minimum is what I would recommend.

In today’s posting, we’re going to build out our host environment and get set up for the virtual machines we’ll load later.

For a host environment, I prefer using Ubuntu Linux for various reasons.  Primarily, most of the malware I’m going to be reverse engineering will be windows malware and it keeps my host system more protected if the malware tries to exit the virtualized environment.

Our hardware host will be running Ubuntu.  I prefer to install from USB.  For this we will be using Ubuntu 14.04.3 LTS (Long Term Support), the current Ubuntu LTS distribution as of this writing, though you could probably use an Ubuntu 15.x version, I am not testing that at this time, maybe later.

I’m using the 64-bit version that you can get from http://www.ubuntu.com/download/desktop.

To create a bootable USB stick, follow the following instructions (assuming you’re building the stick on Windows).  http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

Follow the standard Ubuntu installation defaults.  Follow these instructions, but be sure you leave at least 100GB of free disk space for your virtual machines, you’ll need 2. http://www.ubuntu.com/download/desktop/install-ubuntu-desktop

Installing Virtual Box 5 on Ubuntu 14.04.3

Installing Virtual Box 5 on Ubuntu 14.04.3 is trivially easy in most respects.  First order of business, make sure your Ubuntu instance is up to date.  Open a terminal window and execute the following:

sudo apt-get update

This will update your list of available packages.  Then you need to update your VM with:

sudo apt-get upgrade

The system will list the packages to be upgraded and prompt you with the following:

After this operation, 10.4 MB of additional disk space will be used. Do you want to continue? [Y/n]

Enter “Y” and press enter.

It’s important to keep your system patched anyway.  Finding security professionals with unpatched production systems is like nails on the chalkboard. Grrr… how embarrassing.

While virtual box is available as an Ubuntu package, I’ve seen some issues getting it stalled via the Ubuntu repositories, so I like to download it from Virtualbox from scratch.  You can do this from https://www.virtualbox.org/wiki/Linux_Downloads.

Click on the Ubuntu AMD64 link for “Trusty”.  Execute the following:

sudo dpkg -i Downloads/virtualbox-5.0_5.0.10-104061~Ubuntu~trusty_amd64.deb

Once installation completes, you’ll be ready for the next step, installing REMNUX, the reverse engineering toolkit on linux.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s