Open Source Malware Lab

BSidesChicago 2016

Presented by: Robert Simmons
Date: Saturday May 07, 2016
Time: 13:15 - 15:30
Location: Sponsor Hall

Note: For workshops, a paid tier of badge is required.

The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software. For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.
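The abstract describes the lab as a set of entry points (file, URL, PCAP, memory image) that feed a chain of tools whose outputs become the next tool's input. The following Python script is an added illustration of that idea and is not material from the talk or from any of the projects named: it classifies an input by kind (libpcap and pcapng magic bytes, a URL pattern, anything else treated as a file) and walks an assumed wiring of the four tools to produce the ordered chain to run. The tool-to-output edges (Thug yielding downloaded files, Cuckoo yielding a packet capture and a memory dump) are assumptions about how such a lab might be wired, as is the caveat that a raw memory image has no reliable magic and must be declared by the caller.

```python
"""Entry-point dispatcher for an open source malware analysis lab.

Constructed example: maps the four entry points named in the abstract
(file, URL, PCAP, memory image) to a tool and follows each tool's outputs
to the next tool. Tool names and the output edges are assumptions about
how such a lab might be wired, not a description of any specific product.
"""
import re
from collections import deque

# Classic libpcap magic (big/little endian, microsecond and nanosecond
# variants) and the pcapng Section Header Block type.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

# Assumed wiring: which entry point each tool consumes and which entry
# points its output can hand to the next tool in the chain.
TOOLS = {
    "thug":       {"consumes": "url",    "produces": ["file"]},            # downloaded payloads
    "cuckoo":     {"consumes": "file",   "produces": ["pcap", "memory"]},  # capture + memory dump
    "bro":        {"consumes": "pcap",   "produces": []},
    "volatility": {"consumes": "memory", "produces": []},
}


def classify(sample, declared=None):
    """Return the entry-point kind of a sample: url, pcap, memory or file.

    A raw memory image has no reliable magic bytes, so 'memory' is only
    returned when the caller declares it; otherwise unknown bytes are
    treated as a file for the sandbox.
    """
    if declared == "memory":
        return "memory"
    if isinstance(sample, str):
        if URL_RE.match(sample.strip()):
            return "url"
        raise ValueError("string input must be a URL")
    head = bytes(sample[:4])
    if head == PCAPNG_MAGIC or head in PCAP_MAGICS:
        return "pcap"
    return "file"


def plan(kind):
    """Breadth-first walk from an entry point through the tool chain.

    Returns the ordered list of tools to run; each tool is queued once,
    even if several upstream tools could produce its input.
    """
    order = []
    seen_kinds = {kind}
    queue = deque([kind])
    while queue:
        current = queue.popleft()
        for name, spec in TOOLS.items():
            if spec["consumes"] != current or name in order:
                continue
            order.append(name)
            for produced in spec["produces"]:
                if produced not in seen_kinds:
                    seen_kinds.add(produced)
                    queue.append(produced)
    return order


def route(sample, declared=None):
    """Classify a sample and return (kind, ordered list of tools)."""
    kind = classify(sample, declared)
    return kind, plan(kind)


if __name__ == "__main__":
    # Constructed inputs: a little-endian pcap header, a URL, an MZ-prefixed
    # blob and an all-zero buffer declared as a memory image.
    samples = [
        (b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16, None),
        ("http://example.invalid/landing.html", None),
        (b"MZ\x90\x00" + b"\x00" * 60, None),
        (b"\x00" * 4096, "memory"),
    ]
    for sample, declared in samples:
        kind, steps = route(sample, declared)
        print(f"{kind:7s} -> {' -> '.join(steps)}")
```

Because the chain is computed from the wiring table rather than hard-coded per entry point, adding a tool (or a new output type such as extracted files from the network monitor) only requires a new table entry; the walk also dedupes tools so a kind reachable from two upstream tools is still analysed once.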

Attendees who want to get hands on with the tools must bring a laptop with a working network connection and a current version of a modern browser such as Chrome or Firefox. Please have the network connection tested and working before the start of the workshop. Everything is web based, and malware will only be handled remotely. A laptop, network connection, and browser are not required, however: if you just want to watch and learn, that is great too.

Robert Simmons

Robert Simmons is the Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert is also the author of PlagueScanner, an open source virus scanner framework. Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.
