A student’s guide to free and open-source enterprise level malware analysis tooling

Botconf 2023
2023-04-22 | 16:45 – 17:05

Max ‘Libra’ Kersten 🗣

Finding malware is not the difficult part, as it is prevalent due to the widespread malware campaigns which target consumers and companies alike. Samples are available in multitudes on sample sharing websites, but it is impossible to manually sift through all available samples. This is why the ideal process is streamlined using a pipeline. The malware is collected, after which it is scanned to detect known patterns and behaviour. Lastly, interesting samples can be reverse engineered manually.

The creation of such a pipeline is relatively straight-forward. The majority of the issues are encountered when setting everything up in a scalable manner. An example would be the scanning of files. If this cannot be done concurrently (enough), this will strain the whole system. The throughput of the pipeline then poses as a bottleneck. Additionally, or alternatively, the scaling of scanning requires improved and more hardware, which is often costly.

This talk focuses on setting up a pipeline on a budget, where the analyst will have access to malware samples of the last 60 days, all of which are scanned with Yara rules for known patterns. Additionally, all samples are executed in a sandbox to obtain heuristic data. Lastly, tools to analyse samples that the analyst deems interesting are referenced. This pipeline can be executed on a Raspberry Pi 3B, paired with a USB (or external hard) drive. Needless to say, more performance-oriented hardware ensures a smoother experience, but this is the lower limit of the hardware with which the pipeline was tested.

Slides Icon


Scroll to Top