Presented at ekoparty 14 (2018)
Sept. 28, 2018, 1:50 p.m.
Running malware is an essential part of building defenses against it: a network attack can only be detected reliably once its real behaviour is known in depth. But executing malware is complex and dangerous, since it requires a framework, authorization and a methodology. Cloud services and sandboxes have made the task easier for many people, but they are far from effective and are not suitable for serious research. As a result, running malware has increasingly become a hidden task rather than a research activity. This talk explains how to design a lab for executing real malware, the implications of running it, how to find malware samples on the Internet, how to execute any type of malware, how to intercept HTTPS traffic and how to analyse the results in a methodical way. Its aim is to describe how to design and implement a high-quality international malware execution lab, both for computers running Windows and Linux and for IoT hardware devices. We explain step by step what you should and should not do, together with the ethical implications, legal restrictions, technical challenges and problems with authorities. We show the most common failures and how different authorities have blocked us several times for infecting others. We discuss how to obtain malware samples and, above all, how to obtain verifiable and reproducible results.
Our malware execution processes are part of the Stratosphere Laboratory of the Czech Technical University in Prague, where for more than 4 years we have been generating more than 600 quality malware captures shared freely with the community. Each capture is published on the Internet together with its analysis and the binary of the malware used. Our labs also include honeypots, so that we can evaluate how real attacks work and collect new "in the wild" attacks.
From a more practical perspective, in this talk we share for the first time the tools and pre-built virtual machines used in the Stratosphere Lab. After the lab design, we show the most notable cases of malware executed in our lab, including binaries that remained unknown to the community for years: from entire networks infected with WannaCry, through real DDoS attacks, proxy network creation and identity theft, to the monitoring of attacker forums and decrypted APT cases. The talk aims to raise awareness of how important it is to execute malware in order to understand its properties, and how necessary it is for the community to know the real behaviour of malware in the network in order to build better detection tools. To conclude, we execute malware live to demonstrate how to do it, what is being observed, and how it feels to discover new attacks. It is important to lose the fear of executing malware so that we can improve our malware analysis and security detections. To round off the talk, we will distribute USB drives among the attendees with virtual machines and thousands of real malware binaries for them to execute.
María José Erquiaga
Maria Jose Erquiaga is a researcher and teacher at the Universidad Nacional de Cuyo. She is also a Master's student in High Performance Computing at the Universidad Nacional de La Plata. Her research experience has focused mostly on studying the behavior of malware in the network, in particular the behavior of large botnets in real networks. She has captured large quantities of malware traffic over long periods of time (available for download), analyzed the attacks manually and investigated the decisions taken by the malware. She worked for two years on the Nomad project, directed by Sebastián García, where her main tasks consisted of looking for malware that uses HTTPS, executing it in the CVUT laboratory, monitoring it and analyzing its actions. At the moment she is a team leader of the Aposemat project, directed by Sebastián García, whose goal is to execute malware on IoT devices.