First, we will need to take some
precautions.
Gray Hat Hacking: The Ethical Hacker's Handbook
512
Chapter 20: Collecting Malware and Initial Analysis
513
PART V
Precautions
Since we are about to execute the binary on a live system, we need to ensure that we contain
the virus to our test system and that we do not contribute to the malware problem
by turning our test system into an infected scanner of the Internet. We will use our trusty
VMware to contain the worm. After we upload the binary and all the tools we need to a
virgin build of Windows XP, we make the following setting changes to contain the
malware to the system:
As another precaution, it is recommended that you change the local network settings of
the virtual guest operating system to some incorrect network. This precaution will protect
your host system from becoming infected while allowing network activity to be
monitored. Then again, you are running a firewall and virus protection on your host,
right?
Repeatable Process
During the live analysis, you will be using the snapshot capability of VMware and
repeating several tests over and over until you figure out the behavior of the binary. The
following represents the live analysis process:
• Set up file, registry, and network monitoring tools (establish a baseline).