Wednesday, April 17, 2013

Malware Roulette

When I started my move into malware incident response, my training options were third-party training, on-the-job experience, or analyzing a piece of malware obtained from a trusted source. I was limited by what I could afford, by what I encountered through my work, or by already knowing the malware I was analyzing. While these are all valid options, I wanted more.

I was impressed by the different DFIR challenges that were available online, but quickly noticed the limitations imposed on them. You were working with the artifacts and clues that the creator felt were important. While this helped baseline where you should focus your attention, it never gave the responder the ability to determine for themselves where they should look.

I wanted to take this to the next level and see what it would take to create a malware challenge that a wide range of analysts could use and learn from. This solution needed to be robust, modular, and somewhat random so it could be used more than once.

With that, I am proud to announce the release of Malware Roulette. This application allows analysts to build and test their malware incident response skill set without knowing the actual malware being installed. The application can also create other random artifacts that would be considered false positives, as well as unrelated but potentially malicious network behavior. In total, at the most challenging level, there are over 12000 unique artifact combinations that could be discovered on a machine.

Malware Roulette is written in the AutoIt scripting language, with all the malicious binaries packaged within the executable. To update the packaged malicious binaries, all that is needed is to recompile the executable with an updated malware directory. This allows a new malware incident response challenge to be released quickly.

I will be publicly releasing this tool at GFIRST, but before I do that I am looking for people interested in testing it out and helping flesh out the current features. If you are interested in testing, please send me an email with the subject MALWARE ROULETTE.

What is Malware Roulette?

- Malware IR training app built in AutoIt
- Easily updated
- 3 challenge levels, over 12000 unique artifact combinations
- Randomly generated directory for malware
- Malware directory randomly placed in one of 7 system folders
- 12 active malware samples
- 12 non-destructive system changes
- 12 unique network traffic behaviors

