Dynamic_Analysis

Page history last edited by Patrick 6 years, 3 months ago

Overview

In this lecture I discuss the use of dynamic techniques to analyze malware. By dynamic I mean that you are running the malware. When you run the malware you can observe its behavior, including changes it makes to the operating system, any attempted connections to other machines, ports that are opened, etc. Since you are running a live piece of malware, it is important that you set up an isolated, host-only experimental system so that the malware cannot connect to any live machine on your real network. See the notes below on how to do this.

 

Videos

 

Readings

 

Notes:

Malware is fun to examine, but you must be very careful: if you accidentally run malware on a live host it can cause serious damage (depending upon the type of malware). The best thing to do is to:

    • Create a VM with the OS your malware runs on.
    • Create a snapshot of the VM BEFORE you start to examine the malware, so you can revert to a clean state afterwards.
    • Set up the networking so that you have a HOST-ONLY based system; that way, if the malware attempts to connect to other systems, it cannot reach your real network.

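Before detonating a sample, it is worth checking the second and third steps mechanically rather than by eye. The following is an added example, not part of this lecture page: it assumes VirtualBox (the page names no hypervisor) and parses the `key="value"` output of `VBoxManage showvminfo <vm> --machinereadable` to confirm that every NIC is host-only or disabled and that a snapshot exists. The sample output embedded below is constructed for illustration.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable`
# output (VirtualBox assumed; the page does not name a hypervisor).
# nic1 is NAT, which would give the sample a route to the real network.
SAMPLE_UNSAFE = """name="analysis-vm"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
"""

# Same VM after fixing the adapter and taking a snapshot.
SAMPLE_SAFE = """name="analysis-vm"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
nic3="none"
SnapshotName="clean-before-malware"
CurrentSnapshotName="clean-before-malware"
"""

# NIC modes that cannot reach a live machine on the real network.
SAFE_NIC_MODES = {"none", "null", "hostonly"}


def parse_machinereadable(text):
    """Turn `key="value"` lines into a dict, stripping the quotes."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)=(.*)$', line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        cfg[key] = val
    return cfg


def check_isolation(text):
    """Return a list of problems; an empty list means the VM is ready."""
    cfg = parse_machinereadable(text)
    problems = []
    for key in sorted(cfg):
        if re.fullmatch(r"nic\d+", key) and cfg[key].lower() not in SAFE_NIC_MODES:
            problems.append(f"{key} is '{cfg[key]}'; expected hostonly or none")
    # Snapshot keys (SnapshotName, SnapshotName-1, ...) are assumed to appear
    # only when at least one snapshot has been taken.
    if not any(k.startswith("SnapshotName") for k in cfg):
        problems.append("no snapshot exists; take one before running the sample")
    return problems
```

Run it on the live output with `subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"], capture_output=True, text=True).stdout` and refuse to start the VM if the list is non-empty.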