Nowadays the number of malicious software programs, also known as malware, has increased dramatically, causing tremendous damage to computer systems and networks. The purposes of these malicious applications can be very diverse, ranging from applications that permanently delete files from the computer’s storage, through programs that open a backdoor in the computer’s operating system, to complex malware platforms developed to collect large amounts of information from many different sources on the victim’s machine. Understanding how this malicious software works is the key to an effective defense against it, and revealing the information collected by the malware can be very helpful in the analysis of the samples and can play a key role in understanding the operation of the malware and the goals of its developers.
However, the analysis of malware samples is far from an easy task, because the developers of these programs use a variety of techniques to ensure that the malware’s operation remains undetected and that analyzing its operation and the information it collects is difficult. Efficiency problems also arise when the analysis is carried out jointly by several security experts.
Among these problems, perhaps the most significant are the questions of which methods should be used to share, document and store the malware samples, the newly detected components and modules, and the information exchanged between the participants of the analysis, and what kinds of workflows should be used to allocate tasks among the participants, to collect, systematize and reconcile the information resulting from the analysis, and to summarize the analysis results. When the analysis is carried out by several experts, another important aspect is how to follow effectively the work of the participants and the evolution of the solutions to the allocated tasks.
On the other hand, it may be useful for an individual participant if the analysis is carried out in a well-defined, systematic manner, and the particular results of the analysis can easily be reviewed. The results of the work are then easier to understand later, making it possible to continue the analysis effectively.
Numerous software applications are available that support the analysis tasks discussed above and are able to partially automate these procedures.
As part of my Diploma thesis, I have designed a software framework supporting collaborative malware analysis, and have also implemented it at prototype level. I hope that the developed framework will be able to provide efficient support for the aforementioned problems, or at least make the collaboration of the experts easier. The developed framework and the solutions, techniques and approaches applied in it serve as a starting point for a possible larger framework to be developed in the future. Accordingly, during the design phase of the framework’s development in my Diploma thesis, it was an important goal that the application be flexibly extensible and effectively improvable towards a potentially larger, more complex application.
At the beginning of my thesis, I present some practical problems encountered in malware analysis, and solutions that can be used to support collaboration during the analysis. After that, I define a workflow and methodology that can increase the efficiency of collaborative malware analysis. After defining the workflow, I present the functional and architectural design of the developed framework based on this methodology. After the design phase, I describe the questions and problems (and the possible answers) that emerged during the implementation of the application.
I close my thesis with the testing results and the evaluation of the developed framework’s prototype, and I propose opportunities for the further improvement and expansion of the framework.