Brazilian Jiu Jitsu

Building Your Own Personal Training Program

One of the cool things about security is that there is so much information out there about different skills we want to develop. If you are interested in analyzing malicious files, then this is even easier since the malware comes straight to your SPAM folder or inbox. These emails can provide you with an excellent training opportunity to improve your malware analysis skills. 

In episode 101 of the Security Weekly News Podcast, I referenced this blog post by Jan Kopriva of the SANS Internet Storm Center. If you haven’t heard that episode, then let me recap it here. If you want to check out the full writeup by Kopriva, then I highly recommend reading it.

Kopriva had written an email to the Full Disclosure email list about a vulnerability he had found several years ago in a CMS application. I’ve included a screenshot of the message here and you can see that it makes no sense whatsoever.

“Greeting” to you too Jan!

I would hope that no one would ever click on such a poorly worded message. Unfortunately, people do click on these messages and find themselves infected with ransomware and other nasty stuff. Regardless, the message got Kopriva’s attention for some reason. Perhaps because he thought it would be a good blog post. He downloaded the zip file and began documenting his analysis.

Kopriva must have had a VM ready to go for this kind of work, because he had everything he needed ready to safely analyze the email and zip file. First, he checked the message headers of the email and saw that the sender was fake and contained an unusable address. Then he opened the zip file and extracted an Excel spreadsheet file. The document claimed to be a DocuSign “encrypted” message. The viewable message said that Kopriva needed to enable Excel’s macros to decrypt the message. Instead of doing that, he used oledump.py to analyze the file and found a simple macro that would have tried to install the Qakbot banking trojan if run as the attacker hoped.
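To make the header / zip / macro sequence above concrete, here is an added Python example of a read-only triage pass over such a message. It is not code from Kopriva’s post and it is not oledump.py; the sample message, the “DocuSign” lure and the stub workbook are all constructed inline, and the OLE macro check is a string-marker heuristic I chose for illustration (real analysis of the VBA streams is what oledump.py is for). Nothing in the attachment is opened in Office or executed.

```python
"""Added example: read-only triage of a spam message carrying a zipped Office lure.

Steps mirrored from the post: (1) sanity-check sender headers, (2) list the zip
members in memory without writing them to disk, (3) decide whether each member
is an Office container that carries a VBA project. All sample data is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.xlsx/.xlsm/.docm) or plain zip
# Directory-entry names inside an OLE file are stored as UTF-16LE. These are the
# stream names a VBA project leaves behind. Heuristic only (assumption for this
# example); oledump.py parses the directory properly instead of grepping for it.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "ThisDocument")]


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when there is no usable address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_findings(msg):
    """Cheap sender checks: From domain vs Return-Path / Reply-To domain."""
    findings = []
    from_dom = domain_of(msg["From"])
    if not from_dom:
        findings.append("From header has no usable address")
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg[hdr])
        if other and other != from_dom:
            findings.append(f"{hdr} domain {other!r} != From domain {from_dom!r}")
    return findings


def classify_document(data):
    """Label a blob by container type and whether a VBA project appears to be present."""
    if data.startswith(OLE_MAGIC):
        return "ole-with-vba" if any(m in data for m in VBA_MARKERS) else "ole"
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        # OOXML keeps macros in a separate part; its presence is the tell.
        return "ooxml-with-vba" if any(n.endswith("vbaProject.bin") for n in names) else "ooxml-or-zip"
    return "unknown"


def triage(raw_eml):
    """Parse an .eml, enumerate zip members in memory, classify every member."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    report = {"headers": header_findings(msg), "attachments": []}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        entry = {"name": part.get_filename(), "members": []}
        if blob.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    entry["members"].append(
                        (info.filename, info.file_size, classify_document(zf.read(info))))
        else:
            entry["members"].append((entry["name"], len(blob), classify_document(blob)))
        report["attachments"].append(entry)
    return report


def build_sample_ooxml(with_macro=True):
    """Constructed stand-in for an .xlsm/.xlsx: a zip with (or without) a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_eml():
    """Constructed lure: fake DocuSign sender, mismatched Return-Path, zipped stub .xls
    that carries OLE magic plus a VBA stream name. Not a real malicious file."""
    fake_xls = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DocuSign_message.xls", fake_xls)
    msg = EmailMessage()
    msg["From"] = "DocuSign <noreply@docusign.example>"
    msg["Return-Path"] = "<bounce@random-mailer.example>"
    msg["To"] = "analyst@lab.example"
    msg["Subject"] = "Greeting"
    msg.set_content("Enable macros to decrypt the attached message.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="DocuSign.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_eml())["headers"]:
        print("header:", line)
    for att in triage(build_sample_eml())["attachments"]:
        print("attachment:", att["name"])
        for name, size, label in att["members"]:
            print(f"  {name}  {size} bytes  {label}")
```

Point `triage()` at the raw bytes of a saved `.eml` from your own SPAM folder inside the analysis VM; anything labelled `ole-with-vba` or `ooxml-with-vba` is the file to hand to oledump.py next.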

Why run through all this?

I just found this to be a simple way to periodically practice analyzing malicious documents. There was no need for Kopriva to do all this, but I suspect that he did it partly because it would make a fun blog post and partly because it was good practice. We can make a similar habit to practice analyzing documents like this.

We don’t have to stop there either. You can get malware pretty readily for practice. One of the searches I follow on Twitter is #opendir. People are regularly tweeting out web sites that have malware on them, and they can be a great place to pick up practice targets. The malware you find may be malicious documents or may be compiled code. Either way, it’s great training time for ourselves. You can find videos on how to reverse engineer x86 files if you aren’t familiar with reverse engineering compiled code. I only have a cursory knowledge of this, but I’ve found complete classes on this topic.

If you would like information about how to set up a VM to do malware analysis, then I’d recommend checking out this blog post by Lenny Zeltser. Pretty much anything he publishes is solid and useful information.

Personally, I found the blog post by Mr. Kopriva to be a fun read and a useful example on how we can develop some new skills. If this sounds interesting to you, I’d recommend checking it out and spending some time thinking about how you can apply this yourself. Your next practice exercise is in your SPAM folder, waiting for your attention.