
TaiWan Malware Analysis Net

20 Dec 2010 · Yi Lang Tsai · Tags: malware, taiwan, twman

TWMAN is an automated behavioral analysis environment for malware that targets Microsoft Windows. It is developed as free and open source software, and the environment is built around Joe Stewart’s TRUMAN sandnet. Although there are many online services for behavioral malware analysis, such as Norman Sandbox, CWSandbox and ThreatExpert, for privacy and policy reasons the samples we handle must be treated as if they contain personally identifiable information.

The TWMAN environment consists of a Linux server, running Community Enterprise Operating System 5 (CentOS 5), and a client machine that runs Windows XP. The client is configured to boot from the PXE environment: it receives its IP address from the server’s DHCP service, and the server also serves up a small Linux-based boot image. The client can be booted into several modes: it can store a baseline image of its disk, restore itself from that baseline, or create a new infected image and then restore itself to the baseline automatically. The boot environment is responsible for carrying out these functions. In general, the first step in analyzing a binary is to skip these functions and boot the system from the local disk, which is the default mode.
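The following is an added illustration of the three boot-environment modes just described (store a baseline, restore from the baseline, save an infected image and then restore); it is not TWMAN's own code. A regular file stands in for the client's local disk, the image paths are taken as arguments, and the function names and sample disk contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not TWMAN's scripts: a file-backed model of the PXE boot
# environment's disk-image modes. In the real setup the PXE-booted Linux image
# reads and writes the client's physical disk; here a regular file plays that
# role. Function names and paths are assumptions for this illustration.

# Mode 1: capture the clean client disk as the baseline image.
twman_store_baseline() {        # args: DISK BASELINE
    dd if="$1" of="$2" bs=4k 2>/dev/null
}

# Mode 2: overwrite the client disk with the baseline image.
# dd truncates the output file, so a disk that grew during a run shrinks back.
twman_restore_baseline() {      # args: DISK BASELINE
    if [ ! -f "$2" ]; then
        echo "twman: no baseline image at $2; refusing to overwrite $1" >&2
        return 1
    fi
    dd if="$2" of="$1" bs=4k 2>/dev/null
}

# Mode 3: preserve the post-run (infected) disk for offline analysis, then
# return the client to the clean baseline automatically.
twman_save_infected_and_restore() {   # args: DISK BASELINE INFECTED
    dd if="$1" of="$3" bs=4k 2>/dev/null || return 1
    twman_restore_baseline "$1" "$2"
}

# Integrity check: exit status 0 when the disk is byte-identical to the baseline.
twman_disk_is_clean() {         # args: DISK BASELINE
    cmp -s "$1" "$2"
}

# Demo on a constructed stand-in disk (placeholder text, not data from a real run).
twman_demo() {
    work=$(mktemp -d) || return 1
    disk="$work/client-disk.img"
    base="$work/baseline.img"
    inf="$work/infected-sample.img"

    printf 'clean Windows XP install\n' > "$disk"
    twman_store_baseline "$disk" "$base"

    # Simulated change made by the sample during a run.
    printf 'dropped payload and autorun key\n' >> "$disk"
    if twman_disk_is_clean "$disk" "$base"; then
        echo "demo: disk unexpectedly still matches baseline" >&2
        rm -rf "$work"
        return 1
    fi

    twman_save_infected_and_restore "$disk" "$base" "$inf"
    if twman_disk_is_clean "$disk" "$base" && grep -q 'dropped payload' "$inf"; then
        echo "demo: client restored to baseline; infected image kept at $inf"
    fi
    rm -rf "$work"
}

twman_demo
```

The restore function refuses to run without a baseline image, which mirrors the one failure a practitioner most wants to avoid in this workflow: wiping a client disk with nothing to put back on it. Saving the infected image before restoring keeps the evidence from the run available for offline inspection.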

We use DRBL to build the testbed for malware analysis. DRBL (Diskless Remote Boot in Linux) is a free, open source solution for managing the deployment of the GNU/Linux operating system across many clients. Imagine the time required to install GNU/Linux on 40, 30, or even 10 client machines individually! DRBL allows for the configuration of all of your client computers by installing just one server machine.

DRBL provides a diskless or systemless environment for client machines. It works on Debian, Ubuntu, Mandriva, Red Hat, Fedora, CentOS and SuSE. DRBL uses distributed hardware resources and makes it possible for clients to fully access local hardware. It also includes Clonezilla, a partitioning and disk cloning utility similar to Symantec Ghost®.