Thursday, February 27, 2014

Creating a malware management system

During my time as a malware analyst, the methods for keeping track of the malware I have analyzed has always been problematic.  There's the excel approach (nice big spreadsheet of hashes and names, maybe some analysis details), the email approach (search through sent items to see what I did months or years ago), the word files approach (search folders and file shares for the write-up of that malware), and finally - build a database.

I started building the data base several years ago using MS Access.  Access is easy to set up (initially), portable, works almost anywhere.  This is what I used for several years across several different companies.  I stored basic analysis details, built a switchboard for searches, had a tabbed entry page for different details of analysis, etc. 




But as the information I wanted to store became more complex (many to many relationships in Access is painful!) the interface and the query design started to breakdown.

I started thinking that I needed to design a real database, but balked at designing a front-end that would be usable without months (or years!) of design and programming - after all, this was a project done on my own time or while I was between projects at work.

Then, a co-worker asked if I had ever used django.  Short answer was no, but I liked python and so looked into what django was and what it had to offer.  Almost like an answer to all my database design needs - semi-automatic database implementation, built-in web front end,  even the site title (The web framework for perfectionist with deadlines) seemed designed for exactly what I needed.

Now, we all know that nothing is that easy.  But after working through the tutorials, and putting some thought into what the database should look like.  I had a working model.  Then came the hard part - customizing exactly what I wanted and changing looks and feels to make me happy.

The default django admin worked pretty well for the basic data entry pages:


And then I decided to get a little fancy and add in some graphs to show statistics about the malware world I had analyzed.



I also added details to turn this into a forensics case management tool -- details about machines, disk images, and memory images and the case (or engagement) that ties them all together:



This is (and probably always will be!) a work in progress.  Now that I have the database semi-stable, I am working to add integration with automated tools like mastiff.py so I can pull the information from the mastiff database into my database instead of manually copying the data, plus reporting - easily pulling the information into something that I can turn into a nice report without too much editing.  Of course, the report will only be as good as the data I put into the summary and analysis parts!  But - with the django pieces in place - searching by any field is easy, showing statistical information is done, and best of all - it's an interface that some day I might be able to use across my team so we all put data into a central repository that can be used for quicker analysis in future projects.

No comments:

Post a Comment