
To start with malwares


_InSaNe_
July 28th, 2007, 00:12
If I start with malware unpacking, do I need to set up a malware analysis environment with a victim and a sniffer PC, or to have a VMware Workstation? Isn't there any other way around, 'cause I don't have access to two PCs, nor do I have heavy RAM sticks to support VMware. I read many papers on malware unpacking but most of them are official releases, which means not true knowledge or obfuscated knowledge.
What steps must be taken to start with malwares? I am already working on packers/protectors so I think I should as well start with malwares too, since they both are closely related and the latter sounds more fun.
Btw I tried to analyse that malware mnso.exe but I can't get it to open in any of the debuggers, Olly or the IDA disassembler; however, I am sure it did not really infect my PC.
Regards,
_InSaNe_

LLXX
July 28th, 2007, 00:57
You can try manual tracing in a hex editor, like I've been doing.

Polaris
July 28th, 2007, 01:42
I would say that to do malware analysis you need both. The VMware image is really cool for non-VM-aware malware, and you can revert it if you make an error, while a quickly re-imageable physical goat comes in handy to handle VMware-aware malware with ease. Anyway, do not make the mistake of thinking that you can handle malware analysis on your own machine: no matter how good you are, sooner or later an accidental double click, a debugger failure to break or something else will activate the malware and put your data at risk.

Anyway, IMHO a base document for malware analysis is the one from Lenny Zeltser, as it shows both the process and the way it should be documented. Find it here:

http://www.zeltser.com/reverse-malware-paper/reverse-malware.pdf

naides
July 28th, 2007, 06:24
Analysis of Malware using your own computer and no virtual machine. . .
There was a bomb squad school in which live explosives were used for training exercises in bomb defusing.

Graduation rate was rather low

blurcode
July 28th, 2007, 06:58
I heard they also used colorless cables...

blabberer
July 28th, 2007, 11:34
You don't need loads of RAM sticks to operate virtual machines.

I can assure you that you can run a virtual machine (the VM in this case is Microsoft Virtual PC 2004) running on a WinXP host:

VPC is running Win2k SP4

host is running WinXP SP1 / SP2

host has 128 MB RAM and VPC was allocated 32 MB RAM

processor is a P3

They both run peacefully with not much of an impact on processing speed; sure, some slowness is inevitable, but it isn't irritatingly slow.

Now I think none of the modern computers come with less than 256 MB DDR.

If you are talking about VMs then I can assume that you have a PC which can run XP (XP installs with 64 MB RAM minimum, so by default the PC would have at least 128 MB RAM).

Grab a copy, set it up and start to form your own opinion; never rely on hand-me-down information that says you need blah blah to run blah blah.

They are almost always not right (including mine above).

_InSaNe_
July 28th, 2007, 11:58
Quote (originally posted by blabberer):
You don't need loads of RAM sticks to operate virtual machines.
I can assure you that you can run a virtual machine (the VM in this case is Microsoft Virtual PC 2004) running on a WinXP host.

Hey, I have enough RAM then; I should have made sure what that geek meant in a tutorial I read, that "to set up VMware you will need enough RAM". I am on for VMs then, thanks for the info.

So all I need to do is set up a virtual machine, run the mnso.exe (malware) and attach OllyDbg to it, then I will be able to understand the working of the malware; however, isn't it obvious that I won't be able to know the packing scheme?
Regards,
_InSaNe_

blabberer
July 28th, 2007, 12:34
When you are onto a malware,

JUST ETCH THIS INTO YOUR MIND PERMANENTLY:

THERE IS NOTHING CALLED RUNNING IT.

YOU SIMPLY DO NOT RUN MALWARES

UNLESS AND OTHERWISE YOU HAVE A SUITABLE LABORATORY ENVIRONMENT (WHERE CONTROLLED EXECUTION IS POSSIBLE).

A VM is still a complex, unreliable piece of software (attackable by a determined malware).

If the malware falls into the category of a masterpiece it simply can
evade your VM and infect yours and/or the whole world's comps.

So you always start with understanding it statically (hex editor, IDA, whatever rocks your boat; in my case I would say OllyDbg -> View -> File -> right click -> PE header /// right click -> Disassemble /// Ctrl+G address), peek, poke and get a preliminary grasp of its extents.

Then you should be almost ready to open it in OllyDbg for tracing,

and always start tracing from the earliest possible stage.

In Windows userland I could state LdrLoadThunk (after ntdll.dll is mapped and no other DLLs are mapped).

The ntdll.debugbreak comes next (OllyDbg -> pause at system breakpoint).

Then come TLS, DLL inits, and then comes the application's entry point
(if there is no stealth in the above, then if this malware is coded in
a high-level language (compiler-generated code) the _crtstartup code will be executed and then control will be transferred to the real application's code (main or WinMain); I'm assuming unobfuscated, unpacked code here, which is never the case in the real world).

If it contains packers, obfuscators, crypters, foolers, cheaters, then all these will be executed before you end up on _crtstartup or main or WinMain,

and WinMain or main in most cases would be simply crap.

So if you run and try to attach to it, you might have almost always lost the game right the second you double-clicked the malware.
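The static first pass blabberer describes (PE header, entry point, extents) before any execution can be scripted. The following is an added example, not code from this thread: it parses the DOS/COFF/optional headers and section table of a PE32 image, reports which section holds the entry point and each section's byte entropy, and flags a likely packer stub; the 7.0 bits/byte threshold is an assumed heuristic, and `build_sample` constructs a non-executable PE skeleton purely as offline test input.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, far lower for plain compiler code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in range(256)) if c)

def triage_pe(image: bytes) -> dict:
    """Read the PE header without running anything: entry point, its section, section entropy."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                  # COFF file header (20 bytes)
    num_sections, size_opt = struct.unpack_from("<H12xH", image, coff + 2)
    opt = coff + 20                                      # optional header; AddressOfEntryPoint at +16
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(num_sections):                        # section table follows the optional header
        name, vsize, rva, rsize, roff = struct.unpack_from("<8sIIII", image, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                         "size": max(vsize, rsize), "entropy": round(shannon_entropy(image[roff:roff + rsize]), 2)})
    ep = next((s for s in sections if s["rva"] <= entry_rva < s["rva"] + s["size"]), None)
    # Heuristic (assumed threshold): an entry point outside every section, or inside a section whose
    # bytes look compressed/encrypted, means a packer stub runs before the real entry point.
    likely_packed = ep is None or ep["entropy"] > 7.0
    return {"entry_rva": entry_rva, "entry_section": ep["name"] if ep else None,
            "sections": sections, "likely_packed": likely_packed}

def build_sample(entry_in_packed: bool) -> bytes:
    """Constructed PE32 skeleton (headers + two sections) for the demo; not a real program."""
    text = b"\x90" * 256                 # stands in for plain compiler code: entropy 0
    packed = bytes(range(256)) * 2       # stands in for a compressed payload: entropy 8.0
    size_opt, data_off = 224, 0x40 + 4 + 20 + 224 + 2 * 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    entry = 0x2000 if entry_in_packed else 0x1000
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(size_opt, b"\0")
    def sec(name, rva, data, off):       # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), off, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, text, data_off)
            + sec(b"UPX1", 0x2000, packed, data_off + len(text)) + text + packed)
```

Run `triage_pe` over a real sample's bytes read from disk (never executed) to see where the entry point lands before deciding whether OllyDbg will land you in a packer stub or in _crtstartup.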

_InSaNe_
July 28th, 2007, 14:19
Quote (originally posted by blabberer):
So if you run and try to attach to it, you might have almost always lost the game right the second you double-clicked the malware.


Aye aye sir, thanks for the illumination; I will update as soon as I am able to at least disassemble/debug one malware. Downloading VMware Workstation right now.
Regards,
_InSaNe_