Software Based Malware Analysis and Mitigation in Virtual Machines

dc.contributor: Matemaattis-luonnontieteellinen tiedekunta / Faculty of Mathematics and Natural Sciences, Department of Future Technologies, Networked Systems Security
dc.contributor.author: Egbenyon, Donald
dc.contributor.department: fi=Tulevaisuuden teknologioiden laitos|en=Department of Future Technologies|
dc.contributor.faculty: fi=Matemaattis-luonnontieteellinen tiedekunta|en=Faculty of Mathematics and Natural Sciences|
dc.date.accessioned: 2017-04-04T09:57:57Z
dc.date.available: 2017-04-04T09:57:57Z
dc.date.issued: 2017-04-04
dc.description.abstract: In this thesis, two types of Cuckoo, a malware analysis software, were compared in two different virtual machines: KVM and VirtualBox. The goal is to ascertain which Cuckoo software can be used by a newbie malware analyst to carry out a quick malware analysis and on which virtual machine the software performed more efficiently. The comparison revealed that the updated version of the original Cuckoo sometimes performs better than the accuvant Cuckoo, a modified version of Cuckoo. From the comparison results, it became evident that the only time that accuvant Cuckoo performed better than original Cuckoo was when it was running in VirtualBox. When both Cuckoo variants are running in KVM, the results generated after the analysis are almost the same, or the original Cuckoo generated a better result than accuvant Cuckoo. Hence, based on the produced results, Cuckoo can be used solely by an analyst to make a quick security decision without recourse to any basic static analysis tool. This is because its malware detection capability is superior to most basic static analysis tools. Lastly, in the test lab, a more detailed analysis report was obtained when both variants are used than would be obtained by using just one of them. While using software like Cuckoo for malware analysis, an organisation or individual should also understand that malware attacks and other security attacks can be prevented by preventing common human security mistakes. It is also significant to have the ability to start a forensic analysis of the network when an attack occurs.
dc.description.notification: Transferred from Doria
dc.format.content: abstractOnly
dc.identifier.olddbid: 150404
dc.identifier.oldhandle: 10024/134217
dc.identifier.uri: https://www.utupub.fi/handle/11111/8638
dc.language.iso: eng
dc.publisher: fi=Turun yliopisto|en=University of Turku|
dc.source.identifier: https://www.utupub.fi/handle/10024/134217
dc.title: Software Based Malware Analysis and Mitigation in Virtual Machines
