Tuesday, October 1, 2019

Malware Analysis - Part I - Basics

Malware Analysis

Hi guys, this post is an overview of malware analysis. It covers the questions a malware analyst should be asking, the types of malware analysis, and the general rules that should be followed.

Introduction

Malware analysis is the process of learning how a piece of malware works. Any code that performs a malicious action is malware. New malware is written every day, and the number of samples keeps growing. Malware code varies widely, and it is essential to remember that a single sample can have several functions. It may come in the form of a virus, a worm, spyware, or a Trojan horse; whatever the form, it runs on the infected device without the knowledge or authorization of its user.

Why should we analyze Malware?

The answer to this question is straightforward: the goal of malware analysis is to protect something or someone. Generally, there are two sets of questions a malware analyst should ask, business questions and technical questions.

Business Questions:

  • What is the purpose of malware?
  • How did it get here?    
  • Who is targeting us and how good are they?
  • How can I get rid of it?
  • What did they steal?
  • How long has it been here?
  • Does it spread on its own?
  • How can I find it on other machines?
  • How do I prevent this from happening?

Technical Questions:

  • What are its network indicators?
  • What are its host-based indicators?
  • What is its persistence mechanism?
  • When was it compiled?
  • When was it installed?
  • Which language or compiler was it built with?
  • Is it packed?
  • Does it have any rootkit functionality?

Types of Malware Analysis

The techniques by which malware analysis is performed typically fall under the following two categories:

  • Static Malware Analysis (Examine malware without running it)

Static malware analysis examines the malware without executing it, studying each component of the file. It includes:

    • Basic Static Analysis


In basic static analysis the executable file is examined without looking at the actual instructions. This helps determine whether the file is malicious, gives a basic idea of its functionality, and sometimes yields enough information to produce simple network signatures. It is straightforward and quick, but it is ineffective against sophisticated malware and can miss important behaviors.
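The technical questions listed earlier (compile date, packing, network and host-based indicators, persistence) are exactly what a first basic-static pass tries to answer, so here is a worked example of that pass. This Python script is an added example and is not code from the original post: it walks the PE header by hand using only the standard library, reads the COFF compile timestamp, computes per-section Shannon entropy as a packing heuristic (together with well-known packer section names), and pulls URLs, IPv4 addresses and Run-key paths out of the file's printable strings. The two samples it triages are assembled inline from constructed data; the section names, the C2 URL, the IP address, the registry path and every function name are assumptions of the example, not indicators from any real sample.

```python
import math
import random
import re
import struct
from datetime import datetime, timezone

# Added example (not from the original post): a minimal basic-static triage
# over PE files using only the standard library. All names are hypothetical.

STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")                 # printable ASCII runs
URL_RE = re.compile(r"https?://[\w.\-/]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY_RE = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run\w*", re.I)
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b"MPRESS1", b"MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (max 8.0). Packed or encrypted sections usually exceed ~7.0;
    ordinary x86 code sits around 5 to 6.5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "data": data, "entropy": shannon_entropy(data)})
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def triage(blob: bytes) -> dict:
    """Answer the technical questions: compile date, packing, network and host indicators."""
    pe = parse_pe(blob)
    strings = "\n".join(s.decode("ascii") for s in STRING_RE.findall(blob))
    ts = pe["timestamp"]
    # A zeroed or far-future stamp is itself a finding: linkers write the real
    # build time, but authors can and do forge it.
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else "unknown (zeroed timestamp)"
    packed = any(s["name"] in PACKER_SECTIONS or s["entropy"] > 7.0 for s in pe["sections"])
    return {
        "compiled": compiled,
        "machine": hex(pe["machine"]),
        "sections": [(s["name"].decode(errors="replace"), round(s["entropy"], 2)) for s in pe["sections"]],
        "probably_packed": packed,
        "network_indicators": sorted(set(URL_RE.findall(strings)) | set(IPV4_RE.findall(strings))),
        "persistence_hints": sorted(set(RUN_KEY_RE.findall(strings))),
    }


def build_sample_pe(timestamp: int, sections: list) -> bytes:
    """Assemble a minimal, non-runnable PE image (constructed test data, not real malware)."""
    e_lfanew, nsec = 0x40, len(sections)
    header_len = e_lfanew + 4 + 20 + 40 * nsec
    raw_ptr = (header_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    blob = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    blob += struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, 0, 0x0102)  # i386, no optional header
    body = b""
    for name, data in sections:
        blob += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                            len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return blob + b"\0" * (raw_ptr - len(blob)) + body


def demo_samples() -> tuple:
    """Two constructed samples: a plain build that leaks its C2, and a UPX-style packed one."""
    code = b"\x55\x8b\xec\x83\xec\x10" * 200           # low-entropy, x86-looking filler
    rdata = (b"http://update.example-c2.test/gate.php\x00" b"192.0.2.44\x00"
             b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" b"cmd.exe /c whoami\x00")
    plain = build_sample_pe(1569888000, [(b".text", code), (b".rdata", rdata)])
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for compressed code
    packed = build_sample_pe(0, [(b"UPX0", b"\0" * 64), (b"UPX1", noise)])
    return plain, packed


if __name__ == "__main__":
    for label, sample in zip(("plain", "packed"), demo_samples()):
        print(label, triage(sample))
```

Run it and compare the two reports: the plain build gives a compile date, a C2 URL, an IP and a Run key straight away, while the packed build gives only "probably packed", a zeroed timestamp and no indicators at all. That second report is the point made above: basic static analysis is quick, but against a packed sample it tells you little beyond the fact that something is hiding, and the real work moves to unpacking or to dynamic analysis.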

    • Advanced Static Analysis

Advanced static analysis consists of reverse-engineering the malware's internals by loading the executable into a disassembler and reading the program instructions to understand its logic. Since those instructions are exactly what the CPU executes, advanced static analysis tells you what the program actually does. However, it has a steeper learning curve than basic static analysis and requires specialized knowledge of code constructs, disassembly, and Windows OS concepts.

  • Dynamic Malware Analysis (Examine malware by running it)

Dynamic malware analysis is performed by observing the behavior of the malware while it is running on a host system. It includes:

    • Basic Dynamic Analysis

Basic dynamic analysis involves running the malware and observing its behavior on the system in order to remove the infection and produce effective signatures. Before running malware, however, a proper environment must be set up so that the running sample can be studied without risk or damage to your system or network. Like basic static analysis, basic dynamic analysis can be used by people without in-depth programming knowledge, but it won't be effective against all malware and can miss important functionality.

    • Advanced Dynamic Analysis

Advanced dynamic analysis uses a debugger to examine the internal state of the running executable. This provides another way to extract detailed information from an executable, and it is most useful when you are trying to obtain information that is difficult to gather with other methods.

Rules for Malware Analysis

  • First, don't get too caught up in details. Most malware programs are large and complex, and you can't possibly understand every aspect. Focus instead on the key features. When you run into intricate and complex sections, try to get a general overview before you get bogged down.
  • Second, remember that different tools and approaches are available for different jobs. There is no single approach. If a tool doesn't give you the information you want, try another. If you get stuck, don't spend too much time on one issue; move on to something else. Try analyzing the malware from a different angle, or try a different approach.
  • Finally, remember that malware analysis is a cat-and-mouse game. As new analysis techniques are developed, malware authors respond with new techniques to thwart analysis. To succeed as a malware analyst, you must be able to recognize, understand, and defeat these techniques, and respond to changes in the art of malware analysis.

The above are the fundamentals that should be known before moving further. Part 2 of Malware Analysis will cover how to set up your lab to perform the analysis.




2 comments:

  1. Hello! Improve your business operations with our BPO company. Our team of experts will help you to hire data analyst and more, offering you the support you need . Trust in our expertise and let us handle the wide range of tasks while you focus on business strategic initiatives.

  2. Your blog has become my go-to resource for all things. The depth of information and the clarity with which you explain complex concepts is truly impressive. Your blog posts have been instrumental in expanding my knowledge and keeping me updated with the latest trends in the field. Thank you for sharing your expertise!

    Certified Forensics Expert
