
Malware Analysis

The Goals of Malware Analysis


Incident Response

  • Case history
    – A medical clinic with 10 offices found malware on one of their workstations
    – Hired a consultant to clean and re-image that machine
  • All done, case closed? Absolutely not.
  • After malware is found, you need to know:
    – Did an attacker implant a rootkit or trojan on your systems?
    – Is the attacker really gone?
    – What did the attacker steal or add?
    – How did the attack get in?
  • Root-cause analysis

Malware Analysis


  • Dissecting malware to understand:
    – How it works
    – How to identify it
    – How to defeat or eliminate it
  • A critical part of incident response

Goals


  • Information required to respond to a network intrusion:
    – Exactly what happened
    – Ensure you have located all infected machines and files
    – How to measure and contain the damage
    – Find signatures for intrusion detection systems

Signatures


Host-based signatures

  • Identify files or registry keys on a victim computer that indicate an infection
  • Focus on what the malware did to the system, not the malware itself
  • Different from an antivirus signature, which matches the malware file itself

Network signatures

  • Detect malware by analyzing network traffic
  • Signatures written with the help of malware analysis (e.g. the exact URI and User-Agent the sample uses) are more effective than ones derived from captured traffic alone: higher detection rate, fewer false positives
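As an added illustration of a network signature derived from analysis (this is example code written for these notes, not a tool or sample from the original), the script below matches proxy log lines against a constructed C2 beacon signature and then checks whether the hits recur at a regular interval, which is what separates a beacon from a one-off request. The log lines, the IP 203.0.113.9, the `gate.php` URI pattern and the User-Agent string are all constructed; a real signature would carry the values found in the sample's strings or in its captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic). One request per line:
# <ISO timestamp> <client ip> <method> <url> "<user-agent>"
# 10.1.1.7 beacons to a C2 every ~5 minutes; 10.1.1.12 is ordinary browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.1.1.7 GET http://203.0.113.9/gate.php?id=7a1f "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-03-01T10:00:04 10.1.1.12 GET http://example.org/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
2024-03-01T10:05:00 10.1.1.7 GET http://203.0.113.9/gate.php?id=7a1f "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-03-01T10:06:31 10.1.1.12 GET http://example.org/news "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
2024-03-01T10:10:00 10.1.1.7 GET http://203.0.113.9/gate.php?id=7a1f "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-03-01T10:15:01 10.1.1.7 GET http://203.0.113.9/gate.php?id=7a1f "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Hypothetical signature of the kind malware analysis yields: the exact URI
# pattern and User-Agent string hard-coded in the sample. Both are constructed.
SIGNATURE = {
    "name": "constructed-c2-beacon",
    "uri": re.compile(r"^/gate\.php\?id=[0-9a-f]{4}$"),
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    m_url = re.match(r"^https?://([^/]+)(.*)$", url)
    if m_url:
        host, path = m_url.group(1), m_url.group(2) or "/"
    else:                      # e.g. CONNECT host:port lines carry no scheme
        host, path = url, ""
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path, "ua": ua}

def match_signature(rec, sig=SIGNATURE):
    """Both elements must match: the old-browser UA alone would also hit legitimate clients."""
    return rec["ua"] == sig["user_agent"] and sig["uri"].match(rec["path"]) is not None

def find_beacons(log_text, sig=SIGNATURE, min_hits=3, max_jitter=0.2):
    """Per client: signature hits, and whether they recur at a regular interval
    (coefficient of variation of the gaps between hits <= max_jitter)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and match_signature(rec, sig):
            hits[rec["client"]].append(rec)
    report = {}
    for client, recs in hits.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        report[client] = {
            "c2": recs[0]["host"],
            "hits": len(recs),
            "interval_s": round(avg, 1),
            "jitter": round(jitter, 3),
            "periodic": jitter <= max_jitter,
        }
    return report

if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(client, info)
```

The same two conditions (URI pattern plus User-Agent) are what would go into an IDS rule; the periodicity check is a second, behavioural layer that a signature alone cannot express and that catches the sample even if the operator later changes the path.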

Malware Analysis Techniques


Static v. Dynamic Analysis

  • Static analysis
    – Examines malware without running it
    – Tools: VirusTotal, strings, a disassembler like IDA Pro
  • Dynamic analysis
    – Run the malware and monitor its effect
    – Use a virtual machine and take snapshots so the system can be reverted after each run
    – Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT
    – RAM analysis: Mandiant Redline and Volatility
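The two basic static steps named above, hashing the file for a VirusTotal lookup and pulling out its strings, fit in a few lines. The script below is an added example written for these notes, not code from the original; it works on a constructed byte string that stands in for an executable (the URL, registry path and API names in it are placed there for illustration). It extracts both plain ASCII strings and UTF-16LE strings, the wide-string form Windows binaries commonly use and that an ASCII-only pass misses, then flags the ones an analyst would look at first.

```python
import hashlib
import re

# Constructed stand-in for an executable (not a real sample): header bytes,
# an ASCII string, a UTF-16LE string, two API names, a too-short run, and noise.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00\x12http://203.0.113.9/gate.php\x00"
    + b"\x7f\x01" + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"\x33\xc0CreateRemoteThread\x00ab\x00WriteProcessMemory\x00"
    + bytes(range(1, 30))
)

def file_hashes(data):
    """Hashes used to look the sample up on VirusTotal and to name it in reports."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def ascii_strings(data, min_len=4):
    """Runs of printable ASCII: what `strings` prints by default."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def utf16le_strings(data, min_len=4):
    """Runs of printable chars each followed by a NUL byte (`strings -e l`)."""
    return [m.group().decode("utf-16le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]

# Patterns an analyst looks for first; the API list is a small illustrative subset.
SUSPICIOUS = {
    "url": re.compile(r"^https?://"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "injection_api": re.compile(
        r"^(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|NtMapViewOfSection)$"),
}

def triage(data, min_len=4):
    """Hashes, all extracted strings, and the strings grouped by why they matter."""
    strings = ascii_strings(data, min_len) + utf16le_strings(data, min_len)
    flagged = {}
    for s in strings:
        for label, pat in SUSPICIOUS.items():
            if pat.search(s):
                flagged.setdefault(label, []).append(s)
    return {"hashes": file_hashes(data), "strings": strings, "flagged": flagged}

if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    print(result["hashes"]["sha256"])
    for label, items in result["flagged"].items():
        print(label, items)
```

Packed or obfuscated samples show almost no useful strings, which is the "fails for advanced malware" caveat below: an empty or meaningless string list is itself a finding and a cue to move on to dynamic analysis.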

Basic Analysis

  • Basic static analysis
    – View the malware without looking at the instructions
    – Tools: VirusTotal, strings
    – Quick and easy, but fails against advanced malware and can miss important behavior
  • Basic dynamic analysis
    – Easy, but requires a safe test environment (an isolated virtual machine)
    – Not effective on all malware
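Basic dynamic analysis with RegShot is a before/after comparison, and the diff is also where host-based signatures (the files and keys the sample left behind, described under Signatures above) come from. The script below is an added example written for these notes, not RegShot or any code from the original: it takes a filesystem "shot" of a directory, runs a constructed stand-in for the sample, takes a second shot, diffs them, and turns the result into path-plus-hash indicators. The directory, file names (including the look-alike `svch0st.exe`) and the `simulated_sample` function are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256:
    the filesystem half of a RegShot-style shot."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(before, after):
    """Compare two shots: files added, removed, and changed in between."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def host_signature(after, changes):
    """Host-based indicators from the diff: the paths the sample touched and
    the hashes of what it left there, i.e. what to sweep other machines for."""
    return [{"path": p, "sha256": after[p]} for p in changes["created"] + changes["modified"]]

def simulated_sample(root):
    """Constructed stand-in for running the sample inside the VM (not real
    malware): drops a look-alike binary in a startup folder and appends a
    line to the hosts file."""
    root = Path(root)
    (root / "Startup").mkdir(exist_ok=True)
    (root / "Startup" / "svch0st.exe").write_bytes(b"MZ" + b"\x90" * 64)
    with open(root / "hosts", "ab") as f:
        f.write(b"203.0.113.9 update.example.invalid\n")

def run_demo():
    """First shot, run, second shot, diff, in a throwaway directory that
    plays the role of the VM's disk."""
    with tempfile.TemporaryDirectory() as vm:
        root = Path(vm)
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "notes.txt").write_bytes(b"unchanged\n")
        before = snapshot(root)
        simulated_sample(root)
        after = snapshot(root)
        changes = diff_snapshots(before, after)
        return changes, host_signature(after, changes)

if __name__ == "__main__":
    changes, sig = run_demo()
    print(changes)
    for ioc in sig:
        print(ioc["sha256"], ioc["path"])
```

Two caveats a practitioner should keep in mind: RegShot diffs the registry as well as the filesystem, which this filesystem-only example does not cover, and a snapshot diff only sees what persists between the two shots. A file the sample writes and deletes while it runs, or a process it starts and kills, never appears in the diff; that is what a live monitor such as Process Monitor is for.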

Advanced Analysis

  • Advanced static analysis
    – Reverse-engineering with a disassembler
    – Complex; requires an understanding of assembly code
  • Advanced dynamic analysis
    – Run the code in a debugger
    – Examines the internal state of a running malicious executable

Types of Malware


  1. Backdoor
     – Allows the attacker to control the system
  2. Botnet
     – All infected computers receive instructions from the same command-and-control (C&C) server
  3. Downloader
     – Malicious code that exists only to download other malicious code
     – Used when the attacker first gains access
  4. Information-stealing malware
     – Sniffers, keyloggers, password hash grabbers
  5. Launcher
     – Malicious program used to launch other malicious programs
     – Often uses nontraditional techniques to ensure stealth or greater access to a system
  6. Rootkit
     – Malware that conceals the existence of other code
     – Usually paired with a backdoor
  7. Spam-sending malware
     – Attacker rents the infected machine to spammers
  8. Worms or viruses
     – Malicious code that can copy itself and infect additional computers

Mass v. Targeted Malware


  • Mass malware
    – Intended to infect as many machines as possible
    – Most common type
  • Targeted malware
    – Tailored to a specific target
    – Very difficult to detect, prevent, and remove
    – Requires advanced analysis
    – Ex: Stuxnet

General Rules for Malware Analysis


  • Don’t get caught in details
    – You don’t need to understand 100% of the code
    – Focus on key features
  • Try several tools
    – If one tool fails, try another
    – Don’t get stuck on a hard issue; move along
  • Malware authors are constantly raising the bar
This post is licensed under CC BY 4.0 by the author.