Malware Analysis — Introduction:
Before getting into the depths of malware analysis, we need to understand what malware is. Malicious software (malware) is any program or file intended to cause harm to a system and thereby to its user. Many kinds of malware exist on the internet: viruses, worms, Trojan horses, ransomware, spyware and others. Malware can be used to steal data, encrypt or delete files, alter files, or add the infected system to a large botnet and monitor it without the user knowing that their device is infected. Malware is generally written by attackers, and based on the intended targets they follow one of two approaches:
1. Mass attacks, in which the malware is written to infect as many systems as possible, indiscriminately.
2. Targeted attacks, in which the attacker writes or tailors malware for a specific organisation, system or set of data.
Now that we have a basic understanding of malware, let us look at how malware analysis is actually carried out and which techniques are used in the process.
Various techniques used in Malware Analysis:
In general there are two types of malware analysis technique: Static Analysis and Dynamic Analysis.
Static Analysis covers all examination of the malware in which we do not execute it, but instead inspect the file itself to work out what it is trying to do.
Dynamic Analysis is carried out by actually executing the malware (in a sandboxed environment) and observing its behaviour to work out its functionality.
Each of these is further divided into a basic and an advanced form, giving four sub-categories.
(i) The Basic Static Analysis
Basic static analysis examines the executable without reading its actual instructions: for example its hashes, file type, printable strings, imported functions, section layout and whether it has been packed.
Basic static analysis can give a strong indication that a file is malicious and provide information about its functionality, although on its own it rarely proves it.
Sometimes it also turns up the information (a hostname, URL or user-agent string, for instance) that lets us produce simple network signatures.
It is quick and straightforward, but it is largely ineffective against sophisticated malware (packed or obfuscated samples hide most of these clues) and might miss important behaviours.
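The following script shows what basic static analysis looks like in practice: it hashes a file, reads the first PE header fields, extracts ASCII and UTF-16LE strings, and pulls out URLs and suspicious API names from them, all without running the sample. It is an added example and not code from the original article; the sample bytes are constructed by build_sample() as a tiny stand-in for a malicious PE file, and the hostname, path, mutex name and API list inside it are invented for illustration.

```python
"""Basic static triage of a suspect executable: hashes, the first PE header
fields, and printable strings, without executing or disassembling anything.

Added example, not code from the original article. build_sample() CONSTRUCTS
a tiny stand-in for a malicious PE file; the hostname, path, mutex and API
names inside it are invented for illustration."""
import hashlib
import re
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

# API names worth a second look when they show up in strings output
# (illustrative list, not complete or authoritative).
SUSPICIOUS_APIS = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
                   "URLDownloadToFileA", "InternetOpenUrlA", "WinExec"}
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&]*)?")


def build_sample() -> bytes:
    """Constructed stand-in for a suspect binary (NOT real malware)."""
    e_lfanew = 0x40
    # DOS header: 'MZ' magic, padding, then e_lfanew at offset 0x3C.
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # 20-byte COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F3E1A2B, 0, 0, 0xE0, 0x0102)
    body = (
        b"\x00" * 16
        + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00"
        # second NUL stops the wide-string regex swallowing the "p\x00" ending the URL
        + b"http://update.example-c2.test/gate.php\x00\x00"
        + "C:\\Users\\Public\\svc.exe".encode("utf-16-le")
        + b"\x00\x00Mutex_7a1f\x00"
    )
    return dos + b"PE\x00\x00" + coff + body


def hashes(data: bytes) -> dict:
    """The identifiers used to look the sample up in threat-intel sources."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header fields triage usually starts with."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "sections": nsections, "compiled": compiled}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """One report with everything basic static analysis can say about the file."""
    strings = extract_strings(data)
    return {
        "hashes": hashes(data),
        "pe": parse_pe_header(data),
        "strings": strings,
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
    }


if __name__ == "__main__":
    report = triage(build_sample())
    print("sha256 :", report["hashes"]["sha256"])
    print("header :", report["pe"])
    print("urls   :", report["urls"])
    print("apis   :", report["suspicious_apis"])
    for s in report["strings"]:
        print("string :", s)
```

Run against a real file, the same functions give the hash to search in threat-intelligence sources, the compile timestamp and architecture, and the strings from which a first network signature (the hostname and URI here) can be written. The wide-string search matters on Windows samples because paths and registry keys are usually stored as UTF-16LE and an ASCII-only strings pass will not see them.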
(ii) Basic Dynamic Analysis
Basic dynamic analysis techniques involve running the malware and observing its behaviour on the system (processes, files, registry keys and network connections), so as to remove the infection, produce effective signatures, or both.
Before executing the malware, we need an environment that allows us to study it while it runs without damaging our own system or network, typically an isolated virtual machine with snapshots and no route to the production network.
These techniques can be used by people who do not have deep programming knowledge, but they are not effective against all malware: a sample may detect the sandbox, wait for a trigger that never arrives, or simply not execute the code path of interest during the run.
(iii) Advanced Static Analysis
This consists of reverse-engineering the internals of the malware by loading the executable into a disassembler and reading the program instructions to discover what the program actually does.
Since the instructions are what the CPU executes, advanced static analysis tells us what the program would actually do, including code paths that never ran during dynamic analysis.
However, advanced static analysis has a steeper learning curve than basic static analysis and requires specialised knowledge of code construction, disassembly and Windows operating system concepts.
(iv) Advanced Dynamic Analysis
Here a debugger is used to examine the internal state of a running malicious executable: registers, memory, and the arguments and return values of function calls.
Advanced dynamic analysis techniques provide another way of extracting detailed information from an executable, for example by letting the sample unpack or decrypt itself in memory and then inspecting the result.
These techniques are best used to obtain information that is difficult to gather with the other techniques.
We, at Adiroha Solutions, are planning to write further articles, explaining these techniques in depth and also on how to perform them in the most optimized way.
The Three Golden Rules Of Malware Analysis
In general, malware analysis has three golden rules that we should keep in mind while examining programs, both to improve our productivity and to avoid falling into the attacker's trap.
Rule 1:
Do not get too caught up in the details. Most malware programs are too large and complex to understand every detail.
Instead, focus on the key features. When we run into a complex section, we should try to get a general overview before getting stuck.
Rule 2:
Keep in mind that different tools and different approaches are available for different jobs, depending on the requirements.
There is no single approach.
Every situation is different, and the various tools and techniques we learn often have similar or overlapping functionality, so there is usually more than one way to get an answer.
If we don't get lucky with one tool, we try another. If we get stuck, we shouldn't spend too long on any single issue; we should move on to something else.
Try to analyse the malware from a different angle, i.e. with a different approach.
Rule 3:
Remember that analysing malware is a cat-and-mouse game.
As new malware analysis techniques appear, malware authors come up with new techniques to prevent analysis (packing, obfuscation, anti-debugging and sandbox detection, among others).
To become a successful malware analyst, we should be able to recognise, understand and defeat these new techniques, and respond to changes in the art of malware analysis.
Now that we know the different types of malware analysis and the three golden rules, let us take a bird's-eye view of what to do when malware is encountered on our system or network.
Measures against a Malware Attack:
The purpose of malware analysis is to provide the information we need to handle a network intrusion. We should determine exactly what happened and make sure we locate every infected system and file.
When analysing suspected malware, our goal is typically to determine:
i) what a particular suspect binary is capable of,
ii) how it can be detected on our network, and
iii) how to measure the damage it has done and contain it.
After identifying the files that need complete analysis, we should develop signatures to detect infections by the malware.
Host-based signatures, or indicators, are used to detect malicious code on the victim's device.
These indicators do not focus on the characteristics of the malware file itself (such as its hash or name); instead they focus on what it does to the system: the files it creates or modifies, the registry keys it changes, and the mutexes or services it creates.
Network signatures are used to detect malicious code by monitoring network traffic, for example the domains it resolves or the URLs and request formats it uses.
Creating network signatures without malware analysis is possible, but signatures created with the help of malware analysis are far more effective, because they can target the malware's own protocol rather than a single address that the attacker can change.
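To make the difference between host-based and network indicators concrete, here is an added example (not code from the original article) that records both kinds of indicator for a sample and checks them against a host snapshot and a few log lines. The indicator values, hostnames, paths and mutex name are invented, the host snapshot and log lines are constructed, and the DNS and proxy log formats are hypothetical; the point is the structure of the check, not the specific values.

```python
"""Host-based and network indicators derived from analysis, run over
constructed evidence. Added example, not code from the original article;
the indicator values, hostnames, paths and log lines are invented for
illustration and the log formats are hypothetical."""
import re
from dataclasses import dataclass, field


@dataclass
class Indicators:
    """What the sample does to a host and how it talks on the network."""
    file_paths: set = field(default_factory=set)        # dropped files
    registry_values: set = field(default_factory=set)   # persistence entries
    mutexes: set = field(default_factory=set)           # infection markers
    domains: set = field(default_factory=set)           # C2 hostnames
    uri_patterns: list = field(default_factory=list)    # C2 request shapes


# Findings for the constructed sample (not a real malware family).
SAMPLE_IOCS = Indicators(
    file_paths={r"C:\Users\Public\svc.exe"},
    registry_values={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    mutexes={"Mutex_7a1f"},
    domains={"update.example-c2.test"},
    # Beacon shape learned from analysis: /gate.php?id=<8 hex characters>
    uri_patterns=[re.compile(r"^/gate\.php\?id=[0-9a-f]{8}$")],
)


def host_matches(snapshot: dict, iocs: Indicators) -> list:
    """Compare a host snapshot (files, registry values, mutexes) with the IOCs.
    Windows paths and registry keys are case-insensitive, so compare lowered."""
    files = {p.lower() for p in iocs.file_paths}
    regs = {r.lower() for r in iocs.registry_values}
    hits = []
    hits += [("file", p) for p in snapshot.get("files", []) if p.lower() in files]
    hits += [("registry", r) for r in snapshot.get("registry", []) if r.lower() in regs]
    hits += [("mutex", m) for m in snapshot.get("mutexes", []) if m in iocs.mutexes]
    return hits


# Hypothetical log formats: "<ts> <src> query <name>" for DNS and
# "<ts> <src> <METHOD> <url> <proto>" for an HTTP proxy.
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<name>\S+)$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                        r"https?://(?P<host>[^/\s]+)(?P<uri>\S*)")


def network_matches(lines, iocs: Indicators) -> list:
    """Return (kind, source, what) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and m["name"].rstrip(".").lower() in iocs.domains:
            hits.append(("dns", m["src"], m["name"]))
            continue
        m = PROXY_LINE.match(line)
        if not m:
            continue
        host, uri = m["host"].lower(), m["uri"]
        # The URI pattern still fires after the attacker moves to a new
        # domain, which a hostname-only signature would miss.
        if host in iocs.domains or any(p.search(uri) for p in iocs.uri_patterns):
            hits.append(("http", m["src"], host + uri))
    return hits


# Constructed evidence: one host snapshot and a few log lines.
HOST_SNAPSHOT = {
    "files": [r"C:\Windows\System32\svchost.exe", r"C:\users\public\SVC.EXE"],
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
    "mutexes": ["Global\\SomeLegitApp", "Mutex_7a1f"],
}
LOG_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.5 query www.example.com.",
    "2024-05-01T10:00:02Z 10.0.0.5 query update.example-c2.test.",
    "2024-05-01T10:00:03Z 10.0.0.5 GET http://update.example-c2.test/gate.php?id=00c0ffee HTTP/1.1",
    "2024-05-01T10:00:04Z 10.0.0.7 GET http://mirror.example.net/gate.php?id=deadbeef HTTP/1.1",
    "2024-05-01T10:00:05Z 10.0.0.9 GET http://www.example.com/index.html HTTP/1.1",
]

if __name__ == "__main__":
    for hit in host_matches(HOST_SNAPSHOT, SAMPLE_IOCS) + network_matches(LOG_LINES, SAMPLE_IOCS):
        print(*hit)
```

The fourth log line is the reason analysis-derived signatures are worth the effort: the attacker has moved to a different domain, so a signature built only from the hostname seen in one capture would miss 10.0.0.7, while the request format learned from the sample's code still catches it.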
The final goal is to figure out exactly how the malware works and what it attempts to do once it is present on the system.