An Introduction to Malware Analysis

Before getting to the depths of malware analysis, we need to understand what malware is. Malicious software (Malware) are either programs or files that are intended to cause harm to a system and thereby its user. There are different types of malware, be it viruses, worms, Trojan horses, ransomware, or any other spyware.

Malware can be used to carry out various functions like stealing data, encrypting files, deleting data, altering files, or even adding these systems to one huge botnet and monitor them without the user knowing their device is infected. Generally, malware is written by hackers and cybercriminals.

Based on the surface of attack, these cybercriminals follow two types of ideology:

Now that we have a basic understanding of malware, let us have a look at how we can carry out malware analysis and what techniques are to be used in the process.

There are two different types of malware analysis techniques in general. They are: Static Analysis and Dynamic Analysis

Static Analysis is the collection of all the examinations of the malware where we do not actually execute the malware, but try to find out what the malware is trying to do.

Dynamic Analysis is carried out when we actually execute the malware (in a sandboxed environment) and try to figure out the functionality of it.

These two can further be divided into four subcategories.

From Basic Static Analysis, we can determine if the file has malicious content and provide information on its functionality.

It’s quick and straightforward, but it is highly ineffective against any sophisticated malware and might miss important behaviors.

Basic Dynamic Analysis techniques involve the running of malware and observing its behavior on the system. This is meant to remove the infection, to produce effective signatures, or both simultaneously.

Before the execution of the malware, an environment that will allow the study of running malware without damaging our system or network is needed.

These techniques are used by most people who do not have deep programming knowledge. However, they aren't very effective due to the malware.

This analysis consists of the process of reverse-engineering the internals of a malware by loading the executable file into a disassembler & observing the program instructions to discover what the program actually does.

Since instructions are executed by the CPU, advanced static analysis tells us what the program actually would do.

However, the Advanced Static Analysis has a steeper learning curve than that of Basic Static Analysis and hence requires specialized knowledge of code construction, disassembly and concepts of the Windows operating system.

In this, a debugger is used to test the internal state of a running malicious executable file.

Advanced Dynamic Analysis techniques come up with another way of extracting detailed information from an executable file.

These techniques are best used when we try to obtain information, gathering which using the other techniques is difficult.

We, at Adiroha Solutions, are planning to write further articles, explaining these techniques in depth and also on how to perform them in the most optimized way.

In general, malware analysis has three golden rules that we need to definitely keep in mind while carrying out our examination of the programs to improve our productivity and also not to fall prey to the attackers trap.

Do not be too caught up in the details. Most of the malware programs are large and complex to be able to understand every detail.

Instead, focus on the key features. When we run into any complex sections, we need to try to get a general overview before getting stuck.

Have it in mind that different tools and different approaches are available for different jobs according to the requirements.

There is no single approach. Every other situation is different, and
hence the various tools & techniques that we learn will have similar or
even overlapping functionality.

If we don’t get lucky with one tool, we’ll try another. If we get stuck, we shouldn’t spend too long on any single issue; we should move on to something else.

Try to analyze the malware from a different angle, i.e., a different approach.

Remember the point that analyzing a malware is like playing a cat-and-mouse game.

As we have new malware analysis techniques, malware authors come up with new techniques to prevent analysis.

To become a successful malware analyst, we should be able to recognize, understand, & defeat these new techniques, and respond to changes made to the art of malware analysis.

Now that we’ve known different types of malware analysis and the three golden rules, let us have a bird’s eye view on things to be done when a malware is encountered on our system or network.

Malware analysis is to provide the information we need, in order to handle a network intrusion. We should determine what exactly happened & ensure that we locate all the infected data and systems.

When analyzing a suspected malware, our goal will typically be to exactly determine:-

i) what a particular suspect binary is capable of

ii) how it can be detected on our network

iii) how to measure it’s damage and contain it.

After identification of files needing complete analysis, we should develop signatures to be able to detect malware infections. Host-based signatures are used for detection of any malicious code on the victim’s device. Malware indicators do not focus on the characteristics of the malware, rather they focus on what it does to the system. Network signatures are used for detecting malicious code by monitoring the network traffic.

Creating network signatures without malware analysis is possible, but signatures created involving malware analysis are way more effective.

The final motive is to figure out how exactly the malware works & functions that try to execute when present on the system.