What is malware analysis? It’s a useful tool for deciphering the features, intentions, origins, and possible consequences of various forms of malicious software (malware) and code. It entails analysing and studying how each individual sample works, as well as how its code varies from that of other forms of malware. This includes malware found in suspicious files and connections to websites.
Why Malware Analysis Is Important
If you’re a careful Windows user, you might sometimes come across a file with an unusual or suspicious name that you want to investigate. If you’re an ethical hacker or part of an organization’s incident management team, you may be charged with reviewing files to see if they’re legitimate or malicious. In any case, you’ll need a way to distinguish between legitimate and malicious code and software.
There are a few key reasons to perform malware analysis:
- Malware detection — To better protect your organization, you need to be able to identify compromising threats and vulnerabilities.
- Threat response — To help you understand how these threats work so you can react accordingly to them.
- Malware research — This can help you to better understand how specific types of malware work, where they originated, and what differentiates them.
What Is Malware?
Computer scientist John von Neumann is credited with inventing the concept of a self-replicating computer programme. However, according to Scientific American, Bell Labs popularised the theory in the 1950s with the creation of a game called “Core Wars” (which wasn’t published until 1984). Now, decades later, cybercriminals use malware to encrypt files, disrupt networks, and steal data.
Malware is any software that is harmful to your computer, such as worms, viruses, trojans, spyware, and so on. As attackers write increasingly sophisticated programmes to evade detection, finding them remains a challenge. Malware analysis will help you figure out whether a suspicious file is malicious, investigate its origins, processes, and capabilities, and analyse its effect to make detection and prevention easier.
Malware can be spread through a variety of methods, including emails (phishing attacks), USB drives, and downloading software from websites. Attackers use obfuscation techniques to make malware imitate legitimate files or software in order to trick users into installing it. Once malicious software has gained access to a host system, it uses a number of persistence strategies (such as changing system files or inserting malicious code) to stay there until a trigger event initiates the attack.
The Two Types of Malware Analysis Techniques: Static vs. Dynamic
Malware detection can be approached in two ways: static analysis or dynamic analysis. In static analysis the malware sample is analysed without detonating it, while in dynamic analysis the malware is actually executed in a managed, isolated environment.
The distinctions between these two malware detection methods are summarised in the table below:
| Static Malware Analysis | Dynamic Malware Analysis |
|---|---|
| The malware components and properties are analyzed without running the code. | The malware is executed within a virtual environment, and its behavior is observed. |
| Static malware analysis is signature-based, i.e., the signature of the malware binary is determined by calculating its cryptographic hash. | Dynamic malware analysis takes a behavior-based approach to malware detection and analysis. |
| The malware binary can be reverse-engineered by using a disassembler. | The malware binary can be reverse-engineered using disassemblers and debuggers to understand and control certain aspects of the program while it executes. |
| Static malware analysis involves virus scanning, fingerprinting, memory dumping, etc. | Dynamic malware analysis involves observing registry changes, API calls, memory writes, etc. |
| It can be rendered ineffective against unknown or new malware types or in more sophisticated attack scenarios. | It is more effective and provides a higher detection rate than static analysis. |
The Four Stages of Malware Analysis
You gradually learn how to write and read code as you progress. Malware analysis is somewhat similar. It’s a method that involves following a set of pre-determined steps that get more complicated as you advance.
Malware analysis is divided into four levels, each of which is depicted by a pyramid diagram that becomes more complicated as you progress further into the process. We’ll break down each of the four stages of malware detection from the ground up for simplicity’s sake.
Stage One: Fully Automated Analysis
Using detection models created by analysing previously found malware samples in the wild is referred to as automated malware analysis. This is the best approach for processing malware at scale and assessing the impact of a sample on the network infrastructure rapidly.
Cuckoo Sandbox, an open-source automated malware detection framework that can be tweaked to run custom scripts and produce detailed reports, can perform fully automated analysis. There are a plethora of other commercial and free alternatives available on the market.
Stage Two: Static Properties Analysis
Without executing the malware, static properties analysis examines the metadata of a file. This procedure is usually carried out in a separate environment, such as a virtual machine, that is not connected to the internet.
PeStudio is a free tool that you might find useful for this purpose. This tool is intended for automated static properties analysis and detects unusual objects inside executable files. PeStudio displays the file hashes, which can be used to check VirusTotal, TotalHash, or other malware repositories to see whether the file has been examined previously. It can also be used to look at the embedded strings, libraries, imports, and other indicators of compromise (IOCs) and compare any irregular values to those found in standard executable files.
Static properties analysis can, in principle, give a malware researcher a clear idea of whether or not the sample is worth investigating further.
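The checks described above (file hashes for repository lookups, embedded strings, and a sanity check of the executable header) can be scripted. The following is an added example, not code from the original post or from PeStudio; it runs over a constructed byte string that only mimics the shape of a Windows executable (an "MZ" header pointing at a "PE" signature plus a few strings), so every value in it is invented and the URL uses the reserved `.invalid` domain.

```python
import hashlib
import re
import struct

# Constructed sample: a stand-in for a Windows executable. It is NOT a real
# program; it only carries the "MZ" DOS header, a pointer (e_lfanew at offset 60)
# to a "PE\0\0" signature, and a few embedded strings of the kind PeStudio lists.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew -> PE header at 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00"
    + b"\x00" * 20
    + b"kernel32.dll\x00CreateFileA\x00"                 # library and import names
    + b"http://example.invalid/update.bin\x00"          # constructed URL, not a real IoC
    + b"\x01\x02\x03ab\x00"                             # short junk that should not count
)

def file_hashes(data: bytes) -> dict:
    """Return the hashes typically submitted to VirusTotal or similar repositories."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs of at least min_len characters, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_signature_ok(data: bytes) -> bool:
    """Check the MZ header and that e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Patterns an analyst looks at first when scanning the string table.
SUSPICIOUS_PATTERNS = {
    "url": re.compile(r"https?://"),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "dll": re.compile(r"\.dll$", re.IGNORECASE),
}

def flag_strings(strings: list) -> dict:
    """Group strings into categories so irregular values stand out in the report."""
    found = {name: [] for name in SUSPICIOUS_PATTERNS}
    for s in strings:
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(s):
                found[name].append(s)
    return found

def static_report(data: bytes) -> dict:
    """Assemble the static properties an analyst would record before running anything."""
    strings = extract_strings(data)
    return {
        "size": len(data),
        "valid_pe_header": pe_signature_ok(data),
        "hashes": file_hashes(data),
        "strings": strings,
        "flagged": flag_strings(strings),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(static_report(SAMPLE), indent=2))
```

The hashes are the values you would paste into a repository search; the string categories are a starting point for IOC extraction, and a real PE parser (for example the `pefile` library) would go on to read the import table rather than relying on strings alone.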
Stage Three: Interactive Behavior Analysis
In the next step, behaviour analysis, the malware sample is executed in isolation while the analyst monitors how it interacts with the machine and the changes it makes. When a piece of malware detects a virtual environment, it may refuse to execute, or it may be programmed to run only after user interaction (i.e., never in an automated environment).
There are many actions that could raise an urgent red flag, including:
- Adding or changing files,
- Modifying the registry or device configuration, as well as installing new services or processes.
Some malware can attempt to connect to suspicious host IPs that are not part of the environment. Others create mutex artefacts (to preserve operational stability) that stop the same host from being infected multiple times. These results are important signs of a breach of trust.
The following are some of the tools you can use:
- Wireshark for observing network packets,
- Process Hacker for observing in-memory processes,
- Process Monitor for observing real-time file system, registry, and process activity on Windows,
- ProcDot for providing an interactive and graphical representation of all recorded activity.
Of course, you can use any malware detection database to do more research on the new data points you’ve gathered. Similarly, additional network research will reveal information about the malware specimen’s command and control system, the amount and type of data it leaks, and so on.
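The red flags listed above (files dropped in startup locations, autorun registry keys, new services, connections to hosts outside the lab, and mutex creation) can be triaged automatically once the events are exported. Below is an added example, not code from the original post or from Process Monitor; it runs over constructed event rows in a simple CSV layout (process name, operation, path, result) modelled on a Process Monitor export. The mutex row is the kind of event a sandbox report lists rather than something Process Monitor itself records, the process name `evil.exe` is a placeholder, and the addresses are the 10.0.0.0/8 range for the lab and 203.0.113.7 from the documentation range.

```python
import csv
import io
import ipaddress
import re

# Constructed event log (NOT a real capture). Columns follow a Process Monitor export.
EVENTS_CSV = """Process Name,Operation,Path,Result
evil.exe,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk,SUCCESS
evil.exe,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS
evil.exe,RegCreateKey,HKLM\\System\\CurrentControlSet\\Services\\WinHelper,SUCCESS
evil.exe,TCP Connect,10.0.0.5:445,SUCCESS
evil.exe,TCP Connect,203.0.113.7:8080,SUCCESS
evil.exe,CreateMutant,\\Sessions\\1\\BaseNamedObjects\\Global\\x9f2k,SUCCESS
notepad.exe,CreateFile,C:\\Users\\lab\\Documents\\notes.txt,SUCCESS
notepad.exe,RegQueryValue,HKCU\\Software\\Microsoft\\Notepad\\lfFaceName,SUCCESS
"""

# Locations and operations that match the red flags from the text.
PERSISTENCE_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SERVICE_KEYS = re.compile(r"\\CurrentControlSet\\Services\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue"}
# CreateFile also covers plain opens; a fuller triage would check the Desired Access column.
FILE_WRITE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
NET_OPS = {"TCP Connect", "UDP Send"}

# Assumption: the isolated lab lives entirely in RFC 1918 space plus loopback.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_outside_lab(endpoint: str) -> bool:
    """True when an 'ip:port' endpoint points at a host that is not part of the lab."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # hostnames or malformed values are not judged here
        return False
    return not any(ip in net for net in LAB_NETWORKS)

def classify(event: dict):
    """Map one event to a red-flag category, or None when it looks benign."""
    op, path = event["Operation"], event["Path"]
    if op in REG_WRITE_OPS and PERSISTENCE_KEYS.search(path):
        return "registry-autorun"
    if op in REG_WRITE_OPS and SERVICE_KEYS.search(path):
        return "service-install"
    if op in FILE_WRITE_OPS and (STARTUP_DIR.search(path) or SYSTEM_DIR.search(path)):
        return "file-drop"
    if op in NET_OPS and is_outside_lab(path):
        return "external-connection"
    if op == "CreateMutant":
        return "mutex"
    return None

def triage(csv_text: str) -> dict:
    """Group flagged (category, path) pairs by process name."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = classify(row)
        if tag:
            findings.setdefault(row["Process Name"], []).append((tag, row["Path"]))
    return findings

def summarise(findings: dict) -> dict:
    """Count red flags per category across all processes."""
    counts = {}
    for hits in findings.values():
        for tag, _ in hits:
            counts[tag] = counts.get(tag, 0) + 1
    return counts

if __name__ == "__main__":
    result = triage(EVENTS_CSV)
    for proc, hits in result.items():
        print(proc)
        for tag, path in hits:
            print(f"  [{tag}] {path}")
    print(summarise(result))
```

The internal SMB connection to 10.0.0.5 is deliberately left unflagged to show that the "outside the environment" distinction matters; everything the script reports is a lead to confirm by hand, not a verdict.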
Stage Four: Manual Code Reversing
Reverse engineering is the process of creating something from nothing. The code of a malware sample will reveal a lot of information. This method can be used to:
- Shed some light on the malware's logic and algorithms,
- Expose the malware's hidden capabilities and manipulation tactics,
- Provide insight into the command and control communication protocol between the client and the server.
Analysts usually use debuggers and disassemblers to manually reverse the file. Though code reversing is time-consuming, and the skills required to perform it aren't widely available, this phase can yield a lot of useful information.
How to Prevent Malware Infection
Now that we’ve covered how an investigator can examine a malware sample, let’s turn to the precautions you can take to keep your systems safe from malware attacks. Here are a few simple pointers to help you protect your company or organisation:
- Maintain the most recent versions of your systems and software. Installing daily updates and patches for all of your programmes, plugins, and operating system is a good place to start. Furthermore, avoid using legacy applications or obsolete hardware.
- Keep an eye out for social engineering attacks that could compromise your information. Since social engineering attacks are on the rise, it’s important to be careful when handling email, opening files or links on social media sites, communicating with tech support, and so on.
- Use antivirus and anti-malware solutions to scan your systems on a regular basis, and don’t disable your security features (firewall, anti-malware, etc.) just to install or run a programme.
- Use protection best practices such as browsing over secure connections and blocking advertisements, among others. Make sure you’re surfing safely by using a secure connection (i.e., websites that run on HTTPS). By enabling click-to-play for plugins, you can prevent malicious ads from executing automatically: malvertisements are blocked unless you directly click and run them on your computer.
- Make backups of all of your mission-critical data. Back up all of your data on a regular basis and keep at least one copy offsite. If you’re storing your backups online (for website backups), use a third-party service other than your hosting provider. When things go wrong, you’ll have data that you can recover easily to get your company back up and running.
In Conclusion: Final Thoughts on Malware Analysis
Hopefully, after reading this post, you have a better understanding of malware and why it is important to analyse it. Not only have we discussed the various methods malware researchers use to examine these malicious files, but we’ve also discussed how to avoid malware infecting your devices and IT systems in the first place.
Professional attackers are almost always one step ahead of the game, finding ways to avoid detection or exploiting zero-day vulnerabilities. Script kiddies and the uninitiated, on the other hand, are cybercriminals who can be deterred by taking the requisite precautions. We’ll look at a sample of malware in future blog posts and walk you through each of the stages mentioned above. Keep an eye out!