Every organization is keener in investing in security because they don’t want to lose their entire assets by negligence. Most organizations have information security officers who implement policies, model threats, investigate security breaches, etc. The role of a malware analyst is closely aligned to what engineers in security incident management team or forensic investigators do. Now organizations want more people to act as malware analysts in identifying the behavior pattern of the malware and to take preventive measures to protect networks. Malware analysts are usually people with good knowledge of programming and proficient in using tools that are needed to analyze the malicious program. It is a cat-and-mouse game if you are quite interested and if you have the core skills, or else it can be frustrating waste of time.
Any software that does something that causes harm to a user, computer, or a network can be considered malicious software or malware. Malware plays a part in most computer intrusions and security incidents. Different types of malware, such as viruses, Trojan horses, worms, rootkits, spyware, and scareware, have different architectures, and behaviors and may also have specific goals for each of them. Malware analysis helps in understanding a malware fully, how to identify it, how it works, and, most important, how to eliminate it.
Malware authors develop malware with a specific goal in mind, which implies that the architecture inside malware will be much complicated and also it may possess high sensitivity. Any mistake while dissecting a particular malware to analyze its behavioral aspects may end in a harmful situation. In this scenario, a well-planned, systematic approach to analyzing malware will make its way to the safe end. Moreover, the outcome will be much more precise and much more informative.
A systematic approach may involve different steps, such as building a safe environment to run the malware, analyzing the malware statically by reverse engineering with the help of a disassembler, analyzing the malware dynamically using a debugger to examine the internal state of a running malware, and more. A strategic analysis needs to be used for sophisticated malware while disassembling, debugging, or packing techniques.
Malware Analysis Division
Malware analysis may be divided into three types:
- Surface analysis
- Static analysis
- Dynamic analysis
The time consumed to carry out these analyses may be different and the amount of information retrieved after the analyses also differs between each of them.
Before we go on the malware analysis part, I want everyone to be proficient in virtualization.
A virtual machine is like a computer inside a computer. Let’s say you want two or more operating systems running on your computer at the same time: How it is possible? Only via virtualization. The operating system (OS) that you install over the base OS is called the guest OS and the base OS is called host OS. Many virtual machines are available right now in the market. Some of the most popular are VMware, Oracle Virtual box, Microsoft hyperv, etc.
A guest OS is installed within the host OS on a virtual machine and the OS running on the virtual machine is kept isolated from the host Operating System. So malware running on a virtual machine cannot harm the host OS. And if the malware damages the virtual machine, you can simply reinstall the OS in the virtual machine or return the virtual machine to a clean state.
Running and analyzing malware using VMware and virtual machines involves the following steps:
- Start with a clean snapshot with no malware running on it.
- Transfer the malware to the virtual machine.
- Conduct your analysis on the virtual machine.
- Take your notes, screenshots, and data from the virtual machine and transfer it to the physical machine.
To analyze malware, we usually need to run it to observe its behavior. When running malware, we need to analyze it in an isolated environment so that we are careful not to infect any computer or networks. Oracle Virtualbox allows us to run malware in a safe, controllable environment, and it provides the tools we need to clean the malware when you have finished analyzing it.
Surface analysis is usually the first stage of the malware analysis process; it is almost always carried out. A surface analysis consists of opening the sample and quickly searching for information in the sample file without executing it. Information like strings can provide significant of information. Surface analysis also includes running scanner programs on the sample to detect whether they can provide any information. Anti-virus programs and online scanners may recognize a signature and be able to disclose some information on the sample.
|Antivirus scan||Virus total|
|Executable packer detector||PEiD|
|Web search||Firefox or IE|
Virustotal and virus jyoti are some of the best tools to do an AV scan on the reported file. The output of the scanning will result in the MD5 and SHA values of the file.
Basic Static Analysis
Basic static analysis consists of examining the executable file without viewing the actual instructions. Static analysis is ineffective against some malware and it can miss some important behavior. Static analysis on all malware is not highly recommended. However, it is quick and easy to perform. By doing static analysis one can find out the functionality of the program, can confirm whether a file is suspicious, and can determine the attributes of malware if you want to create an IOC (Indicator of compromise) or MAEC.
Advanced Static Analysis
Advanced static analysis comprises reverse-engineering the malware’s internals by loading the executable into a disassembler and looking at the program instructions in order to discover what the program does. The instructions are executed by the CPU, so advanced static analysis tells you exactly what the program does.
Basic static analysis in practice
- Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware (a sort of fingerprint). The message-digest algorithm 5 (MD5) hash function is the one most commonly used for malware analysis, though the secure hash algorithm 1 (SHA-1) is also popular. There are different websites available where we can search whether a particular file is malicious based upon the hash value (threat expert).
- A string in a program is a sequence of characters either as a literal constant or as some kind of variable. By examining the string value of a malware program, we can simply get hints about the functionality of that program. A hexadecimal editor can be used for this.
- Legitimate programs almost always include many strings. Malware that is packed or obfuscated contains very few strings. One way to detect packed files is with the PEiD program. You can use PEiD to detect the type of packer or compiler employed to build an application, which makes analyzing the packed file much easier.
Static Analysis and Reverse engineering
Static analysis is often referred to as reverse engineering. Reverse engineering is the opposite of engineering, disassembling a product instead of creating it. Static analysis involves examining the machine code of the binary sample in order to further discover functionality . The sample is not executed to monitor behavior; it is the machine code in the binary file that is examined. Static analysis is code analysis. The advantage is that static analysis is safe. The sample is never really executed uncontrolled and hence cannot create any damage or do anything unintended by the analyst
The disassembler consists of a GUI, where we can load the malware executable. Examining the assembly codes obtained we can analyze the static behavior of the given executable.
Advanced Static Analysis Steps
A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. IDA Pro is a widely used disassembler. Analyzing malware statically involves different steps:
- When we load the file (such as a pe file) or other executable into the disassembler, the program maps the file into memory as if it had been loaded by the operating system loader.
- IDA Pro will disassemble an entire program and perform tasks such as function discovery, stack analysis, local variable identification, etc.
- In the disassembler interface, the “Functions” window shows all functions in the executable and the length of each; the “Names” window lists every address with a name, including functions, named code, named data, and strings; and the “Strings” window shows all strings. By default, this list shows only ASCII strings.
- The “Imports” window lists all important files and the “Exports” window lists all the exported functions for the file.
- During analysis of the code after disassembly, navigation can be carried out using links within the assembly window and the cross-references feature.
- Functions can be analyzed using the disassembler, which allows one to recognize functions, label them, and break down the local variables and parameters.
- After analyzing every code and all functions within the assembly window, we can rename the locations that are meaningless and some meaningful ones. This will also help ensure that you reverse-engineer a function only once.
Basic dynamic analysis
Basic dynamic analysis techniques involve running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both. However, before we can run malware safely, we must set up an environment that will allow you to study the running malware without risk of damage to your system or network.
Advanced dynamic analysis
Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable. Advanced dynamic analysis techniques provide another way to extract detailed information from an executable.
Basic dynamic analysis in practice
Basic dynamic analysis is typically performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques. It can involve monitoring malware as it runs or examining the system after the malware has executed. Unlike static analysis, dynamic analysis lets you observe the malware’s true functionality. Common techniques followed in dynamic analysis:
- A sandbox is a security mechanism for running entrusted programs in a safe environment without fear of harming “real” systems.
- Process monitor, or promo, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.
- Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots to use Regshot for malware analysis.
Malware often tries to connect to the command and control server eventually. We can create a fake network with indicators such as ip addresses, dns names, and packet signatures. To fake a network successfully, you must prevent the malware from realizing that it is executing in a virtualized environment.
- ApateDns is a tool used to view the DNS requests made by a malware. It also helps to spoof the DNS requests to a user-specified IP address and responds to the DNS requests.
- Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic. Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets.
- INetSim is the best free tool for providing fake services, allowing you to analyze the network behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP, and others.
Basic analysis using tools
- Running procmon and setting a filter on the malware executable name and clearing out all events just before running.
- Starting Process Explorer.
- Gathering a first snapshot of the registry using Regshot.
- Setting up our virtual network to our liking using INetSim and ApateDns.
- Setting up network traffic logging using Wireshark.
A debugger or debugging tool is a computer program that is used to test and debug another program (the “target” program). There are two types of debugging: Source-level debugging and assembly-level debugging. Assembly-level debugging is widely used by malware analysts because they do not require access to a program’s source code. There are two ways to debug a program. The first is to start the program with the debugger. When you start the program and it is loaded into memory, it stops running immediately at the execution of the entry point. At this point, we have complete control of the program. We can also attach a debugger to a program that is already running. All the program’s threads are paused and you can debug it. This is a good approach when you want to debug a program after it has been running or if you want to debug a process that is affected by malware. While using a debugger, to examine each code instruction of the executable and to take control over the debugger, we use the single-stepping and step-into features in the debugger, which allow us to examine each and every instruction in the code and the functions called by them.
Breakpoints are used to pause execution to allow you to examine a program’s state. Breakpoints are needed because you can’t access registers or memory addresses while a program is running, since these values are constantly changing. If we are unable to find where a function is called from an instruction, we can set a breakpoint at the instruction. Thus the execution stops at the enabled breakpoint and the debugger will show you the destination of the function clearly.
Exceptions are another way of taking control over the debugger. When non-debugging issues like invalid memory access and division by zero, exceptions take control. But exceptions can also be used to govern the flow of execution in a normal program without involving a debugger. There are two opportunities for a debugger to handle exceptions, the first-chance and second-chance exception. Analysts should decide when to handle the exceptions. Debuggers can be used to change program execution. You can change the control flags, the instruction pointer, or the code itself to modify the way the program runs.
Advanced dynamic analysis steps
While doing a dynamic malware analysis, the steps taken to run the executable and analyze it should be carried out in a systematic way with careful steps. Ollydbg, a common debugger, provides the ability to analyze malware while it is running.
- The initial step will be loading a malware executable in the debugger.
We can also attach the debugger to a running process by selecting the process and attaching the debugger, which will stop execution of the current code and display it in the window. On the interface of the debugger, the disassembler window shows the debugged program’s code, the register window shows the current state of registers for the debugged program, the stack window shows the current state of the stack in memory for the thread being debugged, and the memory dump window shows the dump of the live memory for the debugged programs. The following points need to be understood carefully.
The Memory Map window displays all memory blocks allocated by the debugged program. After executing the loaded executable, we can go through each instruction in the debugged program by stepping, which refers to the concept of executing a single instruction and then immediately pausing execution afterward, allowing you to track the program instruction by instruction.
Breakpoints are used to pause execution and allow you to examine a program’s state. DLLs cannot be executed directly, OllyDbg uses a dummy program called loaddll.exe to load them.
Tracing is a debugging technique that records detailed information of the execution for us to examine.
When an exception occurs while OllyDbg is attached, the program stops executing and the debugger is given control first. The debugger can handle the exception or pass it to the program. OllyDbg will pause execution when the exception happens, and we can decide to pass the exception to the program. OllyDbg makes it easy to modify live data, such as registers and flags. It also enables you to assemble and patch code directly into a program, which may be called patching. A good reverse engineer can unlock a software without paying a single penny from his pocket.
|Process and disk monitoring||
|Controlled execution of sample||OllyDbg|
|Dump process strings in memory||
Malware authors are inventing new ways to mess with malware analysis techniques every day. The persistence of the analysts makes the analyses effective in any scenario. The malware authors frequently implement new malware with a specific goal; carefully analyzing the nature of malware and systematically undergoing the analyzing procedures and techniques with legitimate tools will surely result in a good outcome. These outcomes directly or indirectly help or protect the entire network and our resources and even user privacies all over the world. This article cites the working model of malware analysis in brief by describing common techniques used by malware analysts. Most of the models are taken from the book Practical Malware Analysis by Michael Sikorski. It is highly recommended to read the following references, as this remains a bible for those who do Malware analysis.
- Practical Malware Analysis by Michale Sikorski and Andrew Honig
- Malware Analyst Cookbook by Michael Hale Ligh Steven Adair
- IDA Pro Book by Chris Eagle
- Network Forensics by Sherri Davidoff