Malware analysis is a very interesting topic, one that will continue to evolve in size, density and specialization. It is also intellectually challenging. One goal of this activity is to analyze malware in order to determine its actions and gain insight into its behavior and inner workings by studying its code. By doing this we can find answers to pertinent questions such as:
- What are the malware capabilities?
- What is the worst it can do?
- Which indicators of compromise (IOCs) could be used to identify this malware in motion (network), at rest (file system) or in use (memory)? These IOCs can then be used across our defense systems.
- What tactics, techniques and procedures (TTP) are used?
- Which category does it fall into, i.e., criminal, commodity malware or targeted attack?
To find answers to these and other questions there are several processes, procedures and tools. One well established process is called dynamic or behavioral analysis. This process consists of executing the malware specimen in a safe, secure, isolated and controlled environment in order to determine its actions, its behavior and how it interacts with the host system at the network, file system, registry and other levels. The instruments used during this process allow us to gain a better understanding of the malicious code and its capabilities, and are mainly based on monitoring and capturing system changes at the network, memory and I/O level, among others. Different tools exist to accomplish this. The choice of tool depends on the operating system the malware runs on, individual experience and preference, and company culture. One great toolbox is the REMnux Linux distro, which brings together a large number of tools for analyzing malicious executables. Among other things it can also emulate a variety of network services that assist during behavioral analysis.
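The "capture system changes" idea behind behavioral analysis can be shown in miniature with a file-system snapshot diff: hash every file before the specimen runs, hash again afterwards, and classify what was added, modified or deleted. The script below is an added example written for this post, not a tool from the original text or from REMnux; it works on a constructed throwaway directory, and the "specimen" actions between the two snapshots are simulated file writes, labelled as such in the comments. The same before/after technique is what registry and process monitors apply to their respective views of the host.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every change between two snapshots taken with snapshot()."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict:
    """Run the before / act / after cycle against a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Constructed baseline contents (nothing here is a real artifact).
        (base / "config.ini").write_text("timeout=30\n")
        (base / "readme.txt").write_text("unchanged\n")
        (base / "stale.log").write_text("old log\n")
        (base / "sub").mkdir()
        (base / "sub" / "data.bin").write_bytes(b"\x00" * 16)

        before = snapshot(root)

        # Simulated specimen behaviour: in real use the analyst would execute the
        # sample in the isolated environment at this point, then snapshot again.
        (base / "sub" / "dropped.dat").write_bytes(b"MZ\x90\x00")
        (base / "config.ini").write_text("timeout=30\nautostart=1\n")
        (base / "stale.log").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

Hashing content rather than comparing timestamps means a file rewritten with identical bytes is correctly reported as unchanged, and a file touched only in metadata does not produce noise; the trade-off is that a snapshot of a large tree takes time, which is why the monitored directories should be chosen deliberately.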
Another process is called static or code analysis and consists of analyzing the code or structure of the executable to determine its function. In contrast to behavioral analysis, static analysis does not execute the malware. Static analysis is normally a much more complex process that requires understanding of several techniques, ideally supported by knowledge of operating system internals and software development. This process might consist of disassembling, debugging and decompiling the executable. Different tools exist to assist this process, and it might take you into complex topics such as unpacking and decrypting. As such it might be overwhelming to find the needle in the haystack when going through these techniques. You might want to focus on the execution flow and code blocks: where does it start, what does it call? That is a good way to start shaping an understanding.
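Before disassembling anything, a first static pass over the file already yields at-rest IOCs (the hashes asked for above) and hints about whether unpacking lies ahead. The script below is an added example written for this post, not code from the original text: it computes file hashes, extracts printable strings, matches them against a hypothetical watch-list of API names, pulls out URL-looking strings, and measures Shannon entropy per chunk, since a region close to 8 bits per byte is a common sign of packed or encrypted content. The input is a constructed byte string standing in for a file on disk (an "MZ" stub, a few strings and a high-entropy tail); it is not a real executable, and the 7.2 entropy threshold is a rule of thumb, not a standard.

```python
import hashlib
import math
import re

# Constructed stand-in for a file read from disk. NOT a real executable:
# an "MZ" stub, a DOS-mode string, a few API names, a URL, and 2048 bytes
# of uniformly distributed data imitating a packed section.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/update.php\x00"
    + bytes(range(256)) * 8
)

# Hypothetical watch-list: API names that warrant a closer look during triage.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "URLDownloadToFileA", "RegSetValueExA",
}

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def file_hashes(data: bytes) -> dict:
    """Hashes are the simplest at-rest IOC: other systems can match the exact file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (what the `strings` tool prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0; values near 8 suggest packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, size: int = 256) -> list:
    """(offset, entropy) per fixed-size chunk, so a high-entropy region can be located."""
    return [(off, shannon_entropy(data[off:off + size]))
            for off in range(0, len(data), size)]


def triage(data: bytes) -> dict:
    """Collect the quick static indicators an analyst records before deeper work."""
    strings = extract_strings(data)
    max_entropy = max(e for _, e in chunk_entropies(data))
    return {
        **file_hashes(data),
        "string_count": len(strings),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [m.group().decode("ascii") for m in URL_RE.finditer(data)],
        "max_chunk_entropy": round(max_entropy, 3),
        "possibly_packed": max_entropy > 7.2,  # rule of thumb, tune per file type
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>18}: {value}")
```

Per-chunk entropy is deliberately used instead of a single whole-file value: a packed payload appended to an otherwise ordinary binary can leave the overall average unremarkable while one region still reads close to 8 bits per byte, and the chunk offsets tell you where to look when you move on to unpacking.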
So, which process should I use? Which tool should I execute first? There is no right or wrong answer! Several approaches exist, and a combination of both processes is normally used. Start step by step in an incremental and controlled fashion. Use more than one tool to substantiate evidence. Use the internet, books and research papers to help you gather knowledge about operating systems, networking, programming and security. How well you are educated in these topics will assist you during malware analysis. Jump from the behavioral analysis process to static code analysis and vice versa in order to move forward. If you get stuck, don't give up!
As you look at more samples and handle the tools better, you slowly train yourself to determine what is normal and what is unusual. Soon you start recognizing differences and deviations from the norm. Whether you are doing malware analysis as part of a forensic analysis, incident response or just for fun, this is a fascinating journey!
For further reference you may want to look into the following books: Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, Practical Malware Analysis, and Malware Forensics: Investigating and Analyzing Malicious Code. More formal training is available from SANS with the GREM course authored by Lenny Zeltser. Free resources include Dr. Fu's Security Blog with its malware analysis tutorials, and the Binary Auditing site, which contains free IDA Pro training material. Finally, the malware analysis track on the Open Security Training site is awesome. It contains several training videos and materials for free!