Malware Analysis

Jonathan Trull, Chief Information Security Officer

Malware, short for malicious software, is software intended to damage or disable a computer system or to perform unwanted actions on it. Malware has become the scourge of the Internet and plays a role in most computer intrusions and security incidents. According to an independent German security research institute (http://securityaffairs.co/wordpress/32352/malware/av-test-statistics-2014.html), security experts identified 143 million new malware samples in 2014, roughly 12 million new variants per month.

Malware analysis is the process of dissecting malware to understand how it works and how to defeat and eliminate it. The primary goal of malware analysis is to develop signatures that detect the malware and stop it from causing harm. Analyzing a sample leads to one of the following two types of signatures:

  • Host-based signatures – indicators used to detect malicious code on a computer system. These typically include the MD5 hash of the malicious binary, processes spawned by the binary, files created or modified, and changes made to the registry.
  • Network signatures – indicators found in network traffic, such as attempts to contact domain names or IP addresses of known command and control servers, or illegal TCP flag combinations.

There are two fundamental approaches to malware analysis: static and dynamic. Static analysis studies the malicious binary without running it, while dynamic analysis does the opposite: it learns about the malware by running it in a safe, isolated environment.

For basic static analysis, several techniques yield valuable results for most malware. One technique is to submit the malware to a website such as VirusTotal (http://www.virustotal.com). VirusTotal aggregates the signatures of many commercial anti-virus vendors and offers the best chance of identifying the malware if someone else has already analyzed it. Next, obtain the hash of the binary by running it through a hashing program. The hash lets you and others uniquely identify the malware; once you have it, search online to see whether someone else has already identified the sample. Next, although most binary files are not human-readable, they do contain strings (runs of readable text) that may hint at what the malware does on the system. The best way to find them is the Strings utility included in Microsoft's Sysinternals suite. Finally, search the binary for the libraries and functions it imports; again, these may reveal the purpose of the malware.
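The hash, strings and indicator steps above, as an added Python example that is not part of the original post: it computes the MD5 and SHA-256 of a sample, pulls out ASCII and UTF-16LE strings the way Sysinternals Strings does, lists DLL names seen among them as a rough hint at imported libraries, and sorts URLs, IP addresses and domain-like names out of the strings as candidate network signatures. The `SAMPLE` bytes are constructed for illustration and are not a real binary; the function names and the small file-extension deny list are this example's own choices.

```python
"""Basic static triage of a suspect binary: hashes, strings, network indicators."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for a malicious binary (not a real file): a DOS header
# fragment, some ASCII strings, binary noise, a UTF-16LE string and an IP.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://update.example-c2.test/gate.php\x00"
    + b"\x01\x02\xff" + b"ab"
    + "cmd.exe /c ipconfig".encode("utf-16-le") + b"\x00\x00"
    + b"203.0.113.7\x00"
)

# File extensions that make a dotted name a filename rather than a domain
# (a heuristic chosen for this example).
NOT_DOMAIN_EXT = {"dll", "exe", "sys", "ocx", "php", "txt", "log", "dat"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """MD5 (the classic host-based signature) and SHA-256 of the sample bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len characters,
    roughly what Sysinternals Strings reports with its default settings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text looks like: char, NUL, char, NUL, ...
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def library_hints(strings: list) -> list:
    """DLL names appearing as strings: a rough hint at imported libraries.
    (Reading the real import table needs a PE parser, which this example skips.)"""
    return sorted({s for s in strings if s.lower().endswith(".dll")})


def network_indicators(strings: list) -> dict:
    """URLs, IPv4 addresses and domain-like names seen in the strings; each is a
    candidate network signature that still needs analyst confirmation."""
    urls, ips, domains = set(), set(), set()
    for s in strings:
        ips.update(IPV4_RE.findall(s))
        found_urls = URL_RE.findall(s)
        urls.update(found_urls)
        for u in found_urls:
            host = urlparse(u).hostname
            if host and not IPV4_RE.fullmatch(host):
                domains.add(host)
        if found_urls:
            continue  # host already taken from the URL; skip its path (e.g. gate.php)
        for d in DOMAIN_RE.findall(s):
            if d.rsplit(".", 1)[-1].lower() not in NOT_DOMAIN_EXT:
                domains.add(d.lower())
    return {"urls": sorted(urls), "ips": sorted(ips), "domains": sorted(domains)}


def triage(data: bytes) -> dict:
    """Run the whole basic static pass over one sample."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "strings": strings,
            "libraries": library_hints(strings),
            "network": network_indicators(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Computing and searching the hash before uploading anything means a sensitive sample is not shared with a public service unnecessarily. The API names that show up in the strings output (here `CreateRemoteThread` and `WriteProcessMemory`) are the kind of thing the post's "imported functions" step looks for; to read the actual import table rather than guess from strings, use a PE parser such as the `pefile` library. Domain matching on raw strings is noisy, so treat the `domains` list as leads to review, not as a finished signature.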

Now, let us briefly turn to dynamic analysis. The first step is to create a safe environment in which to run the malicious code. For most purposes, this means setting up a virtual machine and taking a snapshot of it before running the malware; once the run is finished, you can easily revert the machine to a clean state. Then, using tools like Process Explorer and Regshot, run the malware and identify the changes it makes to the test system: new processes spawned, system files written or modified, and, on a Windows machine, changes to the registry. These changes provide the clues needed to determine what the malware is doing and, ultimately, to develop a signature to identify and remove it.
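The snapshot-and-compare step described above, as an added Python example that is not part of the original post: it records a hash and size for every file under a directory before and after a run and reports what was created, modified and deleted, which is the file-system half of what Regshot does (Regshot also diffs the registry). The directory layout and the `simulated_run` function are constructed stand-ins for a test VM and for the sample's behaviour; in real use the second snapshot is taken after the malware itself has run.

```python
"""Snapshot a directory tree before and after a run and diff the two states."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map every file under root (as a relative POSIX path) to (sha256, size)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files created, deleted, or whose hash/size changed between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulated_run(root) -> None:
    """Constructed stand-in for executing the sample: drops a new file, rewrites
    a 'system' file and removes a log. Not real malware behaviour, just a demo."""
    root = Path(root)
    (root / "System32" / "dropper.tmp").write_bytes(b"placeholder-payload")
    (root / "System32" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.7 update.example-c2.test\n")
    (root / "Logs" / "setup.log").unlink()


def demo() -> dict:
    """Build a tiny constructed 'system' in a temp dir, snapshot, run, snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "Logs").mkdir()
        (root / "System32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Logs" / "setup.log").write_text("ok\n")
        before = snapshot(root)   # taken before the sample runs
        simulated_run(root)       # the sample would be executed here
        after = snapshot(root)    # taken once the sample has finished
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing file contents rather than comparing timestamps catches modifications that preserve a file's size and date. Each path in the `created` and `modified` lists is a candidate host-based indicator of the kind listed earlier in the post; the VM snapshot taken before the run is what lets you discard all of these changes afterwards.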

Basic static and dynamic analysis will equip you to deal with most types of malware. Some malware, however, requires advanced skills, but that topic is best left for another blog post.

Are you interested in learning more about information assurance? Request more information or call 877-820-0581.