The different types of Malware Analysis
What is a Malware?
A Malware is an executable with an malicious functionality. Malware is generally any code that performs malicious activity, i.e, any software that does something that causes harm can be considered malware.Malware can be further classified into various types like virus, trojan, worm, rootkit, ransomeware, etc, based on their origin & functionality.
What Is Malware Analysis?
Malware analysis is the process of determining the purpose and functionality of a given malware sample. Malware analysis equips us with the understanding on how the malware functions, how to identify the malware and how to eliminate it.
Why Malware Analysis?
Malware analysis can be conducted with various objectives in mind.
- To understand the capabilities of the malware
- Determine how the malware functions
- Asses the intrusion damage
- Identify indicators that will helps us determine other infected machine by the same malware and the level of infection in the network
- Help us identify if the malware is exploiting any vulnerability or on how it is persisting on the system
- Determine the nature & purpose of the malware
- To understand who is targeting & how good they are.
- To understand what information did they steal.
Malware analysis types
There are basically 2 types of malware analysis :
A basic static analysis is analyzing software without executing it. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviour.
Advanced static analysis consists of reverse-engineering the malware binary by loading the executable into a disassembler like Ollydbg or IDA to get assembly language source code from machine-executable code, we then look at the program to discover what the program does.
Some of the techniques use in static analysis is determining file type, strings encoded in the binary file, Check for file obfuscations in order to determine if the file has been packed or determine if they have used any cryptors), Hash and comparison, checking hash against multiple AV database.
Dynamic analysis techniques involve running the malware and observing its behaviour on the system, where the system is setup in a close and isolated environment. Dynamic analysis help us in order to remove the infection, produce effective signatures, or both. The lab environment is the totally isolated and if the malware is sending any network requests and is expecting an response, the response is usually simulated.
Dynamic analysis usually focuses on the following activities, file system , Registry, process, network and system calls.
In investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer’s hard drive, the memory of the computer must be analyzed for vital information.Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer.
Steps in memory Forensics
a) Memory Acquisition — This step involves dumping the memory of the target machine. On the physical machine you can use tools like Win32dd/Win64dd, Memoryze, DumpIt, FastDump. Whereas, on the virtual machine, acquiring the memory image is easy, you can do it by suspending the VM and grabbing the “.vmem” file.
b) Memory Analysis — Once a memory image is acquired, the next step is to analyze the grabbed memory dump for forensic artifacts, tools like Volatility and others like Memoryze can be used to analyze the memory
Memory forensics helps us to gather the following information
- List of all past and current network connections
- List of all running process
- List of DLL’s loaded
- Keystrokes entered
- Unpacked / Uncrypted version of the malware file
- list open files associated with a process
- list open registry keys associated with a process
- Kernel Modules
- Code injection
- Rootkit detection
- Detect hidden artifacts
Our Cyber security specialist Sajan would be conducting two full day hands-on training on “Malware Analysis & Memory Forensics” at Black Hat Asia (Singapore) on March 28th & 29th.
Stay tuned to this space for more information.