Malware Analysis- The art of understanding malware

Man vector created by Sentavio

So by now, you guys might have heard about the malware, virus, trojan horse, worms, spyware and all the scary and too cool to handle stuff (Spoiler Alert: malware is not cool to handle xD). So let us begin with the basics when I say malware it can be anything from malicious software to suspicious PDF that some random creep sent you. There are types of malware starting from the most accustomed word “Virus”, Worm. Ransomware, Spyware, Trojan Horse, Adware let me also give you a brief meaning of what they actually are…

1. Virus- Malicious software that needs the help of the user to execute, propagate and infect a system.
2. Worm- Malicious software that doesn't need help from the user to propagate and infect the system and network.
3. Ransomware- Malicious software that encrypts all your data/files so that you have to pay some ransom to the attackers to access or decrypt your files.
4. Spyware- Malicious software that logs all your activity and sends it to the attacker.
5. Trojan Horse- Malicious Software that behaves like legitimate software tricking you to think it is legit software. (y’all better be careful next time when you try to download movies from shady websites.)
6. Adware- Malicious Software once installed shows unnecessary pop-ups/advertisements on your screen which you will hate.

Now you guys might be wondering about these questions right?

1. Why does anyone need to perform Malware Analysis?
2. What does anyone conclude or find after malware analysis?

Why Malware Analysis? When malware is developed, malware authors sophisticate the malware such that it is hard to detect and be as silent as possible and once the malware is found one can further detect and avoid similar malware in the future by understanding the malware and how it is functioning by doing Malware Analysis and then using the data from the Malware Analysis in their detection and protection services.

What does one conclude by performing malware analysis?

1. Malware’s propagation and infecting methods
2. Anti-virus and Defensive software evasion
3. What vulnerability/zero-day is being used to exploit.
4. Changes made to the device
5. How persistence being attained
6. Command & Control communications
7. The possible information about who might be the malware authors

And once the information that we get after analysis will be used to feed the data into our Anti-virus/Defense solutions, patch the vulnerabilities that have been exploited to mitigate further similar attacks.

Malware Analysis can be classified into 2 types 1) Static Analysis 2) Dynamic Analysis. To understand the malware completely and use it further individual needs to perform both Static and Dynamic Analysis as it gives you the big picture and helps you with countering similar attacks in the future.

Static Analysis: The analyst doesn't need to execute the malware but use decompilers and disassembles such as IDA, Ghidra(a free tool by NSA) etc… and look into functions being used and libraries that will be loaded into the executable. There is a difference between decompilers and disassemblers such as Decompiler give you the executable code in a high-level language such as x86 Arch while disassemblers do the same as decompilers but it also gives you executable in a low-level language such as C and C++ snippets.

Most of the times malware authors obfuscate or pack their executable to make static analysis harder for the analyst to perform. This debugger would be attached to the malware and the analyst will study it by running and setting breakpoints for the executable.

Tools: IDA-Pro, Ghidra, x32 &x64 debugger, ILSpy, DNSpy, dotPeek.

Packer information: DiE(Detect-it-Easy), PEstudio, PEview.

Data collected from Static Analysis:

1. If the malware is packed/obfuscated or not.
2. Libraries and functions being used.
3. Exploit being used or vuln being abused.
4. Can sometimes provide master key/imp info hardcoded in the executable.

Dynamic Analysis: The analyst lets the malware execute in an isolated environment know as a sandbox where every process and every system call is logged and monitored and capturing communications being made by the malware to it C2 Command & Control.

Data collected from Dynamic Analysis:

1. Registry key changes done to maintain persistence.
2. Scheduled Tasks being added.
3. How malware is starting its process to infect and if it's attaching to any known processes.
4. How the vuln is being exploited to gain privilege or persistence.
5. How and who does the malware communicate after being deployed like contacting C2, and what the remote attacker is doing with C2.

But the dynamic analysis does provide more information than these as we change from windows to Linux malware. By performing Dynamic analysis one can find the true IoC’s(Indicator of Compromise) which help in countering and detecting similar malware in the wild. These IoC’s can be anything from the Registry key changes, change of file extension, new users with Administrator privileges, Connection from a system to blacklisted IP and many more.

So, how is this data used in future? Once both static and dynamic analysis is completed individual maps the attack procedure to ATT&CK matrix and uses the mapping for future threat intel and if possible can find the Nation backed malicious actor APT’s. Malware that has been executed offline sometimes behaves differently than that of being online like one kind of ransomware executed offline stored the key of decryption in the devices volatile memory for which security researchers were able to make a tool that extracts the decryption keys from the memory to decrypt without actually paying the malicious actor. In some cases, malware authors hardcode their important details which can be used to bring down the malware or sometimes find the malware author.

One such case is the story of Marcus Hutchins one who brought down one of the worlds worst-hit ransomware WannaCry ransomware with infecting more than 2,30,000 devices globally and disrupting the entire UK Hospitals infrastructure. In May 2017 WannaCry ransomware started to infect UK hospitals and it grew infected a lot faster than traditional ransomware while exploiting a patched zero-day windows vulnerability of SMBv1 also known as EternalBlue(exploit developed by NSA). As Marcus Starts to do the static analysis he finds an accidental kill switch to the ransomware which a domain where malware is communicating after seeing this Marcus finds the domain to be not registered and he buys the domain and then he created a sinkhole for the malware from spreading further. To this day we can Marcus might have saved the internet for us by simple static analysis of the WannaCry Ransomware. This month i.e. Feb 2021 DoJ (Dept of Justice) has released an arrest warrant against malware authors of WannaCry for fraud and damage of almost $1.3 Billion.

But one might start thinking this is easy and cool to do the malware analysis but let me say this at the start Malware Analysis has a “Honeymoon period” as it looks and feels easy as you might not be dealing with sophisticated malware or simply practising on known malware that has already been analyzed. But once you found the malware in the wild, It is difficult to analyze as nowadays are implementing Anti-analysis features like detect if the malware is being run on sandbox, disassemblers, PE studio or event logging tools.

But with this Analyzing malware requires experience, patience and a lot of understanding about Dynamic-link libraries, x86 assembly language if needed, messing with debuggers and many more…

Malware Analysis holds an important part in cybersecurity for defence and mitigation as it’s peer spectrum and with more and more sophistication of malware we might fall behind to detect, understand and mitigate malware in the future. But with proper investment and training from organizations, we can counter it effectively.

Thanks for Reading. Stay tuned for more ❤

Connect with me on Twitter @krihnasai_456. Feedback is much appreciated ❤