Malware analysis is a practical process for identifying and assessing threats — here’s a quick explanation of the malware analysis process and how it works
What is malware analysis? It’s a practical way of understanding the individual functions, purposes, origins and potential impacts of different types of malicious software (malware) and code. It involves assessing and learning how each specific sample functions and how its code differs from other types of malware. This includes malware that’s contained within suspicious files and website links.
In this article, we’ll cover:
- Why malware analysis matters,
- The two types of malware analysis techniques,
- The stages of the malware analysis methodology, and
- Some of the tools you can use to perform malware analysis.
Why Malware Analysis Is Important
If you’re a vigilant Windows user, you sometimes may see a file with a strange or suspicious name that you’d like to investigate. Or, if you’re an ethical hacker or are on the incident response team of an organization, you may be tasked with analyzing files to determine whether they’re legitimate or malicious. Either way, you need a way to be able to differentiate good code and software from malicious varieties.
There are a few key reasons to perform malware analysis:
- Malware detection — To better protect your organization, you need to be able to identify compromising threats and vulnerabilities.
- Threat response — To help you understand how these threats work so you can react accordingly to them.
- Malware research — This can help you to better understand how specific types of malware work, where they originated, and what differentiates them.
What Is Malware?
The idea of a self-replicating computer program is thought to have originated with computer scientist John von Neumann. However, Scientific American reports that Bell Labs brought that hypothesis to life in the 1950s with the conception of a game called “Core Wars” (which wasn’t released until 1984). Now, decades later, we have cybercriminals encrypting files via malware, disrupting networks and exfiltrating data.
Malware is any piece of software that’s harmful to your system — worms, viruses, trojans, spyware, etc. Discovering it continues to be a challenge as attackers write increasingly sophisticated programs to evade detection. Malware analysis can help you determine whether a suspicious file is indeed malicious; study its origin, behavior, and capabilities; and assess its impact so that you can detect and prevent it.
Malware can be distributed via various channels like emails (phishing attacks), USB drives, software downloaded from websites, etc. It disguises itself using obfuscation methods that mimic legitimate files or applications to trick users into downloading it. Once malicious software compromises a host system, it uses various persistence techniques (such as altering system files or adding malicious code) to remain there until a trigger event launches the attack.
The Two Types of Malware Analysis Techniques: Static vs. Dynamic
There are two ways to approach the malware analysis process — using static analysis or dynamic analysis. With static analysis, the malware sample is examined without detonating it, whereas, with dynamic analysis, the malware is actually executed in a controlled, isolated environment.
In the table below, we break down the differences between these two malware analysis techniques:
| Static Malware Analysis | Dynamic Malware Analysis |
|---|---|
| The malware components and properties are analyzed without running the code. | The malware is executed within a virtual environment, and its behavior is observed. |
| Static malware analysis is signature-based — i.e., the signature of the malware binary is determined by calculating the cryptographic hash. | Dynamic malware analysis takes a behavior-based approach to malware detection and analysis. |
| The malware binary can be reverse-engineered by using a disassembler. | The malware binary can be reverse-engineered using disassemblers and debuggers to understand and control certain aspects of the program when executing. |
| Static malware analysis involves virus scanning, fingerprinting, memory dumping, etc. | Dynamic malware analysis involves registry changes, API calls, memory writes, etc. |
| It can be rendered ineffective against unknown or new malware types or in more sophisticated attack scenarios. | It is more effective and provides a higher detection rate than static analysis. |
The Four Stages of Malware Analysis
When you learn how to write and read code, you do so little by little. Malware analysis is much the same. It’s a process that you approach through a series of formulated steps that become increasingly complex the further you go.
There are four stages to malware analysis, often illustrated using a pyramid diagram that increases in complexity as you go deeper into the process. For the sake of ease, we’ll break down each of the four stages of malware analysis from the ground up.
Stage One: Fully Automated Analysis
Automated malware analysis refers to relying on detection models formed by analyzing previously discovered malware samples in the wild. This is the method best suited to processing malware at scale and quickly assessing the repercussions of a sample on the network infrastructure.
Fully automated analysis can be done using tools like Cuckoo Sandbox, an open-source automated malware analysis platform that can be tweaked to run custom scripts and generate comprehensive reports. There are several other alternative tools, both commercial and free, that are available in the market.
Stage Two: Static Properties Analysis
Static properties analysis involves looking at a file’s metadata without executing the malware. This process is typically something you do within an isolated environment — such as a virtual machine — that’s disconnected from the internet.
One of the free tools that you may find useful for this purpose is PeStudio. This tool flags suspicious artifacts within executable files and is designed for automated static properties analysis. PeStudio presents the file hashes that can be used to search VirusTotal, TotalHash, or other malware repositories to see if the file has previously been analyzed. Moreover, it can be used to examine the embedded strings, libraries, imports, and other indicators of compromise (IOCs) and compare any unusual values that differ from those typically seen in regular executable files.
Conducting static properties analysis should ideally leave a malware analyst with a fair idea of whether to continue pursuing or cease the investigation.
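To make the static properties stage concrete, here is an added example (not code from the original article, and not PeStudio’s own code) that performs the same kind of pass in Python: it parses just enough of the PE header to read the machine type, section count and compile timestamp, computes the hashes you would use to query VirusTotal or TotalHash, extracts printable strings, and flags the indicator types (URLs, IP addresses, watched imports, named mutex objects) that such tools surface. The sample bytes, the API watch-list and the indicator rules are constructed for this demonstration and are not real malware or a vendor’s ruleset.

```python
"""Static properties triage of a Windows executable (added example; constructed sample)."""
import hashlib
import re
import struct
from datetime import datetime, timezone


def build_sample():
    """Constructed stand-in for a PE file: DOS header, PE signature, COFF header,
    then overlay bytes carrying the kind of strings an analyst would inspect."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE header lives at offset 0x40
    coff = struct.pack("<HHIIIHH",
                       0x014C,        # Machine: IMAGE_FILE_MACHINE_I386
                       3,             # NumberOfSections
                       1600000000,    # TimeDateStamp: 2020-09-13T12:26:40Z
                       0, 0,          # PointerToSymbolTable, NumberOfSymbols
                       0xE0,          # SizeOfOptionalHeader (PE32)
                       0x0102)        # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    overlay = (b"\x00KERNEL32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00"
               b"http://updates.example.invalid/check\x00"
               b"10.0.0.5\x00Global\\demo-mutex-0001\x00ab\x00")
    return bytes(dos) + b"PE\x00\x00" + coff + overlay


def parse_pe_header(data):
    """Return the COFF header fields a static-properties pass reports.
    Raises ValueError when the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        # An implausible compile time (far future, epoch zero) is itself a hint.
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "characteristics": chars,
    }


def file_hashes(data):
    """Hashes used as the file's 'signature' when querying malware repositories."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same view a strings tool gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


URL_RE = re.compile(r"^https?://\S+$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Constructed watch-list: imports triage tools highlight because injectors and
# downloaders depend on them. Plenty of legitimate software uses them too, so a
# hit is a hint to look closer, not a verdict.
WATCHED_APIS = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
                "URLDownloadToFileA"}


def flag_indicators(strings):
    """Map strings to the indicator kinds worth pivoting on (URL, IP, API, mutex)."""
    flags = []
    for s in strings:
        if URL_RE.match(s):
            flags.append(("url", s))
        elif IPV4_RE.match(s):
            flags.append(("ipv4", s))
        elif s in WATCHED_APIS:
            flags.append(("api", s))
        elif s.startswith("Global\\"):      # named kernel object, e.g. an infection-marker mutex
            flags.append(("mutex", s))
    return flags


def triage(data):
    """One static-properties pass: header fields, hashes, strings and flagged indicators."""
    strings = printable_strings(data)
    return {"header": parse_pe_header(data),
            "hashes": file_hashes(data),
            "strings": strings,
            "flags": flag_indicators(strings)}


if __name__ == "__main__":
    report = triage(build_sample())
    print("sha256:  ", report["hashes"]["sha256"])
    print("compiled:", report["header"]["compiled"].isoformat())
    for kind, value in report["flags"]:
        print(f"{kind:6} {value}")
```

Run it on a real file by replacing `build_sample()` with the file’s bytes; the hashes are what you paste into a repository search, and the flagged strings are the pivots (domains, addresses, mutex names) to check against other samples before deciding whether the investigation continues.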
Stage Three: Interactive Behavior Analysis
In the next phase, behavior analysis, the malware sample is executed in isolation as the analyst observes how it interacts with the system and the changes it makes. Often, a piece of malware might refuse to execute if it detects a virtual environment or might be designed to avoid execution without manual interaction (i.e., in an automated environment).
There are several types of actions that should immediately raise a red flag, including:
- Adding or modifying new or existing files,
- Installing new services or processes, and
- Modifying the registry or changing system settings.
Some types of malware might try to connect to suspicious host IPs that don’t belong to the environment. Others might also try to create mutex objects to avoid infecting the same host multiple times (to preserve operational stability). These findings are relevant indicators of compromise.
Some of the tools that you can use include:
- Wireshark for observing network packets,
- Process Hacker to observe the processes that are executing in memory,
- Process Monitor to observe real-time file system, registry, and process activity on Windows, and
- ProcDot to provide an interactive, graphical representation of all recorded activities.
Of course, you can conduct additional research on the new data points you gather by using any malware analysis database. Likewise, additional network analysis can disclose details about the command and control infrastructure of the malware specimen, the volume and kind of data it leaks, etc.
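The red flags listed above (new or modified files, new services or processes, registry changes, and connections to hosts that don’t belong to the environment) are exactly what you look for in a Process Monitor trace after the sample runs. The following added example (not part of the original article, and not a Process Monitor or ProcDot feature) reads rows in the column layout Process Monitor uses when a trace is exported to CSV and turns those rules into code. The trace rows, the process names and the lab address range are constructed for the demonstration.

```python
"""Behavior-stage triage over Process Monitor CSV events (added example; constructed trace)."""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed trace in Process Monitor's CSV export column order; not a real capture.
SAMPLE_TRACE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","invoice.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","invoice.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:01:02.5","invoice.exe","4120","RegSetValue","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\updater.exe"
"10:01:03.0","invoice.exe","4120","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\UpdSvc\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\updater.exe"
"10:01:03.4","invoice.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","PID: 4388, Command line: updater.exe -k"
"10:01:04.0","updater.exe","4388","TCP Connect","LAB-VM:49712 -> 203.0.113.77:443","SUCCESS","Length: 0"
"10:01:04.1","updater.exe","4388","TCP Connect","LAB-VM:49713 -> 10.10.0.1:53","SUCCESS","Length: 0"
"10:01:05.0","explorer.exe","1204","RegQueryValue","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced","SUCCESS","Type: REG_DWORD"
"""

LAB_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed lab range; anything else is "outside"
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
DROP_RE = re.compile(r"\\(AppData|Temp|Start Menu\\Programs\\Startup)\\.*\.(exe|dll|scr)$",
                     re.IGNORECASE)
REMOTE_RE = re.compile(r"->\s*(\S+):\d+$")     # "local:port -> remote:port"


def classify(event):
    """Return a finding category for one event, or None when it is routine."""
    op, path = event["Operation"], event["Path"]
    if op == "RegSetValue" and AUTORUN_RE.search(path):
        return "autorun-key"            # persistence via a Run/RunOnce value
    if op == "RegSetValue" and SERVICE_RE.search(path):
        return "service-install"        # new service pointing at a binary
    if op == "WriteFile" and DROP_RE.search(path):
        return "dropped-executable"     # payload written to a user-writable folder
    if op == "Process Create":
        return "child-process"
    if op == "TCP Connect":
        m = REMOTE_RE.search(path)
        if m:
            try:
                if ipaddress.ip_address(m.group(1)) in LAB_NET:
                    return None         # lab DNS/gateway traffic is expected
            except ValueError:
                pass                    # a hostname rather than an IP: treat as outside
            return "external-connection"
    return None


def triage(trace_csv):
    """Run every event through classify() and keep the ones that fire, in trace order."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        category = classify(row)
        if category:
            findings.append({"category": category, "process": row["Process Name"],
                             "pid": row["PID"], "path": row["Path"]})
    return findings


def summarize(findings):
    """Count findings per category, the view a report table would show."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_TRACE)
    for h in hits:
        print(f"{h['category']:20} {h['process']}({h['pid']}) {h['path']}")
    print(summarize(hits))
```

The categories map directly onto the article’s list: the dropped file and child process are the “new files” and “new processes”, the Run value and ImagePath write are the registry and service changes, and the connection to 203.0.113.77 is the host that doesn’t belong to the environment. Mutex creation isn’t visible in a Process Monitor trace; that is what the handles view in Process Hacker is for.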
Stage Four: Manual Code Reversing
Reverse engineering the code of a sample malware can provide valuable insights. This process can:
- Shed some light on the logic and algorithms the malware uses,
- Expose hidden capabilities and exploitation techniques the malware uses, and
- Provide insights about the communication protocol between the client and the server on the command and control side.
Typically, to manually reverse the code, analysts make use of debuggers and disassemblers. Though code reversing is an extremely time-consuming process — and although the skills to perform it aren’t particularly common — this step can provide plenty of important insights.
How to Prevent Malware Infection
Now that we’ve gone over the ways in which an analyst can go about studying a malware sample, it still leaves us wondering what steps you take to protect your systems from malware attacks. Let’s take a look at a few basic pointers to help make your business or organization more secure:
- Keep your systems and applications up to date. You can start by installing regular updates and patches for all your applications, plugins, and operating system. Additionally, refrain from using legacy software or outdated hardware.
- Stay wary of social engineering attacks that can compromise your data. Social engineering attacks are on the rise, so stay cautious when handling email, opening files or links on social media platforms, dealing with tech support, and so on.
- Perform regular scans on your systems using antivirus and anti-malware solutions. Scan your system regularly and don’t turn off your security protections (firewall, anti-malware protection, etc.) to install or run a program.
- Employ security best practices like using a secure connection, blocking ads, etc. Practice safe browsing by doing so over a secure connection (i.e., websites that run on HTTPS). Block malicious ads from executing automatically by enabling click-to-play plugins. This stops malvertisements until you specifically click and run them on your machine.
- Create backups for all your business-critical data. Regularly back up all your data and store at least one copy offsite. Additionally, if you’re storing your backups online, use a third-party platform other than your hosting provider (for website backups). This way, when things go wrong, you have access to data from where you can quickly restore to get your business up and running.
In Conclusion: Final Thoughts on Malware Analysis
Hopefully, after reading this article, you now have a good idea of what malware is and why malware analysis is necessary. We’ve covered not only the different processes malware analysts use to examine these malicious files but also how to prevent malware from infecting your devices and IT systems in the first place.
Skilled attackers are almost always a step ahead of the game and usually find ways to evade detection or execute zero-day exploits. However, script kiddies and the uninitiated are the segment of cybercriminals who can be dissuaded by taking the necessary preventive measures. In future blog posts, we’ll examine a sample of malware and walk you through each of the stages described above. Stay tuned!