
Malware Analysis: Techniques and Tools


By: Divya Bora

October 11, 2021


What is Malware Analysis?

Malware is malicious software that gains unauthorized access to systems in order to cause extensive damage to data and systems. Malware analysis is the process of understanding the purpose, functioning, and behavior of a suspicious file, typically malware. The outcome of malware analysis helps in detecting and mitigating any potential threats related to that malware.


Types of Malware Analysis

Malware analysis can be static, dynamic, or a hybrid of the two. Let us discuss each in detail:

1. Static Malware Analysis

Here, the malware's components and properties are analyzed without executing the code. Static malware analysis examines the file for signs of malicious intent. It is a signature-based technique: the signature of the malware binary is determined by calculating its cryptographic hash. The binary can also be reverse engineered with a disassembler. Static malware analysis further includes fingerprinting, virus scanning, and memory dumping. Because it is signature-based, it is ineffective against new or unknown malware types, and in more sophisticated attack scenarios where the malware is concealed.

2. Dynamic Malware Analysis

Malware components are executed within a safe, isolated virtual environment (a sandbox) to observe their behavior. Dynamic malware analysis is a behavior-based approach to detecting and analyzing the malware under observation. The binary can be reverse engineered with a disassembler and a debugger to understand and control the malware's functions while it executes. The behavior observed includes memory writes, registry changes, and API calls. Dynamic analysis is more efficient and effective, and provides a higher detection rate, than static analysis.

3. Hybrid Malware Analysis

Static malware analysis cannot detect sophisticated malicious code, and dynamic malware analysis may fail against sophisticated malware that hides its behavior when it detects a sandbox environment. Security teams therefore combine the two into hybrid analysis, which takes the best of both approaches. Hybrid malware analysis can detect hidden malicious code and extract indicators of compromise (IOCs) statically from code that never executed. It also helps detect unknown threats from some of the most sophisticated malware.


Stages of Malware Analysis

Malware analysis is a process with a few well-defined steps. These steps form a pyramid: complexity and the skills required increase as we approach the top. Let's discuss the steps in detail:

1. Fully Automated Analysis

This is one of the easiest and quickest ways to assess suspicious files. It is used to determine the potential effects of the malware if it were to infiltrate the network and run. It also produces a detailed, easy-to-read report for security teams covering file activity, network traffic, and registry keys. Fully automated analysis is considered the best way to sift through large quantities of malware on network infrastructure.

TOOLS: Cuckoo Sandbox is an open-source automated malware analysis platform used to perform fully automated analysis. It can be extended to run custom scripts, and it generates comprehensive reports.

A few other tools that can be used for fully automated analysis are: Malheur, which analyzes the data collected by behavioral sandboxes; Zero Wine, a full-featured tool for dynamic analysis of Windows malware on Linux; REMnux, a lightweight Linux distribution for reverse-engineering and analyzing malware; and Buster Sandbox Analyzer, a wrapper around the Sandboxie tool on Windows used to analyze the key actions malware performs while running inside Sandboxie in the lab.

2. Static Properties Analysis

This is done to get a deeper look at the malware. Static properties such as header details, metadata, code, hashes, and embedded resources are examined. All this data is required to create IOCs and can be collected easily, since the malware does not need to be executed to capture its static properties. The insights gathered during static properties analysis help decide whether a deeper investigation with more comprehensive techniques is required and what the next steps should be.

TOOLS: PeStudio automates static properties analysis: it flags suspicious artifacts within executable files and displays file hashes that can be searched on malware repositories such as TotalHash or VirusTotal to analyze the malware further. It can also be used to examine libraries, embedded strings, imports, and other IOCs, and it highlights unusual values that differ from those commonly found in regular executable files.

A few other tools that can be used for static properties analysis are: Peframe, a command-line tool written in Python that automatically extracts static file properties and other useful information; ExifTool, which extracts metadata embedded in files, including Windows executables; Strings2, a command-line tool that extracts ASCII and Unicode-encoded strings in a single step; Signsrch, which statically spots patterns of compression, multimedia, and encryption algorithms in a file; Exeinfo PE, which examines Windows executables and effortlessly identifies commonly used packer signatures; and CFF Explorer, which edits the contents of a file's PE header and examines the file's static properties.

3. Interactive Behavior Analysis

Behavior analysis involves examining how the sample interacts with a lab system to understand its file system, network, process, and registry activity. Analysts may further conduct memory forensics to learn how the malware functions and how much memory it uses. If the analysts find that the malware has specific capabilities, they set up a simulation to test their observations. Behavioral analysis needs a creative analyst with advanced skills, as the process is complex and time-consuming, and it needs automated tools to be performed effectively.

TOOLS: Wireshark is used to observe network packets. Process Hacker is used to observe processes executing in memory. Process Monitor is used to observe real-time file system, process, and registry activity on Windows. ProcDot provides an interactive, graphical representation of the recorded activity.
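As an added example, not part of the original article and not the output format of any specific tool, the following Python triages a constructed Process Monitor-style CSV log into the categories behavioral analysis looks for: dropped executables, autorun persistence keys, outbound connections, and child processes. The column layout is assumed from Procmon's CSV export; the process names, paths, PIDs and the 203.0.113.10 address (a documentation range) are made up for this example and describe no real sample.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed log rows in a Procmon-style CSV layout (assumed column order).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\svchost_upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\svchost_upd.exe","SUCCESS","Offset: 0, Length: 51,200"
"10:01:02.4","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\run.log","SUCCESS","Offset: 0, Length: 120"
"10:01:02.9","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\lab\AppData\Local\Temp\svchost_upd.exe"
"10:01:03.4","sample.exe","4120","TCP Connect","lab-vm:49812 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.5","sample.exe","4120","Process Create","C:\Users\lab\AppData\Local\Temp\svchost_upd.exe","SUCCESS","PID: 5204, Command line: svchost_upd.exe /s"
"10:01:04.0","explorer.exe","1212","RegQueryValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ"
"10:01:05.2","svchost_upd.exe","5204","TCP Connect","lab-vm:49813 -> 203.0.113.10:8443","SUCCESS","Length: 0"
'''

# Heuristics: autorun keys, common drop directories, executable extensions,
# Procmon's "src -> dst:port" network path format, and the child PID in Detail.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|ProgramData)\\", re.IGNORECASE)
EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js")
NET_RE = re.compile(r"^\S+ -> (?P<host>\S+):(?P<port>\d+)$")
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")


def triage(csv_text: str, sample_pid: str) -> Dict[str, List[str]]:
    """Collect behavioral IOCs for the sample PID and every process it spawns."""
    iocs = {"dropped_files": set(), "persistence_keys": set(),
            "remote_endpoints": set(), "child_processes": set()}
    tracked_pids = {sample_pid}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["PID"] not in tracked_pids or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "WriteFile" and path.lower().endswith(EXEC_EXTS) and DROP_DIR_RE.search(path):
            iocs["dropped_files"].add(path)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            iocs["persistence_keys"].add(path)
        elif op == "TCP Connect":
            m = NET_RE.match(path)
            if m:
                iocs["remote_endpoints"].add(f"{m['host']}:{m['port']}")
        elif op == "Process Create":
            iocs["child_processes"].add(path)
            m = CHILD_PID_RE.search(detail)
            if m:
                tracked_pids.add(m.group(1))  # follow the child from here on
    return {k: sorted(v) for k, v in iocs.items()}


def verdict(iocs: Dict[str, List[str]]) -> str:
    """Crude score: one point per IOC category that has at least one hit."""
    score = sum(1 for v in iocs.values() if v)
    if score >= 3:
        return "likely malicious"
    return "suspicious" if score else "no behavioral indicators"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "4120")
    for category, items in result.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
    print("verdict:", verdict(result))
```

Following PIDs through Process Create rows matters: the second outbound connection is made by the dropped child, not by the sample itself, and would be missed by filtering on the original process name alone. The dropped path, the Run key and the remote endpoints are exactly the artifacts that later feed detection rules and threat hunting.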

4. Manual Code Reversing

Reversing the file's malicious code can decode data it stores encrypted by default, determine the logic of the file's domain, and reveal functionality that was overlooked or concealed during behavioral analysis. To reverse code manually, analysts need debuggers and disassemblers, aided by a decompiler and a variety of plugins or specialized tools that automate some aspects of the work. Code reversing is a rare skill, and it takes a lot of time, so malware investigators often skip this step and miss out on valuable insights into the malware's nature.

TOOLS: IDA Pro is one of the best and most popular reverse engineering tools: an interactive disassembler with a built-in command language that supports a wide range of executable formats, processors, and operating systems. Many plugins extend the disassembler's functionality, such as the Hex-Rays Decompiler, Lighthouse, ClassInformer, BinDiff, and IDA-Function-Tagger.

A few more tools that can be used for manual code reversing are: API Monitor, an application that intercepts the API function calls made by applications and services and displays their input and output data; WinHex, a hex editor for Windows that provides useful features and development tools and can display checksums or the raw code of software or malware files, which a regular text editor cannot; Hiew, a binary file editor oriented toward code, with a built-in disassembler and assembler for x86 and x86-64; Scylla, an application for dumping running processes and restoring their PE import tables, which helps fully rebuild PE files loaded by the operating system; and PEiD, also considered one of the best reverse engineering tools for detecting packers. By analyzing entropy, it can determine whether an application is packed.

Use cases for Malware Analysis

Some of the use cases for malware analysis are as follows:

1. Malware Research

Whether for academic or industrial purposes, malware researchers perform malware analysis to gain a thorough understanding of the latest tools, techniques, and exploits used by adversaries.

2. Incident Response

Every major organization has an incident response team whose goal is to provide the organization with a root cause analysis of any major threat that has occurred. The team is also responsible for determining the impact of the damage caused and for ensuring proper remediation and recovery. It performs malware analysis to increase the efficiency and effectiveness of these tasks.

3. Malware Detection

To evade traditional detection mechanisms, adversaries have started employing more sophisticated techniques. Threats can be detected efficiently by performing deep behavioral analysis and identifying malicious functionality, infrastructure, or shared code. Malware analysis results assist in extracting IOCs, which can be fed to Security Information and Event Management (SIEM) software, Threat Intelligence Platforms (TIPs), and other security tools to alert the team about potential threats in the future.

4. Threat Hunting

Malware analysis exposes the behaviors and artifacts that threat hunters use to look for activity such as access to a specific port, domain, or network connection. By closely examining firewall and proxy logs, teams use this data to identify similar threats.

5. Threat alerts and Triage

Malware analysis produces higher-fidelity alerts earlier in the attack life cycle. Teams should therefore prioritize the results of such alerts to save time.

Malware Fundamentals is a course designed for beginners to understand what malware is, and Malware Threats is a course for intermediate learners to strengthen their malware basics. Intro to Malware Analysis and Reverse Engineering is a detailed, advanced-level course for people who already have experience with malware. Advanced Malware Analysis is a hands-on course for people who have a clear grasp of the basics and are looking for practice.
