Basic Malware

The document summarizes basic malware analysis techniques including static analysis like examining file strings and headers, and dynamic analysis like running malware in a sandbox or virtual machine to observe its behaviors. Static techniques are non-intrusive but have limitations, while dynamic analysis allows deeper inspection but requires an isolated and controlled environment to avoid harm. The document outlines specific tools, file formats, and steps to safely analyze malware.

Uploaded by Rin Tohsaka

Chapter 4. Basic Malware Analysis

1. Introduction
2. Basic Static Analysis
3. Basic Dynamic Analysis

Reading: Textbook – Chapter 18

1
Introduction
• Malware analysis:
  • The art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it.
  • Purpose: usually to provide the information you need to respond to a network intrusion.
  • Can be used to develop host-based and network signatures.
• Techniques:
  • Static analysis: involves examining the malware without running it.
    • Basic: examining the executable file without viewing the actual instructions.
    • Advanced: reverse-engineering the malware’s internals by loading the executable into a disassembler and looking at the program instructions.
  • Dynamic analysis: involves running the malware.
    • Basic: running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both.
    • Advanced: uses a debugger to examine the internal state of a running malicious executable. Advanced dynamic analysis techniques provide another way to extract detailed information from an executable.

2
Basic Static Analysis
• Antivirus scanning
  • When first analyzing prospective malware, a good first step is to run it through multiple antivirus programs, which may already have identified it.
• Hashing
  • A common method used to uniquely identify malware.
  • The hash can be used to share the malware and search for information about it.
• Finding strings
  • Can be a simple way to get hints about the functionality of a program.
  • Can use the Strings program (http://bit.ly/ic4plL) to search an executable for strings.
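As an added example (not part of the original slides), a small Python script that does what the hashing and strings bullets describe: it computes MD5 and SHA-256 digests and extracts ASCII and UTF-16LE strings the way the Strings tool does, then buckets them into the kinds of hints an analyst looks for. The sample bytes, the hypothetical example.invalid URL and the hint patterns are constructed for the demonstration.

```python
import hashlib
import re

# Constructed stand-in for an executable (not a real binary): ASCII strings, a UTF-16LE
# string as Windows programs often store them, and filler bytes that must not be reported.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n\x01\x02\x03"
    + b"kernel32.dll\x00CreateFileA\x00\x80\x81"
    + "http://example.invalid/update".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                       # shorter than the minimum length, so ignored
    + b"\xff" * 16
)

def file_hashes(data):
    """MD5 and SHA-256 digests: the identifiers used to share a sample and look it up."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, as Strings reports them."""
    printable = rb"[\x20-\x7e]"
    ascii_re = re.compile(printable + b"{%d,}" % min_len)
    wide_re = re.compile(b"(?:" + printable + b"\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

HINT_PATTERNS = {                       # rough buckets for the functionality hints a string gives
    "url": re.compile(r"^https?://", re.I),
    "dll": re.compile(r"\.dll$", re.I),
    "api": re.compile(r"^[A-Z][A-Za-z0-9]+[AW]?$"),   # e.g. CreateFileA, the ANSI variant
}

def categorize(strings):
    """Group extracted strings by the kind of hint they give about the program."""
    out = {kind: [] for kind in HINT_PATTERNS}
    for s in strings:
        for kind, pat in HINT_PATTERNS.items():
            if pat.search(s):
                out[kind].append(s)
    return out

if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print(categorize(extract_strings(SAMPLE)))
```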

3
Basic Static Analysis (cont.)
• Packing and Obfuscation
  • Used to make malware files more difficult to detect or analyze.
  • Obfuscated programs: malware whose execution the malware author has attempted to hide.
  • Packed programs: a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed. When the packed program is run, a small wrapper program also runs to decompress the packed file and then run the unpacked file.

4
Basic Static Analysis (cont.)
• Detecting packing
  • When a program is packed, you must unpack it in order to be able to perform any analysis.
  • Detecting with PEiD
    • detects the type of packer or compiler employed to build an application
  • Unpacking with UPX
    • popular and easy to use for unpacking
    • Available at http://upx.sourceforge.net/
    • Command to unpack: upx -d PackedProgram.exe

5
Basic Static Analysis (cont.)
• PE file format
  • file format used by Windows executables, object code, and DLLs
  • contains a header followed by a series of sections
  • header contains metadata about the file itself
  • most common and interesting sections in a PE file:
    • .text section contains the instructions that the CPU executes
    • .rdata section typically contains the import and export information, and can also store other read-only data used by the program
    • .data section contains the program’s global data, which is accessible from anywhere in the program
    • .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings
• Tools
  • PEview tool: used to browse through the PE information
  • Resource Hacker tool can be used to browse the .rsrc section
    • Available at http://www.angusj.com/
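An added example, not from the slides, covering both the packing-detection slide and the PE format slide: a Python walk of the PE header into the section table, with the packing heuristics a PEiD-style check relies on (UPX section names, sections empty on disk but large in memory, high entropy). The minimal PE image is constructed in the block as test data and is not a real program.

```python
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes

def entropy(buf):  # Shannon entropy in bits per byte; compressed or encrypted data approaches 8
    n = len(buf)
    return -sum(p * math.log2(p) for p in (buf.count(b) / n for b in set(buf))) if n else 0.0

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size                        # signature + COFF + optional header
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, rptr = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": entropy(data[rptr:rptr + rsize])})
    return sections

def packing_indicators(sections):  # PEiD-style hints that a file is packed, each with its reason
    hits = []
    for s in sections:
        if s["name"] in ("UPX0", "UPX1", "UPX2"):           # section names UPX writes
            hits.append(f"{s['name']}: section name used by UPX")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:    # the stub fills it at run time
            hits.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} looks compressed")
    return hits

def build_sample_pe(sections):  # constructed minimal PE (test data, not a real program)
    pe_off, opt_size = 0x40, 0xE0                           # 0xE0: PE32 optional header size
    raw_ptr = pe_off + 24 + opt_size + 40 * len(sections)   # section data follows the table
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off) + b"PE\0\0"
    image += struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102) + b"\0" * opt_size
    body = b""
    for name, vsize, raw in sections:                       # (name, virtual size, bytes on disk)
        image += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return image + body

SAMPLE_PE = build_sample_pe([(b"UPX0", 0x8000, b""),                    # nothing on disk
                             (b"UPX1", 0x3000, bytes(range(256)) * 8),   # entropy exactly 8.0
                             (b".rsrc", 0x200, b"\0" * 0x200)])         # entropy 0.0
```

Running `packing_indicators(parse_sections(SAMPLE_PE))` reports the two UPX section names, the empty UPX0 section and the high-entropy UPX1 body, while the zero-filled .rsrc section raises nothing.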

6
Basic Static Analysis (cont.)
• Linked Libraries and Functions
  • Imports: functions used by one program that are actually stored in a different program, such as code libraries
  • Knowing how the library code is linked is critical to our understanding of malware
  • Code libraries can be linked statically, at runtime, or dynamically
  • While unpopular in friendly programs, runtime linking is commonly used in malware, especially when it’s packed or obfuscated.

7
Basic Static Analysis (cont.)
• Dependency Walker
  • Available at http://www.dependencywalker.com/
  • Allows listing and exploring dynamically linked functions in an executable

8
Basic Static Analysis (cont.)
• Common DLLs

9
Basic Dynamic Analysis
• Basic dynamic analysis of malware:
  • typically performed after basic static analysis has reached a dead end
  • can assist and confirm your basic static analysis findings
• Using a Malware Sandbox
  • Sandbox: a security mechanism for running untrusted programs in a safe environment without fear of harming “real” systems.
  • Examples of free sandboxes: Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis, etc.
  • Provides quick results, but has many limitations, e.g., it may miss important aspects of the malware’s execution behavior.

10
Basic Dynamic Analysis
• Analysis Environment
  • Before you can run malware to perform dynamic analysis, you must set up a safe environment.
    • allows you to investigate the malware without exposing your machine or other machines on the network to unexpected and unnecessary risk.
  • Air-gapped networks allow you to run malware in a real environment without putting other computers at risk, but lack an Internet connection and can be difficult to clean up.
  • Virtual machines are most commonly used for dynamic analysis.
    • But some malware will not run in a virtualized environment.

11
Basic Dynamic Analysis (cont.)
• Analysis Environment (cont.)
  • Setting up host-only networking:
    • commonly used for malware analysis
    • creates a separate private LAN between the host OS and the guest OS
    • contains the malware within your virtual machine while allowing some network connectivity.
  • Using multiple VMs
    • Linked by a LAN but disconnected from the Internet and host machine
    • E.g. one VM is set up to analyze malware, and the second VM provides services.

12
Basic Dynamic Analysis (cont.)
• Analysis environment – Example:
  • contains two hosts: the malware analysis Windows VM and the Linux VM running INetSim
  • ApateDNS is configured on the Win VM to redirect to the Linux VM

13
Basic Dynamic Analysis (cont.)
• Running and analyzing malware using virtual machines involves the following steps:
  1. Start with a clean snapshot with no malware running on it.
  2. Transfer the malware to the virtual machine.
  3. Conduct your analysis on the virtual machine.
  4. Take your notes, screenshots, and data from the virtual machine and transfer them to the physical machine.
  5. Revert the virtual machine to the clean snapshot.

14
Basic Dynamic Analysis (cont.)
• Analysis steps:
  1. Running procmon, setting a filter on the malware executable name, and clearing out all events just before running.
  2. Starting Process Explorer.
  3. Gathering a first snapshot of the registry using Regshot.
  4. Setting up your virtual network to your liking using INetSim and ApateDNS.
  5. Setting up network traffic logging using Wireshark.

15
