Malware Analysis

Uploaded by pavan kc

Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.
Malware, or malicious software, is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission.
Malware analysis types:
Static Malware Analysis: Static or code analysis is performed by dissecting the different resources of the binary file without executing it and studying each component (headers, imports, embedded strings, resources). The binary can also be disassembled (reverse engineered) with a disassembler such as IDA, which translates the machine code into assembly instructions that a human can read; the analyst then works through those instructions to build a picture of what the program is supposed to do. Note that a packed or obfuscated sample defeats this step until it has been unpacked, because the code on disk is not the code that will run.
Dynamic Malware Analysis: Dynamic or behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is usually performed in a sandbox environment to prevent the malware from infecting production systems; many such sandboxes are virtual machines that can be rolled back to a clean snapshot after the analysis is complete. The malware may also be debugged while running, using a debugger such as GDB or WinDbg, to watch its behavior and its effects on the host step by step as its instructions are executed. Keep in mind that many samples check for virtual machines, debuggers or sandbox artifacts and change their behavior when they find them, so a quiet run is not proof that the sample is harmless.
5 Steps to Building a Malware Analysis Lab:
Step 1: Allocate physical or virtual systems for the analysis lab
Step 2: Isolate laboratory systems from the production environment
Step 3: Install behavioral analysis tools
Step 4: Install code-analysis tools
Step 5: Utilize online analysis tools
Step 1: Allocate physical or virtual systems for the analysis lab
•A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.
•The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Take a snapshot of each virtual machine in its clean, tooled-up state before every infection so you can revert to it afterwards. Free virtualization software options include:
•VirtualBox
•VMware vSphere Hypervisor
Step 2: Isolate laboratory systems from the production environment
•You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, do not connect the laboratory and production networks at all, to avoid firewall misconfigurations that might allow malware to bypass filtering restrictions. If a specimen needs network access to show its behavior, give it only a lab-internal network with no route to production or to the Internet.
•If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. Consider using write-once media, such as DVDs, to prevent malicious software from escaping the lab's confines by writing itself to a writable removable disk. A more convenient option is a USB key that includes a physical write-protect switch.
Step 3: Install behavioral analysis tools
•Before you are ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:
•File system and registry monitoring: Process Monitor, with ProcDOT to visualize its logs, offers a powerful way to observe how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed itself into the system upon infection (for example by creating files and run keys that give it persistence).
•Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including the local network ports they may attempt to open.
•Network monitoring: Wireshark is a popular network sniffer, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
•Change detection: Regshot is a lightweight tool for comparing the system's state before and after the infection, to highlight the key changes malware made to the file system and the registry. Take the first snapshot immediately before launching the specimen and the second after its activity has settled, so that unrelated background changes stay out of the diff.
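The change-detection step above (what Regshot does for the file system and registry) is simple enough to reproduce and worth understanding, because it shows what kind of evidence a before/after diff actually yields. The following is an added example written for this page, not code from the original deck or from Regshot: it snapshots a directory tree as path-to-SHA-256 mappings, then diffs two snapshots into created, deleted and modified files. The "clean" tree and the "infection" (a dropped executable, a tampered hosts file, a deleted document) are constructed in a temporary directory for the demonstration; the same diff logic applies unchanged to an exported registry hive if you map key paths to values instead of file paths to hashes.

```python
"""Regshot-style change detection for a directory tree (added example, stdlib only)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Compare two snapshots; returns sorted lists of created/deleted/modified paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def _write(root, rel, data):
    """Helper: write data to root/rel, creating parent directories as needed."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed 'clean' tree, snapshot it, simulate an infection, diff."""
    with tempfile.TemporaryDirectory() as lab:
        # Constructed clean state (stand-ins for a Windows host, not real system files).
        _write(lab, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(lab, "Users/analyst/Documents/notes.txt", b"quarterly report\n")
        before = snapshot(lab)

        # Constructed infection: drop a binary in a user-writable path, add a hosts
        # entry that blackholes an update server, and destroy a user document.
        _write(lab, "Users/analyst/AppData/Roaming/svchost.exe", b"MZ\x90\x00" + b"\x00" * 60)
        _write(lab, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        os.remove(os.path.join(lab, "Users", "analyst", "Documents", "notes.txt"))
        after = snapshot(lab)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run `snapshot()` against the real lab volume before and after detonation and feed both results to `diff_snapshots()`; the created entries are your dropped files, and modified entries in system locations (hosts, startup folders, service binaries) are where to look for persistence and tampering.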
Step 4: Install code-analysis tools
Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you will rarely have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:
•Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code. Note that OllyDbg handles only 32-bit executables.
•Memory dumper: Scylla and OllyDumpEx help obtain protected code located in the lab system's memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions and extract them into RAM only at run time. A dumped image usually needs its import table rebuilt (Scylla can do this) before a disassembler can make sense of it. A quick tell for packing is a section whose bytes look near-random, or one with a section name that matches a known packer.
Step 5: Utilize online analysis tools
To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse-engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These services look similar at first glance but use different technologies on the back end. Consider submitting your malware specimen to several of them; depending on the specimen, some will be more effective than others. Such tools include:
•Anubis
•EUREKA
•Malwr
•ThreatExpert
Longer lists of free automated malware analysis services that can examine compiled Windows executables are available online; services of this kind come and go, and several of the names above have since been discontinued, so check what is currently operating. Before uploading anything, remember that a submitted sample may become visible to other users of the service, including the attacker, and may contain data about your organization; look the file's hash up first and upload the sample itself only when that is acceptable.
Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:
•Real-time threat assessment: WebInspector and Wepawet
•Historical reputation data: URLVoid and MxToolbox