Malware analysis is the process that runs from the identification of a suspected malware sample to verification that the malware has been completely removed. It includes observing the malware's behaviour, scoping the potential threat to the affected systems, and determining what other measures must be taken.
Before describing the analysis itself, the need for malware analysis and the goals the analysis must achieve have to be defined. Most security analysts and security professionals perform malware analysis at some point in their career.
The major goal of malware analysis is to gain detailed information about a sample and observe its behaviour, so that incident response and defensive actions can be taken to secure the organization.
The malware analysis process starts with preparing the testbed for analysis. The security professional sets up a virtual machine as the guest operating system in which dynamic malware analysis will be performed by executing the sample; the physical host runs only the hypervisor and monitoring tools. The guest is isolated from all other networks so that the malware's behaviour can be observed while it is quarantined from the production network.
Static analysis does not require execution and is normally performed first; dynamic analysis then executes the sample in the testbed. A controlled network connection can be added later to observe network behaviour, using process monitoring tools, packet monitoring tools, debuggers such as OllyDbg, and memory-dump utilities such as ProcDump (ProcDump captures process memory for later inspection; it is not itself a debugger).
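The procedure above (isolated guest, process and packet monitoring) produces an event stream that the analyst has to reduce to indicators. The script below is an added example and not code from the original article: it follows the sample's process tree through constructed Process Monitor-style CSV rows and extracts dropped files, persistence registry writes, outbound connections, child processes and self-deletion. The column order is modelled on Process Monitor's CSV export; the hostnames, PIDs, paths and the 203.0.113.45 address (documentation range) are invented for the example.

```python
"""Turn a dynamic-analysis event stream into IOCs.  Follows the sample's process tree
and pulls out dropped files, persistence registry writes, outbound connections,
child processes and self-deletion.  Standard library only."""
import csv
import io
import re

# Constructed rows in the column order of Process Monitor's CSV export
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).  Hostnames,
# PIDs and the 203.0.113.0/24 address are invented for this example.
SAMPLE_LOG = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.101","sample.exe","4120","Process Start","","SUCCESS","Parent PID: 3980"
"10:02:11.250","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\svchosts.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.262","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\svchosts.exe","SUCCESS","Length: 214016"
"10:02:11.400","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Local\Temp\svchosts.exe"
"10:02:12.010","sample.exe","4120","TCP Connect","LAB-VM:49711 -> 203.0.113.45:443","SUCCESS","Length: 0"
"10:02:12.300","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4168, Command line: cmd.exe /c ping 127.0.0.1 -n 3 & del sample.exe"
"10:02:12.900","explorer.exe","1204","ReadFile","C:\Windows\System32\shell32.dll","SUCCESS","Length: 4096"
"10:02:13.050","sample.exe","4120","TCP Connect","LAB-VM:49712 -> 203.0.113.45:8080","CONNECTION REFUSED","Length: 0"
"10:02:15.100","cmd.exe","4168","SetDispositionInformationFile","C:\Users\lab\Desktop\sample.exe","SUCCESS","Delete: True"
""".strip()

PERSIST_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
DROP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
NET_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def summarise(records_csv: str, sample: str = "sample.exe") -> dict:
    """Walk the event stream, follow the sample's process tree, collect IOCs."""
    tracked = set()                           # PIDs of the sample and its descendants
    out = {"pids": set(), "dropped_files": set(), "deleted_files": set(),
           "remote_endpoints": set(), "persistence": [], "child_processes": []}
    for row in csv.DictReader(io.StringIO(records_csv)):
        pid, proc, op = int(row["PID"]), row["Process Name"], row["Operation"]
        path, detail, ok = row["Path"], row["Detail"], row["Result"] == "SUCCESS"
        if proc == sample:
            tracked.add(pid)                  # also covers logs without a Process Start row
        if pid not in tracked:
            continue                          # unrelated processes (explorer.exe etc.) are noise
        out["pids"].add(pid)
        if op == "Process Create" and ok:
            m = re.search(r"PID: (\d+), Command line: (.*)", detail)
            if m:                             # follow the child so its actions are attributed
                tracked.add(int(m.group(1)))
                out["child_processes"].append(m.group(2))
        elif op == "WriteFile" and ok and DROP_DIRS.search(path):
            out["dropped_files"].add(path)
        elif op == "RegSetValue" and ok and PERSIST_KEYS.search(path):
            m = re.search(r"Data: (.*)", detail)
            out["persistence"].append({"key": path, "data": m.group(1) if m else detail})
        elif op == "SetDispositionInformationFile" and ok and "Delete: True" in detail:
            out["deleted_files"].add(path)
        elif op in NET_OPS and "->" in path:  # a refused connect is still a C2 indicator
            out["remote_endpoints"].add(path.split("->", 1)[1].strip())
    for key in ("pids", "dropped_files", "deleted_files", "remote_endpoints"):
        out[key] = sorted(out[key])           # deterministic output for reports and tests
    return out


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The point of tracking PIDs rather than filtering on the sample's file name is that the interesting behaviour here (the self-delete) happens in a child cmd.exe, which a name filter would miss; the refused connection is kept because a dead C2 endpoint is still worth blocking.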
Goals of Malware Analysis
The goals of malware analysis are:-
- Diagnose the threat severity or level of attack.
- Diagnose the type of malware.
- Scope the attack.
- Build defenses to secure the organization's network and systems.
- Find the root cause.
- Build incident response actions.
- Develop anti-malware measures (signatures, removal tools) to eliminate the threat.
Types of Malware Analysis
Malware analysis is classified into two basic types.
Static analysis or code analysis is performed without executing the binary: its resources and code are broken out and each component is studied. A disassembler such as IDA is used to disassemble the binary.
Dynamic analysis or behavioural analysis is performed by executing the malware on a host and observing its behaviour. These behavioural analyses are performed in a sandbox environment.
Sandboxing technology helps detect threats in a dedicated, instrumented environment. When a sample is submitted to a sandbox, its hash is first searched in the threat-intelligence database for an existing analysis report; if the threat was detected previously, its diagnostic details are already available.
When a threat has been diagnosed before, its analysis results are recorded for future use, so a match in the database allows a much quicker response.
Threat analysis is an ongoing process that identifies exemplars (families) of malicious software. Because attackers regularly rebuild and rotate their network infrastructure, it is easy to lose sight of the tools these various actors constantly use and update. Beginning with analysis of a malware family, the process centres on mapping the vulnerabilities, exploits, network infrastructure, additional malware and adversaries associated with it.
Use Cases for Malware Analysis :-
- Computer security incident management: if an organization believes that malware may have entered its systems, a response team reacts to the situation. It will then want to perform malware analysis on any potentially malicious files that are discovered, to determine whether they are indeed malware, of what type, and what impact they might have on the organization's systems.
- Malware research: in academic or industry forums, malware researchers perform malware analysis to build the best possible understanding of how malware works and of the newest methods used in its creation.
- Indicator of compromise (IOC) extraction: vendors of security products and services may conduct bulk malware analysis to identify new indicators of compromise, which in turn help organizations defend themselves against malware attacks.
Four Stages of Malware Analysis :-
Investigating malware is a process with several steps. The four stages form a pyramid of increasing intricacy: the closer you get to the top, the more complex the stage and the rarer the skills needed to carry it out. Here we start from the bottom and show what goes into analysing malware at every step.
- Fully-automated analysis: one of the simplest ways to assess a suspicious program is to scan it with fully-automated tools, which can quickly assess what a sample would be capable of if it infiltrated a system. This analysis produces a detailed report of the sample's network traffic, file activity and registry keys. Even though a fully-automated analysis does not provide as much information as an analyst would, it is still the fastest method to sift through large quantities of malware.
- Static properties analysis: for a more in-depth look at malware it is imperative to examine its static properties. They are easy to obtain because doing so does not require running the potential malware, which takes longer. The static properties include hashes, embedded strings, embedded resources and header information, and they should yield elementary indicators of compromise.
- Interactive behavior analysis: to observe a malicious file it is often placed in an isolated laboratory system to see whether it infects that system. Analysts monitor these systems to see whether the file tries to contact any hosts. With this information the analyst can then reproduce the situation to see what the file would do once it was connected to such a host, giving an advantage over those who use only automated tools.
- Manual code reversing: reversing the code of the malicious file can decode encrypted data stored by the sample, determine the logic of the file's domain generation algorithm, and reveal other capabilities that did not show up during behavioural analysis. Manual code reversing requires malware analysis tools such as a debugger and a disassembler. The skills needed for it are very important, but also hard to find.