When it comes to fighting malware, you may be asking as a security professional, “Why would I need to perform malware analysis? I don’t work for an anti-virus vendor.” If you are responsible for the security of a network, at some point in your career you will most likely have to perform malware analysis.
The goal of malware analysis is to gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network. There are two key questions that must be answered. The first: how did this machine become infected with this piece of malware? The second: what exactly does this malware do? After determining the specific type of malware, you will have to determine which question is more critical to your situation.
Types of Malware Analysis
There are two types of malware analysis that security professionals perform: code (static) analysis and behavioral (dynamic) analysis.
Code analysis is the actual viewing of the code and walking through it to get a better understanding of the malware and what it is doing.
Behavioral analysis looks at how the malware behaves when executed: who it talks to, what gets installed, and how it runs.
Knowing how malware functions allows for better defenses to protect the organization from this piece of malware, and possibly from other malware that attempts to infect a host using the same vulnerabilities or weaknesses.
With any discussion of reverse code engineering, you MUST be aware of the laws in your country involved with reverse engineering software (if any). Before undertaking reversing, check the local (country) laws about reverse code engineering. I do not recommend breaking any laws, nor do I condone any actions for the same.
Code analysis is performed by looking at the software code of the malware to gain a better understanding of how the malware functions. While performing code analysis, the malware will be scanned with antivirus software, string searches will be performed, and files such as shell scripts will be analyzed. Most likely, reverse engineering will have to be performed using programs such as disassemblers, debuggers and decompilers.
After successfully reversing malware, you will be able to see how the “source” code of the malware functions. Seeing how the code functions allows you to build better defenses to protect your organization as well as serve as a sanity check on the completed behavioral analysis.
Once the malware code has been reversed, it will become clear how the malware infects the system. With malware today becoming more targeted, understanding how malware infects systems can reduce infections across an organization, thus reducing the overall cost.
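The string search mentioned above is usually the first static step, because a sample's printable strings often reveal imported modules, URLs, IP addresses and registry paths before any disassembly is done. The following is an added example, not code from the original article: a small strings extractor that recovers both ASCII and UTF-16LE runs (wide strings are common in Windows binaries and are missed by an ASCII-only scan) and then tags the ones that look like indicators. The sample blob, the indicator patterns and all names and values in it are constructed for this example.

```python
import re
import sys
from collections import namedtuple

# Minimum run length to report; matches the usual "strings -n 4" default.
MIN_LEN = 4

Indicator = namedtuple("Indicator", "kind value offset")

# Generic triage patterns chosen for this example; they are not tied to any malware family.
INDICATOR_RES = {
    "url": re.compile(r"https?://[\w.\-/%?=&]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HK(?:LM|CU|CR|U|CC)\\[\w\\ ]+", re.I),
    "pe_module": re.compile(r"\b[\w\-]+\.(?:dll|exe|sys)\b", re.I),
}


def extract_strings(blob, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable ASCII or UTF-16LE run."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text: each printable ASCII code unit is followed by a NUL byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def triage(strings):
    """Tag extracted strings that look like network, registry or module-name indicators."""
    hits = []
    for offset, _enc, text in strings:
        for kind, rx in INDICATOR_RES.items():
            for m in rx.finditer(text):
                hits.append(Indicator(kind, m.group(), offset))
    return hits


# Constructed sample "binary" so the example runs offline; it is not a real malware file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                      # PE-style header bytes
    + b"kernel32.dll\x00CreateFileA\x00"                               # imported module and API name
    + b"http://example.invalid/update.php\x00"                         # callback URL (constructed)
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"  # autorun key (generic)
    + "203.0.113.7".encode("utf-16le") + b"\x00\x00"                   # wide-char IP address
    + b"\x8a\x13\x02\x7f\x01"                                          # non-printable filler
)

if __name__ == "__main__":
    # Pass a file path to scan a real sample; otherwise the constructed blob is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    strings = extract_strings(data)
    for offset, enc, text in strings:
        print(f"{offset:08x} {enc:8} {text}")
    for ind in triage(strings):
        print(f"[{ind.kind}] {ind.value} at offset {ind.offset:#x}")
```

Treat the tagged strings as leads to confirm during reversing or behavioral analysis, not as conclusions: packed or encrypted samples expose few strings, and the naive scan can glue an ASCII run onto an adjacent wide string, so offsets are worth checking in a hex viewer.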
Behavioral analysis is the “quick and dirty” way of malware analysis. When performing a behavioral analysis, look at how the malware behaves and what changes the malware makes on a baselined system. It is critical that the malware lab is not connected to another network while behavioral analysis is being performed. For the best protection of production networks, the malware lab should never be connected to any network. If files must be transferred, use read-only media such as a CD-ROM.
When performing behavioral analysis, look for changes to the system as well as any unusual behavior on the infected system. Changes that should raise a red flag include files that have been added and/or modified, new services that have been installed, new processes that are running, any registry modifications (noting exactly which keys and values changed), and finally, any system settings that have been modified, including changes to the workstation's DNS server settings. Besides the behavior of the system itself, network traffic will also be examined.
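The baselining described here is mechanical enough to script: record the state of the system before the sample runs, record it again afterwards, and report every difference. The following is an added example, not code from the original article. It hashes every file under a directory tree for the file baseline and reuses one generic comparison routine for service, process and registry listings. The scratch directory, the "detonation" effects and the service and Run-key listings are all constructed for the example; on a real lab host the same functions would be fed the live filesystem and live listings taken before and after execution.

```python
import hashlib
import os
import tempfile


def snapshot_dir(root):
    """Baseline a directory tree: relative path -> SHA-256 of the file contents."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Compare two name -> value maps taken before and after the sample ran.

    The same routine serves files (value = hash), services and processes
    (value = state or image path) and registry keys (value = data).
    """
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def report(label, changes):
    """Print one section of the change report; each line is something to triage."""
    for kind in ("added", "removed", "modified"):
        for item in changes[kind]:
            print(f"[{label}] {kind}: {item}")


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Run the workflow against a constructed scratch tree (hypothetical data)."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(root, "etc", "resolv.conf"), "nameserver 192.0.2.53\n")
        baseline = snapshot_dir(root)

        # Simulated effects of running the sample: DNS setting changed, new file dropped.
        _write(os.path.join(root, "etc", "resolv.conf"), "nameserver 198.51.100.9\n")
        _write(os.path.join(root, "tmp", "dropped.bin"), "constructed placeholder content\n")
        after = snapshot_dir(root)
        files = diff_snapshots(baseline, after)

    # Constructed service listing and registry Run-key values for the same before/after.
    services = diff_snapshots(
        {"Dhcp": "running", "Spooler": "stopped"},
        {"Dhcp": "running", "Spooler": "stopped", "UpdaterSvc": "running"},
    )
    run_key = diff_snapshots(
        {"ExampleAgent": r"C:\Program Files\ExampleAgent\agent.exe"},
        {"ExampleAgent": r"C:\Program Files\ExampleAgent\agent.exe",
         "Updater": r"C:\Users\Public\updater.exe"},
    )
    return {"files": files, "services": services, "run_key": run_key}


if __name__ == "__main__":
    for label, changes in demo().items():
        report(label, changes)
```

Hashing the whole tree is slow on a full Windows image, so in practice the file baseline is usually limited to the directories malware tends to touch, and the process, service and registry listings are exported with the platform's own tools and fed to the same comparison.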