LightBlog

Tuesday, 6 August 2019

What is Malware Analysis? Different Tools and Techniques of Malware Analysis

What-is-Malware-Analysis?

What is Malware Analysis?


Before we get into the specifics of Analyzing Malware, we need to define some terminology, cover common Types of Malware, and introduce basic approaches to Malware Analysis.

Any software that does something that creates a barrier to the user, computer, or networks — such as Viruses, Trojan Horses, Worms, Rootkits, Scareware, and Spyware — can be considered Malware Analysis.

While malware appears in many different forms, common techniques are used to Analyze Malware. Which technique your choice employs will depend on your goals.

The Goals of Malware Analysis


The purpose of Malware Analysis is usually to provide you with the information needed to respond to network intrusion. Your goals will usually be to determine what happened and to ensure that you are located on all infected machines and files.

When analyzing suspicious Malware, your goal will usually be to determine what a particular suspect binary can do, how to detect it on your network, and how to measure and contain its damage.

Once you identify which files require a complete analysis, it is time to develop a signature to detect malware infections on your network. Malware Analysis can be used to develop host-based and network signatures.

Host-based signatures or indicators are used to detect malicious code on victim computers.

These indicators often identify created or modified files. Malware or specific changes that make it to the registry.

Unlike antivirus signatures, malware indicators focus on what malware does in a system, and not on the characteristics of the malware itself, which makes them more effective in detecting malware, which changes the form or which is hard Has been removed from disk.

Network signatures are used to detect malicious code by monitoring network traffic. Network signatures can be created without Malware Analysis, but signatures created with the help of malware analysis are generally far more effective, offering a higher detection rate and lower false positives.


After obtaining the signature, the ultimate objective is to find out how the malware works. This is the most frequently asked question by senior management, who want a full description of a major intrusion.

Malware Analysis Techniques

Most often, when Analyzing Malware, you will only have a malware executable, which will not be human-readable.

To find out what this means, you will use a variety of tools and tricks, each of which reveals a little information. To see the full picture you have to use many types of devices.

There are two fundamental approaches to Malware Analysis: 

  1. Static Malware Analysis  
  2. Dynamic Malware Analysis.

Static Malware Analysis: involves testing malware without running it.

Dynamic Malware Analysis: involves running malware. Both techniques are classified as basic or advanced.

Basic Static Malware Analysis 


Basic Static Malware Analysis involves checking the executable file without looking at the actual instructions.

Basic static malware analysis can confirm if a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to create a simple network signature.

Basic static malware analysis is straightforward and can be quick, but it is largely ineffective against sophisticated malware, and it can remember important behaviors.

Basic Dynamic Malware Analysis 


Basic Dynamic Malware Analysis techniques include running the malware and observing its behavior on the system to eliminate infection, producing effective signatures, or both.

However, before you can run malware safely, you will need to create an environment that allows you to study malware running without damaging your system or network.

Like basic static analysis techniques, basic dynamic analysis techniques can be used by most people without in-depth Programming Knowledge, but they will not be effective with all malware and may miss critical functionality.

Advanced Static Malware Analysis


Advanced static analysis involves reverse-engineering malware interns to load the executive into the disassembler and to see the program's instructions for viewing the program.

Instructions are performed by the CPU, so advanced static analysis tells you exactly what the program does.

However, there is a stator learning curve compared to advanced static analysis Basic Statistical Analysis and Disassembly, Building Code, and Special Knowledge of Windows Operating System Concepts.

Advanced Dynamic Malware Analysis


Uses advanced dynamic analysis debugger to check the internal state Malicious executable. 

Advanced dynamic analysis techniques provide another way to extract detailed information from an executable. 

Techniques are most useful when you are trying to get information It is difficult to assemble with other techniques.

Types of Malware Analysis


When analyzing malware, you'll find that you can often speed up
Your analysis by making educated guesses about what malware is trying to do And then confirm those hypotheses. Of course, you will be able to Better guess if you know the type of malware that malware usually does.

To that end, here are the categories that fall under most malware:

Backdoor malicious code that installs itself into the computer to allow Attacker Access. The backdoors usually allow the attacker to connect A computer with little or no authentication and executes commands on its local mode.

The botnet is like a back door, in which it allows access to the attacker The system, but all computers infected with the same botnet receive the same Instructions from a single command-and-control server

The downloader is malicious code that only exists to download other malicious code. Downloaders are usually installed by attackers when they Get access to a system first. The downloader will download the program and Install additional malicious code.

Information-stealing malware that collects information The victim's computer and usually sends it to the attacker. examples include Sniffers, password hash grabbers, and keyloggers.

This malware is commonly used to gain access to online accounts such as email or online banking.

Launcher malicious programs used to launch other malicious programs. Typically, launchers use nontraditional techniques to launch other malicious programs to ensure stealth or greater access to the system.

Rootkit Malicious Code designed to hide the existence of other
Code. A rootkit is usually associated with other malware, such as backdoor, Allow remote access to the attacker and make code difficult To locate the victim.

Scareware Malware is designed to scare you into buying an infected user. something. It usually has a user interface that makes it look like antivirus or any other security program.

This informs users that they have malicious code on their system and the only way to get rid of it is to buy their "software" when in fact, the sale of software does nothing more than removing the spyware.

Send spam-malware malware that infects a user's machine and then
Uses that machine to send spam This malware generates income for
By allowing attackers to sell spam-sending services.

Worm or virus malicious code that can copy itself and infect an additional computer.

Malware is often spread in many categories. For example, a program There may be a keylogger that collects passwords and a worm component Sends spam. Do not interrupt too much to classify malware according to working capacity.

Malware can also be classified as to what the purpose of the attacker is Massively or targeted. Mass malware, such as scareware, takes the shotgun approach and is designed to affect as many machines as possible.

Of the two objectives, it is the most common and is usually less sophisticated and able to be easily detected and defended as security software targets it.

Targeted malware, like back-to-back types, is tailored to a specific organization. Targeted malware is a greater threat than network
Malware on a large scale because it is not comprehensive and your security products Maybe this will not protect you.

Without a detailed analysis of targeted malware, it is almost impossible to protect your network from that malware and remove the infection.

Targeted Malware is usually very sophisticated,

General Rules for Malware Analysis


First of all, do not get caught in the details too. Most malware programs are Large and complex, and you probably can not understand every detail. Focus On key features instead. When you run into difficult and complex sections, try to get a general overview before you get caught in the weeds.

Second, remember that different tools and approaches are available.
Different jobs. There is no point of view. Every situation is different, and the different tools and techniques you learn have the same and sometimes overlapping functionality. If you don't have luck with one device, try another.

If you get stuck, don't spend too long on any one issue; Proceed to something else. Try analyzing malware from another angle, or simply try a different approach.

Finally, remember that malware analysis is like a cat-and-mouse game. As New malware analysis techniques have been developed, malware writers give feedback With new techniques to thwart the analysis.


To be successful as a malware analyst, you must be able to identify, understand and defeat these techniques, and respond to changes in the art of Malware Analysis.

Related:



1 comment: