Emily Stamm

Malware Analysis: Your Options to Understanding Their Behavior



Ever wonder what a malware infection can do to your computer or organization? If you are curious about how malware behaves, then performing malware analysis is the way to go. Often, while you browse the Internet, you may visit a malicious site, accidentally click on a malware ad, or download software containing embedded malware that can infect your system without your knowledge. If this occurs, your computer becomes the victim of a malware infection or may become part of a larger scheme to infect other devices on your own network and beyond.


Performing malware analysis is a valuable skill to develop, whether for personal interest or as part of your cyber career. It’s important to understand what your malware analysis options are. Malware analysis is the process of understanding what malware does, how it behaves, where it tries to connect, and ultimately the purpose it tries to achieve.


There are four main stages of malware analysis:

(Ordered from least detailed and least complex to most detailed and most complex.)

  1. Fully automated analysis

    1. Using a sandbox to analyze malware samples with pre-built analysis tools

  2. Static property analysis

    1. Looking at malicious file metadata in an isolated environment without execution

  3. Interactive behavior analysis

    1. Executing malware in an isolated environment and observing its behavior

  4. Manual code reverse engineering

    1. Using debuggers and disassemblers to reverse engineer the code and identify what it tries to achieve

Generally, the techniques for these stages of malware analysis fall into three categories: static, dynamic, and hybrid. Static malware analysis covers the static property analysis and manual code reverse engineering stages. This is where you analyze malware behavior by dissecting the malicious program, file, or executable with various static analysis tools, without executing the malware. Dynamic malware analysis covers the fully automated analysis and interactive behavior analysis stages. This is where you observe and analyze malware behavior by executing the malware in a sandboxed or controlled environment, thereby identifying how, where, or what it tries to do in an automated fashion. Hybrid malware analysis combines techniques from both static and dynamic analysis using various tools, techniques, and solutions. There is no single way to perform malware analysis, and any of these approaches provides the means to understand what malware tries to accomplish.
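To make the static property analysis stage concrete, here is an added example (not part of the original article) that reads a file's hash, PE header fields, and per-section entropy from raw bytes without loading or executing anything. The function names and the inert sample buffer are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packed or encrypted data."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def static_properties(data: bytes) -> dict:
    """Read PE metadata straight from the bytes; the file is never loaded or run."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of the PE header
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(entropy(raw), 2)})
    return {"sha256": hashlib.sha256(data).hexdigest(), "machine": hex(machine),
            "timestamp": timestamp, "sections": sections}

def build_sample() -> bytes:
    """Constructed, inert PE-shaped buffer: headers plus filler bytes, no real code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, 0, 0x22)
    body = 64 + 4 + 20 + 2 * 40                               # first byte after the headers
    text = b"\x90" * 256                                      # one repeated byte: entropy 0.0
    packed = bytes(range(256))                                # uniform bytes: entropy 8.0
    s1 = struct.pack("<8sIIII", b".text", 256, 0x1000, 256, body) + b"\0" * 16
    s2 = struct.pack("<8sIIII", b".packed", 256, 0x2000, 256, body + 256) + b"\0" * 16
    return dos + b"PE\0\0" + coff + s1 + s2 + text + packed

if __name__ == "__main__":
    print(static_properties(build_sample()))
```

The SHA-256 value is what you would look up in a service such as VirusTotal, and a section with entropy close to 8.0 is a common hint that the sample is packed and will need further analysis.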


When preparing for malware analysis, the first thing to consider is the use of a sandboxed environment with the right tools to dissect the malware behavior. The choice of a specific virtual environment can be influenced by which approach you take, so it is a good idea to have a path in mind. Options include online malware analysis tools, or a virtual machine (VM) environment on VirtualBox or VMware running a Linux distro or any pre-built VM image with pre-installed malware analysis tools. Some examples for malware analysis environments include:

One of the main things to consider when dealing with a virtual environment is to use a separate physical computer with the malware analysis VMs loaded and ready to use. That is, keep your personal computing use and needs separate from the malware VM environment. This ensures that your personal data is protected from the risk of malware leaking out of your VM.


Once you’ve decided on the approach (type of analysis and environment) that you want to take, understand there are various malware analysis tools at your disposal. Consider the following tools:

  • Wireshark

  • Fiddler

  • VirusTotal

  • Ghidra

  • Process Monitor

  • PeStudio

  • Process Explorer

  • x64dbg

  • Autoruns

  • Process Hacker

  • PDF Examiner

  • Radare2/Cutter

Many of these tools are pre-loaded on VMs such as FLARE VM or REMnux, but you can also build your own VM with a customized set of malware analysis tools, whether in a Windows environment or a Linux distro environment.


For more information and resources on malware analysis, check out these great links:


A great number of recommended books for malware analysis and other great resources can also be found on these sites.

About the Author: Reynaldo Gonzalez is a member of CSNP leading the Houston Chapter, a Principal Cybersecurity Architect at United Airlines, and is an adjunct professor at Lonestar College CyFair teaching Cisco networking and cybersecurity courses.


Disclaimer: The content and information provided in this blog is provided for informational purposes as the sole opinion of the author for CSNP dedicated to providing cybersecurity knowledge to the community and in no way represents the author’s employers and employer affiliation.
