• CSNP

Malware Analysis: Your Options to Understanding Their Behavior

Author Reynaldo Gonzalez


[Image: black background, red bug under magnifying glass. Photo Source: InfoSec Insights via https://sectigostore.com/blog/malware-analysis-what-it-is-how-it-works/]


Ever wonder what a malware infection can do to your computer or organization? If you are curious about how malware behaves, then performing malware analysis is the way to go. Often, while you browse the Internet, you may visit a malicious site, accidentally click on a malware ad, or download software containing embedded malware that can infect your system without your knowledge. If this occurs, your computer becomes the victim of a malware infection or may become part of a larger scheme to infect other devices on your own network and beyond.


Performing malware analysis is a great skill to develop, whether for personal interest or as part of your cyber career. It’s important to understand what your malware analysis options are. Malware analysis is the process of understanding what malware does, how it behaves, where it tries to connect, and ultimately the purpose it tries to achieve.


There are four main stages of malware analysis:

(From less detailed and decreased complexity, to more detailed and increased complexity.)

  1. Fully automated analysis: using a sandbox to analyze malware samples with pre-built analysis tools

  2. Static property analysis: looking at malicious file metadata in an isolated environment without execution

  3. Interactive behavior analysis: executing malware in an isolated environment and observing its behavior

  4. Manual code reverse engineering: using debuggers and disassemblers to reverse engineer the code and identify what it tries to achieve

Generally, the techniques for these stages of malware analysis fall into three categories: static, dynamic, and hybrid. Static malware analysis covers the static property analysis and manual code reverse engineering stages. Here you analyze malware behavior by dissecting the malicious program, file, or executable with various static analysis tools, without executing the malware. Dynamic malware analysis covers the fully automated analysis and interactive behavior analysis stages. Here you observe and analyze the malware's behavior by executing it in a sandboxed or controlled environment, thereby identifying how, where, or what it tries to do in an automated fashion. Hybrid malware analysis combines techniques from both static and dynamic analysis using various tools, techniques, and solutions. There is no one way to perform malware analysis, and any of these approaches provides the means to understand what malware tries to accomplish.
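As an added illustration of the static property analysis stage (not code from the original article), the Python sketch below reads hashes, entropy, and PE header fields from raw bytes without executing anything. The function names are assumptions of this example, and `build_sample` returns a constructed, inert byte string rather than a real program.

```python
import hashlib
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8 suggest packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def static_properties(blob: bytes) -> dict:
    """Collect hashes and PE header metadata from raw bytes. Nothing is executed."""
    props = {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
             "entropy": round(entropy(blob), 2), "is_pe": False, "sections": []}
    # DOS header: 'MZ' magic, with the PE header offset (e_lfanew) stored at 0x3C.
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return props
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return props
    # COFF header: Machine, NumberOfSections, TimeDateStamp, 2 symbol fields, SizeOfOptionalHeader, Characteristics.
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    props.update(is_pe=True, machine=hex(machine), compile_time=stamp)  # timestamp can be forged
    sec_off = pe_off + 24 + opt_size
    for i in range(nsec):
        off = sec_off + 40 * i  # each section header is 40 bytes
        if off + 40 > len(blob):  # truncated or malformed section table
            props["malformed"] = True
            break
        name = blob[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", blob, off + 8)
        raw = blob[rptr:rptr + rsize]
        props["sections"].append({"name": name, "raw_size": rsize, "entropy": round(entropy(raw), 2)})
    return props

def build_sample() -> bytes:
    """Constructed, inert PE-shaped byte string used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 0, 0x102)
    data = bytes(range(256))  # 256 distinct byte values, so entropy is exactly 8.0
    sect = b".text\0\0\0" + struct.pack("<IIII", 256, 0x1000, 256, 0x40 + 24 + 40) + b"\0" * 16
    return dos + coff + sect + data

if __name__ == "__main__":
    print(static_properties(build_sample()))
```
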


When preparing for malware analysis, the first thing to consider is the use of a sandboxed environment with the right tools to dissect the malware behavior. The decision to choose a specific virtual environment can be influenced by which approach you take, so it is a good idea to have a path in mind. This can be done with online malware analysis tools, a virtual machine (VM) environment built on VirtualBox or VMware, and a Linux distro or any pre-built VM image with pre-installed malware analysis tools. Some examples of malware analysis environments include:

One of the main things to consider when dealing with a virtual environment is to use a separate physical computer with the malware analysis VMs loaded and ready to use. That is, keep your personal computing use and needs separate from the malware VM environment. This ensures that y