Malware Analysis 101

Brief Basics of Malware Analysis

I have had requests recently to post about the basics of malware analysis techniques, tools, and knowledge. I recently gave a talk at the CT HTCIA meeting on this topic, so I figured I’ll do a blog post with some notes to back that up.

  • Malware analysis is the process of scrutinizing malware to identify its functionality, the overall threat, how to prevent & eliminate the infection, and to determine its attack path (how it got into a system)
  • Common malicious files
    • Executables (exe)
    • Dynamic Link Libraries (dll)
    • Portable Document Format (PDF) — uses JavaScript
    • Microsoft Office files (doc, xls, ppt, etc.) — uses VBA Macros

Basic Methodology

  • Identify & extract malicious file(s)
    • AV scans, running processes in task manager, RAM dump
  • Generate hash values
    • Helps identify different variants of malware.exe
    • *It’s a good idea to rename the malware as the hash value without the file extension to prevent accidental execution (Windows won’t automatically run an exe when double clicked unless .exe is attached to the file name)
  • Research to see what its reputation is
  • Build and configure sandbox/analysis environment
  • Analyze
  • Respond
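
The hash-and-rename step above as a small script. This is an added example, not code from the original post; the function names and the choice of SHA-256 for the file name are assumptions.

```python
import hashlib
import stat
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large samples are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def quarantine_rename(path):
    """Rename a sample to its SHA-256 with no extension and clear execute bits."""
    path = Path(path)
    md5, sha256 = hash_file(path)
    target = path.with_name(sha256)  # no ".exe", so a double click will not launch it
    if target.exists() and target != path:
        # Same hash means same bytes: keep the stored copy, drop the duplicate.
        path.unlink()
    else:
        path.rename(target)
    mode = target.stat().st_mode
    target.chmod(mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return target, md5, sha256


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        new_path, md5, sha256 = quarantine_rename(name)
        # Either digest can be used for the reputation lookup in the next step.
        print(f"{name} -> {new_path}\n  md5={md5}\n  sha256={sha256}")
```

Two differently named copies of the same variant end up as one file, which makes duplicates obvious.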

Sandbox Environment

  • Virtual Machine and/or designated computer
    • No patches — the more vulnerable the better
    • No VMware tools — we want to eliminate as much of the VMware traces as possible
    • Take frequent snapshots — clean, tools configured, infected (I like to name them Ready, Set, Go 😀 )
    • Both 32-bit and 64-bit operating systems (XP or 7 works fine) because sometimes 32-bit malware won’t run properly in a 64-bit OS
    • Use a Unix-based host OS (if using a virtual machine for analysis) because being new to malware, if something accidentally leaks out, your host OS won’t be infected (theoretically)
    • If you’re really ambitious, use hacks to hide traces of VMware
    • Run it under an admin account (I like to see what it will do worst case scenario)
  • Install and configure analysis tools
  • Set the VM to host-only network — this will use the host machine to create its own LAN and limits internet access
    • Or just set up a totally different, isolated Malware network

Static Analysis

“Dead/Code Analysis” — scanning the malicious file without executing it

  • Goal – to get an idea of what the code does before executing it
    • Imports
    • Functions
    • Strings
    • Timestamps
    • Programming language it’s written in
  • *STATIC ANALYSIS IS ONLY APPROXIMATE AT BEST
  • Tools
    • AV/Malware removal scanners
    • www.virustotal.com — allows you to upload a malicious file and it will do (most) of your static analysis for you (not 100% accurate every time)
    • Heaventools PE Explorer — identifies imports, functions, and headers
    • PEiD — determines if the malware is obfuscated or packed (scrambled and compressed)
    • Strings — command line tool that will pull out strings of Unicode within the file
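
To show what two of those static goals (timestamps and strings) look like at the byte level, here is an added example that is not from the original post or from any of the tools listed. It reads the compile timestamp from the PE header and pulls ASCII and UTF-16LE strings; the sample buffer is constructed and non-functional, and all function names are assumptions.

```python
import re
import struct
from datetime import datetime, timezone


def pe_compile_time(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    # The linker writes this field and it can be altered, so treat it as a hint only.
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def extract_strings(data, min_len=5):
    """Return printable ASCII, then UTF-16LE, strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def build_sample():
    """Constructed buffer with just enough PE header to parse; it cannot execute."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew points to 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 1262304000, 0, 0, 0xE0, 0x102)
    body = (b"\0" * 16 + b"URLDownloadToFileA\0" + b"\x01\x02"
            + "http://example.invalid/a".encode("utf-16-le") + b"\0\0")
    return dos + coff + body


if __name__ == "__main__":
    sample = build_sample()
    print("compiled:", pe_compile_time(sample))
    for s in extract_strings(sample):
        print("string:  ", s)
```

A packed or obfuscated file will parse the same way but yield few readable strings, which is itself a useful signal.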

Dynamic Analysis

“Live/Behavioral Analysis” — running the malware live in a sandbox

  • Goal – to see how the code behaves in-action
    • Changes made
    • Downloads/uploads
    • Network connections
    • Processes
    • Symptoms
  • Tools
    • RegShot — take a registry snapshot before and after infection, compare, and identify the changes made to the registry
    • Process Monitor — real-time registry, process, network, and file system activity monitor (this data can be incredibly overwhelming, I did a post a while back on filtering in Process Monitor here)
    • ApateDNS — Fake DNS — tricks the malware into thinking it’s connecting to the internet to activate, when it’s actually just getting responses from ApateDNS. Also logs the DNS requests
    • Microsoft Network Monitor — It’s just a network monitor that’s NOT Wireshark, which is important (see Obstacles)
    • Fiddler — website debugger
    • Memory capture tools of your preference

Obstacles

Not every piece of malware behaves the same

  • Won’t execute if certain tools are installed (VMware related tools, Wireshark) because then it knows it’s being analyzed
  • Won’t run without internet access (needs to call home to “activate”)
  • Won’t run in certain OS versions (SP3, 64-bit vs 32-bit, etc)
  • Won’t run in a Virtual Machine because then it knows it’s being analyzed (that’s where a separate computer or VMware hacks come in handy)
  • Kills the processes for all monitoring tools so you lose all data
  • Waits until a certain time/day/action to activate (waits for 3 days after infection, or until you launch IE, etc. That’s where research comes in handy)
  • Runs differently during every execution (I usually run malware 3 times)
  • Infects too quickly
  • Morphs (changes IP addresses, process names, etc)
  • Packed or obfuscated (hinders static analysis)
  • Deletes itself
  • Incredibly sneaky (unsure if you actually infected the sandbox)

1 thought on “Malware Analysis 101”

  1. You can definitely see your expertise in the article you write. The arena hopes for more passionate writers such as you who aren’t afraid to mention how they believe. All the time go after your heart.
