As described by Mr. Lenny Zeltser, malware analysis can occur in 4 distinct phases. These steps and methods are listed in order from easiest to hardest. They are:
- Fully Automated Analysis
- Static Properties Analysis
- Interactive Behavior Analysis
- Manual Code Reversing
Fully automated analysis involves the use of tools that scan files and produce reports on their findings. Such tools are usually commercially developed, with canned reports and recommendations on how to address the malware. The downside of fully automated tools is that they often don't provide as much insight into a piece of malware as an investigator would gain using more manual processes.
The next step and/or method of analyzing malware is examining the static properties of a file. Static properties include things like hashes, file header details, packer signatures and metadata. This type of information helps to identify malware quickly, which allows for quick searches for known ways to address it. This method can be very effective for widely known pieces of malware, but not for more unique ones, where less information may be available to identify and address them.
The next step or method is interactive behavioral analysis. This involves a technician with the appropriate skill set actually running and observing the malware in a number of controlled environments. The malware may run in an isolated lab environment, or it could run in an environment that allows it to connect back to command and control servers elsewhere. When this is done, the technician is able to monitor and in some cases duplicate the behavior of the malware, which ultimately allows for a much deeper understanding of how the malware works and what it is capable of. The most important aspect of this method is the skill set of the person performing the work. It would be helpful if the person had a background in network administration and some coding experience as well.
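Static properties analysis as described above, as an added example that is not from the original post or from Zeltser's materials: a Python 3 script (standard library only) that computes file hashes, parses the PE file header and section table, measures per-section entropy as a packer heuristic, flags the UPX section-naming convention and sections that are both writable and executable, and pulls printable strings. The input is a constructed PE-shaped byte blob built inline, not a real sample; the 7.0 entropy threshold and the 6-character minimum string length are choices made for this example.

```python
import hashlib
import math
import struct
from collections import Counter

# ---- Constructed sample ----------------------------------------------------
# A minimal PE-shaped byte blob built inline so the example runs offline. It is
# NOT a real executable: a DOS header, PE/COFF header and two sections, one of
# which mimics a UPX-packed section (name plus high-entropy contents).
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"                       # DOS magic
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of the PE header
    # PE signature + COFF header: Machine (0x14c = i386), NumberOfSections,
    # TimeDateStamp (constructed value), symbol table ptr/count,
    # SizeOfOptionalHeader (0 here), Characteristics.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x5B000000, 0, 0, 0, 0x0102)

    def section(name, vsize, vaddr, rsize, raddr, chars):
        # IMAGE_SECTION_HEADER is 40 bytes; relocation/line-number fields zeroed.
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raddr, 0, 0, 0, 0, chars)

    hdr_len = 64 + len(coff) + 2 * 40
    text = b"This program cannot be run in DOS mode.\0" + b"\x00" * 24  # low entropy
    upx = bytes((i * 97 + 13) % 256 for i in range(256))               # each byte value once: entropy 8.0
    sec_text = section(b".text", len(text), 0x1000, len(text), hdr_len, 0x60000020)            # code|exec|read
    sec_upx = section(b"UPX1", len(upx), 0x2000, len(upx), hdr_len + len(text), 0xE0000040)  # data|exec|read|write
    return bytes(dos) + coff + sec_text + sec_upx + text + upx


# ---- Static property extraction --------------------------------------------
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0   # heuristic threshold chosen for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed or encrypted, plain code is usually lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long (what the `strings` tool would show)."""
    out, run = [], bytearray()
    for b in data + b"\0":            # sentinel flushes a trailing run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def static_properties(data: bytes) -> dict:
    props = {"sha256": hashlib.sha256(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
             "size": len(data), "sections": [], "indicators": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        props["indicators"].append("not a PE file (no MZ header)")
        return props
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        props["indicators"].append("bad PE signature at e_lfanew")
        return props
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    props.update(machine=hex(machine), number_of_sections=nsec, timestamp=ts)
    sec_table = pe_off + 24 + opt_size     # section headers follow the optional header
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + i * 40)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, rsize, raddr, chars = fields[1], fields[3], fields[4], fields[9]
        ent = shannon_entropy(data[raddr:raddr + rsize])
        props["sections"].append({"name": name, "virtual_size": vsize, "raw_size": rsize, "entropy": round(ent, 2)})
        if name.upper().startswith("UPX"):
            props["indicators"].append(f"section {name!r} follows the UPX packer naming convention")
        if ent > HIGH_ENTROPY:
            props["indicators"].append(f"section {name!r} entropy {ent:.2f} suggests packed or encrypted content")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            props["indicators"].append(f"section {name!r} is both writable and executable")
    props["strings"] = extract_strings(data)
    return props


if __name__ == "__main__":
    import json
    print(json.dumps(static_properties(build_sample_pe()), indent=2))
```

The hashes are what you would submit to a reputation service or search for in existing reports; the section entropy, section names and permission flags are the "packer signature" style hints that tell you whether the strings and headers you see are the real program or just an unpacking stub, which is exactly the situation where static analysis alone stops being enough.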
The last method I will discuss is manual code reversing. This method requires the use of a code disassembler and a debugger, which could be accompanied by a decompiler, various plug-ins and other tools as needed. The ability to capture and dump the contents of the memory of a system is important as well. Reverse engineering malware can provide the following benefits:
- Decoding of encrypted data stored by the malware
- Logic determination and algorithm generation
- Understanding other malware capabilities not discovered in other steps
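The first benefit listed above, decoding data that the malware stores in obfuscated form, as an added example that is not from the original post or from Zeltser's materials: a Python 3 script that recovers a single-byte XOR key by brute force and then parses the recovered configuration. The obfuscated blob, the key 0xA7, the field names and the `k=v;k=v` layout are all constructed for this example; in practice the crib (a substring the analyst knows must appear, such as a field name seen in the disassembly) comes from the reversing work itself.

```python
from typing import Optional


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab/newline/CR count as printable)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(blob: bytes, crib: bytes, min_printable: float = 0.9) -> Optional[int]:
    """Brute-force all 256 single-byte keys. A key is accepted only when the
    decoded bytes are mostly printable AND contain the crib. Returns None when
    no key satisfies both conditions."""
    for key in range(256):
        decoded = xor_single_byte(blob, key)
        if printable_ratio(decoded) >= min_printable and crib in decoded:
            return key
    return None


def parse_config(text: str) -> dict:
    """Split 'k=v;k=v' pairs into a dict (the constructed config's own layout)."""
    out = {}
    for field in text.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k.strip()] = v.strip()
    return out


# Constructed sample: a config string stored the way a sample might embed it,
# obfuscated with the single-byte key 0xA7. The hostname uses the reserved
# .invalid TLD so the value can never resolve.
CONSTRUCTED_KEY = 0xA7
CONSTRUCTED_PLAINTEXT = "c2=example.invalid:8443;sleep=300;id=lab-sample-01"
ENCODED_BLOB = xor_single_byte(CONSTRUCTED_PLAINTEXT.encode("ascii"), CONSTRUCTED_KEY)


def decode_embedded_config(blob: bytes = ENCODED_BLOB, crib: bytes = b"c2=") -> Optional[dict]:
    """Recover the key from the blob and return the parsed config, or None."""
    key = recover_single_byte_xor_key(blob, crib)
    if key is None:
        return None
    return parse_config(xor_single_byte(blob, key).decode("ascii", "replace"))


if __name__ == "__main__":
    print("key:", hex(recover_single_byte_xor_key(ENCODED_BLOB, b"c2=")))
    print(decode_embedded_config())
```

The printable-ratio filter on its own is not enough: for short text many keys produce readable-looking output, so the crib is what makes the answer unambiguous, and a two-byte crib can still match spuriously, so use several distinctive bytes. Anything beyond a trivial single-byte scheme (a multi-byte key, RC4, AES) is where the debugger and disassembler come in, since the key and algorithm then have to be lifted from the code rather than guessed.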
All or any one of the above methods can be used during the investigation of an incident or intrusion. It really depends a lot on the expertise of the technician performing the analysis, what information they are seeking, and how far he or she is willing to go to get that information. Reverse engineering will provide the most comprehensive understanding of a piece of malware when compared with the other methods. See a short video on protecting yourself from malware here. Click here to review some malware analysis tools and techniques.
References
Zeltser, L. (2015, February 19). Mastering 4 Stages of Malware Analysis. Retrieved June 17, 2018, from https://zeltser.com/mastering-4-stages-of-malware-analysis/
Aubert, M. (2017, February 01). Malware Analysis for the Incident Responder. Retrieved June 17, 2018, from https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder
With thanks! Valuable information!