Malware analysis

What is a malware?

Malware or malicious software is a computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies.

What is a malware analysis?

Malware Analysis is the study of a malware by dissecting its different components and studying its behavior on the host computer's operating system.^[1]

What are the types and techniques of malware analysis?

There are two main techniques of malware analysis:

1. Static Malware Analysis: This is usually done by dissecting the different resources of the binary file and studying each component. The binary file can also be disassembled (reverse engineered) using a disassembler such as IDA. The machine code can be translated into Assembly code which can be read and understood by humans. A malware analyst can then make sense of the Assembly instructions and have an image of what the program is supposed to perform. Analyst can also learn ways to defeat and as a result sanitize the system from the infection of the disassembled malware.
2. Dynamic Malware Analysis: This is done by watching and logging the behavior of the malware while running on the host. Virtual machines and Sandboxes are extensively used for this type of analysis. The malware is debugged while running using a debugger such as GDB or WinDbg to watch the behavior of the malware step by step while its instructions are being processed by the processor and their live effects on RAM.

Prerequisites and needed skills for malware analysis

A malware analyst will have strong programming skills and must be very detail oriented.

Malware analysis is a branch of reverse engineering. Reverse engineering itself has many sub domains from binary auditing, exploits dev, intellectual property and algorithm analysis, to encryption analysis, protocol analysis and data format analysis among others. Bulk of the tools and techniques are created in tandem with the underground community of software crackers (+ORC/The Scene) and malware writers and the legacy is very rich. Much of malware does not come packed with a dongle protector from CodeMeter or FlexLM or VirtualProtect and most have size restrictions (unlike a few like Flame) hence they focus on packers and armourers which are not as intensive as copy protection. Most of the packers and compressors are already analyzed and subverted, thus the only impediment for successful malware analysis is dealing with the available anti-debugging and anti-disassembly tricks as well as obfuscation and packing. The rest boils down to API pattern analysis, disassembly of the executable to dissect the payload codes and supplementing information with sandboxes and monitoring. Sometimes you will have to combine areas from the above and deal with malware specific data formats or communication protocols and things like that.

Malware analysts have to be well informed and thorough and must be able to figure out procedures to extract as much detail as can be done from the malware. Strong knowledge of the execution environment (OS) and the tools of the trade are a sure shot recipe for success for any one looking to pursue this line of work, along with a healthy dose of patience.

Reverse engineering as seen from the perspective of software cracking and binary auditing takes a lot of skill to do it right. Malware analysis is a more specialized use of reverse engineering requiring a specific set of applicable skills to function properly on the job.

It also has to do with attitude and aptitude - there are excellent people who like to focus on network based security , write compilers and linkers, some like to make exploits and work with shellcode, others like to deal with hardware reversing, some like to write malware engines and some like to work specifically with malware. You choose where you fit and excel at that.

At some point the denominations blur.

References