Any program that is intended to disrupt computer or network operation, gather sensitive information, or gain access to private computer systems or networks is malware. Viruses, spyware, worms, adware, Trojan horses, rootkits and scareware are all examples of malware. Malware analysis is the art of dissecting malware in order to understand how it works and how to defeat or eliminate it.
There are two fundamental approaches to malware analysis:
- Static analysis, which involves examining and analysing the malware without executing it.
- Dynamic analysis, which involves executing the malware on the system and analyzing it.
Static Analysis approach:
- The very first step in malware analysis is to run the malware through multiple antivirus programs, which may already have identified it. This can save us a lot of time and work. A free online service that analyzes files, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by various antivirus engines and website scanners, is available at https://www.virustotal.com
- Next, hashing is used to uniquely identify the malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware. Searching for that hash online to see whether the file has already been identified can again save us a lot of effort. One online malware hash database can be found at https://isc.sans.edu/tools/hashsearch.html
- Use a strings program such as BinText or Strings to display all the strings within the executable. A program contains strings if it prints a message, connects to a URL, or copies a file to a specific location. These strings can give us an idea of how the executable works. However, if the executable is packed or obfuscated, no useful strings can be seen. In that case dynamic analysis is the option.
- Check the list of dynamically linked libraries in the executable with any of the available tools. The libraries used and the function calls made are often the most important parts of a program, and identifying them is particularly important because it allows us to guess at what the program does. Dependency Walker is one of the commonly used tools; it lists all dependent modules within an executable.
- Finally, the most important and useful static malware analysis technique is disassembling the executable with an assembly-level disassembler such as IDA Pro. IDA Pro is a multi-platform assembly-level disassembler that translates machine-executable code into assembly language source code. It can be run in either text mode or graph mode. Text mode simply presents the code as an assembly listing, whereas in graph mode the code is divided into blocks and arranged according to the logic the program follows while executing, highlighting jumps and branches. Other useful windows IDA Pro provides include the Functions window, Strings window, Names window, Exports window, Imports window and Structures window.
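The hashing and strings steps above can be scripted together. The following Python sketch is an added example, not code from the original article: it computes lookup hashes and extracts ASCII and UTF-16LE strings with their offsets, and it goes one step beyond the text by adding a byte-entropy check as a heuristic for the packed case. The sample buffers and the 7.2 threshold are constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

def file_hashes(data: bytes) -> dict:
    """Digests to look up in an online hash database."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return sorted (offset, encoding, text) for ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8 are typical of packed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(data).values())

def triage(data: bytes, packed_threshold: float = 7.2) -> dict:
    """packed_threshold is an assumed cut-off, not a value from the page."""
    entropy = shannon_entropy(data)
    return {"hashes": file_hashes(data), "strings": extract_strings(data),
            "entropy": round(entropy, 2),
            "likely_packed": entropy > packed_threshold}

# Constructed samples (not real executables).
PLAIN = (b"MZ\x90\x00\x03\x00" + b"\x00" * 8
         + b"http://example.test/update\x00\x01\x02"
         + "cmd.exe /c copy".encode("utf-16-le") + b"\x00\x00")
# Deterministic high-entropy bytes standing in for a packed section.
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED)):
        report = triage(blob)
        print(name, report["hashes"]["sha256"][:16], report["entropy"],
              report["likely_packed"], report["strings"][:3])
```

On the high-entropy buffer the extractor returns only short accidental runs, which is the situation the strings step describes for packed or obfuscated executables.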
Dynamic Analysis approach:
- Check the file system and process activity using Procmon, Process Explorer or any other available tool. Procmon monitors all the system calls it can gather as soon as it is run, whereas Process Explorer monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships.
- Determine the recent registry activity: which keys have been added or deleted recently. Regshot is a good tool for this purpose. Regshot provides a comparison of registry entries before and after running the executable.
- Monitor network activity using ApateDNS or Wireshark. ApateDNS can be used to check the DNS requests made by the malware, whereas Wireshark can be used for packet sniffing.
- Test or examine the execution of the malware by means of a low-level debugger such as OllyDbg or WinDbg. A debugger is a program that is used to test or examine the execution of another program. A low-level debugger traces registers; recognizes procedures, API calls, switches, tables, constants and strings; and locates routines from object files and libraries. It also provides the ability to pause the execution of the program under test and check its state. Below is a snapshot of Olly in action.