Malware Analysis Primer
Goals of Malware Analysis
To determine exactly what has happened, so that every infected machine and file is located, and then to develop signatures (host-based and network-based)
Types of signatures
Host-based signatures are used to detect malicious code on victim computers by identifying the files that the malware creates or modifies
Network-based signatures are used to detect malicious code by monitoring network traffic
Finally, we figure out how the malware works
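The two signature types above, as an added example that is not part of the original notes: a host-based check that looks for known file hashes and file paths on a host snapshot, and a network-based check that matches beacon-shaped request lines in a proxy log. Every indicator, file and log line here is constructed for the demonstration; the hash is computed from a constructed byte string, not taken from any real sample.

```python
"""Host- and network-based signature matching over constructed sample data.

Added example, not from the original notes. The indicator set, the "files"
and the log lines are all constructed here for illustration.
"""
import hashlib
import re

# Constructed dropper body: the signature stores only its hash, never the file.
_DROPPER_BODY = b"MZ\x90\x00constructed-dropper-body-for-demo"

HOST_SIGNATURES = {
    # Hash of a file the malware is known to write to disk.
    "sha256": {hashlib.sha256(_DROPPER_BODY).hexdigest()},
    # Path the malware is known to create (constructed value).
    "paths": {r"C:\Users\Public\svch0st.exe"},
}

# Network signatures: constructed beacon shapes, matched one log line at a time.
NETWORK_SIGNATURES = [
    ("beacon-uri", re.compile(r"^(?:GET|POST) /gate\.php\?id=[0-9a-f]{16} HTTP/1\.1$")),
    ("beacon-ua", re.compile(r"User-Agent: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$")),
]

# Constructed host snapshot as (path, content) pairs. Exactly two should match.
SAMPLE_FILES = [
    (r"C:\Users\alice\report.docx", b"PK\x03\x04 ordinary document"),
    (r"C:\ProgramData\update.dat", _DROPPER_BODY),              # hash hit, path differs
    (r"C:\Users\Public\svch0st.exe", b"MZ different content"),  # path hit, hash differs
]

# Constructed proxy log excerpt: one request line or header per entry.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "POST /gate.php?id=3fa9c0d1e2b4a5f6 HTTP/1.1",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
]


def match_host(files):
    """Return (path, reason) for each file that matches a host-based signature."""
    hits = []
    for path, content in files:
        if hashlib.sha256(content).hexdigest() in HOST_SIGNATURES["sha256"]:
            hits.append((path, "sha256"))
        elif path in HOST_SIGNATURES["paths"]:
            hits.append((path, "path"))
    return hits


def match_network(lines):
    """Return (signature name, line) for each log line matching a network signature."""
    return [(name, line) for line in lines
            for name, pat in NETWORK_SIGNATURES if pat.search(line)]


if __name__ == "__main__":
    for hit in match_host(SAMPLE_FILES) + match_network(SAMPLE_LOG):
        print(hit)
```

Note that the hash signature catches the dropper even after it is renamed, while the path signature catches a new file dropped at the known location even when its content changes; a signature set that carries both kinds survives the simple evasions that defeat either one alone.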
Malware Analysis Techniques
Types of techniques
Static Analysis
Examining the executable
Reverse engineering the malware’s internals by disassembling it and looking at its instructions
Dynamic Analysis
Running the malware and examining its behavior in order to remove its infection and create signatures
Quite often we use a debugger to understand how malware is being
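A small instance of static analysis as described above, added as an example that is not part of the original notes: the executable is never run; instead, printable ASCII and UTF-16LE strings are pulled out of the raw bytes and sorted into URLs, Windows paths and other text, which is typically the first pass an analyst makes before disassembly. SAMPLE_BINARY is a constructed byte buffer standing in for an executable.

```python
"""Minimal static analysis: pull printable strings out of a binary blob and
sort them into indicator types.

Added example, not from the original notes. SAMPLE_BINARY is a constructed
byte buffer standing in for an executable; no real malware is involved.
"""
import re

# Constructed stand-in for an executable: header bytes, non-printable filler,
# an ASCII URL, an ASCII path, a UTF-16LE command string and a too-short string.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"http://example.invalid/update.bin\x00" + bytes(range(1, 20))
    + b"C:\\Windows\\Temp\\payload.dll\x00" + b"\xff\xfe" * 5
    + "cmd.exe /c".encode("utf-16-le") + b"\x00\x00" + b"ab\x00"
)


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+$")


def classify(strings):
    """Group extracted strings into URLs, Windows paths and everything else."""
    groups = {"urls": [], "paths": [], "other": []}
    for s in strings:
        if URL_RE.search(s):
            groups["urls"].append(s)
        elif WIN_PATH_RE.match(s):
            groups["paths"].append(s)
        else:
            groups["other"].append(s)
    return groups


def analyze(data=SAMPLE_BINARY):
    """Run string extraction and classification over one binary blob."""
    return classify(extract_strings(data))


if __name__ == "__main__":
    for kind, items in analyze().items():
        print(kind, items)
```

Scanning for UTF-16LE as well as ASCII matters on Windows samples, where command lines and registry paths are often stored wide and would be missed by an ASCII-only pass; the minimum length keeps short accidental runs of printable bytes out of the output.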
Types of Malware
Backdoor —> Malicious code that is installed on a system and allows the attacker to gain access to the local system with little or no authentication
Botnet —> Similar to a backdoor, but it allows the attacker to send commands to all infected machines from a central command-and-control (C2) server
Downloader —> Malicious code that downloads additional malicious code
Information-stealing malware —> Malware that steals sensitive data from the victim’s computer and sends it to the attacker
Launcher —> Used to launch other malicious programs
Rootkit —> Code designed to hide other malicious programs
Scareware —> Designed to frighten the user into buying “software”
Spam-sending malware —> Sends spam, allowing attackers to generate income from that process
Worm or Virus —> Code that can copy itself and infect additional computers
Tips and Tricks
Focus on key features rather than dissecting every detail, as malware is a complex piece of software
Try analyzing malware from different approaches and angles using different tools; don’t get stuck on one
Recognize, understand and defeat the new and emerging techniques used by malware authors as they appear