The Goal of Malware Analysis
The goal is always to gather the information needed to prevent network intrusion.
This also means eradicating every copy of the malware
from every device on the network. To do this you will, more often
than not, be examining a specific binary that is the linchpin of the
whole thing. It is the key to detecting it next time on the network, and
to measuring and containing its damage.
- host-based signatures detect malware on endpoints and in files
- network-based signatures detect malware through network traffic
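As an added illustration of the two signature types above (this is example code, not part of the original notes), the following Python matches a constructed, harmless byte blob against a host-based signature (file hash plus an embedded string) and a constructed traffic log against a network-based signature; the sample file, hostname and request path are all made up for the demo.

```python
import hashlib
import re

# Constructed sample "file": NOT real malware, just bytes invented for this demo.
SAMPLE_FILE = (b"MZ\x90\x00" + b"\x00" * 60
               + b"This program cannot be run in DOS mode." + b"\x00" * 16
               + b"http://update-check.example/cmd" + b"\x00" * 32)

# Host-based signatures: observable on the endpoint (file hash, byte strings).
HOST_SIGNATURES = {
    "known_hash": {hashlib.sha256(SAMPLE_FILE).hexdigest()},  # hash of the constructed sample
    "byte_strings": [b"update-check.example/cmd"],             # string found in the file body
}

# Network-based signatures: observable in traffic (constructed HTTP request lines).
NETWORK_SIGNATURES = [
    re.compile(r"^(GET|POST) /cmd HTTP/1\.[01]$"),
    re.compile(r"^Host: update-check\.example$"),
]

def host_scan(data: bytes) -> list[str]:
    """Return the names of host-based signatures that match the file contents."""
    hits = []
    if hashlib.sha256(data).hexdigest() in HOST_SIGNATURES["known_hash"]:
        hits.append("known_hash")
    for pattern in HOST_SIGNATURES["byte_strings"]:
        if pattern in data:
            hits.append("byte_string:" + pattern.decode())
    return hits

def network_scan(lines: list[str]) -> list[str]:
    """Return the traffic lines that match any network-based signature."""
    return [line for line in lines if any(sig.search(line) for sig in NETWORK_SIGNATURES)]

# Constructed traffic capture: one suspicious request and one benign one.
TRAFFIC = [
    "GET /cmd HTTP/1.1",
    "Host: update-check.example",
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
]

# A one-byte change defeats the hash signature but not the string signature,
# which is why a hash alone is a brittle host-based indicator.
MODIFIED_FILE = SAMPLE_FILE + b"\x00"

if __name__ == "__main__":
    print("host hits (original):", host_scan(SAMPLE_FILE))
    print("host hits (modified):", host_scan(MODIFIED_FILE))
    print("network hits:", network_scan(TRAFFIC))
```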
Malware Analysis Techniques
- Basic Static & Basic Dynamic Analysis
In the former, you’ll be able to look at the file and tell if it’s
malicious or not. In the latter, you get to watch it run from a safe
vantage point and see what it does to your computer.
- Advanced Static & Advanced Dynamic Analysis
In advanced static analysis, you’ll be looking directly at the
binary code, which is not human-friendly. In advanced dynamic
analysis, you’ll be watching the code run in a safe virtual
environment while it goes through a debugger, where you’ll be able to
see what each line of code does.
Types of Malware
To get you up to speed, here’s what you can look for:
- Backdoor: Malicious code that is installed to give the attacker access without
authentication and without sounding an alarm.
- Botnet: Similar to a backdoor, except that many computers are infected with the
same botnet program, so the attacker can issue a single command and
they all follow it.
- Downloader: Malicious code that installs more malicious programs. It is installed
first by the attacker and then does the heavy lifting afterwards.
- Information-stealing malware: Malware that collects information such as passwords through keyloggers,
sniffers, and password grabbers. This is done to get into your email or
online banking.
- Launcher: Stealthy malicious programs, made to evade detection, that launch
already-downloaded malware.
- Rootkit: Malicious code designed to hide other malicious programs. Rootkits are
usually coupled with backdoors to let the attacker continue their
access.
- Scareware: Malware created to scare people into buying a program to get rid of the
scareware. It looks like an anti-virus website or something similar.
- Spam-sending malware: Malware that sends spam from an infected machine. Attackers make money off
of this by selling spam-sending services.
- Worm or virus: Malware designed to make more of itself in the pursuit of infection.
While there are various categories, it’s important not to get
caught up in the weeds. In any case, malware takes one of two
approaches: shotgun or targeted.
Shotgunning is when the malware goes after anything and everything it can
infect, like scareware. The targeted approach requires more finesse and
is directed at a specific company, group of people, or person.
General Malware Analysis Tips
- Get an overview of the whole program and what it does
- Use different tools if the tool you’re using isn’t cutting it for
analysis
- This is a cat-and-mouse game; malware authors are always looking for
ways to thwart malware analysis. It is up to you to understand and
respond to the many ways malicious code may change