Practical Malware Analysis Intro

The Goal of Malware Analysis

The goal is always having information to prevent network intrusion. This also means having the all of the copies of the malware eradicated from all devices on the network. For this to work, you will, more times than not, be looking into a specific binary that’s the lynch pin of the whole thing. It’s the key to detecting it next time on the network. Not only that but measuring and containing its damage.

• host based signatures detect malware on end points and in files
• network based signatures detect malware through network traffic

Malware Analysis Technqiues

1. Basic Static & Basic Dynamic Analysis

In the former, you’ll be able to look at the file and tell if it’s malicious or not. In the latter, you get to watch it run from a safe vantage point and see what it does to your computer.

2. Advanced Static & Advanced Dynamic Analysis

In the advanced static analysis, you’ll be looking directly at the binary code, which is not human friendly. In the advanced dynamic analysis, you’ll be watching the code run from a safe virtual environment while it goes through a debugger, where you’ll be able to see what line of code does what action.

Types of Malware

~To get you up to speed, here’s what you can look for~

• Backdoor

  Malicious code that is installed which allows the hacker access without authentication or needing to sound alarm

• Botnet

  Kinda like the backdoor, only here the computers are infected with the same botnet program, where the attacker can hit a single command and they all follow

• Downloader

  A malicious code that installs more malicious programs. First installed by the attacker and then does the heavy lifting after

• Information stealing malware

  Malware the collects information such as passwords through keyloggers, sniffers, and password grabbers. This is done to get into your email or online banking.

• Launcher

  Stealthy malicious programs, made to evade detection, that launch already downloaded malware.

• Rootkit

  Malicious code designed to hide other malicious programs. They are usually coupled with backdoors to let the attacker continue their access.

• Scareware

  Malware created to scare people into buying a program to get rid of the scareware. Looks like anti-virus websties or something similar.

• Spam Sending Malware

  Malware which sends an infected machine spam. Attackers make money off of this buy selling spam-sending services.

• Worm or Virus

  Malware desgined to make more of itself in the pursuit of infection.

While there are various categories, it’s important not to get all caught up in the weeds. In any case, malware can take one of two approaches. Shotgun or Targeted. Shotgunning is when the malware goes after any and everything it can infect like scareware. The targeted approach requires more finesse and it directed either at a specific company, people, or person.

General Malware Analysis Tips

1. Get an overview of the whole program and what it does
2. Use different tools if the tool you’re using isn’t cutting it for analysis
3. This is a cat-and-mouse game; malware authors are always looking for ways to thwart malware analysis. It is up to you to understand and respond to the many ways malicious code may change