In the mind of a Malware Analyst Part 2

CyberNotes
2 min read · Nov 27, 2024


Image from Stackzero

Before I delve into the actual malware analysis, it is worth highlighting what goes through the mind of a malware analyst as they analyse malware.

What’s the Goal?

The main goal of a malware analysis process is to provide sufficient information to respond to a network intrusion in the future.

As a malware analyst goes through a binary file, or potential malware code, the goal is to:

  • Determine what happened
  • Locate the files and machines/computers that were infected
  • Figure out how this can be prevented in the future

In order to do this, and especially to figure out how to prevent such an intrusion in the future, the analyst has to understand what the malware can do, how to detect it on a network, and how to contain it.

How?

Once the files are fully analyzed, the team can develop signatures to help detect and prevent the malware.

Signatures??

In order to understand what signatures are and what they do, we have to understand how antivirus software works.

Antivirus software works by scanning the files and system memory on a computer, comparing them against a database of well-known malware signatures, and then blocking or removing the matching files from your system.

The 2 main detection methods are:

Signature-based detection:

  • The primary method, where the antivirus software compares file patterns to a known database of malware signatures to identify threats.

Heuristic analysis:

  • Advanced antivirus programs can also use heuristic analysis to detect suspicious behavior patterns that might indicate malware even if they aren’t recognized by a signature alone.

How does this tie in?

Malware analysis helps develop the signatures for the malware. These can be either host-based or network-based signatures.

Malware analysis also reveals indicators of compromise: what the malware does to the system, rather than the characteristics of the malware itself. This can create a type of signature and detection process that is more robust than the traditional method.
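As an added illustration of the two detection methods above, and of why a signature keyed to what the malware does or contains holds up better than an exact file match, the scanner below applies a hash signature, a byte-pattern signature and an entropy heuristic to a few files. This is example code written for this article, not the author's own; the signature database, the entropy threshold and all sample files are constructed.

```python
import hashlib
import math

# Constructed signature database for this example (not real malware indicators).
# A hash signature matches one exact file; a byte-pattern signature matches a
# characteristic sequence wherever it appears, so it survives small changes.
KNOWN_SAMPLE = b"MZ...known-sample-body..."            # constructed "known" file
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Trojan.A"}
PATTERN_SIGNATURES = {b"known-sample-body": "Demo.Trojan.A"}

# Heuristic: text and ordinary executables have modest byte entropy; content
# near 8 bits/byte is typically packed or encrypted. The threshold is an assumption.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> dict:
    """Apply the two detection methods from the post to one file's bytes."""
    result = {"hash": None, "pattern": None, "heuristic": None}
    result["hash"] = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            result["pattern"] = name
            break
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:
        result["heuristic"] = f"high entropy ({entropy:.2f} bits/byte)"
    return result


# Constructed test files: a slightly altered variant defeats the hash but not
# the pattern; a packed/encrypted stand-in defeats both but trips the heuristic.
VARIANT_SAMPLE = b"MZ" + b"\x00" * 16 + b"known-sample-body"
PACKED_SAMPLE = bytes(range(256)) * 4
BENIGN_SAMPLE = b"Hello, this is an ordinary text document.\n" * 10

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:8s} {scan(sample)}")
```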

Something to Keep in Mind!

  1. Complexity: Malware programs can be quite complex. Accept that you cannot possibly understand absolutely everything.
  2. Different tools: Some tools may work in some cases and not in others. Every case is unique, so be ready to switch things around in order to analyse the malware fully!
  3. Cat and mouse game: Malware analysis is a never-ending cat and mouse game. Just when you think you’ve caught that sneaky malware, it whips out some new trick. Analysts build new traps, malware authors find new escapes. It’s a game of “catch me if you can,” except no one’s got time for popcorn!


Written by CyberNotes

Data Science/Cyber - Student at Michigan State University.
