Malware Analysis: Decoding Danger

Battling Malware in this digital age — Part 1

CyberNotes
6 min read · 2 days ago

Over the past few months, I’ve immersed myself in malware analysis as my specialization for my degree at Michigan State University.

This has broadened my understanding of cyber threats and the advanced methods used to analyze malicious software. In my upcoming blog series, I’ll be sharing what I’ve learned about malware analysis, exploring its technicalities, and conveying the excitement this field offers!

But first, what is malware?

Malware is derived from the words: MALicious SoftWARE. Essentially, it is code that performs malicious activity.

It can come in different forms: Virus, Worm, Trojan horse, Rootkit, Adware, Botnet, Ransomware, just to mention a few. For purposes of this blog, I will not delve into the characteristics of the different types of malware.

Malware Analysis and Why It Is Done

This is the study of malware’s behaviour. The goal is to understand how the malware works, which helps in building better systems to detect and contain it.

Malware analysts analyse malware to:

  • gain an understanding of how systems get compromised. For example, dissecting malware might reveal that it takes advantage of a specific software vulnerability to gain unauthorized access. With this knowledge, teams can patch or harden their systems against these attacks.
  • deduce the motive of attackers. For instance, if the malware encrypts files and demands a ransom for decryption, it indicates a motive centered around extortion. By dissecting the malware’s functionality and targets, analysts can deduce whether the attackers aim for financial profit, espionage, sabotage, or other malicious intent.
  • retrieve host-based indicators that help identify compromised systems. For example, by dissecting malware, you might find that it creates specific files in certain directories, modifies particular registry keys, or establishes unusual network connections. These observations can then be turned into signatures that help detect and prevent these attacks.

Types of Malware Analysis

There are various methods that are used to analyse malware. In summary, they include:

  1. Static Analysis
  2. Dynamic/Behavioural Analysis
  3. Code Analysis — This is broken down into:
  • Static code analysis
  • Dynamic code analysis
  4. Memory forensics

Note

When analyzing malware, you’ll often be working with executable files. You’re probably familiar with files bearing the .exe extension; these are standard executables that systems can run (common on Windows systems).

However, executable files come in various other extensions, and bad actors often attempt to disguise these to avoid detection. Some other executable file extensions include (non-exhaustive list):

  • .scr screensaver files
  • .bat batch files
  • .com command files
  • .vbs VBScript files
  • .ps1 PowerShell Scripts
  • .jar Java Archive files

By masking or altering these extensions, attackers attempt to make their malicious files less conspicuous and evade detection by users and security software. Such executable files are often referred to as binary files or portable executables (PE).

Now, let’s explore a brief overview of each method; I’ll delve into the details of how these analysis methods are done in upcoming blog posts.

Static Analysis

This refers to analysing malware without executing it. When you have a suspect binary, static analysis can help extract metadata and other valuable information about the malware, including the file’s headers, imported libraries and functions, embedded strings, and resources.

For example, by analysing the file headers, you can determine the type of executable and its target architecture (such as 32-bit or 64-bit). You can also pull out the embedded strings, which may reveal URLs, IP addresses, function names and commands that the malware might use during execution.

This is the best first step to understanding the general behaviour of malware without executing it.
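To make the two points above concrete (the extension disguises in the Note, and the header and string inspection described under Static Analysis), here is a small static triage script. It is an added example written for this post, not a tool from the original article: it identifies a file’s real type from its leading bytes regardless of the extension it carries, flags names such as invoice.pdf that hide an executable or double extensions such as invoice.pdf.scr, reads the target architecture from the PE header’s Machine field, and pulls URL- and IP-looking strings out of the file. The sample blob it analyses is constructed in build_sample() (headers plus a few strings, no real code), and the URL and IP address in it are placeholder values.

```python
import re
import struct
from pathlib import PurePosixPath
from typing import Optional

# Magic bytes at offset 0 for a few container formats (.jar is a ZIP archive, so it shares "PK").
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}

# COFF header Machine field -> target architecture.
PE_MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x01C4: "ARM", 0xAA64: "ARM64"}

# Extensions the post lists as executable, plus .exe and .dll.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".com", ".vbs", ".ps1", ".jar"}

# Strings that look like a URL or a dotted-quad IP address.
NETWORK_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def detect_type(data: bytes) -> str:
    """Classify the file by its leading bytes, ignoring whatever extension it carries."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_architecture(data: bytes) -> Optional[str]:
    """Walk DOS header -> e_lfanew -> PE signature -> Machine field; None if not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return PE_MACHINE.get(machine, f"unknown machine 0x{machine:04x}")


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len characters, like the `strings` utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def name_checks(filename: str) -> dict:
    """Look at the file name alone: last extension and document-then-executable double extensions."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    double_ext = (len(suffixes) >= 2 and last in EXECUTABLE_EXTENSIONS
                  and suffixes[-2] not in EXECUTABLE_EXTENSIONS)
    return {"last_extension": last, "double_extension": double_ext}


def triage(filename: str, data: bytes) -> dict:
    """Static first look: true type, architecture, name/content mismatch, network-looking strings."""
    kind = detect_type(data)
    names = name_checks(filename)
    content_is_exe = kind in ("pe", "elf")
    mismatch = content_is_exe and names["last_extension"] not in EXECUTABLE_EXTENSIONS
    indicators = [m for s in extract_strings(data) for m in NETWORK_RE.findall(s)]
    return {
        "type": kind,
        "architecture": pe_architecture(data) if kind == "pe" else None,
        "extension_mismatch": mismatch,
        "double_extension": names["double_extension"],
        "network_indicators": indicators,
    }


def build_sample() -> bytes:
    """Constructed PE-shaped blob for demonstration (headers only, no real code)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew -> PE header at 0x80
    coff = b"PE\0\0" + struct.pack("<H", 0x8664) + bytes(18)   # Machine = x64
    body = (bytes(16)
            + b"http://updates.example.invalid/stage2.bin\0"  # placeholder URL
            + b"203.0.113.7\0"                                 # documentation-range IP
            + b"InternetOpenUrlA\0")                           # an import name you might see
    return bytes(dos) + coff + body


if __name__ == "__main__":
    print(triage("invoice.pdf", build_sample()))
```

Running it on the constructed blob named invoice.pdf reports a PE targeting x64, an extension that does not match the content, and the two network indicators. Real-world checks go further (imports, sections, resources, entropy), but the habit is the same: trust the bytes, not the name.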

However, when doing any form of malware analysis, it is always best to analyse it in an isolated environment such as a virtual environment.

Dynamic Analysis

This includes executing the binary in an isolated environment and monitoring the behaviour of the malware. The goal is to give insight into the activity of the binary file.

For example, suppose you have a binary that you want to analyze: You set up a virtual machine or sandboxed environment — a controlled setting that mimics a real system but is isolated to prevent any potential harm to your actual computer or network.

You then execute the binary within this environment while using monitoring tools to observe its behaviour.

As the malware runs, you might notice that it performs actions such as:

  • Creating or modifying files: the malware might alter existing files or generate new ones in certain directories.
  • Modifying system settings: the malware might disable security features or change system configurations.
  • Creating network connections: you might observe the malware attempting to connect to remote servers.
  • Capturing data: you might observe the malware capturing keystrokes or even screenshots to gather sensitive information.

This will give you valuable information about what the malware is designed to do, such as stealing data, disrupting operations, or logging keystrokes.

However, a single run might not fully show what the malware is capable of.
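The monitoring output from a dynamic run is where the host-based indicators mentioned earlier (files created, registry keys modified, network connections) actually come from. As an added example (not from the original post or any particular tool), the script below reads a constructed Process Monitor-style CSV export for a hypothetical sample.exe, keeps only successful events from that process, and sorts them into the behaviour categories listed above: files written, registry values changed, remote endpoints contacted, plus a flag when a modified key sits under a well-known autostart location. The log lines, process name, paths and the 203.0.113.7 address are all made up for the example.

```python
import csv
import io

# Constructed Process Monitor-style export for a hypothetical sample (not a real capture).
SAMPLE_LOG = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,sample.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\svchost.exe,SUCCESS,Desired Access: Generic Write
10:01:02.105,sample.exe,4120,WriteFile,C:\\Users\\lab\\AppData\\Roaming\\svchost.exe,SUCCESS,"Offset: 0, Length: 65536"
10:01:02.200,sample.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,Type: REG_SZ
10:01:02.300,sample.exe,4120,TCP Connect,lab-pc:49712 -> 203.0.113.7:443,SUCCESS,Length: 0
10:01:02.310,sample.exe,4120,CreateFile,C:\\Windows\\System32\\kernel32.dll,SUCCESS,Desired Access: Generic Read
10:01:02.400,explorer.exe,1234,RegQueryValue,HKCU\\Software\\Classes,SUCCESS,Type: REG_SZ
"""

# Operation names as Process Monitor labels them; reads are ignored, only changes count.
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NET_OPS = {"TCP Connect", "TCP Send", "UDP Send"}
# Autostart registry locations: a write here is a common persistence indicator.
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def summarize_behaviour(log_text: str, process: str) -> dict:
    """Turn raw monitor events for one process into host-based indicators."""
    files, registry, network = set(), set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Process Name"] != process or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op in FILE_WRITE_OPS or (op == "CreateFile" and "Write" in detail):
            files.add(path)                      # file created or modified
        elif op in REG_WRITE_OPS:
            registry.add(path)                   # system/registry configuration changed
        elif op in NET_OPS and "->" in path:
            network.add(path.split("->")[1].strip())  # remote side of "local -> remote"
    return {
        "files_written": sorted(files),
        "registry_modified": sorted(registry),
        "remote_endpoints": sorted(network),
        "persistence": any(k in r for r in registry for k in PERSISTENCE_KEYS),
    }


if __name__ == "__main__":
    for key, value in summarize_behaviour(SAMPLE_LOG, "sample.exe").items():
        print(f"{key}: {value}")
```

For the constructed log this yields one dropped file under AppData, one Run-key value, one remote endpoint on port 443, and persistence set to True. Those three lists are exactly the kind of indicators you would hand to a detection team; keystroke or screenshot capture, the fourth category above, usually needs API-level monitoring rather than file and registry events.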

Code Analysis

This is an advanced analysis method that entails analyzing the code of the executable. This reveals information that will normally not be captured using the static and dynamic analysis methods. This requires programming knowledge and a knowledge of operating systems.

This is divided further into:

  • Static code analysis
  • Dynamic code analysis

Static Code Analysis

This is the process of examining software code without executing it. The process normally looks like this: when you have an executable and want to analyse it using static code analysis, you use tools that disassemble or decompile the binary so you can examine its assembly code, such as IDA Pro or Ghidra.

With this method, you can dissect the executable to understand its functionality and behaviour without running it on a system.

This can reveal information such as:

  • File metadata, such as the type, size and timestamps, which provides details about the origin of the malware.
  • Obfuscation techniques: identifying methods used to conceal the code’s true purpose.

In summary this analyzes the code’s structure, syntax, and possible execution paths based on the static content.

Dynamic Code Analysis

Dynamic code analysis, on the other hand, is debugging the code or running it in a controlled environment to understand its behaviour. This allows analysts to see how the code interacts with the system in real time.

The analyst will employ various monitoring methods such as process monitors, file system monitors, memory analysis tools, registry monitors and network monitors among others.

It is worth noting that there are things that the malware will do, only when the code is run.

This reveals hidden functionality that is activated only during execution. Considering that some malware employs obfuscation, it also helps further analysis by getting past obfuscation techniques that hinder static analysis.

It is also important to note that there is malware designed to detect the environment in which it is running, and it will then change its behaviour depending on that environment. It can modify its behaviour when it is being tested. The analyst needs to keep this in mind!

Memory Forensics

This is an advanced technique that involves examining the random-access memory (RAM) of a computer to uncover forensic artifacts left by the malware. Memory forensics allows analysts to capture and analyze data that exists only in memory during the system’s operation.

Let’s take the example of fileless malware, which operates without writing files and resides entirely in memory. In this case, antivirus scans and disk analysis might not yield significant findings.

Here, memory forensics becomes a vital component, enabling security professionals to uncover hidden threats and understand the in-memory behaviour of malicious software.
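One of the simplest things a memory forensics tool does for the fileless case is carve executable images straight out of a memory snapshot: if code was loaded into memory without ever touching disk, its PE header is still sitting at a page-aligned address. The script below is an added example for this post (not from the original, and not a substitute for Volatility’s malfind, which does this far more thoroughly): it walks a constructed memory dump page by page, validates the DOS header, e_lfanew, PE signature and optional-header magic at each page start, and reports the offset and SizeOfImage of every plausible image. The dump built by build_sample_dump() is made up, containing one valid in-memory image and two decoys that a naive “search for MZ” would mistake for images.

```python
import struct

PAGE = 0x1000  # scan at page granularity: loaders and injectors map images page-aligned


def pe_size_of_image(buf: bytes, off: int):
    """Return SizeOfImage if a plausible PE header starts at buf[off], else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew is small in real images; reject values that point outside the header area
    if e_lfanew > 0x400 or pe + 0x54 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    opt_magic = struct.unpack_from("<H", buf, pe + 0x18)[0]   # first field of the optional header
    if opt_magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        return None
    return struct.unpack_from("<I", buf, pe + 0x50)[0]         # OptionalHeader.SizeOfImage


def carve_pe_images(dump: bytes) -> list:
    """List (offset, size_of_image) for every page-aligned PE header in the dump."""
    hits = []
    for off in range(0, len(dump), PAGE):
        size = pe_size_of_image(dump, off)
        if size is not None:
            hits.append((off, size))
    return hits


def build_sample_dump() -> bytes:
    """Constructed 4-page memory snapshot: one valid in-memory image plus two decoys."""
    def header(with_pe: bool) -> bytes:
        h = bytearray(0x100)
        h[0:2] = b"MZ"
        struct.pack_into("<I", h, 0x3C, 0x80)                  # e_lfanew -> PE header at 0x80
        if with_pe:
            h[0x80:0x84] = b"PE\0\0"
            struct.pack_into("<H", h, 0x84, 0x8664)            # Machine = x64
            struct.pack_into("<H", h, 0x80 + 0x18, 0x20B)      # PE32+ optional header
            struct.pack_into("<I", h, 0x80 + 0x50, 0x5000)     # SizeOfImage = 5 pages
        return bytes(h)

    page0 = bytes(PAGE)                                        # empty page
    page1 = bytes(0x200) + b"MZ" + bytes(PAGE - 0x202)         # "MZ" text mid-page, not an image
    page2 = header(True) + bytes(PAGE - 0x100)                 # injected image, page-aligned
    page3 = header(False) + bytes(PAGE - 0x100)                # DOS stub with no PE signature
    return page0 + page1 + page2 + page3


if __name__ == "__main__":
    for off, size in carve_pe_images(build_sample_dump()):
        print(f"PE image at dump offset 0x{off:x}, SizeOfImage 0x{size:x}")
```

Only the image at offset 0x2000 survives the checks. In a real investigation the next step is to save dump[off:off + size] to a file and hand it to the static analysis workflow from earlier, which is how an in-memory-only payload ends up on an analyst’s bench after all.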

In part 2 of this series, I will delve into static analysis methods.

Written by CyberNotes

Data Science/Cyber - Student at Michigan State University.