Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. Malware or malicious software is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission.
There are three typical use cases that drive the need for malware analysis:
- Computer security incident management: If an organization discovers or suspects that some malware may have gotten into its systems, a response team may wish to perform malware analysis on any potential samples that are discovered during the investigation process to determine if they are malware and, if so, what impact that malware might have on the systems within the target organizations' environment.
- Malware research: Academic or industry malware researchers may perform malware analysis simply to understand how malware behaves and the latest techniques used in its construction.
- Indicator of compromise extraction: Vendors of software products and solutions may perform bulk malware analysis in order to determine potential new indicators of compromise; this information may then feed the security product or solution to help organizations better defend themselves against attack by malware.
The method by which malware analysis is performed typically falls under one of two types:
- Static malware analysis: Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA or Ghidra. The machine code can sometimes be translated into assembly code which can be read and understood by humans: the malware analyst can then read the assembly as it is correlated with specific functions and actions inside the program, then make sense of the assembly instructions and have a better visualization of what the program is doing and how it was originally designed. Viewing the assembly allows the malware analyst/reverse engineer to get a better understanding of what is supposed to happen versus what is really happening and start to map out hidden actions or unintended functionality. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
- Dynamic malware analysis: Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete. The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch the behavior and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
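The behavioural observation and indicator-of-compromise extraction described above can be illustrated with a small triage script. The following is an added example, not code from the original page or from any of the sandbox products it lists: it assumes a sandbox that emits one JSON object per observed event (process start, file write, registry change, mutex creation, DNS query, TCP connect, selected API calls), parses a constructed log, separates lab noise from indicators with a constructed allowlist, and flags persistence, dropped-file execution and anti-debugging checks. The event schema, paths, domain, addresses and hash are all placeholders invented for the example.

```python
import json

# Constructed sandbox output in JSON-lines form, invented for this example. The
# paths, hash, mutex name, domain and addresses are placeholders (RFC 5737
# documentation ranges, reserved .example/.invalid names), not real indicators.
SAMPLE_LOG = r"""
{"ts": 0.0, "pid": 1200, "ppid": 900, "event": "process_start", "image": "C:\\Users\\lab\\sample.exe"}
{"ts": 0.4, "pid": 1200, "event": "api_call", "api": "IsDebuggerPresent"}
{"ts": 0.5, "pid": 1200, "event": "file_write", "path": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe", "sha256": "PLACEHOLDER_SHA256"}
{"ts": 0.6, "pid": 1200, "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater", "data": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 0.7, "pid": 1200, "event": "mutex_create", "name": "Global\\example_lock_01"}
{"ts": 0.9, "pid": 1340, "ppid": 1200, "event": "process_start", "image": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 1.2, "pid": 1340, "event": "dns_query", "name": "time.lab.example", "answer": "198.51.100.20"}
{"ts": 1.5, "pid": 1340, "event": "dns_query", "name": "update.c2.example.invalid", "answer": "203.0.113.7"}
{"ts": 1.6, "pid": 1340, "event": "tcp_connect", "dst_ip": "203.0.113.7", "dst_port": 443}
"""

# Constructed allowlist: hosts the analysis VM contacts on its own (lab noise),
# so they are not reported as indicators of the sample.
BENIGN_DOMAINS = {"time.lab.example"}
BENIGN_IPS = {"198.51.100.20"}
# Registry autostart locations and Windows APIs commonly used to detect a debugger.
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, in the order the sandbox recorded them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_iocs(events, benign_domains=BENIGN_DOMAINS, benign_ips=BENIGN_IPS) -> dict:
    """Collect network, file, registry and mutex indicators, minus allowlisted noise."""
    iocs = {"domains": set(), "ips": set(), "files": {}, "registry": set(), "mutexes": set()}
    for ev in events:
        kind = ev["event"]
        if kind == "dns_query" and ev["name"] not in benign_domains:
            iocs["domains"].add(ev["name"])
            if ev.get("answer") and ev["answer"] not in benign_ips:
                iocs["ips"].add(ev["answer"])
        elif kind == "tcp_connect" and ev["dst_ip"] not in benign_ips:
            iocs["ips"].add(ev["dst_ip"])
        elif kind == "file_write":
            iocs["files"][ev["path"]] = ev.get("sha256")
        elif kind == "registry_set":
            iocs["registry"].add(ev["key"] + "\\" + ev["value"])
        elif kind == "mutex_create":
            iocs["mutexes"].add(ev["name"])
    return iocs


def process_tree(events) -> dict:
    """Parent pid -> list of child pids, from process_start events that carry a ppid."""
    tree = {}
    for ev in events:
        if ev["event"] == "process_start" and "ppid" in ev:
            tree.setdefault(ev["ppid"], []).append(ev["pid"])
    return tree


def summarize_behaviors(events) -> list:
    """Human-readable findings: persistence, dropped-and-executed files, anti-debug checks."""
    findings = []
    written = {ev["path"].lower() for ev in events if ev["event"] == "file_write"}
    images = {ev["pid"]: ev["image"] for ev in events if ev["event"] == "process_start"}
    for ev in events:
        kind = ev["event"]
        if kind == "registry_set" and ev["key"].endswith(RUN_KEYS):
            findings.append(f"persistence: Run-key value '{ev['value']}' -> {ev['data']}")
        elif kind == "process_start" and ev["image"].lower() in written:
            parent = images.get(ev.get("ppid"), "?")
            findings.append(f"dropped file executed: {parent} -> {ev['image']}")
        elif kind == "api_call" and ev["api"] in ANTI_ANALYSIS_APIS:
            findings.append(f"anti-analysis check: pid {ev['pid']} called {ev['api']}")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("process tree:", process_tree(evs))
    for name, items in extract_iocs(evs).items():
        print(f"{name}: {sorted(items)}")
    for line in summarize_behaviors(evs):
        print("finding:", line)
```

The allowlist step matters in practice: a sandbox VM generates its own traffic (time sync, update checks), and reporting that as an indicator of the sample would poison whatever detection feed consumes the output.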
Examining malicious software involves several stages, including, but not limited to, the following:
- Manual code reversing: the most demanding stage, which only experienced analysts can carry out. Using disassemblers and debuggers, the analyst reads the program's code directly to gain a deeper insight into the malicious program's identity and purpose.
- Interactive behavior analysis: once the automated and static-properties stages are done, the analyst runs the specimen and interacts with it directly, rather than observing it passively, to obtain a better insight into its behavior.
- Static properties analysis: static-properties tools extract measurable properties of a suspicious file without running it, so this data is easy to obtain. Header details, hashes, embedded resources, packer signatures and metadata are examples of static properties.
- Fully automated analysis: fully automated tools save analysts' time and organizations' budget. They do not give the deep insight into the malware that the later stages provide, but they free human researchers to concentrate on the serious cases that cannot be resolved without human attention.
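The static properties listed above (header details, hashes, packer signatures) and the static-analysis approach described earlier can be demonstrated with a self-contained triage script. This is an added example, not code from the original page or from the tools it lists: it assembles a minimal, non-executable PE image in memory as constructed sample input, then parses the DOS and PE headers, hashes the file, computes per-section entropy (a common packer heuristic), extracts printable strings and flags API names associated with debugger checks and code injection. The section layout, API list, thresholds and URL are assumptions chosen for the example.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


# Constructed sample: a minimal PE image assembled with struct so the script
# runs offline. It is not executable and not real malware; the section layout,
# API names and URL are invented to exercise the triage logic.
def build_sample_pe() -> bytes:
    text = (b"\x90" * 200
            + b"kernel32.dll\x00IsDebuggerPresent\x00VirtualAlloc\x00"
            + b"http://c2.example.invalid/gate.php\x00").ljust(512, b"\x00")
    # 512 pseudo-random bytes in which every byte value occurs exactly twice, so
    # the entropy is exactly 8 bits/byte, the signature of packed or encrypted data.
    packed = bytes((i * 73 + 11) % 256 for i in range(512))
    sections = [(b".text", text, 0x60000020), (b"UPX1", packed, 0xE0000040)]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    # COFF header: i386, section count, timestamp, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5A0B1C2D, 0, 0, 224, 0x0102)
    # Optional header: PE32 magic, then AddressOfEntryPoint at offset 16
    optional = struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", 0x1000) + b"\x00" * 204
    table, body, raw_ptr, va = b"", b"", 0x200, 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        va += 0x1000
    headers = (dos + b"PE\x00\x00" + coff + optional + table).ljust(0x200, b"\x00")
    return headers + body


# Assumed watch-list of APIs that frequently appear in anti-debugging and injection code.
SUSPICIOUS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "VirtualAlloc",
                   "WriteProcessMemory", "CreateRemoteThread", "URLDownloadToFileA"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte; plain code is usually around 5-6.5, packed data above 7."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def ascii_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def triage_pe(data: bytes) -> dict:
    """Parse the PE headers and collect static properties plus triage flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    report = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown 0x{magic:x}"),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "entry_point": entry,
        "sections": [],
        "flags": [],
    }
    sec_off = opt_off + opt_size
    for i in range(nsect):
        (name, _vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        report["sections"].append({"name": name, "vaddr": vaddr, "raw_size": rawsize, "entropy": ent})
        if ent > 7.0:
            report["flags"].append(f"section {name}: entropy {ent:.2f} (possibly packed or encrypted)")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            report["flags"].append(f"section {name}: writable and executable")
    strings = ascii_strings(data)
    report["suspicious_apis"] = sorted(s for s in strings if s in SUSPICIOUS_APIS)
    report["urls"] = [s for s in strings if s.startswith(("http://", "https://"))]
    if report["suspicious_apis"]:
        report["flags"].append("references APIs common in injection/anti-debugging: "
                               + ", ".join(report["suspicious_apis"]))
    return report


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

String scanning finds names only in unpacked, unobfuscated files; on a real sample with a high-entropy section the interesting imports usually appear only after unpacking, which is exactly the point at which the static stage hands over to dynamic analysis.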
Binary analysis tools
- Resource Hacker: freeware resource editor for Windows by Angus Johnson
- HxD: hex editor for Windows by Maël Hörz
- Detect It Easy
- IDA Pro: Disassembler by Hex-Rays
- Radare2: Disassembler by pancake
- Binary Ninja: Disassembler by Vector 35
- Ghidra: Disassembler by the NSA
- Hybrid Analysis: Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis.
- ANY.RUN: Interactive malware hunting service with real time interaction and process monitoring. Available for free use since 2018.
- CWSandbox: Early malware sandbox solution c. 2006-2011 from Sunbelt Software, became GFISandbox.
- GFISandbox: Sandbox solution c. 2011-2013 from GFI Software, became ThreatAnalyzer.
- Cuckoo Sandbox: Sandbox solution c. 2012?, open source on GitHub, designed for automated malware detection and profiling.
- Joe Sandbox: Sandbox solution c. 2010 from Joe Security. First solution introducing Hybrid Analysis. Enables analysis on any device, including bare metal laptops, PCs and phones. Supports analysis on Windows, Android, Mac OS X and iOS.
- ThreatAnalyzer: Sandbox solution c. 2013–present from ThreatTrack Security, designed for automated malware detection and detailed profiling.
- VMRay: Sandbox solution c. 2015 from VMRay. Created by the original author of CWSandbox. Instead of hooking, the target machine is unmodified and monitoring and control is done at the hypervisor layer.
Note: Some hosted sandboxes, such as Malwr, use one of the above products under the hood (Malwr uses Cuckoo).
- MalwareAnalysis.co: Hub for various resources.