Malware Analysis
What is Malware?
Malware is the collective name for a number of malicious software variants, including viruses, ransomware and spyware. Shorthand for malicious software, malware typically consists of code developed by cyberattackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network. Malware is typically delivered in the form of a link or file over email and requires the user to click on the link or open the file to execute the malware.
Malware has been a threat to individuals and organizations since the early 1970s, when the Creeper virus first appeared. Since then, the world has been under attack from hundreds of thousands of different malware variants, all intended to cause as much disruption and damage as possible.
What is Malware Analysis?
Analyzing malware, viruses and other harmful programs and scripts is complicated and requires a lot of knowledge. To properly understand how a program works, what it connects to and what damage it can cause, it helps to know programming, preferably in several languages rather than just one, and to have a good understanding of how computer networks are built and operate.
Reverse engineering is often used to analyze such a program. It is the process of examining a product (a device or a computer program) to determine exactly how it works, as well as how and at what cost it was made, usually in order to obtain the information needed to build a counterpart.
For example, we can decompile the program to recover a partial version of its code, so that we know exactly how it works. We can also analyze the running program itself, its processes and its network connections using additional tools.
When analyzing a malicious program, we must be extremely careful not to accidentally infect ourselves during the analysis. Anyone who wants to start with this type of analysis should build their own virtual environment, separated from the network (or operating in a separate, purpose-built network), isolated and used only for analysis.
There are programs on the market called sandboxes. They run a program in an isolated environment that simulates the real environment of a potential victim, which allows for safe analysis. Most of these programs are paid and, because of the cost, available only to large corporations.
Nowadays malicious software has evolved to such an extent that it not only tries to detect and bypass anti-virus software but also checks whether it is running on a virtual machine or in a sandbox. Sometimes it launches its malicious functions with a delay, and sometimes it deactivates completely so as not to attract attention, behaving like an ordinary harmless application.
Although the analysis requires a lot of knowledge and skill, nothing prevents you from starting with simple examples and free tools.
Types of Malware Analysis
Static : Also called static code analysis, this is the process of examining software without executing the code or program. In other words, it studies the malware's code and structure without running it. Static analysis techniques can be applied to various representations of a program. The techniques and tools quickly reveal whether a file has malicious intent or not. The information on its functionality and other technical indicators then helps create simple signatures for it.
Dynamic : Dynamic analysis runs the malware to examine its behavior, learn its functionality and recognize technical indicators. Once all these details are obtained, they are used in detection signatures. The technical indicators exposed may include IP addresses, domain names, file path locations, additional files and registry keys found on the network or the computer.
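As an added example (not code from the original article), a small Python static-triage script for the static side described above: it hashes a constructed, harmless sample, identifies the file type from magic bytes, extracts printable strings, pulls out the kinds of technical indicators the text names (URLs, IP addresses, file paths, registry keys) and turns them into a simple signature that still catches a repacked variant whose hash has changed. The sample bytes, indicator values and signature format are all constructed here.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (not real malware): an MZ header, filler
# and a few embedded indicators that a static triage pass should surface.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
          + b"\x00" * 32 + b"http://update.example.test/payload.bin\x00"
          + b"C:\\Users\\Public\\svc.exe\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"10.0.0.25\x00" + b"\xde\xad\xbe\xef" * 8)
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}
# Indicator kinds named in the text: URLs, IP addresses, file paths, registry keys.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\(?:[^\\\x00]+\\)*[^\\\x00]+"),
    "registry": re.compile(r"(?:HKLM|HKCU|Software)\\[\w\\ ]+"),
}

def file_type(data: bytes) -> str:
    # Identify the container by magic bytes; the file extension is never trusted.
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")

def extract_strings(data: bytes, min_len: int = 6) -> list:
    # Printable ASCII runs of at least min_len bytes, like the `strings` tool.
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def extract_indicators(strings: list) -> dict:
    # Group every technical indicator found in the strings by kind; drop empty kinds.
    found = {kind: sorted({hit for s in strings for hit in pat.findall(s)})
             for kind, pat in INDICATOR_PATTERNS.items()}
    return {kind: hits for kind, hits in found.items() if hits}

def triage(data: bytes) -> dict:
    # Static triage report: hashes, type, strings and indicators, without execution.
    strings = extract_strings(data)
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "type": file_type(data), "strings": strings, "indicators": extract_indicators(strings)}

def make_signature(report: dict, name: str) -> dict:
    # Simple signature: the exact hash plus the indicator set, for catching variants.
    iocs = sorted(v for vals in report["indicators"].values() for v in vals)
    return {"name": name, "sha256": report["sha256"], "iocs": iocs}

def matches(report: dict, sig: dict) -> bool:
    # Hit on an identical hash, or when every indicator in the signature reappears.
    present = {v for vals in report["indicators"].values() for v in vals}
    return report["sha256"] == sig["sha256"] or (
        bool(sig["iocs"]) and set(sig["iocs"]) <= present)
```

A signature with an empty indicator list is deliberately never matched on indicators alone, otherwise it would flag every file.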
Malware Analyzing Tools
The first question is where to start, because it is hard to say how to properly configure your own test environment. Therefore, it is worth starting with a ready-made environment with a set of tools, so that in the future you can build your own, tailored to your needs. Ready solutions let you see how industry professionals work, what tools they use and how they approach the topic. Just as Kali Linux is a ready environment for pentesters, flare-vm is a ready environment for malware analysts. Below are some paid and free sandboxes.
Sandboxie – runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer.
Firejail – is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
SHADE Sandbox – is an alternative to antivirus and a tool for virtualization. It locally virtualizes applications (e.g. internet browsers) and locks all incoming internet files and possible viruses in its safe virtual environment.
PyREbox – is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
FAME – is a recursive acronym meaning “FAME Automates Malware Evaluation”. It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
Online sandboxes
CAPE Sandbox – malware configuration and payload extraction.
Hybrid Analysis – free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
AnyRun – Interactive online malware analysis service for dynamic and static research of most types of threats in any environment. It replaces a set of research tools.
Self-hosted sandbox
Cuckoo Sandbox is the leading open-source automated malware analysis system, and it is available on most popular platforms.
Multi-engine scanners are also useful for analyzing files: they scan a given file with various anti-virus engines and provide more detail than a single antivirus product.
AVCaesar – is a malware analysis engine and repository. Your suspicious files can be analyzed by a set of antivirus engines.
VirusTotal – analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
NoDistribute – similar to VirusTotal, but it does not distribute scan results.
For your own privacy and the privacy of your files, you may not want to share the contents of your files with the antivirus companies.
URL analyzer
Nowadays not only files can be harmful, but also entire web pages or the scripts they contain. Therefore it is also worth using sandboxes for URLs; VirusTotal, mentioned earlier, is not the only service with such a function.
URLhaus – is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
URLscan – a sandbox for the web.
MetaDefender – trust no file, trust no device. Analyze IP, HASH, CVE, URL.
Malware samples
It’s best to use examples from everyday life. There are two nice repositories of malware on GitHub: the first one is Malware Sample Library and the second is Malware Samples. By searching GitHub you will surely find more equally interesting examples that will give you the necessary experience.
More malware samples and virus signatures are also available on websites like:
Das Malwerk – Malware samples.
MalShare – a free malware repository providing researchers with access to samples, malicious feeds, and YARA results.
PacketTotal Malware Archive – search for URL, IP, file hash.
ViruSign – virus signatures, to make antivirus more efficient, and of course to benefit the users with a better detection rate.
EICAR test file
This article is also an occasion to mention a harmless test sample that may interest people who want to test the security and effectiveness of anti-virus programs.
The EICAR test file is a computer file developed by the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.