What does malware analysis involve?
1 Nov 2018
5 minute read
Picture this: you are working for a large financial company and a computer virus is detected spreading through your network. The virus may have been created specifically to target your business. It is important to find out how it got through your defences, who created it, what they know about your company, how they got that information, and what the virus was designed to do. Answering these questions is an example of what malware analysis is about.
So what happens next? Obviously the threat needs to be quarantined and stopped from spreading; however, the details of that won't be discussed here. We will focus on the actual analysis of the malware.
Set up a fully isolated environment so that the malware cannot do any damage while it is being analysed. This involves creating one or more virtual machines and preventing them from communicating with the outside world.
Run the malware and watch what it does. This can give away very little or a great deal of information. Some malware tries to detect that it is being analysed and does nothing. Running malware in a debugger and sniffing its network traffic is standard practice for getting an idea of what it is doing.
The file is analysed for pieces of text that might give away information. For instance, some malware contains error messages, function names, or the names of system files that it tries to infect or read data from. A lot of malware is encrypted or “packed”, often using standard packers/crypters that can easily be reversed, but sometimes with custom-made algorithms that must be painstakingly deciphered.
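To make the string and packing checks described above concrete, here is an added example written for this post; it is not code from the author or from any of the tools named later. It pulls printable strings out of a byte buffer the way the `strings` utility does, buckets the ones an analyst looks at first (file paths, API names, messages), and computes a windowed Shannon-entropy profile, a standard heuristic for spotting packed or encrypted regions. The sample file is a constructed byte string, not a real binary; the 256-byte window and the 7.0 bits-per-byte threshold are assumed, tunable values.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample standing in for a suspicious file: a fake DOS/PE-style
# header, a few readable strings, then a 1 KiB high-entropy blob that plays
# the role of a packed section. This is not a real binary.
_TEXT_PART = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"CreateFileA\x00GetProcAddress\x00"
    + b"C:\\Windows\\System32\\drivers\\etc\\hosts\x00"
    + b"Error: could not open config\x00"
)
SAMPLE = (
    _TEXT_PART + b"\x00" * (256 - len(_TEXT_PART))  # pad the readable part to one window
    + bytes(range(256)) * 4                          # every byte value equally often: 8.0 bits/byte
)


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Return runs of at least `min_len` printable ASCII bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def interesting_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings an analyst would look at first: file paths, API names, messages."""
    buckets: Dict[str, List[str]] = {"paths": [], "apis": [], "messages": []}
    for s in strings:
        if re.match(r"^[A-Za-z]:\\", s) or s.startswith("/"):
            buckets["paths"].append(s)
        elif re.fullmatch(r"[A-Z][A-Za-z0-9]+[AW]?", s):  # CamelCase Win32-style export name
            buckets["apis"].append(s)
        elif " " in s:  # error texts, banners, and also junk runs from packed data
            buckets["messages"].append(s)
    return buckets


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, window: int = 256) -> List[Tuple[int, float]]:
    """Entropy of each consecutive `window`-byte slice, as (offset, bits_per_byte) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def packed_regions(data: bytes, window: int = 256, threshold: float = 7.0) -> List[int]:
    """Offsets of windows whose entropy exceeds `threshold` (an assumed heuristic cut-off).

    Compressed or encrypted data is close to 8 bits/byte, while ordinary code and
    text sit well below 7, so these offsets are where to look for a packer stub.
    """
    return [off for off, h in entropy_profile(data, window) if h > threshold]


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for name, items in interesting_strings(found).items():
        print(f"{name}: {items}")
    for off, h in entropy_profile(SAMPLE):
        flag = "  <- likely packed/encrypted" if h > 7.0 else ""
        print(f"offset {off:5d}: {h:.2f} bits/byte{flag}")
    print("packed regions at:", packed_regions(SAMPLE))
```

Run on the constructed sample, the first 256-byte window (header and readable strings) scores low and the four windows of the uniform blob score exactly 8.0, so `packed_regions` reports offsets 256, 512, 768 and 1024. On a real file the same profile typically shows a small low-entropy unpacking stub followed by a long high-entropy region, which is the cue to unpack before reading any further strings.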
To gain further understanding of how the malware works, an analyst can reverse-engineer it. This involves taking it apart, instruction by instruction, and determining what it is doing. Malware authors often place “red herrings” in their malware to make analysis take longer. Skilled analysts can often spot these tricks.
Sometimes slight modifications to the malware can be made to get past its anti-analysis defences. For example, malware that attempts to detect a debugger or virtual machine can be “patched” to change this behaviour.
There are various tools to assist in the analysis of malware, such as IDA Pro, OllyDbg, and Radare2. Many tools allow plugins or extensions to be created, which is essential for analysing malware with unusual characteristics.
A lot of malware communicates with remote servers, either to exfiltrate information or to receive instructions in a “command and control” (abbreviated as C2 or C&C) setup. Discovering how the malware does this helps identify the source of the attack, and ideally, ways to neutralise the malware. For example, if a particular domain name or IP address is used as a remote server, law enforcement can seize it, and thus any attempts made to contact the server—by any copy of the malware—will fail.
Learning how the malware spreads is also important, as it may continue spreading unless the vulnerability it exploits is removed. In addition, malware analysts can write detection tools that identify malware even when it tries to hide itself.
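The two points above, C2 indicators and detection that survives attempts to hide, can be illustrated together. The following Python is an added example written for this post, not code from the author or from any of the tools named; it scans a constructed sample for two placeholder indicators (a host name under the reserved `.invalid` domain and a URL path) both in clear and under every single-byte XOR key, and contrasts that with a SHA-256 hash match, which a one-byte change to the file defeats. The sample bytes, the indicators, the XOR key `0x5A` and the `KNOWN_HASHES` set are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# Indicators a responder would carry in a rule file. These are constructed
# placeholders (the .invalid TLD is reserved and never resolves), not real C2.
IOC_STRINGS: List[bytes] = [b"c2.example.invalid", b"/gate.php"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


# Constructed sample standing in for a dropped binary: the C2 host name is
# stored XOR-ed with 0x5A so a plain `strings` pass would not show it, while
# the URL path is left in clear. This is not a real malware file.
_HEADER = b"MZ" + b"\x00" * 14
SAMPLE = (
    _HEADER
    + b"Config loaded\x00"                      # offset 16
    + xor_bytes(b"c2.example.invalid", 0x5A)    # offset 30, hidden host name
    + b"\x00" * 4
    + b"/gate.php\x00"                          # offset 52, path in clear
    + b"\xcc" * 32
)

# Hash of the constructed sample, standing in for a published file-hash IoC.
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest()}

Hit = Tuple[str, int, int]  # (indicator, xor key, offset)


def find_indicators(data: bytes, iocs: Sequence[bytes] = IOC_STRINGS) -> List[Hit]:
    """Find each indicator in clear (key 0) or under any single-byte XOR key.

    Trying all 256 keys is cheap and defeats the most common string-hiding
    trick; longer indicators keep accidental matches negligible.
    """
    hits: List[Hit] = []
    for key in range(256):
        for ioc in iocs:
            needle = xor_bytes(ioc, key)
            off = data.find(needle)
            while off != -1:
                hits.append((ioc.decode("ascii"), key, off))
                off = data.find(needle, off + 1)
    return hits


def scan(data: bytes, iocs: Sequence[bytes] = IOC_STRINGS,
         known_hashes=KNOWN_HASHES) -> Dict:
    """Combine a brittle file-hash check with the more robust content check."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "hash_match": digest in known_hashes,
        "string_hits": find_indicators(data, iocs),
    }


if __name__ == "__main__":
    for label, blob in (("original", SAMPLE), ("one byte appended", SAMPLE + b"\x90")):
        result = scan(blob)
        print(f"{label}: hash match={result['hash_match']}")
        for ioc, key, off in result["string_hits"]:
            print(f"  {ioc!r} at offset {off} (xor key 0x{key:02x})")
```

The hash matches only the byte-identical sample; appending a single byte breaks it, which is why hash-only indicators age quickly. The content check still finds both indicators in the modified file, the host name under key `0x5A` and the path under key `0`, and those hits are exactly what feeds a domain or IP block at the network edge, or a seizure request for the server, as the post describes.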
Malware analysis is a fascinating area and always presents new challenges. It is important to stay up-to-date and refine one’s skills. Due to the many different skills that are required, ranging from assembly language to operating systems to networks to forensics, it is important to undertake a comprehensive educational programme such as Coder Academy’s Cyber Security Bootcamp if you want to enter the industry.
Coder Academy is the most loved Australian Coding Bootcamp provider according to Course Report. Our accredited coding Bootcamps will set you up for a new career in tech via our Fast Track Bootcamp or our Flex Track Bootcamp. Our immersive courses help students acquire in-demand skills through hands-on, project-based training by industry educators and experts.