1- Practical Malware Analysis – Introduction

Hi everyone, it has been a long time since I last updated this site. It's been a very busy and hectic time, as I took on a role as an Information Security Analyst, which involved 12-hour shifts, early mornings and nights, in a very busy environment.

Anyway, I am really pleased to be back and thought I would start with a series on malware analysis, where we will go through it step by step.

After this series I have a number of other series to come, and plenty of skills to share with you.

I will try to be brief and focus on the hands-on topics; those of you who are more interested in the details, please look out for a book called Practical Malware Analysis by Michael Sikorski and Andrew Honig. It is a great book that I've learned a lot from; in fact I am still using it, and everything we will discuss here will be skills learned from this valuable book.

So Michael/Andrew, if you are looking at this, please kindly accept my thanks and appreciation for this marvellous piece of work. Keep up the good work, guys.

Finally, don't forget everyone: no one knows everything and we will always be learning from each other. Therefore, those with more experience, please don't hesitate to share your knowledge with us, and surely don't hesitate to correct any mistakes you see here or in any of my previous or upcoming articles.

So let's start by laying some groundwork…

What is Malware Analysis?

Malware analysis enables us to gain the information needed so we can respond when an incident occurs. The following highlights the main goals of malware analysis:

– Find out exactly what happened.

– Locate all infected systems and files.

– Study and research what the suspected malware binary can do, and how to detect it on your or your client's network.

– Find out the level of damage it caused.

– Create the signatures needed to detect the malware. These signatures can be host-based or network-based signatures.

Knowing the above, we can describe malware analysis as the art of dissecting malicious code.

The Methods used to Analyse Malware

As described by Michael Sikorski and Andrew Honig in Practical Malware Analysis: "The methods used to analyse malware can be categorised into the following two categories, and each one is comprised of two categories:

– Basic Analysis:

  o Basic Static Analysis.

  o Basic Dynamic Analysis.

– Advanced Analysis:

  o Advanced Static Analysis.

  o Advanced Dynamic Analysis."

Basic Static Analysis

This stage can be a quick process: it requires you to examine the malicious file without looking at its instructions. Although this type of analysis will enable you to create basic signatures, these signatures can be useless against more complex malware.
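As an added example (not from the book or the original post), here is a small Python triage script that does the kind of basic static analysis described above and produces the two kinds of signature material mentioned in the goals list: it hashes the file for a host-based signature, pulls printable strings plus URL and DLL names as network-based and capability hints, and then shows why a hash signature alone is brittle against a trivially modified copy. The sample bytes and the example.invalid URL are constructed stand-ins, not a real binary or a real indicator.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (not a real binary and not a real
# indicator): an "MZ" header, padding, and a few embedded strings.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"kernel32.dll\x00CreateFileA\x00"
    + b"http://example.invalid/update.bin\x00"
    + b"\x01\x02ab\x00"  # "ab" is too short to be reported as a string
)
# Same file with one padding byte changed, as a trivial repack might do.
VARIANT = SAMPLE[:10] + b"\x01" + SAMPLE[11:]


def file_hashes(data: bytes) -> dict:
    """Host-based signature material: hashes of the whole file."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = (r"[\x20-\x7e]{%d,}" % min_len).encode()
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def basic_static_triage(data: bytes) -> dict:
    """What basic static analysis yields without reading a single instruction."""
    strings = extract_strings(data)
    return {
        "is_pe_candidate": data[:2] == b"MZ",  # DOS/PE magic: a first file-type hint
        "hashes": file_hashes(data),
        "strings": strings,
        # Candidate network-based signature material.
        "urls": [s for s in strings if re.match(r"https?://", s)],
        # Library names that hint at what the program may do.
        "dlls": [s for s in strings if s.lower().endswith(".dll")],
    }


def hash_signature_matches(known_bad: bytes, candidate: bytes) -> bool:
    """A hash signature matches only a byte-identical file, which is why it is
    a weak signature against malware that is repacked or trivially modified."""
    return file_hashes(known_bad)["sha256"] == file_hashes(candidate)["sha256"]


if __name__ == "__main__":
    report = basic_static_triage(SAMPLE)
    print(report["hashes"]["sha256"], report["urls"], report["dlls"])
    # Hash signature breaks on the one-byte variant; the strings do not change.
    print(hash_signature_matches(SAMPLE, VARIANT), extract_strings(VARIANT) == report["strings"])
```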

Basic Dynamic Analysis

This method requires you to examine the behaviour of the malicious code by running it in a test environment, which will allow you to remove the infection and create more effective signatures.

Please note the word test, and make sure you have a test environment in which to perform this. In fact, you should perform all of your analysis in a test environment.

Don’t say I didn’t warn you!

Advanced Static Analysis

When performing advanced static malware analysis, we go deep into the code by reverse-engineering it: we load the malware into a disassembler so we can look at the program's instructions. This will enable us to know exactly how the program works and what it does, and thus allow us to create stronger and more effective signatures, which can be further enhanced and fine-tuned using advanced dynamic analysis techniques.

Advanced Dynamic Analysis

At this stage you will still be running the code to examine its behaviour; however, you will be using a debugger to run the program and examine its internals.

We will go through all of these techniques together, step by step, in this series of malware analysis blogs. So be patient with me and keep a lookout for the upcoming articles.
