What Is Malware Analysis? Definition, Types, Stages, and Best Practices

essidsolutions

Malware analysis is defined as “the process of breaking down malware into its core components and source code, investigating its characteristics, functionality, origin, and impact to mitigate the threat and prevent future occurrences.” This article will touch upon the types of malware analysis, best practices, and key stages. 


What Is Malware Analysis?

Malware is defined as “a software designed to infiltrate or damage a computer system without the owner’s informed consent. Any software performing malicious actions, including information stealing, spying, etc., can be referred to as malware.” As our reliance on technology and the number of connected endpoints increases, traditional malware variants like a virus, Trojan, or worm will also start to mutate. This gives rise to new forms of malware, which attack your systems in unfamiliar ways, and cause damage without any explicit signal. 

For example, this year, we saw the birth of a new ransomware family called WastedLocker that attaches a customized string containing the word “wasted” to each encrypted file. To decrypt the file, the malware originator could ask for millions of dollars in ransom. According to the 2020 State of Malware Report, the total ransomware activity against businesses is at a historic high. It is, therefore, critical that businesses and the ethical hacking community improve their understanding of malicious software to stay a step ahead of threat actors. 

This is where malware analysis comes into the picture. Basically, malware analysis is defined as “The process of dissecting malware to understand its core components and source code, investigating its characteristics, functionality, origin, and impact to mitigate the threat and prevent future occurrences.” 

Let’s unpack the definition of malware analysis and its objectives: 

  • It breaks down the malware: A big part of malware analysis is demystifying malware and cyberthreats to increase awareness. After all, malware is only a software program written with the expressed purpose of causing harm. Understanding the code and how it works is integral to blocking malware entry or, at least, its spread across your ecosystem.
  • It investigates its characteristics: Every software will leave a unique digital footprint, and malware is no different. How does a specific malware variant or family approach data? How does it spread? What is its pace of replication and tactic for camouflage? Knowing the exact characteristics of malware makes it easier to detect it.
  • It unravels its functionality: This is a critical element of malware analysis, and it is difficult to get right. Malware will typically wait in hiding until the right time to attack. This means its functionality will not become clear to the user before it is too late. Malware analysis tries to determine the intended functionality of the software by reviewing its code.
  • It traces the malware’s origin: Malware can be notoriously hard to trace, and hackers take advantage of this by holding data ransom for large amounts. Malware analysis tries to see beyond the anonymization of the coder and trace it back to its origin — a person, an IP, a geographic location, or even an organization, among others. This helps in the swift intervention of legal authorities during an attack.
  • It tries to predict the impact: By putting the above threads of investigation together, it is possible to arrive at a probable impact profile. Its functionality, nature of target systems, the pace of growth, and preferred distribution channels indicate the worst-case scenario impact of malware. This enables companies to plan and deploy mitigation procedures.

Malware analysis is a highly technical skill and requires years of practice. That is why specialists, like malware analysts, are some of the most sought-after profiles in an organization. Malware analyst is a rapidly emerging job profile, seeing a steady increase in demand across the US and other digitally mature economies. In June 2017, there were 1,726 job postings for malware analysts for which only 52 candidates applied. This is because malware analysis is an arduous process, requiring a wealth of knowledge, a lot of patience, and, occasionally, disruptive thinking. 


Malware Analysis Process

Here’s a more in-depth insight into the malware analysis process: 

Step 1: Capture the malware. 

Before the actual analysis, you need access to a malicious piece of code in an uncompressed format. You can use a tool like HoneyDB to attract malware and capture it in an investigation-friendly environment. 

Step 2: Build a malware lab. 

A malware analysis lab is a safe environment where you can test different malware functionalities without any risk to nearby files. Typically, malware labs rely on virtual machines (VMs) to sandbox the entire exercise. 

Step 3: Install your tools. 

You can use several tools to analyze malware, including open-source and paid options. There is plenty of support to be found on GitHub. You could also use Cuckoo Sandbox and other equivalent analysis enablers. These tools must be installed in your VMs. 

Step 4: Record the baseline. 

Before running the malware, assess the operating environment and document it as your baseline. The tools installed in the VMs will help here — running these same tools later (after the malware is activated) indicates malware behavior and impact. 


Step 5: Commence your investigation. 

There are several phases involved in the investigation step. Some require intense manual involvement, while others can gain from automation tools. Take the malware apart before initiating these phases to reveal its properties at every layer. 

Step 6: Document the results. 

Depending on the tools you’re using, you will have detailed information on malware behavior, tendencies, and interaction patterns with its surrounding digital environment. Consolidate these results into an exhaustive document that forms the deliverable for your malware analysis exercise. 

Malware analysis is at the heart of cybersecurity innovation today. Analysts can work with governments, non-profit organizations, research institutions, and corporates to develop the body of knowledge around malware.


Types of Malware Analysis

Broadly, there are two types of malware analysis — static and dynamic. You could also classify malware analysis based on the effort it requires, opting for either manual or automated analysis. A complete analysis exercise will combine all of these types to study the malware in detail and test how it reacts to different approaches. 


1. Static malware analysis 

Malware code includes two types of elements — static and dynamic. This type of analysis focuses on the former, examining static properties like metadata, headers, embedded assets, etc., without executing the sample. A quick static analysis often reveals enough information to create an indicator of compromise (IOC), a record of the attributes that mark the software as malicious. If static analysis finds nothing suspicious, the code is usually set aside as a piece of bad programming that does not merit further investigation as malware. 
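To make the static properties concrete, here is an added example (not code from the article) that pulls the file hashes, COFF header fields, section table and printable strings out of a PE image, the raw material of an IOC record. The sample it parses is a constructed, minimal PE-shaped blob with no optional header, not real malware; the `packed_hint` heuristic is an assumption, not a rule.

```python
import hashlib
import re
import struct


def parse_pe_static(data: bytes) -> dict:
    """Extract static properties from a PE image: hashes, COFF header fields,
    section table and printable strings. Assumes a well-formed header and
    raises ValueError otherwise (a production tool would tolerate damage)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size       # section table follows the optional header
    sections = []
    for i in range(nsections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        vsize, vaddr, rsize, rptr = raw[1], raw[2], raw[3], raw[4]
        sections.append({
            "name": raw[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_ptr": rptr,
            # Assumed heuristic: a section that is much larger in memory than on
            # disk often belongs to a packer stub that unpacks code at run time.
            "packed_hint": rsize * 4 < vsize,
        })
    # Printable ASCII runs of six or more characters (API names, paths, URLs).
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "machine": hex(machine), "timestamp": timestamp,
        "characteristics": hex(chars), "sections": sections, "strings": strings,
    }


def build_sample() -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 1598918400, 0, 0, 0, 0x0022)
    body = b"kernel32.dll\0Hello from sample\0"
    body_ptr = 0x40 + 4 + 20 + 40                 # one section header, no optional header
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000,
                          len(body), body_ptr, 0, 0, 0, 0, 0x00000020)
    return bytes(dos) + b"PE\0\0" + coff + section + body


if __name__ == "__main__":
    info = parse_pe_static(build_sample())
    print(info["sha256"], info["machine"], info["sections"], info["strings"])
```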

2. Dynamic malware analysis 

Dynamic analysis allows the malware to play itself out in a controlled environment while observing its behavior. VMs are critical when conducting dynamic analysis, as it is likely that the malware will cause irreparable damage to its host environment. 

Several behavioral signals require your attention during dynamic malware analysis — including its interactions with network traffic, its targeting patterns towards the file system, and any changes to the registry. 

For example, the Dynamic Malware Analysis Platform (DMA) is a purpose-built tool by the Computer Incident Response Center Luxembourg (CIRCL) to perform this type of analysis. VMRay’s “Now, Near, Deep” architecture conducts dynamic analysis – among other things – to filter files.

By baselining the host environment before and after dynamic analysis, you can learn more about the malware’s behavioral tendencies. That’s why this type of analysis is also known as behavior analysis. 
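The baseline-then-diff idea from Step 4 of the process and from the paragraph above, as an added example that is not part of the article: snapshot every file under a directory (size and SHA-256) before detonation, snapshot again afterwards, and report what was added, removed or modified. The scenario it replays is constructed inside a temporary directory; it covers the file system only, so registry and network observations would need separate collectors.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record every regular file under root as path -> (size, sha256).
    Run once for the baseline and again after the sample has executed."""
    state = {}
    base = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue                      # skip links and special files
            data = full.read_bytes()
            state[full.relative_to(base).as_posix()] = (
                len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify each path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline, simulated sample activity, re-snapshot."""
    root = Path(tempfile.mkdtemp(prefix="baseline_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly numbers")
    (root / "config.ini").write_text("autorun=0")
    before = snapshot(str(root))
    # Simulated post-detonation changes (constructed, not produced by a real sample):
    (root / "docs" / "report.txt.locked").write_bytes(b"\x00" * 32)   # new file
    (root / "docs" / "report.txt").unlink()                            # original gone
    (root / "config.ini").write_text("autorun=1")                      # content changed
    after = snapshot(str(root))
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```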

3. Manual malware analysis 

In a manual analysis, an analyst may choose to break down the code manually, using tools like debuggers, decompilers, and decrypters. Manual analysis often reveals the strategic intent behind malicious software, because the analyst examines the core logic of the algorithm and tries to work out the purpose of elements that seem unnecessary at first appearance. 

Manual analysis is also known as code reversing since you are essentially beginning with the final software, moving backward into code, and then arriving at the original logic — instead of the other way around. 

4. Automated malware analysis 

Automated analysis passes the malware through an automated workflow where its different behavioral and static properties are tested. This may not provide insights into the software’s logic, but it is extremely useful for understanding its broader classification and which malware family it might belong to. 

Automation can generate detailed reports and feed data into an incident response system, bringing only the most necessary signals to a human analyst. Falcon Sandbox and the AI-powered SNDBOX are some of the tools that can help you do this. 

Each type of malware analysis has its own purpose. It’s advisable to execute all of them in conjunction to create a holistic picture of what the malicious app is capable of and how to prevent its entry into user systems. Particularly, the manual code reversal approach aids in getting to the very root of the problem — why the malware was created in the first place. 


Key Stages of Malware Analysis

You can break down malware analysis into three key stages. These coincide with the types of malware analysis listed above, giving you a closer look at the various facets of the malware’s identity and traits. 

1. Observing malware behavior 

At the initial stages, malware analysts run tools or execute short, manual exercises to force it to react. Once the malware reacts to its surrounding environment (on a VM), it becomes easier to understand whether it is harmless or a potential threat. 

A popular tool used to observe malware behavior is Wireshark, a tool that simulates multiple network conditions and inspects malware behavior in the face of different protocols. Behavioral studies could be as simple as running antivirus in the virtual environment to check how the malware responds. 

Combining the benefits of automation and manual strategy, you can use behavioral analysis frameworks to create a reusable analysis script that puts the malware through its paces in a live virtual environment. 

2. Disassembling the code 

Disassembling the code involves both static analysis — where you look at the unchangeable elements of the malware code — as well as its inner logic. Code disassembly relies on manual effort to a large extent, which is why it is recommended that malware analysts have some knowledge of binary and assembly language. You could also leverage a ready-to-use disassembler to tear down the malware program, converting the logic from its original binary form into assembly language. Typically, three types of tools can help at this stage: 

  • A disassembler deconstructs the malware into its primitive binary form and reconstructs it into assembly language that’s comprehensible for a human analyst. 
  • A debugger conducts a code walkthrough and highlights unusual/suspicious-looking code elements where the malware analyst must investigate further. 
  • A decompiler recreates the original source code of a program and can help identify a coder’s digital fingerprint to trace its origin. 

The first two stages focus on the malware’s surface identity and ambient behavior, while the next stage combs through its potential impact. 

3. Examining the memory 

At this stage, we dive into the forensic artifacts left behind by the malware in your system’s memory. The average malware is often 1MB or less in size, so it is difficult to observe its memory imprint in everyday computing environments. A malware analysis lab provides the conditions necessary to benchmark the pre-malware memory state, run it, and then extract artifacts resulting from its functionalities. 

Memory analysis can be extremely difficult, as you are looking for the most minute of digital imprints left behind by an extremely light application designed for stealth. Fortunately, there are several tools out there to help at this stage, such as Memoryze, a free tool that analyzes memory images to list all running processes (including hidden ones), identify loaded drivers, verify driver signatures, and display any open network sockets. 

In other words, this stage reveals further information on behavior, even after the malware has stopped running. 

Across these three stages, our goal is to learn more about the malware, how it works, and how it would respond in different scenarios. To simplify the process, malware analysts can follow a set of key best practices. 


Top 6 Malware Analysis Best Practices for 2021

As cyber threats grow more sophisticated, ethical hackers and malware analysts need to evolve in tandem. The end-to-end analysis procedure can be complex, requiring industry knowledge, innovative thinking, and the right tools. However, it is possible to simplify it significantly through the following best practices: 

1. Expand your malware sample size continuously. 

If you look at the definition of malware analysis, the first step is to capture the software in a controllable format. The results of your analysis depend directly on the sample you use, and the more unfamiliar your sample, the more game-changing your analysis outcomes. 

Remember, malware analysis isn’t a post-attack activity, where you undertake investigations to find out a solution. Rather, it is a research exercise to strengthen our understanding of malware and its different variants/families. That’s why malware analysts should seek new forms of threat, working with ethical hackers, corporates, and cybersecurity companies to analyze the most recent attacks observed. 

In contrast, a small and limited sample pool will give you similar results over and over again, without any meaningful outcomes. 

2. Use automation to optimize your efforts. 

While manual intervention will be needed at some point, automation can help to dramatically shrink your analysis timelines and ensure that your efforts are pointed in the right direction. For example, the static elements of the malware code can be easily checked by an automation script and don’t require a human analyst. Similarly, manually recreating network conditions and hitting the malicious app with different connectivity protocols isn’t very efficient. 

Automated tools can help achieve all of this, giving you an accurate profile of malware behavior in typical conditions and easily identifiable static traits that help classify it within a specific malware family. Free of these tasks, you can now invest in code reversal and delve into the application’s underlying logic. 

It is only by understanding malware’s core motivating logic that we can build systems that are immune. A judicious mix of human, creative thinking, and efficient automation can help get there faster. 


3. Always use a secure environment to run malware.

Letting malware play itself out almost inevitably ruins the system on which it is hosted. Further, there’s always a risk that malware will attach itself to a portable file and transfer outside of the controlled environment. Virtual machines can be extremely useful in creating a sandbox environment that works as a malware analysis lab. The application gets plenty of space to interact with its surroundings, displaying specific behavioral traits, and revealing itself through its actions. 

A VM also makes it easier to run memory forensics as there are clear borders within which to run the investigation. And, if you’re looking for a physical environment, consider systems designed for malware analysis such as the AX Advanced Malware Sandbox series of products by FireEye. 

4. Only analyze malware whose remote infrastructure is running. 

Most malware variants are controlled remotely, recording data from the user’s system and relaying it to the malicious actor. However, if the application has been lying around for some time in an archive or quarantine, the chances are that its remote infrastructure will no longer be active. 

This is a common challenge of using slightly aging malware samples, where the analysis stage is interrupted midway as the malware stops responding. This best practice can help you filter your sample set to the best candidates and execute the malware analysis program end-to-end, across all three stages.


5. Capture and store VM image snapshots.

Most virtual machines can take snapshots, encapsulating their current state in an image. As you prepare the environment for malware analysis — capturing the application, moving it into the system, and installing the tools — take snapshots at regular intervals. As you run the malware and observe its behavior over time, storing these snapshots will give you the option to revert to a historical version of the environment. 

This makes it possible to perfect your malware analysis technique, redo any errors, and regain access to the environment if necessary. 

6. Do your research and select the best-fit malware analysis tools.

This is an essential best practice as the malware analysis market evolves, introducing new tools and enablers that make an analyst’s job easier. 

In 2018, the malware analysis market was worth $3.27 billion worldwide, which is expected to reach $24.15 billion by 2026, at a stellar growth rate of 28.5%. By doing your research, you can zero in on the best tools for your project and develop an accurate proof of concept for the malware at hand. 

Here are some of the tools to watch out for in 2021: 

  • CIRCL Dynamic Malware Analysis Platform (DMA) – a public service that lets you analyze malware in a controlled environment, securely upload sensitive documents, and perform advanced tasks like memory forensics
  • Dinoflux – a malware analysis platform that studies behavior, uses reverse engineering techniques, and produces indicators of compromise as its output, integrating with your security operations center (SOC)
  • Sndbox – a malware research platform powered by artificial intelligence (AI) and advanced driver-level analysis, with an invisible agent that coaxes the malware into revealing its full functionality

Even a casual glance at today’s cybersecurity landscape will reveal countless malware variants, and the number is growing exponentially with each passing day. It is estimated that over 350,000 new pieces of malicious code are identified every day. Understanding malware analysis, its stages, and best practices is essential for staying ahead and staying safe.
