Malware Analysis - Overview (Part 1)

This article is part of the malware analysis series. This part covers the basics: what malware is and what malware analysis involves. Here is what you can expect from each part:

  • Part 1: Overview (Understanding what malware and malware analysis are)
  • Part 2: Static Analysis (Taking a look at static analysis approach with a demonstration)
  • Part 3: Dynamic Analysis (Taking a look at dynamic analysis approach with a demonstration)

Malware is such a prevalent topic within Cybersecurity, and often an unfortunately recurring theme among global news today.

Not only is malware analysis a form of incident response, but it is also useful in understanding how the behaviours of malware variants lead to their respective categorisation. This article is a practical introduction to the techniques and tools used throughout malware analysis; albeit brief, I hope to expand on these techniques in much more depth in the future.

When analysing malware, it is important to consider the following:

Point of Entry (PoE), i.e. was it through spam that our e-mail filtering missed and the user opened the attachment? Let’s review our spam filters and train our users better for future prevention!

There are many variants of malware, but attacks can be classified into two types:

Targeted

Literally targeted: targeted malware is commonly designed for a specific purpose against a specific target.

Let’s take a look at “Stuxnet”. This is a computer worm that was originally designed to target Iran’s nuclear facilities but has since mutated and spread to more industrial and energy-producing facilities.

It originally targeted the programmable logic controllers (PLCs) used to automate machine processes. It was created by the U.S. National Security Agency, the CIA, and Israeli intelligence. The worm reportedly destroyed numerous centrifuges in Iran’s Natanz uranium enrichment facility by causing them to burn themselves out. It travelled on USB sticks and spread through Windows machines. Stuxnet would look for signs of Siemens Step 7 software, which industrial computers serving as PLCs use for automating and monitoring electro-mechanical equipment. Once it found itself on the correct victim, it would update itself and send malicious instructions to the electro-mechanical equipment the PC controlled. It would be difficult to identify this was happening until the equipment actually began to self-destruct.

Stuxnet - Wikipedia

Stuxnet, the World’s First Digital Weapon - Wired

There is some crossover between these categories: some may argue that Stuxnet is a mass campaign, but I consider it a targeted attack, as it was created with a specific intention. Its methods of spreading may be those of a mass campaign, but it only performs its main malicious activities on the desired victims.


Mass Campaign

On the other hand, this classification may be the most familiar, with many real-life examples, as it is the most common type of attack. The entire purpose of this type is to infect as many devices as possible and perform whatever it was designed to do.

Another well-known malware strain is Emotet, also known as Geodo and Mealybug. It was originally developed as a banking trojan.

Once infected, the malware spreads like a computer worm and attempts to infiltrate other computers in the network.

Emotet - Wikipedia

Emotet - Malwarebytes

Identifying a malware attack

Fortunately (or unfortunately) malware is largely obtrusive. This means that it can be noisy and leave a lot of trails for evidence, hence the reason for this article on malware analysis.

Here is a common process of how we can expect malware to behave:

Malware lifecycle

Each step can generate lots of noise, such as network traffic (communicating with the internet) and file interaction and behaviour.

  • Delivery - How does it arrive? By USB? Email (phishing campaigns)? Vulnerability enumeration?

  • Execution - What does it do? Does it encrypt files (Ransomware)? Does it record information (Spyware)? This stage is understood through the analysis of the malware sample.

  • Maintaining Persistence - Malware is often designed to stay on a system after it executes.

  • Persistence - Malware can employ techniques to ensure that its execution is worth its while.

  • Propagation - Once the device has been infected, does it try to infect more? Host discovery can also generate a lot of network traffic.

When understanding a malware sample, it’s common to categorise the fingerprints that malware leaves behind:

Host-Based Signatures - Results of execution and persistence by the malware. Any encrypted files? What else has been installed? These are two of many host-based signatures.

Network-Based Signatures - Observation of any networking communication during the delivery, execution and propagation.
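The lifecycle stages and the two signature families above can be turned into a small triage script that runs over telemetry and says, for each event, which stage it belongs to and whether it is a host-based or network-based signature. The following is an added example, not code from the original article: the log format, the rule patterns and every event in SAMPLE_EVENTS are constructed assumptions for illustration, and the propagation fan-out heuristic is a simple stand-in for the "host discovery generates a lot of network traffic" observation.

```python
"""Map constructed endpoint and network telemetry onto the lifecycle stages
(Delivery, Execution, Persistence, Propagation) and the two signature families
(host-based, network-based) described in the article. Added example; the log
format, field names and events are assumptions, not from the article."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Constructed sample telemetry as (source, message) pairs. Not real malware data.
SAMPLE_EVENTS = [
    ("mail", "attachment saved: invoice.docm from external sender"),
    ("host", "process created: WINWORD.EXE -> cmd.exe"),
    ("host", "file written: C:\\Users\\alice\\report.docx.locked"),
    ("host", "registry value set: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ("net", "dns query: update-check.example.invalid"),
    ("net", "connection: 10.0.0.5 -> 10.0.0.17:445 (SMB)"),
    ("net", "connection: 10.0.0.5 -> 10.0.0.18:445 (SMB)"),
    ("net", "connection: 10.0.0.5 -> 10.0.0.19:445 (SMB)"),
]

# (pattern, lifecycle stage, signature family). Hypothetical rules written for
# the constructed log format above; a real deployment tunes these per data source.
RULES = [
    (re.compile(r"attachment saved:", re.I), "Delivery", "host"),
    (re.compile(r"process created: .*(WINWORD|EXCEL)\.EXE -> (cmd|powershell)", re.I), "Execution", "host"),
    (re.compile(r"file written: .*\.locked$", re.I), "Execution", "host"),
    (re.compile(r"registry value set: .*\\CurrentVersion\\Run\\", re.I), "Persistence", "host"),
    (re.compile(r"dns query:", re.I), "Execution", "network"),
    (re.compile(r"connection: \S+ -> \S+:445 ", re.I), "Propagation", "network"),
]


@dataclass(frozen=True)
class Finding:
    stage: str      # Delivery / Execution / Persistence / Propagation / Unknown
    signature: str  # "host" or "network": the two families the article names
    source: str
    message: str


def classify_events(events):
    """Apply the first matching rule to every event. Unmatched events are kept
    as Unknown so that gaps in rule coverage stay visible instead of being dropped."""
    findings = []
    for source, message in events:
        stage = "Unknown"
        signature = "network" if source == "net" else "host"
        for pattern, rule_stage, rule_signature in RULES:
            if pattern.search(message):
                stage, signature = rule_stage, rule_signature
                break
        findings.append(Finding(stage, signature, source, message))
    return findings


def summarise(findings):
    """Count findings per lifecycle stage, split into host and network signatures."""
    summary = defaultdict(Counter)
    for finding in findings:
        summary[finding.stage][finding.signature] += 1
    return {stage: dict(counts) for stage, counts in summary.items()}


CONNECTION_RE = re.compile(r"connection: (\S+) -> (\S+):\d+")


def propagation_fanout(findings, threshold=3):
    """Distinct destinations contacted per source among Propagation findings.
    Host discovery shows up as one source fanning out to many peers on the
    same port, which is the noisy network traffic the article describes."""
    destinations = defaultdict(set)
    for finding in findings:
        if finding.stage != "Propagation":
            continue
        match = CONNECTION_RE.search(finding.message)
        if match:
            destinations[match.group(1)].add(match.group(2))
    return {src: len(dsts) for src, dsts in destinations.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    found = classify_events(SAMPLE_EVENTS)
    for finding in found:
        print(f"{finding.stage:<12} {finding.signature:<8} {finding.message}")
    print(summarise(found))
    print("propagation fan-out:", propagation_fanout(found))
```

Running it prints each constructed event with its stage and signature family, a per-stage count, and the one source (10.0.0.5) that fanned out to three SMB peers. The point of keeping Unknown findings rather than discarding them is that the stage breakdown then doubles as a coverage check on the rules themselves.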

Static vs Dynamic Analysis

Static analysis is used for a high-level view of the malware sample. This is a fairly simple approach and can easily be used to decide whether something is malicious. This method does not execute the code.

Dynamic analysis is a lot more involved. This method involves executing and observing the sample. It is less safe if not done properly.
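To make the static side concrete, here is the kind of first-pass triage that gives that "high-level view" without ever running the sample: record its hashes, pull out embedded strings (ASCII and UTF-16LE, as the `strings` tool does) and match them against a few indicator classes. This is an added example, not code from the article; SAMPLE_BYTES is a constructed stand-in with strings embedded in it (not a real binary and not malware), and the indicator list and the two-class verdict threshold are assumptions.

```python
"""Static triage of a sample without executing it: hashes, embedded strings
and simple indicator matching. Added example, not from the article; the
indicator list and verdict threshold are assumptions, and SAMPLE_BYTES is a
constructed stand-in, not a real binary."""
import hashlib
import re

# Constructed stand-in for a sample file. It is not executable and not malware;
# it only exists so the helpers below have strings to find.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + b"http://update.example.invalid/check\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x7f\x80\x81"
    + "10.0.0.5".encode("utf-16-le") + b"\x00\x00"  # wide string, common in Windows binaries
    + b"ab"  # shorter than min_len, so it is not reported
)

# Assumed indicator classes; a real triage list is far longer.
INDICATORS = {
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"CurrentVersion\\Run\b", re.I),
}


def hashes(data):
    """File hashes: the first thing to record and look up before anything else."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data, min_len=5):
    """Printable ASCII runs followed by UTF-16LE runs of at least min_len characters."""
    count = str(min_len).encode()
    ascii_runs = re.findall(rb"[\x20-\x7e]{" + count + rb",}", data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){" + count + rb",}", data)
    return [run.decode("ascii") for run in ascii_runs] + [run.decode("utf-16-le") for run in wide_runs]


def find_indicators(strings):
    """Group strings by the indicator class they match; classes with no hit are omitted."""
    hits = {}
    for name, pattern in INDICATORS.items():
        matched = [s for s in strings if pattern.search(s)]
        if matched:
            hits[name] = matched
    return hits


def triage(data, min_len=5):
    """High-level static view of a sample, produced without running it."""
    strings = extract_strings(data, min_len)
    hits = find_indicators(strings)
    return {
        "hashes": hashes(data),
        "is_pe_like": data[:2] == b"MZ",  # DOS/PE magic; a hint, not proof
        "strings": strings,
        "indicators": hits,
        # Assumed threshold: two or more indicator classes is enough to justify
        # the more involved (and riskier) dynamic analysis step.
        "verdict": "suspicious" if len(hits) >= 2 else "no static indicators",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BYTES)
    print("sha256:", report["hashes"]["sha256"])
    for s in report["strings"]:
        print("  string:", s)
    print(report["indicators"], "->", report["verdict"])
```

On the constructed input this reports a URL, an IPv4 address and a Run key, so the verdict is "suspicious"; on a blob with no such strings it reports no static indicators. That asymmetry is the caveat the article hints at: static triage is cheap and safe, but a sample that packs or encrypts its strings will look clean here and only reveal its behaviour under dynamic analysis.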

Part 2 - Static Analysis (Coming Soon)

Written on October 13, 2020