Tuesday, July 16, 2019

Simplifying Malware Analysis:


This article is meant for people who want to start a career in malware analysis. Malware analysis is a growing need in the cyber security industry as attacks involving malware increase. The article explains how to approach malware analysis; before that, it is important to know how malware works. These are the topics I will cover in the article:
  1. Malware Components
  2. Malware Analysis Steps

Malware Components
In order to understand malware better, I have broken it down into components. Below is a diagram of the various components.

I have broken malware down into the following components:
  1. Payload
  2. Packer
  3. Persistence
  4. Armoring
  5. Stealth
  6. Communication
  7. Propagation
(Figure: Malware Components)

The payload is the mandatory component of malware; the rest are optional.
  • Payload is the core component of the malware. It carries out the malware's final intention: for example, stealing credentials from a browser or stealing banking credentials. Malware should be classified or named based on its payload:
    • Password Stealer (PWS) - steals passwords from browsers, FTP clients etc.
    • Banking Malware - specifically meant to steal banking credentials or perform a man-in-the-middle attack.
    • Ransomware - asks the victim to pay a ransom, usually by hijacking sensitive data or system resources.
    • Adware - displays unwanted advertisements to victims.
    • Point of Sale - used to steal credit card information from systems linked to POS devices.


A packer is an envelope over the payload. When reverse engineering malware, you need to remove this envelope in order to see the actual payload or functionality of the malware. A packer uses algorithms to compress code; since the actual malware code is compressed by the packer, it is hard to see the actual payload by static analysis (I will talk about static analysis later in the article; for the time being, consider static analysis as viewing an executable in a hex editor). A packer is a program that takes an executable as input and produces a packed executable. The original executable and the packed executable look different when static analysis is done on them.

A polymorphic packer takes one executable program as input and creates multiple (possibly millions of) packed executables that look different from each other under static analysis. These executables are released in the wild through various channels such as spam and exploit kits. They differ from each other when an analyst performs static analysis on them, but their behaviour (dynamic analysis) is the same. So if an antivirus engineer writes a static detection signature on a few of the packed executables, there is a chance that the signature will not detect all the executables created by the polymorphic packer. This is one of the methods by which malware evades static antivirus signatures.
(Figure: Polymorphic Packer)
Persistence:
Malware needs to stay in the system and survive reboots. Banking malware or a stealer needs to stay active in the system even after a reboot. The techniques with which malware survives a reboot are called persistence mechanisms. Most malware exploits operating system features to persist.

Armoring:
Malware does not want to be analysed or detected. Security researchers try to break the malware, and armoring is what malware uses to protect itself. Anti-debugging, VM detection, sandbox detection and analysis tool detection are the various armoring techniques employed by malware.

Stealth:
Malware needs to hide itself in the system so that the user does not suspect it. Stealth techniques range from simply setting the hidden file attribute to code injection techniques and rootkits, all of which can be considered stealth mechanisms. A rootkit is often considered a type of malware, but I would say a rootkit is a technique to hide malware; the payload could be something like a banking trojan that wants to hide itself. Most rootkits alter the functionality of the APIs or data structures used by the operating system. For example, Windows Task Manager refers to a doubly linked list in which each node represents a process; removing a node from the linked list hides the process. This rootkit technique is called DKOM.
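The DKOM hiding described above, and the cross-view check defenders use to catch it, as an added simulation that is not part of the original post. The process list and pid table are constructed toy data standing in for the kernel's process list and an independent second source of PIDs.

```python
# Added example (not from the original post): a toy model of the
# doubly-linked process list, the DKOM unlink that hides one node from any
# tool that walks the list, and a cross-view comparison that detects it.

class ProcNode:
    """Toy stand-in for one process entry in the kernel's doubly linked list."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = None


def build_list(entries):
    """Link constructed (pid, name) pairs into a circular doubly linked list.
    Returns the head node and a pid -> node table (the independent view)."""
    nodes = [ProcNode(pid, name) for pid, name in entries]
    for i, node in enumerate(nodes):
        node.flink = nodes[(i + 1) % len(nodes)]
        node.blink = nodes[i - 1]
    return nodes[0], {n.pid: n for n in nodes}


def walk_list(head):
    """What a list-walking tool (Task Manager's view in the text) reports."""
    seen, node = [], head
    while True:
        seen.append(node.pid)
        node = node.flink
        if node is head:
            return seen


def dkom_unlink(node):
    """The hiding step: point the neighbours past this node. The process
    keeps running because scheduling does not depend on this list."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink


def cross_view_hidden(head, pid_table):
    """Detection: PIDs known to the independent table (a stand-in for the
    handle table or a thread scan) but absent from the list walk."""
    return sorted(set(pid_table) - set(walk_list(head)))


# Constructed sample: four processes, one of which the rootkit then hides.
PROCS = [(4, "System"), (512, "explorer.exe"), (1337, "banker.exe"), (2048, "notepad.exe")]
HEAD, TABLE = build_list(PROCS)
dkom_unlink(TABLE[1337])
```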

Communication:
Malware communicates with the attacker through command and control (CnC) servers. The reason could be anything: uploading stolen data, receiving commands etc.

Propagation:
Malware needs to spread across computers in a network or outside the network. Autorun worms used pen drives to spread from one machine to another. The infamous WannaCry used the EternalBlue exploit to propagate through the network. PE file infection (file infectors) is a spreading mechanism used by

Malware Analysis
Malware analysis is done in order to find out whether a program is malware and, if so, its impact on the system. There are three approaches:
  1. Static
  2. Dynamic
  3. Reverse Engineering

Static Analysis:
Static analysis is done without executing the sample: the sample is opened in a static analysis tool to view its static properties.
It is hard to draw conclusions from static analysis alone, as malware may be obfuscated. Then why do we perform static analysis?
Static analysis forms the basis of dynamic analysis. Here is an example analysis step: I get a sample and check its first few bytes in a hex editor. I see MZ at the start of the file, so I consider it a Windows executable. Then I check whether it is a 32-bit or 64-bit executable; if it is 64-bit, I would use a 64-bit Windows OS for dynamic analysis.

(Figure: Malware Analysis Steps)
If I find that a file is a Microsoft Word document (.docx), then I would need to install Microsoft Word on my analysis machine for further dynamic analysis.
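The static triage steps above (MZ check, 32-bit versus 64-bit, Office document detection) plus the packer section's "looks different in a hex editor" point, automated in an added example that is not from the original post. The constructed `fake_pe` bytes and the entropy threshold remarks are assumptions; the COFF Machine constants are the standard PE values.

```python
# Added example (not from the original post): static triage of a sample's
# first bytes to decide how to set up the dynamic-analysis machine.
import math
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF Machine values from the PE format
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def shannon_entropy(data):
    """Bits per byte: plain code and text are usually well under 7, while
    packed or encrypted content approaches 8 (the 'looks different in a hex
    editor' effect from the packer section)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """Identify the container and, for a PE file, its bitness, so the right
    dynamic-analysis machine can be chosen (64-bit OS, Office installed etc.)."""
    info = {"kind": "unknown", "arch": None, "entropy": round(shannon_entropy(data), 2)}
    if data[:2] == b"PK":                        # .docx/.xlsx are ZIP containers
        info["kind"] = "office-openxml-or-zip"
        return info
    if data[:2] != b"MZ" or len(data) < 0x40:    # no room for e_lfanew at 0x3C
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 6:
        info["kind"] = "mz-without-pe-header"    # DOS stub only, or truncated
        return info
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    info["kind"] = "pe"
    arch_names = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
    info["arch"] = arch_names.get(machine, hex(machine))
    return info


def fake_pe(machine):
    """Constructed sample (not a real program): an MZ header whose e_lfanew
    points at a PE signature followed by the COFF Machine field."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
```

A high entropy value on a real sample is only a hint that a packer was used, not proof; the bitness check is what decides which OS the dynamic-analysis machine needs.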

Dynamic Analysis:
Dynamic analysis is performed in order to find the changes the malware makes to the system. The changes can include:
  • File modifications
  • Configuration changes
  • Network communication
  • Process changes - code injection, API hooks
  • Mutexes created
  • System code modifications (kernel-level API hooks and data structure modifications)
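The before/after comparison that a dynamic-analysis run boils down to, over the artifact categories listed above, as an added example that is not part of the original post. Real tooling takes the snapshots; every path, hash, mutex name and address in the constructed snapshots here is invented.

```python
# Added example (not from the original post): diff two system snapshots
# taken before and after running a sample, then flag the patterns the
# persistence and communication sections describe.

def snapshot_diff(before, after):
    """Compare two snapshots of the form {category: {name: value}} and
    return, per category, what was added, removed or modified."""
    report = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        changes = {
            "added": sorted(set(a) - set(b)),
            "removed": sorted(set(b) - set(a)),
            "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
        }
        if any(changes.values()):
            report[cat] = changes
    return report


def suspicious(report):
    """Flag new autostart entries (persistence), new mutexes and new
    outbound connections (communication) found in a diff report."""
    flags = []
    for key in report.get("registry", {}).get("added", []):
        if "\\CurrentVersion\\Run" in key:
            flags.append("persistence: " + key)
    for name in report.get("mutexes", {}).get("added", []):
        flags.append("mutex: " + name)
    for endpoint in report.get("network", {}).get("added", []):
        flags.append("outbound: " + endpoint)
    return flags


# Constructed snapshots: every path, hash, name and address is invented.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\victim\AppData\Roaming\svchost.exe"
BEFORE = {
    "files": {r"C:\Windows\System32\drivers\etc\hosts": "hash-a", r"C:\sample.exe": "hash-s"},
    "registry": {RUN_KEY + r"\OneDrive": "unchanged"},
    "processes": {"explorer.exe": 512},
    "mutexes": {}, "network": {},
}
AFTER = {
    "files": {r"C:\Windows\System32\drivers\etc\hosts": "hash-b", r"C:\sample.exe": "hash-s",
              DROPPED: "hash-s"},
    "registry": {RUN_KEY + r"\OneDrive": "unchanged", RUN_KEY + r"\Updater": DROPPED},
    "processes": {"explorer.exe": 512, "svchost.exe": 2048},
    "mutexes": {"Global\\sample_single_instance": 1},
    "network": {"10.0.0.5:443": "ESTABLISHED"},
}
```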


Reverse Engineering:
Reverse engineering is performed when it is hard to draw conclusions from dynamic analysis. Malware may not execute completely if it detects a virtual machine environment (armoring), so dynamic analysis will not give conclusive results. In this case reverse engineering is performed to locate the code that detects virtual machines and patch it so that the malware executes. Reverse engineering can serve many other purposes:

  • Finding out the algorithms used by malware
  • Writing better antivirus signatures
  • Finding out more secrets in the malware, such as similarity with existing malware used in some attack

Malware Analysis Training:
All these topics are covered in detail in my training, which also includes malware detection. Contact me at abhijit.mohanta.15.08@gmail.com for training.
