Malware is one of the most prominent threats around today: every day a new variant shows up and compromises the security and integrity of the systems it lands on. Here I explain the basic steps and requirements for malware analysis. The exact steps vary from sample to sample, but the basic concepts of the analysis do not change:
As we all know, analysing malware is like handling a live bomb, so we need to stay alert and make sure we do not harm our own workstation. Before digging into the analysis, the following prerequisites must be in place:
- Build a malware lab: install a virtualisation product (VMware or similar) on the host.
- Install several guest OSes in the VMs: at least one Windows desktop OS, one Windows server OS, one Linux desktop OS and one Linux server.
- Copy and, where required, install your analysis tools into each guest. After installing, take a hash (for example SHA-256) of every tool and of the guest image itself, so that later you can prove the sample did not tamper with them.
- Take a baseline of each system: a system snapshot including file system state, running processes and registry details. The same tools used for the baseline are run again after the malware has executed, so the two results can be compared.
- Keep every VM in "host only" networking mode at all times, so the sample can never reach the Internet or your production network.
Malware analysis can be divided into two categories:
1. Static Analysis/Code Analysis
2. Dynamic Analysis/Behavioral Analysis
Code analysis means reading the malware's code and walking through it, without running it, to understand what it does. Dynamic/behavioral analysis, on the contrary, looks at how the malware behaves when executed: who it talks to, what gets installed and how it runs. To properly understand how a sample works, both static and dynamic analysis are required.
Static Analysis/Code Analysis:
1. Scan the sample with two or more anti-virus (AV) products and note whether, and under which name, each of them detects it. The detection names are a first hint about the malware family.
2. Once the sample is confirmed as malicious, open it in a hex editor and look for signs that a packer such as UPX was applied, for example section names like UPX0/UPX1 instead of the usual .text/.data/.rdata.
3. Some packers, UPX included, allow the sample to be decompressed (UPX itself does it with `upx -d`). Once the sample is unpacked, the other analysis tools can be run against the real code instead of the packer stub.
Note: before decompressing, make a copy of the sample, because decompression sometimes corrupts it.
4. Many tools can then be run against the sample, for example:
- strings: extracts the ASCII and Unicode strings embedded in the binary. Look in the output for IP addresses, port numbers, URLs, file paths, registry keys and suspicious API names.
- After the strings pass, disassemble the sample. Disassembly output varies from sample to sample, but from it you can see which system DLLs and API functions the malware uses and what changes it makes to the system.
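As an added example (not code from the original post), the following Python script does a first static pass of the kind described in steps 2 to 4 above: it hashes the sample, parses the PE section table to spot packer-style sections such as UPX0/UPX1 (plus a zero-raw-size section and a high-entropy check as further packer hints), extracts ASCII and UTF-16LE strings the way `strings` does, and pulls IPs, ports and URLs out of them. The function build_sample_pe() constructs a small PE-shaped byte buffer purely for demonstration; it is not a real malware sample, and the addresses and strings inside it are made up.

```python
"""Added example (not from the original post): first-pass static triage of a
Windows PE sample in pure Python. build_sample_pe() is a constructed, non-executable
PE-shaped buffer used only to exercise the parser; it is not a real sample."""
import hashlib
import math
import re
import struct
from collections import Counter

# Section names commonly left behind by packers (UPX, ASPack, Petite).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # what `strings` prints
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # Windows wide strings
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
URL_RE = re.compile(r"https?://[^\s\"']+")

def sha256_hex(data: bytes) -> str:
    """Hash the sample (and, at lab build time, every tool) to prove nothing changed."""
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted sections sit close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def pe_sections(data: bytes) -> list:
    """Walk the PE section table. Returns (name, virtual_size, raw_size, raw_ptr, entropy)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    offset = e_lfanew + 4 + 20 + opt_size                 # section table follows the optional header
    sections = []
    for _ in range(nsections):
        name, vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, offset)                 # IMAGE_SECTION_HEADER, 40 bytes
        name = name.rstrip(b"\0")
        sections.append((name, vsize, raw_size, raw_ptr,
                         shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
        offset += 40
    return sections

def packer_indicators(sections) -> list:
    """Heuristics that say 'unpack me first'; each hit is a human-readable reason."""
    reasons = []
    for name, vsize, raw_size, _ptr, entropy in sections:
        label = name.decode("latin-1")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {label}")
        if raw_size == 0 and vsize > 0:
            reasons.append(f"{label} has no raw data but {vsize:#x} bytes virtual (unpacking target)")
        if entropy > 7.0:
            reasons.append(f"{label} entropy {entropy:.2f} (compressed or encrypted)")
    return reasons

def extract_strings(data: bytes) -> list:
    """ASCII strings first, then UTF-16LE strings, four or more printable characters each."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found

def network_indicators(strings) -> dict:
    """Pull IP:port pairs and URLs out of the string list for the IOC sheet."""
    text = "\n".join(strings)
    return {"urls": sorted(set(URL_RE.findall(text))),
            "ipv4": sorted(set(IPV4_RE.findall(text)))}

def triage(data: bytes) -> dict:
    sections = pe_sections(data)
    strings = extract_strings(data)
    return {"sha256": sha256_hex(data),
            "sections": [(n.decode("latin-1"), vs, rs, round(e, 2)) for n, vs, rs, _p, e in sections],
            "packer": packer_indicators(sections),
            "indicators": network_indicators(strings),
            "strings": strings}

def build_sample_pe() -> bytes:
    """Constructed PE-shaped buffer (headers plus a data blob, not executable) with UPX-style sections."""
    body = (b"http://203.0.113.10:8080/update.bin\x00\x00"
            + "cmd.exe /c".encode("utf-16le") + b"\x00\x00"
            + b"198.51.100.23:4444\x00")
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + 2 * 40             # DOS stub + signature + COFF + 2 sections
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, no optional header
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(body), 0x21000, len(body), headers_len,
                       0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + upx0 + upx1 + body
```

Run `triage(open("sample.bin", "rb").read())` on a real file (inside the lab VM, never on the host) and read the "packer" list first: if it is non-empty, unpack before trusting the string and import output, because the strings you see on a packed sample belong to the packer stub, not to the malware.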
Dynamic Analysis/Behavioral Analysis:
1. Here the malware is executed and the system's behavior is observed. Before beginning dynamic analysis, make sure all service packs and applications are installed properly in the guest, so the sample sees a realistic target.
In general you need the following tools:
1. Process Explorer
2. TCPView
3. WinDump
4. A system snapshot tool such as Winanalysis
Process Explorer shows any processes that are started during execution of the malware. TCPView shows the attempted or completed network connections the malware makes. WinDump records all network traffic. The snapshot tool captures file system and registry state so that the before and after states can be compared. Windows Explorer is simply used to browse to the location of the sample so that it can be executed.
2. Execute the malware while watching Process Explorer and TCPView for changes in system state. Be sure to note the changes that occur immediately after execution, then allow the malware some time to run; fifteen minutes is usually sufficient.
3. Using Winanalysis, take another system snapshot and compare it with the baseline snapshot taken earlier. Run Process Explorer and TCPView again, looking for changes from the baseline, and make notes of every change. Finally, examine the network traffic captured with WinDump.
4. While reviewing Process Explorer, look for new processes and note where their executables are located. The malware may also have registered them in the registry's autorun locations (for example the Run keys), which would load the malware at every boot. Any new process installed by the malware must be thoroughly investigated.
5. Use TCPView to look for new listeners installed on the system by the malware; these may receive instructions from command and control servers. If a new listener appears, investigate it: attempt to connect to it from another lab machine with tools such as telnet, netcat or a web browser, trace the listener back to the process that opened it, and investigate that process thoroughly.
6. While examining the network traffic, observe how the malware functions and make notes on what the traffic looks like (destinations, ports, protocol, payload patterns). These notes are what you use to write access lists and IDS rules. For example, if the sample tries to download a backdoor from a remote server, set up a server inside the isolated lab that serves it, rather than letting the sample reach the real Internet. Once the backdoor has been downloaded and installed, you can connect to it yourself and see what the malware author would see.
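As an added example (not code from the original post), the script below covers the baseline-and-compare part of the lab setup above and steps 3 to 6 of the dynamic procedure in one place. A snapshot is represented as a plain dict with four views (file hashes, running processes, autorun registry values, sockets), which is the kind of data Winanalysis, Process Explorer and TCPView give you; hash_tree() shows how the file view of a real snapshot is built. The BASELINE and AFTER snapshots, the process name updsvc.exe, the RFC 5737 addresses and the WinDump-style CAPTURE lines are all constructed for illustration, and the generated rules use Snort alert-rule syntax with an assumed starting SID.

```python
"""Added example (not from the original post): diff a clean baseline against a
post-execution snapshot, list new listeners, and turn the captured outbound
connections into draft IDS rules. All data below is constructed for illustration."""
import hashlib
import os
import re

# One-line TCP summaries as printed by WinDump/tcpdump: "IP a.b.c.d.port > e.f.g.h.port: Flags [S], ..."
CAPTURE_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

BASELINE = {  # constructed clean-system snapshot
    "files": {"Windows/System32/svchost.exe": "a1" * 32,
              "Windows/System32/drivers/etc/hosts": "b2" * 32},
    "processes": {"explorer.exe": 1204, "svchost.exe": 880},
    "autoruns": {RUN_KEY + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    "sockets": {"0.0.0.0:135": {"pid": 880, "state": "LISTEN"}},
}
AFTER = {  # constructed snapshot taken fifteen minutes after running the sample
    "files": {"Windows/System32/svchost.exe": "a1" * 32,
              "Windows/System32/drivers/etc/hosts": "c3" * 32,          # modified by the sample
              "Users/analyst/AppData/Roaming/updsvc.exe": "d4" * 32},  # dropped by the sample
    "processes": {"explorer.exe": 1204, "svchost.exe": 880, "updsvc.exe": 3112},
    "autoruns": {RUN_KEY + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
                 RUN_KEY + r"\updsvc": r"C:\Users\analyst\AppData\Roaming\updsvc.exe"},
    "sockets": {"0.0.0.0:135": {"pid": 880, "state": "LISTEN"},
                "0.0.0.0:4444": {"pid": 3112, "state": "LISTEN"},
                "192.168.56.101:49173->203.0.113.10:8080": {"pid": 3112, "state": "SYN_SENT"}},
}
CAPTURE = [  # constructed WinDump output; the host-only lab net is 192.168.56.0/24
    "12:00:01.000100 IP 192.168.56.101.49173 > 203.0.113.10.8080: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.220000 IP 192.168.56.101.49174 > 198.51.100.23.4444: Flags [S], seq 1, win 64240, length 0",
    "12:00:04.220000 IP 192.168.56.101.49174 > 198.51.100.23.4444: Flags [S], seq 1, win 64240, length 0",
    "12:00:05.000000 IP 192.168.56.101.49180 > 192.168.56.1.445: Flags [S], seq 7, win 64240, length 0",
]

def hash_tree(root: str) -> dict:
    """Build the file view of a real snapshot: relative path -> SHA-256 of the contents."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                view[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return view

def diff_views(before: dict, after: dict) -> dict:
    """Keys added, keys removed, and keys whose value changed between two views."""
    return {"added": {k: after[k] for k in after.keys() - before.keys()},
            "removed": {k: before[k] for k in before.keys() - after.keys()},
            "changed": {k: (before[k], after[k]) for k in before.keys() & after.keys()
                        if before[k] != after[k]}}

def diff_snapshots(baseline: dict, after: dict) -> dict:
    """Apply diff_views to every view; everything returned is a lead to investigate (step 3)."""
    return {view: diff_views(baseline.get(view, {}), after.get(view, {}))
            for view in ("files", "processes", "autoruns", "sockets")}

def new_listeners(diff: dict) -> list:
    """Listening sockets that did not exist at baseline: candidate backdoors (step 5)."""
    return sorted(((ep, owner) for ep, owner in diff["sockets"]["added"].items()
                   if owner["state"] == "LISTEN"), key=lambda t: t[0])

def parse_capture(lines) -> list:
    """Parse WinDump one-line TCP summaries into (src, sport, dst, dport, flags)."""
    packets = []
    for line in lines:
        m = CAPTURE_LINE.search(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets

def outbound_endpoints(packets, lab_prefix: str) -> list:
    """Distinct remote (dst, dport) pairs the guest tried to reach: SYNs leaving the lab net."""
    return sorted({(dst, dport) for src, _sp, dst, dport, flags in packets
                   if src.startswith(lab_prefix) and not dst.startswith(lab_prefix) and flags == "S"})

def snort_rules(endpoints, sample_name: str, first_sid: int = 1000001) -> list:
    """Draft one Snort-syntax alert per remote endpoint for the IDS team to refine (step 6)."""
    return [f'alert tcp $HOME_NET any -> {dst} {dport} '
            f'(msg:"{sample_name} contacts {dst}:{dport}"; sid:{first_sid + i}; rev:1;)'
            for i, (dst, dport) in enumerate(endpoints)]
```

The diff output is the worklist for step 4: every added file, process and autorun value is traced back to the sample, and the new 0.0.0.0:4444 listener owned by the same PID is what you would probe with netcat from another lab VM. Note that outbound_endpoints() keys on SYN packets only, so a beacon that retries every few seconds still yields a single rule per destination.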
* The methodology explained above is the general one used for malware analysis, but the approach may change according to the malware sample.