Understanding Malware Analysis with Dr. Ali Hadi
WHAT IS MALWARE ANALYSIS?
Malware analysis is the art of dissecting malicious software with the objective of answering three core questions:
- How does it work?
- How can we detect it?
- How can we eliminate the threat created by malicious software?
I consider malware analysis artful because analysts all have their own style, and each dissects threats differently. There are standard approaches and methods, but the techniques and tools used could be different from one person to another, which makes it more of an art.
What is the difference between static and dynamic analysis?
Static analysis breaks down malware without actually executing it. This could be further divided into two approaches:
- Basic: this is where the analyst tries to understand the malware by analyzing the file, file structure, and functions being used by the malware.
- Advanced: this is where the analyst must dig deeper and try to understand the malware based on the low-level instructions being used. This is where the malware sample is usually disassembled.
In dynamic analysis, analysts study the malware by executing it and monitoring its behavior. This could also be further divided into two approaches:
- Basic: this is where the analyst runs the sample in a contained environment with different monitoring tools and tries to understand what the malware is doing.
- Advanced: this is where the analyst could not understand the malware using the basic method for many reasons, therefore must run the sample using a debugger. This way, the analyst has more control over how the sample is being executed.
One of the important aspects to keep in mind is that the final goal is to provide answers to the three core questions mentioned above. You are not required to understand every single instruction in the malware sample and waste time, effort and money on details that provide no benefit to the three core questions. Therefore, you might not need to apply all the listed methods but instead only use one or two of them. Do not waste your time with the "The devil is in the detail" idiom!
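The basic static step described above (look at the file, its structure, and the functions it names) can be shown concretely. The following is an added example written for this page, not a tool from the interview: a standard-library-only Python triage script that identifies the file by magic bytes, hashes it, walks the PE headers to the section table, measures per-section entropy, and pulls printable strings. The PE-shaped input it runs on is constructed inline and is not a real program; the offsets and flag values follow the published PE/COFF layout.

```python
"""Basic static triage: identify, hash, parse the PE section table, extract strings.

Added example for this page (not the interview's code). Standard library only.
The sample input is a constructed, minimal PE-shaped file, not a real program.
"""
import hashlib
import math
import re
import struct
from collections import Counter

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # ASCII runs of 6+ chars, like `strings`
IMAGE_SCN_MEM_EXECUTE = 0x20000000            # section characteristics bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 suggests packed/encrypted data; plain code is usually 5-6.5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def file_type(data: bytes) -> str:
    """Identify by header bytes; the extension is not trusted."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:2] == b"PK":
        return "ZIP container"
    return "unknown"


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size              # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage(data: bytes) -> dict:
    """Collect the static facts an analyst wants before running anything."""
    strings = [s.decode("ascii") for s in PRINTABLE.findall(data)]
    report = {"type": file_type(data), "sections": [], "strings": strings, "flags": [],
              "hashes": {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}}
    if report["type"] == "PE":
        try:
            report["sections"] = pe_sections(data)
        except (ValueError, struct.error) as exc:     # truncated or malformed headers
            report["flags"].append(f"malformed PE header: {exc}")
    for s in report["sections"]:
        if s["entropy"] > 7.0:
            report["flags"].append(f"high entropy in {s['name']}: packed or encrypted?")
        if s["executable"] and s["writable"]:
            report["flags"].append(f"{s['name']} is writable and executable")
    for s in strings:
        if s.lower().startswith(("http://", "https://")):
            report["flags"].append(f"embedded URL: {s}")
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped file: DOS header, PE signature, COFF header,
    no optional header, a .text section with strings and a high-entropy .data section."""
    text = b"\x90" * 8 + b"kernel32.dll\0CreateFileA\0http://example.invalid/update\0"
    payload = bytes(range(256)) * 2           # every byte value equally often -> entropy 8.0
    headers_len = 0x40 + 4 + 20 + 40 * 2
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header

    def hdr(name, vaddr, size, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rptr, 0, 0, 0, 0, chars)

    sect = (hdr(b".text", 0x1000, len(text), headers_len, 0x60000020)
            + hdr(b".data", 0x2000, len(payload), headers_len + len(text), 0xC0000040))
    return bytes(dos) + b"PE\0\0" + coff + sect + text + payload


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

The report it produces is exactly the "basic static" view: what kind of file it is, identifiers to search threat intelligence for, which sections look packed, and which library names, API names and URLs are visible in the clear. None of that requires executing the sample, and it is often enough to decide whether the advanced (disassembly) step is worth the effort.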
What’s the difference between malware analysis and reverse engineering?
While malware analysis could involve reverse engineering, it does not mean you can’t analyze malware without reverse engineering. On the other hand, reverse engineering is the art of dissecting a product to understand its blueprint or how it was made. Reverse engineering could be taking apart an unknown file format or a cryptographic algorithm to crack and break a software’s protection mechanism, or to reverse malware.
Each one of these fields is a separate, valuable skill, and having both is an excellent addition to your arsenal. But could you be a malware analyst without reverse engineering? Yes, and the same applies to reverse engineering. The more skills you have, the more complicated the challenges you can overcome.
What are some of the basic tools used in malware analysis?
An experienced malware analyst has many tools at their disposal covering the following needs:
- File Format Analyzers
- System and Network Monitoring Tools
- Debuggers and Disassemblers
- Small Gadgets: data converters, decryptors, editors, registry tools, etc.
- Virtualization Tools to create contained environments to run your malware samples
- A good IDE if you need to write code
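The basic dynamic step from the earlier answer (run the sample in a contained environment under system and network monitoring tools) produces a stream of events; the analyst's job is to turn that stream into an answer to "what does it do?". The block below is an added example for this page, not a tool from the interview: it reads monitor events in a hypothetical JSON-lines schema (the ts/pid/op/target field names are assumptions, not any real tool's format), groups them per process, and reports the behaviours a defender cares about: autorun persistence, a dropped executable that is then started, and network traffic from that dropped file. The events are constructed to look like a sandbox run and do not come from real malware.

```python
"""Summarise basic dynamic-analysis monitor events into a behaviour report.

Added example for this page (not the interview's code). The JSON-lines event schema
is hypothetical and the events below are constructed, not a recording of a real sample.
"""
import json

# Constructed sandbox-style events. pid 800 stands for an unmonitored parent (e.g. the shell).
SAMPLE_EVENTS = r'''
{"ts": 1, "pid": 1200, "ppid": 800,  "op": "process_start", "image": "C:\\Users\\lab\\sample.exe"}
{"ts": 2, "pid": 1200, "op": "file_write",   "target": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe"}
{"ts": 3, "pid": 1200, "op": "registry_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe"}
{"ts": 4, "pid": 1300, "ppid": 1200, "op": "process_start", "image": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe"}
{"ts": 5, "pid": 1300, "op": "net_connect",  "target": "203.0.113.10:443"}
{"ts": 6, "pid": 1300, "op": "file_write",   "target": "C:\\Users\\lab\\Documents\\notes.txt"}
'''


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def new_proc() -> dict:
    return {"image": None, "ppid": None, "files_written": [],
            "registry_set": [], "connections": [], "children": []}


def summarise(events: list) -> dict:
    """Group events per process (keyed by pid); process_start links child to parent."""
    procs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = procs.setdefault(ev["pid"], new_proc())
        op = ev["op"]
        if op == "process_start":
            p["image"], p["ppid"] = ev["image"], ev["ppid"]
            # the parent may never have produced an event of its own, so create it on demand
            procs.setdefault(ev["ppid"], new_proc())["children"].append(ev["pid"])
        elif op == "file_write":
            p["files_written"].append(ev["target"])
        elif op == "registry_set":
            p["registry_set"].append((ev["target"], ev.get("value")))
        elif op == "net_connect":
            p["connections"].append(ev["target"])
    return procs


def indicators(procs: dict) -> list:
    """Behaviours worth reporting: autorun persistence, drop-and-execute, network from the drop."""
    flags = []
    # executables written to disk during the run, mapped to the pid that wrote them
    dropped = {path.lower(): pid for pid, p in procs.items()
               for path in p["files_written"] if path.lower().endswith(".exe")}
    for pid, p in procs.items():
        for key, value in p["registry_set"]:
            if "\\currentversion\\run" in key.lower():
                flags.append(f"persistence: pid {pid} set autorun {key} = {value}")
        image = (p["image"] or "").lower()
        if image in dropped:
            flags.append(f"dropped-and-executed: pid {dropped[image]} wrote {p['image']}, started as pid {pid}")
            for dst in p["connections"]:
                flags.append(f"network from dropped binary: pid {pid} -> {dst}")
    return flags


def behaviour_report(text: str) -> dict:
    procs = summarise(parse_events(text))
    return {"processes": procs, "indicators": indicators(procs)}


if __name__ == "__main__":
    report = behaviour_report(SAMPLE_EVENTS)
    for pid, p in report["processes"].items():
        print(pid, p["image"], "children:", p["children"], "connections:", p["connections"])
    for f in report["indicators"]:
        print("!", f)
```

Each indicator maps directly onto the three core questions: the process tree and file writes say how it works, the autorun key and the dropped path are detection material, and the dropped binary plus its network endpoint are what has to be removed and blocked.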
Why is malware analysis important for businesses?
Hundreds and maybe thousands of breaches occur on a daily basis and most of them involve the threat actor planting some malicious software to gain a foothold in those compromised environments. If you read the different threat reports that are published annually by security vendors, you will notice that this ongoing cat-and-mouse battle hasn’t stopped, and it never will! There are always new techniques being used by threat actors and it is very important for business owners to not only be aware, but ready!
Now, how can they be prepared for tomorrow’s malicious software? By investing in their cybersecurity teams and helping employees understand and implement malware analysis. It is better to wake up on a call where a system has been compromised and we have a team capable of acquiring and analyzing the sample collected, than to send the sample to a third-party company to analyze the sample for you. Therefore, the options you have are simple:
- Send the sample to a company that does malware analysis and pay them thousands or maybe hundreds of thousands to do the job for you.
- Or invest in an internal staff that says, “Let us dare.” Let’s do it ourselves and only send it to a company if we fail or don’t have the proper skills for this sophisticated sample.