Introduction
Malware analysis is a complex, ever-evolving skill, with tools continually being created and updated to analyze modern malware. On the other side, malware authors are creating complex samples that cannot be fully analyzed without a combination of tools and techniques.
Normally when analyzing malware, the analyst will have limited time to learn what the malware is doing (and how to deter it). For example, is the malware using a static web domain? Block that domain. There are a number of questions that analysts need to answer as quickly as possible; these are:
- What classification is the malware?
- Is the malware making any connections?
- Is the malware changing the system in any way?
- What functions is the malware using?
In this lab, you will be shown the different tools and techniques used by modern-day malware analysts to quickly but effectively understand what malware is doing.
When discussing malware analysis, there are two types of techniques: static and dynamic analysis. This lab focuses on static analysis.
Static analysis
Static analysis is analyzing a piece of malware without ever executing it. This means that the malware never gets loaded into memory, and its instructions are never run. An analyst can look through the instructions stored in the .text section to see what the program would do if it were loaded into memory. Static analysis is harder because nothing is in memory, such as the stack; you cannot inspect values at given points in execution, which makes this type of analysis slow and quite difficult.
However, there are many tools that can be used to make this process easier. The analyst does not need to read machine code to understand what is going on – there are tools (such as disassemblers and executable viewers) that aid this process.
Disassemblers
Disassemblers are a static analyst’s dream: they take machine code and convert it into corresponding assembly code. The analyst then has to read the assembly language to understand what the program is doing. There are a variety of disassemblers on the market, but to get the best tools, you’ll have to pay. Luckily, there are free demo versions of the paid-for tools.
- IDA Pro (free version: IDA Free)
- Binary Ninja (demo version)
- Radare2
- objdump
- Xori
Executable viewer
When analyzing a piece of malware, it can be worth looking at data that is not just instructions to be run. Sometimes malware holds valuable information in other sections, such as the .data section, where initialized global variables are stored. Other tools can be used to get data about a file, which will change the way you analyze it. Is the file a PE file or an ELF file? Knowing this changes the way you will analyze the file. These tools are all available as open-source or free tools.
- file
- strings
- readelf
- PEStudio
The tools listed in this lab are by no means an extensive list. There are other tools that some analysts prefer; however, those listed are the most commonly used.
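The file-type check and the strings-based triage described above, as an added example that is not part of the original lab: it identifies PE versus ELF from the magic bytes, walks the PE section table to pull out .text and .data, and scans for hard-coded URLs of the kind a network team would block. The sample PE is constructed inline (it is not real malware) and the URL in it is a placeholder.

```python
import re
import struct

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def identify_format(blob):
    """Return 'ELF', 'PE' or 'unknown' based on the file's magic bytes."""
    if blob[:4] == b"\x7fELF":
        return "ELF"
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]   # e_lfanew
        if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return "unknown"


def pe_sections(blob):
    """Map section name -> raw bytes by walking the PE section table."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size            # first IMAGE_SECTION_HEADER
    sections = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, table + 40 * i)
        sections[name.rstrip(b"\x00").decode("ascii", "replace")] = blob[raw_ptr:raw_ptr + raw_size]
    return sections


def find_strings(chunk, min_len=6):
    """Printable-ASCII runs, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, chunk)]


def network_indicators(chunk):
    """URLs embedded in the bytes; candidates for blocking at the perimeter."""
    return sorted({m.group() for s in find_strings(chunk) for m in URL_RE.finditer(s)})


def build_sample_pe():
    """Constructed minimal PE: 64-byte .text of `ret` opcodes, .data holding a placeholder URL."""
    text_raw, data_raw = 0x100, 0x140
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def sect(name, vaddr, raw_ptr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, flags)

    headers = dos + coff + sect(b".text", 0x1000, text_raw, 64, 0x60000020) \
        + sect(b".data", 0x2000, data_raw, 64, 0xC0000040)
    return headers.ljust(text_raw, b"\x00") + b"\xc3" * 64 \
        + b"http://updates.example.invalid/get\x00".ljust(64, b"\x00")
```

Run `network_indicators(open(path, "rb").read())` on a real sample only inside the isolated analysis environment the Considerations section describes.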
Considerations
When analyzing malware, always be sure that you are in an environment to analyze it properly. Make sure that you understand how connections will affect the system that you are on, or there may be issues (and you could start another malware epidemic without meaning to!).
Think: should I send the malware through a VPN or have INetSim running?
Whenever you’re analyzing malware, have a goal in mind. Do you want to spend a while analyzing it or quickly update your network team on what to do to defend against it? These decisions are important and definitely affect the way you analyze malware.
Dynamic Analysis Intro
Malware analysis is a complex, ever-evolving skill, with tools continually being created and updated to analyze modern malware. On the other side, malware authors are creating complex samples that cannot be fully analyzed without a combination of tools and techniques.
Normally when analyzing malware, the analyst will have limited time to learn what the malware is doing (and how to deter it). For example, is the malware using a static web domain? Block that domain. There are a number of questions that analysts need to answer as quickly as possible; these are:
- What classification is the malware?
- Is the malware making any connections?
- Is the malware changing the system in any way?
- What functions is the malware using?
In this lab, you’ll be shown the different tools and techniques used by modern-day malware analysts to quickly but effectively understand what malware is doing.
When discussing malware analysis, there are two types of techniques: static and dynamic analysis. This lab covers dynamic analysis.
Dynamic analysis
Dynamic analysis is interacting with malware in a way that executes it. Once the malware is executed and running, there is an active effort to understand what it is doing to the system it is running on. This can be done in a number of ways. Firstly, the malware analyst can execute the malware and then take a snapshot of the system for further investigation, comparing it against the clean state to see what has changed. Have any files changed? Have any connections been made?
The analyst can also use a debugger to execute a program step by step; this is definitely a form of dynamic analysis because in order for the debugger to attach itself to the process, there needs to be a process running.
Running malware can be scary, especially when the result is unknown. Because of this, the analyst needs to think about the system that they are running the malware on. There are a few guidelines that are important to think about when executing malware:
- Do not connect the system to the internet
- Do not run on a host machine that has important information stored
- Give the malware the lowest possible privileges and work your way up
If the malware needs internet access to fully unpack itself, there are a few tools that can be used to simulate network connections. These tools will reply to any request with the acknowledgement that the protocol specifies. For example, they will respond to a TCP SYN packet with a SYN-ACK packet.
Debuggers
There are multiple debuggers used in the industry – some paid, others free. The ones discussed here are specifically open source and have a huge community supporting them.
- OllyDbg
- x64dbg
- WinDbg
- Immunity Debugger
Analysis environments
There are tools that will execute the malware, and then record any changes to the system that the malware makes, including any connections created and any odd behavior that is relevant to the analyst. These are a couple of malware analysis environments to note, both of which are open source:
- Cuckoo
- VxStream
Network simulation tools
As previously stated, there are multiple tools that can be used to fake different network protocols. These will respond in a way specified by the configuration file. These tools are also free to use.
- INetSim
- FakeDNS
Operating system
There are many operating systems around, but a few are worth noting for their benefit to malware analysis. Windows is one, as many malware samples are created specifically for it. The OS needs to either be emulated or fully used to understand what changes the malware makes to the system.
- Ubuntu
- REMnux (Reverse Engineering Malware Linux)
- Windows
Considerations
When analyzing malware, always be sure that you are in an environment to analyze it properly. Make sure that you understand how connections will affect the system that you are on, or there may be issues (and you could start another malware epidemic without meaning to!).
Think: should I send the malware through a VPN or have INetSim running?
Whenever you are analyzing malware, have a goal in mind. Do you want to spend a while analyzing it or quickly update your network team on what to do to defend against it? These decisions are important and definitely affect the way you analyze malware.