You are sitting at your computer, casually browsing the Internet, and you accidentally click something. The next thing you know, your computer is infected by a malware program. Most people tend to continue working since there may be no visual indication of a problem other than a few popups, or the computer may start to run more slowly. However, in the background there is a lot more happening. An uninvited program is now sitting on the hard drive and its sole purpose is to steal your sensitive or personal information like stored passwords, credit card information, social security number, etc. This is what is generally known as malware and it is evil. The first line of defense against cyber invasions of malware is common sense. Don’t click on anything that is unfamiliar. Don’t install anything from an untrusted source and don’t install any software they comes in a bundle, which will likely install other “crapware” on your machine. In this instance, the damage has already been done and the computer is infected. Now what? No single antivirus software package can detect all the malware that exists. One defense concept called “defense in depth” advocates installing multiple antivirus programs on your system in order to increase the detection spectrum for malware. Most of the time, this approach does not work. Also, malware is very good at hiding from detection by compressing itself or by being encrypted. Most of the time, malware decompresses or decrypts directly in memory rather than on the hard disk, which makes it more difficult to be detected by conventional malware detection solutions.
I have also observed that most organizations with infected computers are not exactly sure how the computers got infected. If the incident response team does not have a plan of action in place, it tends to resort to trial and error and may even develop the incident response plan (IRP) while the incident is happening. In my opinion, this not a good practice.
So, how do we detect malware and how do we identify what the malware is stealing and what is happening that we cannot see? We must come up with new ways to analyze these destructive programs and their intent. The two main approaches that are currently being used are static analysis and dynamic analysis.
In static analysis, the examination of malware is performed not by executing the malware program, but by dissecting it using various tools like decompilers, analyzing the source code, etc. In dynamic analysis, the malware program is actually executed and the behavior is studied using various tools like PE Explorer, Wireshark, Sysinternals tools, etc. Because the malware code is executed in dynamic analysis, there is a lot at risk. To minimize the risk, it is highly recommended that a lab and virtual environment be created and be completely isolated from the production environment.
Now that we have established two basic approaches for analyzing malware, here are some common steps for purging infected computers:
- Configure the environment for analysis (physical or virtual).
- Obtain and put the malware in the analysis environment.
- Execute the monitoring tools (static or dynamic).
- Log the results.
- Clean or disinfect the environment.
In order to configure the environment for analysis, I highly recommend using a virtual machine (VM). Any of the VM technologies listed below can be used. The advantage of using virtual environment is that you can always revert back to the original state of the machine after you complete the analysis.
- Oracle virtual box
- Microsoft Virtual PC.
Obtaining malware can be easy but tricky. You can actually get the malware during the incident response or you can set up “honey pots” to obtain it. Once the malware is obtained, the next step is to analyze it.
First, you must identify the changes that are being caused by the malware. To make this determination, install the behavior analysis tools. These tools determine any change in the state of different process as well as changes made to the file system, registry, and memory of the infected system. To determine the changes, it is important to have observed and recorded the state of the system as it existed before the infection. Here are some important behavior analysis tools that can be helpful:
- Microsoft Sysinternal Process Explorer
- Process Hacker
- Regshot (for a registry snapshot)
- Wireshark (to determine the network traffic generated by the malware).
Once a general understanding of the malware’s behavior has been established, the next step is dig a little deeper. At this stage, the decompilers and disassemblers come in very handy. They will allow you to look into the source code and provide an understanding of why and how the malware was coded. Some of the most common disassemblers and decompilers that can be used include:
- IDA Pro
Malware analysis can be tedious when done manually. However, there are Web sites that help automate this process and provide detailed reports after you submit a Windows binary report. Malware is usually coded in binary format. One you upload the binary code to such a Web site, a complete report is then made available for you to download. Some of the major sites that provide automated assistance are:
There are a few offline automation tools available, the most notable being Minibus, which was inspired by online automation tool Anubis.
In this article, we have seen the most common ways to analyze malware. All organizations should have a good IRP in place that lists the step-by-step procedures for responding to a malware incident and how to analyze malware to determine what it is trying to do. The analysis will help the organization understand what the malware is trying to steal and where it may be sending your information. Following this process will help you understand the damage and identify the proper steps to take to avoid any future malware incidents.
Rehan Bashir (CISSP, CAP)