What is Malware Analysis? Defining and Outlining the Process of Malware Analysis
Learn about malware analysis as well as how to use malware analysis to detect malicious files in Data Protection 101, our series on the fundamentals of information security.
Malware analysis is the process of learning how malware functions and any potential repercussions of a given malware. Malware code can differ radically, and it's essential to know that malware can have many functionalities. These may come in the form of viruses, worms, spyware, and Trojan horses. Each type of malware gathers information about the infected device without the knowledge, or authorization of the user.
Use Cases for Malware Analysis
- Computer security incident management: If an organization believes that malware may have entered into its system, a response team will react to the situation. Next, they will want to perform malware analysis on any potentially malicious files that are discovered. This will then determine if it is indeed malware, what type, and the impact that it might have on the respective organizations’ systems.
- Malware research: Academic or industry forum where malware researchers perform malware analysis. This creates the best understanding of how malware works and the newest methods used in its creation.
- Indicator of compromise (IOC) extraction: Sellers of software solutions and products may conduct bulk malware analysis in order to determine potential new indicators of compromise which will in turn help the organizations to defend themselves against malware attacks.
Four Stages of Malware Analysis
Investigating malware is a process that requires taking a few steps. These four stages form a pyramid that grows in intricacy. The closer you get to the top of the pyramid, the stages increase in complexity and the skills needed to implement them are less common. Here, we start from the bottom, and show you what goes into finding malware, every step of the way.
- Fully-automated analysis: One of the simplest ways to assess a suspicious program is to scan it with fully-automated tools. Fully-automated tools are able to quickly assess what a malware is capable of if it infiltrated the system. This analysis is able to produce a detailed report regarding the network traffic, file activity, and registry keys. Even though a fully-automated analysis does not provide as much information as an analyst, it is still the fastest method to sift through large quantities of malware.
- Static properties analysis: In order to get a more in depth look at malware, it is imperative to look at its static properties. It is easy to access these properties because it does not require running the potential malware, which takes a longer time. The static properties include hashes, embedded strings, embedded resources, and header information. The properties should be able to show elementary indicators of compromise.
- Interactive behavior analysis: To observe a malicious file, it might often times be put in an isolated laboratory to see if it directly infects the laboratory. Analysts will frequently monitor these laboratories to see if the malicious file tries to attach to any hosts. With this information, the analyst will then be able to replicate the situation to see what the malicious file would do once it was connected to the host, giving them an advantage over those who use automated tools.
- Manual code reversing: Reversing the code of the malicious file can decode encrypted data that was stored by the sample, determine the logic of the file’s domain, and see other capabilities of the file that did not show up during the behavioral analysis. In order to manually reverse the code, malware analysis tools such as a debugger and disassembler are needed. The skills needed to complete manual code reversing are very important, but also difficult to find.