Traditionally, malware analysis has been considered very complicated, and in fact some of the techniques and methodologies involved are complicated and well beyond the access or understanding of a normal user. In today's environment, however, there is a clear need for people to learn how to analyze malware themselves. The most important requirement is that the analysis techniques be simplified enough for the average computer user to understand. Unfortunately, information on malware analysis techniques is either too complicated for average users or scattered across many sources, out of their reach. With this tutorial, I will try to fill that gap and make the material simple enough for average users to understand and try hands-on themselves.
Malware has evolved into the most dangerous, damaging and menacing threat of the cyber era. It is no exaggeration to say that if you are connected to the Internet, there is every chance of being affected by it. So it is important that we at least have an overview of this threat. We will look into some basic details of this thing called malware.
What is Malware?
Malware is malicious software, designed specifically to damage your system or disrupt the normal computing environment. A Trojan horse, worm, virus or spyware can all be classified as malware. Some advertising software is also malicious, for example by reinstalling itself after you have removed it. A binary is classified as malware on the basis of certain features.
Types of Malware
Malware includes viruses, worms, Trojan horses, rootkits, spyware, dishonest adware and other malicious, unwanted or rogue software. Malware, then, is anything that contaminates the system and carries out malicious activity. The best-known types of malware are viruses and worms. They are known for the manner in which they spread, rather than for any other particular behavior.
Virus: A computer virus is a program that can copy itself and infect a computer without the permission or knowledge of the user. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on removable media such as a floppy disk, CD or USB drive.
Worm: A computer worm is a self-replicating program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.
Trojan horse: A piece of software that appears to perform one action but in fact performs another, such as acting as a computer virus. Trojan horses are notorious for installing backdoor programs on the system, which the author of those programs can then exploit. Such systems become zombies that the attacker can completely control.
Spyware: Software that is installed surreptitiously on a personal computer to intercept or take partial control of the user's interaction with the computer, without the user's informed consent. The term suggests software that secretly monitors the user's behavior, but spyware also collects various types of personal information and interferes with the user's control of the computer in other ways, such as installing additional software, redirecting web browser activity, silently visiting websites that deliver further malware, or diverting advertising revenue to a third party.
Adware: Software with advertising functions integrated into or bundled with a program. Programmers usually see it as a way to recover development costs. Some adware is also spyware and can be classified as privacy-invasive software. It automatically plays, displays or downloads advertising material to a computer after the software is installed or while the application is being used.
There are many more categories of malware, depending on their characteristics and malicious activities, but a detailed description of those is outside the scope of this article.
Background of Malware Analysis
The threat of malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of malware. Nowadays the threat has grown to include a vast range of highly sophisticated applications: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and many more. The infection vectors have also changed and multiplied: malicious agents now use mechanisms such as email harvesting, browser exploits, operating system vulnerabilities, P2P networks and many other new and technologically advanced techniques of replication.
A relatively large percentage of the software that a normal Internet user encounters online is, or can be, malicious in some form. Most of this malware is detected by antivirus software, spyware removal applications and similar tools. However, this protection is not always enough, and there are times when a small, benign-looking binary sneaks through all these layers of protection and compromises the system and the user's data. The reasons for such a breach can be:
> Users not updating their antivirus signatures regularly
> Users not keeping their systems well patched
> Failure of the antivirus software's heuristics engine
> New or low-profile malware that antivirus vendors have not yet discovered
> Custom-coded malware that antivirus software cannot detect
> Firewall not installed or not properly configured
Malware is continuously evolving, and antivirus vendors find it difficult to keep up with the ever-growing threat list. In some cases, a vendor may choose not to include a signature for a particular piece of malware. That should not stop knowledge seekers from using freeware tools and techniques to analyze the files and develop their own prevention and detection mechanisms. Although antivirus software is continually getting better and more sophisticated, a small but very significant percentage of malware escapes this predefined screening process and manages to enter and compromise both the system and the network. Unfortunately, the percentage of malware escaping this screening is also growing every day.
It is essential for users, and absolutely essential for administrators, to be able to determine whether a binary is harmful by examining it manually, without relying on automated scanning engines. The level of information required from an analysis differs according to the user's needs. A normal user might only want to know whether a binary is malicious, while an administrator might want to know more: the registry values the binary writes, the copies of infected files it creates, the types of files it infects, and the actual payload and what it does. In other words, the administrator may want to completely reverse engineer the binary.
Techniques for Malware Analysis
There are basically two techniques used for analyzing malware:
> Code analysis
> Behavior analysis
In most cases a combination of both techniques is used. We will consider code analysis first.
Code analysis is one of the primary techniques used for examining malware. The best way to understand how a program works is, of course, to study its source code. However, the source code for most malware is not available. Malicious software is usually distributed as binaries, and binary code can still be examined using debuggers and disassemblers. The use of these tools, though, is beyond the ability of all but a small minority, because of the specialized knowledge required. Given sufficient time, any binary, however large or complicated, can be completely reversed using code analysis techniques. We will deal with some aspects of code analysis and the reverse engineering process later.
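Before reaching for a debugger or disassembler, a lot of the code-side picture can be recovered by reading the binary's own headers and string data. The script below is an added example written for this article, not a tool from the original post: it parses the DOS and COFF headers and section table of a Windows PE file with only the Python standard library, flags sections mapped both writable and executable (a common sign of a packer or self-modifying code), and lists printable ASCII and UTF-16 strings. The sample image is constructed inside build_sample_pe() purely so the script runs offline; its section names, timestamp and embedded strings are made up for the demonstration.

```python
"""Static (code-side) triage of a Windows PE binary using only the standard
library.  Added example, not the article's own tooling: it reads the DOS and
COFF headers plus the section table, flags sections that are both writable
and executable, and lists printable strings.  The sample image is constructed
in build_sample_pe(); it is not a real malware sample."""
from __future__ import annotations

import re
import struct

# Machine values and flag bits from the PE/COFF specification.
MACHINE_NAMES = {0x14C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000               # COFF Characteristics flag
IMAGE_SCN_MEM_EXECUTE = 0x20000000    # section Characteristics flags
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Return machine type, timestamp, DLL flag and section list of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + i * 40)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1], "virtual_address": f[2],
            "raw_size": f[3], "raw_offset": f[4],
            "characteristics": f[9],
        })
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": ts,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def writable_executable_sections(pe: dict) -> list[str]:
    """Sections mapped writable AND executable deserve a closer look in the debugger."""
    both = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in pe["sections"] if s["characteristics"] & both == both]


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII and UTF-16LE runs: file names, registry paths, URLs."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in wide_runs]


def triage(data: bytes) -> dict:
    """One-screen summary an analyst would want before opening a disassembler."""
    pe = parse_pe(data)
    return {
        "machine": pe["machine"],
        "is_dll": pe["is_dll"],
        "sections": [s["name"] for s in pe["sections"]],
        "writable_executable": writable_executable_sections(pe),
        "interesting_strings": [s for s in extract_strings(data)
                                if "://" in s or "\\" in s or s.lower().endswith(".dll")],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header -> 'PE' -> COFF header -> zeroed
    optional header -> two section headers -> a blob of string data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew points right after the DOS header
    opt_size = 224                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x47D5A6C0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zero
    body_off = 64 + 4 + 20 + opt_size + 2 * 40
    body = (b"\0kernel32.dll\0CreateFileA\0http://example.invalid/update\0"
            b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(body), body_off,
                       0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20)
    wx = struct.pack("<8sIIIIIIHHI", b".wxdata", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0,
                     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x40)
    return bytes(dos) + b"PE\0\0" + coff + optional + text + wx + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it on a real file by replacing build_sample_pe() with open(path, "rb").read(); the strings list alone usually reveals the DLLs imported, registry keys touched and any hard-coded URLs, which is exactly the information an administrator wants before deciding whether deeper reverse engineering is worth the effort.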
Behavior analysis is concerned with the behavioral aspects of the malicious software. Like a beast kept under observation in a zoo, a binary can be placed in a tightly controlled environment and have its behavior scrutinized. It is mainly done in a virtual OS environment so that the effects of the malware can be contained. The activities and changes it makes to the environment (file system, registry, network, etc.), its communication with the rest of the network, its communication with remote hosts, and so on are closely monitored and information is collected. The collected data is documented and analyzed, and the complete picture is reconstructed from these different pieces of information.
The best thing about behavior analysis is that it is within the reach of an average administrator or even a normal user. Although reverse engineering through behavior analysis does not recover the binary's code, it is sufficient for most users' needs. It is not sufficient for an antivirus researcher, but for most other users and administrators behavior analysis can fulfill all their needs. In this article we will deal mainly with the behavioral analysis of malware and the ways and tools with which it can be done.
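The simplest form of the "observe the beast in the zoo" approach is a before-and-after snapshot of the environment: hash every file in the analysis machine, let the sample run, hash everything again and diff the two. The script below is an added example written for this article, not a tool from the original post. It implements that snapshot and diff for the file system, plus two triage rules of the kind an administrator would apply to the result. Nothing is executed: run_demo() builds a constructed miniature Windows layout in a temporary directory and then simulates the side effects a sample might have (a dropped executable, an edited hosts file, a deleted document) so the script runs offline. In real use the two snapshots are taken inside the isolated virtual machine, and the same idea extends to a registry export and a packet capture.

```python
"""Behavior-side analysis helper: snapshot a directory tree before and after
a suspect program runs, then report what was added, removed or modified.
Added example, not the article's own tool; the 'run' here is simulated in a
temporary directory with constructed files instead of executing anything."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: os.PathLike | str) -> dict[str, str]:
    """Map each regular file (relative, '/'-separated) under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Added/removed by path, modified where the hash changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def flag_changes(diff: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Simple triage rules applied to the raw diff; extend with your own."""
    flags = []
    for p in diff["added"]:
        if p.lower().endswith((".exe", ".dll", ".sys")):
            flags.append((p, "new executable dropped"))
    for p in diff["modified"]:
        if p.lower().endswith("drivers/etc/hosts"):
            flags.append((p, "hosts file changed (possible DNS redirection)"))
    return flags


def run_demo() -> dict[str, list[str]]:
    """Build a constructed mini Windows layout, snapshot it, simulate a sample's
    side effects, snapshot again and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed baseline, not real system files
            "Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost\n",
            "Windows/System32/calc.exe": "MZ placeholder\n",
            "Users/alice/Documents/report.txt": "quarterly numbers\n",
        }
        for rel, text in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        before = snapshot(root)

        # Simulated behaviour of the suspect binary (constructed; nothing runs):
        (root / "Windows/System32/update.exe").write_text("MZ dropped payload\n")
        with (root / "Windows/System32/drivers/etc/hosts").open("a") as f:
            f.write("127.0.0.1 antivirus-update.example\n")
        (root / "Users/alice/Documents/report.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = run_demo()
    for kind, paths in result.items():
        print(kind, paths)
    for path, reason in flag_changes(result):
        print("FLAG", path, reason)
```

Hashing rather than comparing timestamps is deliberate: malware routinely resets a file's modification time to hide an edit, but it cannot keep the content the same and still change it. Take the "before" snapshot from a clean VM image so every diff line is attributable to the sample, and keep the hash lists with your notes, since the hash of a dropped file is the first thing you will want when checking it against antivirus vendors or other machines.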
For more details, download the zipped PDF article from my CastleCops post...
Please feel free to let me know your suggestions and feedback about the article...
.:: Malicious Brains ::.
Article on Malware Analysis:
"THERE ARE NO PATCHES OR SERVICE PACKS FOR HUMAN IGNORANCE"
Edit to disable link...
Edited by Budfred, 10 March 2008 - 10:09 PM.