Tuesday, September 7, 2010

Malware Analysis - (Continued)

Hi Guys,

Welcome back, and I shall continue to provide some more insight about malware and its analysis.

Generally, people do not differentiate between the different kinds/types of malware: everything is simply termed a "virus", whether or not it really is one.


Here are some common types of malware:


1. Virus: A computer virus is a program that recursively replicates and explicitly copies a version of itself.


2. Worms: Worms are basically network viruses. Generally a worm executes itself automatically, without any outside help from the user.


3. Trojan Horses: Trojan horses are one of the simplest kinds of malicious program. They appeal to the user with some interesting functionality and entice the user to run the program. Most people fall for this.


4. Password Stealers: These are another kind of trojan, used to capture a password (e.g. a credit card password, a mail account password, etc.) and send it to the bad guy, who may use it against you.

5. Downloaders: A downloader is yet another malicious program that installs a set of files on a compromised machine. It arrives as an e-mail attachment and, upon execution, downloads malicious content from a site and then runs the malicious program.


There are also a few more categories, like backdoors, droppers, exploits, key loggers, etc. Having said that, and now that you know some of the common threats we face in the cyber world, we shall delve into the process of malware analysis.


Malware analysis involves a number of steps and, broadly, can be done via static analysis, dynamic analysis, or a combination of both.


Some of the steps involved in Static Analysis are given below:


a) Take a quick look at the suspected file and its properties: whether it is a known system file, its icon, whether it is an executable, etc.
b) The next step is to scan it with an anti-virus and see whether the AV finds something malicious, i.e. whether it is a known threat or a new variant that requires more analysis.
c) The third step is to examine the file for viral code in the usual locations. This can be done with a binary (hex) viewer such as Hiew, which also lets you quickly identify the type of file. For example, if it is a PE file, you will see the letters MZ at the beginning of the file, followed by the PE signature and the section names.

  
Note: in hex, MZ is 4D 5A. Maybe now the URL of the blog (http://if4d5athenpe.blogspot.com) makes some sense :)


d) The fourth step is to look for strings in the file being analyzed, with tools like Plucker, VBStrings, etc., and see whether you can get some information out of them.


There are many more methods of analyzing a malicious file, such as disassembling and debugging, and checking whether the file is packed, as most computer viruses are packed with either UPX or ASPACK.
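To make steps c) and d) concrete, here is a small added Python example (written for this page, not a tool from the post or from the blog's author) that does by hand what a hex viewer and a strings tool show you: it checks for the MZ bytes (4D 5A), follows the DOS header to the PE signature, lists the section names, flags UPX-style section names as a packing hint, and pulls out printable strings. The helper names (parse_pe, extract_strings, looks_packed, build_sample) are my own, and the input is a constructed PE-shaped byte string, not a real executable.

```python
import re
import struct
from typing import Dict, List

# Hypothetical helper names (parse_pe, extract_strings, looks_packed, build_sample)
# chosen for this example; they are not tools from the post.

PE_SIGNATURE = b"PE\x00\x00"
SECTION_HEADER_SIZE = 40   # each IMAGE_SECTION_HEADER is 40 bytes
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER follows the 4-byte signature


def parse_pe(data: bytes) -> Dict[str, object]:
    """Check for the MZ stub and PE signature and collect the section names."""
    info: Dict[str, object] = {"is_mz": False, "is_pe": False, "sections": []}
    # 'MZ' is 4D 5A in hex, the DOS stub signature every PE file starts with
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    # Offset 0x3C of the DOS header (e_lfanew) points at the PE signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return info
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return info
    info["is_pe"] = True
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    names: List[str] = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: stop instead of crashing
        raw = data[off:off + 8].split(b"\x00", 1)[0]
        names.append(raw.decode("ascii", "replace"))
    info["sections"] = names
    return info


def looks_packed(sections: List[str]) -> bool:
    """Heuristic only: UPX-packed files usually carry UPX0/UPX1 sections."""
    return any(name.upper().startswith("UPX") for name in sections)


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Pull out runs of printable ASCII, like the strings tools mentioned above."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample() -> bytes:
    """Constructed PE-shaped blob for the demo; it is not a real executable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE header at 0x80
    # Machine=i386, 2 sections, no optional header, executable + 32-bit flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b"UPX0", b"UPX1"))
    # Constructed strings of the kind an analyst hopes to spot: a download URL and a run key
    payload = (b"\x00http://example.invalid/update.exe\x00"
               b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return bytes(dos) + PE_SIGNATURE + coff + sections + payload


if __name__ == "__main__":
    blob = build_sample()
    facts = parse_pe(blob)
    print("MZ header:", facts["is_mz"], "PE signature:", facts["is_pe"])
    print("sections:", facts["sections"], "packed?", looks_packed(facts["sections"]))
    for s in extract_strings(blob):
        print("string:", s)
```

Run it on a real file by replacing build_sample() with the file's bytes; the UPX check is only a hint, since packers can be renamed and section names can be anything the author wants.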

Dynamic Analysis involves the following steps:

a) Running the suspicious file in a safe environment, such as VMware or a dedicated test system, and then monitoring file changes. Generally viruses, worms, etc. change a lot of files stored on the system.
b) Monitoring the registry changes and keeping track of what values and keys were created during the execution of the file.
c) Monitoring the processes and threads that have been started. Another thing to watch out for is whether the suspicious process injects itself into, or hooks, some other running process.
d) We can also monitor the list of network ports that are open on the system. Generally backdoors open a single port or a set of ports for the attacker to gain entry to your system remotely.
e) Another way is to trace system calls while the application is running. This is quite difficult to use, but it is done when the threat is really complicated.
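Step a), monitoring file changes, is easiest to understand as a before/after comparison: hash every file on the test system before running the sample, run it, hash again, and report what was created, deleted or modified. The Python below is an added example written for this page (not a tool from the post); the helper names (snapshot, diff_snapshots, demo) are my own, and the "infected" changes are simulated in a temporary directory so it runs safely anywhere.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Hypothetical helper names (snapshot, diff_snapshots, demo) chosen for this example.


def _write(root: str, rel: str, content: bytes) -> None:
    """Create or overwrite a file under root (used only to build the demo tree)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = digest
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files created, deleted, or whose content hash changed between snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a 'clean' tree, simulate a sample's effects, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/notepad.exe", b"clean notepad bytes")
        _write(root, "readme.txt", b"hello")
        before = snapshot(root)
        # Simulated effects (constructed): a dropped file, an infected host file, a deletion
        _write(root, "system32/dropped.exe", b"dropped payload")
        _write(root, "system32/notepad.exe", b"clean notepad bytes" + b"appended viral code")
        os.remove(os.path.join(root, "readme.txt"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real test system you would call snapshot() on the directories you care about (system and user profile directories) before and after running the sample; hashing rather than relying on timestamps matters because malware can reset a file's modification time after infecting it.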

I hope I have covered some more of what malware analysis is about.
Please let me know if you liked the information given; as always, I am open to constructive criticism.

Regards,
Anand

Malware Analysis - What is it?

Hi All,

First of all I thank you for visiting my blog and a warm welcome to you guys.

From the day I told my friends, cousins and relatives that I am a Virus Research Analyst, a couple of things have come to them spontaneously:
1. Woww!! the title really looks cool and
2. "So what do you do - write viruses?"

People not working in the AV (anti-virus) industry generally do not know much about this field. Many of my friends and cousins work in the IT industry. Even they ask me which category I belong to (read: development or testing/QA), and my answer is "NO - I don't belong to either of these".

This is one of the main reasons behind this blog - to let you know what exactly we mean by Virus Research or, as it is more commonly known, Malware Research or Malware Analysis.

The main question - what is malware?
Answer: Malware means Malicious Software - a software program which sneaks onto your computer and does damage without your knowledge.
 
We have all come across a situation where you see the same files being copied to different locations on your system, or the system becomes too slow, or a pop-up comes up every 10 minutes asking you to click on some link, etc. These are all nothing but different types of malware, which come in varied forms and sizes.

So what is Virus Analysis (Malware Analysis)?

Virus Research or Virus Analysis is the art or science of analyzing malicious programs (code) so as to provide appropriate prevention, as there are a lot of computer viruses in the wild.
Virus Research is also about knowing about vulnerabilities and the malicious code that exploits them.

This is such an exciting and vast field that virus researchers and virus writers are always engaged in some sort of battle to prove that they are the best, and you need to constantly keep updating yourself, as new classes/variants of viruses keep appearing and existing viruses are modified into different forms.

As a start, I have provided some very basic information about what virus analysis is all about (for those of you who didn't know).
I will try to write something more technical in my next blog post.

Your comments are always appreciated, so that I can improve.

Regards,
Anand