Tuesday, September 7, 2010

Malware Analysis - (Continued)

Hi Guys,

Welcome back. I shall continue to provide some more insight about malware and its analysis.

Generally it has been seen that people do not differentiate between the different kinds/types of malware. Everything is simply termed a "virus", whether or not it really is one.


Here are some common types of malware:


1. Virus: A computer virus is a program that recursively replicates and explicitly copies a version of itself.


2. Worms: Worms are basically network viruses. Generally a worm executes itself automatically, without any outside help from the user.


3. Trojan Horses: This is one of the simplest kinds of malicious program. These programs try to appeal to the user with some interesting functionality and entice the user to run the program. Most people fall for this.


4. Password Stealers: These are another kind of trojan, used to capture a password and send it to the bad guy, who may use it against you, e.g. a credit card password, a mail account password, etc.

5. Downloaders: This is yet another malicious program that installs a set of files on a compromised machine. It comes in mails as an attachment and, upon execution, downloads malicious content from a site and then runs the malicious program.


There are also a few more categories, like backdoors, droppers, exploits, key loggers, etc. Having said that, and now that you know some of the common threats we face in the cyber world, we shall delve into the process of malware analysis.


Malware analysis involves a number of steps and, broadly, can be done via Static Analysis, via Dynamic Analysis, or by a combination of both.


Some of the steps involved in Static Analysis are given below:


a) Take a quick look at the suspected file and its properties: whether it is a known system file, what icon it carries, whether it is an executable, etc.
b) The next step is to filter it through an Anti-Virus and see if the AV finds something malicious, in the sense of whether it is a known threat or a new variant that requires more analysis.
c) The third step is to examine the file for viral code in the usual locations. This can be done with a binary (hex) viewer such as hiew, which also lets you quickly identify the type of file. For example, if it is a PE file, I will see the letters MZ at the beginning of the file, followed by the PE signature and the section names.

Note: In hex, MZ is 4D 5A....... maybe now it makes some sense to see the URL of the blog (http://if4d5athenpe.blogspot.com) :)


d) The fourth step is to look for strings in the file being analyzed, with tools like Plucker, VBStrings, etc., and see if you can get some information out of it.


There are many more methods/steps for analyzing a malicious file, like disassembling and debugging, and checking whether the file is packed, as most computer viruses are packed with either UPX or ASPACK.
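Steps (c) and (d) above, and the packer check, as an added Python example (my own code, not from the original post): it checks the MZ (4D 5A) and PE signatures, lists the section names (where a packer such as UPX usually leaves a telltale name), and pulls printable strings out of a constructed sample buffer. The sample bytes and the URL in them are made up for the demo.

```python
import re
import struct

def pe_section_names(data: bytes):
    """Step (c): return the section names if `data` looks like a PE file, else None."""
    # A PE file starts with the DOS header signature "MZ" (hex 4D 5A).
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # COFF file header follows the signature: NumberOfSections is at +6,
    # SizeOfOptionalHeader at +20; the section table starts right after the
    # optional header (signature 4 + COFF header 20 = 24 bytes, plus opt_size).
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i:table + 40 * i + 40]  # each section header is 40 bytes
        if len(entry) < 40:
            break  # truncated or lying header: stop instead of raising
        # Name is the first 8 bytes, NUL padded. Packers often leave telltale
        # names here, e.g. UPX0/UPX1 for UPX-packed files.
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def printable_strings(data: bytes, min_len: int = 5):
    """Step (d): runs of printable ASCII of at least min_len, like a strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def build_sample() -> bytes:
    """Constructed sample: a minimal PE-shaped buffer, not a real executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 for brevity), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    section = lambda name: name.ljust(8, b"\0") + b"\0" * 32
    body = b"\0http://example.invalid/dl\0"        # the kind of string step (d) looks for
    return bytes(dos) + b"PE\0\0" + coff + section(b".text") + section(b"UPX1") + body

if __name__ == "__main__":
    sample = build_sample()
    print("sections:", pe_section_names(sample))   # ['.text', 'UPX1']
    print("strings:", printable_strings(sample))   # ['.text', 'http://example.invalid/dl']
```

To run it on a real sample, read the file in binary mode and pass the bytes to both functions; a `None` from `pe_section_names` means the MZ/PE checks failed, which is the first thing step (c) would tell you.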

The different steps involved in Dynamic Analysis are the following:

a) Run the suspicious file in a safe environment, such as VMware or a dedicated test system, and then monitor file changes. Generally viruses/worms etc. change a lot of the files stored on the system.
b) Monitor the registry changes and keep track of which keys and values were created during the execution of the file.
c) Monitor the different processes and threads that have been started. Another thing to watch out for is whether the suspicious process injects into, or hooks, some other running process.
d) Also check and monitor the list of network ports that are open on the system. Generally backdoors open a single port or a set of ports for the attacker to gain entry to your system remotely.
e) Another way is to trace system calls while the application is running. This is quite difficult to use, but it is done when the threat is really complicated.

I hope I have covered some more of what malware analysis is about.
Please let me know if you liked the information given; as always, I am open to constructive criticism.

Regards,
Anand
