Malware, or malicious software, is often used by cybercriminals to cause significant damage at the victim’s end. The term ‘cybercriminals’ includes individual attackers, hacktivists, groups of hackers and even nation-states. The damage caused can include disrupting the normal operations of a computer or a computer network, stealing information stored on the systems, bypassing access controls, or harming the victim in any other possible way. The victims may be individuals, businesses, organizations, and even governments and their bodies. Malware includes viruses, trojans, ransomware, keyloggers, rootkits, etc.
As reported by Barkly, more than 200,000 malware samples are captured every day. Considering the seriousness of this situation and how adversely a malware attack can affect a business and its operations, the business concerned must put appropriate security measures in place. Having an incident response plan is one such measure, which helps a business minimize the damage when it is under attack. Moreover, it lays down a proper procedure so that recovery time, as well as costs, are reduced.
During an incident response, malware analysis plays a vital role in helping the security team understand the extent of the incident and identify the hosts or systems that have been affected or could be affected. With the information gathered during malware analysis, an organization can effectively mitigate the vulnerabilities and prevent any additional compromise.
Why is a Malware Analysis Performed?
Malware analysis can be performed with a variety of goals in mind. The goals also depend on the requirements of the organization and the impact of the security incident. Some of the general goals include –
- Assessing the damages from an intrusion or a security incident,
- Discovering points or indicators of compromise and locating the affected machines,
- Determining the level of sophistication of the malware involved,
- Identifying the vulnerability exploited by the malware and preparing to patch it accordingly,
- Identifying the source of the attack, and
- Learning from the present incident and taking appropriate measures to ensure that the same cause is not the reason behind any security incident in the future.
Questions Involved in a Malware Analysis
When a malware attack is analysed, certain questions must be answered by the time the analysis is concluded. These questions can be –
- What are the changes made by the malware?
- Is the attacker identifiable? If yes, what is their purpose?
- Has any data been stolen?
- Has this malware spread to other machines as well?
- What should be done to prevent the infection from spreading to other machines?
- Is this malware based on any previously known malware? If yes, then which?
- Does this malware keep on running even after the machine is rebooted?
- What are the various host-based and network-based indicators that reveal the presence of the malware?
- Which language was used to write the code for this malware?
- What are the precautionary steps that must be taken to prevent this incident from happening in the future?
Creating a Safe Environment for Malware Analysis
From the start, malware is created with the malicious intent of causing damage or loss to the victim. So it is definitely not sensible for an analyst to perform malware analysis on a system that he or she uses for work or personal tasks. To solve this problem, a dedicated lab can be created with a number of computers on their own physically partitioned networks. These computers should run a standard operating system that can be easily restored from a system image after it has been infected by malware and an analysis has been carried out. Various tools such as Ghost, UDPcast, Truman, etc. can be used in performing malware analysis.
Moreover, an analyst can also create a simulated lab environment using virtual machines (VMs). Various software packages available on the Internet can be used to create VMs. One of the most prominent is VMware, which can build a snapshot tree by capturing the system state at various points in time. With these snapshots, the analyst can easily revert the system to a previous state. Using a simulated lab environment has its own disadvantages, such as –
- The malware can detect that it is running on a VM and then try to modify its behaviour.
- Because of the infection, the virtual machine might share information with the host machine in an unexpected way.
- A zero-day malware might escape the VM sandbox by exploiting a listening service on the operating system of your host machine.
Types of Malware Analysis
Malware analysis is classified into two types – static and dynamic. Static techniques involve analysis of the code, while dynamic techniques analyse the behaviour of the malware. The behavioural analysis includes questions such as –
- How does the malware get installed?
- What happens on its execution?
- How does it run?
- Does it try to connect to the Internet?
Both types accomplish the same goal of explaining how the malware works, but they differ in the time required to carry out the analysis, the tools to be used, and the skill set of the personnel deployed. It is always recommended to carry out both types of analysis to get a clear view of the malware’s working and its impact on business processes.
In addition, malware analysis can also incorporate reverse engineering techniques to analyse the source code of the malware. With the source code, the results of the behavioural analysis can be verified and appropriate steps can be taken to improve the defences of the organization.
It can be safely stated that 2017 was the year of ransomware. Ransomware, along with other types of malware, is a prominent threat to any business. When a security incident occurs and malware is the reason behind it, malware analysis plays an integral role in incident response, as one needs to know what has happened in order to take the required steps for recovery.
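To make the static side of this concrete, here is an added example (written for this post, not code from the original article or from any tool it names) of a minimal static triage pass: it hashes a sample, extracts printable strings the way the `strings` utility does, and sorts them into the network-based and host-based indicator buckets asked about in the questions list above (URLs and IP addresses versus a registry Run-key path, which hints at persistence across reboots, and process-injection API names). The input `SAMPLE_BYTES` is a constructed stand-in with an "MZ" header and a few planted strings, not real malware; the indicator heuristics are deliberately simple and are an assumption of this example, not a standard.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a file under triage. It is NOT malware: just bytes
# with a PE-style "MZ" header and a few embedded strings of the kind an analyst
# looks for (a URL, an IPv4 address, a Run-key path, an injection-related API).
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 32
    + b"http://c2.example.invalid/beacon.php\x00"
    + b"\x01\x02" + b"198.51.100.23\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xff\xfe" + b"CreateRemoteThread\x00"
    + b"ab\x00"  # shorter than MIN_STRING_LEN, so it is dropped
)

MIN_STRING_LEN = 5

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Windows APIs commonly involved in process injection. Their presence is a hint
# to look closer, not proof of malice: legitimate software uses them as well.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory",
                  "VirtualAllocEx", "NtQueueApcThread"}
# Registry autostart location: a string like this suggests reboot persistence.
RUN_KEY_MARKER = "CurrentVersion\\Run"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hashes to share with other teams or look up in threat-intel sources."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Return runs of printable ASCII of at least min_len characters."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def _valid_ipv4(candidate: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def static_triage(data: bytes) -> Dict[str, object]:
    """Hash the sample and sort its strings into indicator buckets."""
    strings = extract_strings(data)
    urls, ips, persistence, apis = [], [], [], []
    for s in strings:
        urls.extend(_URL_RE.findall(s))
        ips.extend(ip for ip in _IPV4_RE.findall(s) if _valid_ipv4(ip))
        if RUN_KEY_MARKER in s:
            persistence.append(s)
        if s in INJECTION_APIS:
            apis.append(s)
    return {
        "is_pe": data[:2] == b"MZ",  # DOS header magic at offset 0
        "hashes": file_hashes(data),
        "string_count": len(strings),
        "network_indicators": {"urls": urls, "ips": ips},
        "host_indicators": {"persistence": persistence, "injection_apis": apis},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(static_triage(SAMPLE_BYTES), indent=2))
```

Run on a real sample by reading the file in binary mode and passing the bytes to `static_triage`. The output is a starting point, not a verdict: packed or encrypted samples yield few useful strings, which is exactly why the dynamic and reverse-engineering passes described above are still needed.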
(This is our first post in the Malware Analysis Series. The upcoming posts will talk about various techniques used in the static and dynamic analysis along with the importance of malware analysis in endpoint devices.)