Before we dive into more difficult topics and techniques, we first need to lay down some foundations and terminology.
We’ll refer to any executable that causes harm to a user, a computer or a network as malware.
If we want to be more specific, instead of just saying that a program or a small piece of code is malware (malicious software), we should first work out what kind of malware it is, since we can classify it by its behaviour.
Different types of malware
Identifying the right malware family and type will greatly speed up the analysis phase, allowing us to anticipate its behaviour or at least know what to expect from it. Here’s a list of the malware types we’ll be dealing with:
- Backdoor: malicious code installed on a host to let attackers access it remotely, bypassing whatever authentication the host normally requires;
- Botnet: a collection of infected (backdoored) computers that the criminal can remotely access and send commands to (typically used for DDoS attacks);
- Dropper: malicious code that downloads additional malicious code onto the host machine;
- Information stealing malware: a category of malware aimed at stealing users’ credentials or other sensitive data from the target machine;
- Launcher: as the name says, malicious code that launches further code or programs, typically to gain higher system privileges or to start them stealthily;
- Rootkit: a toolset that eases the attacker’s work when deciding what kind of attack to perform. This type of malware is usually very difficult for the user to detect;
- Scareware: malware whose main objective is to scare the end user into performing some action, such as buying a product or giving out personal information (related to social engineering attacks);
- Spamware: malware that sends spam to a target machine;
- Worm: malicious code that self-replicates and infects additional computers inside the target’s network.
Malware analyst’s goal
A malware analyst’s goal is to analyse and understand which files may be malicious to our systems and what might happen if one of them is executed in an environment. Analysing malware always broadens your knowledge about its behaviour and whether it is malicious or not, leading to further analysis and signature creation.
By creating a signature specific to that malware, other systems can detect it using your signature, alerting the end user and blocking the threat.
Different analysis techniques
In most cases we’d be given a malware sample, unreadable by humans, that we have to analyse to find out what’s behind it. There are two types of analysis an analyst can perform: static analysis and dynamic analysis.
Static analysis is the easiest and fastest approach an analyst can take, since we just have to scan the sample with an antivirus or an online scanning tool. This approach will tell you whether the sample is malicious, what type of malware it might be and whether any analyst in the world has already created a signature for that sample.
To better understand the behaviour of the sample, we’d need to disassemble it and analyse the assembly code. This is advanced static analysis, and it helps the analyst understand what the sample really does, whether it communicates with a C&C server, and any other interesting information.
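As an added illustration of the signature idea above and of the first, basic static analysis pass (example code written for this page, not the author’s tooling): it hashes a constructed stand-in sample, looks it up against hash and string signatures, and pulls out embedded URLs and IPs worth checking as possible C&C endpoints. The sample bytes, the `demo_loader` rule name and the `example.invalid` host are all constructed.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (not a real executable): a fake
# "MZ" header, binary padding and a few embedded strings an analyst would notice.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/gate.php\x00\x01\x02"
    + b"CreateRemoteThread\x00" + b"\xff" * 8
    + b"192.0.2.10\x00"
)
# Two signature kinds an analyst can publish: exact SHA-256 hashes, and string
# rules where every listed string must be present. "demo_loader" is hypothetical.
HASH_SIGNATURES: dict[str, str] = {}
STRING_SIGNATURES: dict[str, list[bytes]] = {
    "demo_loader": [b"gate.php", b"CreateRemoteThread"],
}
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&-]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def register_hash(data: bytes, family: str) -> str:
    """Record a confirmed sample's hash so identical files are recognised later."""
    digest = sha256_hex(data)
    HASH_SIGNATURES[digest] = family
    return digest

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [m.group().decode("ascii") for m in runs]

def match_string_rules(data: bytes) -> list[str]:
    """Unlike a hash, a string rule still matches after a one-byte change."""
    return [name for name, needles in STRING_SIGNATURES.items()
            if all(n in data for n in needles)]

def triage(data: bytes) -> dict:
    """Basic static analysis: hash lookup, string rules, network indicators."""
    text = "\n".join(extract_strings(data))
    return {
        "sha256": sha256_hex(data),
        "hash_family": HASH_SIGNATURES.get(sha256_hex(data)),
        "rule_hits": match_string_rules(data),
        "urls": URL_RE.findall(text),  # candidate C&C endpoints to investigate
        "ips": IPV4_RE.findall(text),
    }
```

A hash signature only matches the identical file, so once a single byte of the sample changes only the string rule still fires; that difference is why analysts publish both kinds.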
If we have a sandboxed environment, we can try launching the sample and see what happens. By doing this we can record everything it does: every process it creates, every socket it opens and any communication with a C&C server (if there is one). We’ll better understand how it works and what the end user would see if the sample were accidentally executed.
This kind of analysis is more challenging, since it requires a special environment where you can detonate the sample, and the use of a debugger. To make it even harder, sophisticated malware might be programmed to avoid running if it detects a debugger attached to it or if it suspects it is being analysed inside a virtual machine.
In the next few chapters we’ll look more closely at these two types of analysis and at how to create a sandboxed environment in which to detonate and analyse samples without infecting our host or network.