Malware has become a hot topic given recent cyber attacks. Put simply, malware is any software written with malicious intent.
Mal(icious) + (Soft)ware = Malware
With that definition in mind, we can ask what kinds of malicious intent exist. In information security the reference point is the triad that describes the properties of information we want to protect, the CIA triad.
i) Confidentiality ii) Integrity iii) Availability
Confidentiality ensures that only authorized parties have access to data. Integrity ensures that data is not modified without authorization, for example a message altered in transit before it reaches the recipient. Availability ensures that services are available to authorized requests for the agreed time window.
When malware is spread, the attacker's core intent is to attack at least one property of the triad.
Information disclosure violates confidentiality. Integrity is violated when malware tampers with files, configuration or transactions. Availability is violated when a website or network cannot service requests because of a malware attack.
If we try to break malware in different categories based on their motive or design, the following types can be defined.
Virus: It is capable of copying itself and spreading, but it attaches to a host file and needs a user action (running the infected program) to execute in the environment.
Worm: It goes one step beyond a virus: it propagates on its own, typically over the network, without any user intervention.
Adware: It serves unwanted advertisements to the user and is generally bundled with free software downloads.
Botnet: A network of bots, i.e. systems infected with the same malware that can be made to act in sync. Attackers use botnets to drive spam campaigns, DDoS attacks, cryptomining and so on.
Ransomware: A sophisticated form of malware that encrypts files on the system and demands a ransom for the decryption key.
Rootkit: Malware that is used to keep privileged access to the infected system while concealing its presence (and often that of other malware) from the user and from security tools.
Trojan: The most common kind of malware, named after the Trojan horse. It looks like legitimate software but is not. A Trojan depends on the user to run it and does not self-propagate through the network; that is what separates it from viruses and worms.
Backdoor/Remote Access Trojan: Malware that lets the attacker execute commands on the compromised system to achieve their goal.
By now we have understood the basics of malware and its different types. We can now look at how malware analysis helps us fight malware.
Malware analysis is the domain of information security in which we study malware behavior to understand its design, so that we can eliminate it and stop it from doing further damage. The malware is analyzed in a safe, isolated environment and its unique characteristics and functionality are derived. That intelligence is then used to detect other instances of the same malware and stop them before they infect systems. We collect different kinds of information that help us detect and contain it:
To identify the nature and family of malware.
To identify network indicators.
To extract host-based indicators such as filenames, registry keys etc. which can be used in host-based monitoring for future infection.
To gain an understanding of how the system was compromised and its impact.
To determine the attacker’s intention and motive behind the malware.
The malware analysis process can be divided into the categories below, where each approach helps in gathering different information about the sample.
Static Analysis is the process of analyzing the binary without executing it. It is the easiest step to perform and lets us extract different kinds of metadata about the sample under investigation: file hashes, embedded strings, header fields, imported functions and so on.
Dynamic Analysis is the process of executing the sample in an isolated environment. Its behavior is monitored to derive meaning from what it does at run time, for example which IPs it tries to connect to or whether it drops other files to continue the infection.
Code Analysis is an advanced technique in which the malware's code itself is analyzed, by disassembling and debugging the sample, to derive its meaning.
Memory Forensics: the memory of the infected system is captured and analyzed, which helps us understand the stealth and evasion capabilities of the malware.
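As an added example of the static analysis step above, and of the kind of host- and network-based indicators the analysis goals list asks for, the following Python script computes file hashes, extracts printable strings, parses the PE file header and sorts the strings into indicator classes. It is not code from the original article; the sample bytes it analyzes are constructed inline to look like a tiny PE file and are not a real executable.

```python
"""Static triage of a suspicious binary without executing it: file hashes,
printable strings, indicator extraction and PE header fields.

Added example for this article, not code from the original post. The sample
bytes built below are a constructed stand-in for a malware sample: they are
PE-shaped but are not a real program and do nothing if run."""
import hashlib
import re
import struct
from datetime import datetime, timezone

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def build_sample() -> bytes:
    """Constructed sample: DOS header, PE signature, COFF file header, then a
    blob of strings that mimic the indicators malware tends to embed."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                       # e_magic
    struct.pack_into("<I", dos, 60, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,                 # Machine: i386
        2,                      # NumberOfSections
        0x5F000000,             # TimeDateStamp (constructed value)
        0, 0,                   # PointerToSymbolTable, NumberOfSymbols
        0xE0,                   # SizeOfOptionalHeader (PE32)
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
    )
    blob = (
        b"\x00" * 16
        + b"http://198.51.100.23/update.php\x00"                   # network indicator
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # persistence key
        + b"svch0st.exe\x00"                                      # dropped-file name
        + b"\x01\x02\x03ab\x00"                                   # noise, too short to be a string
    )
    return bytes(dos) + b"PE\x00\x00" + coff + blob


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests: the identifiers used to look a sample up in
    threat-intel feeds and to deduplicate submissions."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable ASCII of at least min_len bytes (what `strings` prints)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe_header(data: bytes) -> dict:
    """Minimal PE parse: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF file header.
    Raises ValueError when the sample is not PE-shaped, so damaged or packed
    headers are noticed before anything else is trusted."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsect, ts, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "is_executable": bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
REGKEY = re.compile(r"(?i)\b(?:HKLM|HKCU|HKEY_[A-Z_]+|Software)\\")
EXE_NAME = re.compile(r"(?i)\b[\w-]+\.(?:exe|dll|sys|bat|ps1|vbs)\b")


def classify_indicators(strings: list) -> dict:
    """Sort extracted strings into network and host-based indicators that can
    feed network monitoring and host-based detection rules."""
    ind = {"ipv4": [], "urls": [], "registry_keys": [], "filenames": []}
    for s in strings:
        ind["ipv4"] += IPV4.findall(s)
        ind["urls"] += URL.findall(s)
        if REGKEY.search(s):
            ind["registry_keys"].append(s)
        ind["filenames"] += EXE_NAME.findall(s)
    return ind


def triage(data: bytes) -> dict:
    """One static pass over a sample: hashes, header, strings, indicators."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "pe": parse_pe_header(data),
        "strings": strings,
        "indicators": classify_indicators(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it on a real sample by replacing `build_sample()` with the file's bytes read in binary mode, inside an isolated analysis VM. Note that packed or obfuscated malware hides most strings until it unpacks itself in memory, which is exactly why the static pass is only the first step before dynamic analysis and memory forensics.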
I have tried to consolidate the basics on which we can build the next phase. In upcoming articles we will discuss the different approaches in detail with a sample from the wild as the example. We will talk about setting up the lab and then move ahead, with slow and cautious steps, into the world of malware analysis.