Malware is still going strong as a major threat to organizations and individuals everywhere. Since the umbrella term refers to any type of malicious software or file, there are myriad malware types. Something as simple as an email attachment can start a disaster that costs a company millions of dollars.
When responding to a security incident, analysts use malware analysis online tools to better understand how serious it is and help with their investigation. In this post, we’re giving you a primer into malware analysis practices and what to look for in a malware analysis online tool.
What is malware analysis?
Malware analysis is the group of techniques and tools used to understand the purpose and behavior of a suspicious file. Analysts follow this practical process to assess and learn how each specific type of malware functions.
By studying malware behavior, analysts can then learn how to detect and eliminate it. The process involves analyzing the suspicious file in a safe environment to completely understand its characteristics by using malware analysis tools.
4 stages of malware analysis
Security professionals conduct malware analysis in four stages:
Static properties analysis
Analysts first look at components such as strings embedded in the malware code, headers, metadata, and other indicators of compromise. Security teams can collect this data quickly because they don’t need to run the code to obtain it.
Interactive behavior analysis
Next, analysts focus on how the malware sample behaves. To do that, they run the sample in a lab and observe it dynamically. This reveals details about the sample and its activity, and the controlled environment lets them safely exercise the malware’s capabilities.
Fully automated analysis
The next stage involves conducting a fully automated analysis of suspicious files. The goal of this analysis is to determine the consequences of malware infiltrating the network. This analysis is very useful when you need to process malware at scale.
Manual code reversing
Finally, analysts try to understand the logic behind the malware code and identify any hidden capabilities they have not yet found. To achieve that, analysts often reverse-engineer the code. Since this is a time-consuming task, some security teams skip this stage.
Types of malware analysis
Analysts conduct malware analysis statically, dynamically, or with a hybrid of the two.
Static Malware Analysis
This type of analysis examines the file at rest. It doesn’t require the code to run. Static analysis is used to assess infrastructure, libraries, and resting files for malicious intent and indicators.
Some indicators you may look at during static analysis include filenames, IP addresses, and headers, which help determine whether the file is malicious. Analysts use tools like network analyzers to observe the malware’s characteristics without running it.
The downside of static analysis is that it can overlook malicious runtime behavior. For instance, if a file triggers the download of a malicious file based on a string that is only built at runtime, static analysis cannot detect it.
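The static checks described above, as an added example that is not from the original post: it hashes a file, pulls out embedded printable strings the way the `strings` utility does, and uses byte entropy as a packing hint. The sample bytes and the 7.0 entropy threshold are constructed assumptions, not values from the article.

```python
"""Static-properties triage of a file at rest: hashes, embedded strings, entropy, packing hint."""
import hashlib
import math
import re
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests, the identifiers analysts share and look up."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs embedded in the file (URLs, paths, mutex names), like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packed or encrypted payloads are near-random; plain code, text and padding are not."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes) -> dict:
    """The static report an analyst wants before deciding whether to detonate the sample."""
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",  # DOS/PE magic; headers would be parsed further from here
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 3),
        "packed": looks_packed(data),
        "strings": extract_strings(data),
    }


# Constructed sample (not a real binary): a PE magic, zero padding and two embedded strings.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64
          + b"http://update.example.invalid/payload.bin\x00"
          + b"C:\\Users\\Public\\update.exe\x00" + b"\x00" * 64)
```

Run `triage(SAMPLE)` on the constructed bytes, or on a real file's contents, to get the report as a dictionary.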
Dynamic Malware Analysis
This type of malware analysis actually runs the code, executing it in a safe environment called a sandbox. This protected system lets security professionals observe the malware running without the risk of infecting the network and systems.
Dynamic malware analysis gives security teams, threat hunters, and incident responders a deeper understanding of how the malware works and how severe it is.
The problem with dynamic malware analysis is that attackers are becoming increasingly good at detecting sandboxes. Adversaries often include code that stays dormant when it detects a sandbox and only runs once it is triggered.
To overcome the limitations of both methods, security teams often combine static and dynamic analysis. This hybrid approach takes the best of both and helps detect unknown threats. For example, static analysis of behavioral data can reveal hidden code, and dynamic analysis can then verify the changes that were detected.
Why do you need malware analysis?
The obvious benefit of doing malware analysis is to extract information from the malware sample and use this information to respond to the incident and prevent further attacks. The goal of malware analysis is to understand how serious the malware is, how to detect it, and contain it. It also helps to identify patterns you can use to prevent a future attack.
Some reasons organizations should implement malware analysis:
- During an incident, to understand how far the system was compromised and the impact of the attack.
- To identify network indicators associated with the malware that you can use to detect similar infections. For instance, if the malware calls back to a specific IP address, you can block it.
- To triage events by their level of severity.
- To give more context to threat hunting activities.
What features do you need in a malware analysis tool?
There are free and paid malware analysis online tools. You can find a list of free tools here. Organizations that need stronger security capabilities may prefer paid versions that offer more robust features. Some features that top malware analysis tool vendors offer include:
- Visibility into the processes running on a device.
- Hashes of the malware and a list of its embedded strings.
- Detection of whether the malware is packed, along with the entropy level of the file.
- A view of the functions the malware imports and the ability to create new running processes.
- Logging and recording of sandbox sessions, where you can identify the processes created and where the software ran.
- Debugging and reverse engineering capabilities.
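An added example, not part of the original article, of working through a recorded sandbox session like the one described in the list above: it lists the processes the sample created, collects the callback destinations you could block (the point made earlier about a sample calling back to a specific IP address), and assigns a rough severity for triage. The log format, event names, lab address ranges and the session itself are constructed for this example.

```python
"""Mine a recorded sandbox session for spawned processes, callback indicators and a triage severity."""
import re
from ipaddress import ip_address, ip_network

# Constructed session log for this example; 203.0.113.45 (TEST-NET-3) stands in for an attacker server.
SESSION_LOG = """\
10:00:01 PROCESS_CREATE pid=1204 image=C:\\Users\\lab\\Downloads\\invoice.exe parent=explorer.exe
10:00:02 FILE_WRITE pid=1204 path=C:\\Users\\lab\\AppData\\Roaming\\svchost.exe
10:00:03 PROCESS_CREATE pid=1388 image=C:\\Users\\lab\\AppData\\Roaming\\svchost.exe parent=invoice.exe
10:00:05 DNS_QUERY pid=1388 name=update.example.invalid
10:00:05 NET_CONNECT pid=1388 dst=203.0.113.45:443
10:00:09 NET_CONNECT pid=1388 dst=203.0.113.45:443
10:00:10 NET_CONNECT pid=1388 dst=10.0.0.5:445
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) pid=(?P<pid>\d+) (?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")
# Assumed lab address space: connections inside it are not callbacks to the outside world.
LAB_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_session(log: str) -> list:
    """One dict per event; lines the recorder wrote in another format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            fields = dict(KV.findall(m["rest"]))
            fields.update(ts=m["ts"], event=m["event"], pid=int(m["pid"]))
            events.append(fields)
    return events


def created_processes(events: list) -> list:
    """Images of every process spawned during the session, the initial sample included."""
    return [e["image"] for e in events if e["event"] == "PROCESS_CREATE"]


def network_indicators(events: list) -> dict:
    """Destinations outside the lab network and queried names: candidates for a block list."""
    ips, names = set(), set()
    for e in events:
        if e["event"] == "NET_CONNECT":
            ip = ip_address(e["dst"].rsplit(":", 1)[0])
            if not any(ip in net for net in LAB_NETWORKS):
                ips.add(str(ip))
        elif e["event"] == "DNS_QUERY":
            names.add(e["name"])
    return {"ips": sorted(ips), "domains": sorted(names)}


def severity(events: list) -> str:
    """Crude ranking: external callbacks weigh most, then spawned children, then dropped files."""
    score = (3 * len(network_indicators(events)["ips"]) + 2 * (len(created_processes(events)) - 1)
             + sum(e["event"] == "FILE_WRITE" for e in events))
    return "high" if score >= 5 else "medium" if score >= 2 else "low"
```

The weights in `severity` are an assumption to illustrate ranking; a real triage scheme would be tuned to the organization's own telemetry.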
Ultimately, no single tool offers every capability, so most organizations combine several tools for the different stages of the malware analysis process. Since malware is constantly changing, it is not always easy to gather information about a specific file. Hopefully, the practices outlined in this article will give you an understanding of malware analysis.