Getting Started with Malware Analysis
The basics of malware analysis and how to apply the results in your organization
There are many reasons that organizations and individuals conduct malware analysis. Some have specific goals in mind including collecting Indicators of Compromise (IOC)s that can help advance their security goals. Examples include: command and control protocol, persistence, spreading and lateral movement, encryption method and possible kill switch/prevention methods. While it can take years to be an expert, there are a number of ways to get started. In this technical whitepaper, we discuss the basics of malware analysis and how to apply the results in your organization.
Why Conduct Malware Analysis
• General research – It may be worth looking at trends and techniques of malware authors and malicious actors.
• Signatures – Malware analysis can be applied to create antivirus signatures and signatures for IDS/IPS.
• Vulnerability and exploit search – Malware can utilize vulnerabilities and exploits to get itself on a system. Analyzing samples to figure out how it infects the system can be very useful.
• Incident response or forensics – You may want to analyze samples during an IR or forensics scenario to figure out capabilities or persistence mechanism. This aids in response and recovery and provides your client with more information regarding what access and capabilities malware had.
What are the Best Ways to Get Malware Samples?
In order to examine the common methods for obtaining actual malware samples, we must first start by mentioning operational security. Every organization should begin this activity by establishing solid OpSec surrounding their malware collection plans. In addition, as recommended by SecureList1, be sure all activities are reasonably accomplished by your team as “bad OPSec might be worse than no OPSec at all.” With these activities, it’s important to not leak information while gathering samples. Once that has been established, our recommendations for collecting Malware samples include:
• Setting up your own honeypot
• Checking spam emails for attachments
• Googling hacks for popular video games (seriously)
• Guides on building a malware analysis lab
Types of Malware Analysis
Once malware samples have been collected, there are various tools and techniques reverse engineers could use to analyze the samples. Including some of the following:
Static analysis is analyzing the sample without executing the code. This can include analyzing the properties of the malware sample or decompiling/disassembling code and analyzing that. Some of the common things to examine in Windows malware are file hashes, the import/export table, function calls or strings present in the binary.
Hashes can be looked up to see if anyone else has seen the sample before. Sometimes it’s easier to find data online and learn from existing analysis.
Import/export table and function usage can give a decent idea of what capabilities the malware sample has or what it may do. For Windows samples, Microsoft has plenty of documentation on some of the functions you may come across when doing analysis.
CFF Explorer and PEStudio are great for doing static analysis. PEStudio will even highlight malicious indicators for you.
Analyzing the strings included in the malware sample can give you more information about what the sample may be doing or what it interacts with. Sometimes strings can help you get URLs or IP addresses on which to conduct further research.
The program database (PDB) may also be useful for static analysis of Windows malware. It stores the symbols and addresses used in the binary and is useful for debugging. Often, it provides context around the sample and you can also use the information in the PDB for open sources intelligence (OSINT) or writing signatures.
Dynamic analysis is analyzing the sample by executing it. Dynamic analysis can be done to observe behavior or perform step by step reverse engineering. It’s especially useful when the sample is encrypted or encoded or when static analysis does not lead to enough information.
One item to analyze during dynamic analysis is the interaction with the system. Malware may read/write files, it may also modify the registry or even use built-in system features such as scheduling for persistence.
Regshot and Procmon are two great tools for monitoring registry changes. Regshot allows you to take a snapshot of the registry pre-infection and post-infection then compare. Procmon monitors registry amongst other things such as file operations, network connections, and processes and threads. For the visually inclined, the output from Procmon can be visualized using Procdot.
During dynamic analysis, you may also want to simulate the internet, to allow the sample to make web requests or connect to a simulated command and control server. This will allow observation of the sample’s networking capabilities. Inetsim, Fakenet, and Fakenet-ng provide some of these capabilities. Inetsim allows you to enable and simulate many different services and it runs on a separate virtual machine. Fakenet and Fakenet-ng run on the same system as the malware and are also able to capture some of the network requests that malware may make.
You can always run the sample and let it connect to the real C2 while also intercepting network data and collecting system data.
Sysinternals Suite comes with a lot of tools that can help with dynamic analysis.
In addition to all the things mentioned above, many organizations analyze malware samples in order to find what’s known as a kill switch. Malware authors often build in some specific things that would prevent the malware from running. This gives the authors or attackers control to prevent multiple versions of the malware from running or to prevent their tools from running in sandboxes or research environments. Often, the kill switch is as simple as checking for the existence of a particular file or if a particular file contains a specific thing. Both static and dynamic analysis can help researchers discover and share these kill switches. Nevertheless, be sure to practice good OpSec with this information as attackers could easily change the kill switch if it is known!
Speeding Up Analysis
If you are collecting and looking at analyzing a lot of samples, there are some options to speed up the process. You can partially automate both static and dynamic analysis using existing tools.
For static analysis, tools such as Laikaboss and Strelka can be used.
For dynamic analysis, Cuckoo sandbox can be used. Results from these tools can be used to trigger alerts or write detection signatures. Estonia CERT 2 has a public Cuckoo instance that you can use as well. However, please be mindful of uploading private or sensitive files to sandboxes or multi-AV sites as those sites will retain those samples.
Utilizing open sources intelligence (OSINT) can help save time as well. Malware samples the author distributed may all have different hashes but may have some properties that are the same. Using OSINT to look for IOCs or data obtained from static analysis can help find other samples, C2’s, analysis reports, etc.
Many times, we notice a malware sample using a specific file name (or format), file drop location or service name. Searching for those things on Google or sandbox sites can lead to discovering similar samples that have already been analyzed.
Virustotal3 is a great resource. Relationships featured on Virustotal can help find samples that are related to your sample. Virustotal also has a behavior analysis tab that has results from multiple dynamic analysis sandboxes.
Searching for a unique string or PDB symbols can be very helpful as well. In the past, we’ve seen PDB strings that relate to an open source project. In this case, the author had modified an open source project by adding malicious code to it and recompiling it.
Applying your analysis results & preventing malware
• Block malicious IPs and domains – If similar malware is executed, you will at least prevent communication with C2.
• Create signatures – Depending on the products used, you may be able to create signatures. IDS/IPS signatures can also be created if C2 protocol can be detected.
• Do historical IOC lookups – If you collect network data or logs, you should be able to lookup IOCs to ensure that your environment has not had those IOCs.
• Share IOCs – CIRCLU MISP is a great place for organizations and researchers to share IOCs. AlientVault OTX is another place IOCs can be shared.
• ClamAV — If you are performing incident response or post-incident cleanup, using ClamAV and Yara can make life easier. Yara rules also work with ClamAV. ClamAV provides an option to move or remove the files it finds as well. Using file hashes is the easiest way to create a ClamAV signature file. You can have samples in one directory, run Sigtool and create a hash-based database. This is very useful in a scenario where an attacker has deployed the same malware on multiple systems.
• Yara signatures — Yara signatures are pattern-based. You can look for a certain pattern that’s common for malicious files. In the past, we have created Yara rules using a string that turned out to be common throughout multiple samples with different hashes.
• Kill switch and prevention — Kill switch is a technique used to prevent malware from running. The malware authors often build in a kill switch. For example, it could be a check for a particular file and if that file exists or contains something specific, the malware will not run due to the kill switch.
• Mutex 4 — Mutex is sometimes used by malware to ensure that only one copy of the malware is running. Creating a mutex that malware samples use before malware starts can potentially prevent the malware from running. Mutex is not the only thing that can be used for malware prevention. Malware may detect the presence of a sandbox or virtual machine and quit running.
Malware authors consistently make updates to add new capabilities and features. This includes malware’s ability to be used in all manners of cyberattacks. Some malware, like Formbook, is easy to acquire and sold on dark web forums at a relatively low cost. With the ease of use increasing for malware actors, it is important to keep up to date with their practices and ensure that your organization has the best research, detection and prevention methods in place.
Pondurance customers benefit from our 24/7 malware analysis capabilities. Want to analyze your malware research and prevention techniques? Contact us to discuss!
Pondurance delivers world-class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce.
By combining our advanced platform with our experienced team of analysts we continuously hunt, investigate, validate and contain threats so your own team can focus on what matters most.
Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals and compliance and security strategists who provide always-on services to customers seeking broader visibility, faster response and containment and more unified risk management for their organizations.
Visit pondurance.com for more information.