Malware analysis is the art of dissecting a malicious program to understand what it does behind the scenes, how it works, and how it can be defeated or removed. Carefully analyzing a suspicious sample and its functions lets us build both host-based and network signatures. It is important to understand, however, that functionality differs from one piece of malware to the next and can be complex. Malware also comes in the various forms discussed earlier, and each form behaves differently from the others.
Malware Analysis Techniques
The samples you receive will usually be executable files, which are not human-readable, so you will need a variety of tools in your arsenal before the analysis actually starts. Each tool reveals only a small amount of information; combined, these pieces give you a picture of what the malware actually does.
There are two fundamental approaches to malware analysis: static analysis and dynamic analysis. Each is further divided into a basic and an advanced form.
Basic Static Analysis
Basic static analysis examines the sample without executing it. It is straightforward and quick, but it is largely ineffective against sophisticated samples, for example packed or obfuscated code. It can confirm whether a file is malicious and provide some information about its functionality: file hashes, embedded strings, imported functions and the section layout. It does not require reading the code, but reading the code is exactly what you will need if you want to understand the binary's internals.
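The checks above (hashes, strings, section table, and an entropy heuristic for the packed case where basic static analysis runs out of road) as a single triage script. This is an added example written for this article, not the author's own code; it uses only the Python standard library, and the PE image it inspects is constructed inline (the section names, the API names and the TEST-NET URL are made up for the demonstration) so that it runs offline without a real sample.

```python
"""Basic static triage of a PE file without executing it: hashes, COFF header,
section table with per-section entropy (packer heuristic) and printable strings.
Added example, not from the original article; standard library only."""
import hashlib
import math
import re
import struct

# A short watch-list of APIs that stand out during triage (assumed list).
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "URLDownloadToFileA", "InternetOpenA",
}


def build_sample_pe() -> bytes:
    """Construct a tiny PE image (headers + three sections) so the example runs
    offline.  It is not a runnable program; the third section is filled with a
    high-entropy byte pattern to stand in for a packed section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    text = (b"\x90" * 32 + b"CreateRemoteThread\x00WriteProcessMemory\x00").ljust(0x200, b"\x00")
    data = b"http://198.51.100.23/gate.php\x00".ljust(0x200, b"\x00")  # constructed C2 URL
    packed = bytes((i * 131 + 7) & 0xFF for i in range(0x200))         # uniform bytes, entropy 8.0
    sections = [(b".text", text, 0x60000020), (b".data", data, 0xC0000040),
                (b"UPX1", packed, 0xE0000040)]
    opt_size = 0xE0                       # size of a PE32 optional header
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF   # first section on a 512-byte boundary
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F3E0000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")   # PE32 magic, rest zeroed
    sec_hdrs, body, va = b"", b"", 0x1000
    for name, content, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), va, len(content),
                                raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += content
        va += 0x1000
    return (dos + b"PE\x00\x00" + coff + opt + sec_hdrs).ljust(raw_ptr, b"\x00") + body


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table, then
    pull strings and flag the things an analyst looks at first."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 24 + opt_size      # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, va, rsize, rptr, *_, schars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "raw_size": rsize, "entropy": round(entropy(raw), 2),
                         "executable": bool(schars & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", image)]
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "machine": machine, "timestamp": ts, "sections": sections, "strings": strings,
        "suspicious_apis": sorted(SUSPICIOUS_APIS.intersection(strings)),
        "possibly_packed": any(s["entropy"] > 7.0 for s in sections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Run it against a real file by replacing `build_sample_pe()` with the file's bytes. The entropy flag is the important caveat: when a section reads near 8.0 and the string list is nearly empty, the sample is probably packed and everything else basic static analysis reports describes the packer, not the payload.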
Basic Dynamic Analysis
Basic dynamic analysis involves actually executing the malware and observing its behaviour on the system, in order to remove the infection, prepare signatures, or both. Before taking this step it is strongly recommended to set up a separate, isolated environment (typically a virtual machine with no path to your production network), so that you do not expose your own system or network to damage.
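The core loop of basic dynamic analysis is baseline, execute, diff, and turn every new artefact into an indicator. The harness below does exactly that for the file system; it is an added example written for this article, not the author's code, and it is meant to be run inside the isolated VM, never on the analyst's own machine. The "sample" is a constructed Python script standing in for a real executable (the dropped file name and the Startup marker are made up), so the whole thing runs offline; for a real sample the command line is simply the path to the binary.

```python
"""Minimal behavioural harness: snapshot a directory, run the sample with a
hard timeout, diff the result and emit host-based indicators.
Added example, not from the original article.  Run inside the sandbox VM."""
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a malicious executable: drops a second-stage file and
# a persistence marker.  The harness does not care what it runs.
SAMPLE_SCRIPT = r'''
import os, sys
root = sys.argv[1]
with open(os.path.join(root, "svchost32.exe"), "wb") as f:
    f.write(b"MZ" + b"\x90" * 64)
os.makedirs(os.path.join(root, "Startup"), exist_ok=True)
with open(os.path.join(root, "Startup", "run.lnk"), "w") as f:
    f.write("svchost32.exe")
'''


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = sha256_bytes(fh.read())
    return state


def run_sample(cmd: list, root: str, timeout: int = 10):
    """Execute the sample with cwd inside the scratch directory.  A sample that
    never exits (waiting for C2, sleeping to evade sandboxes) is killed rather
    than waited for; returncode None records that."""
    try:
        return subprocess.run(cmd, cwd=root, capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return None


def diff(before: dict, after: dict) -> dict:
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def analyse(sample_source: str) -> dict:
    """Baseline -> execute -> diff -> indicators, in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        sample_path = os.path.join(root, "sample.py")
        with open(sample_path, "w") as fh:
            fh.write(sample_source)
        with open(os.path.join(root, "README.txt"), "w") as fh:   # pre-existing file
            fh.write("pre-existing file\n")
        before = snapshot(root)
        rc = run_sample([sys.executable, sample_path, root], root)
        after = snapshot(root)
        changes = diff(before, after)
        # Every file the sample created is a host-based indicator: path + hash.
        indicators = [{"path": p, "sha256": after[p]} for p in changes["created"]]
        return {"returncode": rc, "changes": changes, "indicators": indicators}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_SCRIPT), indent=2))
```

The same before/after idea extends to the registry, scheduled tasks, services and listening sockets; real tooling (Process Monitor, Regshot, a packet capture on the VM's virtual NIC) records the same categories continuously instead of as a single diff, which also catches files the sample creates and deletes again before it exits.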
Advanced Static Analysis
This technique consists of reverse-engineering the malware's internals by loading the executable into a disassembler such as IDA Pro and reading the program instructions to understand what the program does. It is the most reliable way to find out exactly what the program does, at the cost of time and assembly-language skill.
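A typical outcome of reading the disassembly is finding a small decoding loop (for example, every byte of a data blob XORed with one immediate) that unpacks the sample's configuration at runtime. Advanced static analysis then means reproducing that loop in a script and recovering the plaintext without running the sample. The code below is an added example written for this article, not the author's code or any real sample's routine; the blob, the key 0x5A and the `key=value;` config layout are constructed for the demonstration.

```python
"""Recovering a single-byte-XOR-encoded configuration statically, the way an
analyst re-implements a decoding loop seen in the disassembler.
Added example, not from the original article; blob, key and format are constructed."""


def xor_bytes(data: bytes, key: int) -> bytes:
    """The decoding loop as it would appear in the disassembly: one byte key
    applied to every byte of the blob."""
    return bytes(b ^ key for b in data)


# Constructed: what the analyst would see in the .data section.  Built here from
# a known plaintext so the example is self-checking; the key (0x5A) is what the
# recovery functions below have to find.
_PLAINTEXT = b"c2=http://203.0.113.9:4443;sleep=300;campaign=alpha"
CONFIG_BLOB = xor_bytes(_PLAINTEXT, 0x5A)

# Substrings that a decoded config is likely to contain (assumed list).
MARKERS = (b"http", b"c2=", b".exe", b".dll")


def score(candidate: bytes) -> float:
    """Higher is better: fraction of printable ASCII plus one point per marker hit."""
    printable = sum(0x20 <= c <= 0x7E for c in candidate) / len(candidate)
    return printable + sum(m in candidate for m in MARKERS)


def recover_single_byte_xor(blob: bytes):
    """Brute-force all 256 keys and return (key, plaintext) with the best score.
    Works when the key is unknown, e.g. derived at runtime from something the
    static listing does not show."""
    key = max(range(256), key=lambda k: score(xor_bytes(blob, k)))
    return key, xor_bytes(blob, key)


def key_from_known_plaintext(blob: bytes, known_prefix: bytes) -> int:
    """Faster path when the disassembly tells you how the config starts (say a
    comparison against "c2=" right after the loop): key = cipher ^ plain.
    Every position must agree, otherwise the scheme is not single-byte XOR."""
    keys = {c ^ p for c, p in zip(blob, known_prefix)}
    if len(keys) != 1:
        raise ValueError("prefix does not fit a single-byte XOR key")
    return keys.pop()


def parse_config(plain: bytes) -> dict:
    """Split 'k=v;k=v' into a dict.  A real sample's layout comes from the
    code that consumes the decoded blob and needs its own parser."""
    return dict(item.split("=", 1) for item in plain.decode("ascii").split(";") if item)


if __name__ == "__main__":
    key, plain = recover_single_byte_xor(CONFIG_BLOB)
    print(f"key=0x{key:02x} prefix-key=0x{key_from_known_plaintext(CONFIG_BLOB, b'c2='):02x}")
    print(parse_config(plain))
```

The scoring trick matters because XOR with a single byte often maps printable text to printable text, so "is it readable?" alone does not pick out the right key; anchoring on content you expect (a URL scheme, a field name you saw compared in the code) does. Multi-byte or rolling keys need the loop reproduced exactly rather than brute-forced.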
Advanced Dynamic Analysis
Advanced dynamic analysis requires specialised knowledge of assembly language; here a debugger is used to examine the internals of the malicious executable while it runs. It provides a great deal of information about the file (register and memory contents, data after it has been decrypted, the arguments passed to each API call) and is useful when the other techniques fail to yield information that is otherwise difficult to gather.