Analyzing malware, viruses and other kinds of harmful programs and scripts is complicated and requires a lot of knowledge. To properly understand how a program works, what it connects to and what damage it can do, it helps to know programming, preferably in several languages rather than just one, and to have a good understanding of how computer networks are built and operate.
Reverse engineering is often used to analyze such a program. It is the process of examining a product (a device or a computer program) to determine exactly how it works, as well as how and at what cost it was made. It is usually done to obtain the information needed to build a counterpart.
For example, we decompile the program to recover part of its code so that we know exactly how it works. We can also use additional tools to analyze the program itself, its processes and its network connections.
When analyzing a malicious program, we must be extremely careful not to infect ourselves by accident. Anyone who wants to start with the analysis of such programs should build their own virtual environment, separated from the network (or running in a separate, purpose-built network) and isolated, used only for analysis.
There are products on the market called sandboxes. They run a program in a sandbox, i.e. an isolated environment, which allows safe analysis by simulating the real environment of a potential victim. Most of these products are paid and, because of the cost, available only to large corporations.
Nowadays malicious software has evolved to such an extent that it not only tries to detect and bypass anti-virus software but also checks whether it is running on a virtual machine or in a sandbox. Sometimes it launches its malicious functions with a delay, and sometimes it deactivates completely so as not to attract attention, behaving like an ordinary harmless application.
Although the analysis requires a lot of knowledge and skill, nothing prevents you from starting with simple examples and free tools.
Below I describe a few tools and pages that will help you take your first steps in this difficult field.
Static - also called static code analysis, is a process of software debugging without executing the code or program. In other words, it examines the malware without examining the code or executing the program. The techniques of static malware analysis can be implemented on various representations of a program. The techniques and tools instantaneously discover whether a file is of malicious intent or not. Then the information on its functionality and other technical indicators help create its simple signatures.
Dynamic - the dynamic analysis runs malware to examine its behavior, learn its functionality and recognize technical indicators. When all these details are obtained, they are used in the detection signatures. The technical indicators exposed may comprise IP addresses, domain names, file path locations, additional files and registry keys found on the network or computer.
These definitions are taken from Comodo Blog.
The first question is where to start, because it is hard to say how to properly configure your own test environment. It is therefore worth starting with a ready-made environment that comes with a set of tools, so that later you can build your own, tailored to your needs. Ready-made solutions let you see how industry professionals do it, which tools they use and how they approach the topic. Just as Kali Linux is a ready environment for pentesters, flare-vm is a ready environment for malware analysts. Check the official article to get more information about it. Download it, install it and play with the tools you will find there. There are tools in categories like Debuggers, Decompilers, Delphi, Developer Tools, Android Tools, Disassemblers, Flash, Forensic, Hex Editors, Java, Networking, Office, PDF, PE, Pentest, Text Editors, Visual Basic, .net, Python and modules, Web and other useful utilities.
Once you have worked with it for some time, you can create your own virtual machine and install only the tools you like.
Below are some paid and free sandboxes.
Sandboxie - runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
Firejail - is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
SHADE Sandbox - is an alternative to antivirus and a tool for virtualization. It locally virtualizes applications (e.g. internet browsers) and locks all incoming internet files and possible viruses in its safe virtual environment.
PyREbox - is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
FAME - is a recursive acronym meaning “FAME Automates Malware Evaluation”. It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
You can find several free online sandboxes. Remember, however, that if you want to scan and analyze a private file, by uploading it to an online scanner you share it with the owners of the service or even publicly. Hence, you should not upload sensitive data there, especially company data.
CAPE Sandbox - malware configuration and payload extraction.
Hybrid Analysis - free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
AnyRun - interactive online malware analysis service for dynamic and static research of most types of threats in any environment. It replaces a whole set of research tools.
Sandbox Anlyz - online malware sandbox.
Opswat Metadefender - malware/IP/URL/hash/CVE/Domain analysis and sandbox.
JoeSandbox - detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.
Personally, I know only one free solution that can be self-hosted. It is called Cuckoo Sandbox. Cuckoo Sandbox is the leading open source automated malware analysis system and is available on most popular platforms.
Antivirus-like tools are also useful for analyzing files; they provide more details and scan a given file using various anti-virus engines.
AVCaesar - is a malware analysis engine and repository. Your suspicious files can be analyzed by a set of antivirus engines.
VirusTotal - analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
NoDistribute - similar to VirusTotal, but does not distribute scan results. For your own privacy and the privacy of your files, you may not want to share their contents with the antivirus companies.
AntiScan - similar to VirusTotal, but does not distribute scan results.
Malwares - is a malware analysis engine.
Nowadays not only files can be harmful, but also entire web pages and the scripts they contain. Therefore it is also worth using sandboxes for URLs. VirusTotal, mentioned earlier, is not the only service with such a function.
URLhaus - is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
URLscan - a sandbox for the web.
MetaDefender - trust no file, trust no device. Analyze IP, HASH, CVE, URL.
URLVoid - service helps you detect potentially malicious websites.
Zulu by Zscaler - Zulu is a dynamic risk scoring engine for web based content.
Cyren URL - Cyren URL Category Check.
IPVoid - offers a vast range of IP address tools to discover details about IP addresses: IP blacklist check, whois lookup, DNS lookup, ping and more.
MXToolbox - everything you need to analyze any IOCs.
CyberChef - A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.
Phishtank - phishing analysis.
Isitphishing - phishing analysis.
Domaintools Whois - WHOIS online.
Robtex IP Lookup - IP lookup.
AbuseIPDB - Check the report history of any IP address to see if anyone else has reported malicious activities.
Cyren IP - Cyren IP Reputation Check.
Message header analyzer - analyze message headers.
Pulsedive - sweet spot between enriched intelligence and technical information.
ThreatMiner - data mining for threat intelligence.
Talos - Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
IBM X-Force Exchange - Research, Collaborate and Act on threat intelligence.
These are just a few of thousands you can use. You have to start somewhere.
Spybot File Analyzer - FileAlyzer shows basic file content, a standard hex viewer, and a wide range of customized displays for interpreted complex file structures that help you understand the purpose of a file.
wxHexEditor - a free cross-platform hex editor.
IDA Pro - The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation.
Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.
OllyDbg - is a 32-bit assembler level analysing debugger for Windows.
Binary Ninja - is an interactive disassembler, decompiler, and binary analysis platform for reverse engineers, malware analysts, vulnerability researchers, and software developers that runs on Windows, macOS, Linux.
Radare2 - A free/libre toolchain for easing several low level tasks like forensics, software reverse engineering, exploiting, debugging.
Objdump - is a command-line program for displaying various information about object files on Unix-like operating systems. For instance, it can be used as a disassembler to view an executable in assembly form.
Xori - is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.
x64dbg - an open-source x64/x32 debugger for Windows.
Windbg - The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.
ImmunityDebugger - is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.
Scylla - Imports Reconstruction.
OllyDumpEx - a process memory dumper plugin for OllyDbg and Immunity Debugger.
RegShot - is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.
Process Explorer - advanced process explorer.
Process Monitor - advanced process monitor.
ProcDOT - a visual approach to malware analysis.
Process Hacker - powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
Noriben - Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run an application, hit a keypress, and get a simple text report of the sample's activities.
Autoruns - This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.
Detect It Easy (DiE) - is a packer identifier.
Exe info PE - Packer, compressor detector / unpack info / internal exe tools.
Peframe - peframe is an open source tool to perform static analysis on Portable Executable malware and generic suspicious files. It can help malware researchers detect packers, XOR, digital signatures, mutexes, anti-debug and anti-virtual-machine tricks, suspicious sections and functions, macros and much more information about the suspicious files.
Flare-Floss - uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
XORSearch - XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file.
Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR.
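XORSearch and Balbuzard both work by brute-forcing cheap encodings until a known plaintext shows up. The script below is an added example (not code from either tool) that does the same for single-byte XOR, ROL and ROT over a blob constructed here for the demo; the XOR key 0x5A, the URL and the DOS-stub string inside it are made up.

```python
import re

def rol8(b: int, n: int) -> int:
    """Rotate one byte left by n bits (1..7); ROL n undoes ROR n."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def decode(blob: bytes, method: str, key: int) -> bytes:
    """Undo one of the cheap obfuscations XORSearch tries: XOR, ROL or ROT."""
    if method == "xor":
        return bytes(b ^ key for b in blob)
    if method == "rol":
        return bytes(rol8(b, key) for b in blob)
    if method == "rot":                                   # Caesar shift, letters only
        def rot(b):
            for base in (ord("A"), ord("a")):
                if base <= b < base + 26:
                    return base + (b - base + key) % 26
            return b
        return bytes(rot(b) for b in blob)
    raise ValueError(method)

def candidates():
    """Key space to brute-force; xor key 0 is the plain-text search."""
    yield from (("xor", k) for k in range(256))
    yield from (("rol", n) for n in range(1, 8))
    yield from (("rot", n) for n in range(1, 26))

def xorsearch(blob: bytes, needle: bytes, context: int = 24) -> list:
    """(method, key, offset, decoded neighbourhood) for every decoding that reveals needle."""
    hits = []
    for method, key in candidates():
        dec = decode(blob, method, key)
        for m in re.finditer(re.escape(needle), dec):
            lo = max(0, m.start() - context)
            hits.append((method, key, m.start(), dec[lo:m.end() + context]))
    return hits

def build_sample_blob() -> bytes:
    """Constructed input (not a real sample): filler bytes, a URL hidden with the
    single-byte XOR key 0x5A, and a DOS-stub string stored rotated right by 3 bits."""
    filler = b"\x00" * 16 + b"\x90" * 16
    url = decode(b"GET http://example.invalid/update.bin HTTP/1.1", "xor", 0x5A)
    stub = decode(b"This program cannot be run in DOS mode.", "rol", 5)   # ROR 3 == ROL 5
    return filler + url + filler + stub + filler
```

The decoded neighbourhood in each hit is what makes the result useful: once the key is known, the bytes around the match are usually readable configuration or strings.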
INetSim - is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.
FakeDNS - a regular-expression based Python MITM DNS server with support for DNS rebinding attacks.
File - The file command is a standard program of Unix and Unix-like operating systems for recognizing the type of data contained in a computer file.
Strings - is a program in Unix and Unix-like operating systems that finds and prints text strings embedded in binary files such as executables.
Readelf - is a program for displaying various information about object files on Unix-like systems, like objdump. It is part of GNU binutils.
PEStudio - The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment.
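As an added example (not code from any of the tools above), the script below does the kind of first static pass that DiE, peframe and PEStudio automate: it walks the PE headers, computes per-section entropy to flag likely packing, and pulls printable strings the way the `strings` tool does. The PE image it inspects is constructed inline and is not a real binary; the section names, the 7.0 entropy threshold and the embedded strings are assumptions for the demo.

```python
import math
import re
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for code and text, close to 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table; nothing is executed."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                         # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        entropy = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append((name, raw_size, round(entropy, 2)))
    return sections

def ascii_strings(blob: bytes, min_len: int = 4) -> list:
    """Same idea as the Unix `strings` tool: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def triage(blob: bytes, packed_threshold: float = 7.0) -> dict:
    """Static first look: high section entropy hints at packing, strings give leads."""
    secs = pe_sections(blob)
    return {"sections": secs,
            "likely_packed": [name for name, _, ent in secs if ent >= packed_threshold],
            "strings": ascii_strings(blob)}

def build_sample_image() -> bytes:
    """Constructed test image, not a real or runnable binary: MZ stub, PE signature
    at 0x40, no optional header, a plain .text and a uniform-histogram .packed."""
    text = b"kernel32.dll\0CreateRemoteThread\0http://example.invalid/c2\0".ljust(1024, b"\0")
    packed = bytes(range(256)) * 4                       # every byte value equally often
    img = bytearray(0x900)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew -> "PE\0\0"
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 2)                 # NumberOfSections; SizeOfOptionalHeader at 0x54 stays 0
    for i, (name, data) in enumerate(((b".text", text), (b".packed", packed))):
        hdr, ptr = 0x58 + i * 40, 0x100 + i * 0x400
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", img, hdr + 16, len(data), ptr)  # SizeOfRawData, PointerToRawData
        img[ptr:ptr + len(data)] = data
    return bytes(img)
```

A packed section with entropy near 8 and almost no strings is the usual sign that the static pass has hit a wall and the sample has to be unpacked or run in the sandbox.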
Flare VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
REMnux - is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.
Sooner or later you will want to practice your skills on real samples. Once you know the tools, you will have to test them, and it is best to use examples from everyday life. There are two nice repositories of malware on GitHub: the first is Malware Sample Library and the second is Malware Samples. By searching GitHub you will surely find more equally interesting examples that will give you the necessary experience.
More malware samples and virus signatures are also available on websites like:
Das Malwerk - Malware samples.
MalShare - a free malware repository providing researchers access to samples, malicious feeds and YARA results.
PacketTotal Malware Archive - search for URL, IP, file hash.
ViruSign - virus signatures, to make antivirus more efficient, and of course to benefit the users with a better detection rate.
Some examples of malware source code to analyze:
- Parat (Python based RAT) – https://github.com/micle-fm/Parat
- Ammyy Admin v3 source code – https://github.com/Coldzer0/Ammyy-v3
- EvilOSX (Python, post-exploitation macOSX Remote Administration Tool) – https://github.com/Marten4n6/EvilOSX
- Reptile (LKM Linux rootkit) – https://github.com/f0rb1dd3n/Reptile
- iMessagesBackdoor (AppleScript handler that can be set to execute shell commands) – https://github.com/checkyfuntime/iMessagesBackdoor
- Diamorphine (LKM rootkit for Linux Kernels 2.6.x/3.x/4.x) – https://github.com/m0nad/Diamorphine
- Ransomware – https://github.com/mauri870/ransomware
- win.rokkaku (fileless Windows keylogger that exfils over the DNS protocol) – https://github.com/0ren/win.rokkaku
- Jellyfish (GPU rootkit) – https://github.com/x0r1/jellyfish
- Jellucuda (Windows GPU Rat) – https://github.com/x0r1/WIN_JELLY
- Demon (GPU keylogger) – https://github.com/x0r1/Demon
- Cypher – https://github.com/NullArray/Cypher
- vlany (Linux LD_PRELOAD rootkit) – https://github.com/mempodippy/vlany
- cub3 – https://github.com/mempodippy/cub3
- Linux.Mirai Source Code – https://github.com/jgamblin/Mirai-Source-Code
- Win32.Stolich – https://github.com/empinel/Win32.Stolich
- Capcom Rootkit – https://github.com/FuzzySecurity/Capcom-Rootkit
- TinyNuke aka Nukebot aka Nuclear Bot – https://github.com/aainz/TinyNuke
- Alina Spark (PoS Trojan) – https://github.com/fdiskyou/malware/tree/master/Alina
- Bleeding Life 2 (Exploit Pack) – https://github.com/fdiskyou/malware/tree/master/BleedingLife2/Bleeding%20Life%20v2
- Carberp Botnet – https://github.com/fdiskyou/malware/tree/master/Carberp%20Botnet
- Crimepack 3.1.3 (Exploit Pack) – https://github.com/fdiskyou/malware/tree/master/Crimepack3.1.3
- Dendroid (Android Trojan) – https://github.com/fdiskyou/malware/tree/master/Dendroid
- Dexter v2 (PoS Trojan) – https://github.com/fdiskyou/malware/tree/master/Dexter
- Fancy Bear, APT28, Sofacy (Gmail C2C), Python Trojan – https://github.com/fdiskyou/malware/tree/master/FancyBear
- GMBot (Android Trojan) – https://github.com/fdiskyou/malware/tree/master/GMBot
- Gozi-ISFB (Banking Trojan) – https://github.com/fdiskyou/malware/tree/master/Gozi-ISFB
- Grum (Spam Bot) – https://github.com/fdiskyou/malware/tree/master/Grum
- Hidden Tear (Ransomware) – https://github.com/fdiskyou/malware/tree/master/Hidden-tear
- KINS (Banking Trojan) – https://github.com/fdiskyou/malware/tree/master/KINS
- Pony 2.0 (Stealer) – https://github.com/fdiskyou/malware/tree/master/Pony
- PowerLoader (Botnet) – https://github.com/fdiskyou/malware/tree/master/PowerLoader
- RIG Front-end (Exploit Kit) – https://github.com/fdiskyou/malware/tree/master/RIG
- Rovnix (Bootkit) – https://github.com/fdiskyou/malware/tree/master/Rovnix
- Tinba (Tiny ASM Banking Trojan) – https://github.com/fdiskyou/malware/tree/master/Tinba
- ZeroAccess (Toolkit for ZeroAccess/Sirefef v3) – https://github.com/fdiskyou/malware/tree/master/ZeroAccess
- Zeus (Banking Trojan) – https://github.com/fdiskyou/malware/tree/master/Zeus
- Trochilus – https://github.com/5loyd/trochilus
This article is also an occasion to mention a harmless test sample that may interest people who want to test the security and effectiveness of anti-virus programs.
The EICAR test file is a computer file developed by the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs. Instead of real malware, which could cause real damage, this test file lets people test anti-virus software without using a real computer virus.
You can download EICAR and use it for free. On the download page there is also a more detailed description.
If you want more information, more tools and more knowledge, you should definitely visit the GitHub repository called Awesome Malware Analysis.