Malware analysis

Analysis of malware, viruses and other types of harmful programs and scripts is quite complicated and requires a lot of knowledge. To properly understand how a program works, what it connects to, and what damage it can cause, it is useful to know programming and not only in one language but preferably several and good knowledge of construction and operation of a computer network.

Malware

Reverse engineering is often used to analyze such a program. It is the process of testing a product (device, computer program) to determine how exactly it works, as well as how and at what cost it was made. Usually guided to obtain the information necessary to construct a counterpart.

For example, we decompile the program by obtaining partial program code so that we know exactly how it works. We can also analyze the program itself and its processes and network connections using additional tools.

When analyzing a malicious program, we must be extremely careful not to accidentally infect ourselves during the analysis. Everyone who wants to start the adventure with the analysis of this type of programs should build their own virtual environment separated from the network (or operating in a separate adapted network) in an isolated environment built only for the purposes of analysis.

There are programs on the market called sandboxes, they enable the program to run in the sandbox, i.e. an isolated environment, thus allowing for safe analysis by simulating the real environment of the potential victim. Most of these programs are paid and due to costs only available to large corporations.

Nowadays, malicious software has evolved to such an extent that it not only tries to detect and bypass anti-virus software but also checks whether it runs on a virtual machine or in a sandbox. Sometimes it launches its malicious functions with a delay and sometimes it deactivates completely so as not to attract attention by acting like an ordinary harmless application.

Although the analysis requires a lot of knowledge and skills, nothing prevents you from starting your adventure with analysis with simple examples and free tools.

Below I will describe a few tools and pages that will help you take the first steps in this difficult field.

Types of malware analysis

Static - also called static code analysis, is a process of software debugging without executing the code or program. In other words, it examines the malware without examining the code or executing the program. The techniques of static malware analysis can be implemented on various representations of a program. The techniques and tools instantaneously discover whether a file is of malicious intent or not. Then the information on its functionality and other technical indicators help create its simple signatures.

Dynamic - the dynamic analysis runs malware to examine its behavior, learn its functionality and recognize technical indicators. When all these details are obtained, they are used in the detection signatures. The technical indicators exposed may comprise of IP addresses, domain names, file path locations, additional files, registry keys, found on the network or computer.

These definitions are taken from Comodo Blog.

Test environment

The first question is where to start, because it is hard to say how properly configure your own test environment. Therefore, it is worth starting with a ready-made environment with a set of tools so that in the future you can build your own, tailored to your needs. Ready solutions allow you to see how industry professionals do it, what tools they use and how they approach the topic. Just as Kali Linux is a ready environment for pentesters, flare-vm is a ready environment for malware analyzers. Check this official article to get more information about it. Download it, install and play with the tools that you will find there. There are tools like Debuggers, Decompilers, Delphi, Developer Tools, Android Tools, Disassemblers, Flash, Forensic, Hex Editors, Java, Networking, Office, PDF, PE, Pentest, Text Editors, Visual Basic, .net, Python and modules, Web and other useful utilities.

Once you will work with that some time you can then create your own virtual machine and install only tools you like.

Desktop sandboxes

Below are some paid and free sandboxes.

Sandboxie - runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

Firejail - is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

SHADE Sandbox - s an alternative for antivirus and a tool for virtualization. It locally virtualizes applications (i.e. internet browsers) and locks all incoming internet files and possible viruses in its safe virtual environment.

PyREbox - is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.

FAME - is a recursive acronym meaning “FAME Automates Malware Evaluation”. It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.

Online sandboxes

You can find several free, online sandboxes. Remember, however, that if you want to scan and analyze a private file, by uploading it to an online scanner you share it to the owners of the service or even publicly. Hence, you should not upload sensitive data there, especially company data.

CAPE Sandbox - malware configuration and payload extraction.

Hybrid Analysis - free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

AnyRun - Interactive online malware analysis service for dynamic and static research of most types of threats using any environments. Replaces a set of tools for research.

Self hosted sandbox

Personally, I know only one free solution that can be self hosted. This solution is called Cuckoo Sandbox. Cuckoo Sandbox is the leading open source automated malware analysis system and it is available on most popular platforms.

Online antivirus and malware analyzers

Antivirus-like tools are also useful for analyzing files, but they provide more details and scan a given file using various anti-virus engines.

AVCaesar - is a malware analysis engine and repository. Your suspicious files can be analyzed by a set of antivirus.

VirusTotal - analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.

NoDistribute - similar to VirusTotal but do not distribute scan results. For your own privacy and the privacy of your files, you may not want to share the contents of your files with the antivirus companies.

URL analyze

Nowadays not only files can be harmful, but also entire pages or scripts contained in them. Therefore, it is also worth using sandboxes for URLs. Not only VirusTotal mentioned earlier has such a function.

URLhaus - is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.

URLscan - a sandbox for the web.

MetaDefender - trust no file, trust no device. Analyze IP, HASH, CVE, URL.

Malware samples

Sooner or later you would like to practice your skills on real samples. Once you know the tools you will have to test them. It’s best to use examples from everyday life. There are two nice repositories of malware on Github. First one is Malware Sample Library and the second Malware Samples. By searching Github you will surely find more equally interesting examples that will give you the necessary experience.

More malware samples and virus signatures are also available on websites like:

Das Malwerk - Malware samples.

MalShare - a free Malware repository providing researchers access to samples, malicous feeds, and Yara results.

PacketTotal Malware Archive - search for URL, IP, file hash.

ViruSign - virus signatures, to make antivirus more efficient, and of course to benefit the users with a better detection rate.

Eicar test file

This article is also occasion to mentioning about the test, harmless sample that may interest people who want to test the security and effectiveness of anti-virus programs.

EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

You can download Eicar and use it for free. On download page there is also a more detailed description.

Give me more!

If you want more information, more tools and more knowledge you should definitely visit GitHub repository called Awesome Malware Analysis.

Good luck!