“We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption.”

― John Mariotti

Introduction

Malware analysis helps organizations understanding the malware behavior and thus mitigating the potential threat. Once a suspicious file is found, it goes through certain analysis process for a proper investigation. The aim of this investigation is to understand the malware, its potential threat and behavior. There are different types of malware from spywares to trojans. Understanding these types, functions and threats is important, as this is how organizations determine what the malware does, the risk it presents, and how to detect it in other systems.

For analysis there are tools but no tool or technique is going to give all the needed information. Each technique gives info in bits and pieces then we have to consolidate this to get the complete view of the malware. When a security incident happens, a malware analyst has to perform the analysis very quickly without spending much time. So, having a list of steps prepared beforehand is very helpful. We can start by looking what files it creates when it is executed. Or how other settings (Registry etc.) are modified after the execution. This info will be helpful to find malware in other places. Also, it is needed to find out what ports it is using to communicate or protocols/services/data it requires.

Why malware analysis is required?

• First and most important reason to analyze malware is to find out what it can does. When hundreds of new malwares are coming every month, each new malware needed a fresh analysis to understand its potential threat and behavior.
• As technology upgrades, Malware evolves overtime with it. Malwares 15 years ago were much less intelligent than today. Malware researcher studies malwares time to time for academic purpose and how they are evolving by implementing better functionalities.
• Malware analysis also discovers hidden Indicator of compromise (IOC) and once discovered these should be blocked.

Different phases of malware analysis process

Static analysis, where the characteristics of the malware are examined without executing it.

In the process of malware analysis, you first get the malware. The source of getting the malware can be from different places. You can get malware from another team, who has captured it, directly from an infected machine or while capturing the network traffic. When you have got the malware, there are three phases of analysis.

• Static analysis – In the static malware analysis, the file is not executed. However, the finding in this phase is important input to the dynamic analysis. Type of files, hashes and window PE executable header are some of the info acquired in this phase. Whether malware is packed and which packer is used may also be determined.
• Dynamic analysis –  During this, the malware is put in a sandbox and then executed before examining it. Sandbox protects the spread of malware. In this phase we can examine actions taken by the malware after it is executed. The tools used for the analysis are also executed at the same time. Registry entries, new file creation, call an API, call to a url are some of the examples info which are captured in this phase. 
• Hybrid – Many times analysis is not linear and we have to back and forth to static and dynamic ways. Hybrid analysis gives best result as it combines both approaches.

Use of Packers for malware compression

When analyzing a malware, it is important to check for the packers. In simple terms, packers compress files and unpacks when the software is ready to be executed.  During the early days of internet, bandwidth was limited, so the smaller a file was, the faster it could be transferred across the network. Thus, packers were created to reduce file size. However, malwares are using packers as one of the main protection mechanism.

Apart from compression packers can also encrypt the software. This encryption makes the analysis of malware much more difficult. If we are able to discover which packer is used, we can attempt to unpack the malware and view the underlying internals, which may reveal more information.

Sandboxing for malware analysis

A separate system is always needed to do a malware analysis otherwise it is a high risk that malware may spread. Virtual machines are used for this kind of job. There are many virtualization software available like Hyper-V, Oracle VirtualBox or VMware. Using these software we can create many virtual machine environment on a single physical machine.

When running malware even in the VM , the malware should not be communicating to our main network or the internet.  One of the reason for this is that malware may communicate to its author and then they may send a command back to destroy the file. Giving internet access also means that it can spread easily to other systems. For this reason, VMs should be configured in a way that they are in a private network or can communicate only to the host machine.

VM precautions for sandboxing

Some precautions are mandatory even when VM environment is used. For example, use a completely isolated system for this purpose which you can format any time. No matter how much careful you are malware can spread to the main system and it can destroy all the data. Also, create separate network for the malware and do not connect it to your main office or home network.

Anti-analysis capability of malwares

Malwares are becoming more and more intelligent. One proof of it is the anti-analysis capabilities which makes malware analysis much more difficult. Anti-analysis code in the malware detects that they are being analyzed or whether they are in a sandbox. And once they detect that they are being analyzed, they just stop any execution.

Some example of anti-analysis techniques are –

• WMI queries to get the BIOS version and manufacturer – this determines whether the machine is a real machine.
• WMI queries to check the number of CPU cores- Similar to above to check whether it is a real physical machine.
• Reading registry key values and verify substrings in them which are there in a virtual machine.

Evading anti analysis

There are certain configurations we can do in our VM to get around some of these checks. The VM must be given more than 1 CPU, which is quite common in a real machine now. Also RAM more than 512MB is recommended.

Installing some of the common program like MS office, One drive or Adobe acrobat is also useful to make malware believe that it is in a real system. If you install VM tools like virtual box addons then this gives an indication to malware that it is in a virtual environment. So, avoid addons.

Fakenet

Malwares also try to ping network and check if internet is accessible. No presence of internet might be a bad signal. As a precautionary measure if we configure the VM in a private network then internet will not be available.

There are other ways to let malware show that the machine is connected to the internet.  One of the ways is by creating a fake virtual network. It tricks the malware into thinking it’s online by providing DNS services and creating fake hosts for the malware. FakeNet is a tool which can be used for this. When Fakenet is on, it intercepts all network communications and responds to them. Fakenet will provide and IP address to malware if it tries to connect to website. Similarly it can respond to other network queries like HTTPS/SMTP. Fakenet logs all the communications and the packets. These can be then loaded in the Wireshark to analyze the behavior.

Conclusion

Malware analysis is an important process which can help organizations uncover the malware threats. But should be done with proper caution. Use of tools like virtual machines and Fakenet is recommended to create an analysis lab which will help in faster and easier analysis.

Review questions

What is the purpose of sandboxing?

What is the use of packers?

What is the use of Fakenet?

What is the difference between static and dynamic analysis?