Thursday, November 5, 2009

Malware @ work 2

Since last year, I have been doing "research" on malware (in my leisure time) and sharing some of the findings in w01f Labs. Many friends (including myself, initially) thought that malware analysis is just about infecting a virtual system and seeing how it works. They are partially correct, but malware analysis is more than that.

Malware analysis basically consists of two main stages:
  • Behaviour analysis

  • Code/Static analysis (reverse engineering)
For behaviour analysis, one infects an isolated system or virtual machine and runs analysis and monitoring tools to track the registry, system and network changes, for example:
- Registry: changes to the "..\Windows\CurrentVersion\run" key (anything listed there is started at logon).
- System: changes to the file "..\drivers\etc\hosts" (a common way to redirect or block sites such as AV update servers).
- Network: the system connecting out to port 6667 (the standard IRC port, a classic botnet command channel).

After identifying those changes, set up an isolated environment in which you can interact with the malware. Configure a DNS server that resolves every domain the malware looks up to a host you control, and run services such as an IRC or web server on that host if the malware tries to connect to them. This reveals the command-and-control domains and lets you watch what the malware sends once it believes it is online.

You may need to modify the environment and re-infect the system several times as you find out more about the malware.
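As an added example (not code from the original post), here is the DNS part of that isolated environment: a minimal sinkhole that answers every A query with the analyst's own address and logs the queried name. The address 10.0.0.1 and the transaction id used in the constructed test query are assumptions for illustration; on a real analysis network the sinkhole IP is whichever host runs the fake IRC and web services.

```python
# Added example: a minimal DNS sinkhole for an isolated malware analysis network.
# Every A query is answered with SINKHOLE_IP (assumed to be the analyst's box
# running the fake IRC/HTTP services) and the queried name is logged, so the
# malware's C2 domains show up in the log and its traffic lands where we can see it.
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: the analysis host offering IRC/web services


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, question_section) from a raw DNS query."""
    txid = struct.unpack("!H", packet[:2])[0]
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12                                   # questions start after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:                        # root label terminates the name
            break
        if length & 0xC0:                      # compression pointers never appear in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_response(packet: bytes, sinkhole_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Answer an A query with sinkhole_ip; other types get an empty NOERROR reply."""
    txid, _qname, qtype, question = parse_query(packet)
    flags = 0x8180                             # QR=1 (response), RD=1, RA=1, RCODE=0
    if qtype != 1:                             # not an A query: echo the question, no answers
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # answer RR: name = pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlength 4, IPv4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed query packet (what a resolver would send), used for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sinkhole: log each lookup and answer it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except (ValueError, IndexError):
            continue                            # malformed packet, ignore
        print(f"{addr[0]} asked type {qtype} for {qname}")   # the C2 domain, for the notes
        sock.sendto(build_response(data), addr)


if __name__ == "__main__":
    serve()
```

Run it as root on the analysis host and point the infected VM's DNS setting at that host; the printed names are the domains the sample tries to reach, and because they all resolve to the sinkhole, the IRC or web connection that follows arrives at the fake service you set up. Only A records are faked here; a sample that insists on other record types would need the response extended.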

Code analysis. Some activities or behaviours may not have been triggered or identified during behaviour analysis. Code analysis is needed to confirm the behaviours already discovered and to find those that were not.

A debugger and a disassembler are the usual tools for code analysis. Breakpoints are set in the debugger to examine and follow the flow of the program. Patching may be required to bypass or control certain functions of the malware, typically by rewriting the conditional jump that guards a check so the unwanted path is never taken.
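As an added example (not from the original post), the patch below is the kind of edit one applies in the debugger or a hex editor once the disassembler has located the guarding branch: a conditional jump is rewritten either to NOPs (never taken) or to an unconditional JMP (always taken). The code bytes are constructed for illustration; the offset of the branch in a real sample comes from the disassembler.

```python
# Added example: patching an x86 conditional branch in a raw code buffer so that a
# check (debugger present, running in a VM, ...) no longer decides the program flow.
# The sample byte strings are constructed; they are not from any real malware.

# Jcc rel8 opcodes (2-byte short conditional jumps)
SHORT_JCC = {0x74: "jz", 0x75: "jnz", 0x72: "jb", 0x73: "jae", 0x7C: "jl", 0x7D: "jge"}
# second byte of the 0F 8x rel32 form (6-byte near conditional jumps)
NEAR_JCC = {0x84: "jz", 0x85: "jnz", 0x82: "jb", 0x83: "jae", 0x8C: "jl", 0x8D: "jge"}


def branch_at(code: bytes, offset: int):
    """Return (mnemonic, length) of the conditional jump at offset, or None."""
    op = code[offset]
    if op in SHORT_JCC:
        return SHORT_JCC[op], 2
    if op == 0x0F and offset + 1 < len(code) and code[offset + 1] in NEAR_JCC:
        return NEAR_JCC[code[offset + 1]], 6
    return None


def patch_branch(code: bytes, offset: int, mode: str) -> bytes:
    """Return a copy of code with the Jcc at offset patched.

    mode="never":  branch is never taken (replaced by NOPs, execution falls through)
    mode="always": branch is always taken (replaced by an unconditional JMP)
    """
    if mode not in ("never", "always"):
        raise ValueError(f"unknown mode {mode!r}")
    found = branch_at(code, offset)
    if found is None:
        raise ValueError(f"no conditional jump at offset {offset:#x}: {code[offset]:#04x}")
    _, length = found
    buf = bytearray(code)
    if mode == "never":
        buf[offset:offset + length] = b"\x90" * length       # NOP sled of the same size
    elif length == 2:
        buf[offset] = 0xEB                                    # JMP rel8 keeps the same rel8
    else:
        # JMP rel32 (E9) is 5 bytes, the Jcc was 6: lead with one NOP so the jump
        # still ends at the same address and the existing rel32 stays correct.
        buf[offset:offset + 2] = b"\x90\xE9"
    return bytes(buf)


# constructed snippet:  cmp eax,0 ; jz +5 ; mov eax,1 ; ret   (jz at offset 3)
SAMPLE_SHORT = bytes.fromhex("83f800" "7405" "b801000000" "c3")
# same logic using the near form: cmp eax,0 ; jz near +5 ; mov eax,1 ; ret
SAMPLE_NEAR = bytes.fromhex("83f800" "0f8405000000" "b801000000" "c3")

if __name__ == "__main__":
    for name, sample in (("short", SAMPLE_SHORT), ("near", SAMPLE_NEAR)):
        print(name, "original:", sample.hex())
        print(name, "never:   ", patch_branch(sample, 3, "never").hex())
        print(name, "always:  ", patch_branch(sample, 3, "always").hex())
```

Patching the bytes in the debugger's memory view affects only the running instance; writing them back to the file gives a permanently patched copy, which is convenient for repeated runs but will be noticed by a sample that checks its own integrity.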

Advanced code analysis techniques are needed for malware that uses anti-analysis techniques. Refer to "Counter malware analysis" for more details on these techniques.

Fully understanding a piece of malware is very time consuming. Recently a researcher from McAfee told me that the degree of analysis is normally based on the deadline given and the type of request from the customer. Normally, they are given less than a week to analyse a piece of malware. If the customer's request was just to provide a detection signature, an in-depth analysis will not be done.
