Malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of Malware. Nowadays, however, the threat has grown to include a vast range of highly sophisticated applications: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and many more. Malicious agents now use many technologically advanced mechanisms and techniques of infection.

Most of this Malware is detected by antivirus software, spyware removal applications and other similar tools. However, this protection is not always enough, and there are times when a small, benign-looking binary sneaks through all these levels of protection and compromises the system and the user's data.

The purpose of MalwareInfo.Org is to help users analyze and determine whether an executable \ process \ binary running on their system is harmful Malware. Here we will learn to analyze it in a controlled environment without the use of antivirus software, debuggers, code disassembly or any other sophisticated tools or applications. We will, however, take the help of certain freely available tools and utilities to fulfill our requirements.

Traditionally, Malware analysis has been considered very complicated, and in fact some of the techniques or methodologies involved are very complicated and well beyond a normal user's access or understanding. In today's scenario, however, there is a clear need for people to learn how to analyze Malware themselves. The most important factor is that the analysis techniques should be simplified enough that even the average computer user can understand them. Unfortunately, the information available on Malware analysis techniques is either too complicated for the people interested in learning Malware Analysis, or it is scattered and beyond their reach.

Here at MalwareInfo.Org we try to fill this gap: to make Malware Analysis easy and simple enough for the people interested in learning it, and to let them try some of the steps hands on.


Background of Malware Analysis

A relatively large percentage of the software that a normal Internet user encounters in his or her online activities is, or can be, malicious in some form or other. Antivirus software, spyware removal applications and similar tools detect most of it, but this protection is not always enough, and a small, benign-looking binary can still sneak through all these levels of protection and compromise the system and the user’s data. The reasons for such a breach can be:

# Users not updating their Antivirus signatures regularly

# Users not keeping their systems well patched

# Failure of Antivirus Software’s heuristics engine

# New or low-profile Malware that has not yet been discovered by Antivirus vendors

# Custom coded Malware which cannot be detected by Antivirus

# Firewall not installed or not properly configured

Techniques for Malware Analysis

There are basically two techniques that are used for analyzing a Malware:

# Code analysis

# Behavior analysis

In most cases, a combination of both these techniques is used. However, we will consider Behavior Analysis first.

The best thing about behavior analysis is that it is within the scope of an average Administrator or even a normal user. Although behavior analysis does not recover the binary's code the way code analysis does, it is sufficient for most users' needs: it is not enough for an antivirus research analyst, but for most other users or Administrators it can fulfill all their requirements. Here we will deal mainly with the behavioral analysis of Malware and the ways and tools with which we can do that.

Tools used in Malware Analysis

We take the help of certain freely available tools and utilities for our analysis requirements.
The tools or applications we normally use for our analysis part are:

# Microsoft Virtual PC 2007: Virtual PC 2007 is a powerful software virtualization solution that allows you to run multiple PC-based operating systems simultaneously on one workstation. We will be using it to create the “Sandbox” or the “Victim Computer”.

# SysInternals Process Explorer: To find out what files, registry keys and other objects the running processes have opened, which DLLs they have loaded, and more.

# SysInternals AutoRuns: To see what programs are configured to start automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

# SysInternals FileMon: This monitoring tool lets you see all file system activity in real time.

# SysInternals RegMon: This monitoring tool lets you see all Registry activity in real time.

# SysInternals Process Monitor: This is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

# 7th Sphere Port Scan: This is probably the best Windows port scanner I've used. It’s fast and accurate. Fport is also a good choice, as it maps the owning process to each open port.

# FileAlyzer: This is a file analysis tool that can be used as a standalone utility or with SpyBot S&D.

# Trend Micro HijackThis v2.0.0: This program scans the system and generates a log file containing the registry, file and BHO settings that are commonly manipulated by Malware.

# ESUG Loadpoint Diagnostic: This is a tool that I received from the Symantec Support guys, and I don’t think it can be downloaded; however, I will try to upload it so that people can benefit from it. This command line tool scans the system and generates a zip file that contains a detailed HTML summary of the entire system.

# Network Active PIAFCTM: This is a packet sniffer. You can use any other good packet sniffer if you wish.

# InstallWatch: A utility that tracks changes made to your system during the installation or removal of software or hardware. It tracks deletions or modifications to files and directories, INI files, and the Registry.

# Resource Hacker: A freeware utility to view, modify, add, delete and extract resources from 32-bit Windows executables.

There are many more tools that we use for specific purposes, such as GMER for analyzing rootkits, PE file editors, hex editors, BinText, OllyDbg, IDA Pro and so on. The search for good tools is a never-ending process, and we always have to keep ourselves updated about the latest tools available on the Internet.

Methodology of Malware Analysis

There are certain methodologies for carrying out Malware Analysis, and we will broadly divide the activity into six stages. These stages have been taken from the article "Malware Analysis for Administrators" by S.G. Masood of F-Secure (http://www.securityfocus.com/infocus/1780). The basic methodology proposed by him in that document has been kept the same, but I have tried to explain it in much more detail.

The steps for carrying out Malware Analysis are:

# Creating a controlled environment

# Baseline the environment

# Information collection

# Information analysis

# Reconstructing the bigger picture

# Documenting the results
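As an added illustration of the "Information collection" and "Information analysis" stages (example code written for this page, not part of the original article or of any tool listed above), the Python script below reads a Process Monitor CSV export, groups the successful file writes, registry writes and network connections by process, and flags any process that both drops a file and either registers itself in an autostart location (the places AutoRuns and HijackThis inspect) or contacts the network. The log lines are constructed sample data: the process name, paths and the 198.51.100.7 address are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (made-up process, paths and
# address); the column headers are the ones Procmon writes.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","update.exe","1234","CreateFile","C:\\Windows\\System32\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.150","update.exe","1234","WriteFile","C:\\Windows\\System32\\svchost32.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.200","update.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Windows\\System32\\svchost32.exe"
"10:01:02.250","update.exe","1234","TCP Connect","victim-pc:1042 -> 198.51.100.7:6667","SUCCESS","Length: 0"
"10:01:03.000","explorer.exe","900","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer","SUCCESS","Type: REG_SZ"
"10:01:03.100","notepad.exe","2000","ReadFile","C:\\Users\\analyst\\notes.txt","SUCCESS","Offset: 0, Length: 64"
"""

# Well-known autostart locations, the kind AutoRuns and HijackThis enumerate.
AUTOSTART_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
                  r"\Microsoft\Windows NT\CurrentVersion\Winlogon",
                  r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects")
FILE_WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NET_OPS = {"TCP Connect", "UDP Send"}

def is_autostart(path):
    return any(key.upper() in path.upper() for key in AUTOSTART_KEYS)

def analyze_procmon_csv(text):
    """Group successful write/network operations by process ("name:pid")."""
    summary = defaultdict(lambda: {"file_writes": set(), "reg_writes": set(),
                                   "autostart": set(), "network": set()})
    for row in csv.DictReader(io.StringIO(text)):
        if row["Result"] != "SUCCESS":
            continue  # only record operations that actually took effect
        proc, op, path = f'{row["Process Name"]}:{row["PID"]}', row["Operation"], row["Path"]
        if op in FILE_WRITE_OPS or (op == "CreateFile" and "Generic Write" in row["Detail"]):
            summary[proc]["file_writes"].add(path)
        elif op in REG_WRITE_OPS:
            summary[proc]["reg_writes"].add(path)
            if is_autostart(path):
                summary[proc]["autostart"].add(path)
        elif op in NET_OPS:
            summary[proc]["network"].add(path.split(" -> ")[-1])  # remote endpoint
    return dict(summary)

def suspicious_processes(summary):
    """Processes that write a file and also persist via autostart or talk to the network."""
    return sorted(p for p, s in summary.items()
                  if s["file_writes"] and (s["autostart"] or s["network"]))
```

Processes that only read files or query the Registry (explorer.exe and notepad.exe in the sample) never appear in the summary, which keeps the output focused on the changes that matter for the "Reconstructing the bigger picture" stage.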


To read further about the detailed steps for carrying out Malware Analysis, please download the 'Malware Analysis : How To...' article.