If you are an enterprise, you must perform malware analysis

By | September 06, 2012

Posted in: Network Security Trends

Malware analysis is essential for contemporary crime ware analysis in the enterprise. There are too many variants, using too many tricks to obfuscate their real intent out there. There were eight million new variants in the first quarter alone, according to McAfee. Antimalware and IPS can do just so much. It’s up to the organizations to do the rest.

The immediate goal is to contain the intrusion – find out what the intruder is attempting to do and stopping it before it does more damage, or if you are fortunate stopping it before it does anything truly nasty. It is essential incident response.

It’s not essential for you to reverse engineer everything and write a signature against it. Even with the right resources or deep pockets to farm it out, that is expensive and time consuming. Actionable intelligence means finding the infection and ones like it easily.

This requires a virtualized lab environment to run the malware and study its behavior, as well as capturing network traffic to analyze behavior. Be aware, however, that malware writers are often hip to your tricks and will shut down in virtual environments.

Among the tools to help are file system and registry monitoring to show you how processes read, write and delete files and how malware embeds itself in the system; process monitoring of malicious process attempts and network monitoring for malicious communication attempts (DNS traffic, botnets).

RegShot is a useful tool for comparing the state of the system before and after infection, to see what files have done and which don’t belong.

Look for filepath on the system, what is it dropping and where and registry keys, often changed so that malware can survive reboot. It’s generally a good idea to look for these bogus keys.

Finally, it’s very useful to detect the command and control path of the malware to see how and where it is receiving instructions. You can block DNS access to the offending servers or IRC, if that’s the channel being used, to just that server. Or if it uses an otherwise unused port, you can block it as well.

Sometimes, however, this isn’t enough. This is when you have to get into some serious reverse engineering, that is, you have to get into the guts of the malware by unpacking the binary. His is tricky because malicious code writers often use packers to hide the code. Legitimate uses for packers are for anti-piracy and compress file size. But it ‘s a terrific weapon for the bad guys.

Analysts will run the code and capture it in memory, running it in a free utility such as the popular OllyDbg debugger and grabbing in memory using the OllyDump plug-in. Now the fun starts. Step through the code line by line in a disassmbler program, such as OllyDbg or IDA Pro, which translates it from machine to assembly language.

This requires some education. You need to understand assembly language and know what to look for: registry language and memory management. There  are automated products available on the market that take a lot of the tough work out of this by unpacking and analyzing malware samples,

It’s not an option, especially in the era of advance persistent threats, to have at least the basics of malware analysis. Be ready to hit back, or you lose.

You May Also Be Interested In: