Understanding Malware Analysis

  • January 18, 2018

The malware industry has come a long way and currently, it’s a very lucrative business. This is one of many reasons that makes studying malware so fascinating. It’s an interesting mix of technology, psychology, and commerce. Psychology is what makes malware effective, and commerce is what ensures more hackers continue to develop new and interesting malware. 

Information security has long been considered an arms race. According to G DATA Software, a new malware specimen emerges every 4.2 seconds. The good guys develop responses to things the bad guys do, causing the bad guys to develop new ‘weapons’ that get around the defenses the good guys put into place. Perhaps nowhere is this more evident than in malware. In 1987, the first antivirus software was released for the Atari ST. Coincidentally, also in 1987, Fred Cohen of IBM said, “There is no algorithm that can perfectly detect all possible computer viruses.” In spite of having detection and removal capabilities for 30 years, we are more plagued with virulent and destructive software than ever before.  

All this is to say that a need exists to better understand malware by performing malware analysis. This work is primarily relegated to the antivirus vendors. However, the details of how the malware behaves are often hidden, primarily because exposing the details in the code can provide others hints on how they could start and improve that code for future malware. This is, of course, happening already in the malware development community.  

To understand how to assess malware, you need to look at a few important elements. First, you inspect the infection vector – which is understanding how the malware infected your system in the first place. While there are many pathways, including compromising a system, the popular ones today are often based in social engineering, which relies on psychology and manipulation of the user. For example, using e-mail to either deliver the malware directly or to get a user to visit a website that includes the malware used to infect your system. This type of attack is called a drive-by attack. The idea is that you are “driving by” the website and get attacked in the process. 

Another, related, attack is the watering hole attack. In a watering hole attack, the malware is still hosted on a web server the user is expected to visit. The difference is that with a watering hole attack, the attack is more targeted. The attacker infects a website that the targets are known to use in order to infect the targets. The attacker may be aware of the demographics of a site like ESPN, for example, and infect that site to infect people who are regular visitors there.  

Knowing the infection vector and tracking the malware back to the point in time when it entered your system is important. The reason for that is in some cases, the initial infection may be small, but the malware may download a lot of other software, including other malicious software. A small infection program that installs more software is often called a dropper. Identifying the time when the malware entered a system can provide a reference point to look for other software that was installed about that time. This way, you aren’t just finding the initial attack and leaving all the other landmines behind. 

Understanding how malware works and gets onto your system is an important and complex task. It requires understanding operating system internals as well as a reasonably deep understanding of how programs are constructed. Considering what can be at stake with your system and the files that are stored on it, people who perform malware analysis with the goal of finding ways to prevent or remove the malware are performing a critical function in our interconnected world. 

Join Ric Messier for a LIVE webinar Saturday, January 20th at 12 pm ET.