Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/15/2008
03:45 AM
50%
50%

Tech Insight: Analyze This Malware

When you want to know what it is and where it came from, you've got a range of choices

No matter how you measure it, malware is proliferating at unprecedented levels.

Last month, PandaLabs and AV-Test each joined the lists of vendors and researchers reporting massive malware growth in 2007. PandaLabs says it now receives an average of over 3,000 new strains of malware every day. AV-Test saw an increase from 973,000 unique malware samples in 2006 to almost 5.5 million in 2007. (See Malware Quietly Reaching 'Epidemic' Levels.)

If generic malware weren’t enough of a concern, determined attackers will create -- or pay someone to create -- custom malware written specifically to target financial institutions, government agencies, and other enterprises rich with sensitive information. The sensitive nature of these targets may prevent them from using online antivirus scanners like VirusTotal and malware sandboxes like Anubis and CWSandbox.

And to make matters worse, there are easy-to-use remote-access Trojan creation tools like Shark that can "hide" from virtual machines and sandboxes, making analysis next to impossible.

How can your organization analyze new malware or unknown binaries? The easiest option is to outsource the analysis to a company like Mandiant or HBGary. But such services can be expensive, and the turnaround time may not be quick enough to assist with internal investigations.

Another approach is to do the analysis in-house, using static or dynamic analysis. Static analysis involves using tools to analyze the actual file without ever executing it. Dynamic analysis, often called behavioral analysis, involves running the malware and observing its behavior.

During static analysis, simple utilities such as “strings” on Unix-based systems or BinText from Foundstone for Windows, can be used to view text within the file to help determine its intent. Detailed analysis of malware can reveal URLs, IP addresses, and locations within the Microsoft Registry, which may help you get a clue as to the file’s purpose.

Unfortunately, the majority of today’s malware is run through packers (compression) and crypters (encryption). You may end up with virtually no extractable text to analyze, leaving you with no clues except perhaps which packer and crypter were used.

Dynamic analysis requires at least one computer (either physical or virtual) that can run the malware, allowing it to be observed both at the system level and the network layer. System utilities such as Sysinternal’s Process Monitor and TCPView can be used to monitor file activity, registry changes, network port usage, and changes in running processes.

To obtain the same level of information, static analysis requires the use of advanced tools like IDA Pro or HBGary Inspector to examine and disassemble the file, tracing the flow of the executable to determine what it does. While extremely powerful, static analysis can be very time consuming and requires specialized knowledge of reverse engineering that most IT shops don't have.

Static analysis techniques don’t suffer from virtual environment (sandbox) checks within the malware, but dynamic analysis efforts may be affected to the point that the malware will change its behavior to appear benign or simply not run. Realizing this problem, Joe Stewart, senior security researcher for SecureWorks, came up with the idea of a sandnet and created The Reusable Unknown Malware Analysis Network (TRUMAN) for analyzing malware in a closed environment using physical machines.

In TRUMAN, one host is used as the controller that records and responds to all network traffic, essentially emulating the Internet and any services the malware expects to see. For more information about sandnets, check out the video of Stewart's presentation at Shmoocon 2006 as well as KoreLogic's Tyler Hudack's "Burying Your Head in the Sandnet" session at the recent Computer Forensics Show in Washington, D.C.

Both static and dynamic analysis can be very effective at determining the features and intent of malware. Which one you use will depend on how you view each technique's pros and cons, as well as the situation in which the malware was discovered. When time is of the essence, use dynamic analysis as part of the triage process to determine what needs to be done first. Then proceed with static analysis to be sure that nothing was missed.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Mandiant
  • Microsoft Corp. (Nasdaq: MSFT)
  • Panda Security
  • SecureWorks Inc.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 10/23/2020
    Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
    Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
    David Pearson, Principal Threat Researcher,  10/21/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-27187
    PUBLISHED: 2020-10-26
    An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
    CVE-2020-7752
    PUBLISHED: 2020-10-26
    This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
    CVE-2020-7127
    PUBLISHED: 2020-10-26
    A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
    CVE-2020-7196
    PUBLISHED: 2020-10-26
    The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
    CVE-2020-7197
    PUBLISHED: 2020-10-26
    SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...