Forensic Malware Analysis is an important part of preventing and detecting future cyber-attacks. Using malware analysis tools, cyber security experts can analyze the attack lifecycle and glean important forensic details to enhance their threat intelligence. Malware stands for malicious software: software designed to damage or infiltrate a computer system without the owner’s informed consent. Viruses, worms, Trojans, keyloggers and spyware are examples of malware. In other words, software that “deliberately fulfils the harmful intent of an attacker” is commonly referred to as malicious software or malware. Terms such as “worm”, “virus” or “Trojan horse” are used to classify malware samples that exhibit similar malicious behaviour.

Forensic Malware Analysis

Forensic Malware Analysis is the process of determining the purpose and functionality of a given malware sample such as a virus, worm, or Trojan horse. This process is a necessary step towards developing effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that security vendors need to analyze on a daily basis is constantly increasing. The process of analyzing a given program during execution is called dynamic analysis, while static analysis refers to all techniques that analyze a program by inspecting it rather than executing it.

  • Malware Static Analysis
  • Malware Dynamic Analysis
  • Malware Memory Analysis

Malware Static Analysis

Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA. The machine code can sometimes be translated into assembly code that can be read and understood by humans: the malware analyst can then make sense of the assembly instructions and form a picture of what the program is supposed to do. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that confuse disassemblers but do not prevent the program from running.

Malware Dynamic Analysis

Dynamic or Behavioral Analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete. The malware may also be debugged while running, using a debugger such as GDB or WinDbg, to watch step by step how it behaves and what effects it has on the host system as its instructions are processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis, including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.

Malware Memory Analysis

Forensic Malware Analysis is extremely important in incident response, malware analysis and reverse engineering, where the memory of the infected system is examined to extract artifacts relevant to the malicious program. Memory analysis has gained popularity in the context of reverse-engineering malware. It can help identify malicious code and explain how the specimen was used on the suspect system.

When performing memory analysis on a suspect system, I try to answer some simple questions in an attempt to identify malicious code:

  • What processes were running on the suspect system at the time the memory image was taken?
  • What artifacts of previous processes existed?
  • Are there any active or previous network connections?
  • What is the purpose and intent of the suspected file?
  • Are there any suspicious DLL modules?
  • Are there any suspicious URLs or IP addresses associated with a process?
  • Are there any suspicious files associated with a process?
  • Are there any suspicious strings associated with a particular process?
  • Are there any suspicious files present? Can you extract them?
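To make the question list above concrete, here is an added example (not code from the original article or from any memory-forensics tool) that triages constructed process, network-connection and string listings of the kind such a tool produces. The sample artefacts, the EXPECTED_DIR map and all helper names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed sample artefacts in the shape a memory-forensics tool's process,
# connection and string listings take; none of this is real tool output.
Process = namedtuple("Process", "pid ppid name path")
Conn = namedtuple("Conn", "pid proto remote state")
PROCESSES = [
    Process(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Process(2210, 1800, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # wrong directory
    Process(2480, 1800, "explorer.exe", r"C:\Windows\explorer.exe"),
]
CONNECTIONS = [
    Conn(700, "TCP", "10.0.0.5:445", "ESTABLISHED"),
    Conn(2210, "TCP", "203.0.113.77:8080", "ESTABLISHED"),  # documentation range standing in for an external host
]
STRINGS = {  # strings recovered from each process's memory (constructed)
    2210: ["http://203.0.113.77:8080/update", "GetAsyncKeyState"],
    2480: ["Shell_TrayWnd", r"C:\Windows\explorer.exe"],
}
# Assumed usual locations of well-known Windows binaries (hypothetical, not exhaustive).
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
URL_OR_IP = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unexpected_path(proc):
    """Is a known system binary running from somewhere other than its usual directory?"""
    expected = EXPECTED_DIR.get(proc.name.lower())
    if expected is None or not proc.path:
        return False
    return proc.path.lower().rsplit("\\", 1)[0] != expected

def is_external(remote):
    """True when the remote endpoint lies outside loopback and RFC 1918 space."""
    ip = ipaddress.ip_address(remote.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)

def triage(processes, connections, strings):
    """Map pid -> list of findings, one pass per question from the list above."""
    findings = {}
    for p in processes:
        if unexpected_path(p):
            findings.setdefault(p.pid, []).append(f"{p.name} running from {p.path}")
    for c in connections:
        if is_external(c.remote):
            findings.setdefault(c.pid, []).append(f"{c.proto} {c.state} to {c.remote}")
    for pid, strs in strings.items():
        for s in (x for x in strs if URL_OR_IP.search(x)):
            findings.setdefault(pid, []).append(f"string: {s}")
    return findings
```

Calling `triage(PROCESSES, CONNECTIONS, STRINGS)` flags only pid 2210, with one finding for each of the three questions checked; the well-known process names and the internal-network list are deliberately explicit so the checks stay reproducible rather than depending on a library's notion of "private" addresses.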

Benefits of Malware Analysis

Gain insight into cyber-attacks to lower business risk

  • Inform future prevention strategies by providing deeper insight into attacker tools and tactics
  • Stop the spread of attacks using auto-generated local attack profiles, instantly shared across the FireEye ecosystem

Automated analysis to improve efficiency

  • Load suspicious files or file sets through a simple interface
  • Identify signature-less (never-seen-before) malware
  • Integrate with antivirus products for deeper inspection of known malware

Single-test environment for Windows and MacOS

  • Host both Microsoft Windows and Mac OS X virtual machines in a customized hardened hypervisor
  • Eliminate the cost and overhead of creating and maintaining multiple test configurations
  • Automate setup, baselining and restoration of virtual machines to match actual OS usage