0-Introduction.md

File metadata and controls

35 lines (24 loc) · 3.45 KB

About Malware

Malware (malicious software) is a type of program that contains malicious or harmful code embedded in apparently harmless programming or data in such a way that it can take control of a system or its operations and cause damage, such as ruining the file allocation table on a hard drive.

Malware poses a major threat to information security. Malware writers keep exploring new attack vectors to exploit vulnerabilities in information systems, which leads to ever more sophisticated malware attacks, including drive-by malware, 'maladvertising' (or 'malvertising'), Advanced Persistent Threats (APT), and so on. Though organizations try hard to defend themselves using comprehensive security policies and advanced anti-malware controls, the current trend indicates that malware is targeting 'lower-hanging fruit': undersecured smartphones, mobile applications, social media, and cloud services. The problem is further complicated by the threat predictions. As McAfee stated in its McAfee Labs Threats Report published in December 2017, 'The biggest number of the quarter is our count of new malware, which reached an all-time high of 57.6 million new samples, an increase of 10% from Q2. The total count in the McAfee Labs sample databases is now more than 780 million. New ransomware rose by 36% this quarter, largely from widespread Android screen-locking malware. The easy availability of exploit kits and dark web sources fuel the rapid creation of new malware'.

Malware Analysis

Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends across large collections of malware samples without actually executing them. Most malware samples are Windows binary executables. There are a variety of goals in performing malware analysis.

FLARE VM

Why Malware Analysis?

Malware analysis can be conducted with various objectives in mind:

  • To understand the capabilities of the malware.
  • To determine how the malware functions and assess the damage caused by the intrusion.
  • To identify indicators that help us find other machines infected by the same malware and the extent of the infection in the network.
  • To identify whether the malware exploits any vulnerability and how it persists on the system.
  • To determine the nature and purpose of the malware.
  • To understand who is targeting us and how capable they are.
  • To understand what information they stole.

Types of Malware Analysis

  • Static analysis: the process of analyzing malware without executing or running it. The objective is to extract as much metadata from the malware as possible (strings, PE headers).
  • Dynamic analysis: the process of executing malware and analyzing its functionality and behaviour. The objective is to understand exactly how and what the malware does during execution. This is done in a debugger.
  • Code analysis: the process of analyzing/reverse engineering assembly code. This can be done both statically and dynamically (static and dynamic code analysis).
  • Behavioural analysis: the process of analyzing and monitoring the malware after execution. It involves monitoring processes, registry entries and network activity to determine the workings of the malware.
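As an added example (not code from this repository), the static-analysis step described above, extracting PE header metadata and embedded strings without executing the sample, done by hand in Python. The sample bytes are a constructed PE-shaped blob, not a real program; the machine and characteristics constants are the documented PE/COFF values.

```python
import re
import struct
from datetime import datetime, timezone

# Documented PE/COFF constants (IMAGE_FILE_MACHINE_* and IMAGE_FILE_*).
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


def build_sample() -> bytes:
    """Constructed, non-runnable PE-shaped blob used as the sample input."""
    e_lfanew = 0x40  # offset of the 'PE\0\0' signature, stored at DOS header offset 0x3C
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 2, 0x5A0B2C80, 0, 0, 0xE0, 0x0102)
    # Constructed strings of the kind a real binary carries (imports, a C2 URL).
    embedded = b"\x00kernel32.dll\x00CreateRemoteThread\x00http://example.invalid/c2\x00"
    return dos_header + b"PE\x00\x00" + coff_header + embedded


def parse_coff_header(data: bytes) -> dict:
    """Read the COFF file header the way a static triage tool does (no execution)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": ts,  # compile timestamp; easily forged, so treat as a hint only
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d"),
        "optional_header_size": opt_size,
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
    }


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Printable ASCII runs, the same thing the `strings` tool reports."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_urls(strings: list[str]) -> list[str]:
    """Network indicators useful for finding other hosts infected by the same sample."""
    return [s for s in strings if re.match(r"https?://", s)]
```

Running `parse_coff_header(build_sample())` and `find_urls(extract_strings(build_sample()))` yields the header metadata and the URL indicator the static-analysis bullet refers to.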