Malware Analysis: A Beginner’s Guide

TL;DR

Want to understand how bad software works? This guide gets you started with malware analysis, covering setting up a safe environment, static and dynamic analysis techniques, and essential tools. It’s aimed at beginners but will also help those looking for a refresher.

1. Setting Up Your Lab

Malware is dangerous! Never analyse it on your main computer. You need an isolated lab environment.

  • Virtual Machine (VM): Use software like VirtualBox or VMware Workstation Player. These let you run operating systems within your existing one, keeping the malware contained.
  • Operating System: Windows is common for analysing PC malware. Consider a clean install of an older version to avoid compatibility issues with modern security features. Linux (e.g., Kali Linux) is useful too.
  • Networking: Do not connect your VM directly to the internet! Use a bridged network adapter only if absolutely necessary, and be extremely careful. A host-only adapter is safer for initial analysis.
  • Snapshots: Take snapshots of your VM before running any malware. This allows you to quickly revert to a clean state if things go wrong.

2. Static Analysis

Static analysis means examining the malware code without actually running it.

  • Hashing: Calculate the hash (MD5, SHA-1, SHA-256) of the file. This creates a unique fingerprint to identify the sample and check if it’s been seen before. You can use tools like md5sum or online hashing services.
    md5sum malware_sample.exe
  • Strings: Extract printable strings from the file. This reveals potentially interesting information like URLs, filenames, error messages, and API calls. Use a tool like Strings (available on most Linux distributions) or PEStudio.
  • PE Header Analysis: Examine the Portable Executable (PE) header for details about the file’s structure, imports, exports, sections, and compilation timestamp. Tools like PEView or CFF Explorer are helpful.
  • Disassembly: Convert the machine code into assembly language. This is more advanced but allows you to understand the malware’s logic. Use a disassembler like IDA Pro (commercial) or Ghidra (free and open-source).
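The three cheapest static steps above (hashing, string extraction and PE header inspection) can be done in a few dozen lines of Python, which is useful when you want to triage a folder of samples without opening each one in a GUI tool. The script below is an added example written for this guide, not code from the original post or from any of the tools it names. It operates on raw bytes only and never executes anything; `SAMPLE` is a constructed, non-runnable PE-shaped byte string built inside the script so that the example works offline, and `triage_file()` runs the same checks on a real file path. Field offsets follow the documented PE layout (`e_lfanew` at 0x3C, the 20-byte COFF header, 40-byte section headers); the section-flag heuristic (writable and executable sections as a packer indicator) is one common triage rule, not an exhaustive check.

```python
"""Static triage of a Windows executable: hashes, strings and PE header fields.

Added example for this guide (not the author's code). Everything operates on
raw bytes, so it runs offline against SAMPLE, a constructed and harmless
PE-shaped byte string built below, or against a real file via triage_file().
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_* section flags


def file_hashes(data: bytes) -> dict:
    """Fingerprints of the sample; SHA-256 is the one to record and share."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII strings, then UTF-16LE ("wide") strings, like `strings` with -el."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]    # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(n_sections):                       # 40-byte section headers follow the optional header
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "virtual_size": virt_size, "raw_size": raw_size,
                         "writable_and_executable": bool(flags & SCN_MEM_WRITE and flags & SCN_MEM_EXECUTE)})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sections": sections,
    }


def triage(data: bytes) -> dict:
    """Hashes, strings and header facts in one report; W+X sections are flagged for a closer look."""
    pe = parse_pe_header(data)
    return {
        "hashes": file_hashes(data),
        "strings": extract_strings(data),
        "pe": pe,
        "wx_sections": [s["name"] for s in pe["sections"] if s["writable_and_executable"]],
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def _section_header(name: bytes, flags: int) -> bytes:
    return (name.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200)
            + b"\0" * 12 + struct.pack("<I", flags))


def build_sample() -> bytes:
    """Constructed, non-executable PE-shaped bytes: two sections and a few planted strings."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 0xE0, 0x0102)  # x86, 2 sections
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")                    # PE32 magic, rest zero
    body = (b"\0" * 16 + b"http://update.example.invalid/check\0"
            + b"CreateRemoteThread\0VirtualAllocEx\0\0"
            + "C:\\Users\\Public\\dropper.exe".encode("utf-16le") + b"\0\0\x01\x02\x03")
    return (dos + b"PE\0\0" + coff + optional
            + _section_header(b".text", 0x60000020)    # code: read + execute
            + _section_header(b".data", 0xE0000040)    # read + write + execute: suspicious
            + body)


SAMPLE = build_sample()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it on the built-in sample to see the shape of the report, then point `triage_file()` at a sample inside the isolated VM. The wide-string pass matters on Windows malware because paths, registry keys and URLs are frequently stored as UTF-16 and are invisible to a plain ASCII `strings` run.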

3. Dynamic Analysis

Dynamic analysis involves running the malware in a controlled environment and observing its behaviour.

  • Process Monitor: Use Process Monitor to track file system activity, registry changes, process creation, and network connections made by the malware.
  • Resource Monitor: Observe CPU usage, memory allocation, disk I/O, and network activity in real-time.
  • Network Analysis (Wireshark): Capture and analyse network traffic to identify communication patterns, command-and-control servers, and data exfiltration attempts.
  • Regshot: Take a snapshot of the registry before and after running the malware to identify changes made by it.
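A Process Monitor capture of even a short run easily contains tens of thousands of events, so the practical skill is reducing it to the handful of behaviours that matter: files written, autostart registry keys set, child processes spawned and network connections made. The script below is an added example written for this guide, not code from Microsoft Sysinternals or from the original post. It reads a Procmon "Save as CSV" export; the column names are Procmon's default ones, while the event lines in `SAMPLE_CSV` are constructed for illustration (the 203.0.113.10 address is from a reserved documentation range). It follows child processes the sample creates, which relies on events being in capture order.

```python
"""Triage of a Process Monitor CSV export: files written, persistence, children, network.

Added example for this guide (not Sysinternals' or the guide author's code). The
column headers match Procmon's default CSV export; the event rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: a filtered Procmon export after running one sample in the lab VM.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\\Users\\Public\\dropper.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\\Users\\Public\\dropper.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.5","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\dropper.exe"
"10:01:02.7","sample.exe","4120","Process Create","C:\\Users\\Public\\dropper.exe","SUCCESS","PID: 4188, Command line: C:\\Users\\Public\\dropper.exe"
"10:01:03.0","dropper.exe","4188","TCP Connect","lab-vm:49802 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.1","dropper.exe","4188","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:03.4","explorer.exe","1204","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0"
"""

# Autostart locations to flag when written (matched case-insensitively as substrings).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_events(text: str) -> list:
    """One dict per event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_events(events: list, watch=("sample.exe",)) -> dict:
    """Group notable behaviour per process, following any child processes the sample creates."""
    tracked = {name.lower() for name in watch}
    report = defaultdict(lambda: {"files_written": set(), "persistence": [], "children": [], "network": []})
    for ev in events:                                   # capture order: children appear after their creation
        if ev["Process Name"].lower() not in tracked:
            continue
        op, path = ev["Operation"], ev["Path"]
        entry = report[ev["Process Name"]]
        if op == "WriteFile":
            entry["files_written"].add(path)
        elif op == "RegSetValue" and any(key in path.lower() for key in RUN_KEYS):
            entry["persistence"].append(path)           # value written under a Run/RunOnce key
        elif op == "Process Create":
            entry["children"].append(path)
            tracked.add(path.rsplit("\\", 1)[-1].lower())  # follow the child by image name
        elif op in ("TCP Connect", "UDP Send"):
            entry["network"].append(path.split(" -> ")[-1])  # remote endpoint of "local -> remote"
    return {proc: {k: sorted(v) if isinstance(v, set) else v for k, v in e.items()}
            for proc, e in report.items()}


def summarise(report: dict) -> list:
    """Human-readable one-liners, one per process, for a quick read of the capture."""
    lines = []
    for proc, e in report.items():
        lines.append(f"{proc}: wrote {len(e['files_written'])} file(s), "
                     f"{len(e['persistence'])} autostart key(s), spawned {len(e['children'])}, "
                     f"network {', '.join(e['network']) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in summarise(triage_events(parse_events(SAMPLE_CSV))):
        print(line)
```

To use it on a real capture, filter Procmon to the sample's process tree, save as CSV, and pass the file contents to `parse_events()`. The dropped file, the Run key and the outbound connection in the constructed rows are exactly the kind of findings you would then confirm with a Regshot diff and a Wireshark capture.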

4. Essential Tools

  • VMware Workstation Player/VirtualBox: Virtualisation software (free).
  • IDA Pro/Ghidra: Disassemblers (IDA is commercial, Ghidra is free).
  • PEView/CFF Explorer: PE header analysis tools (free).
  • Process Monitor: System monitoring tool (free from Microsoft Sysinternals).
  • Wireshark: Network analyser (free and open-source).
  • Regshot: Registry comparison tool (free).

5. Sandboxes

Automated sandboxes run malware in a virtual environment and provide reports on its behaviour.

  • Hybrid Analysis: A popular online sandbox service that provides detailed analysis reports.
  • VirusTotal: While primarily a multi-engine antivirus scanner, VirusTotal also offers some basic dynamic analysis information.

6. Further Learning

Malware analysis is a continuous learning process.

  • Practical Malware Analysis: A highly recommended book by Michael Sikorski and Andrew Honig.
  • Open Security Training: Offers free courses on malware analysis and reverse engineering.
  • Blogs & Communities: Follow security blogs (e.g., Threatpost, KrebsOnSecurity) and participate in online communities to stay up-to-date with the latest threats and techniques.