Category Archives: Malware

Security Predictions 2016: Ransomware will continue to evolve and become increasingly complicated


As we start each year, the team at thedigitalageblog looks into the crystal ball and makes predictions for the year.  Sometimes we’re right and sometimes we’re wrong, but we find it useful to look to the future and document what we see.

Our Prediction centers on the ongoing Ransomware attacks:

Ransomware will continue to evolve and become increasingly complicated.  We continue to be shocked at the amount of ransomware attacks where the “victim” actually pays the ransom.  The FBI said it received 992 CryptoWall complaints from April 2014 to June 2015, representing total losses of $18 million—and that is just reported cases. Because criminals are finding this scheme lucrative, hackers will continue to work on producing virus variants that are harder to detect and decrypt. Ransomware depends on human error; it is usually activated by a user clicking on a link in a phishing email. Encryption of sensitive data combined with regular back-ups onto external devices or cloud services are an excellent defense against these schemes. If you have a current copy of your data or web site, business can continue with minimal disruption. Paying the ransom does not, after all, guarantee full restoration of your data or web site. It’s important to note that mobile devices can also be overtaken by ransomware, and often the accompanying threat is to ruin one’s reputation.

When Ransomware Strikes Should You Pay or Not?

2015 was a big year for ransomware exploits and it looks like they aren’t slowing down in 2016. Kaspersky reported that CryptoLocker attacks doubled in 2015, and that a majority of workplace PCs were attacked. The perpetrators of CryptoLocker attacks send Trojans, usually via email, that when set free, infect a user’s PC and encrypt any files it can access. The attacker then demands money, often in the form of bitcoins, to decrypt the locked files. Attackers threaten all sorts of havoc if their demands aren’t met. As the article in NetworkWorld points out, even if their demands are met, you can’t count on your attackers honoring their part of the bargain.

I recently wrote a blog that covered a new ransomware attack on Hollywood Presbyterian Medical Center. The attackers are asking for 9,000 bitcoins in order to return thousands of patient records intact, which translates into approximately $3.6 million. That’s a steep price tag for any organization, and although typically law enforcement agencies advise victims not to pay, some police departments have started succumbing to the ransom demands. The more dangerous and alarming part is that, according to the FBI, who are working on this case, some attackers aren’t skilled enough to handle the malware they’ve delivered and if that’s the case, the hospital’s data will be lost forever. As the article points out, some criminal coders can mount an attack, but they don’t know how to handle encryption and decryption. Researchers have reported a ransomware strain that unintentionally locked files that can now never be decrypted.

The hospital has not decided whether they will pay the ransom yet, but they are forced to handle all their records manually for the time being. According to cybersecurity experts, ransomware has proven to be a lucrative business with Kaspersky reporting that a hacker group they researched is getting $2.5 million to $10 million for each successful attack.

In the meantime, organizations in every sector, particularly highly regulated industries like healthcare and finance need to increase their security postures as much as possible. Here are some quick tips that could keep you from becoming a victim:

  • Make sure your employees are security aware and not prone to opening unfamiliar emails and attachments. If an email looks suspicious or an offer seems too good to be true, use caution. Also, since cyber criminals are now adept at researching employees via social media, employees should approach any unknown sender with caution.
  • Get the technology you need. There are a variety of ways evasive malware can be introduced, including piggybacking on traffic over high, rarely watched ports. If your security tooling can’t monitor those ports, you’re asking for trouble.
  • Be sure you update your software and applications as well as your operating system. Criminal hackers often leverage known vulnerabilities in an application or OS that hasn’t been updated.


Hackers Are Holding an LA Hospital’s Computers Hostage


Ransomware attacks, in which hackers lock your computer or keyboard until you pay a ransom, are on the rise. The latest notable ransomware victim is Hollywood Presbyterian Medical Center in Los Angeles, whose computers have been offline for over a week. The computers will come back online, the hackers reportedly say, in exchange for $3.4 million, paid in bitcoin.

The Hack

The incident, first reported by a local NBC affiliate, affects the Los Angeles hospital’s computer systems, including those needed for lab work, pharmaceutical orders, and even the emergency room.

While the hospital’s spokesperson was unavailable to comment, HPMC president and CEO Allen Stefanek told KNBC that it was “clearly not a malicious attack; it was just a random attack.” It’s not clear what he means, though; a hospital in a wealthy neighborhood seems unlikely to be a random target, especially for such a large sum.

As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a “key” in exchange for the ransom money. The hospital has yet to officially detail the attack.

Who’s Affected

Stefanek told NBC4 that patient care hasn’t suffered, although some 911 patients have been sent to other nearby hospitals. Meanwhile, it appears to mostly add up to a headache for those in the HPMC system because hospital staff have had to write all documentation out by hand for the last week. Some patients, meanwhile, need to drive to more remote hospitals for medical tests that HPMC cannot offer without a functioning network.

The fallout appears limited to this one hospital, though, and even within its walls the impact seems annoying, but not crippling. HPMC says it’s working with the FBI, LAPD, and computer forensics experts to recover its systems.

How Bad Is It?

Given the degree of things that could potentially go wrong at the intersection of hospitals and hackers, this isn’t so terrible. But in terms of the scale of the ransom, it’s about as bad as it gets. Symantec recently pegged the total amount of ransomware paid out in any given year at $5 million. This single incident asks for well over half that amount.

The bigger impact may not be clear until after the incident is resolved. If the hospital ends up paying out, it could inspire copycat attacks. If not, and the hackers are identified, it could act as a deterrent. Either way, for now it shows that no target is off limits for ransomware, nor is any sum.

Laboratory and Online Malware Analysis

Your network has been compromised by a virus, worm, Trojan, botnet client or some other form of malware. As the systems or network administrator, you know malware analysis is necessary because your system (or network) has been exposed. The goal is to figure out what that malware has done so you can determine the destruction or damage caused by this activity. You also need to figure out the threat or vulnerability your company has been exposed to, and determine whether there is a risk that information is leaving your enterprise.

Depending on the nature of your business (cybersecurity exists to facilitate the conduct of business), the administrator investigates to determine whether there could be damage to individual users (or consumers) through the loss of credit card or personal information. The administrator must also check whether there is damage to the company through the loss of intellectual property that the malware has caused to be taken. An initial assessment of the loss or damage is then made. Although malware attacks have permeated every platform, the Windows environment remains the most popular platform to attack among malware authors.

The Security minded Administrator will have a Virtual or traditional controlled (isolated) laboratory set up to examine Malware specimens. The Virtual lab allows the Administrator to run multiple clients or servers (and multiple operating systems) on a single computer system to examine how Malware specimens interact with other computer systems within a network. The Virtual lab also allows you to record the state of a system or network (before the Malware is introduced) by taking snapshots. This also allows the Administrator to return a system or network to its original state after the analysis is complete.

Networking in the virtual environment allows the administrator to observe the malware exhibit its full potential in a controlled environment as the malicious program reveals its network interactions. When you employ this laboratory setup, you must use a large hard drive (the virtual machines’ disk images live on the physical system’s hard drive) and you must install as much RAM into the physical system as you can (RAM is an important performance factor for virtualization tools). You will employ an inexpensive hub or switch where applicable.

The professional malware writer has begun producing malware that can detect whether it is being run in a virtualized environment. This makes it practical to also have physical machines available as laboratory systems. The isolated test lab is a necessity for proper analysis and for developing the skills critical to an administrator and Incident Response (IR) team responding to security incidents. The free tools that will aid the administrator’s analysis in the lab are:

  1. Network monitoring: Wireshark – We can use this network sniffer to observe lab traffic for malicious communications
  2. Process monitoring: Process Explorer (and Process Hacker) – We can replace Windows Task manager and observe malicious processes.
  3. Change detection: Regshot – We can compare the system’s state (Registry and File System) before and after the infection.
  4. File system and registry monitoring: Process Monitor (with ProcDOT) – We can observe how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
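The change-detection step above (Regshot’s before-and-after comparison) can be reproduced for the file system in a few lines. The following is an added example, not code from the original post or from the Regshot project: it snapshots a directory tree before and after a constructed, simulated infection and reports which files were added, removed or modified. The sample file names and the ransom-note name are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Record every regular file under root as path -> (size, sha256 hex)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and list added, removed and modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed lab run: snapshot, simulate infection effects, snapshot, diff."""
    with tempfile.TemporaryDirectory() as lab_dir:
        lab = Path(lab_dir)
        (lab / "docs").mkdir()
        (lab / "docs" / "report.txt").write_bytes(b"quarterly figures")
        (lab / "notes.txt").write_bytes(b"todo list")
        before = snapshot_tree(lab)

        # Simulated effects of a file-encrypting sample (constructed, not real
        # malware): one document overwritten, one deleted, one note dropped.
        (lab / "docs" / "report.txt").write_bytes(b"\x00\x11\x22 opaque blob")
        (lab / "notes.txt").unlink()
        (lab / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")

        after = snapshot_tree(lab)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real lab the two calls to snapshot_tree would be separated by running the specimen, and the snapshots kept outside the guest so the sample cannot tamper with them.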

An administrator who has gained a sense of the key capabilities of the malicious executable may seek to discover details of the malware’s characteristics through code analysis. There are disassemblers, debuggers and memory dumpers freely available that will assist with the process of reverse engineering the malicious executable.

Malware Behavioral Analysis

Behavioral analysis of the malware specimen we have isolated allows an administrator to figure out what the malware has done and what it is capable of doing as it interacts with its environment. When we are subject to a malware attack, we can see whether it maintains contact with an attacker, what actions it performs within an infected system and how it spreads. Analyzing the malware in a controlled (isolated) environment can answer all of our IR questions and guide the IR team to the proper response.

In the case of a zero-day infection, for which no signature exists yet, the IR team has a virus loose on the system or the network performing tasks that are contrary to operations while the administrators don’t really know what it is doing. The antivirus software has no up-to-date signature for it, so the malware does not get removed. We must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape and infect the operations environment.

Online Malware Analysis Tools

There are many websites that can be of assistance in performing malware analysis. Because of the overwhelming amount of malware we are inundated with, and the destructive nature of what it does, people have come to understand the value of malware analysis. There are many sites that will perform the malware analysis for you.

The first website we will mention is “Virus Total”. It is a community driven website. It allows you to upload a file and have “Virus Total” perform the analysis. The site will analyze your upload and tell you if it’s a piece of malware, identified by name or class, and give you some understanding of what that malware has done or what it can do which gives the user a better understanding of what they are dealing with.

A second website I would like to mention is “Cuckoo”. It gives you the ability to perform an analysis from file properties and from a hash of the file. “Virus Total” looks at the characteristics of the file that has been uploaded. “Cuckoo” will actually run the software for you and capture what is going on in real time.

This is actually done in a very safe environment. It performs these actions through the use of virtual machines. “Cuckoo” automates the process with virtual machines running the executable malware so we can actually see what is going on in the machine or on the network. Basically, “Cuckoo” is a virtual sandbox that allows us to observe and analyze malware.

There are other websites that perform free automated behavioral analysis (malware analysis) on compiled Windows executables (that an Administrator may supply). The primary difference is each website employs a different analysis technology on the back end. The advantage for the Administrator (who is submitting the executable) is that it broadens the field of analysis on the executable. These tools include:

  • Anubis
  • BitBlaze
  • Comodo (Automated Analysis System)
  • EUREKA
  • Malwr
  • ThreatExpert

Conclusion

When we have software that is being used for malicious purposes, the administrator needs to understand what is happening on the systems or network. The administrator needs to know what damage this piece of executable software has introduced into the network, so we can determine what contingency to undertake to correct the problem. The administrator can then also figure out what is needed to protect the network, or to recover from the malicious activity that has gone on since this malware was introduced into operations.