Practical Malware Analysis — Beginning

Kamran Saifullah
3 min read · Aug 29, 2019

I have been planning to start learning about Reverse Engineering and Malware Analysis for a few years now, but I wasn't able to focus much on finding and figuring out how to get started. After searching online for months and asking for help from my colleagues and friends, I have decided to start with the book "Practical Malware Analysis".

The book can be downloaded from @Nostarch and can also be purchased from Amazon @Amazon.

This is going to be a series in which I will be sharing my learning outcomes and will also be sharing the solutions to the labs.

You can call these my notes, and I hope that this will add value to the resources available for beginners.

Goals of Malware Analysis

The main purpose of malware analysis is to provide all the necessary information about the malware or network intrusion that has taken place and the machines/assets it has infected. You also need to find out how many machines/files were infected and how they got infected. You have to do all of this yourself and produce a useful report.

You need to identify the infected files and then choose the one that requires complete analysis. At this point, signatures are created from the files that got infected or from the malware itself.

There are two different ways of creating a signature.

  1. Host Based (Signatures created on the basis of infected files on the system)
  2. Network Based (Signatures created on the basis of captured network traffic)

KEY POINT: The signatures created after malware analysis are effective and efficient.

Malware Analysis Techniques

In most cases we are provided with an executable or binary that is infected or is itself malware. That is certainly not directly readable by humans, so we need to apply some techniques in order to analyze it. There are two primary techniques used in analyzing malware.

  1. Basic Static Analysis (Analyzing the malware without running it)
  2. Basic Dynamic Analysis (Analyzing the malware after running it)

These were the basic ones. As malware became more advanced, the techniques were also revised, so there are two more techniques built on the basic ones.

  1. Advanced Static Analysis (Analyzing the executable by loading it into a disassembler and examining the code to discover what the program actually does). This technique tells us exactly what the executable is doing.
  2. Advanced Dynamic Analysis (Analyzing the executable by loading it into a debugger to examine the internal state of the running malicious executable)
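As an added example (not from the book or this post), here is what a first basic static pass looks like in Python: file hashes as host-based indicators, printable strings, and a check of the PE header, all computed from the bytes without ever running them. The sample is a constructed PE-like byte string with a placeholder URL, not a real executable.

```python
import hashlib
import re

# Constructed sample: a tiny PE-like blob (MZ stub, e_lfanew pointing at "PE\0\0",
# followed by a few embedded strings). Not a real executable, and never executed.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")   # e_lfanew at offset 0x3C -> 0x40
    + b"PE\x00\x00" + b"\x00" * 20                        # PE signature plus padding
    + b"KERNEL32.dll\x00CreateRemoteThread\x00"           # import-like strings
    + b"http://c2.example.invalid/update\x00"             # URL-like string (placeholder host)
    + b"\x01\x02\x03ab\x00"                               # run shorter than min_len, ignored
)


def file_hashes(data: bytes) -> dict:
    """Hashes are the simplest host-based signature: they match a known-bad file exactly."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len characters (what the `strings` tool shows)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def is_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def basic_static_triage(data: bytes) -> dict:
    """Collect the static findings an analyst records before ever running the file."""
    strings = extract_strings(data)
    report = file_hashes(data)
    report["is_pe"] = is_pe(data)
    report["strings"] = strings
    # URL-like strings are candidate network-based indicators to confirm in dynamic analysis.
    report["urls"] = [s for s in strings if s.startswith(("http://", "https://"))]
    return report


if __name__ == "__main__":
    for key, value in basic_static_triage(SAMPLE).items():
        print(f"{key}: {value}")
```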

Before we begin with Chapter 1 and start analyzing malware with basic static analysis techniques, we should be familiar with some of the common types of malware. The reason is to have an idea of what different malware does and how it does it. This will also help us categorize newly detected malware.

  1. Backdoor (Malicious code which installs itself onto the computer and allows the attacker access)
  2. Botnet (Infected computers connected to a C&C server. Instructions are the same for all the systems within the botnet)
  3. Downloader (Malicious software on the system which is used to download other malicious software/programs)
  4. Information-stealing Malware (Malware which collects information from the system, such as keyloggers)
  5. Launcher (Programs which are used to run other malicious programs)
  6. Rootkit (Malicious code which hides the existence of other code, making that code much more difficult to find)
  7. Scareware (Malicious programs which frighten users into doing something)
  8. Spam-Sending Malware (Sends mail via the infected system)
  9. Worm or Virus (Keeps on infecting other files and replicating itself to infect other computers)

That is enough to move on to Chapter 1 — Basic Static Techniques.

Thanks!


Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI