Malware variants continue to increase at an alarming rate since the advent of ransomware and other financial malware. You must have right tool in order to analyse these malware samples. In this article, we will explore best malware analysis tools to study behavior and intentions of malware.
Malware Analysis Techniques
It is the process of analyzing a malware sample without actually running the code. This is accomplished through two techniques:
- Signature based technique – Malware detector looks for known pattern matching in the signatures.
- Heuristic detection – Instead of looking for a particular, known signature, the malware detector is searching for commands and instructions that are not present in the application program.
It is the process of analyzing malware by running the sample and then studying its behaviour and intentions. This is carried out in a closed and isolated environment either virtual machine or Sandbox.
This kind of analysis involved both static and dynamic techniques. Initially, code is analysed without running the sample and then its behaviour is studied.
Malware Analysis Tools
When malware is executed, it dramatically makes changes to system environment. This includes modification of core system files, registry keys and other settings. It can lead to damage to the system used to carry out test.
Sandbox solves this problem by providing isolated environment to run malicious samples without fear of getting damaged. Any impact of malware run in virtualized sandbox doesn’t impact the actual system.
However, some malware are clever enough to detect being run in sandbox. They do not execute in malicious way to trick the analysts. So, analysis must be done with proper care and emulation must be done to match actual system configuration.
Cuckoo Sandbox is one of the popular and reliable program to create sandbox. It’s an open source platform that automates malicious file analysis for Windows, OS X, Linux and Android and gives detailed and meaningful feedback regarding how each file presented behaves in isolated environments.
Behavior Analysis Tools
In the initial days, malware analysis was carried out by matching against the file signature of known malware database. If the file doesn’t match any signature present in the database, it was considered to be safe. However, with the rapid development of malware and enormous variants being pushed into the cyber web, this method became obsolete.
To combat the problem, Behavior analysis tools were introduced which do not rely on signature. Rather, they monitor the processes and events on the machine and notify user if certain behavior seems to be suspicious. An example could be rapid modification of core registry keys or changes to security settings.
Sophisticated, modern tools use artificial intelligence to identify patterns that human analyzers may not see, such as files being rapidly modified, or the system itself being altered.
Reverse Engineering Tools
Reverse engineering is a complex analysis method. It is generally carried out manually and not possible to be a part of automated testing environment. It involves use of a debugger, disassembler, and other specialized tools to trace back content of the malicious program. Some popular tools are:
- Jad Debugger
Network Traffic Analysis
In this method, malicious program is identified through their actions, rather than through identifying characteristics of the program itself. Network traffic analysis focuses on the network activities like file being uploaded across the network or downloaded or encrypted at the rate which is unusual.
Just like behavior analysis, analyst can learn by observing network activities. This method is more effective when used in combination with malware behaviour analysis. Some sophisticated malware might be modified to appear legit but their actions cannot be hidden. When anomaly is detected in network usage or some program’s behaviour, it can be cross checked to confirm detection.
One of the popular tool is Zeek. It is a powerful network-based analysis framework that turns network traffic into events to trigger scripts. Zeek makes use of both signature based and behavior based analysis to give a bird’s eye-view of network activity. This can also be used to conduct forensics investigations, network monitoring and protocol analysis.
Analysing of threats isn’t enough, we must also act upon it. A good malware analysis tool can detect as well as provide elimination or remedy for it. Malware response time is inversely proportional to the amount of damage. Response time should be as fast as possible to avoid any severe damage.
Yara is an open source malware attribution tool used to classify malware samples based on textual or binary patterns once they have been analyzed in Sandbox. Analysts can write descriptions of malware families based on patterns using Yara. It allows researchers to recognize and categorize seemingly similar variants of malware.
Google Rapid Response
GRR is used to analyse malware footprints at specific workstation. Incident response team can perform various forensic tasks on the client machine, such as analyzing the memory, searching various settings and managing configuration options.
Using these combination of tools, we create an ultimate malware detection tool.