A day in the life of a Malware Analyst
When it comes to analyzing malware, each company has its own methods. Due to the volume of daily threats, most vendors develop some sort of automation to process hundreds of samples very rapidly. However, human analysts are still needed to understand the mechanisms used by malware authors.
I can see at least two ways of analyzing a piece of malware:
- reverse engineer it
- execute it
Reverse engineering consists of taking apart the sample to understand how it works. The file is the compiled form of the instructions the author wrote in source code: when a malware author (or anybody) writes a program, the compiler turns those instructions into machine code the processor can execute. The job of the security analyst is to work backwards from that machine code, with a disassembler or debugger, to recover the logic and reveal the author's intentions.
Needless to say, this is a lengthy and sometimes difficult process. The analyst also needs the proper skills to read assembly and several programming languages, and to identify the portions of code that carry out the malicious behaviour.
The alternative to reverse engineering is much simpler and quicker, but radically different. While the first method is mainly static, the second one (dynamic analysis) consists of running the sample on a machine.
Security analysts use dedicated machines for this: virtual machines, or physical machines that can be infected, formatted and re-installed.
Samples are run and their behaviour is recorded. That recorded behaviour is also called the payload and includes file creation, registry modification, network traffic, and so on.
At that point it is fairly easy to identify behaviours. When in doubt, we upload the sample or a file from its payload to an online malware scanner. That can help us classify the sample into a category (e.g. Password Stealing Trojan).
In order to protect our end users, we must add the malware "payload" to our security products. Here we use the term signature, which is made of file names, paths (e.g. c:\windows), and other uniquely identifiable information such as an MD5 hash.
We regularly release database updates that include the latest threats we found.
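The loop from recorded behaviour to signature to detection, as an added example that is not part of the original post or of any vendor's product. The behaviour report, the dropped file bytes, the paths and the network endpoint are all constructed for illustration; the hash is computed from those constructed bytes, not taken from a real sample.

```python
import hashlib
import json

# Constructed sandbox report for a hypothetical sample: the file drops,
# registry changes and network traffic a dynamic run might record.
# Nothing here comes from a real infection; names and bytes are made up.
DROPPED_FILE_BYTES = b"MZ\x90\x00example dropped file, not a real binary"

BEHAVIOUR_REPORT = {
    "sample": "invoice_2012.exe",
    "category": "Trojan.PWS",          # classification the analyst decided on
    "files_created": {
        r"C:\Windows\System32\svchosts.exe": DROPPED_FILE_BYTES,
    },
    "registry_set": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchosts",
         r"C:\Windows\System32\svchosts.exe"),
    ],
    "network": ["203.0.113.10:8080"],   # TEST-NET address, documentation only
}


def md5_hex(data: bytes) -> str:
    # MD5 is what the post names; swap in hashlib.sha256 for collision resistance.
    return hashlib.md5(data).hexdigest()


def build_signature(report: dict) -> dict:
    """Turn a behaviour report into a detection record: hashes of the dropped
    files plus the paths, registry values and endpoints the sample touched."""
    return {
        "name": report["category"],
        "md5": sorted(md5_hex(b) for b in report["files_created"].values()),
        "paths": sorted(p.lower() for p in report["files_created"]),
        "registry": [(k.lower(), v.lower()) for k, v, _ in report["registry_set"]],
        "network": list(report["network"]),
    }


def match_file(path: str, content: bytes, signature: dict) -> list:
    """Reasons this file matches the signature (empty list means no match).
    A hash hit is strong evidence; a path-only hit is weaker and would be
    confirmed by the hash or by the registry persistence entry."""
    reasons = []
    if md5_hex(content) in signature["md5"]:
        reasons.append("md5")
    if path.lower() in signature["paths"]:
        reasons.append("path")
    return reasons


def match_registry(key: str, value_name: str, signature: dict) -> bool:
    """True when a Run-key value matches one the sample wrote."""
    return (key.lower(), value_name.lower()) in signature["registry"]


def export_database(signatures: list) -> str:
    """Serialise signatures for a database update; a shipping product would
    version and digitally sign this file before distributing it."""
    return json.dumps({"version": 1, "signatures": signatures}, indent=2)


if __name__ == "__main__":
    sig = build_signature(BEHAVIOUR_REPORT)
    print(match_file(r"C:\Windows\System32\svchosts.exe", DROPPED_FILE_BYTES, sig))
    print(match_file(r"C:\Windows\System32\svchost.exe", b"legitimate bytes", sig))
    print(export_database([sig]))
```

Note the two weaknesses a practitioner would flag: the path rule alone would also fire on a benign file that happens to sit at that path, so it is only corroborating evidence, and a hash rule breaks as soon as the author recompiles or repacks the sample, which is why the registry persistence entry and the network endpoint are kept in the record as well.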
Another part of malware analysis deals with cleaning the malware samples we have added to our products. Here we want to make sure that our software is capable of removing all infections without damaging the operating system.
The loop is now complete: from malware infection to detection and finally removal.
There goes the day of a Malware Analyst
JSegura
Malware armoring is now the norm. :’(
Traditionally, we have seen advanced behaviour in malware trickle down from the top-tier threats to the more common samples. One such disturbing trend is armoring: malware that actively defends itself against removal and analysis. This can be achieved in many different ways, and we often use the less subtle of these traits as a quick method of confirming infection. It is obvious that a system is infected with malware when the user suddenly finds they cannot run common tools such as the registry editor or the task manager.

We now routinely encounter samples that go one step further, preventing common code analysis tools such as OllyDbg or IDA Pro from running, or executing a different payload altogether when they are present. This is an effort on the part of the bad guys to delay analysis for as long as possible. It also forces the development of expensive in-house tools to take malware apart.
Most security analysts use virtualization in one form or another as part of their day-to-day operations. Launching samples inside a guest virtual machine running on a host computer is much faster than actually infecting a real computer. You don't have to re-image your machine once the malware has been scrutinized; you simply reset the image. This makes virtual machines an ideally suited testing environment. The malware authors have become aware of this, and are now implementing methods by which malcode will verify whether it is running in a virtual environment before executing.

As this trend gradually becomes the norm, we are seeing third-party software that offers anti-virtualization armoring techniques to less skilled attackers.
What was once reserved for advanced threats has now become the norm. It is disheartening to see how rapidly this occurred. These new capabilities do have the strange side effect of making the use of virtualization safer from an end user's perspective, as most of the malware will assume it is in this environment for dissection purposes, and thus refuse to execute.
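The two kinds of check described above (refusing to run when analysis tools are present, and refusing to run inside a virtual machine), modelled as an added example that is not code from the post or from any real sample. A real sample executes CPUID and enumerates processes, adapters and registry keys itself; here those results are supplied as constructed inventories so the logic runs anywhere. The MAC OUIs, process names, registry keys and CPUID vendor strings are well-known hypervisor and guest-tools artefacts; the inventories themselves and the tool names in them are assumptions for illustration.

```python
# Constructed inventory of an analysis VM, as armored malware would gather it
# (or as an analyst would snapshot it before running a sample). Values are
# typical VMware and VirtualBox artefacts; nothing comes from a real infection.
ANALYSIS_VM = {
    "hypervisor_bit": True,             # CPUID leaf 1, ECX bit 31
    "cpuid_vendor": "VMwareVMware",     # CPUID leaf 0x40000000 vendor string
    "mac_addresses": ["00:0C:29:4A:1B:2C"],
    "processes": ["explorer.exe", "vmtoolsd.exe", "ollydbg.exe", "procmon.exe"],
    "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
}

# The same machine after the analyst hides the cheap tells: guest tools
# removed, MAC OUI changed, tools renamed. The hypervisor bit cannot be hidden
# from inside the guest without hypervisor cooperation, so it stays set.
HARDENED_VM = {
    "hypervisor_bit": True,
    "cpuid_vendor": "",
    "mac_addresses": ["3C:97:0E:12:34:56"],
    "processes": ["explorer.exe", "notepad.exe", "svc_monitor.exe"],
    "registry_keys": [],
}

VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox",
}
VM_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                "vboxservice.exe", "vboxtray.exe"}
ANALYSIS_TOOLS = {"ollydbg.exe", "idaq.exe", "idaq64.exe", "idag.exe",
                  "windbg.exe", "x64dbg.exe", "x32dbg.exe",
                  "procmon.exe", "wireshark.exe"}
VM_REGISTRY = {r"hklm\software\vmware, inc.\vmware tools",
               r"hklm\software\oracle\virtualbox guest additions"}
HYPERVISOR_VENDORS = {"VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox",
                      "Microsoft Hv": "Hyper-V", "KVMKVMKVM": "KVM"}


def environment_indicators(inv: dict) -> dict:
    """Return {indicator: detail} for every tell found in the inventory.
    Armored samples typically bail out, or run a decoy payload, when this
    is non-empty; an analyst runs the same check to see what still leaks."""
    found = {}
    if inv.get("hypervisor_bit"):
        found["cpuid_hypervisor_bit"] = True
    vendor = HYPERVISOR_VENDORS.get(inv.get("cpuid_vendor", ""))
    if vendor:
        found["cpuid_vendor"] = vendor
    for mac in inv.get("mac_addresses", []):
        oui = mac.upper()[:8]             # first three octets, "xx:xx:xx"
        if oui in VM_MAC_OUIS:
            found["mac_oui"] = VM_MAC_OUIS[oui]
    procs = {p.lower() for p in inv.get("processes", [])}
    if procs & VM_PROCESSES:
        found["guest_tools_process"] = sorted(procs & VM_PROCESSES)
    if procs & ANALYSIS_TOOLS:
        found["analysis_tool_process"] = sorted(procs & ANALYSIS_TOOLS)
    keys = {k.lower() for k in inv.get("registry_keys", [])}
    if keys & VM_REGISTRY:
        found["guest_tools_registry"] = sorted(keys & VM_REGISTRY)
    return found


def would_armored_sample_run(inv: dict, tolerate_hypervisor_bit: bool) -> bool:
    """Model the malware's decision. Many samples only check the cheap tells
    (guest tools, MAC OUI, debugger process names). The strictest ones also
    refuse on the bare hypervisor bit, which then blocks every ordinary VM
    user as well, the side effect the post describes."""
    tells = environment_indicators(inv)
    if tolerate_hypervisor_bit:
        tells.pop("cpuid_hypervisor_bit", None)
    return not tells


if __name__ == "__main__":
    for name, inv in (("analysis VM", ANALYSIS_VM), ("hardened VM", HARDENED_VM)):
        print(name, environment_indicators(inv),
              "runs:", would_armored_sample_run(inv, tolerate_hypervisor_bit=True))
```

The practical lesson is in the hardened inventory: renaming tools and removing guest additions defeats the process-name and registry checks that most samples rely on, but the hypervisor bit and timing artefacts remain, so a sample that refuses on those has to be patched in the debugger or run on bare metal.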
Jean Taggart