February 19, 2004

Analyzing malware

Author: Ed Skoudis

Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. I strongly encourage you to run attack and defensive tools in a laboratory of your own. Here's how.

To start the process, you need to make sure your lab systems are prepared before the malware specimen is even loaded onto them. You can use this checklist (RTF format) for verifying that your systems are up to snuff. Before conducting an analysis, I always update the antivirus tools on my lab systems to make sure they have the latest signature files. Then, I verify that all of the tools listed in the checklist are loaded onto my malware analysis machines, both the system where the malware will be installed (the victim machine) and the other systems in the lab. I also rerun my file integrity checking tools to verify that they have a snapshot of the current clean state of the system that I can compare against after I install and run the malware.

This article is excerpted from the recently published book Malware: Fighting Malicious Code.

The checklist provides a high-level view of each tool we'll use in our analysis. We'll be using numerous helpful tools from a variety of sources around the world. However, when analyzing Windows-based malware, it quickly becomes clear that one source of tools dominates: the Sysinternals Web site. These tools, including Filemon, Process Explorer, and Regmon, were written by Mark Russinovich and are invaluable in this research.

I install each of these tools on the target system, but my final preparation step is to make sure I have a copy of each tool burned to a CD-ROM as well. That way, with a CD-ROM full of analysis tools, I can check the integrity of the results reported by the tools included in the operating system. So, for each of the steps we'll follow, I run the tool installed on my hard drive. Then, I run the exact same tool on the CD-ROM to get corroborating results. When the results differ, the malware has likely altered the system by changing a component of the tool itself or something the tool relies on (e.g., the kernel).

When you conduct your analysis, it's a great idea to document
each step in writing using a paper notebook. A written record of your analytic techniques and the malware's actions is incredibly useful in understanding how the malware works, tracing through its functions in a repeatable fashion, warning others about the beast's nature, and improving your own analysis skills. If you ever decide to sue the perpetrator who foisted the malware into your environment with evil intentions, your notes act as excellent evidence in prosecuting the case in a court of law. You might start your analysis without intending or knowing whom to prosecute. Yet, by the end of your analysis, you might have valuable clues about the perpetrators, and could decide to go after them on civil or criminal legal grounds.

While you take notes during the process of analyzing malware that was used to harm your organization, keep in mind that these notes could be used as evidence in a court of law, even if you don't want them to be. If you do prosecute a perpetrator, your notes will likely be provided to the defense team so that they can analyze your evidence. Thus, don't put wild guesses in your notes. Also, don't doodle or record your innermost fantasies and sensitive personal information in these documents that might be provided to your legal adversaries. Simply record the actions of the bad guy and the malware, as well as reasonable theories about what the attacker's motivation might have been. In short, stick to the facts and the motivations revealed by those facts.

I recommend paper-based, not electronic, notes to jot down your analysis. If you use a computer with text editing software for taking notes, the malware could destroy your notes as you analyze it! Separate, physical notes scrawled in pen avoid this potential problem. Your notes don't have to include detailed flowery language describing each and every aspect of your analysis. Instead, jot down the high points: what you did at each step, and the actions taken by the malware itself.

To help you organize your notes, I've prepared a template to fill in while you go through the malware analysis process.


  • Security
Click Here!