
7/20/2020 Malware analysis - Wikipedia

Malware analysis
Malware analysis is the study or process of determining the functionality, origin and potential impact
of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.[1] Malware or
malicious software is any computer software intended to harm the host operating system or to steal
sensitive data from users, organizations or companies. Malware may include software that gathers user
information without permission.[2]

Contents
Use cases
Types
Stages
Software
Binary analysis tools
Disassemblers
Debuggers
Sandboxes
More Resources
References

Use cases
There are three typical use cases that drive the need for malware analysis:

Computer security incident management: If an organization discovers or suspects that some malware may have gotten into its systems, a response team may wish to perform malware analysis on any potential samples that are discovered during the investigation process to determine if they are malware and, if so, what impact that malware might have on the systems within the target organization's environment.
Malware research: Academic or industry malware researchers may perform malware analysis simply to understand how malware behaves and the latest techniques used in its construction.
Indicator of compromise extraction: Vendors of software products and solutions may perform bulk malware analysis in order to determine potential new indicators of compromise; this information may then feed the security product or solution to help organizations better defend themselves against attack by malware.

Types
The method by which malware analysis is performed typically falls under one of two types:


Static malware analysis: Static or code analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA or Ghidra. The machine code can sometimes be translated into assembly code which can be read and understood by humans: the malware analyst can then read the assembly as it correlates with specific functions and actions inside the program, make sense of the assembly instructions and gain a clearer picture of what the program is doing and how it was originally designed. Viewing the assembly allows the malware analyst/reverse engineer to better understand what is supposed to happen versus what is really happening and to start mapping out hidden actions or unintended functionality. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.[3]
Dynamic malware analysis: Dynamic or behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete. The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch its behavior and its effects on the host system step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis, including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.[4]
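As an added example (not from the Wikipedia article or any of the tools it lists), a minimal static-properties pass in Python: it walks the DOS, PE and COFF headers of a constructed toy image without executing anything, computes Shannon entropy per section, and flags sections that look packed or encrypted, the kind of triage that pestudio, PEiD or Detect It Easy automate. The toy image builder, the section names and the 7.0 bits/byte threshold are assumptions for illustration only.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code sits around 5-6.5, packed/encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table; nothing is executed."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": rsize, "entropy": round(shannon_entropy(raw), 2)})
    return {"sha256": hashlib.sha256(image).hexdigest(), "machine": hex(machine),
            "timestamp": stamp, "sections": sections}

def triage_flags(report: dict, threshold: float = 7.0) -> list:
    """Static-properties findings worth noting before any sandbox run (threshold is an assumption)."""
    return [f"{s['name']}: entropy {s['entropy']} suggests packing or encryption"
            for s in report["sections"] if s["entropy"] >= threshold]

def build_sample_image() -> bytes:
    """Constructed toy image (not a runnable executable) with a plain .text and a 'packed' section."""
    e_lfanew, nsect = 0x40, 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0x5F000000, 0, 0, 0, 0x102)  # toy: no optional header
    data_start = e_lfanew + 24 + 40 * nsect
    text = b"\x55\x8b\xec" + b"\x90" * 61                      # push ebp; mov ebp,esp; nops
    packed = bytes((i * 73 + 31) % 256 for i in range(256))     # permutation of 0..255 -> 8.0 bits/byte
    def sec(name: bytes, raw: bytes, ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
    headers = sec(b".text", text, data_start) + sec(b".packed", packed, data_start + len(text))
    return dos + b"PE\0\0" + coff + headers + text + packed

if __name__ == "__main__":
    report = parse_pe(build_sample_image())
    print(report["sections"], triage_flags(report))
```

Real samples would be read from disk instead of built in memory; the header walk is the same, and a full optional header is skipped via SizeOfOptionalHeader.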

Stages
Examining malicious software involves several stages, including, but not limited to, the following:

Manual Code Reversing
Interactive Behavior Analysis
Static Properties Analysis
Fully-Automated Analysis

Software

Binary analysis tools
pestudio[5]
PEiD
exeinfope
PEView
Resource Hacker: freeware resource editor for Windows by Angus Johnson
HxD: hex editor for Windows by Maël Hörz
Detect It Easy

Disassemblers
IDA Pro: Disassembler by Hex-Rays
Radare2: Disassembler by pancake
BinaryNinja: Disassembler by Vector 35
Ghidra: Disassembler by the NSA

Debuggers
GNU Debugger
WinDbg
OllyDbg
x64Dbg

Sandboxes
Hybrid Analysis: Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis.
ANY.RUN: Interactive malware hunting service with real-time interaction and process monitoring. Available for free use since 2018.[6]
CWSandbox: Early malware sandbox solution c. 2006-2011[7] from Sunbelt Software; became GFISandbox.
GFISandbox: Sandbox solution c. 2011-2013[8] from GFI Software; became ThreatAnalyzer.
Cuckoo Sandbox: Sandbox solution c. 2012?, open source on GitHub, designed for automated malware detection and profiling.
Joe Sandbox: Sandbox solution c. 2010 from Joe Security. First solution introducing hybrid analysis. Enables analysis on any device, including bare-metal laptops, PCs and phones. Supports analysis on Windows, Android, Mac OS X and iOS.
ThreatAnalyzer: Sandbox solution c. 2013–present[9] from ThreatTrack Security, designed for automated malware detection and detailed profiling.
VMRay: Sandbox solution c. 2015 from VMRay. Created by the original author of CWSandbox. Instead of hooking, the target machine is left unmodified, and monitoring and control are done at the hypervisor layer.[10]

Note: Some hosted sandboxes, such as Malwr, use one of the above products under the hood (Malwr
uses Cuckoo).

More Resources
MalwareAnalysis.co: Hub for various resources.

References
1. "International Journal of Advanced Research in Malware Analysis" (https://web.archive.org/web/20160418151823/http://www.ijarcsse.com/docs/papers/Volume_3/4_April2013/V3I4-0371.pdf) (PDF). ijarcsse. Archived from the original (http://www.ijarcsse.com/docs/papers/Volume_3/4_April2013/V3I4-0371.pdf) (PDF) on 18 April 2016. Retrieved 30 May 2016.
2. "Malware Definition" (http://searchmidmarketsecurity.techtarget.com/definition/malware). Retrieved 30 May 2016.
3. Honig, Andrew; Sikorski, Michael (February 2012). Practical Malware Analysis (https://www.safaribooksonline.com/library/view/practical-malware-analysis/9781593272906/). No Starch Press. ISBN 9781593272906. Retrieved 5 July 2016.
4. Keragala, Dilshan (January 2016). "Detecting Malware and Sandbox Evasion Techniques" (https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667). SANS Institute.
5. http://www.winitor.com
6. "Any.Run - An Interactive Malware Analysis Tool - Is Now Open To The Public" (https://www.bleepingcomputer.com/news/security/anyrun-an-interactive-malware-analysis-tool-is-now-open-to-the-public/). BleepingComputer. Retrieved 7 March 2018.
7. Utter, David (25 October 2006). "CWSandbox Automates Malware Analysis" (http://www.securitypronews.com/cwsandbox-automates-malware-analysis-2006-10). SecurityProNews. Retrieved 5 July 2016.
8. "GFI® Software Makes Dynamic Malware Analysis Easier For Businesses" (http://www.businesswire.com/news/home/20110803006213/en/GFI®-Software-Dynamic-Malware-Analysis-Easier-Businesses). BusinessWire. 3 August 2011. Retrieved 5 July 2016.
9. "ThreatTrack Security Introduces ThreatAnalyzer 5.0" (http://www.darkreading.com/threattrack-security-introduces-threatanalyzer-50/d/d-id/1140925). Dark Reading. 19 November 2013. Retrieved 5 July 2016.
10. Willems, C.; Hund, R.; Holz, T. "Hypervisor-Based, Hardware-Assisted System Monitoring" (http://syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/11/26/TR-HGI-2012-002.pdf) (PDF). Ruhr-Universität Bochum.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Malware_analysis&oldid=963081117"

This page was last edited on 17 June 2020, at 18:24 (UTC).
