Advanced Malware Analysis

The need for advanced malware analysis has never been greater, because malware is now developed much like any other software. Well-resourced teams run full development cycles to produce malware packages that persist on a target and carry out tasks as instructed by their authors. Malware keeps advancing as the analysis techniques it is built to subvert mature: its authors have adapted to modern security controls, which allows quicker and more successful attacks.
Malware authors develop malicious code, often designed to defeat analysis, whose functionality can be broken down into four general categories, each describing a specific aspect of how the malware operates:
  • Infection
  • Propagation
  • Mission
  • Defense
Infection describes the initial phase of a malware compromise. Infection methods are often the most trivial part from the attacker's point of view, yet the most difficult for an analyst to identify. To determine the infection method reliably, an analyst usually has to combine several tools, perform detailed analysis of the infected systems, and collect the relevant logs.
Persistence, the method by which malware continues to run after the target system reboots, also belongs in this category. Malware must survive long enough to propagate and complete its mission.
Propagation describes the method by which malware moves or replicates from one system to another. Malware may propagate via email, by trojanizing files on an infected system, or by replicating onto external drives or network shares. If propagation across the network succeeds, the attacker has increased the time an analyst or incident response team will need to identify the true scope of the breach.
Mission describes the functionality of a piece of malware that focuses on the end result desired by the attacker. The purpose may be simply to add the infected system to an army of compromised machines, or it may involve compromising data on the target system, including financial data, intellectual property or user credentials.
Defense embodies a wide array of malware operation and capability and is arguably the most important aspect of the lifespan of malware. The longer malware persists undetected on an infected system, the more likely it is to defeat analysis, complete its mission and propagate to other targets. "Anti-forensic" techniques are increasingly employed by malware authors to inhibit static analysis of malicious binaries once they are detected on compromised systems. This last category acts as a barrier for the malware, allowing it to carry out its mission.
A multi-layered methodology for malware analysis has the benefit of targeting the weaker and less protected aspect of malware: its execution. A binary can be packed, encrypted or stripped of readable strings to resist static inspection, but it must decode itself in memory in order to run, and that is where dynamic analysis observes it. The layered approach gives an analyst multiple complementary avenues of analysis and a means to examine advanced malware that employs defenses designed to obfuscate the binary.
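As an added example (not code from the original page), the following Python script shows the static-triage layer of such a layered methodology on a constructed sample image: it flags high-entropy regions that indicate packing or encryption, the spans a static pass cannot read and unpacking or dynamic analysis must handle, and recovers a configuration string hidden behind a single-byte XOR by crib-dragging with an expected token. The sample image, the 0xC7 key, the `http://c2.example.invalid/gate.php` indicator and the 7 bits/byte threshold are all assumptions constructed for this example.

```python
"""Static triage of an obfuscated binary image (constructed sample, no real
malware): find packed/encrypted regions by Shannon entropy and recover a
single-byte-XOR obfuscated string with a crib."""
import hashlib
import math
from collections import Counter

# --- constructed sample image (assumption: NOT a real binary) --------------
# region 0: low-entropy "code-like" filler, exactly 4.0 bits/byte
CODE_REGION = bytes(range(16)) * 32                                   # 512 bytes
# region 1: deterministic pseudo-random bytes standing in for a packed payload
PACKED_REGION = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
# region 2: a config string hidden with a single-byte XOR; the key has its high
# bit set so every encoded byte lands outside printable ASCII and a plain
# `strings` pass sees nothing (hypothetical indicator, not a real C2 host)
XOR_KEY = 0xC7
HIDDEN_CONFIG = b"http://c2.example.invalid/gate.php"
CONFIG_REGION = bytes(b ^ XOR_KEY for b in HIDDEN_CONFIG).ljust(512, b"\x00")
SAMPLE = CODE_REGION + PACKED_REGION + CONFIG_REGION


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Offsets of fixed-size windows whose entropy suggests compression or
    encryption (rule of thumb: above ~7 bits/byte). These are the spans static
    analysis cannot read; they need unpacking or dynamic analysis."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def ascii_strings(data: bytes, min_len: int = 4):
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:
        out.append(bytes(run))
    return out


def recover_xor_string(data: bytes, crib: bytes = b"http://"):
    """Crib-drag for a single-byte XOR key: at every offset derive the key that
    maps the first crib byte, keep it only if it explains the whole crib, then
    decode forward until the first non-printable byte.
    Returns (offset, key, decoded_bytes) or None if the crib never fits."""
    for off in range(len(data) - len(crib) + 1):
        key = data[off] ^ crib[0]
        if all(data[off + i] ^ key == crib[i] for i in range(len(crib))):
            decoded = bytearray()
            for b in data[off:]:
                p = b ^ key
                if not 0x20 <= p < 0x7F:
                    break
                decoded.append(p)
            return off, key, bytes(decoded)
    return None


def triage(data: bytes) -> dict:
    """Summarize what the static layer can and cannot see in the image."""
    return {
        "high_entropy_offsets": high_entropy_regions(data),
        "visible_strings": ascii_strings(data),
        "recovered_xor_string": recover_xor_string(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for off in report["high_entropy_offsets"]:
        print(f"packed/encrypted region at 0x{off:x}: static analysis blocked, "
              f"unpack or run under dynamic analysis")
    print(f"strings visible without decoding: {len(report['visible_strings'])}")
    hit = report["recovered_xor_string"]
    if hit:
        off, key, text = hit
        print(f"XOR key 0x{key:02x} at 0x{off:x} reveals: {text.decode()}")
```

Entropy only tells the analyst where the static layer stops; it does not say what the payload is, which is why the high-entropy offsets are reported as places to pivot to unpacking or dynamic analysis rather than as findings in themselves. The crib approach works because a single-byte XOR preserves byte positions, so one expected token is enough to fix the key; a multi-byte or rolling key would need a longer crib or a different attack.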