It’s that time, malware has entered the network and the analyst needs to inspect this infiltration…or maybe it hasn’t entered and due diligence needs to be done in order to properly identify if the threat is real.
Cybersecurity analysts have as many tools at their disposal as there are malware, viruses, and other nasties out there.
We’re going to dive into two forms of analysis for inspecting malware in order to determine whether a threat is real.
To Be Dynamic, or Not to Be Dynamic…Static
Malware analysis can be separated into two groups: static and dynamic.
- Static malware analysis: examines a malware file without actually running the program. It’s a safer way to analyze malware, as running the code could infect the system. In its most basic form, static analysis gleans information from malware without the need to execute or launch.
- Dynamic malware analysis: is when a malware sample is executed in a test environment to observe its behavior. This can be done with readily available tools such as VMware, OllyDbg, and more.
What is Static Malware Analysis?
Static malware analysis refers to performing code-based analysis on malware binaries without executing them in a sandbox environment or on real machines.
Static analysis is normally the first step of analysis and can tell an analyst how the malware is designed and maybe what it actually does. Hashing a sample and searching for the hash in VirusTotal (VT) would be a static analysis. It lets the analyst know what might be needed to conduct dynamic analysis.
It’s also helpful in studying unknown malware or malware whose behavior does not depend on other factors (e.g., user input).
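As an added example (not from the original post), here is a minimal static triage script in Python: it hashes a sample for a VirusTotal lookup, pulls out printable strings, flags any URLs among them, and checks for a PE header, all without executing anything. The sample bytes are constructed for illustration and are not real malware.

```python
import hashlib
import re
import struct

# Constructed sample (not real malware): a fake PE-shaped blob with a
# few strings an analyst would want to see during static triage.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00"
    + b"\x00\x01\x02http://example.invalid/update.bin\x00\x03"
    + b"CreateRemoteThread\x00cmd.exe /c whoami\x00\xff\xfe"
)


def hashes(data: bytes) -> dict:
    """Digests used to look a sample up in VirusTotal or a local database."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Extract runs of printable ASCII, like the `strings` utility does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def is_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def triage(data: bytes) -> dict:
    """Static triage report: hashes, file type hint, embedded URLs, strings."""
    strings = printable_strings(data)
    return {
        "hashes": hashes(data),
        "is_pe": is_pe(data),
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "strings": strings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The same functions can be pointed at a real file by reading it in binary mode and passing the bytes to `triage`.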
What is Dynamic Malware Analysis?
Dynamic malware analysis can be considered the process of interacting with and activating malicious functionality, often following specific logic or commands written by the malware’s author.
Dynamic analysis is running the malware in a sandbox while monitoring actions and changes. The analyst will typically run multiple tools to capture network traffic, changes in the registry, or monitor running processes to determine what the intent of the malware is.
Public sandboxes execute the malware and record the actions (dynamic analysis). Unless the malware is programmed to not function under certain conditions, an analyst will typically get to see what it does.
More complex malware samples will be aware of the environment they are running in and will not execute if they believe they are under analysis. This is where reverse engineering comes into play.
Another advantage is that it enables the analyst to uncover novel characteristics of the malicious code without generating too many false positives. This is particularly important when dealing with more complex pieces of malware that do not have enough information in VT or other public sandboxes out there.
It’s Go Time
Those two forms of analysis are but two of the tools and procedures analysts use to properly identify potential threats.
To recap: static examines a malware file without actually running the program and dynamic is when a malware sample is executed in a test environment to observe its behavior. Oversimplified, but a quick go-to if short and simple is needed.
Neither is better, just different. They are two sides of one coin that make up a whole, and they work best when used together, where appropriate.
Malware analysis can be a dangerous and complex process to undertake, requiring a great deal of specialized knowledge and skill in order to be successfully carried out.
With tools like these, the good guys win (a lot of the time)…against the bad guys.