Analysis of malware, viruses and other kinds of harmful programs and scripts is
quite complicated and requires a lot of knowledge. To properly understand how a
program works, what it connects to and what damage it can cause, it is useful to
know programming, and not only in one language but preferably in several, together
with a good knowledge of how a computer network is built and how it operates.
For example, we decompile the program to obtain part of its source code, so that we
know exactly how it works. We can also analyze the running program itself, its
processes and its network connections using additional tools.
There are programs on the market called sandboxes. They run the program in a
sandbox, i.e. an isolated environment that simulates the real environment of the
potential victim, thus allowing safe analysis. Most of these programs are paid and,
due to the cost, are only available to large corporations.
Nowadays, malicious software has evolved to such an extent that it not only tries
to detect and bypass anti-virus software but also checks whether it is running on a
virtual machine or in a sandbox. Sometimes it launches its malicious functions with
a delay, and sometimes it deactivates completely so as not to attract attention,
acting like an ordinary harmless application.
Although the analysis requires a lot of knowledge and skill, nothing prevents you
from starting your adventure with analysis using simple examples and free tools.
Below I will describe a few tools and pages that will help you take the first steps
in this difficult field.
Types of malware analysis
Dynamic - dynamic analysis runs the malware to examine its behavior, learn its
functionality and recognize technical indicators. Once all these details are
obtained, they are used in detection signatures. The technical indicators exposed
may comprise IP addresses, domain names, file path locations, additional files and
registry keys found on the network or computer.
The first question is where to start, because it is hard to say how to properly
configure your own test environment. Therefore, it is worth starting with a ready-
made environment with a set of tools, so that in the future you can build your own,
tailored to your needs. Ready solutions allow you to see how industry professionals
do it, what tools they use and how they approach the topic. Just as Kali Linux is a
ready environment for pentesters, flare-vm is a ready environment for malware
analysts. Check this official article to get more information about it. Download
it, install it and play with the tools you will find there. There are tools in
categories like Debuggers, Decompilers, Delphi, Developer Tools, Android Tools,
Disassemblers, Flash, Forensics, Hex Editors, Java, Networking, Office, PDF, PE,
Pentest, Text Editors, Visual Basic, .NET, Python and modules, Web and other useful
utilities. Once you have worked with it for some time, you can create your own
virtual machine and install only the tools you like.
Desktop sandboxes
Sandboxie - runs your programs in an isolated space, which prevents them from
making permanent changes to other programs and data on your computer.
Firejail - is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf.
You can find several free online sandboxes. Remember, however, that if you want to
scan and analyze a private file, by uploading it to an online scanner you share it
with the owners of the service or even publicly. Hence, you should not upload
sensitive data there, especially company data.
Hybrid Analysis - free malware analysis service for the community that detects and
analyzes unknown threats using a unique Hybrid Analysis technology.
AnyRun - interactive online malware analysis service for dynamic and static
research of most types of threats in any environment. It replaces a whole set of
research tools.
JoeSandbox - detects and analyzes potential malicious files and URLs on Windows,
Android, Mac OS, Linux, and iOS for suspicious activities. It performs deep malware
analysis and generates comprehensive and detailed analysis reports.
Self-hosted sandbox
Personally, I know only one free solution that can be self-hosted. This solution is
called Cuckoo Sandbox. Cuckoo Sandbox is the leading open source automated malware
analysis system and it is available on most popular platforms.
Online antivirus and malware analyzers
Antivirus-like tools are also useful for analyzing files: they provide more details
and scan a given file using various anti-virus engines.
AVCaesar - is a malware analysis engine and repository. Your suspicious files can
be analyzed by a set of antivirus engines.
NoDistribute - similar to VirusTotal but does not distribute scan results. For your
own privacy and the privacy of your files, you may not want to share the contents
of your files with the antivirus companies.
Nowadays not only files can be harmful, but also entire pages or the scripts
contained in them. Therefore, it is also worth using sandboxes for URLs. VirusTotal,
mentioned earlier, is not the only service with such a function.
URLhaus - is a project from abuse.ch with the goal of sharing malicious URLs that
are being used for malware distribution.
MetaDefender - trust no file, trust no device. Analyze IP, HASH, CVE, URL.
Zulu by Zscaler - Zulu is a dynamic risk scoring engine for web based content.
CyberChef - A simple, intuitive web app for analysing and decoding data without
having to deal with complex tools or programming languages. CyberChef encourages
both technical and non-technical people to explore data formats, encryption and
compression.
IP, domain and mail
Phishtank - phishing analysis.
AbuseIPDB - Check the report history of any IP address to see if anyone else has
reported malicious activities.
Talos - Talos Threat Source is a regular intelligence update from Cisco Talos,
highlighting the biggest threats each week and other security news.
These are just a few of thousands you can use. You have to start somewhere.
Automated malware analysis
Spybot File Analyzer - FileAlyzer shows basic file content, a standard hex viewer,
and a wide range of customized displays for interpreted complex file structures
that help you understand the purpose of a file.
Hexeditors
OllyDumpEx - This plugin is process memory dumper for OllyDbg and Immunity
Debugger.
Process and registry
Process Hacker - a powerful, multi-purpose tool that helps you monitor system
resources, debug software and detect malware.
Autoruns - This utility, which has the most comprehensive knowledge of auto-
starting locations of any startup monitor, shows you what programs are configured
to run during system bootup or login, and when you start various built-in Windows
applications like Internet Explorer, Explorer and media players.
Packer identifier
Exe info PE - Packer, compressor detector / unpack info / internal exe tools.
XORSearch - XORSearch is a program to search for a given string in an XOR, ROL, ROT
or SHIFT encoded binary file.
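To show what XORSearch actually does under the hood, here is an added example in Python (not XORSearch's own code): it applies every single-byte XOR key, every ROL bit count, every ROT letter rotation and every bit SHIFT to a constructed sample buffer and reports the encoding, key and offset of each occurrence of the searched string.

```python
"""XORSearch-style brute force: find a plaintext string inside a buffer that
was obfuscated with single-byte XOR, ROL, ROT (letters) or a bit SHIFT.
Added example, not XORSearch's own code; the sample buffer is constructed."""
from typing import List, Tuple

def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rol_decode(data: bytes, bits: int) -> bytes:
    # Rotate every byte right by 'bits' (undoes a rotate-left by the same amount).
    return bytes(((b >> bits) | (b << (8 - bits))) & 0xFF for b in data)

def rot_decode(data: bytes, n: int) -> bytes:
    # Caesar shift of ASCII letters by -n; digits and punctuation are untouched.
    def rot(b: int) -> int:
        base = 65 if 65 <= b <= 90 else 97 if 97 <= b <= 122 else None
        return b if base is None else (b - base - n) % 26 + base
    return bytes(rot(b) for b in data)

def shift_decode(data: bytes, bits: int) -> bytes:
    # Shift the whole buffer's bit stream left by 'bits', crossing byte boundaries.
    n = int.from_bytes(data, "big") << bits
    return (n & ((1 << (8 * len(data))) - 1)).to_bytes(len(data), "big")

def search(data: bytes, needle: bytes) -> List[Tuple[str, int, int]]:
    """Return (method, key, offset) for every decoding in which 'needle' occurs."""
    candidates = (
        [("XOR", k, xor_decode) for k in range(256)]      # key 0 = plain text
        + [("ROL", k, rol_decode) for k in range(1, 8)]
        + [("ROT", k, rot_decode) for k in range(1, 26)]
        + [("SHIFT", k, shift_decode) for k in range(1, 8)]
    )
    hits: List[Tuple[str, int, int]] = []
    for name, key, fn in candidates:
        decoded = fn(data, key)
        pos = decoded.find(needle)
        while pos != -1:
            hits.append((name, key, pos))
            pos = decoded.find(needle, pos + 1)
    return hits

# Constructed sample: filler bytes around three obfuscated strings. The decoders
# double as encoders via the inverse key (ROR 5 == ROL 3; XOR and ROT 13 invert themselves).
JUNK = b"\x00\xff\x10\x20MZ\x90\x00"
SAMPLE = (JUNK + xor_decode(b"This program cannot be run in DOS mode", 0x5A)
          + JUNK + rot_decode(b"http://example.test/update.bin", 13)
          + JUNK + rol_decode(b"http://cdn.example.test/file.bin", 5))
```

Decoding the whole buffer once per candidate key is fine for small samples; XORSearch itself works on files of any size and reports the same kind of (encoding, key, offset) result.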
Sooner or later you will want to practice your skills on real samples. Once you
know the tools, you will have to test them. It's best to use examples from everyday
life. There are two nice repositories of malware on GitHub. The first one is Malware
Sample Library and the second is Malware Samples. By searching GitHub you will surely
find more equally interesting examples that will give you the necessary experience.
More malware samples and virus signatures are also available on websites like:
This article is also an occasion to mention a harmless test sample that may
interest people who want to test the security and effectiveness of anti-virus
programs.
The EICAR test file is a computer file that was developed by the European Institute
for Computer Antivirus Research (EICAR) and the Computer Antivirus Research
Organization (CARO) to test the response of computer antivirus (AV) programs.
Instead of using real malware, which could cause real damage, this test file allows
people to test anti-virus software without having to use a real computer virus.
You can download EICAR and use it for free. On the download page there is also a
more detailed description.