Feature: Playing hackers at their own game
Section snippets
Different approaches
When it comes to reverse engineering a piece of malware, there are several approaches that you can take, depending on both your goals and the nature of the malware sample itself. First, if you’re curious, you can completely reverse engineer a piece of malware from beginning to end. However, this can take a significant amount of time and so is not typically the preferred method when you’re looking for specific answers. Another approach is to focus just on the exploitation techniques used by a
Techniques
Static analysis is an important technique to use when examining malware. This is the process of analysing malware or binaries without actually running them. It can be as simple as looking at a file's metadata, but can also range from disassembly or decompilation of the malware's code to symbolic execution, which is something like the execution of a binary in a virtual rather than a real environment. In contrast, dynamic analysis is the process of analysing a piece of malware by running it in a live
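The simplest form of static analysis described above, reading a file's metadata without executing it, as an added example that is not from the article: a small Python parser that reads a PE file's COFF header and section table and flags sections that are both writable and executable or have packer-like high entropy. The PE image is constructed inline (it is not a real binary and its optional header is truncated), and the writable-and-executable and entropy-threshold triage rules are assumptions of this example, not the article's.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristic bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000

def entropy(data):
    """Shannon entropy in bits/byte; values near 8.0 suggest packed or encrypted content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(buf):
    """Read the COFF header and section table from a PE image without executing it."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    magic = struct.unpack_from("<H", buf, pe_off + 24)[0]   # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, pe_off + 24 + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(entropy(buf[rptr:rptr + rsize]), 2),
            "w_and_x": bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B, "timestamp": stamp, "sections": sections}

def triage(report, entropy_threshold=7.0):
    """Names of sections that are writable+executable or look packed (assumed heuristic)."""
    return [s["name"] for s in report["sections"]
            if s["w_and_x"] or s["entropy"] > entropy_threshold]

def build_sample():
    """Constructed minimal PE32+ image for the demo (not a real binary; optional header truncated)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 16, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 14                    # PE32+ magic, rest zeroed
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, 0x100, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x10000, 0x2000, 256, 0x140, 0, 0, 0, 0, 0xE0000040)
    hdr = dos + coff + opt + sec1 + sec2
    text = bytes([0x90]) * 32 + bytes([0xC3]) * 32                 # low-entropy "code"
    packed = bytes(range(256))                                     # every byte value once: entropy 8.0
    return hdr + b"\0" * (0x100 - len(hdr)) + text + packed
```

Running `triage(parse_pe(build_sample()))` on the constructed image reports only the `UPX1` section, which is both writable and executable and has maximal entropy.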
Tools
Here is an outline of some of the most common and useful tools that we use for analysing malware samples. These will allow you to set up an inexpensive and flexible laboratory to examine the inner workings of malicious software and uncover the characteristics of real-world malware samples.
IDA Pro is a really good tool for analysing various samples of malware with diverse backgrounds [1]. It also has a good add-on called the Hex-Rays Decompiler, which
Conclusion
Understanding the capabilities of malware is critical to an organisation's ability to derive threat intelligence, respond to information security incidents and fortify its defences.
Malware analysis can help incident responders assess the severity and repercussions of a situation that involves malicious software so that they can plan their recovery accordingly. Forensic investigators can use it to learn about the key characteristics of malware discovered during the examination and to establish
About the author
Patrick Snyder joined AlienVault (www.alienvault.com) as senior manager of the Labs team in 2015. His extensive background includes a strong focus on security research and malware analysis as well as more general IT experience in software development, implementation and technical support. He works with the Labs team to identify and analyse global threats and vulnerabilities and transform raw threat data into actionable threat intelligence.
References (17)
‘IDA: About’. Hex-Rays
Radare
GDB: The GNU Project Debugger, home page. Accessed Oct...
‘Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)’. Microsoft
Wind River, home page
PEiD, home page. Aldeid
PEStudio, home page
Personal Editor 32/64, home page