Elsevier

Network Security

Volume 2016, Issue 11, November 2016, Pages 14-16

Feature
Playing hackers at their own game

https://doi.org/10.1016/S1353-4858(16)30105-2

To really understand how something is made, you need to take it apart and then put it back together again. Similarly, when it comes to comprehending the damage that a piece of malware could inflict on your network – and to really get inside a hacker's mindset – it's important to retrace their steps and find out how a piece of malware really works.

Section snippets

Different approaches

When it comes to reverse engineering a piece of malware, there are several approaches that you can take, depending on both your goals and the nature of the malware sample itself. First, if you’re curious, you can completely reverse engineer a piece of malware from beginning to end. However, this can take a significant amount of time and so is not typically the preferred method when you’re looking for specific answers. Another approach is to focus just on the exploitation techniques used by a

Techniques

Static analysis is an important technique to use when examining malware. It is the process of analysing malware or binaries without actually running them. It can be as simple as looking at the metadata of a file, but it can also range from disassembly or decompilation of the malware's code to symbolic execution, which is something like executing the binary in a virtual rather than a real environment. In contrast, dynamic analysis is the process of analysing a piece of malware by running it in a live
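
The simplest form of static analysis mentioned above, reading a file's metadata without executing it, can be shown in a few dozen lines. The following is an added example, not code from the article or from AlienVault: a small PE header parser that reports the target machine, the compile timestamp, each section's size, entropy and protection flags, and the printable strings in the image. The sample it parses is a constructed, minimal PE-like byte string built inline (not a real malware file), so it runs offline; the section names, timestamp and API names embedded in it are assumptions chosen for illustration.

```python
"""Static PE metadata triage: headers, sections, entropy and strings.

Added example (not the article's code). Parses only the fields needed for a
first look at a sample and runs on a constructed PE-like image.
"""
import math
import re
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or encrypted sections usually sit close to 8.0,
    plain code and text well below it; a useful hint, not a verdict."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, the same idea as the classic `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    # First word of the optional header is its magic: 0x10B = PE32, 0x20B = PE32+.
    magic = struct.unpack_from("<H", blob, opt)[0] if opt_size >= 2 else None
    sections = []
    off = opt + opt_size
    for _ in range(nsections):
        name, _vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", blob, off)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
            # Writable and executable at once is a common self-modifying/unpacking stub trait.
            "writable_executable": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
        off += 40
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "pe32_plus": magic == 0x20B,
        "sections": sections,
    }


def build_sample() -> bytes:
    """Constructed minimal PE-like image (assumption: not a real binary)."""
    text = bytes(range(0x80, 0xA0))                    # 32 distinct bytes -> entropy 5.0
    rdata = b"CreateRemoteThread\0VirtualAllocEx\0"      # constructed import-name strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x57F00000, 0, 0, 2, 0x0022)
    opt = struct.pack("<H", 0x20B)                     # PE32+ magic only
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(text), 0x100, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".rdata", 0x1000, 0x2000, len(rdata), 0x120, 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + opt + sec1 + sec2
    return header.ljust(0x100, b"\0") + text + rdata   # .text at 0x100, .rdata at 0x120


if __name__ == "__main__":
    image = build_sample()
    report = parse_pe(image)
    print(report["machine"], report["compiled_utc"], "PE32+" if report["pe32_plus"] else "PE32")
    for s in report["sections"]:
        print(f"{s['name']:8} va=0x{s['virtual_address']:x} size={s['raw_size']} "
              f"entropy={s['entropy']} W+X={s['writable_executable']}")
    print([s.decode() for s in extract_strings(image)])
```

Run against a real file, the same parser gives the analyst a compile timestamp to compare with the file's claimed provenance, section entropies that hint at packing before any disassembler is opened, and the import-style strings that suggest which Windows APIs the sample may call, all without executing it.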

Tools

Here is an outline of some of the most common and useful tools that we use for analysing malware samples. These will allow you to set up an inexpensive and flexible laboratory to examine the inner workings of malicious software and uncover the characteristics of real-world malware samples.

Radare is a free, open-source reversing framework.

IDA Pro is a really good tool for analysing various samples of malware with diverse backgrounds.1 It also has a good add-on called HEX Rays Decompiler, which

Conclusion

Understanding the capabilities of malware is critical to an organisation's ability to derive threat intelligence, respond to information security incidents and fortify its defences.

Malware analysis can help incident responders assess the severity and repercussions of a situation that involves malicious software so that they can plan their recovery accordingly. Forensic investigators can use it to learn about the key characteristics of malware discovered during the examination and to establish

About the author

Patrick Snyder joined AlienVault (www.alienvault.com) as senior manager of the Labs team in 2015. His extensive background includes a strong focus on security research and malware analysis as well as more general IT experience in software development, implementation and technical support. He works with the Labs team to identify and analyse global threats and vulnerabilities and transform raw threat data into actionable threat intelligence.

References (17)

  • ‘IDA: About’. Hex-Rays
  • Radare, home page
  • GDB: The GNU Project Debugger, home page. Accessed Oct...
  • ‘Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)’. Microsoft
  • Wind River, home page
  • PEiD, home page. Aldeid
  • PEStudio, home page
  • Personal Editor 32/64, home page
