Dynamic analysis is one of the two major methods security analysts use to examine potentially malicious software. The other, basic static analysis, methodically inspects the contents of files and programs without running them, looking for signs of malicious intent and specifically for known malware signatures.
Dynamic analysis, on the other hand, involves executing or “detonating” suspicious programs within a virtual sandbox environment and closely monitoring their behavior. This allows analysts to examine potentially harmful malware without putting the host system at risk. It is also crucial for uncovering novel threats that the security community has not yet identified: such threats, which match no previously recognized malware signature, are referred to as zero-day (or zero-hour) threats and are impossible for the simpler, traditional static analysis method to detect.
Dynamic analysis begins after suspicious files have been flagged and sequestered within a sandbox environment. There they are executed (or “detonated”), and the behavior-based analysis starts, observing and logging the program’s actions from outside the sandbox.
The analysis tracks the program’s behavior, looking for any sign of malicious intent: changes it makes to the registry, writes it makes to memory, and calls it makes to remote servers through APIs. Supplementary network analysis can also reveal the type and quantity of data the suspicious program leaks and, potentially, the specifics of its remote command-and-control infrastructure.
Although dynamic analysis generally yields a higher detection rate than simple static analysis, increasingly sophisticated malware authors have built malware specifically to defeat it.
Such advanced malware includes context-aware malware that can delay its attacks, malware that can detect sandbox artifacts and hide its true functionality, and malware that exploits innate weaknesses in the sandbox environment itself.
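The following is an added example, not code from the original article or from any sandbox product, showing how the behavior log described above (registry changes, files written, API calls, network connections and data volume) can be turned into findings, including the long delay that context-aware malware uses to outlast a sandbox run. The log format, the event names and the sleep threshold are assumptions made for this example, and the sample log lines are constructed.

```python
import re
# Constructed sample of behaviour events as a monitor outside the sandbox might
# record them; the "<seconds> <event> <detail>" layout is an assumption for this
# example, not the output format of any real sandbox product.
SAMPLE_LOG = """\
0.2 registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater=C:\\Users\\Public\\svc.exe
0.3 file_write C:\\Users\\Public\\svc.exe
1.0 api_call Sleep(300000)
301.5 net_connect 203.0.113.7:443
302.4 net_send 203.0.113.7:443 bytes=18432
303.0 net_send 203.0.113.7:443 bytes=4096
"""
# Autostart registry location: a write here grants persistence across reboots.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Sleeps at or above this many ms count as a deliberate delay (assumed threshold).
LONG_SLEEP_MS = 60_000

def parse_log(text):
    """Turn log lines into (seconds, event_kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        t, kind, detail = line.split(" ", 2)
        events.append((float(t), kind, detail))
    return events

def analyze(events):
    """Collect the behavioural findings the text describes from an event stream."""
    f = {"persistence": [], "dropped_files": [], "delays_ms": [],
         "remote_hosts": set(), "bytes_out": 0}
    for _, kind, detail in events:
        if kind == "registry_set" and RUN_KEY.search(detail):
            f["persistence"].append(detail)               # registry change
        elif kind == "file_write" and detail.lower().endswith(".exe"):
            f["dropped_files"].append(detail)             # executable written to disk
        elif kind == "api_call":
            m = re.fullmatch(r"Sleep\((\d+)\)", detail)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                f["delays_ms"].append(int(m.group(1)))   # context-aware delay
        elif kind == "net_connect":
            f["remote_hosts"].add(detail)                 # candidate C2 endpoint
        elif kind == "net_send":
            host, _, rest = detail.partition(" ")
            f["remote_hosts"].add(host)
            f["bytes_out"] += int(rest.split("=", 1)[1])  # volume leaked
    return f

def verdict(f):
    """Persistence plus outbound traffic is the strongest combined signal here."""
    if f["persistence"] and f["remote_hosts"]:
        return "malicious"
    if f["delays_ms"] or f["dropped_files"]:
        return "suspicious"
    return "no behavioural indicators"
```

Note that the network events only appear after the 300-second sleep: if the sandbox's run time is shorter than that delay, the log ends at the sleep and the verdict drops to "suspicious", which is why the analysis window must outlast any delay the sample introduces.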