Malware Analysis is a study or process of determining the origin, purpose, functionality, and potential impact of a malware specimen. Malware analysis also consists of two popular methods: static analysis and dynamic analysis. These two methods can be used either separately or in tandem as part of a more comprehensive defense-in-depth approach.
Static analysis works by examining a file or program’s code and contents ‘from the outside’. It then cross-checks these contents against a database of known malware indicators for any similarities that may hint at a dangerous payload.
Dynamic analysis (or behavioral analysis), on the other hand, studies specimens ‘from the inside’ by executing or “detonating” suspected programs inside a virtual sandbox that mimics a real system. Once executed, the malware specimen is closely monitored, and any actions it takes are meticulously logged, allowing security researchers to see how the sample would perform in a real system without putting one at risk.
A static malware analysis involves examining the hash, strings, imported functions, and DLLs of a suspected sample, as well as any embedded scripts, macros, and other elements that may indicate potentially-malicious intent. Clean files are quickly flagged as safe, while those exhibiting higher risk are passed along for more in-depth dynamic analysis.
Once a suspicious specimen is flagged and passed along for deeper analysis, it is immediately placed within a specially prepared sandbox environment which is a virtual environment where files can be executed without risking damage to a real system or potentially interfering with the proper analysis of suspicious specimens.
This is where dynamic analysis is conducted. This level of malware analysis is crucial for uncovering novel threats that have not yet been studied or identified by the broader computer security community. Such threats are called zero-day (or zero-hour) threats. Zero-day threats don’t match the profiles of known malware examples and can slip easily past signature-based detection methods as a result.
Once placed within this sequestered sandbox environment, the specimen program is executed or “detonated.” From there, all of the program’s behavior is monitored and plotted very carefully. Analysts will then monitor for any behavior that may indicate nefarious intent, and will pay particular attention to changes the program attempts to make within the registry, calls it tries to make using APIs, and writes it tries to make to memory. Researchers may also reference network data to uncover the kinds of data the suspicious program is intent on leaking to the outside the network, which can potentially be indicative of a remote command and control apparatus.