Dynamic Malware Analysis
Running malware in a controlled environment to observe its behavior.
Basic Dynamic Analysis
Malware should only be analyzed in a controlled environment, ideally a virtual machine.
Sandbox setup:
- Isolated machine (virtual machine) not connected to live/production systems.
- Ability to save initial clean state and revert to it after analysis (snapshot).
- Monitoring tools to analyze malware while executing inside VM.
- File-sharing mechanism to introduce malware into VM and send analysis data/reports out.
Virtualization:
- Commercial/free tools available: Oracle’s VirtualBox, VMware’s Player/Workstation.
- VMware Workstation/VirtualBox have a snapshot option, which makes them suitable for malware analysis.
- Server-based virtualization software: XenServer, QEMU, ESXi.
Analysis Tools:
- Install analysis tools on VM before running malware.
- Take snapshot before running malware. Revert to snapshot after analysis to ensure no contamination.
File-sharing:
- Options: shared folder, creating/mounting iso, clipboard copy/paste.
- More isolated option = safer for host OS.
Top dynamic analysis tools:
ProcMon: Process Monitor (ProcMon) is a tool that monitors and displays real-time file system, registry, and process/thread activity. It can help identify the actions taken by a program or malware during execution.
API Logger and API Monitor: These tools allow you to monitor and control API calls made by a process. They can help identify the functions being called by a program or malware during execution.
Process Explorer: Process Explorer is a tool that provides detailed information about running processes, including their open handles and loaded DLLs. It can help identify the resources being used by a program or malware during execution.
Regshot: Regshot is a tool that takes snapshots of the registry and compares them to identify changes. It can help identify the changes made to the registry by a program or malware during execution.
Advanced Dynamic Analysis
Malware hides or masquerades as legitimate software to evade static/dynamic analysis.
Focus of evading static analysis: obfuscate true functionality until executed.
Techniques for evading static analysis:
- Change hash: slightly change malware to change hash/bypass hash-based detection.
- Defeat AV signatures: change patterns in malware to evade signature-based detection.
- Obfuscate strings: decode important strings at runtime.
- Runtime loading of DLLs: use LoadLibrary/LoadLibraryEx to load DLL at runtime.
- Packing/Obfuscation: pack malware in wrapper, decode at runtime.
Techniques for evading dynamic analysis:
- Identify VMs: check for registry keys/device drivers associated with virtualization software. Take non-malicious execution path if identified.
- Timing attacks: time out automated analysis systems by sleeping for a long time.
- Check for user activity: take benign execution path if no/few traces found.
- Identify analysis tools: check for popular monitoring tools among running processes. Take benign execution path if identified.
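As an added example (not part of the original notes), the following Python script triages a ProcMon CSV export of the kind produced by the tools listed above: it summarises what one process wrote to disk and the registry, which children it spawned, and whether it touched autostart keys or queried registry paths belonging to virtualization products, the VM-identification check described in the evasion list. The sample export, process names, PIDs and paths are constructed for this example; only the column names follow ProcMon's default CSV layout.

```python
import csv
import io

# Constructed sample of a ProcMon CSV export (File > Save... > CSV). Column
# names are ProcMon's default; the events, paths and PIDs are made up here.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","sample.exe","4120","Process Start","","SUCCESS","Parent PID: 3020"
"10:01:02.0102","sample.exe","4120","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.0110","sample.exe","4120","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 24,576"
"10:01:02.0200","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\analyst\\AppData\\Roaming\\svc.exe"
"10:01:02.0300","sample.exe","4120","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest","NAME NOT FOUND",""
"10:01:02.0400","sample.exe","4120","Process Create","C:\\Users\\analyst\\AppData\\Roaming\\svc.exe","SUCCESS","PID: 4188, Command line: svc.exe"
"10:01:03.0000","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Classes\\exefile","SUCCESS","Type: REG_SZ"
"""
# Registry locations whose modification commonly means persistence (autostart).
PERSISTENCE_KEY_HINTS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Substrings of registry paths belonging to virtualization products; a sample
# looking these up is probably checking whether it runs inside a VM.
VM_ARTIFACT_HINTS = ("vbox", "virtualbox", "vmware", "qemu")

def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by ProcMon's column names."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(events, process_name):
    """Summarise what one process did: files written, registry values set,
    child processes spawned, autostart writes and lookups of VM artifacts."""
    report = {"files_written": [], "registry_set": [], "children": [],
              "persistence": [], "vm_checks": []}
    for ev in events:
        if ev["Process Name"].lower() != process_name.lower():
            continue
        op, path, ok = ev["Operation"], ev["Path"], ev["Result"] == "SUCCESS"
        lpath = path.lower()
        if op == "WriteFile" and ok and path not in report["files_written"]:
            report["files_written"].append(path)
        elif op == "RegSetValue" and ok:
            report["registry_set"].append(path)
            if any(h in lpath for h in PERSISTENCE_KEY_HINTS):
                report["persistence"].append(path)
        elif op == "Process Create":
            report["children"].append(path)
        # Failed lookups count too: NAME NOT FOUND on a VBox key is itself a tell.
        if op.startswith("Reg") and any(h in lpath for h in VM_ARTIFACT_HINTS):
            report["vm_checks"].append(path)
    return report
```

Call `triage(parse_procmon_csv(text), "sample.exe")` on a real export saved from ProcMon to get the same summary for the sample under analysis; the event list is untouched, so the same events can be re-filtered for any child process afterwards.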
Debugging
Debugging: identifying/fixing bugs in a program. A malware reverse engineer uses a debugger to step through the sample and remove the roadblocks that prevent its malicious activity from executing under analysis.
Interactive debugging: essential for advanced malware analysis. Monitor running program closely, look at changes in registers/variables/memory regions.
Debugger: allows analyst to change variable values/control program flow at runtime.
Types of Debuggers:
- Source-Level Debuggers: work on source code level. High-level debugger. See local variables/values.
- Assembly-Level Debuggers: debug compiled programs at assembly level. See CPU registers/values and debuggee’s memory. Most common for malware reverse engineering.
- Kernel-Level Debuggers: debug programs at the kernel level. Two systems required. If the kernel is stopped at a breakpoint, the whole system stops.