How it Works
Malware analysis can be a complex process. Malware authors design their code to evade detection and to defeat the defenses on an infected computer, using techniques such as packing, obfuscation, and checks for debuggers and virtual machines, so analysts need a range of techniques to get past those protections. Malware analysis is usually a multi-stage process: analysts first use automated tools to gain a high-level understanding of what a sample does, then dive deeper with manual analysis into the areas of interest that this triage identified.
Types of Malware Analysis
Malware analysts can use a few different tools and techniques to understand how malware works. Some of the most common include:
- Static Analysis: Static analysis examines a sample without running it. Triage typically starts with file metadata: hashes, file type and headers, embedded strings, and imported functions. Deeper work uses disassemblers such as the Interactive Disassembler (IDA) or Ghidra to convert machine code into human-readable assembly and, with their decompilers, into C-like pseudocode. Static application security testing (SAST) tools scan source code for known vulnerability patterns; because most malware arrives as a compiled binary, they play a smaller role than disassembly. Static analysis is also limited by packing and obfuscation, which hide the real code until it is unpacked at runtime.
- Dynamic Analysis: Dynamic analysis runs the sample, in an isolated virtual machine or sandbox, and records what it does at runtime: the files and registry keys it touches, the processes it spawns, and the network connections it makes. A debugger (for example x64dbg or WinDbg on Windows) lets the analyst start and stop execution, inspect memory and registers, and change program state at any point. Dynamic application security testing (DAST) tools are built for probing running web applications and are rarely useful against malware; runtime analysis of an executable relies on debuggers, API-call monitors and sandboxes instead. Because the sample actually executes, it must be run on an isolated, disposable system, and malware that detects a VM or an attached debugger may behave differently than it would on a victim machine.
- Hybrid Analysis: Hybrid analysis combines static and dynamic techniques. Static triage decides what to run and what to watch for; dynamic results, such as unpacked code dumped from memory or a decrypted configuration, then feed further static work. This gives greater insight into how the malware works and lets analysts extract more useful information for detecting and remediating an infection.
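As an added example (not from the original page and not Check Point code), the following Python script performs the first static triage step on a constructed, minimal PE image: it checks the MZ and PE signatures, reads the COFF file header with struct, hashes the file, extracts printable strings and flags API names commonly associated with process injection. The sample bytes, the API watchlist and the six-character string threshold are assumptions for illustration; a real sample would also need its optional header, section table and import directory parsed, which a library such as pefile does.

```python
"""Static triage of a constructed PE sample: header fields, hashes, strings.
Added example; the sample is a hand-built minimal PE image, not real malware."""
import hashlib
import json
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
# Assumed watchlist: APIs that often appear in process-injection code.
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory",
                   "VirtualAllocEx", "SetWindowsHookExA"}


def build_sample() -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, a few strings."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew at 0x3C
    dos_stub = b"\x00" * (0x80 - len(dos_header))
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,       # Machine: x86-64
        2,            # NumberOfSections
        1700000000,   # TimeDateStamp (2023-11-14 UTC)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        240,          # SizeOfOptionalHeader
        0x0022,       # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    body = (b"\x00" * 16
            + b"http://c2.example.invalid/gate.php\x00"   # constructed C2 URL
            + b"CreateRemoteThread\x00"                   # injection API name
            + b"Global\\MutexLock-7F3A\x00"                # constructed mutex name
            + b"\x01\x02ab\x00")                          # too short to be a string
    return dos_header + dos_stub + b"PE\0\0" + coff + body


def parse_headers(data: bytes) -> dict:
    """Read the DOS header pointer and the 20-byte COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, the identifiers used to look a sample up elsewhere."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode() for m in
            re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    found = strings(data)
    return {
        "headers": parse_headers(data),
        "hashes": hashes(data),
        "strings": found,
        "suspicious_apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
    }


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

The timestamp is worth reporting but not trusting: compilers write it, but so can the attacker, so a plausible date is a hint and not evidence.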
Increasingly, malware analysis is performed using sandboxes that apply these techniques automatically. For example, online services like VirusTotal accept uploaded files, scan them with many antivirus engines, detonate them, and report the key results to the user. Two caveats apply to public services: an uploaded file becomes available to other subscribers, so it must not contain confidential data, and attackers who monitor such services can learn that their sample has been discovered. Security platforms also use sandboxes inline to detonate unknown files and identify novel and zero-day threats before they enter or infect an organization’s systems.
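The paragraph above describes observing a sample's behavior at runtime. As an added example (not the page's code and not any vendor's product), here is a minimal in-process monitor for Python scripts built on sys.addaudithook: it records file writes, directory listings, deletions, process launches and socket connects while a constructed stand-in for a dropper runs, then summarizes them the way a sandbox report would. The dropper function, the watched event list and the loopback "C2" address are assumptions for illustration; real samples are native binaries and must be detonated in an isolated, disposable VM, never in the analyst's own interpreter.

```python
"""In-process behavioral trace for Python scripts via sys.addaudithook.
Added example; the 'dropper' is a harmless constructed stand-in."""
import os
import socket
import sys
import tempfile

# Warm tempfile's directory cache outside recording: its first call probes
# candidate directories with create/unlink, which would pollute the trace.
tempfile.gettempdir()

WATCHED = {"open", "os.listdir", "os.remove",
           "socket.connect", "subprocess.Popen", "os.system"}
_trace: list = []
_recording = False


def _audit(event: str, args: tuple) -> None:
    # Keep the hook cheap and free of calls that themselves raise audit events.
    if _recording and event in WATCHED:
        _trace.append((event, args))


sys.addaudithook(_audit)  # cannot be removed once installed; gated by _recording


def run_sample(sample) -> list:
    """Run a callable with recording on and return the captured events."""
    global _recording
    _trace.clear()
    _recording = True
    try:
        sample()
    finally:
        _recording = False
    return list(_trace)


def sample_dropper() -> None:
    """Constructed behavior: drop a payload, enumerate a directory, try to reach
    a 'C2' (a closed loopback port, so no real network traffic leaves the host),
    then clean up."""
    workdir = tempfile.mkdtemp(prefix="sandbox-")
    payload = os.path.join(workdir, "payload.bin")
    with open(payload, "wb") as f:
        f.write(b"\x90" * 16)
    os.listdir(workdir)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.5)
            s.connect(("127.0.0.1", 9))  # assumed C2 stand-in; expect refusal
    except OSError:
        pass
    os.remove(payload)
    os.rmdir(workdir)


def summarize(trace: list) -> dict:
    """Turn raw audit events into the fields a sandbox report usually shows."""
    return {
        "files_written": sorted({str(a[0]) for ev, a in trace
                                 if ev == "open" and "w" in str(a[1])}),
        "dirs_listed": sorted({str(a[0]) for ev, a in trace if ev == "os.listdir"}),
        "files_deleted": sorted({str(a[0]) for ev, a in trace if ev == "os.remove"}),
        "connections": sorted({f"{a[1][0]}:{a[1][1]}" for ev, a in trace
                               if ev == "socket.connect"}),
        "spawned": [a for ev, a in trace if ev in ("subprocess.Popen", "os.system")],
    }


if __name__ == "__main__":
    for key, value in summarize(run_sample(sample_dropper)).items():
        print(f"{key}: {value}")
```

The connect event is recorded before the connection is attempted, so the report shows the intended C2 address even though the connection is refused; that mirrors how sandboxes capture beaconing targets when the real C2 is offline.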
Malware Analysis Use Cases
The goal of malware analysis is to learn how a threat works. This knowledge has various applications within an organization, including the following:
- Threat Detection: Malware analysis is commonly used to extract indicators of compromise (IoCs) from new malware variants: file hashes, command-and-control domains and IP addresses, mutex names, file paths and registry keys. Security tools and analysts can then use these IoCs to identify infections, bearing in mind that hashes and domains are cheap for an attacker to change, so detections based on behavior last longer.
- Threat Hunting: The same analysis supports proactive threat hunting. Rather than waiting for an alert, hunters use their understanding of how a variant behaves to search endpoints, logs and network telemetry for signs of an infection that existing detections missed.
- Incident Response: Malware analysis shows what actions the malware takes on an infected system, such as its persistence mechanisms, lateral movement and data staged for exfiltration. This is invaluable when incident responders are determining the scope of an infection and how to eradicate it from affected systems.
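To show how the threat-detection and threat-hunting use cases above are put into practice, the following added example (not from the original page) extracts URLs, routable IP addresses and domains from strings recovered from a sample, defangs them for safe sharing, and sweeps log lines for matches per host. The sample strings, the proxy/DNS log lines, the allowlist and the RFC 5737 documentation address 198.51.100.77 are all constructed assumptions; the private-network and binary-extension filters are the noise reduction an analyst would add before trusting automated extraction.

```python
"""Extract network IoCs from recovered strings and sweep log lines for them.
Added example; all inputs are constructed, not taken from real malware."""
import ipaddress
import re
from urllib.parse import urlsplit

# Strings as static triage or a sandbox run might recover them (constructed).
SAMPLE_STRINGS = [
    "http://c2.example.invalid/gate.php",
    "198.51.100.77",                               # documentation address as C2
    "10.0.0.1",                                    # private, noise
    "127.0.0.1",                                   # loopback, noise
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",   # user agent, not an IoC
    "update.example.invalid",
    "kernel32.dll",                                # looks like a domain, is not
    "www.microsoft.com",                           # benign, allowlisted
]

# Constructed proxy/DNS log lines to sweep.
LOG_LINES = [
    "2024-05-02T10:01:07Z host=ws-17 dst=198.51.100.77 dport=443 action=allow",
    "2024-05-02T10:01:09Z host=ws-17 url=http://c2.example.invalid/gate.php status=200",
    "2024-05-02T10:02:33Z host=ws-04 url=https://www.microsoft.com/ status=200",
    "2024-05-02T10:05:41Z host=ws-22 dns=update.example.invalid rcode=NXDOMAIN",
]

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
BINARY_EXT = {"dll", "exe", "sys", "ocx", "pdb", "dat", "tmp"}
ALLOWLIST = {"microsoft.com", "windowsupdate.com"}   # assumed benign domains


def routable(ip: str) -> bool:
    """True for a syntactically valid address outside private/loopback ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NOISE_NETS)


def allowlisted(domain: str) -> bool:
    d = domain.lower()
    return any(d == a or d.endswith("." + a) for a in ALLOWLIST)


def extract_iocs(strings) -> dict:
    iocs = {"urls": set(), "ips": set(), "domains": set()}
    for s in strings:
        urls = URL_RE.findall(s)
        if urls:
            for u in urls:
                iocs["urls"].add(u)
                host = urlsplit(u).hostname or ""
                if routable(host):
                    iocs["ips"].add(host)
                elif host and not allowlisted(host):
                    iocs["domains"].add(host)
        elif IPV4_RE.match(s):
            if routable(s):
                iocs["ips"].add(s)
        else:
            for d in DOMAIN_RE.findall(s):
                tld = d.rsplit(".", 1)[1].lower()
                if tld not in BINARY_EXT and not allowlisted(d):
                    iocs["domains"].add(d.lower())
    return iocs


def defang(ioc: str) -> str:
    """Make an IoC safe to paste into reports and chat without auto-linking."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def sweep(iocs: dict, lines) -> list:
    """Report every (line, host, kind, ioc) where an IoC appears as a whole token."""
    hits = []
    for i, line in enumerate(lines):
        host = re.search(r"\bhost=(\S+)", line)
        for kind, values in iocs.items():
            for v in sorted(values):
                if re.search(rf"(?<![\w.]){re.escape(v)}(?![\w.])", line, re.I):
                    hits.append({"line": i, "host": host.group(1) if host else None,
                                 "kind": kind, "ioc": v})
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_STRINGS)
    for kind, values in found.items():
        print(kind, [defang(v) for v in sorted(values)])
    for hit in sweep(found, LOG_LINES):
        print(hit)
```

The NXDOMAIN line is the hunting case: the connection never succeeded, but the lookup alone shows ws-22 ran the sample, which is why DNS logs are worth sweeping even when the C2 domain is already sinkholed.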
Benefits of Malware Analysis
Some of the primary benefits of malware analysis include the following:
- Threat Intelligence: IoCs and behavioral indicators extracted from identified malware variants can be shared with other teams and organizations and used to identify infections on other systems.
- Malware Understanding: Malware analysis provides an understanding of malware’s purpose and how it works. This can be used to develop more effective defenses against it or eradicate an infection.
- Vulnerability Analysis: A zero-day malware sample may exploit a previously unknown vulnerability. Analyzing how the malware triggers the bug reveals the vulnerable component and the conditions the exploit needs, which guides a patch or an interim mitigation.
- Education and Skills Development: Malware analysis is a useful skill for cybersecurity analysts, and practice builds it. Analyzing malware also teaches how a particular objective, such as stealing sensitive data or evading defensive tools, is accomplished in practice.
Malware Analysis with Check Point
Check Point Research performs extensive analysis of malware to gain insight into the evolving cyber threat landscape and to improve its ability to prevent various cyberattacks. The information extracted from this analysis feeds into its cybersecurity tools, enabling them to stay ahead of new malware campaigns.
Check Point Harmony also integrates malware analysis capabilities to identify novel and zero-day malware variants. To learn more about Harmony’s use of malware analysis and how it can protect your organization against malware, sign up for a free demo today.