A Guide to Malware Analysis: Day 1
Security researcher fairycn delivers a comprehensive guide to malware analysis, explaining how to understand and prevent computer viruses.
Note: This article is an English translation of an article written in another language. If you are having trouble reading it, I will improve the translation.
What is a computer virus?
- Definition: A computer virus is "a set of computer instructions or program code that is inserted into a computer program by the programmer to disrupt computer functions or destroy data, affect the use of the computer and is capable of self-replication".
- Broadly speaking: Because a virus on a computer can slow the machine down, crash it, or destroy the system, it can cause a lot of damage to the user. In this case we usually call the program with the destructive effect a computer virus, and the term can also cover any malicious program that harms the user or the computer network in some way, such as Trojan horses, worms, rootkits, adware, bundled software, spyware, ransomware, etc.
- In summary: Programs that can cause harm.
Famous cases of computer viruses
- Mydoom – $38 billion
- Sobig – $30 billion
- ILOVEYOU – $15 billion
- WannaCry – $4 billion
- Zeus – $3 billion
- Code Red – $2.4 billion
- Slammer – $1.2 billion
- CryptoLocker – $665 million
- Sasser – $500 million
How are computer viruses classified?
To better understand computer viruses, they are often classified in the following ways.
Vector classification
- Boot virus: A computer virus that resides in the boot sector or master boot record of a disk. This type of virus takes advantage of the fact that the system does not check whether the contents of the master boot record are correct when booting: it invades the system during the boot process, stays resident in memory, monitors system operation, and infects and destroys on standby.
- File-based viruses: mainly infect executable files (.exe) and command files (.com) on the computer. A file-based virus modifies the original file so that it becomes a new virus-bearing file; once the computer runs that file it is infected, and the virus spreads further.
- Hybrid virus: A computer virus that uses both the boot-virus and the file-virus parasitic method.
Linking method
- Source code type virus: Attacks a program written in a high-level language, where the virus is inserted into the source program before the program written in the high-level language is compiled, and becomes part of the legitimate program upon successful compilation.
- Embedded virus: A virus that embeds itself into an existing program, linking the main program of the computer virus with the object it attacks by insertion.
- Operating system type virus: A virus that adds itself to the operating system or replaces part of it with its own program. It is so destructive that it can bring down an entire system; moreover, because the operating system itself is infected, this virus replaces legitimate program modules of the operating system with its own program fragments while it is running.
Systems attacked
- DOS viruses: Computer viruses that can only run in a DOS environment (boot viruses are not limited to the DOS operating system; certain early viruses that simply occupied the boot record as the virus body could still destroy the boot record of a computer's hard disk). These were the first infectious computer viruses to appear.
- Windows virus: A virus that infects Windows executable programs and can run under Windows.
- UNIX, Linux viruses: viruses that infect only Unix and Linux operating systems.
- IoT viruses: Infections that target hardware.
- APP viruses: Infections carried out on mobile APPs.
Functional classification
- Worm: can replicate itself and infect other computers.
- Backdoors: allow attackers to bypass security authentication and take remote control of an infected computer.
- Botnet: A network of a large number of infected computers that can launch large-scale network attacks, such as DDoS attacks.
- Trojan horse: A specially programmed Trojan horse takes control of another computer. Unlike ordinary viruses, it does not reproduce itself and does not deliberately infect other files. It disguises itself to lure users into downloading and executing it, giving the perpetrator a portal into the host computer, so that the perpetrator can destroy and steal the victim's files at will, or even remotely control the host computer.
- Downloaders, launchers: used to download and execute malicious code from other viruses.
- Spyware: malicious code that collects information from the victim's computer and sends it to the attacker.
- Adware: computer programs with advertisements that are used as a source of profit. This type of software often forces installation and cannot be uninstalled; collects user information in the background for profit, endangering user privacy; and frequently pops up ads, consuming system resources and making it run slower, etc.
- Bundled software: Software that automatically installs one or more additional pieces of software when the user installs a program. The extras are installed silently during installation, without asking the user whether they want them.
- Rootkit: A tool that gains root access to a computer and can be used to hide other computer viruses.
- Ransomware: A virus that demands a ransom by encrypting the infected user's files or hard drive.
- Spamming virus: A virus that infects a user's computer and then uses system and network resources to send out large amounts of spam, such as advertising emails, phishing emails, etc.
Target of attack
- Popular computer viruses: Ransomware, for example, uses a cast-net approach and is designed to infect as many machines as possible. This type of malicious code is more common, with more obvious malicious behaviour, and is easily detected and defended against.
- Targeted computer viruses: such as bespoke backdoor viruses developed to target specific organisations. They are not widely spread, samples are difficult to collect, the code is very complex, and analysing them often requires advanced analysis skills. An example is Stuxnet, which targeted nuclear industry systems.
So what is computer virus analysis?
Computer virus analysis usually provides the information needed for the emergency response to a computer virus incident, and includes the following elements of analysis:
- What did the virus do to the system?
- Locate the infected computer and the suspicious program.
- Analyse the suspicious files.
- Extract signature codes that can detect the virus on the system and the network.
- Measure and eliminate the damage caused by the computer virus.
So what is the goal of computer virus analysis?
- Analyse how the infection was made
- Analyse the flow of the virus
- Analyse the risk of the virus running
- Analyse how to identify the virus
- Analyse how to eliminate the virus
So how do you find a computer virus in the first place?
You can start with computer virus signature codes, which can be used to detect and kill virus files and stop the spread of viruses, and which can be subdivided into the following categories:
Host signature
The host signature is concerned with what the virus has done to the system rather than with the file characteristics of the virus itself, and is more effective than anti-virus file signatures (note: file characteristics can be modified by technical means to render a file signature invalid, e.g. by packing the program ("shelling"), inserting junk instructions ("flower instructions"), etc.).
For example:
- Specific file creation, reading and modification behaviour
- Specific registry creation, reading and modification behaviour
- Specific boot entry creation, reading and modification behaviour
- Special behaviour, e.g. self-deletion
Network signature code
This is extracted by analysing the network communication data of computer viruses, which includes malicious IP addresses, URLs, emails, attack packets, communication protocols between computer viruses, etc. It can also be combined with the host signature to provide higher detection rates and fewer false positives.
For example:
- Data exchange with published phishing sites and pharming platforms
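As an added illustration of combining host and network signatures (example code written for this guide, not tooling from the original article): the sandbox log format `pid|image|operation|target`, the behavioural rules, the IP addresses, hostname and URI path are all constructed placeholders, not real indicators. Events are grouped per process, and a process is only reported as likely malicious when behavioural and network evidence agree, which is the higher-detection, lower-false-positive combination the text describes.

```python
"""Host + network signature matching over constructed sandbox log lines.
Added example for this guide; the log format, indicators and sample lines
are all made up (IPs are taken from the RFC 5737 documentation ranges)."""
import re
from collections import defaultdict

# Constructed log lines in the format  pid|image|operation|target
SAMPLE_LOG = [
    r"1234|C:\Users\bob\Downloads\invoice.exe|WriteFile|C:\Users\bob\AppData\Local\Temp\svch0st.exe",
    r"1234|C:\Users\bob\Downloads\invoice.exe|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"1234|C:\Users\bob\Downloads\invoice.exe|TCPConnect|203.0.113.45:443",
    r"1234|C:\Users\bob\Downloads\invoice.exe|HTTPRequest|http://update-check.example/gate.php",
    r"1234|C:\Users\bob\Downloads\invoice.exe|DeleteFile|C:\Users\bob\Downloads\invoice.exe",
    r"5678|C:\Windows\explorer.exe|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    r"5678|C:\Windows\explorer.exe|TCPConnect|198.51.100.7:443",
    r"9012|C:\Program Files\Vendor\setup.exe|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
]

def parse_event(line):
    """Split one  pid|image|operation|target  line into a dict."""
    pid, image, op, target = line.split("|", 3)
    return {"pid": int(pid), "image": image, "op": op, "target": target}

# Autostart (boot entry) registry locations: Run and RunOnce keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def host_signatures(ev):
    """Behavioural (host) indicators: what the program did to the system."""
    hits = []
    t = ev["target"].lower()
    if ev["op"] == "RegSetValue" and RUN_KEY_RE.search(ev["target"]):
        hits.append("host:autostart_run_key")      # boot entry creation
    if ev["op"] == "WriteFile" and "\\temp\\" in t and t.endswith(".exe"):
        hits.append("host:exe_dropped_in_temp")    # specific file creation
    if ev["op"] == "DeleteFile" and t == ev["image"].lower():
        hits.append("host:self_delete")            # special behaviour
    return hits

# Constructed network indicators (placeholders, not real IoCs).
BAD_IPS = {"203.0.113.45"}
BAD_HOSTS = {"update-check.example"}
BAD_PATHS = {"/gate.php"}

def network_signatures(ev):
    """Network indicators: whom the program talked to and how."""
    hits = []
    if ev["op"] == "TCPConnect":
        ip = ev["target"].rsplit(":", 1)[0]
        if ip in BAD_IPS:
            hits.append("net:known_bad_ip")
    elif ev["op"] == "HTTPRequest":
        m = re.match(r"https?://([^/]+)(/.*)?", ev["target"])
        if m:
            host, path = m.group(1), m.group(2) or "/"
            if host in BAD_HOSTS:
                hits.append("net:known_bad_host")
            if path in BAD_PATHS:
                hits.append("net:c2_uri_pattern")
    return hits

def classify(lines):
    """Collect hits per process and combine host + network evidence.
    Returns {pid: (verdict, sorted list of signature names)}."""
    per_pid = defaultdict(lambda: {"host": set(), "net": set()})
    for line in lines:
        ev = parse_event(line)
        rec = per_pid[ev["pid"]]
        rec["host"].update(host_signatures(ev))
        rec["net"].update(network_signatures(ev))
    verdicts = {}
    for pid, rec in per_pid.items():
        if rec["host"] and rec["net"]:
            level = "likely-malicious"   # both kinds of evidence agree
        elif rec["host"] or rec["net"]:
            level = "suspicious"         # one kind alone: review, may be benign
        else:
            level = "clean"
        verdicts[pid] = (level, sorted(rec["host"] | rec["net"]))
    return verdicts

if __name__ == "__main__":
    for pid, (level, hits) in classify(SAMPLE_LOG).items():
        print(pid, level, hits)
```

Note how the installer (pid 9012) writes a Run key just like the sample (pid 1234) does, but without any network evidence it only rates "suspicious"; the host signature alone would be a false-positive source, which is exactly why the text recommends combining it with network signatures.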
Having said that, what are some of the common computer virus analysis techniques?
For a better understanding, the following categories are explained:
- Static analysis: Static analysis methods are techniques for analysing a computer virus while it is not running; they include analysing the virus executable without stepping through specific CPU instructions.
Common analysis tools include CoBOT, Coverity, Klocwork, Checkmarx, Fortify, Testbed, PinPoint, C++test, VirusTotal, strings, PC-Lint, QAC, IDA Pro, Cutter, GDA and many more.
Pros: Very fast, simple, in-depth analysis of computer viruses
Disadvantages: difficult to analyse complex computer viruses; may miss important behaviours; susceptible to code obfuscation techniques such as packing ("shelling"), junk instructions, etc.
- Dynamic analysis: Dynamic analysis methods require running the virus and using a debugger to examine its internal state while it executes, stepping through each instruction to verify the results of the preceding static analysis.
Common analysis tools include RegShot, Process Monitor, ApateDNS, Netcat, Wireshark, INetSim, OllyDbg, x64dbg, dnSpy, the Sysinternals toolset, etc.
Pros: simple, can mitigate code obfuscation
Disadvantages: may miss some important virus functions, and only covers the one execution path the virus took during that run.
Do you have any analysis experience to share?
Firstly, put good protection measures in place before beginning the analysis, to prevent the virus from spreading; do this even before static analysis. During dynamic analysis, think from multiple angles but be careful not to get lost in the details: identify the main hazards the virus poses first, so that you have a good overview before going into in-depth analysis.
Secondly, it's beneficial to try to analyse computer viruses from different angles, with different tools and methods without limiting yourself.
In conclusion, as computers continuously evolve, so too must our analysis. Keep moving forward and stay ahead of virus authors. Remember to identify the hazards first, then start defending as well as analysing.