Introduction To Malware Analysis

a1l4m
Apr 15, 2023

Malware Analysis Introduction

What is a Malware?

Malware is a program that is inserted into a system, usually covertly, with the intention to:

1. Affect the CIA of the system or annoy the victim.

2. Spread throughout the system and take actions.

Note: CIA stands for Confidentiality, Integrity and Availability

Types of Malwares

Virus

Inserted into a program or data file.

Worm

Travels from one network to another.

Trojan

Written to look like something else.

Backdoor

Creates a reverse shell on the victim machine. There are a lot of tools that do that, such as RATs (Remote Access Trojans).

Some hackers use backdoors on a large number of machines they compromised previously to build a network of bots, and then use it to launch denial-of-service “DOS” attacks on their victims.

Botnet: a network of hijacked internet-connected computers, controlled remotely by the attackers.

Botnet

Logic/Time Bomb

A piece of code inserted into a software system that will set off a malicious function when specified conditions are met, or after a certain amount of time.

Ransomware

Encrypts the data on the device or the machine and threatens to publish the victim’s data or block access to their machine, unless the victim pays a certain amount of money.

This type is used a lot nowadays, especially against people who try to download paid programs and games illegally.

Spyware

Data is sent from the infected device to the attacker.

You can guess why from the name :)

Adware

Data is sent from the attacker to the infected device.

Used to display ads.

Fileless Malware

Fileless Malware Cycle

Named fileless because this malware doesn’t create any files on the system “hard drive”; when you open the link, it only takes up space in memory.

It uses legitimate, otherwise benign programs to compromise your computer instead of malicious files.

APT “Advanced Persistent Threat”

A state-sponsored group, operating at another level of malware sophistication, which remains undetected for an extended period of time.

With this level of threat, the world of cyber security has seen malware that is far more advanced than the previous types, as there is a group of talented, sponsored people working 24/7 to develop it.

Bootkit & Rootkit Danger

Rootkits

Designed to hide the existence of certain processes from normal methods of detection, in order to enable continued access to a computer.

The name is actually a combination of two words. Root: runs in kernel mode. Kit: has more than one component.

Examples: Stuxnet, Flame.

Bootkits

Rootkits in which the first point of control is during the boot process. This allows the malicious program to be executed before the operating system boots.

The issue with this malware is that even if antivirus software detects it, it cannot be removed, because deleting anything will corrupt the boot files. So you can’t mess with those files without damaging the computer.

At least once in your life, you have seen a notification on your mobile device or desktop that tries to advertise something.

But we can’t consider this as malware; instead, it is called a PUP.

PUP stands for “Potentially Unwanted Program”, and these are programs which don’t do anything good for you, thus they are unwanted.

The user mostly agrees to install the PUP: the End User License Agreement “EULA” informs the user that this additional program is being installed, and the user accepts it.

Steps of Malware Analysis

Steps Of Malware Analysis

We have two methods that don’t require you to run the malware, “Static”:

Basic: run strings on the file or do some other basic checks, which give you a hint of what this malware is about.

Advanced: it requires you to have knowledge of assembly and the instructions of the CPU. Also, I have to mention that it takes a lot of time.

For the methods that require you to run the code, “Dynamic”:

Basic: you just run it in an isolated environment and observe the changes on the system; you can derive signatures from that. It doesn’t require deep knowledge of programming.

Advanced: You have to use a debugger to examine the internal state of the malware while it’s running. You have the ability to modify the execution path and state.
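As an added example of the basic static step described above (not code from the original post), here is a small Python triage script that does what running strings and hashing a sample gives you: it pulls ASCII and UTF-16LE strings out of a file, hashes it, and picks out URLs, file paths and a hypothetical watchlist of API names. The SAMPLE bytes and the WATCHLIST are constructed for illustration; replace SAMPLE with the contents of a real file read in binary mode.

```python
import hashlib
import re

# Constructed sample bytes standing in for a Windows executable. This is not
# real malware: it is a few ASCII and UTF-16LE strings glued together so the
# triage functions below have something to find.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n\x01\x02\x03"
    + b"http://example.invalid/update.php\x00"
    + b"\xff\xfe" + "C:\\Users\\Public\\run.bat".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80CreateRemoteThread\x00VirtualAllocEx\x00"
)

# Hypothetical watchlist of API names that deserve a second look during triage.
WATCHLIST = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}


def ascii_strings(data, min_len=4):
    """Printable ASCII runs, the same thing the classic `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def wide_strings(data, min_len=4):
    """UTF-16LE runs (common in Windows binaries); `strings` needs -el for these."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def file_hashes(data):
    """Hashes identify the sample and let you look it up in threat-intel sources."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def triage(data):
    """Basic static triage: hashes, strings, and a few hints pulled from them."""
    strings = ascii_strings(data) + wide_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",  # DOS/PE header magic
        "hashes": file_hashes(data),
        "strings": strings,
        "urls": [s for s in strings if re.search(r"https?://", s)],
        "paths": [s for s in strings if re.match(r"[A-Za-z]:\\", s)],
        "watchlist_hits": sorted(WATCHLIST.intersection(strings)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    for key in ("urls", "paths", "watchlist_hits"):
        print(key, report[key])
```

The hints this produces (a URL, a dropped-file path, injection-related API names) are exactly the kind of lead that tells you what to look for in the advanced static or dynamic steps.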

Thanks for reaching this point.

Written by a1l4m

DFIR | CTF Player & Author