Introduction to Malware & Malware Analysis

September 4, 2011, by Rajesh Nikam


Very often people call everything that corrupts their system a virus, without being aware of what the term actually means or what the program does. This paper gives a systematic introduction to the different varieties of beasts that come under the wide umbrella called malware, their distinguishing features, the prerequisites for malware analysis, and an overview of the malware analysis process.
What is Malware?
The history of computer viruses began in the early 1980s, when researchers came up with self-replicating computer programs. In 1984 Dr. Cohen provided a definition for computer viruses. Here is Cohen's informal definition of a computer virus:
"A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself."
This definition was appropriate for the programs of that period. Over time, however, viruses have evolved into dozens of different categories, which are now collectively termed malware rather than viruses; the virus is considered just one category of malware.
Malware is short for MALicious softWARE: software specifically designed to harm the user's computer or data in some way or the other. Malware has evolved along with technology and has taken advantage of new developments.
Malware consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, or perform other abusive behavior. The expression is a general term used by computer professionals for a variety of forms of hostile, intrusive, or annoying software or program code.
Symptoms of infected system
How do you know that your system is infected with possible malware? Following are some of the symptoms of an infected system:
  • The system becomes unstable and responds slowly, as malware may be consuming system resources
  • Unknown new executables are found on the system
  • Unexpected network traffic to sites you don't expect to connect to
  • Altered system settings, such as the browser homepage, changed without your consent
  • Random pop-ups shown as advertisements
  • A recent addition to the set: alerts like "Your computer is infected!" shown by a fake security application you never installed, which asks you to register the program to remove the detected threats
Overall, your system will behave unexpectedly.
Malware Classification
The category of malware is decided based upon different parameters: how it affects the system, the functionality or intent of the program, the spreading mechanism, and whether the program asks for the user's permission or consent before performing these operations.
A program can be regarded as malware if it does one of the following:
  • modifies another program
  • replicates through a network or a file system without the user's consent
  • allows an unauthorized person to take control of a remote system
  • sends personal or confidential information to a remote system without the user's consent
  • sends data to a system in order to disrupt its normal functioning
  • opens a listening port on the local machine to accept commands from a control server
  • records keystrokes and sends this information to remote servers
  • connects to suspicious remote servers
  • downloads and executes files from suspicious remote servers
  • copies itself to multiple locations
  • injects code into another program
  • makes unauthorized changes to the system
  • modifies a protected system setting
  • modifies a registry setting used for launching programs upon startup
Now we will look at specific malware categories, distinguished by the malicious features of the sample:
Virus is the first category of malware to appear on the horizon of computer security. Viruses are self-replicating in nature and are referred to as parasitic infectors. They don't have a separate existence; instead they insert their code into existing files on the system. They can be executable programs or scripts in different programming languages like VBS, JS, Perl etc.
Worm is also self-replicating, but worms are stand-alone malware. They don't modify other files to spread; instead they make copies of themselves over network shares or on other systems. Worms are further classified by the spreading mechanism used, like Email, P2P, IRC etc.
Trojan Horse 
A Trojan is disguised as useful software that tempts the user to install it, but it is bundled with hidden malicious functionality. Trojans are non-replicating in nature, i.e. they don't spread themselves as viruses or worms do.
Backdoor allows unauthorized access to a compromised system by opening a port on the victim's system. This creates a pathway for hackers to control the compromised system by sending commands of their choice. SubSeven, Netbus and Back Orifice are well-known examples of backdoors that enable unauthorized people to access a user's system over the Internet without his/her knowledge.
Fig. 1 Backdoor.SubSeven
HackTool is used by a hacker to attack and exploit a user's system to gain unauthorized access to system resources. Such tools attempt to gain information on the system while bypassing the security mechanisms inherent to it. netcat is an example of a HackTool: it is sometimes used by network administrators, but it is also used by hackers to get unauthorized access and to transmit data over the network.
Spyware is software that gathers personal or confidential information from a user's system without his knowledge. It monitors the victim's system to collect information like browsing habits, recently visited sites, passwords, credit card information, and other such confidential data. Once spyware is installed, there is no visible notification that it is monitoring the user's activities. It sends the collected information to a configured remote server.
Rootkit uses stealth techniques to actively hide its presence by hiding its components, like files, registry keys, running processes and other objects. These techniques are used to hide its behavior from the user and to evade detection by security applications.
Rogue application
These are fake applications that pose as security applications or system tools to mislead the user into paying for the removal of non-existent malware or problems with the user's system. This category of malware has been on the rise for the last 4-5 years. Rogue applications use different social engineering techniques to mislead the user into installing them. The downloader component may come as a video codec needed to play certain video clips, as P2P software, or as trojanized shared applications. Malware writers use SEO poisoning techniques to push malicious URLs based on recent popular news. When the user visits such a malicious URL, the rogue application is downloaded using the drive-by-download technique, exploiting vulnerabilities in the web browser and its plugins.

Fig. 2 Rogue Application – System Security
Infection Vectors
An infection vector refers to the spreading mechanism used by malware.
  • Boot Sector: Infecting Master Boot Record of the physical disk
  • File infection: Parasitic infectors
  • Email: Email worms 
  • File shares: Parasitic infectors, worms
  • Network: Network worms, through vulnerabilities
  • IRC: Internet Relay Chat
  • P2P networks: IM, Kazaa, etc.
  • Removable Media: Floppy, USB Disks
  • Bluetooth: Worms for mobile devices
  • Web Apps: Using cross-site scripting vulnerabilities 
  • Vulnerabilities: Operating system, Web Browser & plugins, Adobe Reader vulnerabilities
Prerequisites for Malware Analysis
Now, being equipped with the knowledge of what malware is, you may want to look at it more closely. The natural question that comes to mind is, "how do I analyze malware?" The prerequisites for malware analysis include an understanding of malware classification, essential x86 assembly language concepts [2], file formats like the Portable Executable file format, Windows APIs, and expertise in using monitoring tools, disassemblers and debuggers. This section introduces you to these prerequisites.
Cheat sheet of x86 assembly language 
Portable Executable File Format
Microsoft has used the Portable Executable (PE) file format [3] for executables and system libraries since Windows 95. For reverse engineering one should be familiar with the PE file format.
The PE header contains important information such as the linker version used, how the executable should be loaded, the compatible version of Microsoft Windows, the type of executable file, etc.
Fig.3 PE File Format
Two important fields of the PE header are AddressOfEntryPoint and ImageBase, which give the address of the first instruction to be executed when the executable is loaded and the virtual address at which the executable is loaded in memory, respectively.
The PE header is followed by the Data Directories, including the import table and the export table. The import table has information about the functions that the program calls from DLL files. The export table, generally present in DLL files, lists the functions the DLL makes available for other programs to call. It is followed by the Section Table, which provides the relative virtual addresses and characteristics of the program's sections.
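The header walk described above, as an added example that is not part of the original article: the script below reads the DOS header to find e_lfanew, the COFF and optional headers for AddressOfEntryPoint and ImageBase, the section table, and then follows data directory entry 1 into the import table to list the DLLs and function names a sample depends on. It handles both PE32 and PE32+ optional headers (the original text only discusses the format in general). The sample file it parses is constructed inline from the published structure layouts, so it runs offline; it is not a real program and its section contents are placeholders.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMPORT_DESCRIPTOR_FMT = "<5I"         # IMAGE_IMPORT_DESCRIPTOR, 20 bytes


def rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def read_cstr(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Parse DOS/PE/optional headers, the section table and the import table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                        # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off, thunk_fmt = opt + 96, "<I"
    elif magic == 0x20B:                                      # PE32+ (64-bit)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off, thunk_fmt = opt + 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []                                             # table follows the optional header
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    imports = {}
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]     # NumberOfRvaAndSizes
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0] if ndirs > 1 else 0
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)                  # high bit marks import-by-ordinal
    if imp_rva:
        desc_off = rva_to_offset(imp_rva, sections)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from(IMPORT_DESCRIPTOR_FMT, data, desc_off)
            if name_rva == 0:                                 # all-zero descriptor ends the list
                break
            dll = read_cstr(data, rva_to_offset(name_rva, sections))
            thunk_off = rva_to_offset(oft or ft, sections)    # prefer the ILT, fall back to IAT
            names = []
            while (val := struct.unpack_from(thunk_fmt, data, thunk_off)[0]) != 0:
                if val & ordinal_flag:
                    names.append(f"ordinal#{val & 0xFFFF}")
                else:                                         # hint/name entry: 2-byte hint, then name
                    names.append(read_cstr(data, rva_to_offset(val, sections) + 2))
                thunk_off += thunk_size
            imports[dll] = names
            desc_off += 20
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva, "sections": sections, "imports": imports}


def build_sample():
    """Constructed minimal PE32 image for demonstration only (not a real program)."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)     # i386, 2 sections
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                              # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)           # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 60, 0x200)                               # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, 0x2000, 0x3C)                      # import directory RVA/size
    sec = opt + 224
    struct.pack_into(SECTION_HEADER_FMT, hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, hdr, sec + 40, b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    idata = bytearray(0x200)                                                   # RVA 0x2000 -> file 0x400
    pieces = {0x00: struct.pack("<5I", 0x203C, 0, 0, 0x2064, 0x2048),           # kernel32.dll descriptor
              0x14: struct.pack("<5I", 0x2054, 0, 0, 0x2074, 0x205C),           # wininet.dll descriptor
              0x3C: struct.pack("<3I", 0x2080, 0x2090, 0), 0x48: struct.pack("<3I", 0x2080, 0x2090, 0),
              0x54: struct.pack("<2I", 0x20A0, 0), 0x5C: struct.pack("<2I", 0x20A0, 0),
              0x64: b"kernel32.dll\0", 0x74: b"wininet.dll\0",
              0x80: b"\0\0CreateFileA\0", 0x90: b"\0\0WriteFile\0", 0xA0: b"\0\0InternetOpenA\0"}
    for off, blob in pieces.items():
        idata[off:off + len(blob)] = blob
    return bytes(hdr) + b"\xCC" * 0x200 + bytes(idata)


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(f"entry point RVA {info['entry_rva']:#x} -> VA {info['entry_va']:#x}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} RVA {s['va']:#06x} raw {s['rawptr']:#06x} chars {s['chars']:#010x}")
    for dll, names in info["imports"].items():
        print(f"  {dll}: {', '.join(names)}")
```

On a real sample the import list is one of the first things worth reading: a program that imports InternetOpenA or URLDownloadToFile next to registry and process APIs tells you a lot before any disassembly. The parser deliberately resolves RVAs through the section table rather than trusting that RVA equals file offset, since packed samples routinely break that assumption.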
Windows APIs
The Microsoft Windows operating system provides an interface to applications through the Windows Application Programming Interface (API). It is implemented as a set of system libraries like kernel32.dll, user32.dll etc. A reverse engineer needs to be conversant with the file system, memory management, process and thread management, registry management, networking and security related APIs. An understanding of these APIs helps during detailed malware analysis. MSDN [4] provides comprehensive documentation of the Windows APIs.
Malware Analysis
Microsoft Windows is the most popular and widely used operating system, which makes it first on the target list of malware authors. We will see malware analysis on the Windows platform in this article. Malware appears in different forms: executable files, BAT scripts, VBScript, JavaScript, macros in Microsoft Office files, and exploit code in JPG, GIF, SWF and PDF files. More than 80% of the malware samples received by security vendors are Windows executables.
The purpose of malware analysis is to study a program's behavior and verify whether it has malicious functionality or behavior. If the analyzed sample is found malicious, the next step is classifying it and identifying the specific malware family.
Environment for Malware Analysis
One should be very careful when analyzing malware samples. Malware analysis should be done on a system separated from the production environment, on a network isolated from the public network. Virtualization software [10] like VMware and VirtualBox provides options to create such an environment.
Static Analysis
With static analysis, we study a program without actually executing it. The tools of the trade are hex editors, disassemblers and packer identifiers. We can look for suspicious strings related to file paths, registry keys, URLs, and any messages intended for users that are used in the program. The APIs used also give an idea of the program's functionality.
Samples that are packed or obfuscated pose challenges for static analysis. If a sample is packed, it needs to be unpacked before diving into code analysis.
Dynamic Analysis
With dynamic analysis, we study a program as it executes. We need to monitor the changes it makes to the file system, registry and processes, and its network communication. Sysinternals tools [7] like Process Monitor, Process Explorer and TCPView, along with GMER [8] and Wireshark [9], are useful for observing the runtime behavior of a program. Debuggers like OllyDbg, IDA Pro and WinDbg are helpful for digging into the details of encrypted malware and for detailed analysis.
If no safe environment is available to execute suspicious samples, one can use online automated malware analysis systems [5]. The user submits a suspicious sample for analysis and the system generates a report based on file system modifications, registry modifications, network communication etc.
I hope this helps in some way to take your step forward into the world of computer viruses, I mean malware.


References
[2] Art of Assembly
[3] PE File Format
[5] Online Automated Malware Analysis Systems
[6] The Art of Computer Virus Research and Defense
[7] SysInternals Suite
[10] Virtualization Software

Rajesh Nikam works as Lead Research Engineer with Quick Heal Malware Analysis Team. He has over 10 years of experience in Security software development and Malware Analysis. His areas of interest include Automations that help Malware Analysis, Behavior based detections and Smart Phone Malware.
