Ethical hacking: Basic malware analysis tools by Blackhat Pakistan 2023
In this article we will learn about Ethical hacking: Basic malware analysis tools.
Ethical hacking: Introduction to Malware Analysis
Malware analysis is a common part of the incident response process. Once malware is identified on a system, it is often useful to investigate what it does and learn more about how it behaves.
Malware analysis can have many possible goals. High-level analysis can be designed to extract several indicators of compromise that can be added to a security tool’s signature list. More detailed investigation may be required to determine the functionality of a particular sample to identify behavioral and persistence mechanisms that will aid in its elimination. Finally, an organization may want to perform a comprehensive analysis of a particular sample to understand the specifics of APT operations and share information about the new threat with the community.
Basic Malware Analysis Tools in Ethical hacking
When starting out with malware analysis, there are a number of useful tools at your disposal. Depending on the goals of the analysis, a malware analyst may need to gather different information. Different tools are ideal for different purposes, so it’s helpful to familiarize yourself with them as much as possible.
Hex editors
Hex editors are some of the easiest tools for malware analysis, but they can also be very useful. A hexadecimal editor like HxD is designed to display both the raw hexadecimal representation of the file and the ASCII interpretation.
Looking at a potential malware sample in a hex editor can be useful for extracting basic features from a file. Reading the file’s magic number can help identify a specific file type, and examining the raw hex can help identify obfuscation methods such as weak XOR encoding. A malware analyst can also manually extract printable strings from a file by looking at its ASCII representation.
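The two checks just described, reading the magic number and spotting weak single-byte XOR encoding, as an added example that is not part of the original article. The sample buffer, the magic-number table and the frequency heuristic are this example's own constructions; the MZ header and DOS stub text are made up to stand in for a real PE file.

```python
from collections import Counter

# Magic numbers at offset 0 for a few common file types (extend as needed).
MAGIC_NUMBERS = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also Office OOXML / JAR)",
    b"\x89PNG": "PNG image",
}

def identify_magic(data: bytes):
    """Return the file type whose magic number starts the buffer, else None."""
    for magic, name in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return name
    return None

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def guess_key_by_frequency(data: bytes) -> int:
    """Weak-XOR heuristic: executables contain long runs of 0x00 padding, so the
    most frequent ciphertext byte is usually the key itself (0x00 XOR key == key)."""
    return Counter(data).most_common(1)[0][0]

def find_single_byte_xor_key(data: bytes):
    """Brute-force all 256 keys against the first bytes and report the first one
    that reveals a known magic number. Returns (key, type) or None; a key of 0
    means the sample was not XOR-encoded at all."""
    head = data[:8]
    for key in range(256):
        name = identify_magic(xor_single_byte(head, key))
        if name is not None:
            return key, name
    return None

# Constructed sample: a fake MZ header, zero padding and the DOS stub text,
# XOR-encoded with key 0x5A to simulate a lightly obfuscated embedded payload.
_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 40 + b"This program cannot be run in DOS mode."
SAMPLE = xor_single_byte(_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    print("direct magic:", identify_magic(SAMPLE))             # None: header is obfuscated
    print("frequency guess: 0x%02x" % guess_key_by_frequency(SAMPLE))
    print("brute force:", find_single_byte_xor_key(SAMPLE))     # (90, 'Windows PE executable')
```

The frequency guess is a quick hint to confirm in the hex view; the brute force is the definitive check and also tells you the decoded file type.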
String extraction
Extracting strings from a file can be very useful in getting information about what the malware is doing, its origin, and other embedded information (such as IP addresses or domain names). A Windows executable contains the names of the libraries it imports in plain text, which can be useful for determining the purpose of the file based on the functions it is trying to access.
The strings command is available as a terminal program in both Linux and Windows. It is designed to extract any ASCII or Unicode strings from a file. However, this list can contain a lot of garbage, since any sequence of at least three (Windows) or four (Linux) printable characters will be printed.
FireEye has open-sourced StringSifter, a tool to streamline string output for malware analysts. The tool uses machine learning to rank strings based on their likely usefulness to the analyst, reducing the time spent sifting through garbage strings.
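An added example (not from the original article or from StringSifter) of the two steps above: a `strings`-style extractor that finds both ASCII and UTF-16LE runs with a configurable minimum length, followed by a simple rule-based ranking that pushes likely indicators and import names to the top. The ranking rules are this example's own heuristic, not StringSifter's machine-learning model, and the sample bytes are constructed to mimic a small PE.

```python
import re

def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for each run of at least min_len printable
    characters, scanning for both ASCII and UTF-16LE (the encoding Windows uses
    for most wide strings, which a plain ASCII scan silently misses)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)

# Triage rules (this example's own heuristic, not StringSifter's learned model):
# the first matching rule tags the string; a higher weight means "look at this first".
TRIAGE_RULES = [
    (re.compile(r"^https?://", re.I), 5, "url"),
    (re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"), 5, "ipv4"),
    (re.compile(r"^(?:[A-Za-z]:\\|\\\\)"), 3, "windows path"),
    (re.compile(r"\.(?:dll|exe|sys)$", re.I), 3, "module name"),
    (re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I), 4, "domain"),
    (re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]*)+$"), 2, "api-like name"),
]

def rank_strings(strings):
    """Sort extracted strings so likely indicators and imports come first."""
    ranked = []
    for _offset, enc, text in strings:
        score, tag = 0, "noise"
        for pattern, weight, name in TRIAGE_RULES:
            if pattern.search(text):
                score, tag = weight, name
                break
        ranked.append((score, tag, enc, text))
    return sorted(ranked, key=lambda r: -r[0])   # stable sort: ties keep file order

# Constructed sample standing in for a PE: DOS stub, import names, and wide strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"This program cannot be run in DOS mode.\x00"
    + b"\x7f\x01\x02kernel32.dll\x00CreateRemoteThread\x00WinExec\x00ab\x00\x00"
    + "http://example.invalid/update".encode("utf-16le") + b"\x00\x00\x13\x03"
    + "203.0.113.7".encode("utf-16le") + b"\x00\x00"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16le")
)

if __name__ == "__main__":
    for score, tag, enc, text in rank_strings(extract_strings(SAMPLE)):
        print(f"{score} {tag:13} {enc:8} {text}")
```

Note that the two-character run `ab` is dropped by the length filter while the DOS stub text survives and is correctly ranked as noise; in a real sample the noise list is far longer, which is exactly the problem StringSifter addresses.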
Disassemblers
When most people think of malware analysis tools, they think of disassemblers. These tools are designed to help with static code analysis by turning machine code into more human-readable assembly instructions. Disassemblers can also come with decompilers that attempt to reconstruct source code from the binary; however, these are often more expensive and less reliable.
There are a number of different disassemblers available on the market. Interactive Disassembler (IDA) is the best known and provides old builds as a free version or the latest version for an annual fee. Another paid disassembler is Hopper, which is available for Mac and Linux operating systems.
Various free and open-source disassemblers are also available in the market. The NSA recently released Ghidra, a tool they developed themselves. Another popular open-source disassembler is radare2, which has a wide range of features and enjoys frequent updates.
Debuggers
Disassemblers are useful for static analysis, but sometimes you need to run the code to understand how it works. Debuggers run code in an environment controlled by the malware analyst, allowing them to step through instructions one at a time, set breakpoints, and inspect process memory and other runtime state.
OllyDbg is a commonly used debugger for the Windows operating system with a wide range of features. WinDbg is another Windows-based debugger. Its main selling point is the fact that it can be used for kernel-mode debugging. On Linux, the most popular debugger for malware analysis is the GNU debugger (gdb).
Sandbox
While debuggers are useful for performing dynamic malware analysis, they execute the malware directly on the system the analyst is working on. If the analyst is using a disposable virtual machine, this might be fine, but otherwise it might be a problem.
Sandboxes are designed to run malware in an isolated environment to prevent it from escaping and infecting the host computer or other devices. Sandboxes also commonly contain a large amount of instrumentation designed to observe the execution of malware and draw conclusions from it. Running malware in a sandbox is often a good starting point for malware analysis because it requires minimal hands-on interaction from the analyst and provides a large amount of information about the sample.
There are a number of different malware analysis sandboxes, including Cuckoo Sandbox, Falcon Sandbox, Joe Sandbox, and many others. Each has its own advantages that balance the cost with the set of features available.
Online tools
Malware analysis is not limited to the desktop. Many online tools are designed to provide the user with a large amount of sample information with little or no work. Examples include Hybrid Analysis and VirusTotal, which automatically run all of the above tools and compile the results into an easy-to-read (and scrapable) format. These tools also allow you to search for malware based on hashes and examine the relationships between uploaded files.
However, these tools should not be used lightly. They are commonly used to check whether a particular file is malicious, and they work by making data about files uploaded by anyone available to everyone else.
This can be a security concern for an enterprise if a potential malware sample could contain sensitive internal data. Companies can leak their own internal data by uploading malware to VirusTotal or Hybrid Analysis, and third parties can find this data using the search and correlation functionality available on the site.
Conclusion: Starting the malware analysis
Malware analysis can seem like a daunting task. Trying to figure out what a compiled executable is doing is very different from reading some source code. Many malware samples are specifically designed to resist easy analysis.
However, in many cases the goal of malware analysis is not to understand every line of code in the malware in front of you. Malware analysis for incident response is designed to understand what a particular sample can do on a computer and extract indicators of compromise that can be used to detect it.
The tools described here can be used with minimal knowledge. Many of them are just point and click. However, they often provide enough information to allow an analyst to achieve their goals even with limited knowledge of malware reverse engineering.
Sources
- HxD – Freeware Hex Editor and Disk Editor, mh-nexus
- stringsifter, GitHub
- About IDA, Hex-Rays
- Hopper Disassembler v4, Hopperv4
- ghidra, GitHub
- radare2, GitHub
- OllyDbg, OllyDbg
- Download Debugging Tools for Windows, Microsoft
- GDB: The GNU Project Debugger, gnu.org
- What is Cuckoo?, Cuckoo Sandbox
- Hybrid Analysis, Hybrid Analysis
- VirusTotal, VirusTotal
- Caution: Misuse of security tools can turn against you, Malwarebytes