Automated Static and Dynamic Analysis of Malware
by Andrew Browne, Director, Malware Lab, Lavasoft
With the advent of automated malware creation toolkits, it has become almost trivial for the bad guys
to pump out thousands of variants of malicious software at the push of a button. In the first half of 2013
AV Test registered almost 140,000,000 new malware samples. In the whole of 2012, "only" 100,000,000
were registered, and in 2011 just over 60,000,000 [1]. In 2007, when I started working in the anti-malware
industry, I was particularly concerned at the astonishing rate of malware coming through our lab.
Looking at AV Test's figures for that year, I imagine that researchers new to the field chuckle at how easy
we must have had it.
Over the last 2 years we have seen the rise of the Advanced Persistent Threat (APT) [2], such as the high
profile Stuxnet, Duqu, Flame and Mahdi attacks. These APTs remained undetected for considerable
periods of time, during which they carried out their malicious work. They remained undetected because
they were highly targeted, focusing on a small number of machines in a particular industry or company,
allowing them to stay under the radar.
Given both the extreme volume of malware across the web and the highly targeted nature of other
attacks, it is inevitable that no anti-malware solution will be able to detect 100% of malware. So, what
tools does the IT administrator have at their disposal to analyse unknown files on their company
systems and networks? Malware analysis is a highly specialized discipline in which acquiring the
necessary skills can take years. The tools used to dissect malware can be expensive and complicated to
use, even before considering the time it takes to take a suspicious file apart and work out what it does. It's
understandable that this is beyond the remit of the average admin.
However, there is a wealth of free and open source tools available that can assist with malware triage,
all of which are well within the capabilities of most administrators. In this article, I will present some
techniques and tools that are easy to set up and use, as well as being easily within the budget of anyone
from the hobbyist to a cash-strapped IT department.
The article is broken down into two sections: static analysis and dynamic analysis. It is by no means
exhaustive; rather, it is intended to be a useful primer to help you gather information about suspicious
files you may be confronted with.
Static Analysis
The aim of static analysis is to get some insight into the sample's functionality without having to execute
it. This avoids inadvertently launching any malicious payload. Its limitation is that a packed or
obfuscated sample reveals very little until it is unpacked, so a file whose readable strings are sparse or
meaningless is itself a finding worth noting.
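The first static triage steps an administrator can take on a suspicious file are to record its hashes (for lookup against vendor databases), confirm whether it is really a Windows executable by checking the MZ/PE header fields rather than trusting the extension, and pull out readable strings to look for URLs, persistence registry keys and process-injection API names. The script below is an added example written for this article and is not code from the author or from Lavasoft; the file it inspects is a constructed byte blob with a bare PE header and a few planted strings, not a real sample, and the indicator patterns in INDICATORS are an illustrative starting set that you would extend.

```python
import hashlib
import re
import struct

# Constructed stand-in for a suspicious file: a bare DOS/PE header followed by
# a few embedded strings. It is not a real executable and is never executed.
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A)              # DOS header up to offset 0x3C
SAMPLE += struct.pack("<I", 0x40)                        # e_lfanew: PE header lives at 0x40
SAMPLE += b"PE\x00\x00" + struct.pack("<HH", 0x14C, 3)   # PE signature, i386, 3 sections
SAMPLE += b"\x00" * 16
SAMPLE += (b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
           b"http://example.invalid/gate.php\x00"
           b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00ab\x00")
SAMPLE = bytes(SAMPLE)

# Illustrative indicator patterns (assumption: a minimal set, extend for real use).
INDICATORS = {
    "url": re.compile(r"https?://", re.I),
    "autorun_key": re.compile(r"CurrentVersion\\Run", re.I),
    "injection_api": re.compile(r"^(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx)$"),
}


def hashes(data):
    """MD5/SHA-1/SHA-256 of the file, for lookup in vendor and sandbox databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_header(data):
    """Return (machine, number_of_sections) if data carries a PE header, else None.

    Checks the 'MZ' DOS signature, follows e_lfanew (offset 0x3C) to the
    NT headers and verifies the 'PE\\0\\0' signature there.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 8 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return machine, nsections


def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Combine hashes, header check and string indicators into one report."""
    report = {"hashes": hashes(data), "pe": pe_header(data), "indicators": {}}
    for s in strings(data):
        for label, pattern in INDICATORS.items():
            if pattern.search(s):
                report["indicators"].setdefault(label, []).append(s)
    return report


if __name__ == "__main__":
    report = triage(SAMPLE)
    for algo, digest in report["hashes"].items():
        print(f"{algo}: {digest}")
    print("PE header (machine, sections):", report["pe"])
    for label, hits in report["indicators"].items():
        print(f"{label}: {hits}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`. A file that passes `pe_header` but yields almost no strings, or whose only readable strings are section names, is the packed or obfuscated case noted above and should be escalated rather than dismissed.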
[1] http://www.av-test.org/en/statistics/malware
[2] http://en.wikipedia.org/wiki/Advanced_persistent_threat
25 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide