Malware Analysis Tools Explained
When it comes to malware infections you can never get too comfortable with your own system, and paranoia is your best friend, as we can observe in the second episode of the third season of Mr Robot, when Elliot uses rkhunter to check whether malware has been installed on his computer. In this article we’ll see that it is possible to create a virtual environment in which to run and debug a malicious file, trying to understand how it spreads, what actions it performs on the infected computer and what network communications it implements. A series of free and open source tools are readily available for this purpose; we will download and install some of them to understand how they work.
To successfully create a laboratory for testing malware, you basically have two options: you can use virtualization software like VirtualBox or VMware, or you can use old but still working computers that you find at home or can obtain at little expense. With the first option you create a virtual environment, run some malware in it and, once you’re done, restore the machine to a snapshot taken before the infection. With a physical environment you’ll have to pay more attention to your actions, keeping your lab well isolated from your everyday network, to be sure the viruses won’t spread in any undesired manner. How will you study the way a sample spreads and the way it communicates back with its creator? Let’s see the tools that will help with these crucial activities.
A wealth of tools
You’ll be surprised to know that a wealth of tools exists for malware analysis, many of them free, so you are literally spoilt for choice. While you look through some interesting lists, like this one for malware analysis or this other one for malicious site analysis, let’s clarify a little what these tools do and what you need from them.
1) A process monitor, apparently similar to your Windows Task Manager, but more focused on malware activities
2) A network analyzer like Wireshark, to study the way the malware connects back to its creator
3) A code analyzer. It is really hard to deobfuscate the code of a piece of malware, but if you succeed you’ll have plenty of information to work on.
4) Free online malware analyzers like the ones listed here, to automate these time-consuming activities
At this point you should be clear about what your weapons against a virus are, so let’s go more in depth with a couple of interesting tools from these lists.
ProcDOT
I decided to cite this one because ProcDOT is unique in its genre: it joins the two main functionalities, a process monitor and a network analyzer, in one tool. Usually you find these two things separated, and having the results of the process monitor not linked to the results of the network analyzer ends in a lot of effort trying to understand how a process shares information. ProcDOT resolves this problem by being an all-in-one tool, and for this reason I think it’s essential in a malware analysis lab. The functionalities of ProcDOT are:
- Correlation of Procmon and PCAP data
- Visualization as an interactive graph
- Animation mode to easily understand timing aspects
- Smart following algorithms to focus only on relevant activity
- Detection and visualization of thread injection
- Correlation of network activities and the causing processes
- Activity timeline
- Full-text search of graph content, with hits also shown in the activity timeline
- Filters to clean up noise (global and session-wise)
- Support of various matching modes
And many, many others…
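To make the first and sixth points concrete (correlating Procmon data with PCAP data and tying network activity back to the process that caused it), here is a small added example in Python. It is not ProcDOT’s code; it assumes a Procmon CSV export with the default column layout, uses constructed sample rows and flows, and joins the two sources on the source port that Procmon records in each “TCP Connect” event.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon "Save as CSV" export; every value here is made up for the example.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.100","explorer.exe","1200","Process Create","C:\\Users\\lab\\invoice.exe","SUCCESS","PID: 4321"
"10:00:01.450","invoice.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.dll","SUCCESS","Length: 20480"
"10:00:02.020","invoice.exe","4321","TCP Connect","lab-pc:49812 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:00:02.300","invoice.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ"
"10:00:05.000","svchost.exe","900","TCP Connect","lab-pc:49813 -> 198.51.100.20:80","SUCCESS","Length: 0"
"""

# Constructed flows as a PCAP tool might export them: (time, src port, dst ip, dst port, bytes).
PCAP_FLOWS = [
    ("10:00:02.025", 49812, "203.0.113.7", 443, 1580),
    ("10:00:05.010", 49813, "198.51.100.20", 80, 320),
    ("10:00:07.000", 49900, "192.0.2.9", 8080, 90),  # no matching Procmon event
]

# Procmon writes network paths as "srchost:srcport -> dsthost:dstport".
CONNECT_RE = re.compile(r"^.*?:(\d+) -> ([\w.\-]+):(\d+)$")

def correlate(procmon_csv, flows):
    """Join PCAP flows to Procmon processes via the source port of each 'TCP Connect'."""
    procs = defaultdict(lambda: {"name": "", "parent": None, "files": [],
                                 "registry": [], "network": []})
    port_to_pid = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        pid, op, path = int(row["PID"]), row["Operation"], row["Path"]
        procs[pid]["name"] = row["Process Name"]
        if op == "Process Create":  # Detail carries the child's PID
            procs[int(row["Detail"].split("PID:")[1])]["parent"] = pid
        elif op == "WriteFile":
            procs[pid]["files"].append(path)
        elif op.startswith("Reg"):
            procs[pid]["registry"].append(path)
        elif op == "TCP Connect" and (m := CONNECT_RE.match(path)):
            port_to_pid[int(m.group(1))] = pid
    unattributed = []
    for ts, sport, dst, dport, nbytes in flows:
        pid = port_to_pid.get(sport)
        if pid is None:  # traffic nobody in the Procmon log explains
            unattributed.append((ts, sport, dst, dport))
        else:
            procs[pid]["network"].append((dst, dport, nbytes))
    return {"processes": dict(procs), "unattributed": unattributed}
```

The result gives, per PID, the parent process, the files and registry keys it touched and the remote endpoints its connections reached; flows that no Procmon event explains are listed separately, since in a real capture those are exactly the ones worth a second look.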
Process Monitor v3.40
Process Monitor v3.40, as you can guess from its name, is focused on a single task and is produced by Microsoft. It is designed to work exclusively with Windows, and it’s an advanced task manager capable of monitoring system activity in real time and capturing process details such as user, session ID, command line and so on. Process Monitor v3.40 also allows boot-time logging of all operations, cancellable searches and non-destructive filters that keep your data when you set another search. Process Monitor v3.40 combines the features of two Sysinternals utilities that are no longer maintained, Filemon and Regmon. Filemon provided a useful display of file system activity, while Regmon recorded how the Windows registry was being used.
All these features make Process Monitor v3.40 a useful tool for system administration, computer forensics and application debugging, and all of this is, remarkably, free.