Malware 101, part 2 – why should we analyze malware?

Now that we’ve covered what malware is, let’s delve into why we want to analyze it. Generally speaking, there are 3 reasons we analyze malware:

  • Antivirus – The most publicly visible reason is antivirus. Any antivirus company will employ a small army of malware reverse engineers whose entire purpose in life is to analyze malware and extract unique data points to include in antivirus signatures.
  • Security Operations – Security Operations and Incident Response teams need malware analysis in order to scope incidents and generate IOCs (Indicators of Compromise). IOCs may include specific filesystem changes, network communications, and any other activity which can be monitored for in order to detect malware compromise of endpoints and network assets.
  • Threat research – Lastly, threat researchers will often analyze malware, either to discover novel techniques and capabilities, or to attribute a malware sample to a given threat actor (abbreviated hereafter as TA).

These three objectives require very different approaches to malware analysis, as the information we gather will be very different depending on our objectives. Antivirus researchers will generally look for unique byte sequences which can be easily used to identify a malicious file. Security Operations personnel will primarily be concerned with the behavior of malware on a system – what domains or IPs it contacts, what mutexes it creates, and what filesystem changes it makes – so that it can be detected rapidly. Threat researchers will generally be more concerned with highly distinctive portions of code, linguistic anomalies, etc., which help them attribute malware to a TA, or else with the fine technical details of how a malware sample does whatever it does.
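To make the difference between the first two objectives concrete, here is an added example (written for this post, not the author’s own code) that contrasts an antivirus-style byte signature with SecOps-style behavioral IOCs on a constructed sample and constructed log lines. The sample bytes, the beacon URL, the mutex name and the log line format are all made-up stand-ins, not artifacts from any real malware or tool.

```python
import re

# Constructed stand-in for a malware file (not a real sample): a few bytes of
# "code" wrapped around a hard-coded beacon URL and a mutex name.
SAMPLE_V1 = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"http://beacon.example.invalid/gate.php\x00"
    + b"Global\\EvilMutex-1337\x00"
    + b"\x33\xc0\xc9\xc3"
)
# A trivially rebuilt variant: identical behaviour, one prologue byte changed.
SAMPLE_V2 = SAMPLE_V1.replace(b"\x83\xec\x10", b"\x83\xec\x20")
# Antivirus objective: a unique byte sequence lifted from V1's code.
AV_SIGNATURE = b"\x55\x8b\xec\x83\xec\x10"

# Security Operations objective: what the sample did when it ran. Constructed
# sandbox/EDR-style log lines, not the output of any real tool.
SANDBOX_LOG = [
    "CreateMutexW name=Global\\EvilMutex-1337",
    "CreateFileW path=C:\\Users\\victim\\AppData\\Roaming\\updater.exe",
    "DNS query beacon.example.invalid",
    "HTTP POST http://beacon.example.invalid/gate.php",
]
# One pattern per IOC kind the post names: mutexes, filesystem changes, and
# network communications (domain taken from a DNS query or an HTTP request).
IOC_PATTERNS = {
    "mutex": re.compile(r"CreateMutexW name=(\S+)"),
    "file": re.compile(r"CreateFileW path=(\S+)"),
    "domain": re.compile(r"(?:DNS query |HTTP \w+ https?://)([^/\s]+)"),
}

def av_match(data: bytes, signature: bytes) -> bool:
    """Signature-based check: does the unique byte sequence occur in the file?"""
    return signature in data

def extract_iocs(log_lines):
    """Pull monitorable indicators (mutex, file, domain) out of behavioural log lines."""
    iocs = {kind: set() for kind in IOC_PATTERNS}
    for line in log_lines:
        for kind, pattern in IOC_PATTERNS.items():
            if m := pattern.search(line):
                iocs[kind].add(m.group(1))
    return iocs

def ioc_match(log_lines, known_iocs) -> bool:
    """Behavioural check: does any line from a monitored host hit a known IOC?"""
    observed = extract_iocs(log_lines)
    return any(observed[kind] & known_iocs[kind] for kind in known_iocs)
```

A one-byte rebuild of the sample defeats the byte signature, while the behavioral IOCs pulled from the log still match the rebuilt variant’s activity on a host, which is exactly why the two teams extract different data from the same sample.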

The majority of my experience is in security operations and incident response, and it’s from this perspective that I’ll write the remainder of this series.

Article Link: Malware 101, part 2 – why should we analyze malware? – It's Biebs the malware guy!!