Ethical hacking: Basic malware analysis tools - Security Boulevard

Ethical hacking: Basic malware analysis tools

Introduction to malware analysis

Malware analysis is a common component in the incident response process. Once malware has been identified on a system, it is often useful to investigate and learn more about its specific functionality.

Malware analysis can have many possible goals. A high-level analysis may be intended to extract a few indicators of compromise to add to a security tool’s signature list. A more in-depth investigation may be required to determine the functionality of a particular sample in order to identify behavior and persistence mechanisms to help with removing it. Finally, an organization may want to perform a comprehensive analysis of a particular sample in order to understand the specifics of an APT’s operations and share information about a new threat with the community.

Basic malware analysis tools

When starting out in malware analysis, there are a variety of useful tools available. Depending on the goals of the analysis, the malware analyst may need to collect different pieces of information. Different tools are ideal for different purposes, so it’s helpful to be as familiar with as many as possible.

Hex editors

Hex editors are some of the simplest of malware analysis tools, but they can also be extremely useful. A hex editor like HxD is designed to show both the raw hexadecimal representation of a file and the ASCII interpretation.

Looking at a potential malware sample in a hex editor can be useful for extracting basic features from the file. Reading a file’s magic number may help in identifying a particular filetype, and examination of the raw hex of the file can help with identification of obfuscation methods like the use of weak XOR encoding. A malware analyst can also manually extract printable strings from a file by looking at its ASCII representation.

String extraction

Extracting strings from (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/WabVDz3WcxA/