This article is an introduction to analyzing malware. I will take you through the basic steps you need to perform in order to understand what malware is doing to your systems.
Author: JASON CARPENTER
Source: Hakin9 2/2009 http://hakin9.org
WHAT YOU WILL LEARN…
- Why analyzing malware is important
- How you should get started
WHAT YOU SHOULD KNOW…
- The Basics of X86 assembly language, logical thinking and a clear understanding of how software works
Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. The expression is a general term meaning a variety of forms of hostile, intrusive, or annoying software or program code. Simply put, Malware is software designed to make a computer do something an attacker wants it to do. It is not always designed to destroy a computer. It may, for example, just sit on a computer, using processor cycles to crack the encryption of a certain file. Nowadays, Malware has become so prevalent in our computer systems that most people do not take it seriously. Malware infects the average user at least once, yet we continue to operate the recently infected machine to perform personal confidential transactions, such as online banking or shopping. Malware poses a serious threat to an enterprise and can do anything the attacker can envision. It can use system resources such as CPU cycles or bandwidth, or it can send official and confidential corporate data offsite to the attacker. Most corporations have antivirus systems in place, and some even have antispyware capabilities. However, most of the time corporations use these systems to prevent or clean up infections after their machines are compromised. Most organizations do not take the time to recognize and understand the extent in which malware has inflicted their systems before attempting to eliminate it. Unfortunately, being infected with malware is usually much easier than getting rid of it, and once you have malware on your computer it tends to multiply. Determining how a malware is constructed and operates in order to study its potential to inflict damage is called analyzing malware. Analyzing malware is beneficial to the enterprise. Most malware detection systems, such as an antivirus protection system, require signature files that match the malware in order to enable them to detect and block the malware from penetrating your machine. When a new malware hits the net, you are virtually unprotected since your antivirus or antispyware software does not contain the identifying signature of the new malware. For a new malware to be detected there is often a time delay until the new signature is distributed, since anti-malware companies need to identify it, analyze it, find a signature, test the signature and deploy the new updates. If you have already been infected, the time involved is unacceptable, especially if you have no idea that you are infected and/or the extent of damage. An example of this would be an online shopping site. If a new malware hits the net, and it takes two weeks for your antivirus vendor to deploy a signature file, your site is exposed and entirely susceptible to the infection.