Even an organization's most advanced defenses, such as antivirus, firewalls and IPS, are no match for the sophisticated attacks deployed today. Malware forensics investigation is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, Trojan horse, rootkit, or backdoor. The malware investigation process can be summarized as follows.
Malware Investigation Steps
- Analysis of suspicious web code and executable files
- Deep forensic analysis through the full attack life cycle
- Disassembly analysis that examines elements of the code
Our Approach
The following first-level analysis is conducted to quickly tally threat scores.
- Product Name
- Product Version
- Company Name, etc.
- Functions included in the Import Table:
  - Network
  - Process
  - Security
  - Registry
  - Dynamic Loading, etc.
- Does the binary have high entropy (obfuscated)?
- Does the binary have signatures of:
  - Internet Relay Chat ("IRC")
  - Shellcode
  - Cryptography ("Crypto")
- Does the binary contain strings associated with autoruns?
- Digital Signature Verification
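As an added illustration of how the first-level tally above can be automated (example code, not the vendor's own tooling), the following stdlib-only Python scores a constructed sample on three of the checklist items: byte entropy, import-table buckets and string signatures for IRC, crypto and autorun locations. The WinAPI names are real, but which bucket each falls into, the indicator patterns, the 7.0-bit entropy threshold and the point weights are this example's own assumptions.

```python
import math
import re
from collections import Counter

# Checklist import buckets; the WinAPI names are real, the bucket assignment is this example's assumption.
IMPORT_BUCKETS = {
    "Network": {"WSAStartup", "connect", "send", "recv", "InternetOpenA", "HttpSendRequestA"},
    "Process": {"CreateProcessA", "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"},
    "Security": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueA"},
    "Registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA"},
    "Dynamic Loading": {"LoadLibraryA", "GetProcAddress"},
}

# String signatures for the IRC / crypto / autorun checks (constructed patterns, deliberately narrow).
STRING_SIGNATURES = {
    "IRC": re.compile(rb"\b(NICK|JOIN|PRIVMSG|USER)\b"),
    "Crypto": re.compile(rb"CryptAcquireContext|CryptEncrypt|CryptDecrypt"),
    "Autorun": re.compile(rb"CurrentVersion\\Run", re.IGNORECASE),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def bucket_imports(imports):
    """Map each checklist bucket to the imported functions that fall in it (empty buckets omitted)."""
    present = set(imports)
    return {b: sorted(present & names) for b, names in IMPORT_BUCKETS.items() if present & names}

def scan_strings(data: bytes):
    """Return the names of the string signatures that match anywhere in the raw bytes."""
    return sorted(name for name, rx in STRING_SIGNATURES.items() if rx.search(data))

def triage(data: bytes, imports, entropy_threshold: float = 7.0):
    """First-level tally: one point per import bucket and per string hit, two if the bytes look packed."""
    ent = shannon_entropy(data)
    buckets = bucket_imports(imports)
    sigs = scan_strings(data)
    score = len(buckets) + len(sigs) + (2 if ent >= entropy_threshold else 0)
    return {"entropy": round(ent, 2), "high_entropy": ent >= entropy_threshold,
            "import_buckets": buckets, "string_signatures": sigs, "score": score}

# Constructed sample standing in for a binary's raw bytes and its import table.
SAMPLE_BYTES = (b"NICK bot1\r\nJOIN #control\r\n"
                b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SAMPLE_IMPORTS = ["WSAStartup", "connect", "RegSetValueExA", "LoadLibraryA", "GetProcAddress", "ExitProcess"]
```

Running `triage(SAMPLE_BYTES, SAMPLE_IMPORTS)` flags the Network, Registry and Dynamic Loading buckets plus the IRC and autorun strings, but not high entropy, since the sample is plain text.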
Stage two:
Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data flow analysis is possible without running binaries in a sandbox, and there is no reliance on white lists or signatures.
- Integrated disassembly engine:
  - If using network functionality, potentially what host it is communicating with and over what protocol(s)
  - If using network functionality, can it bypass proxy servers?
  - For functions that require usernames and/or passwords, does the executable contain a static string, indicating insider or advanced knowledge?
- More advanced Functionality Interpretation:
  - IP addresses and Domain Names Used
  - Debugger and Sandbox avoidance
  - Command and Control Functionality
  - Hooking Techniques
  - Arbitrary Code Execution
- Host Forensic Artifacts:
  - Registry Settings
  - Temp Files
  - Configuration Files