This month we are addressing an emerging area of security tools, at least in the corporate arena. Reverse engineering and analysis of malware is well-known in some areas of security practice. However, those are rather narrow niche practices. Generally, organizations that are not in the business of reversing malware don’t. That doesn’t mean that these organizations could not benefit from a deeper dive into malware when there is a widespread infection.
Malware analysis consists of two parts: static and dynamic. Static analysis is, essentially, reversing the code. Dynamic analysis is analysis of the malware’s behavior when it fires. Static analysis can lead to a sort of trivial – but very important – dynamic analysis.
For example, if we find IP addresses hard-coded into the malware we can examine them in the context of the rest of the code to ascertain their meanings. In a dynamic analysis, we simply watch what the malware does and draw conclusions from what we see.
Realistically, we need both but that means that we need a serious malware lab and trained specialists to man it. There is a place for that and there also is a place for a malware analysis sandbox in the cloud that returns and an analysis all ready for you to interpret it. True, you still need trained people but the time to an answer is comparatively short and you don’t the cost of a fully equipped malware lab.
In our very small group this month we are addressing both the “hard way” and the easy way of performing malware analysis. The hard way requires good tools in you kit and we have the granddaddy – or, perhaps, grandmother would be more appropriate in this case – of manual, assisted code reversing tools. We also have two cloud sandboxes that take somewhat different approaches to automating your analyses.
Every time mention adding malware analysis to a typical organization we hear that analysis if for the anti-malware companies. Well, it is, of course. But it also is for mid-to-large organizations as well. For example, knowing where the malware is calling home helps you blacklist the address in your security tools. Knowing what kind of damage it does helps you ensure that you have the proper patches in place. It also helps you recover should the malware get past your defenses.
So, it is a niche market, but it’s a very important one and we predict that we’ll see a lot more of this in the next couple of years. While there are open source sandboxes – such as Cuckoo – but they can be challenging for many organizations to set up. Once they are set up, tuned and in operation, there still is the problem of interpreting their results. For all but the most junior analysts, that’s not a big problem, but it is time consuming. Using a cloud-based system will give you the advantage of what the cloud has learned from all the malware it has analyzed.
If you’re hard-core, you’ll need a good tool set and we have one of them as well. But the real message is, it’s time to devote some resources to understanding the malware that is entering – or trying to enter – your enterprise.