What exactly is Malware Analysis?

Take it easy. Let’s start with what malware is first. It’s malicious software, or “malware” for short: intrusive software that can take many forms and have many different consequences. Malware can steal information, damage computers and systems, overwhelm servers, assume control of computers, and more, and it comes in many types, such as viruses, ransomware, worms, trojans, and spyware [2], [4]. On top of this variety, malware is always changing and new malware is always being created. This is overwhelming, and it makes security professionals’ jobs complicated.

One way we can learn about malware to help us build better systems, products, and responses is through malware analysis. Malware analysis helps us learn the behavior, purpose, and scope of a piece of malicious software [1]. In addition, throughout the process, indicators of compromise (IOCs) can be uncovered. These IOCs can be used to improve detection of, and alerting on, the presence of a piece of malware on a system.

When you are presented with a piece of malware to analyze, there are different techniques used in the process: basic static analysis, basic dynamic analysis, advanced static analysis, and advanced dynamic analysis [3]. The simplest difference between these is that static analysis does not involve running the code, while dynamic analysis does involve running the malware executable. In further blogs I’ll go more in depth here, as these topics and techniques deserve their own spotlight.

So what exactly is our goal for this capstone project? Well, we will be using example malware binaries on an isolated virtual network. Through static and dynamic analysis, we hope to find how each piece of malware behaves, how we can detect that malware on a network, and how we can contain the damage. Finally, and most importantly, this will produce a report with all our findings and recommendations for the malware files we analyzed. And now, step 1: basic static analysis.

References

[1] “Malware analysis explained: Steps & examples: CrowdStrike,” crowdstrike.com, 13-Jan-2022. [Online]. Available: https://www.crowdstrike.com/cybersecurity-101/malware/malware-analysis/. [Accessed: 18-Jan-2022].

[2] McAfee, “What is malware and why do cybercriminals use malware?,” McAfee, 26-Nov-2019. [Online]. Available: https://www.mcafee.com/en-us/antivirus/malware.html. [Accessed: 18-Jan-2022].

[3] M. Sikorski and A. Honig, Practical malware analysis: The hands-on guide to dissecting malicious software. San Francisco: No Starch Press, 2012.

[4] “What is malware? – definition and examples,” Cisco, 29-Sep-2021. [Online]. Available: https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html. [Accessed: 18-Jan-2022].

Pro Tip: Don’t do Malware Analysis Directly on your Machine.

Some exciting news: the topic I will be focusing on for the Capstone project is malware analysis. This will be a great opportunity to dissect some malicious software, learn from it, gain experience using analysis tools, and report my findings and recommendations. This is all fine and dandy, but there’s an issue here. Interacting with malware and even having it on your machine could be very harmful and dangerous. So what do we do?

Well, using virtual machines is not new to me, so I’m familiar with setting up a VM with VMware. Just doing this is not sufficient due to the risk of the malware escaping to the network your own machine runs on. But after some research, I was able to find a way to define a virtual network separate from my local network with multiple virtual machines. This separate virtual network has no connection to my local network, preventing malware escape.

To set this up, VMware should be installed (you can also create a few VMs with your OS of choice). You need to navigate to the Virtual Network Editor either via the search bar in Windows,

Search for Virtual Network Editor App

or in VMware via Edit > Virtual Network Editor.

Virtual Network Editor App via VMware

Now, it’s really important to either choose a network not being used, or add a new network we can edit the specifications of. Here, I decided to add the VMnet4 network via Add Network:

Select/create VMnet not currently being used

Now, we can edit the VMnet information and specifications to fit our use case. First, select Host-only to ensure the virtual network does not connect to the external local network. Second, uncheck Connect a host virtual adapter to this network, as it is not needed. Lastly, we want to make sure Use local DHCP service to distribute IP address to VMs is checked so that IPs are assigned automatically to our VMs via DHCP (Dynamic Host Configuration Protocol). Select OK to set up this new virtual network.

Edit options for custom VMnet

So the network is set up, but we need to assign the VMs that we have created to use that network, and that network only. In VMware, before starting a VM, go to VM > Settings:

Navigate to VM Settings

This will bring up a Settings window where you can navigate to the Network Adapter menu. In this menu, under Network connection, select Custom and the virtual network we just set up (in this case VMnet4). Select OK, and the VM is now on our custom virtual network!

Select custom VMnet to run on
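As an added check (example code, not from the post), the Python script below reads a VM’s .vmx configuration file and flags any network adapter that is not set to Custom on the isolated VMnet4. It assumes the standard ethernetN.connectionType / ethernetN.vnet keys that VMware writes to .vmx files, and it runs against a constructed sample file rather than a real one.

```python
import re

# Constructed sample .vmx content (not from the post): adapter 0 is correctly
# on the isolated custom VMnet4, adapter 1 was left bridged to the host LAN.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "analysis-box"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet4"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
"""

ISOLATED_VNET = "VMnet4"  # the custom host-only network created in the post


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def check_adapters(cfg, isolated_vnet=ISOLATED_VNET):
    """Return (adapter, problem) pairs for every present ethernet adapter
    that is not connected to the isolated custom network."""
    problems = []
    for key, value in cfg.items():
        if not key.endswith(".present") or value.upper() != "TRUE":
            continue
        adapter = key[: -len(".present")]
        if not adapter.startswith("ethernet"):
            continue
        ctype = cfg.get(adapter + ".connectionType", "").lower()
        vnet = cfg.get(adapter + ".vnet", "")
        if ctype == "custom" and vnet == isolated_vnet:
            continue  # this is the intended setting: Custom -> VMnet4
        if ctype == "custom":
            problems.append((adapter, f"custom network is {vnet!r}, expected {isolated_vnet!r}"))
        else:
            problems.append((adapter, f"connectionType {ctype or 'unset'!r} is not the isolated network"))
    return problems


if __name__ == "__main__":
    for adapter, problem in check_adapters(parse_vmx(SAMPLE_VMX)):
        print(f"{adapter}: {problem}")
```

Run it against the .vmx of each analysis VM before powering it on; an empty result means every adapter is on VMnet4.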

We can now feel confident that our VM is on a virtual network that is isolated from our local network and that the malware we will be interacting with will stay on this same virtual network.

References:

L. Zeltser, “Virtualized network isolation for a malware analysis lab,” Lenny Zeltser Content, 09-Feb-2015. [Online]. Available: https://zeltser.com/vmware-network-isolation-for-malware-analysis/. [Accessed: 13-Jan-2022].

How did I get here?

I’ll start this blog with some introspection, but not too much. I think.

I’m honestly shocked I’ve come to my final term in this CS degree. Although I’ve been interested in computers my entire life, I did not think I was cut out for earning an education in CS and therefore did not chase this dream until only a few years ago. What started as learning some Python online on my own turned into enrolling in school again which was hugely intimidating. Those first introductory courses felt…intense? Even knowing I had only just started to breach the surface of CS, the first courses were such a culture shock.

I was able to fall into a rhythm at some point and classes became more manageable and less of a shock to the system. This is where I began thinking about where exactly I want to go with this degree. I wanted to answer the questions, “What kind of problems do I want to solve?” and “What am I truly interested in within CS?”. This took a while. I enjoyed my classes and I love coding, but it took being a bit exploratory with my degree and internship options to start to figure things out. I’d say it was when I got through my intro to networking course that things began to shift and become more intentional. To me, networking is really cool, highly challenging, and key in cybersecurity.

And so my internship hunt landed me a spot on a Security/IT team doing some coding and automation work. This was highly challenging for me, but I do think it led to the most professional growth I’ve had. It also led to me being more decided on pursuing a security path. Up until this point, I knew I had the basics in regard to CS, but needed more foundational security knowledge. I was able to focus my two remaining electives on security and study to obtain an entry-level security certification.

Which brings me back to exactly where I started this post: being in my last term of my degree. I’m looking forward to hopefully focusing on a security-related project and working with folks who I have not worked with before.

All the best to my peers this term 🙂