Forensic Magazine® — Thursday, December 04, 2008

Forensic Analysis of Computer Programs
Part 2 – Static Malware Analysis

By Nick Harbour

In the previous article we introduced you to the discipline of Reverse Engineering known as Malware Analysis, which is becoming a critical tool for computer crime investigations. We also discussed how the techniques of Malware Analysis can be divided into two distinct categories, and we focused on the category called Dynamic Analysis. Now we will turn our attention to the other category, Static Malware Analysis.

Static Malware Analysis encompasses all techniques used to examine an executable program which do not involve running the program. An analogy that can be made is with a caveman examining an automobile for the first time. In Dynamic Analysis, the caveman would sit in the car and press buttons and step on pedals until the car did something. In Static Analysis, the caveman would examine every component of the car from a mechanical perspective to understand each part’s individual function as well as their combined functionality.

While Static Analysis is often viewed as containing the more technically challenging portion of Malware Analysis, it also contains the easiest. Most computer programs contain several hard-coded “strings” within their executable files. A string is a sequence of bytes that makes up readable text. The strings contained within an executable program file usually relate directly to the functionality of the program and may even identify the creator of the program. For example, every computer program written by Mandiant Corporation is likely to contain the string “Mandiant” somewhere inside its program file, and finding such a string in an unknown program would be a strong clue that it was a program written by Mandiant.

By examining these strings of text, even a novice Malware Analyst may be able to extract evidence from an executable file. In the previous article we discussed hard-coded configuration items which may be contained within malicious programs. Examining the strings contained within an executable file is a fast method to extract these items, which may be of evidentiary or investigative lead-producing value.
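The string extraction described above, as an added example that is not part of the original article: it scans a constructed block of bytes (standing in for an executable file) for runs of printable text, in both plain ASCII and the UTF-16LE form Windows executables use for many of their strings, reports each string with its file offset, and does a rough triage of which ones look like hard-coded configuration items. The sample bytes, the hostname and the registry path are all constructed for the demo.

```python
import re

# Constructed sample "executable" bytes (not a real program): an author tag,
# a hard-coded URL and a UTF-16LE registry path, separated by binary filler
# so the scanner has to locate them rather than being handed them.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"                      # fake DOS header
    + b"Mandiant\x00"                                   # ASCII string at offset 8
    + b"\x01\x02\x03"
    + b"http://example.invalid/beacon\x00"              # ASCII string at offset 20
    + b"\xff\xfe\x7f"
    + "Software\\Example\\Run".encode("utf-16-le")      # wide string at offset 53
    + b"\x00\x00\x04\x05"
)

# A printable ASCII run, and the same thing with a NUL after every character.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}")


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, sorted by file offset."""
    found = []
    for m in re.finditer(ASCII_RE.pattern % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(WIDE_RE.pattern % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str) -> str:
    """Rough triage into the kinds of investigative lead the article mentions:
    network configuration (URLs) and persistence locations (registry paths)."""
    if re.match(r"[a-z]+://", text, re.IGNORECASE):
        return "network-config"
    if re.match(r"(HKEY_|Software\\)", text, re.IGNORECASE):
        return "registry-path"
    return "other"


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BINARY):
        print(f"0x{offset:08x}  {enc:8}  {classify(text):15}  {text}")
```

On a real file, read it with `open(path, "rb").read()` and raise `min_len` to cut down on accidental printable runs in code and data.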

The most advanced technique in Static Analysis, and arguably in all of Malware Analysis, is program Disassembly. When computer programmers write a program they typically write it in a high level language, where they are able to focus on the logic of problem solving as opposed to the minutiae of computer operation. The high level language the program was written in gets compiled into the very low level machine code for a particular computer. All high level logical constructs written by the programmer are translated into machine code operations that control the computer hardware. Only this low level machine code can be executed, and it is what most executable program files contain.

Disassembly is the process of analyzing a program’s machine code in an attempt to deduce the high level program logic. This process is considered to be very advanced because it requires the examiner to be familiar with how programs are written at a high level as well as being familiar with the low level computer hardware and machine code instructions.

No Malware Analysis technique other than Disassembly is thoroughly conclusive in its results. With proper disassembly analysis an examiner should be able to determine the exact functionality of a program, including its entire feature set, its limitations, its similarity to other programs and its attribution. Disassembly has been used in investigations to connect multiple malicious programs that had no direct relation to one another back to a single author or group of authors, because the programs shared components and programming techniques.

As powerful as the techniques of Static and Dynamic Malware analysis are individually, the fastest and most logical approach is almost always a combination of techniques from both categories.

About the author: Nick Harbour is a Senior Engineer with MANDIANT and is a well-known innovator in the field of computer security with over seven years’ experience in computer forensics, network monitoring and software development. Prior to joining Mandiant, Nick spent two years as a government contractor. He has worked in the intelligence, counterintelligence, military and law enforcement communities.




Copyright ©2008 Vicon Publishing, Inc. All rights reserved.