It is no secret that the number of malware programs on the internet has kept increasing over the years, and malware infections rise with it. This made us invest resources in finding malware infections, so we have created this post to share a structured approach that helps you analyze malware infections on your computer, mobile device, server, and network. Let’s learn how to analyze malware infections.
Basic Tips To Analyze Malware Infections:
We’ll start this section with how malware infections occur, who the targets are, and how they get infected. We’ll analyze the social engineering tactics used in the most common phishing attacks so you have an idea of what to look for. Indicators of compromise will help us triage suspicious mails and artifacts and spot the ones that can put data at risk. Focusing on the bigger picture, we’ll go over the various stages of malware and its behavior. Stepping into dangerous territory, we will set up an analysis environment to avoid any accidental infections during an investigation. Let’s get started.
How Do Malware Infections Happen?
Before we jump into the analysis of malware infections, let’s see the most common ways malware is delivered. Social engineering and phishing tactics are among the easiest ways for attackers to deliver malware. The web and email stand out first.
Web: Browsing the web is the most common thing everybody does. 90% of the time, we land on websites that we have never accessed before. Attackers might compromise websites that are visited by many and spread virus infections whenever the website is accessed.
Emails: Another widely used attack vector is email, used by all of us as a trusted means of communication, and it is a widely used avenue for malware infections. We will concentrate more on this category throughout this post, because it exploits the users’ trust, and therefore it’s harder to detect and prevent at an early stage. For example, you might receive an offer for collaboration from a peer within the IT industry. You might receive bills from various public services like water, gas, or electricity that require your attention. Cheap vacation tickets are a very hard offer to refuse, as are requests to review reports, attachments, or documents. And here comes the bad news. Each one of these scenarios might embed links to malicious websites controlled by the attacker. Archived computer viruses can be deployed as attachments that bypass email antivirus checks, as can infected documents that, once opened, start deploying computer viruses in the background.
Basic Approach To Analyze Malware Infections:
First, we have to identify the indicators within the phishing mail, such as a URL or an IP address. Second on the list is retrieving the remotely hosted pieces of malware for analysis. Next, we need to classify the artifacts we have gathered so we can choose the right strategy and tools. We also need to check if the artifacts are malicious, and the quick way to get some validation is to leverage open-source intelligence. The last piece of the puzzle, and probably the most important, is to implement safeguards to make sure we avoid any future infections.
- Analyze Suspicious Email
- Gather Malicious Links/URLs and files
- Download Artifacts
- Analyze Artifacts
- Implement Safeguards
We should create file hashes for the artifacts that we have gathered in order to be able to validate them against open-source intelligence. And the most interesting subject will be to use the IoCs gathered to develop defenses against future threats.
These are some of the issues that we have to address during our analysis. This is a good opportunity to introduce two important concepts in malware analysis. The first is called static analysis, and the second is called dynamic analysis.
With static analysis, we analyze the file passively; we do not execute it. We use information stored in the header of the file and its metadata to get a better understanding of its type, and we are also able to look for embedded artifacts, such as other files in the case of archives.
On the other hand, dynamic analysis means we get to execute the virus. The scope of this is to be able to analyze its behavior, such as which files it creates and whether it replicates to other locations. Also, when in execution, it might attempt connections to the internet to exfiltrate data, so we are able to analyze network activity as well.
How To Analyze A Suspicious Mail?
If you find an email suspicious and want to do a basic analysis, start by noting down the following:
- Sender email address
- URLs or hyperlinks in the body of the email
- Attachments, if any, and
- The original header of the email.
Validate the IP address, URLs, domains, and the attached file in online OSINT tools like virustotal.com and analyze the result. VirusTotal will tell you whether those are legitimate or suspected IoCs. Next, submit the original header to mxtoolbox.com, which will tell you about the real origin of the email. This helps to analyze the email.
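As an added example (not part of the original post), the following script pulls the indicators listed above out of a raw .eml message: the sender, the Return-Path, the originating IP from the Received chain, the URLs in the body, and the attachment hashes you would look up on VirusTotal. The message, its addresses and its domains are constructed for the demonstration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing mail); it uses documentation
# IP ranges and example domains only.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx2.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Billing Team" <billing@utility.example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

View your bill at http://203.0.113.45/invoice or https://portal.example.com/pay
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage_email(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    # Each relay prepends its own Received header, so the last one is the hop
    # closest to the true origin; the From header alone proves nothing.
    hops = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)
            attachments.append({"name": part.get_filename(),
                                "md5": hashlib.md5(data).hexdigest(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {"sender": sender, "return_path": return_path,
            "envelope_mismatch": sender.split("@")[-1] != return_path.split("@")[-1],
            "originating_ip": hops[-1] if hops else None,
            "urls": urls, "attachments": attachments}
```

A mismatch between the From domain and the Return-Path domain, or a body URL that points straight at an IP address, are the kinds of findings that justify the VirusTotal and mxtoolbox lookups described above.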
How To Analyze A Suspicious URL?
What Are Malicious URLs/Domains/Links?
We can define malicious links as websites or resources that either host malware components or make use of exploits to deliver malicious payloads.
How Do Attackers Abuse URLs To Spread Infections?
Malicious links are very common in terms of tactics preferred by hackers, and this is due to the fact that they are easy to set up. In terms of technical resources, they require only a web server for hosting. This raises some concerns, as anybody with malicious intent can set this up.
Another avenue for serving malware is compromised public websites or services. This tends to happen when owners don’t implement proper security controls, leaving their infrastructure vulnerable. From this point, hackers only need to compromise and access the front-end servers that are accessible to all public visitors, and the method for spreading malware infections is replacing legitimate software packages with infected versions.
These scenarios have a quick remediation time. After a user notices their computer getting infected and notifies the owner, the servers are patched and clean versions of the software are hosted once again. Hackers also leverage infected machines. Once they gain control of a server or a computer, they use it to host second-stage malware. The links to these are either included in phishing emails or embedded in malware delivery components. Now we’ll see how they manage to bypass email antivirus capabilities.
In some cases, attackers choose not to embed the malicious payload inside the phishing mail to avoid detection. Instead, they embed a link to the malicious payload hosted remotely. When a user receives the email with a malicious link, various social engineering techniques trick them into clicking it. This initiates a request to a server controlled by the attackers, and the response deploys the computer virus to the victim. Hackers use this method to avoid triggering any alerts from the antivirus that is part of the mail server.
Why Should You Use cURL Instead Of Browser In Analyzing Malware Infection?
Using the right tools is the key to a computer virus investigation. All the tools that we will be using are free command-line tools that come preinstalled with the most popular Linux distributions, like Ubuntu. cURL is a tiny web client that enables us to craft web requests.
When you type in an address, the browser will initiate a web request to the server. The server will send out a response in the form of an HTML file. When the browser interprets this, it will look for additional dependencies like images, script files, cascading style sheets and make requests for these as well. After these are loaded, the browser will display the fusion of all of these resources on a single page. The browser handles a lot of communication with the server, and in some scenarios, we want to have better control over this.
Using cURL, we can craft our own requests with all the parameters, such as the type of request, a custom User-Agent, and cookies. We get the response from the server as static content: we will not get images, Flash objects, Java applets, or other resources. Another benefit is that it can handle Transport Layer Security (TLS). We use cURL to have more control over the requests that we make.
Analyzing Suspicious URLs Or Links:
For this investigation, we recommend using a Linux VM. The reason for choosing Linux over Windows is that if the malware is targeted at Windows operating systems, performing the analysis in a Linux environment should pose no threat of accidental execution.
Use cURL to download the remote resource that is located at this particular IP address. Save this to a file by redirecting the output with the shell’s greater-than (>) operator followed by the name of the file we want to save it to. Now that we have secured our artifact, it’s time to get some more information about it by running the file command-line utility against it.
Now let’s check VirusTotal.com to gather some more details about our sample. We could submit the file directly to be tested against a large number of antivirus solutions. Instead, we will generate the MD5 hash and check this indicator against VirusTotal. This way, we can see if this sample has already been submitted by others and whether it’s flagged as malicious. So we run the command md5sum, and now we can check the hash against VirusTotal in the Search field. We copy it in, and surprisingly enough, this is identified as a Trojan-type virus. Now that we know it’s malicious, we can stop our research here and start elaborating on defensive courses of action.
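The fetch, file-type and hash steps above, as an added example that is not part of the original post. It reproduces what cURL, file and md5sum do in a single script: a curl-style fetch with a custom User-Agent (fetch_artifact, a hypothetical helper meant to run only inside the isolated VM), magic-byte type identification for the formats the post mentions, an extension-versus-type mismatch check, and the MD5/SHA-256 hashes to look up on VirusTotal. The sample artifacts are constructed header bytes, not real malware.

```python
import hashlib
import os
import urllib.request

# Magic-byte signatures for the artifact types the post mentions; this is the
# same idea the `file` utility applies, with a far smaller database.
SIGNATURES = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (legacy DOC/XLS)"),
    (b"Rar!\x1a\x07", "RAR archive"),
]
# Extensions that are normally consistent with each identified type.
EXPECTED_EXT = {"Windows PE executable": {".exe", ".dll", ".scr"},
                "PDF document": {".pdf"},
                "ZIP archive (also DOCX/XLSX/JAR)": {".zip", ".docx", ".xlsx", ".jar"},
                "OLE2 document (legacy DOC/XLS)": {".doc", ".xls"}}

def fetch_artifact(url: str, dest: str, user_agent: str = "Mozilla/5.0") -> None:
    """Hypothetical curl-style fetch: no rendering, no sub-resources, custom UA."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp, open(dest, "wb") as f:
        f.write(resp.read())

def identify(data: bytes) -> str:
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown/text"

def triage_artifact(name: str, data: bytes) -> dict:
    kind = identify(data)
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_EXT.get(kind)
    return {"name": name, "type": kind, "size": len(data),
            # A real type that contradicts the extension is itself an indicator.
            "extension_mismatch": expected is not None and ext not in expected,
            "md5": hashlib.md5(data).hexdigest(),        # VirusTotal search key
            "sha256": hashlib.sha256(data).hexdigest()}

# Constructed samples: header bytes only, not real malware.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE disguised as a PDF
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "photos.zip": b"PK\x03\x04" + b"\x00" * 26,
}

def triage_all(samples=SAMPLES) -> dict:
    return {n: triage_artifact(n, d) for n, d in samples.items()}
```

Searching VirusTotal by the hash, as the post recommends, avoids changing the sample’s last-submission date and tells you whether others have already seen it.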
What Tools Are Needed To Analyze Malware Infection?
Using the right tools is the key to analyzing malware infections. All the tools that we will be using are free command-line tools that come preinstalled with the most popular Linux distributions.
- cURL: This is a tiny web client that enables us to craft web requests. We will make use of it to retrieve malicious artifacts.
- File: This is the actual name of the tool. It uses information stored mostly in the header of the file to determine its type. This will be used by us to discover the types of artifacts that we gather during an investigation.
- md5sum: From its name, you probably guess this has to do something with MD5 hashes. Well, you are right. We will use it to generate file hashes that we could use later on in the investigation.
- VirusTotal.com: This is a publicly available service that runs suspicious files against a large number of antivirus solutions. So, what benefit does it bring to our investigation? The answer is validation. If we have a suspicious artifact, we can use VirusTotal.com to check if it’s flagged as malicious. This way, we can consume less time on analysis. It’s like taking a shortcut to the finish line.
- OSINT: Is there another way to get even more intelligence? Instead of uploading the file directly, we could generate the hash value for the sample and query VirusTotal to see if it already exists. We then get the result of the previous analysis, in case the file was submitted previously, of course. On a side note, please be aware that submitting a file will modify the last submission date. Now that we understand this concept, we can go over the wealth of data we can gather. First, are others infected? Well, if the file was submitted previously and found malicious, that means this is a _____ infection. What type of virus is this? From the description given by each antivirus, we get the type. It can be ransomware. It can be a Trojan. Is this an old infection? Have hackers started to reuse various parts of older malware? This leads us to: do defenses already exist? In the case of exploits, these might be patched over time, so we have less to worry about. All of this information feeds into the analysis of our current infection scenario.
We hope this post will help you learn how to analyze malware infections. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.