How to Analyze Malware Infections?

Well, it is not a secret that malware programs have kept increasing on the internet over the years. Malware infection also rises with the rising malware programs. This made us invest resources in finding malware infections. So, we have created this post to share with you a structured approach that helps you analyze malware infection on your computer, mobile, server, and network. Let’s learn how to analyze malware infections.

Basic Tips to Analyze Malware Infections:

We’ll start this section with how malware infections occur, who the targets are, and how they get infected. We’ll analyze social engineering tactics that are used in most common phishing attacks so you have an idea of what to look for. Indicators of compromise will help us triage suspicious emails and artifacts and spot the ones that can put data at risk. Focusing on the bigger picture, we’ll go over the various stages of malware and its behavior. Stepping into dangerous territory, we will set up an analysis environment to avoid any accidental infections during an investigation. Let’s get started.

How Does Malware Get Infected?

Before we jump on the analysis of malware infections, let’s see the most common ways malware is delivered. Social engineering or phishing tactics are one of the easiest ways for attackers to deliver malware. Web and Emails stand out first.

Web: Browsing on the web is the most common thing everybody does. 90% of the time, we land on websites that we have never accessed before. Attackers might compromise websites that are visited by many and spread virus infections whenever the website is accessed.

Emails: Another widely used attack vector is emails, used by all of us as a trusted means of communication. This is a widely-used avenue for malware infections. We will concentrate more on this category throughout this post, as this exploits the users’ trust, and therefore it’s harder to detect and prevent at an early stage. For example, you might receive an offer for collaboration by a peer within the IT industry. You can receive bills from various public services like water, gas, electricity that will require his attention. Cheap vacation tickets are very hard to refuse a good offer, and requests to review reports, attachments, or documents. And here comes the bad news. Each one of these scenarios might embed links to malicious websites controlled by the attacker. Archived computer viruses can be deployed as attachments that bypass email antivirus checks, and also infected documents that once opened will start deploying computer viruses in the background.

Basic Approach to Analyze Malware Infections:

First, we have to identify the indicators within the phishing mail, such as a URL or an IP address. Second, on the list is retrieving the remotely hosted pieces of malware for analysis. Next, we need to classify the artifacts we have gathered so we can choose the right strategy and tools. We also need to check if the artifacts are malicious, and the quick way to get some validation is to leverage open-source intelligence. The last piece of the puzzle, and probably the most important, is to implement safeguards to make sure we avoid any future infections.

There are some considerations that we have to keep in mind. We need to avoid browser infections. The link in the mail might lead us to an exploit kit, so we need to find some alternatives for downloading artifacts without a browser. Classifying artifacts requires us to discover the file details. If we encounter human-readable files, like HTML, JavaScript, or XML, it’s easy to understand their functionality. At the same time, if we encounter executables, Java Applets, or Flash objects, it will be harder to determine their scope.

We should create file hashes for the artifacts that we have gathered in order to be able to validate them against open-source intelligence. And the most interesting subject will be to use the IoCs gathered to develop defenses against future threats.

These are some of the issues that we have to address during our analysis. This is a good opportunity to introduce two important concepts in malware analysis. The first is called static analysis, and the second is called dynamic analysis.

With static analysis, we analyze the file passively. We do not execute it. We will use information stored in the header of the file, metadata to get a better understanding of its type, and also, we are able to look for embedded artifacts like other files in case of suffix archives.

On the other hand, dynamic analysis means we get to execute the virus. The scope of this is to be able to analyze its behavior, like what files it creates if it replicates to other locations. Also, when in execution, it might attempt connections to the internet to exfiltrate data, so we are able to analyze network activity as well.

There are some considerations that we have to keep in mind. We need to avoid browser infections. The link in the mail might lead us to an exploit kit, so we need to find some alternatives for downloading artifacts without a browser. Classifying artifacts requires us to discover the file details. If we encounter human-readable files, like HTML, JavaScript, or XML, it’s easy to understand their functionality. At the same time, if we encounter executables, Java Applets, or Flash objects, it will be harder to determine their scope.

We should create file hashes for the artifacts that we have gathered in order to be able to validate them against open-source intelligence. And the most interesting subject will be to use the IoCs gathered to develop defenses against future threats.

These are some of the issues that we have to address during our analysis. This is a good opportunity to introduce two important concepts in malware analysis. The first is called static analysis, and the second is called dynamic analysis.

With static analysis, we analyze the file passively. We do not execute it. We will use information stored in the header of the file, metadata to get a better understanding of its type, and also, we are able to look for embedded artifacts like other files in case of suffix archives.

On the other hand, dynamic analysis means we get to execute the virus. The scope of this is to be able to analyze its behavior, like what files it creates if it replicates to other locations. Also, when in execution, it might attempt connections to the internet to exfiltrate data, so we are able to analyze network activity as well.

How to Analyze a Suspicious Mail?

If you found an email suspicious and want to do the basic analysis. Start analyzing the email by noting down the following:

Created by

Validate the IP address, URLs, domains, and the attached file in online OSINT tools like virustotal.com. Analyze the result. VirusTotal will tell you those are legit or suspected IoCs.Next, submit the original header to mxtoolbox.com, which would tell you about the real origination of the email. This would help to Analyze the email.

How to Analyze a suspicious URL?

What Is a malicious URL/Domain/Links?

We can define malicious links as websites or resources that either host malware components or make use of exploits to deliver malicious payloads.

How Do Attackers Abuse URLs to Spread Infections?

Malicious links are very common in terms of tactics preferred by hackers, and this is due to the fact that they are easy to set up. In terms of technical resources, they require only a web server for hosting. This raises some concerns, as anybody with malicious intent can set this up.

Another avenue for serving malware is comprised public websites or services. This tends to happen when owners don’t implement proper security controls, leaving their infrastructure vulnerable. From this point, hackers only need to compromise and access the front-end servers that are accessible by all public visitors, and the method for spreading malware infections is replacing legitimate software packages with infected versions.

These scenarios have a quick remediation time. After the user notices his computer getting infected and notifies the owner, the servers are patched and clean versions of the software are hosted once again. Hackers also leverage infected machines. Once they gain control of a server or a computer, they use this to host second-stage malware. The links to these are either included in phishing emails or embedded in malware delivery components. And now we’ll see how they manage to bypass email antivirus capabilities.

In some cases, attackers choose not to embed the malicious payload inside the phishing mail to avoid detection. Instead, they embed the link to the malicious payload hosted remotely. When a user receives the email with a malicious link, through various social engineering techniques, he’ll be tricked into clicking it. This will initiate the request to a server controlled by the attackers. As a response, the computer virus is deployed to the victim. This method is used by hackers to avoid triggering any alerts from the antivirus that is part of the mail server.

Why Should You Use cURL Instead of Browser in Analyzing Malware Infection?

Using the right tools is the key to remediating a computer virus investigation. All the tools that we will be using are free command-line tools that come preinstalled with the most popular line of distributions, like Ubuntu. cURL is a tiny web client that enables us to craft web requests.

When you type in an address, the browser will initiate a web request to the server. The server will send out a response in the form of an HTML file. When the browser interprets this, it will look for additional dependencies like images, script files, cascading style sheets and make requests for these as well. After these are loaded, the browser will display the fusion of all of these resources on a single page. The browser handles a lot of communication with the server, and in some scenarios, we want to have better control over this.

Using cURL, we can craft our own requests with all the parameters like type of requests, custom User-Agent, and cookies. We get the response from the server. This will be in the form of static content. We will not get images, Flash objects, Java Applets, or other resources. Another benefit is that it can handle Transport Level Security. We use cURL to have more control over the requests that we make.

Analyzing Suspicious URL’s or Links:

For this investigation, we will recommend using Linux VM. The reason for choosing Linux over Windows is that if the malware is targeted at Windows operating systems, performing analysis in a Linux environment should pose no threat of accidental execution.

Use cURL to download the remote resource that is located at this particular IP address. Save this to a file so we can just use greater than, and then the name of the file we want to save it to. Now that we have secured our artifact, it’s time to get some more information about it by running the file command-line utility against it.

Now let’s check VirusTotal.com to gather some more details about our sample. We could submit the file directly to be tested against a large number of antivirus solutions. Instead, we will generate the MD5 hash and check this indicator against the VirusTotal. This way, we can see if this sample is already submitted by others and if it’s flagged as malicious. So we’re running the command md5sum, and now we can check it against VirusTotal in the Search column. We will copy it, and surprisingly enough, this is identified as a Trojan-type virus. Now that we know it’s malicious, we can stop our research here and start elaborating on defensive courses of action.

What Tools Are Needed to Analyze Malware Infection?

Using the right tools is the key to analyzing malware infections. All the tools that we will be using are free command-line tools that come preinstalled with the most popular Linux distributions,

We hope this post would help you know How to Analyze Malware Infections. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.