Malware Reverse Engineering
Malware analysts must develop the skills needed to perform the necessary steps. Malware authors are constantly innovating and we, too, future malware analysts must cope with this. Performing procedures and staged analysis can help to simplify the life of an analyst. Depending on the situation, an analyst may encounter a situation inside their organization that requires them to respond to a fast-paced procedure when it comes to an incident.
Static code analysis is performed by not executing the sample but running it inside the disassembler and understanding the inner workings of the sample. This analysis requires expertise and knowledge of assembly language(instructions that are used by the CPU for execution) to understand the jumps and calls of the API function the sample is using.
In performing this type of analysis, there are also some drawbacks. First, there is the knowledge of the analyst in understanding assembly codes, second, if the sample is packed by a known or unknown packer, and if so, it needs to be unpacked in order to see the full disassembled code; and third, if the sample has an anti-static code analysis function.
Running a packed sample inside the disassembler can only give you a few instructions, and the rest is junked code used by the packer to obfuscate the data inside. Whether the sample is packed or not, static code analysis provides a huge advantage to the analyst when analyzing a sample.
This type of analysis is performed together with a disassembler and a tool called a debugger, and this too requires further expertise in understanding the assembly language, the debugger, and basic code structures. Developers use this technique when they encounter problems with the programs they are working on. From a malware analyst’s perspective, you are presented with a sample without knowing the code and function within, and in order to analyze and understand, you must reverse-engineer the sample to extract the data and fully understand the inner workings behind the sample.
In performing this type of analysis, there are also some drawbacks. First, there is the knowledge of the analyst in understanding assembly codes, second, if the sample is packed by a known or unknown packer, and if so, it needs to be unpacked in order to see the full disassembled code; and third, if the sample has an anti-dynamic code analysis function.
There are lots of anti-reverse engineering techniques used by the malware authors, and knowing each of those techniques aids the analyst in being a step ahead of the game.