Tuesday, October 12, 2010

Quick introduction to malware analysis

This post by Lenny Zeltser on the SANS Forensics Blog introduces the whole process of malware analysis.

The post can be summarized in the following points:

  • Behavioral analysis (dynamic analysis). Run the sample in an isolated, controlled environment and observe how it interacts with the local system and with remote hosts.
  • Code analysis (static analysis). Disassemble the binary and study the malware at the assembly level, with a disassembler and, where needed, a debugger to step through the code.
  • Memory analysis. Related to behavioral analysis: the investigator runs the sample, dumps the contents of memory and examines the dump. This helps to spot code that is hidden or obfuscated on disk (packed or encrypted) and to better understand how the malware behaves.

I would also add network analysis, because it shows how the local system interacts with remote systems such as a C&C server. Often the investigator must examine malware that was found on a live system, and having a network capture taken while it ran may be handy.
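As an added example (not from Lenny Zeltser's post or from this blog), the following Python script sketches the code- and memory-analysis side of the list above: it hashes a sample or a dumped memory region, measures entropy to flag packed or encrypted regions, extracts ASCII and UTF-16LE strings, walks every MZ header to find embedded or injected PE images, and pulls URLs and IPv4 addresses out of the strings as candidate C&C indicators to compare against a network capture. The input is a constructed byte string built by build_sample(); the mutex name and URL in it are invented placeholders, not indicators from any real sample.

```python
"""Static triage of a binary or a dumped memory region: hashes, entropy,
strings, embedded PE images and network indicators (added example)."""
import hashlib
import math
import re
import struct

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")             # printable ASCII, 6+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # printable UTF-16LE, 6+ chars
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample() -> bytes:
    """Constructed test data standing in for a memory dump: a NOP sled, a bare
    PE image (MZ/PE headers only, no code), an ASCII mutex name and a UTF-16LE
    C&C URL. Nothing here comes from a real sample."""
    dos = bytearray(b"MZ") + b"\x00" * 58               # IMAGE_DOS_HEADER up to e_lfanew
    dos += struct.pack("<I", 0x80)                      # e_lfanew: PE header at image+0x80
    image = dos + b"\x00" * (0x80 - len(dos))
    image += b"PE\x00\x00" + struct.pack("<H", 0x14C)   # signature + Machine (i386)
    url = "http://c2.example.invalid/gate.php".encode("utf-16-le")  # placeholder C&C
    return (b"\x90" * 0x200 + bytes(image) + b"\x00" * 0x40
            + b"Global\\SampleMutex-01" + b"\x00" * 0x10   # placeholder mutex name
            + url + b"\x00\x00" + b"\xff" * 0x100)


def hashes(data: bytes) -> dict:
    """Identify the sample: the hashes are what you search for in threat-intel feeds."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted regions approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes) -> list:
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def utf16_strings(data: bytes) -> list:
    """Windows malware frequently stores URLs, paths and mutex names as UTF-16LE,
    which a plain ASCII strings run misses entirely."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def find_pe_headers(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature.
    In a memory dump, an image that does not belong to a legitimately loaded
    module is a candidate for injected or manually unpacked code."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew < 0x1000 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def network_indicators(strings) -> list:
    """URLs and IPv4 addresses found in the extracted strings: candidate C&C
    endpoints to look for in the packet capture."""
    found = []
    for s in strings:
        found += URL_RE.findall(s) + IPV4_RE.findall(s)
    return found


def triage(data: bytes) -> dict:
    strings = ascii_strings(data) + utf16_strings(data)
    return {"hashes": hashes(data), "entropy": round(entropy(data), 3),
            "pe_offsets": [hex(o) for o in find_pe_headers(data)],
            "strings": strings, "network": network_indicators(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it against a real dump by replacing build_sample() with the file contents; the entropy figure is most useful per section or per page rather than for the whole blob, since a single packed section is easy to lose in the average of a large, mostly empty region.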

