Malware Analysis for Incident Response

Malicious software continues to be an ever-evolving scourge on enterprise and consumer systems. As soon as defenses are created, malware authors release a new strain with the power to corrupt or destroy a system. Malware is even being utilized as a weapon against nation states and global organizations. A great many of the data breaches that have made the news involve, in whole or in part, the use of malware to achieve some goal. Organizations in every sector of the economy have faced the threat of malware. With the addition of ransomware attacks such as WannaCry and Petya, organizations have had to spring into action to address these attacks.

With malware an ever-present risk, it is critical that incident response analysts have some knowledge of the methods and tools utilized in the analysis of malicious code. It would be impossible to address the complexities of malware analysis in a single chapter. Therefore, this chapter will focus on the foundational elements of malware analysis, while examining some of the tools that are utilized. This will give an analyst a solid understanding of these methods, so that they are better able to interpret the results of such an analysis in the context of an incident.

In this discussion of malware analysis, the following topics will be addressed:

  • Malware classifications
  • Malware analysis overview
  • Analyzing malware
  • Tools for analysis
  • Sandbox tools and techniques