Monday 22 April 2013

Static and Dynamic Analysis

Malware Analysis can be broadly divided into two categories:
· Static Analysis
· Dynamic Analysis

Static Analysis

Static analysis is a malware analysis technique in which the sample is not run; it is analyzed statically using tools such as string viewers, disassemblers, PE format viewers, etc. It is safer than dynamic analysis because the sample is never executed, so there is no chance of infecting the machine, but it is a slower process and requires considerable experience to do properly. And if the binary is packed, it cannot be analyzed without unpacking it first.

It can be further divided into two categories:
· Basic Static analysis
· Advanced Static Analysis

Basic Static Analysis

Basic static analysis is not a very effective technique of analysis, but it is very quick. It does not involve looking at the actual instructions of the executable. The primary goal of basic static analysis is to find out whether a suspected executable is malicious or clean, not to fully understand the executable's capabilities. It may include checking whether the executable is already detected by any AV, whether it has any suspicious imports, whether it is packed, its version information, whether it is digitally signed, whether it has any malformed PE format fields (if you don't know about the PE format, just ignore it for now; we will cover it in detail later), looking at its strings, etc.
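As an added illustration of the header checks listed above (example code written for this post, not a tool from the original), the script below walks the PE headers and section table by hand, uses per-section entropy as a packing heuristic, and reports section fields that point past the end of the file. The two-section PE32 image it builds is a constructed test input, not a real program; the 7.0 bits/byte threshold is an assumed rule of thumb.

```python
import hashlib
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 mean compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header and section table; flag packing and malformed fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections, issues = [], []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            issues.append("section table runs past end of file")
            break
        raw_name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", errors="replace")
        if rptr + rsize > len(data):  # malformed: header claims bytes the file does not have
            issues.append(name + ": raw data extends beyond end of file")
            rsize = max(0, len(data) - rptr)
        sections.append({"name": name, "raw_size": rsize, "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    # Heuristic: a non-empty section above 7.0 bits/byte is usually compressed or encrypted.
    packed = [s["name"] for s in sections if s["raw_size"] and s["entropy"] > 7.0]
    return {"is_pe": True, "machine": hex(machine), "sections": sections, "likely_packed": packed, "issues": issues}

def build_sample() -> bytes:
    """Constructed two-section PE32 image used as test input; it is not a real program."""
    opt = b"\x0b\x01" + b"\0" * 94  # PE32 magic, remaining optional header fields zeroed
    text = b"push ebp; mov ebp, esp " * 64  # repetitive code-like bytes: low entropy
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # deterministic, high entropy
    hdr = 0x40 + 24 + len(opt) + 2 * 40  # file offset where section data begins
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), hdr) + b"\0" * 16
    secs += struct.pack("<8sIIII", b"UPX1", len(blob), 0x2000, len(blob), hdr + len(text)) + b"\0" * 16
    return dos + coff + opt + secs + text + blob
```

Running `triage(open(path, "rb").read())` on a real file gives the same dictionary; truncating the sample (e.g. `build_sample()[:300]`) shows the malformed-field report.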

Advanced Static Analysis

Advanced static analysis involves loading the binary into a disassembler such as IDA Pro to completely analyze the malware. It requires experience, and the analyst needs to know Windows internals, assembly language and compiler-generated code, but it can give a complete overview of the binary's capabilities: what it can do and what conditions it requires to run. It is the most effective technique of analysis.

Dynamic Analysis

Dynamic analysis, unlike static analysis, involves executing the binary in a controlled environment. It can give us an overview of the malware's activity. It is quicker than static analysis, but it has its own disadvantages: the malware might need a specific environment (a specific OS, or an application such as an email client, IM client, Flash player, etc.) to run, and if that environment is not found it may not show its complete activity, or may not show any activity at all. So there is a strong chance that the analyst misses malware activity and does not discover all of the malware's capabilities.

Malware needs to run in a safe, controlled environment to make sure it does not infect the analyst's system, and even then there is still a risk of infection, because malware may use some unknown exploit to break out of the controlled environment. This is not common, but it is possible.

Similar to static analysis, dynamic analysis can also be divided into two categories:
· Basic Dynamic Analysis
· Advanced Dynamic Analysis

Basic Dynamic Analysis

Basic dynamic analysis involves running the malware in a controlled environment and capturing its activity in order to properly clean the infection. It can involve tracking the files and registry entries created by the malware so that they can be cleaned up. But it is not that effective and can miss much of the malware's functionality. On the other hand, it does not require any specific programming or Windows internals knowledge, so most people can do it and get an idea of the malware's activities.

Advanced Dynamic Analysis

Advanced dynamic analysis involves looking at code, similar to advanced static analysis, and it requires similar experience and skills. The binary is loaded into a debugger such as OllyDbg, Immunity Debugger or WinDbg and run step by step to see how the malware carries out its activity. The malware's execution flow can be changed at run-time to make it take code paths it would not otherwise have taken because their conditions were not met. This is the most useful and most commonly used technique for malware analysis.

A few points to remember while analyzing malware:
  • Don't get stuck in details - Most of today's malware is large, complex and sophisticated, so first try to get a general overview of the malware's capabilities. Then go into the details step by step.
  • Always remember that there are different tools and techniques for different scenarios. If one tool or technique does not work, try another.
