In the real life you can't have a medicine without going to the dr who will tell you to analyze your blood so he can know what type of infection you have then he can give you the right cure .
Malware analysis is one of the most important work in information security field , you may be the dr who will give the cure or the one who will analyze the system for the infection , today we will be the analyzer and the dr :D .
First How To Define The Symptoms For The Infection :
As a Dr you will take a look at the systems and try to notice suspicious behavior like :
- Cpu work at 100% when no user programs are running.
- Icons on task bar for programs user didn't install.
- Network is always busy and everyone have slow connection .
- Unknown programs runs at startup .
- Document and files encrypted.
- Web pages open automatically on startup or when using the system.
- Messages sent without user interaction through skype or other messengers.
- Strange mouse motion like it controlled by someone.
- Applications won't start , some times another program run.
- Browser Popups and ads in websites have no ads.
Second - How To Define The Infection Type :
After you noticed a suspicious behavior now you will search for a malware that have similar behavior .
to find this malware we must begin with a start point which may be :
- If the infection in browser we must get the name of the website that open as default page , search the plugins for suspicious plugins we didn't install .
- If the infection is a Desktop Popups , we must get the info displayed in these popups .
- If the infection in process that use 100% from cpu , we get the name of the process .
- If the infection in programs that show in taskbar , we get the name of this programs .
- If the infection is encryption of files , we get the extension of this encrypted files .
- If the infection is making the network slow , we get a capture of data transmitted to internet ( how to explained later ) .
now we search google for these info , you must know that the malware infected you has a probability of 70% that is infected other users and the anti-malware company's caught him , so there is high probability that you will find the cause , name of malware , and the way to remove it .
Third - New Malware ? Lets Analyze And Make A Cure .
In malware analysis you must get a sample of the malware ( infection ) so you can isolate it from other programs and do your test in virtulized environment and gather info about what the malware can do and how to reverse and delete any record or infection done .
when you analyze malware you should know from where to gather information and what the locations malware usualy left a trace in it , as human body huge and complicated Operating systems also huge there is many location for malware to hide but there is a locations which malware must interact with in order to keep running in the system and to do its dirty work , so we must search in these location in order to analyze the malware right :
- watch every Folder or file open when malware run .
- Watch any edit on registry when malware run .
- Watch any traffic out from network interface .
Drs have their own tools to analyze the microbics , as system Drs we have our own tools to analyze and gather even smallest information about the target malware .
from a various great tools we chosen those :
- Regshot : this tool can analyze the registry before and after the infection then compare them to get the difference which will be what the malware did .you can dowload it from here
- Process monitor : great tool from microsoft that watch every process and get any small detail of the task did by this process .you can dowload it from here
- Dirwatch : this tool watch every attempt to read , write in any folder in the system .you can dowload it from here
- Process Explorer : this tool from microsoft will give us all details about the running process . you can dowload it from here
- Wireshark : a great tool that will capture all the traffic out from network interface so we can analyze it later . you can dowload it from here