Thursday, September 30, 2010

Behavioral Analysis of a Malware Process: the On-the-Fly Approach

In most organizations, when a host goes rogue it is automatically rebuilt or reimaged without a second thought. Although this eradicates the malware and speeds up recovery, there is a risk that the malware has already spread undetected. I like to perform a quick behavioral analysis before re-imaging the host in order to build detective controls that watch for further infections in my organization.

When performing an organized behavioral analysis (i.e. in a lab), I use a methodology consisting of these phases:

Lab Preparation
Malware Execution
Observation
Results Gathering
Interpretation
Repeat as Needed
Improving and Testing Defenses

Unfortunately, when malware analysis has to be done quickly, a couple of these phases must be skipped since the malware is already running. For those situations I use a slightly different methodology consisting of these phases:

Containment
Observation
Results Gathering
Interpretation
Improving Defenses

Since the host is already infected, the containment phase is about preventing the malware from spreading. My preferred choice is to disconnect the system from the network, but disconnecting the host is not always an option. When it is not, I use network isolation to permit only limited services to the host, such as a remote access tool (RAT) from the analyst's host.

With the host contained, the next phase is observation. I recommend having a notebook handy (I always use a spiral notebook) to record any observations you make. During this phase, tools such as Process Monitor, Process Explorer, Autoruns, and TCPView are used to analyze the host. If possible I also use a network sniffer, but this may not always be an option.

After running the tools for about 15 to 30 minutes, save the results for analysis. I prefer to save them in a directory, then take an MD5 or SHA1 hash of the results to make sure they are not changed during the interpretation phase. Of course, the longer the tools run, the better the understanding of how the malware behaves.
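One way to implement the hash-and-verify step above, as an added example that is not from the original post: it hashes every saved tool output with both MD5 and SHA1, writes a manifest, and later reports any file that was modified, removed, or added before interpretation. The results directory, the manifest file and its JSON layout are my assumptions.

```python
import hashlib
import json
from pathlib import Path

ALGORITHMS = ("md5", "sha1")  # the two hashes the post suggests taking


def hash_file(path, algorithm):
    """Hash one file in 1 MiB chunks so a large Process Monitor log need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(results_dir):
    """Map every file under results_dir (relative POSIX path) to its MD5 and SHA1."""
    root = Path(results_dir)
    return {
        path.relative_to(root).as_posix(): {alg: hash_file(path, alg) for alg in ALGORITHMS}
        for path in sorted(p for p in root.rglob("*") if p.is_file())
    }


def save_manifest(results_dir, manifest_path):
    """Hash the saved tool output and write the manifest (assumed JSON); keep it outside results_dir."""
    manifest = build_manifest(results_dir)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_results(results_dir, manifest_path):
    """Re-hash results_dir and report anything that no longer matches the manifest.

    Returns (ok, problems): problems is a list of (kind, relative_path) with kind in
    {"modified", "missing", "added"}, in path order; ok is True only when it is empty.
    """
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(results_dir)
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(("missing", rel))
        elif rel not in expected:
            problems.append(("added", rel))
        elif actual[rel] != expected[rel]:
            problems.append(("modified", rel))
    return not problems, problems
```

Run `save_manifest` right after the tools are stopped and `verify_results` before and after the interpretation phase; both hashes are kept so a collision in one algorithm alone cannot hide a change.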

The interpretation phase is about looking at the output of the tools and interpreting the results. Since there is a high probability that no baseline exists, this is by far the most challenging phase. To assist with it, it is important to understand how the operating system behaves when it is not infected with malware. That knowledge makes it easier to sift through the results for the malware's behavior so it can be detected.

Improving defenses means taking the knowledge gained in the earlier phases and improving the organization's defenses. Typically this includes changing ACLs, writing IDS/IPS signatures, and/or making host changes in an effort to detect the malware.

When performing malware analysis on systems connected to a production network, extreme caution should be used. This type of analysis should be performed for the purpose of creating detective controls for this piece of malware. If preventative controls can be built as well, that is even better, but remember the objective is to use this information to detect other infections.
