Notes from SophosLabs: On the trail of rootkits and other malware by Paul Ducklin.
From the post:
When an interesting new piece of malware makes the news, the first questions people ask are usually, “How does it work? What does it do?”
In the old days, back when there were no more than a few hundred new viruses each year, almost all of them written in assembly language, we’d often start with a static, analytical approach by disassembling or decompiling the machine code itself.
Once we knew what sequence of operations the malware performed – for example, that it scanned through the directories on the C: drive and appended itself to every .COM file – we would then run the malware on a freshly-prepared computer and confirm our analysis using a dynamic, deductive approach.
But these days there are hundreds of thousands of new malware samples every day, written in a variety of programming languages, and delivered in a variety of ways.
The vast majority of the samples we get aren’t truly new, of course.
They’re unique only in the strictly technical sense that they consist of a sequence of bytes that we haven’t encountered before, in the same way that
Good morningandGOOD MORNINGare not literally the same.Indeed, most of the new samples that show up each day are merely minor variants that we already detect, or known malware that has been encrypted or packaged differently.
Nevertheless, that still leaves plenty of samples worth looking at.
So, these days we usually start dynamically and deductively, using automated systems that run the malware in a controlled environment, instead of first trying to deconstruct each new sample by hand, like we did in the 1980s.
And that leaves us with the questions behind the questions that we asked at the start, namely, “How do you tell how it works? How do you keep track of what it does?”
….
As you can tell from my posts, Naked Security, is on my regular reading list.
Malware is an area where collation of information on malware, weaknesses, solutions would be more than helpful. When you are a reported ten (10) years behind the opposition, merging information from a variety of sources could be a significant step towards catching up.
Paul’s post is a high level view of a process to answer the questions:
“How do you tell how it works? How do you keep track of what it does?”
Information that could be used to identify a particular bit of malware.
Not overly technical but deep enough to give you a sense of the technique.
Enjoy!