malware analysis and detection

Dipjyoti Deka

Thread author
Aug 17, 2017
Hi,
I want to know whether there is any new technology other than machine learning/data mining that can be used for malware analysis and detection.

Winter Soldier

Feb 13, 2017
I think that the best way to analyze malware is to use well-known standard techniques of static and dynamic analysis, with good knowledge and skills in reverse engineering and assembly.

New technologies can help, of course, but manual analysis is the best thing.

For example, consider a dropper.
It is very widespread and contains the code embedded in the resources of the executable or in the same file.
So the malicious code is contiguous to the dropper code: when executed, it reads the next part of the executable itself, writing to disk another file that will run later.
The malware is saved in the resources of the executable, and the dropper copies the malware from the resources of the executable to the disk. If the file is embedded or the resources are encrypted, the dropper first has to decrypt them and then write them to disk.

This is very common behavior: automated analysis can show general indicators of compromise, but you will hardly get a complete and reliable result if you're not skilled in malware analysis and can't objectively interpret the report.
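The dropper pattern described in the post above, as an added example that is not part of the original thread or the poster's own work: a small static triage script that looks for a second executable carried inside a first one, either in the clear (appended, or stored in a resource) or under the trivial single-byte XOR that commodity droppers often use. It is standard-library only, and the "dropper" it inspects is constructed in memory so the script runs offline; the PE images inside it are header-only stand-ins, not real programs. All names (`find_embedded_pe`, `xor_scan`, `triage`, `build_sample_dropper`) are this example's own, not any tool's API, and scanning raw bytes rather than walking the PE resource directory is a deliberate simplification that also catches payloads appended as an overlay.

```python
"""Added example: static triage for an executable that carries another
executable inside itself (the dropper pattern). Standard library only."""
import math
import struct

PE_SIG = b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform
    spread over all 256 values. Packed or properly encrypted blobs sit near
    the top; plain code, strings and padding sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_pe(blob: bytes, off: int) -> bool:
    """True if blob[off:] starts with a DOS 'MZ' header whose e_lfanew
    (the DWORD at +0x3C) lands on a 'PE\\0\\0' signature inside the blob."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    return e_lfanew >= 0x40 and pe + 4 <= len(blob) and blob[pe:pe + 4] == PE_SIG


def find_embedded_pe(blob: bytes) -> list:
    """Offsets of PE images found inside the file, skipping offset 0 (the
    host's own header). This is the 'stored in the clear' case: the dropper
    only has to copy these bytes out to a new file."""
    hits = []
    pos = blob.find(b"MZ", 1)
    while pos != -1:
        if looks_like_pe(blob, pos):
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def xor_scan(blob: bytes) -> list:
    """Brute-force every single-byte XOR key; return (key, offset) pairs under
    which an embedded PE appears. Caveat worth remembering: single-byte XOR
    is a bijection, so it leaves entropy unchanged. The key search, not an
    entropy threshold, is what finds this kind of 'encrypted' resource."""
    found = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        found += [(key, off) for off in find_embedded_pe(decoded)]
    return found


def triage(blob: bytes, window: int = 512) -> list:
    """Combine both checks. Each finding carries the raw-byte entropy of
    `window` bytes at the hit as a packing/encryption hint for the analyst."""
    findings = [{"offset": o, "key": 0} for o in find_embedded_pe(blob)]
    findings += [{"offset": o, "key": k} for k, o in xor_scan(blob)]
    for f in findings:
        region = blob[f["offset"]:f["offset"] + window]
        f["entropy"] = round(shannon_entropy(region), 2)
    return findings


def make_minimal_pe(marker: bytes) -> bytes:
    """Constructed test data: a header-only PE image, 64-byte DOS header with
    e_lfanew = 0x40, then 'PE\\0\\0' and `marker` padded to 64 bytes."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + marker.ljust(64, b"\0")


def build_sample_dropper() -> bytes:
    """Constructed sample: host image, 200 bytes of stand-in dropper code,
    a cleartext payload, 32 bytes of padding, then a payload XORed with 0x5A.
    (A real dropper would locate these through its resource directory or at
    a fixed offset in its own file; the byte layout is the same idea.)"""
    host = make_minimal_pe(b"host stub") + b"\x90" * 200
    clear = make_minimal_pe(b"payload A (clear)")
    enc = bytes(b ^ 0x5A for b in make_minimal_pe(b"payload B (xor 0x5A)"))
    return host + clear + b"\0" * 32 + enc


if __name__ == "__main__":
    sample = build_sample_dropper()
    print(f"file entropy: {shannon_entropy(sample):.2f}")
    for finding in triage(sample):
        print(finding)
```

On the constructed sample the cleartext payload is reported at offset 332 with key 0 and the encrypted one at offset 496 with key 0x5A. Against a real dropper, a hit from this script is exactly the kind of "general indicator" the post talks about: it tells you there is something to carve and look at, not what the payload does or under which conditions the dropper writes it, which is where the manual static and dynamic work starts.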