Malicious code, also known as malware
Any software that causes damage to users, computers, or networks in some way is considered malicious code
Viruses, trojans, worms, rootkits, ransomware and spyware all fall under malicious code.
Process:
Identify the target: locate the infected host or file.
Analysis: the goal is usually to determine exactly what a particular suspicious binary has done.
Comprehensive analysis once the sample is confirmed to be malicious.
Write the corresponding detection signatures: 1. host-based signatures 2. network-based signatures
Host signatures (signs of infection)
Used to detect malicious code on infected hosts. These signs are often files created or modified by the malicious code, or the specific changes it makes to the registry.
Unlike the virus signatures used by anti-virus software, host signatures focus on what the malicious code does to the system, not on the characteristics of the malicious code itself.
Network signatures are used to detect malicious code by monitoring network traffic.
Network signatures can be created without analyzing the malicious code, but signatures derived from analysis are usually more effective, giving higher detection rates and fewer false positives.
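The two signature types above work on different evidence: host signatures on artifacts left on the machine, network signatures on traffic. The following is an added example, not code from the original notes, showing both applied to constructed observations; every path, registry key, hostname and log line in it is made up for the illustration. It also shows why the network signature matches the shape of the beacon (a varying 16-hex-digit id) rather than one literal value.

```python
"""Host-based and network-based signatures applied to constructed observations.

Added illustration, not code from the original notes. The file paths, registry
key, hostname and log lines are all made up for this example.
"""
import re

# Host signature: what the sample did to the system (file it dropped, autorun key it set).
# Constructed values.
HOST_SIGNATURE = {
    "files": {r"C:\Users\Public\svchost_update.exe"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}

# Network signature: the beacon the sample produced when run in an isolated environment.
# The 16-hex-digit id varies per victim, so the signature matches the shape, not one value.
NETWORK_SIGNATURE = re.compile(
    r'"GET /gate\.php\?id=[0-9a-f]{16} HTTP/1\.1" Host: updates\.example-cdn\.test$'
)


def match_host(observed):
    """Return (kind, value) pairs of host indicators found in observed artifacts.

    Windows paths and registry keys are case-insensitive, so compare in lowercase;
    a sample that drops SVCHOST_UPDATE.EXE must still be caught.
    """
    hits = []
    for kind in ("files", "registry"):
        wanted = {v.lower() for v in HOST_SIGNATURE[kind]}
        for value in observed.get(kind, ()):
            if value.lower() in wanted:
                hits.append((kind, value))
    return hits


def match_network(log_lines):
    """Return the proxy log lines that match the network signature."""
    return [line for line in log_lines if NETWORK_SIGNATURE.search(line)]


def scan(observed, log_lines):
    """Combine both views: a host is flagged if either signature type fires."""
    host_hits = match_host(observed)
    net_hits = match_network(log_lines)
    return {"host": host_hits, "network": net_hits, "infected": bool(host_hits or net_hits)}


# Constructed observations from one host and its proxy log.
OBSERVED_HOST = {
    "files": [r"C:\Windows\System32\svchost.exe", r"c:\users\public\SVCHOST_UPDATE.EXE"],
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
}
PROXY_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" Host: intranet.example.test',
    '10.0.0.7 "GET /gate.php?id=3fa9c02b7d1e4456 HTTP/1.1" Host: updates.example-cdn.test',
    '10.0.0.7 "GET /gate.php?id=ZZZZ HTTP/1.1" Host: updates.example-cdn.test',
    '10.0.0.9 "GET /gate.php?id=9b2e0f8c1d7a6e33 HTTP/1.1" Host: files.example.test',
]

if __name__ == "__main__":
    result = scan(OBSERVED_HOST, PROXY_LOG)
    for kind, value in result["host"]:
        print(f"host indicator ({kind}): {value}")
    for line in result["network"]:
        print(f"network match: {line}")
    print("infected:", result["infected"])
```

The legitimate C:\Windows\System32\svchost.exe is not flagged, the dropped file is caught despite its different letter case, and only the log line with the correct path, id format and host matches the network signature.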
Malicious code analysis techniques
Generally we only get the executable file of the malicious code, and that file is not human-readable.
Malicious code analysis method:
Static analysis: analyzing the program without running it
Basic techniques: 1. confirm whether a file is malicious 2. collect basic information 3. derive network signatures
Advanced techniques: mainly reverse engineering the malicious code by loading the executable into a disassembler in order to view its instructions. These instructions are what the CPU executes, so by reading them you can determine what the program does. This requires a command of assembly language, code structure, and Windows and Linux operating system concepts, among other things.
Dynamic analysis: analyzing the malicious code while it runs
Basic techniques: run the malicious code and observe its behavior on the system in order to remove the infection and generate effective detection signatures. Before running malicious code you need to build a safe environment so that it poses no risk to your system or network.
Advanced techniques: use a debugger to examine the internal state of the malicious executable at run time, an alternative path to extracting detailed information from the executable.
Combining dynamic and static analysis gives a much more complete picture of the malicious code.
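Basic static analysis, as listed above, means collecting information from the file without executing it: hashing it so it can be labelled and looked up, checking what kind of file it is, and pulling out readable strings, from which candidate network signatures often fall out directly. The following is an added example, not code from the original notes; SAMPLE is a fabricated byte string standing in for a suspicious executable, and the hostname and IP address inside it are made up.

```python
"""Basic static analysis of a constructed binary: hashes, file type, strings, network indicators.

Added illustration, not code from the original notes. SAMPLE is a fabricated
byte string standing in for a suspicious executable.
"""
import hashlib
import re
import struct

# Constructed stand-in for a suspicious file: a minimal MZ/PE header skeleton
# followed by a few embedded NUL-terminated strings. Hostname and IP are made up.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew at offset 0x3c points to "PE\0\0"
    + b"PE\x00\x00" + b"\x00" * 20
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://updates.example-cdn.test/gate.php\x00"
    + b"198.51.100.23\x00"
    + b"cmd.exe /c\x00"
    + b"\x01\x02\x03AB\x00"
)


def file_hashes(data):
    """MD5 and SHA-256: the usual way to label a sample and look it up in shared databases."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def is_pe(data):
    """Check the MZ magic and that e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the strings utility."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def network_indicators(strings):
    """Pull URLs and well-formed IPv4 addresses out of extracted strings.

    These are only candidate network signatures: strings can be decoys or unused,
    so confirm them with dynamic analysis before deploying a detection.
    """
    url_re = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9./?=&%_\-]*)?")
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    urls, ips = [], []
    for s in strings:
        urls.extend(url_re.findall(s))
        for ip in ip_re.findall(s):
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                ips.append(ip)
    return {"urls": urls, "ips": ips}


def basic_static_report(data):
    """The basic information a first static pass collects about a sample."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "strings": strings,
        "network": network_indicators(strings),
    }


if __name__ == "__main__":
    report = basic_static_report(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    print("PE file:", report["is_pe"])
    for s in report["strings"]:
        print("string:", s)
    print("candidate network indicators:", report["network"])
```

The short fragments ("MZ", "PE", "AB") fall below the minimum string length and are dropped, while the URL and IP address come out as candidates for a network signature.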
Malicious code types
When analyzing malicious code you will find one empirical technique very useful: you can often guess what a sample is trying to do, and then verify those guesses, which speeds up the analysis. Of course, the better you know what malicious code usually does, the more accurate your guesses will be. So far, the vast majority of malicious code falls into the following categories.
Backdoor: malicious code that installs itself on a computer to give the attacker access. Backdoors usually let an attacker connect to the remote computer with little or no authentication and execute commands on the local system.
Botnet: similar to a backdoor in that it gives the attacker access to the system, but all computers infected with the same botnet receive the same commands from a single command-and-control server.
Downloader: malicious code that exists only to download other malicious code. Downloaders are usually installed first, when the attacker gains access to the system, and then download and install the rest.
Spyware: malicious code that collects information from the victim's computer and sends it to the attacker, for example sniffers, password hash collectors and keyloggers. It is usually used to obtain credentials for accounts such as e-mail and online banking.
Launcher: malicious code used to launch other malicious programs. A launcher usually uses non-traditional techniques to start the other programs, either to stay concealed or to gain higher privileges on the system.
Rootkit: malicious code designed to hide other malicious code. A rootkit is usually paired with other malicious code (such as a backdoor) to form a kit that gives the attacker remote access while making the code hard for the victim to find.
Ransomware: malicious code designed to frighten infected users into buying something. Such software usually has a user interface that makes it look like an antivirus or other security product. It tells the user that the system is infected and that the only way to get rid of the infection is to buy its "software"; in reality, all the purchased software does is remove the ransomware itself.
Spam-sending malicious code: once it infects a user's computer, it uses the system's and network's resources to send large volumes of spam. Its operators make money by selling spam services to attackers.
Worm or virus: malicious code that replicates itself and infects other computers.
Malicious code also often spans several categories. For example, a program may carry a keylogger to collect passwords and also a worm component that spreads it by e-mail. So do not get too hung up on classifying malicious code by its function.
Malicious code can be divided into two categories according to the attack target:
Popular (mass) malicious code: for example, ransomware that spreads across the Internet to affect as many machines as possible. This class is the most common, usually not very sophisticated, and easier to detect and defend against, because security software is aimed at it.
Targeted malicious code: such as a specially crafted backdoor, developed for a specific organization. Targeted malicious code is a greater threat than mass malicious code because it is not widely spread, so many security products cannot protect you against it.
General rules for malicious code analysis
Finally, a few general rules to keep in mind when analyzing malicious code.
First, don't get lost in detail. Most malicious programs are large and complex, and you cannot understand every detail. Focus on the most critical main functions. When you encounter difficult, complex code segments, get a general understanding before going into the details.
Second, remember that different tasks call for different tools and methods; there is no one-size-fits-all approach. Every situation is different, and the tools and techniques you will learn have similar, sometimes overlapping, functions. If one tool gets you nowhere, try another. If you are stuck at one point, don't spend too much time there; move on to another problem. Try to analyze the malicious code from a different angle, or simply try a different method.
Finally, remember that malicious code analysis is a cat-and-mouse game. As new analysis techniques are developed, malicious code authors respond with new techniques to frustrate analysis. To succeed as a malicious code analyst you must be able to recognize, understand and overcome these new techniques, and respond quickly to new developments in the art of malicious code analysis.