Malware Analysis
Types of malware, analysis techniques, reverse engineering, and prevention.
Overview
Malware analysis is the process of working out what a suspicious sample does, how it persists and communicates, and which indicators (hashes, strings, network destinations, registry keys) can be used to detect and contain it. Static analysis inspects the file without running it; dynamic analysis runs it in an isolated environment and observes its behaviour.
Malware Types
| Type | Description | Impact |
|---|---|---|
| Virus | Injects its code into other executables and runs when they do | Data corruption |
| Worm | Self-replicates across the network without user action | Network-wide spread |
| Trojan | Poses as legitimate software to get installed | Backdoor access |
| Ransomware | Encrypts files and demands payment for the key | Data loss, extortion |
| Spyware | Covertly collects user activity and data | Data theft |
| Rootkit | Hides processes, files, or kernel objects from the OS and security tools | Persistent, stealthy access |
| Keylogger | Records keystrokes | Credential theft |
Analysis Techniques
Static Analysis
```python
import hashlib
import pefile  # third-party (pip install pefile); parses PE headers without executing the file

# Calculate file hash: the SHA-256 identifies the sample and is the first thing to look up
def calculate_hash(filename):
    sha256_hash = hashlib.sha256()
    with open(filename, "rb") as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            sha256_hash.update(byte_block)
    return sha256_hash.hexdigest()

# Analyze PE file: entry point and section names straight from the headers
def analyze_pe(filename):
    pe = pefile.PE(filename)
    print(f"Entry point: 0x{pe.OPTIONAL_HEADER.AddressOfEntryPoint:08x}")
    # strip the NUL padding outside the f-string (a backslash inside an f-string expression is a syntax error before 3.12)
    names = [section.Name.decode(errors="replace").rstrip("\x00") for section in pe.sections]
    print(f"Sections: {names}")

if __name__ == "__main__":
    import sys
    sample = sys.argv[1]  # path to the sample under analysis
    print(f"SHA-256: {calculate_hash(sample)}")
    analyze_pe(sample)
```
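The pefile snippet above only prints the entry point and section names. The following added example, written for this page and not taken from the original or from the pefile project, goes one step further using only the standard library: it walks the PE headers by hand, computes per-section Shannon entropy, and applies three common triage heuristics (high-entropy sections, sections that are both writable and executable, and an entry point that lies outside .text). The PE32 image it analyzes is constructed inline to have the on-disk shape of a UPX-packed executable; it is not a real sample. The packer section-name list and the 7.0 entropy threshold are assumptions chosen for the example, not fixed rules.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names left behind by common packers (assumed list for this example; a hint, not proof).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "characteristics": chars, "entropy": shannon_entropy(raw)})
    return {"sha256": hashlib.sha256(data).hexdigest(), "machine": machine, "magic": magic,
            "entry_point": entry, "sections": sections}


def triage(data: bytes) -> list:
    """First-pass static heuristics: packing, W+X sections, and where the entry point lands."""
    pe = parse_pe(data)
    findings = []
    ep = pe["entry_point"]
    ep_section = None
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_section = s
        if s["entropy"] > 7.0:  # assumed threshold; compiled code usually sits around 5 to 6.5
            findings.append(f"section {s['name']} has entropy {s['entropy']:.2f}: likely packed or encrypted")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is both writable and executable")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section name {s['name']} matches a known packer")
    if ep_section is None:
        findings.append(f"entry point 0x{ep:x} lies outside every section")
    elif ep_section["name"] != ".text":
        findings.append(f"entry point 0x{ep:x} is in {ep_section['name']}, not .text")
    return findings


def build_sample() -> bytes:
    """Constructed PE32 image (not a real binary): a NOP-filled .text plus a high-entropy UPX1
    section holding the entry point, the shape a UPX-packed executable has on disk."""
    text_raw = b"\x90" * 0x1F0 + b"\xC3" * 0x10                      # 0x200 bytes, very low entropy
    packed_raw = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(32))  # 0x400 bytes
    opt_size = 0xE0                                                  # standard PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                          # AddressOfEntryPoint inside UPX1

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    table = (section(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)      # CODE|EXECUTE|READ
             + section(b"UPX1", 0x400, 0x3000, 0x400, 0x400, 0xE0000020))    # CODE|EXECUTE|READ|WRITE
    image = bytearray(0x800)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(headers)] = headers
    image[0x200:0x400] = text_raw
    image[0x400:0x800] = packed_raw
    return bytes(image)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

On the constructed image this reports four findings: the UPX1 section is high-entropy, writable and executable, and carries a packer name, and the entry point sits in it rather than in .text. None of these is proof of malice on its own (installers and DRM-protected games are packed too), which is why triage output feeds further analysis rather than a verdict.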
Dynamic Analysis
```python
# Monitor system calls. This executes the sample: run it only inside an isolated,
# snapshotted analysis VM with no route to production networks.
import subprocess

# Run in sandbox: -f follows child processes, -e trace=network keeps only socket-related calls
result = subprocess.run(
    ['strace', '-f', '-e', 'trace=network', './malware_sample'],
    capture_output=True, text=True, timeout=60,  # raises TimeoutExpired if the sample hangs waiting for C2
)
# strace writes its trace to stderr; stdout holds the sample's own output
print(result.stderr)
```
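Raw strace output is only useful once it has been reduced to indicators. The added example below, not part of the original page, parses the kind of lines `strace -f -e trace=network` produces and collapses them into destination IP/port IOCs with attempt and success counts, which is what you would hand to the network team or turn into a block rule. The trace it runs on is constructed for the example using RFC 5737 documentation addresses, with 4444 standing in for a reverse-shell port; the regular expression is an assumption that covers only IPv4 connect/sendto/sendmsg lines and ignores IPv6 (inet_pton) and strace's unfinished/resumed split lines.

```python
import re

# Constructed strace -f -e trace=network output (not a real capture).
SAMPLE_TRACE = r"""[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid  4243] sendto(4, "\x12\x34\x01\x00\x00\x01", 34, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 34
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
"""

# One outbound IPv4 call per line. IPv6 and "<unfinished ...>"/"<... resumed>" lines are not handled here.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'              # "[pid N]" prefix that -f adds for child processes
    r'(?P<call>connect|sendto|sendmsg)\('             # syscalls that carry a destination address
    r'.*?sin_port=htons\((?P<port>\d+)\)'             # destination port
    r'.*?sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)'      # destination IPv4 address
    r'.*?\)\s*=\s*(?P<ret>-?\d+)'                     # return value; negative means the call failed
)


def extract_network_events(trace: str) -> list:
    """Parse strace network lines into structured events, one per outbound call."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "pid": int(m["pid"]) if m["pid"] else None,  # no prefix when strace traces a single process
            "call": m["call"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "succeeded": int(m["ret"]) >= 0,
        })
    return events


def summarize_destinations(events: list) -> dict:
    """Collapse events into (ip, port) IOCs with attempt/success counts and the syscalls seen."""
    summary = {}
    for e in events:
        entry = summary.setdefault((e["ip"], e["port"]), {"attempts": 0, "succeeded": 0, "calls": set()})
        entry["attempts"] += 1
        entry["succeeded"] += int(e["succeeded"])
        entry["calls"].add(e["call"])
    return summary


if __name__ == "__main__":
    for (ip, port), info in summarize_destinations(extract_network_events(SAMPLE_TRACE)).items():
        print(f"{ip}:{port}  attempts={info['attempts']} succeeded={info['succeeded']} via {sorted(info['calls'])}")
```

Failed connections are kept rather than dropped: a refused connect to a hard-coded address is still an indicator, and a sample that retries the same destination (as the trace above does for 203.0.113.10:4444) is showing you its C2 preference.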
Reverse Engineering Tools
| Tool | Purpose |
|---|---|
| IDA Pro | Commercial disassembler and decompiler |
| Ghidra | NSA's open-source disassembler and decompiler |
| OllyDbg | 32-bit Windows user-mode debugger |
| Wireshark | Network traffic capture and analysis |
| ProcMon | Windows Sysinternals monitor for file, registry, and process activity |
Malware Indicators
```yara
// YARA rule example: a command-shell string, a Run-key persistence path, and an x86 call stub
rule Malware_Indicator {
    strings:
        $s1 = "cmd.exe /c"
        $s2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
        $hex1 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // push imm32; push imm32; call rel32
    condition:
        2 of them  // any two of the three; the hex stub alone is common in benign code
}
```
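To see what the rule's strings actually match, the added example below (written for this page, not code from the YARA project; in practice you would use yara-python) re-implements the two string kinds in plain Python: hex strings with `??` wildcards become byte regexes, text strings are literal case-sensitive ASCII matches, and the condition `2 of them` is evaluated over the set of strings that hit. It runs against two constructed buffers, not real samples: a dropper-like blob that triggers both $hex1 and $s1, and a benign push/push/call sequence that trips only $hex1, which is exactly why the rule demands two strings rather than one.

```python
import re

# The three strings from the rule above. In a YARA text string "\\" is one literal backslash,
# so the registry path is stored here with single backslashes (Python's "\\" escape).
RULE_STRINGS = {
    "$s1": ("text", "cmd.exe /c"),
    "$s2": ("text", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    "$hex1": ("hex", "68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8"),   # push imm32; push imm32; call rel32
}


def compile_hex(pattern: str) -> "re.Pattern":
    """Translate a YARA hex string (fixed bytes and ?? wildcards) into a bytes regex."""
    parts = []
    for token in pattern.split():
        parts.append(b"." if token == "??" else b"\\x%02x" % int(token, 16))
    return re.compile(b"".join(parts), re.DOTALL)     # DOTALL: a wildcard must match 0x0A too


def compile_text(literal: str) -> "re.Pattern":
    """YARA text strings are case-sensitive ASCII by default (no 'nocase' or 'wide' modifiers here)."""
    return re.compile(re.escape(literal.encode("ascii")))


def scan(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, (kind, pattern) in RULE_STRINGS.items():
        regex = compile_hex(pattern) if kind == "hex" else compile_text(pattern)
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes, minimum: int = 2) -> bool:
    """The rule's condition, '2 of them': at least two distinct strings must match."""
    return len(scan(data)) >= minimum


# Constructed buffers, not real samples.
DROPPER = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    b"\x68\x10\x20\x40\x00"          # push 0x402010
    b"\x68\x00\x30\x40\x00"          # push 0x403000
    b"\xe8\x10\x00\x00\x00"          # call +0x10
    b"cmd.exe /c del %0\x00"         # command line the stub hands to CreateProcess
)
BENIGN_CODE = b"\x68\x01\x00\x00\x00\x68\x02\x00\x00\x00\xe8\xfb\xff\xff\xff"  # same push/push/call idiom, nothing else


if __name__ == "__main__":
    print(scan(DROPPER), rule_matches(DROPPER))          # {'$s1': [18], '$hex1': [3]} True
    print(scan(BENIGN_CODE), rule_matches(BENIGN_CODE))  # {'$hex1': [0]} False
```

The offsets returned are what YARA's `-s` flag would print, and they are the first thing to check when a rule fires: a $hex1 hit inside a legitimate import thunk looks the same as one inside a shellcode stub until you disassemble around it.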
Prevention Strategies
- Endpoint Protection — Antivirus, EDR
- Email Filtering — Spam, phishing detection
- User Training — Security awareness
- Patch Management — Regular updates
- Network Segmentation — Limit spread
Practice
Analyze a suspicious file using static and dynamic analysis techniques.