Friday, June 8, 2012

Introduction to Virus Analysis

Malware is a generic term for any software that not only harms computer data but also wreaks havoc on society. It comes in different types, which can be distinguished by their behavior. The majority of what a Malware Analyst encounters every day are viruses, trojans, and worms.

I've dedicated this blog to virus analysis, as it is the area that is focused most purely on reverse engineering. The ultimate goal of virus analysis is to understand the infection well enough to perform file restoration, so that users can run their applications as before.

A virus is a malware type that attaches itself to programs such as EXE files. It has three ways of infecting a file: prepending, appending, or cavity infection.

Prepending virus - infects EXE files by writing its code at the start of the file. It either shifts the original file contents downward or overwrites the start of the target file with itself; in the latter case the overwritten original code is usually stored at the end of the file.

Appending virus - infects EXE files by attaching itself to the end of the file. It modifies at most 6 bytes of the target's start code so that the virus code executes first.

Cavity virus - infects EXE files by distributing its code across the non-contiguous free areas available in the target file. Think of an EXE file as a stack of buckets, and of the code and data in it as water that fills each bucket only halfway. That slack space is why archivers such as 7z or WinRAR can compress EXE files to a smaller size, and it is where a cavity virus writes its code.
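As an added illustration (my own example code, not from this blog post), the following Python script parses the PE headers of an EXE the way an analyst does when triaging a suspected appending infection: it reports which section holds the entry point, whether the first instruction there is a 5-byte near JMP into a different (typically the last) section, and whether there is overlay data past the end of the last section. The two PE images it examines are constructed in memory as test fixtures; the section names (such as `.extra`), the byte contents and the 16-byte overlay are assumptions made for the demonstration, not data from any real sample.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, sections, overlay=b""):
    """Build a minimal PE32 file in memory (constructed test fixture, not a real program).
    `sections` is a list of (name, rva, raw_bytes); raw data is laid out on 0x200 boundaries."""
    hdr_size = 0x200
    raw_ptr = hdr_size
    sec_hdrs = b""
    body = b""
    for name, rva, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), rva,
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    headers = (dos + coff + opt + sec_hdrs).ljust(hdr_size, b"\0")
    return headers + body + overlay


def parse_sections(data):
    """Return (AddressOfEntryPoint, section table) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                     "rptr": rptr, "rsize": rsize})
    return entry_rva, secs


def section_for(secs, rva):
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def analyze_pe(data):
    """Collect the structural indicators of an appended infection."""
    entry_rva, secs = parse_sections(data)
    findings = []
    entry_sec = section_for(secs, entry_rva)
    jmp_target = None
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if entry_sec is secs[-1] and len(secs) > 1:
            findings.append(f"entry point is in the last section ({entry_sec['name']})")
        off = entry_sec["rptr"] + (entry_rva - entry_sec["va"])   # RVA -> file offset
        if data[off] == 0xE9:   # near JMP rel32: the classic 5-byte patch at the original entry
            rel = struct.unpack_from("<i", data, off + 1)[0]
            target = (entry_rva + 5 + rel) & 0xFFFFFFFF
            t = section_for(secs, target)
            jmp_target = t["name"] if t else None
            if t is not entry_sec:
                findings.append(f"entry point jumps from {entry_sec['name']} to {jmp_target} (rva {target:#x})")
            if t is secs[-1] and len(secs) > 1:
                findings.append("jump target is in the last section")
    end_of_last = max(s["rptr"] + s["rsize"] for s in secs)
    overlay = max(len(data) - end_of_last, 0)
    if overlay:
        findings.append(f"{overlay} bytes of overlay data after the last section")
    return {"entry_rva": entry_rva, "entry_section": entry_sec["name"] if entry_sec else None,
            "jmp_target_section": jmp_target, "overlay_bytes": overlay, "findings": findings}


# Constructed fixtures: a 16-byte stand-in for .text (push ebp; mov ebp,esp; nops; ret).
TEXT = bytes.fromhex("558bec" + "90" * 13 + "c3")


def sample_clean():
    return build_pe(0x1000, [(b".text", 0x1000, TEXT), (b".data", 0x2000, b"hello\0")])


def sample_suspect():
    # Same layout plus a trailing section; the first 5 bytes at the entry point are a JMP
    # into that section, and 16 bytes sit past the end of the last section (overlay).
    patched = b"\xe9" + struct.pack("<i", 0x3000 - (0x1000 + 5)) + TEXT[5:]
    return build_pe(0x1000, [(b".text", 0x1000, patched), (b".data", 0x2000, b"hello\0"),
                             (b".extra", 0x3000, b"\x90" * 8)], overlay=b"X" * 16)


if __name__ == "__main__":
    for label, img in (("clean", sample_clean()), ("suspect", sample_suspect())):
        print(label, analyze_pe(img))
```

The checks are structural, so they only point an analyst at what to look at in the debugger; a packer or a legitimately appended installer payload produces some of the same indicators, which is exactly why the next step is stepping through the code at the jump target rather than trusting the headers alone.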

A well-written virus is one that does not corrupt the infected file. Its aim is to spread to as many computers as possible, so it has to execute the infected host's code without any side effects.

To understand malware behavior, one should know how to write a program. He/she should be familiar with the Windows API, not just the simple arithmetic operations that introductory programming courses give as exercises, and should have a firm grasp of assembly language instructions, since we won't be dealing with readable if-then-else statements here.

There are two ways to analyze malware. The first is to let the malware execute and watch its behavior with monitoring tools such as Procmon. The second is to fire up a debugger and reverse the application by stepping through its code. We'll mainly be using OllyDbg or IDA Pro in this blog. Since we're dealing with virus programs here, I strongly suggest that you analyze them inside a virtual machine such as VirtualBox.

Over the next blog posts, I'll be dumping everything I know about the topic. So stay tuned.