
Chapter 6: Malware Analysis > How Should Network Access Be Limited? - Pg. 147

comes in. You need to know what activities the virus performs. Does it send data to its creator? Was the malware specifically targeted at the victim in some way? How does it infect other computers? Can the damage it does be repaired?

There are two primary methods of malware analysis. One is static analysis, and the second is dynamic analysis.

Static analysis involves looking at the code of the malware itself. If you are lucky enough to obtain source code in a high-level language, this can be a fairly straightforward task. Unfortunately for researchers, this almost never happens. Instead, the malware is almost exclusively distributed in binary format. In addition, malware writers often use obfuscation tools to make their binaries even more difficult to understand (as if reading assembly code weren't hard enough). They often use encryption techniques to hide portions of their code, and write custom code-modification scripts. They may alter their binary structure so that the traditional binary sections are not in place, or, worse, are corrupted in some fashion to prevent binary analysis tools from working. In many cases the actual binary of the entire malware is never in memory at one time: modules are decoded on demand, and promptly erased when execution is complete.

The other method of analysis is known as dynamic analysis. This analysis involves
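The static-analysis problems described above (encrypted or packed code, sections that only exist in memory, section tables corrupted so that tools break) leave measurable traces in the file itself, and a first triage step is to look for them before opening a disassembler. The script below is an added example, not code from the book; it parses the PE section table directly with `struct`, then flags each section that shows high Shannon entropy (typical of compressed or encrypted payloads), that has no bytes on disk but a large in-memory size (filled at runtime), that is both writable and executable (a common unpacking target), or whose raw data pointer runs past the end of the file (a corrupted or truncated table). The sample PE it inspects is constructed inline and is not a real malware sample; the 7.0 bits/byte entropy threshold and the 256-byte minimum section size are assumptions chosen for this illustration.

```python
"""Static triage of PE section headers: flags signs of packing, encryption,
runtime-filled sections and corrupted section tables.
Added example with a constructed sample PE; thresholds are assumptions."""
import hashlib
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
HIGH_ENTROPY = 7.0                    # assumed threshold; random data approaches 8.0
MIN_ENTROPY_SIZE = 256                # assumed; tiny sections cannot reach high entropy
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, table + i * SECTION_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_ptr": rptr, "characteristics": chars,
            "data": pe[rptr:rptr + rsize],   # empty if the pointer is past EOF
        })
    return sections


def triage_sections(pe: bytes) -> dict:
    """Map section name -> list of findings suggesting obfuscation or corruption."""
    report = {}
    for s in parse_sections(pe):
        findings = []
        if s["raw_size"] and s["raw_ptr"] + s["raw_size"] > len(pe):
            findings.append("raw data extends past end of file (corrupted or truncated section)")
        elif s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append("no data on disk but %#x bytes in memory (filled at runtime)"
                            % s["virtual_size"])
        elif s["raw_size"] >= MIN_ENTROPY_SIZE:
            ent = shannon_entropy(s["data"])
            if ent > HIGH_ENTROPY:
                findings.append(f"high entropy {ent:.2f} bits/byte (likely compressed or encrypted)")
        wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        if s["characteristics"] & wx == wx:
            findings.append("writable and executable (self-modifying code or unpacking target)")
        report[s["name"]] = findings
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE: four sections with deliberate properties (not a real binary)."""
    text_data = (b"plain, unpacked code section placeholder. " * 40)[:1024]   # low entropy
    crypt_data = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                          for i in range(128))                                 # high entropy
    size_opt, num_sections, e_lfanew = 0xE0, 4, 0x40    # PE32 optional header left zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + num_sections * SECTION_SIZE
    text_ptr = -(-headers_len // 0x200) * 0x200           # align to a 512-byte file boundary
    crypt_ptr = text_ptr + len(text_data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    sections = [  # name, virtual_size, virtual_address, raw_size, raw_ptr, characteristics
        (b".text", len(text_data), 0x1000, len(text_data), text_ptr, 0x60000020),
        (b".crypt", len(crypt_data), 0x2000, len(crypt_data), crypt_ptr, 0x40000040),
        (b".rt", 0x20000, 0x4000, 0, 0, 0xE0000080),            # runtime-filled, W+X
        (b".bad", 0x1000, 0x30000, 0x1000, 0x100000, 0x40000040),  # pointer past EOF
    ]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, ptr, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ptr, ch in sections)
    image = dos + b"PE\0\0" + coff + b"\0" * size_opt + table
    return image + b"\0" * (text_ptr - len(image)) + text_data + crypt_data


if __name__ == "__main__":
    for name, findings in triage_sections(build_sample_pe()).items():
        print(f"{name:8s} {'; '.join(findings) or 'nothing unusual'}")
```

A clean section such as `.text` produces no findings, while the three others each trigger the indicator they were built to show. None of these checks proves a file is malicious on its own (legitimate installers compress their payloads, and some runtimes use writable code sections), but together they tell an analyst early that static analysis will need unpacking or a memory dump taken during dynamic analysis.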