Malware Analysis is the practice of identifying and analyzing suspicious files on endpoints and within networks using dynamic analysis, static analysis, or full reverse engineering.
A strong Malware Analysis practice aids in the analysis, detection, and mitigation of potential threats. Malware Analysis can help organizations identify malicious objects used in advanced, targeted, and zero-day attacks.
Malware Analysis is important because it helps security operations teams rapidly detect and prevent malicious objects from gaining persistence and causing destruction within the organization.
There are three main types of Malware Analysis:
1. Static Analysis examines files for signs of malicious intent without executing the program. This form can also call for manual review by an IT professional after the initial examination, to analyze further how the malware interacts with the system. Static document analysis looks for abnormalities in the file itself, not in how it executes.
It seeks to answer questions such as the following:
- Are there structural anomalies such as embedded shellcode, abnormal macros, or other executable code that would not normally be present in a document of this type?
- Does the document have any missing or added segments?
- Are there any embedded files?
- Are there any encryption, fingerprinting, or other suspicious capabilities?
- Is there anything about the document that just looks odd?
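As an added illustration (not code from the original page or from VMware), the Python script below is a small static triage tool that answers several of the checklist questions above for a Windows PE file: it parses the section table and flags section names that mainstream compilers do not emit, sections that are empty on disk but large in memory, high-entropy (packed or encrypted) sections, data appended after the last section (the "added segments" question), and embedded executables (the "embedded files" question). It deliberately uses only the standard library; a production workflow would normally use a library such as `pefile`. All function names are this example's own, and `build_pe`/`build_sample` construct a synthetic, non-loadable specimen so the script runs offline.

```python
import math
import struct

# Section names commonly emitted by mainstream compilers/linkers (assumption: others merit a look).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 indicate compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: section table plus the size of any data appended after the last section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + 40 * i)
        raw_size, raw_ptr = f[3], f[4]
        sections.append({
            "name": f[0].rstrip(b"\0").decode("latin-1"),
            "vsize": f[1], "raw_size": raw_size, "raw_ptr": raw_ptr,
            "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
        })
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=sec_table + 40 * nsec)
    return {"sections": sections, "overlay_size": max(len(data) - end, 0)}


def find_embedded_pe(data: bytes) -> list:
    """Offsets (after 0) of MZ headers whose e_lfanew field points at a PE signature."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> list:
    """Static findings for the checklist questions; an empty list means nothing stood out."""
    info, findings = parse_pe(data), []
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']!r} is empty on disk but {s['vsize']:#x} bytes in memory (filled at runtime)")
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f} (packed or encrypted)")
    if info["overlay_size"]:
        findings.append(f"{info['overlay_size']} bytes appended after the last section (overlay)")
    for off in find_embedded_pe(data):
        findings.append(f"embedded PE image at offset {off:#x}")
    return findings


def build_pe(sections: list, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 image for the demo (valid headers only; it is not loadable).
    sections: list of (name, raw_bytes, virtual_size)."""
    opt_size, e_lfanew = 224, 0x40
    nsec = len(sections)
    first_raw = (e_lfanew + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, blob, cursor, va = b"", b"", first_raw, 0x1000
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(raw),
                             cursor if raw else 0, 0, 0, 0, 0, 0x60000020)
        blob += raw
        cursor += len(raw)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF
    dos = b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blob + overlay


def build_sample() -> bytes:
    """Constructed specimen: packer-style layout with a second executable appended as overlay."""
    payload = build_pe([(".text", b"\xC3" * 64, 64)])           # constructed inner image
    return build_pe([
        (".text", bytes(32) + b"\xC3" * 32 + bytes(448), 512),  # low-entropy stub
        ("UPX0", b"", 0x10000),                                 # no raw data, large in memory
        ("UPX1", bytes(range(256)) * 16, 4096),                 # uniform bytes, entropy 8.0
    ], overlay=payload)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

On the constructed specimen the script reports six findings (two non-standard section names, a section filled at runtime, an entropy-8.0 section, a 576-byte overlay, and the embedded image at offset 0x1400); on a one-section `.text`-only image it reports none. Thresholds such as the 7.0 entropy cut-off are conventional starting points, not a verdict on their own: signed installers and resource-heavy applications legitimately carry overlays and high-entropy sections, so these results are leads for the manual review the text describes.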
2. Dynamic Analysis relies on a closed system (known as a sandbox) to launch the malicious program in a secure environment and simply watch what it does. The inspection environment simulates an entire host (including the CPU, system memory, and all devices) to continuously observe every action a malicious object can take. This automated system lets professionals watch the malware in action without letting it infect their own systems. Dynamic analysis interacts with the malware to elicit every malicious behavior. It supports automation, yields fast and accurate findings, and helps identify and analyze the obscure corners of an organization's infrastructure.
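The observation side of a sandbox is product-specific, but the reasoning applied to its output can be shown in a few lines. The following Python example is added here and is not code from the page or from VMware: it reads a constructed sandbox event log (JSON lines with a hypothetical schema of file writes, registry sets, process creations and network connections) and correlates events across processes, so that a file dropped by one process, registered under an autorun key, executed, and then used for a network connection is reported as one chain rather than four unrelated events. The event schema, the autorun-location markers, and the `verdict` labels are this example's own assumptions.

```python
import json

# Constructed sandbox event log in JSON-lines form; it is not output from any real product.
# A raw string is used so the doubled backslashes reach the JSON parser intact.
SAMPLE_EVENTS = r"""
{"pid": 1200, "proc": "invoice.exe", "type": "file_write", "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"}
{"pid": 1200, "proc": "invoice.exe", "type": "reg_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"}
{"pid": 1200, "proc": "invoice.exe", "type": "process_create", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe", "child_pid": 1340}
{"pid": 1340, "proc": "update.exe", "type": "net_connect", "dst": "203.0.113.10", "port": 443}
{"pid": 900, "proc": "notepad.exe", "type": "file_write", "path": "C:\\Users\\victim\\Documents\\notes.txt"}
"""

# Locations that cause code to run again at logon (assumption: the two most common ones are enough for the demo).
AUTORUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, in the order the sandbox recorded them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Correlate drop -> persist -> execute -> connect across processes; returns 'category: detail' strings."""
    dropped, spawned, findings = {}, {}, []   # dropped: path -> writer pid; spawned: child pid -> image
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"].lower()
            if path.endswith(EXECUTABLE_SUFFIXES):
                dropped[path] = ev["pid"]
            if STARTUP_DIR_MARKER in path:
                findings.append(f"persistence: {ev['proc']} wrote {ev['path']} into a Startup folder")
        elif kind == "reg_set":
            if any(m in ev["key"].lower() for m in AUTORUN_KEY_MARKERS):
                tag = " (value points at a dropped file)" if ev.get("value", "").lower() in dropped else ""
                findings.append(f"persistence: {ev['proc']} set autorun value {ev['key']}{tag}")
        elif kind == "process_create":
            image = ev["image"].lower()
            if image in dropped:
                spawned[ev["child_pid"]] = ev["image"]
                findings.append(f"execution: {ev['proc']} launched dropped file {ev['image']} (pid {ev['child_pid']})")
        elif kind == "net_connect" and ev["pid"] in spawned:
            findings.append(f"network: dropped file {spawned[ev['pid']]} connected to {ev['dst']}:{ev['port']}")
    return findings


def verdict(findings: list) -> str:
    """Crude scoring: one behavior category is suspicious, two or more together are malicious."""
    categories = {f.split(":", 1)[0] for f in findings}
    if len(categories) >= 2:
        return "malicious"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_EVENTS))
    for line in found:
        print(line)
    print("verdict:", verdict(found))
```

The point of tracking `dropped` and `spawned` is that none of the four attacker-process events is conclusive alone (installers also write executables to Temp and add Run keys), while the chain of a dropped file that is made persistent, executed, and then reaches the network is a much stronger signal. Real sandbox reports carry far richer event types; the same state-tracking pattern extends to them.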
3. Reverse Engineering malware involves disassembling (and sometimes decompiling) a software program. Through this process, binary instructions are converted to code mnemonics (or higher-level constructs) so that engineers can look at what the program does and which systems it affects. Only by knowing these details are engineers able to create solutions that mitigate the program's intended malicious effects. A reverse engineer (aka "reverser") uses a range of tools to find out how a program propagates through a system and what it is engineered to do. In doing so, the reverser also learns which vulnerabilities the program was intending to exploit.
VMware NSX Network Detection and Response (NDR) offers advanced malware analysis through a full-system emulation sandbox that shows all of a sample's interactions with the operating system, including evasive behaviors, and uses advanced AI techniques to give deep visibility into all artifacts traversing the data center.
VMware also provides an on-premises threat hunting and incident response solution via continuous Endpoint Detection and Response (EDR). VMware's EDR continuously records and stores endpoint activity data, providing visibility even in offline environments, so IT professionals can target threats in real time.