
MALWARE-EDUCATION

Malware analysis: Static vs. Dynamic methods

There are many ways to analyze malware, but most of them fall into two categories based on how they approach the file: static and dynamic. What are the differences between these methods? When would you use one over the other? Let's find out.

By Ryan Victory

Mar 3rd, 2023 · 5 minute read


ATT&CK® and Malware Behavior Catalog Mappings
MITRE ATT&CK®
Defense Evasion (TA0005)
  • Debugger Evasion (T1622)
  • Obfuscated Files or Information (T1027)
  • Reflective Code Loading (T1620)
  • Virtualization/Sandbox Evasion (T1497)
Malware Behavior Catalog
Anti-Behavioral Analysis (OB0001)
Anti-Static Analysis (OB0002)
Defense Evasion (OB0006)
  • Polymorphic Code (B0029)
  • Software Packing (F0001)

If you’ve read about malware analysis techniques, you may have heard references to “static” and “dynamic” analysis methods. What do these terms mean? Why would you choose one over the other? In this article, let’s examine these terms and look at why they are both important in our fight against malware.

Key takeaways

  • "Static" analysis refers to techniques that look at the contents of the file, generally without executing it. Think "what the file is."
  • "Dynamic" analysis refers to techniques that look at the behavior of the file by executing it. Think "what the file does."

Static Analysis

In static analysis, we are concerned with understanding what a file is. Static analysis treats files as sequences of bytes and generally doesn’t try to execute the file in any way, which avoids the risk of inadvertently running the malware. Static analysis is also passive: because the file isn’t executing, it can’t detect the analysis environment and change its behavior at run time. It can still resist being read, though, through packing and obfuscation (the Anti-Static Analysis behaviors mapped above), so what you see statically is a lower bound on what the file can do. These methods are also generally faster and more efficient, since reading a file’s contents costs far less than running it in a sandbox environment.

Common static analysis techniques include:

  • Unpacking: Removing layers of executable code that try to hide the true intent of a file or make it more difficult to analyze, or separating/unarchiving files that contain many other files (such as a RAR archive or an Android APK)
  • File type identification: Looking at attributes of the file (magic bytes, headers, structure) rather than its extension to determine the file type
  • Metadata Analysis: Extracting information about the file specific to its type. For example, PDF files contain metadata about the program used to generate them, or the author
  • String analysis: Searching for human readable strings in a file to try to determine what it does or how it works
  • Disassembly: Converting an executable file to an assembly language representation for analysis
  • Decompilation: Attempting to represent an executable file as code in a higher level language such as C, C++, Java, C#, etc.
  • Deobfuscation: Converting portions of the file (such as strings) from encoded representations to understandable ones (for example, finding Base64 encoded strings and Base64 decoding them)
  • Signature Matching: Seeing if a file matches certain known patterns or rules
  • Indicator Extraction: Finding potential “indicators” in the file, such as URLs, domain names, IP addresses, etc.
  • Call Graph Analysis: Mapping which functions call which others (from the disassembly or decompilation) to see the program’s structure, for example tracing from the entry point to the code that touches the network or the Registry
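The static techniques above, applied in one pass, as an added Python example (not code from the article or from malware[.]net). The sample bytes are constructed for the example: a minimal MZ/PE header followed by the kinds of strings a dropper leaves behind. The hostnames use the reserved .invalid TLD, the IP address is from a private range, and the signature rules are made up; a real pipeline would use YARA rules and a proper PE parser.

```python
import base64
import hashlib
import re
import struct

# Constructed sample, not a real executable: a minimal MZ/PE header followed by the
# kinds of strings found in a dropper. Hosts use the reserved .invalid TLD, the IP
# is from a private range, and the UTF-16LE string stands in for a "wide" string.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3c
    + b"PE\x00\x00" + b"\x00" * 20                            # PE signature + COFF header
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"http://update.example.invalid/gate.php\x00"
    + b"10.0.0.5\x00"
    + base64.b64encode(b"http://c2.example.invalid/cfg.bin")  # obfuscated second C2
    + b"\x00\x00" + "cmd.exe /c schtasks /create".encode("utf-16le") + b"\x00" * 16
)

MAGIC = {b"\x7fELF": "ELF", b"%PDF": "PDF", b"PK\x03\x04": "ZIP (also APK/JAR/DOCX)"}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"(?i)(?:HKLM|HKCU|Software)\\[^\s\"']+")

# Constructed rules in the spirit of YARA: a rule fires only if every needle is present.
SIGNATURES = {
    "injector_with_run_key_persistence": {"CreateRemoteThread", "WriteProcessMemory", "CurrentVersion\\Run"},
    "wininet_downloader": {"InternetOpenUrlA", "URLDownloadToFileA"},
}


def identify_type(data: bytes) -> str:
    """File type from magic bytes, never from the extension."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (DOS stub without PE header)"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes) -> list:
    """ASCII and UTF-16LE runs of 5+ printable chars; Windows binaries use both."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return ascii_strs + wide_strs


def deobfuscate_base64(strings: list) -> list:
    """Decode Base64-looking strings, keeping only results that are printable text."""
    decoded = []
    for s in strings:
        if not B64_RUN.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:          # wrong length/padding: just an alphanumeric string
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def extract_indicators(strings: list) -> dict:
    """URLs, IPv4 addresses and Registry paths. Version strings such as 1.2.3.4
    also match the IPv4 pattern, so treat these as leads, not verdicts."""
    found = {"urls": set(), "ipv4": set(), "registry": set()}
    for s in strings:
        found["urls"].update(URL_RE.findall(s))
        found["ipv4"].update(ip for ip in IPV4_RE.findall(s) if all(int(o) < 256 for o in ip.split(".")))
        found["registry"].update(REG_RE.findall(s))
    return {k: sorted(v) for k, v in found.items()}


def match_signatures(strings: list, rules: dict = SIGNATURES) -> list:
    blob = "\n".join(strings)
    return sorted(name for name, needles in rules.items() if all(n in blob for n in needles))


def triage(data: bytes) -> dict:
    """One static pass: hash, type, strings, deobfuscation, indicators, signatures."""
    strings = extract_strings(data)
    decoded = deobfuscate_base64(strings)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": identify_type(data),
        "decoded_strings": decoded,
        "indicators": extract_indicators(strings + decoded),   # decoded C2 counts too
        "signatures": match_signatures(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Two details matter in practice: the wide-string pass, because a Windows binary’s most interesting strings are often UTF-16LE and invisible to an ASCII-only `strings`, and feeding the deobfuscated strings back into indicator extraction, since the C2 a dropper actually uses is the one it bothered to hide.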

Dynamic Analysis

In dynamic analysis, we are concerned with what a file does. This is generally accomplished by executing the file in a controlled environment (often referred to as a “sandbox” environment). The sandbox needs to be “instrumented,” meaning that it has systems in place to measure what happens when a file is executed within it. Sandbox environments generally monitor:

  • File system access (reads, writes, files created, files deleted)
  • Network traffic (DNS queries, HTTP requests, UDP/TCP traffic, etc.)
  • System configuration changes (such as the Registry on Windows)
  • System API calls
  • Process spawning and process trees
  • Malware persistence techniques

Dynamic analysis can be interactive or non-interactive. In interactive analysis, an analyst executes and works with the file in real time. This is useful when the file requires actions that are hard to automate, such as clicking a specific button or filling in a specific form field in a user interface. Stepping through an executable under a debugger is also a form of interactive analysis.

In non-interactive dynamic analysis, the malware is executed in a sandbox environment without human interaction. The execution may follow a scripted flow, or use robotic process automation techniques to try to approximate how a human would interact with the file.

Common dynamic analysis techniques include:

  • Sandbox Execution: Running the file in a controlled environment and analyzing the behavior of the file and how it modifies its environment
  • Debugging: Attaching a debugger to the process while it executes to enable detailed monitoring of how it works, monitoring of memory, and to modify its execution in real time
  • Execution Tracing: Using a tool to monitor the details of a program’s execution, such as logging every API/function call made along with the parameters and return values
  • Code Injection: Injecting 3rd party code into the process while it’s executing to change its behavior or to perform more detailed logging of how it works
  • Network Traffic Inspection: Monitoring the network traffic generated while the process is running, either at the OS level (such as by tracing system API calls related to networking) or at the network level (by tapping the network external to the sandbox). Network traffic inspection can include metadata logging, SSL/TLS inspection (via a man in the middle proxy), and full packet capture
  • Memory Analysis: Inspecting the contents of the process memory to understand how it works and to extract useful information
  • Network Sandboxing: Redirecting the sample’s network traffic to servers or services that masquerade as their real counterparts on the Internet. For example, you may stand up a fake HTTP C2 server so the malware believes it is talking to its real one, both for operational security (the real operator never sees traffic from your lab) and to exercise different control flows by feeding the sample the commands you choose
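As an added example (not the article’s own code), here is what an analyst does with the output of an instrumented sandbox: rebuild the process tree from the process events and turn the raw file, Registry, network and API events into findings. The JSON-lines schema, the pids, the paths and the addresses are all constructed for this example; every real sandbox has its own output format, and the rules here are deliberately simple.

```python
import ipaddress
import json

# Constructed sandbox output in a hypothetical JSON-lines schema (one event per line).
# Every pid, path, host and address is made up; 203.0.113.10 is a documentation
# address (TEST-NET-3), not a real C2.
SANDBOX_LOG = r"""
{"ts": 0.0, "event": "process_start", "pid": 1204, "ppid": 800, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"ts": 1.2, "event": "process_start", "pid": 1340, "ppid": 1204, "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": 1.3, "event": "process_start", "pid": 1388, "ppid": 1340, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": 2.0, "event": "file_write", "pid": 1388, "path": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 2.1, "event": "registry_set", "pid": 1388, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Updater", "data": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 2.5, "event": "dns_query", "pid": 1388, "name": "update.example.invalid"}
{"ts": 2.6, "event": "net_connect", "pid": 1388, "dst": "203.0.113.10", "port": 443}
{"ts": 3.0, "event": "process_start", "pid": 1440, "ppid": 1388, "image": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 3.1, "event": "api_call", "pid": 1440, "api": "IsDebuggerPresent", "ret": 0}
{"ts": 3.2, "event": "net_connect", "pid": 1440, "dst": "10.0.0.2", "port": 445}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}  # T1622
# The sandbox's own network; anything else counts as "external" in this example.
LAB_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LAB_NETS)


def build_process_tree(events: list) -> dict:
    """pid -> {ppid, image, children}; a pid whose parent was never seen is a root."""
    procs = {ev["pid"]: {"ppid": ev["ppid"], "image": ev["image"], "children": []}
             for ev in events if ev["event"] == "process_start"}
    for pid, proc in procs.items():
        if proc["ppid"] in procs:
            procs[proc["ppid"]]["children"].append(pid)
    return procs


def roots(procs: dict) -> list:
    return [pid for pid, proc in procs.items() if proc["ppid"] not in procs]


def render_tree(procs: dict, pid: int, depth: int = 0) -> list:
    lines = [f"{'  ' * depth}{pid} {basename(procs[pid]['image'])}"]
    for child in procs[pid]["children"]:
        lines.extend(render_tree(procs, child, depth + 1))
    return lines


def summarize_behaviors(events: list) -> list:
    """Turn raw events into (finding, pid) pairs. Order matters: a file must be
    written before a process_start of the same path counts as executing a drop."""
    procs = build_process_tree(events)
    dropped, findings = set(), set()
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "process_start":
            parent = procs.get(ev["ppid"])
            if parent and basename(parent["image"]) in OFFICE and basename(ev["image"]) in SHELLS:
                findings.add(("office_spawns_shell", pid))
            if ev["image"].lower() in dropped:
                findings.add(("executes_dropped_file", pid))
        elif kind == "file_write" and ev["path"].lower().endswith((".exe", ".dll", ".ps1", ".vbs")):
            dropped.add(ev["path"].lower())
        elif kind == "registry_set" and ev["key"].lower().endswith("\\currentversion\\run"):
            findings.add(("run_key_persistence", pid))
        elif kind == "net_connect" and is_external(ev["dst"]):
            findings.add(("external_connection", pid))
        elif kind == "api_call" and ev["api"] in DEBUGGER_APIS:
            findings.add(("debugger_check", pid))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse_events(SANDBOX_LOG)
    tree = build_process_tree(evs)
    for root in roots(tree):
        print("\n".join(render_tree(tree, root)))
    for finding, pid in summarize_behaviors(evs):
        print(f"{pid}: {finding}")
```

The `IsDebuggerPresent` event is worth reading twice: it is logged because the instrumented API layer saw the call, and the later events exist only because the answer was 0. Had the sample detected the sandbox or debugger, the trace would simply have stopped there, which is why a short or empty trace is itself a finding rather than a clean bill of health.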

When to choose dynamic or static analysis

Static analysis is the cheaper of the two. Parsing headers, extracting strings and indicators, hashing, and signature matching take milliseconds per file and can be run safely over a large corpus, which is why triage pipelines start there. The price is completeness: a packed or obfuscated sample reveals very little until it is unpacked, strings may be assembled only at run time, and disassembly tells you what the code could do, not which paths it actually takes under real conditions.

Dynamic analysis fills that gap by observing the sample’s actual behavior: the files it drops, the keys it sets, the hosts it contacts. It is slower (each run needs an instrumented VM and typically minutes of execution), and it is only as good as the run. The sample may detect the sandbox or debugger and change its behavior (the Virtualization/Sandbox Evasion and Debugger Evasion techniques mapped above), may wait for a trigger that never occurs in the lab, or may depend on a C2 server that is offline or that serves different payloads to different victims. A clean run proves only that nothing bad happened in that environment, in that time window.

In practice the two are used in sequence: static triage to classify, prioritize, and extract quick indicators, then dynamic analysis of the samples that warrant it, with the static results used to interpret what the dynamic run shows.

Hybrid analysis methods

Hybrid techniques carve a piece of the file out statically and execute just that piece dynamically, or work in the other direction. Examples include locating an encrypted configuration blob and its decryption routine in the disassembly and running only that routine in an emulator to recover the plaintext; extracting an embedded script from a document and running it in an instrumented interpreter instead of opening the document; and letting a packed sample unpack itself in a sandbox, dumping the unpacked code from memory, and then disassembling the dump statically. This is often the fastest way to deobfuscate strings or to understand how one small portion of a file operates without running the whole sample.

Conclusion

Static analysis tells you what a file is: its type, structure, strings, indicators, and code, obtained without running it, quickly and safely, but only as far as packing and obfuscation allow. Dynamic analysis tells you what a file does: the processes, files, Registry changes, and network traffic it produces when run in an instrumented sandbox, at the cost of time and exposure to evasion. Most investigations use both, starting with static triage and moving to dynamic and hybrid methods for the samples that need them.


Copyright ©2025 malware[.]net