What is static malware analysis?
Static analysis examines a malware file without running it. This is the safest way to start, because executing the sample could infect the analysis host. In its most basic form, static analysis gleans information from a sample without looking at its code at all. Metadata such as file name, type (determined from the file's leading bytes, not its extension), and size can yield clues about the nature of the malware. Cryptographic hashes of the file (MD5 is still widely listed, though SHA-256 is the standard today) can be looked up in a threat-intelligence database to determine whether the sample has been seen before; keep in mind that a hash identifies one exact file, so a single changed byte defeats the lookup. Scanning with antivirus software can reveal which family you're dealing with.
Advanced static analysis, also known as code analysis, dissects the binary to study each component, still without executing it. One method is to reverse engineer the code with a disassembler, which translates machine code into assembly, a form a trained analyst can read. From the assembly instructions, the file's headers, the functions it imports, and the strings it embeds, an analyst can often infer what the program is meant to do before it ever runs. Unfortunately, malware authors are adept at evading this technique. They pack or encrypt the real code so that the disassembler sees only an unpacking stub and high-entropy data, and they use anti-disassembly tricks such as junk bytes placed after a jump that is never taken, or a jump into the middle of another instruction, so that the disassembler decodes garbage while the CPU still executes the intended instructions. Because static analysis can be foiled in these ways, dynamic analysis is also necessary.
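The basic and advanced static steps above, as one added triage script (not code from the original article or any vendor tool). It uses only the Python standard library: file hashes, magic-byte typing, printable strings, and a walk of the PE section table with per-section entropy so a packed section stands out. Because it has to run offline, it analyses a hand-constructed, non-executable PE-shaped byte string built by build_sample(); every string, address and section name in that blob is made up for the demo, and for a real sample you would read the bytes from disk instead.

```python
"""Basic and advanced static triage in one script: hashes, file type,
printable strings, and the PE section table with per-section entropy.

Added example, not code from the original article. Standard library only.
It analyses a hand-constructed, non-executable PE-shaped byte string
(build_sample()); for a real sample use open(path, "rb").read().
"""
import hashlib
import math
import re
import struct

# Magic-byte table for quick file typing (small and illustrative, not complete).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (Office, JAR, APK)",
}


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file, for threat-intel lookups."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    """Identify the container by leading magic bytes, not by file extension."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, the same thing the `strings` tool prints."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(entropy(raw), 2),
        })
    return sections


def triage(data: bytes) -> dict:
    """Everything an analyst records before deciding whether to run the sample."""
    report = {"size": len(data), "type": file_type(data), "hashes": hashes(data), "strings": strings(data)}
    if report["type"].startswith("PE"):
        report["sections"] = pe_sections(data)
    return report


def build_sample() -> bytes:
    """Constructed, non-executable PE-shaped blob: a low-entropy .text section
    carrying suspicious strings and a high-entropy section that looks packed."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # e_lfanew lives at 0x3C
    opt = b"\x0b\x01" + b"\0" * 222                                  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x60000000, 0, 0, len(opt), 0x0102)
    text = (b"\x55\x8b\xec\x83\xec\x40" + b"\0" * 26
            + b"CreateRemoteThread\0VirtualAllocEx\0"
            + b"http://203.0.113.10/gate.php\0"                      # documentation IP range
            + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0").ljust(0x200, b"\0")
    packed = bytes((i * 97) % 256 for i in range(256)) * 4           # every byte value equally often
    sect = (struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), 0x200) + b"\0" * 16
            + struct.pack("<8sIIII", b".upx1", len(packed), 0x2000, len(packed), 0x400) + b"\0" * 16)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + text + packed


SAMPLE = build_sample()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the constructed sample the report shows a URL, a Run-key path and two injection-related API names in .text, and an entropy of 8.0 for the second section, which is the signal that the code you would want to disassemble is not visible on disk and that dynamic analysis or manual unpacking comes next.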
What is dynamic malware analysis?
Dynamic analysis, also called malware behavior analysis, runs the malware to observe what it does. Running a sample always carries risk, so dynamic analysis must be performed in a controlled environment. A "sandbox" is a virtual machine (or a dedicated, disposable physical host) isolated from production systems, with network access either cut off or routed through a monitored, simulated internet so that the sample can attempt to beacon or spread without reaching anything real. When the analysis is done, the sandbox is reverted to a clean snapshot, so nothing the sample did persists.
When the sample runs, its actions leave observable traces on the sandbox, and those traces become the indicators from which detection signatures are built. Dynamic analysis tooling monitors the sandbox to record how the sample changes it: files dropped or modified, registry keys created (for example under a Run key, the usual route to persistence), processes spawned, and network activity such as DNS lookups and the IP addresses and domains contacted. This is also how you learn whether the sample is calling home to an attacker-controlled command-and-control server. Debugging is another dynamic technique: with the sample running under a debugger, the analyst can step through its instructions one at a time and inspect memory and registers at each point, which is often the quickest way to reach code that was packed or encrypted on disk.
As with static analysis, malware authors have developed techniques to foil dynamic analysis. A sample may refuse to run its real payload if it detects a virtual machine (for example by probing for hypervisor drivers, vendor registry keys, or virtual hardware identifiers) or an attached debugger. It may sleep for minutes before acting, so a sandbox with a short timeout records only harmless behavior, or it may wait for user interaction such as a mouse click or a document being opened. Analysts counter this by patching out the checks, accelerating sleeps, and comparing what the sample does in the sandbox with what static analysis says it is capable of. To reach the best understanding of a particular threat, a combination of static and dynamic analysis is most effective.
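The two preceding paragraphs, the indicators a sandbox records and the evasion checks a sample makes, as one added example (not code from the original article or any sandbox product). The script parses an API trace, extracts host and network indicators, correlates a file that was written and then executed, and flags the debugger, virtual-machine and long-sleep checks that tell the analyst the run may not have shown the real payload. The trace line format "<pid> <api>(<args>) -> <return>" is an assumption for this demo, every line in TRACE is constructed, and the paths, key names and addresses are illustrative (203.0.113.0/24 is a documentation range, not a real server); adapt parse_line() to whatever your sandbox actually emits.

```python
"""Triage of a sandbox behaviour log: pull out host and network indicators
and flag the evasion checks the sample made before (or instead of) acting.

Added example, not from the original article or any sandbox product. The
line format "<pid> <api>(<args>) -> <return>" and every line in TRACE are
constructed for this demo; paths, keys and addresses are illustrative.
"""
import re

TRACE = [
    r'4120 IsDebuggerPresent() -> 0',
    r'4120 RegOpenKeyExW("HKLM\SOFTWARE\VMware, Inc.\VMware Tools") -> 2',
    r'4120 Sleep(300000) -> 0',
    r'4120 CreateFileW("C:\Users\Public\svchost32.exe") -> 0x1a4',
    r'4120 WriteFile(0x1a4, 48128) -> 1',
    r'4120 RegSetValueExW("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "C:\Users\Public\svchost32.exe") -> 0',
    r'4120 getaddrinfo("update.example.net") -> 0',
    r'4120 connect("203.0.113.10", 443) -> 0',
    r'4120 CreateProcessW("C:\Users\Public\svchost32.exe") -> 1',
    r'this line is not a trace event',
]

LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*->\s*(\S+)$')
ARG_RE = re.compile(r'"([^"]*)"|([^,\s"]+)')        # a quoted string, or a bare token
IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen")
PERSISTENCE_MARKER = r"\currentversion\run"           # matches both Run and RunOnce
LONG_SLEEP_MS = 60_000                                # anything this long outlasts many sandbox timeouts


def parse_line(line: str):
    """One trace line -> event dict, or None for lines that are not API events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, api, raw_args, ret = m.groups()
    # Quoted arguments may contain commas (registry vendor names do), so split by regex, not on ','.
    args = [quoted or bare for quoted, bare in ARG_RE.findall(raw_args)]
    return {"pid": int(pid), "api": api, "args": args, "ret": ret}


def analyze(lines) -> dict:
    """Build an indicator report plus the list of evasion checks seen in the run."""
    report = {"files": [], "registry": [], "persistence": [], "domains": [],
              "ips": [], "processes": [], "evasion": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        api, args = ev["api"], ev["args"]
        first = args[0] if args else ""
        if api in DEBUGGER_APIS:
            report["evasion"].append(f"debugger check: {api}")
        elif api == "Sleep" and first.isdigit() and int(first) >= LONG_SLEEP_MS:
            report["evasion"].append(f"long sleep: {int(first) // 1000}s")
        elif api in ("RegOpenKeyExW", "RegQueryValueExW") and any(mark in first.lower() for mark in VM_MARKERS):
            report["evasion"].append(f"VM artifact probe: {first}")
        elif api == "CreateFileW":
            report["files"].append(first)
        elif api == "RegSetValueExW":
            report["registry"].append(first)
            if PERSISTENCE_MARKER in first.lower():
                report["persistence"].append(first)
        elif api in ("getaddrinfo", "DnsQuery_W"):
            report["domains"].append(first)
        elif api == "connect" and IP_RE.match(first):
            report["ips"].append(f"{first}:{args[1]}" if len(args) > 1 else first)
        elif api == "CreateProcessW":
            report["processes"].append(first)
    # A file the sample wrote and then launched is the classic dropper pattern.
    report["executed_drops"] = [p for p in report["processes"] if p in report["files"]]
    return report


if __name__ == "__main__":
    for key, values in analyze(TRACE).items():
        print(f"{key}: {values}")
```

The evasion list is the part worth reading first: three checks before any malicious action means the behaviour you recorded may be the decoy path, and the run should be repeated with the sleep shortened and the VM and debugger probes answered the way a real victim machine would answer them.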
Interested in learning more about malware analysis? Explore our product suite to see how you can monitor and prepare for potential threats.