Malware 101: Understanding Threats, Analysis Techniques, and Essential Tools

6 min read · Feb 28, 2025

You’re working in the office and an email notification pops up on your screen. You open the mail, and the message says:

“Congratulations! You’ve been selected as one of our lucky winners! You have a chance to win your favourite electronic gadget. Click the link below to claim your prize!”

This is the trap. Thinking you’re lucky, you click the link. You haven’t won anything at all. Instead, a notification appears on your screen: “Your files are encrypted. Pay $5000 to get them back.”

Scary, right? Malware isn’t just something from hacker movies; it’s real, and it’s everywhere. Among all the cyber threats we face, malware is one of the biggest dangers. From stealing personal data to shutting down entire networks, malware can cause serious damage to individuals and organizations alike.

Whether you’re a cybersecurity professional, an IT enthusiast, or just someone looking to protect your devices, understanding malware is crucial. Today we will cover what malware is, its different types, how experts analyse it, and the tools used to detect and study these threats.

What is Malware?

The word malware is derived from MALicious softWARE. It is the name given to software that endangers the security and integrity of systems for a malicious purpose. Malware is any software intentionally designed to leak private information, gain unauthorized access to information or systems, deprive users of access to information, or otherwise interfere with the user’s computer security and privacy without their knowledge.

Malware Types:

  1. Backdoor: Malware that leaves a backdoor on the device it is installed on, allowing the attacker to access the system through it. For example, it may open a network port connected to a shell so that the attacker can connect to the system through this port.
    Example: Cryptojacking is a form of backdoor malware in which a victim’s computing resources are hijacked to mine cryptocurrency. In 2017, the DoublePulsar backdoor was found to allow threat actors to install powerful cryptojackers, leading to the creation of a large chain of crypto-mining botnets.
  2. Adware: It often comes bundled with downloaded software and causes unwanted advertisements to be displayed on the device. While not all adware is harmful, some of it changes the default search engine.
    Example: Fireball, a notorious adware and browser hijacker, made headlines in 2017 when a study revealed that it had infected approximately 250 million computers worldwide. Fireball floods you with ads, changes your default search engine to a fake one, and prevents you from modifying your browser settings.
  3. Ransomware: A type of malware that has been in the headlines for the last few years. It demands a ransom from victims by encrypting and exfiltrating the files on the device.
    Example: Ghost ransomware varies its executable payloads, switches file extensions for encrypted files, and uses numerous ransom email addresses. It is known for its double extortion tactics: it not only demands a ransom but also threatens to leak stolen data if the payment isn’t made.
  4. Virus: One of the first types of malware seen in the wild, which is why in daily life malware in general is often called a virus. Viruses are self-replicating: they gain persistence by infecting other files on the device.
    Example: The ILOVEYOU virus, also known as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers. The ILOVEYOU virus remains one of the farthest-reaching computer viruses in history, highlighting vulnerabilities in computer security and technology that we are still addressing today.
  5. Worm: Named for the way it spreads on its own from infected devices to other devices. WannaCry, a worm exploiting the MS17-010 vulnerability, caused panic around the world.
  6. Rootkit: A type of malware that hides itself while providing a high level of privilege on the device.
    Example: Vanquish is a user-mode rootkit that manipulates application programming interfaces to present false information and intercept system calls, making it difficult to detect but not as resilient as other rootkit types.
  7. RAT (Remote Access Trojan): A type of malware that gives the threat actor full control over the device.
    Example: Gh0stRAT is a remote access trojan (RAT) used for spying on victims’ activities by logging keystrokes, accessing microphones and webcams, and stealing files.
  8. Banking malware: A type of malware that targets banking applications and causes money to be stolen from the victim. Banking malware, also known as banking Trojans, is malicious software designed to steal financial information and credentials from users.
    Example: Zeus has been used to steal money from online bank accounts and can be customized to gather banking details in specific countries using various methods.
  9. Keylogger: A type of malware that records keystrokes and sends the data to the attacker.
    Example: Snake Keylogger is a stealthy malware that records keystrokes, steals credentials, and captures screenshots, spreading through phishing emails and malicious attachments.

Imagine you download a free software tool from the internet. It looks safe, but suddenly your computer starts behaving strangely. Your files are encrypted, and a ransom note appears. What just happened? This is where malware analysis comes in — helping experts understand how threats work and how to defend against them. Now, let’s dive into malware analysis and its types.

What is Malware Analysis?

Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.

Types of Malware Analysis:

  1. Static Analysis: Basic static analysis examines a file without executing it, looking for signs of malicious intent. It is useful for identifying malicious infrastructure, libraries or packed files.
    Technical indicators such as file names, hashes, strings (for example IP addresses and domains), and file header data are extracted and used to determine whether the file is malicious.
  2. Dynamic Analysis: Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.
    Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat.
  3. Hybrid Analysis: Basic static analysis alone isn’t always effective against advanced malware, and some malicious programs can evade detection in a sandbox. Hybrid analysis solves this by combining both static and dynamic techniques, giving security teams a more complete picture. It helps uncover hidden threats, detects malware that tries to avoid analysis, and extracts valuable indicators of compromise (IOCs) from previously unseen code. This approach makes it easier to identify even the most sophisticated cyber threats.
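
The static-analysis indicators listed above (hashes, printable strings, network indicators inside those strings, and PE header data) can be pulled from a file with a short script. The following is an added example, not code from the original post or from any of the tools it names; it works on a constructed byte blob that mimics the start of a PE file, and the `SUSPICIOUS_STRINGS` list is an assumed, illustrative set of heuristics rather than a real signature database.

```python
"""Basic static triage of a suspicious file (added example, not from the post).

It reproduces the indicators the text lists: file hashes, printable strings,
network indicators found in those strings, and PE header data. The sample
bytes are CONSTRUCTED: a minimal fake PE-like blob, not a real malware sample.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000

# Assumed, illustrative heuristics: strings that should make an analyst look closer.
SUSPICIOUS_STRINGS = {
    "CurrentVersion\\Run": "registry persistence",
    "CreateRemoteThread": "process injection API",
    "IsDebuggerPresent": "anti-debugging check",
}


def build_sample() -> bytes:
    """CONSTRUCTED sample: DOS 'MZ' stub, PE signature at 0x40, a COFF header,
    then a few embedded strings an analyst might find with the `strings` tool."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    # COFF header: Machine=x64, 3 sections, TimeDateStamp, no symbols,
    # SizeOfOptionalHeader=0 (omitted here), Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 0, 0x0022)
    payload = (
        b"\x00" * 8
        + b"http://update-check.example.invalid/beacon\x00"
        + b"192.0.2.44\x00"
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
        + b"\x01\x02ab\x00"  # too short to count as a string
        + b"CreateRemoteThread\x00"
    )
    return bytes(dos_header) + b"PE\x00\x00" + coff + payload


def file_hashes(data: bytes) -> dict:
    """Hashes are the first indicator to share or look up (e.g. on VirusTotal)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as the `strings` tool: runs of printable ASCII of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def network_indicators(strings: list) -> dict:
    """IPs and URLs embedded in the binary hint at command-and-control infrastructure."""
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    url_re = re.compile(r"https?://[^\s\"'<>]+")
    ips, urls = [], []
    for s in strings:
        ips.extend(ip_re.findall(s))
        urls.extend(url_re.findall(s))
    return {"ips": sorted(set(ips)), "urls": sorted(set(urls))}


def pe_header(data: bytes):
    """Parse DOS header -> e_lfanew -> COFF file header; None if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": stamp,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }


def triage(data: bytes) -> dict:
    """Combine all indicators into one report, flagging suspicious strings."""
    strings = extract_strings(data)
    flags = sorted({reason for s in strings
                    for needle, reason in SUSPICIOUS_STRINGS.items() if needle in s})
    return {"hashes": file_hashes(data), "pe": pe_header(data), "strings": strings,
            **network_indicators(strings), "flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On a real sample you would pass the file’s bytes to `triage()` instead of `build_sample()`; the compile timestamp, section count and embedded strings are exactly the header and string data a tool such as PE Studio or `strings` shows, while the hashes are what you would look up on VirusTotal before ever executing the file.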

Malware Analysis Tools:

A) Static Analysis Tools:

  1. IDA Pro — A powerful disassembler and debugger that helps reverse engineer compiled malware.
  2. Ghidra — An open-source reverse engineering tool developed by the NSA, useful for analyzing binary code.
  3. PE Studio — A lightweight tool that inspects Portable Executables (PE files) to detect suspicious characteristics.
  4. Strings — A command-line tool that extracts readable text from binaries to find potential clues about malware.
  5. VirusTotal — A cloud-based malware scanning service that checks files against multiple antivirus engines.

B) Dynamic Analysis Tools:

  1. ANY.RUN — An interactive online sandbox that lets analysts observe malware execution in real-time.
  2. Cuckoo Sandbox — An open-source automated malware analysis system that executes and monitors files.
  3. Wireshark — A network packet analyzer that helps capture and inspect network traffic for malicious activity.
  4. Procmon (Process Monitor) — A Windows tool that logs real-time system activities, such as file access and registry changes.
  5. Regshot — A utility that compares Windows registry changes before and after malware execution.
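
The before-and-after comparison that Regshot performs (and that Procmon’s logs support) is the core of dynamic analysis: take a snapshot of the registry and file system, detonate the sample in the sandbox, take another snapshot, and look at what changed. The following is an added example, not code from the original post or from the Regshot project; the two snapshots are constructed dictionaries standing in for real dumps, and the `REGISTRY_HINTS` and `USER_EXE_DIRS` rules are assumed, illustrative heuristics.

```python
"""Regshot-style before/after comparison for dynamic analysis (added example,
not from the post or the Regshot project).

The two snapshots are CONSTRUCTED dictionaries standing in for a registry and
file-system dump taken before and after running a sample in a sandbox.
"""
from dataclasses import dataclass


@dataclass
class Snapshot:
    registry: dict   # "HIVE\\Key\\ValueName" -> data
    files: dict      # path -> content hash (constructed values here)


# Assumed heuristics for the triage step (illustrative, not a complete list).
REGISTRY_HINTS = {
    "\\CurrentVersion\\Run\\": "autorun registry persistence",
    "\\CurrentVersion\\RunOnce\\": "autorun registry persistence",
    "\\Services\\": "service configuration change",
    "\\Winlogon\\": "logon hook change",
}
USER_EXE_DIRS = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Return added / removed / modified entries for both registry and files."""
    def diff(a: dict, b: dict) -> dict:
        return {
            "added": {k: b[k] for k in b.keys() - a.keys()},
            "removed": {k: a[k] for k in a.keys() - b.keys()},
            "modified": {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
        }
    return {"registry": diff(before.registry, after.registry),
            "files": diff(before.files, after.files)}


def assess(delta: dict) -> list:
    """Turn the raw diff into (artifact, reason) findings worth an analyst's time."""
    findings = []
    reg = delta["registry"]
    for key in list(reg["added"]) + list(reg["modified"]):
        for needle, reason in REGISTRY_HINTS.items():
            if needle in key:
                findings.append((key, reason))
    files = delta["files"]
    for path in files["added"]:
        if path.lower().endswith(".exe") and any(d in path for d in USER_EXE_DIRS):
            findings.append((path, "executable dropped in user profile"))
    # Ransomware-style rename: an original document disappears and a new file
    # with the original name plus an extra extension appears in its place.
    for old in files["removed"]:
        for new in files["added"]:
            if new.startswith(old + "."):
                findings.append((new, "document replaced by renamed copy"))
    return sorted(findings)


# CONSTRUCTED snapshots: a clean baseline and the state after detonation.
BEFORE = Snapshot(
    registry={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start": "2",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "2",
    },
    files={
        r"C:\Windows\System32\kernel32.dll": "hash-k32-constructed",
        r"C:\Users\lab\Documents\report.docx": "hash-report-constructed",
        r"C:\Users\lab\Downloads\invoice.exe": "hash-invoice-constructed",
    },
)
AFTER = Snapshot(
    registry={
        **BEFORE.registry,
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start": "4",  # modified
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater":
            r"C:\Users\lab\AppData\Roaming\svchosts.exe",               # added
    },
    files={
        r"C:\Windows\System32\kernel32.dll": "hash-k32-constructed",
        r"C:\Users\lab\Downloads\invoice.exe": "hash-invoice-constructed",
        r"C:\Users\lab\AppData\Roaming\svchosts.exe": "hash-dropped-constructed",   # added
        r"C:\Users\lab\Documents\report.docx.locked": "hash-encrypted-constructed",  # report.docx gone
    },
)


if __name__ == "__main__":
    for artifact, reason in assess(diff_snapshots(BEFORE, AFTER)):
        print(f"{reason:40s} {artifact}")
```

The raw diff is what Regshot gives you; the `assess()` step is the analyst’s judgement encoded as rules, and it is deliberately conservative (a diff of two identical snapshots yields no findings). Real sandboxes produce far noisier diffs, which is why the baseline snapshot should be taken on an otherwise idle machine.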

C) Hybrid Analysis Tools:

  1. CrowdStrike Falcon Sandbox — A cloud-based sandbox that detects sophisticated threats using AI-driven analysis.
  2. Joe Sandbox — A powerful automated analysis platform that provides in-depth behavioral reports on malware.
  3. ANY.RUN — Also used as a hybrid tool because it supports both interactive and automated analysis.
  4. CAPE Sandbox — A modified version of Cuckoo Sandbox, specialized in extracting malware payloads and unpacking files.

Conclusion

Malware is one of the biggest threats in the digital world, but understanding it can help us fight back. By learning about different malware types, how they work, and the tools used to analyze them, we can stay one step ahead of cybercriminals.

Written By: Helly Shah


Written by The Hackers Meetup

Initiative of @viralparmarhack to provide a proper platform for cyber security researchers & like-minded people to establish a community.
