
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

The tools used for malware analysis can basically be broken into two categories: static and live. The static analysis tools attempt to analyze a binary without actually executing the binary. Live analysis tools will study the behavior of a binary once it has been executed.

Static Analysis

There are many tools out there to do basic static malware analysis. You may download them from the references. We will cover some of the most important ones and perform static analysis on our newly captured malware binary file.

PEiD

The first thing you need to do with a foreign binary is determine what type of file it is. The PEiD tool is very useful in telling you if the file is a Windows binary and if the file is compressed, encrypted, or otherwise modified. The tool can identify 600 binary signatures. Many plug-ins have been developed to enhance its capability. We will use PEiD to look at our binary.

We have confirmed that the file is packed with UPX.

UPX

To unpack the file for further analysis, we use the UPX tool itself.

Now that the file is unpacked, we may continue with the analysis.

Strings

To view the ASCII strings in a file, run the strings command. Linux comes with the strings command; the Windows version can be downloaded from the reference.
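The three static-triage steps above (confirm the file is a Windows PE, look for signs of a UPX packer, and dump the ASCII strings) can also be done by hand with a few dozen lines of Python. The script below is an added example written for this page; it is not from the book or from the PEiD, UPX or strings projects. It walks the DOS and COFF headers to read the section table, flags sections whose names start with "UPX" (the section names the UPX packer is known to write; this is a narrow heuristic, not the 600-signature database PEiD uses), and extracts printable-ASCII runs the way the strings command does. It does not unpack anything; unpacking remains the job of the UPX tool. The sample PE bytes are constructed inline so the script runs offline.

```python
import re
import struct


def is_pe(data):
    """Return True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_names(data):
    """Read NumberOfSections and SizeOfOptionalHeader from the COFF header,
    then return the 8-byte names from the section table."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                      # COFF file header follows the PE signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = first + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Heuristic: UPX renames sections to UPX0/UPX1/...; a hit warrants unpacking before
    deeper analysis. A miss proves nothing, since packers can rename sections freely."""
    return any(name.startswith("UPX") for name in section_names(data))


def ascii_strings(data, min_len=4):
    """Equivalent of `strings -n <min_len>` for printable 7-bit ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """One-shot static triage report combining the three checks."""
    if not is_pe(data):
        return {"pe": False, "sections": [], "upx": False, "strings": ascii_strings(data)}
    return {
        "pe": True,
        "sections": section_names(data),
        "upx": looks_upx_packed(data),
        "strings": ascii_strings(data),
    }


def build_sample_pe(names):
    """Construct a minimal, non-executable PE-shaped byte string for testing (sample data,
    not a real binary): MZ stub, PE signature, COFF header with no optional header, and
    one zeroed section header per name, followed by the familiar DOS-stub message."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    body = b"\0\0This program cannot be run in DOS mode.\0\0"
    return dos + b"PE\0\0" + coff + sections + body


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_sample_pe([".text", ".data"])
    for label, blob in (("packed sample", packed), ("plain sample", plain)):
        print(label, triage(blob))
```

Run it against a real file with `triage(open(path, "rb").read())`; a UPX hit is the cue to run the UPX tool and repeat the strings pass on the unpacked copy, where the useful strings usually first become visible.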

