Monday, June 20, 2011

Malware Analysis tools chest: ClamAV

ClamAV is not a malware analysis tool per se; it is more of an organizing tool, mainly useful in the pre-analysis (triage) stage.

Malware is analyzed and studied daily by researchers, companies, hackers and the curious kids of the present age, once they finish their homework, sigh! It is always challenging, fruitful and satisfying to analyze a new piece of malware that nobody else has touched or studied yet. That gives a rush! So before starting an analysis, why not make sure it has not been analyzed before? Enter ClamAV ...

Many malware analysts use ClamAV as a first classification step. It is always advisable to run the executable through ClamAV before analysis: a signature match means the sample (or a close relative of it) is already known, and the signature name is a handle for finding existing write-ups. We can refer to those analyses to learn about the malware, compare our own findings with them and thereby judge how effective our analysis methods are. Two caveats: update the signature database (freshclam) before scanning, and remember that a clean result only means the current signatures do not match the file, not that the sample is new.
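The triage step described above, as an added example (my code, not anything from the original post or from the ClamAV project): it runs clamscan over a directory of samples, parses its per-file output, and sorts the samples into "already known" and "unknown", tagging each with its SHA-256. The SAMPLE_OUTPUT text and its signature names are constructed placeholders in clamscan's output format so the parser can be exercised without ClamAV installed.

```python
"""Triage a directory of samples with ClamAV before spending time on manual analysis.

Added example (not code from the original post). It calls ClamAV's real
command-line scanner, clamscan, and sorts the samples into "already known"
(signature hit) and "unknown" (no hit), tagging each with its SHA-256 so the
hash can be looked up elsewhere. SAMPLE_OUTPUT is constructed text in clamscan's
per-file output format so the parser can be exercised without ClamAV installed.
"""
import hashlib
import re
import shutil
import subprocess
import sys
from pathlib import Path

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
# Other lines (e.g. "<path>: Empty file", warnings, the summary) are ignored.
_LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

# Constructed clamscan output with placeholder signature names (not real results).
SAMPLE_OUTPUT = """\
/samples/a.exe: Win.Trojan.Example-1 FOUND
/samples/b.exe: OK
/samples/c.dll: Win.Packed.Example-2 FOUND
/samples/notes.txt: Empty file
"""


def parse_clamscan_output(text):
    """Map each scanned path to its signature name, or None when no signature matched."""
    results = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if m:
            results[m.group("path")] = m.group("sig")
    return results


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_clamscan(sample_dir):
    """Scan sample_dir recursively and return clamscan's raw per-file output."""
    if shutil.which("clamscan") is None:
        raise RuntimeError("clamscan not found: install ClamAV and run freshclam first")
    proc = subprocess.run(
        ["clamscan", "--no-summary", "--recursive", str(sample_dir)],
        capture_output=True, text=True, check=False)
    # clamscan exit status: 0 = nothing found, 1 = at least one hit, 2 = error.
    if proc.returncode == 2:
        raise RuntimeError("clamscan failed: " + proc.stderr.strip())
    return proc.stdout


def triage(scan_output):
    """Split the scan results into (known, unknown) dicts keyed by path.

    Each entry records the signature name (None for unknown samples) and the
    file's SHA-256 (None when the path is not readable, as with SAMPLE_OUTPUT).
    """
    known, unknown = {}, {}
    for path, sig in parse_clamscan_output(scan_output).items():
        digest = sha256_of(path) if Path(path).is_file() else None
        bucket = known if sig else unknown
        bucket[path] = {"signature": sig, "sha256": digest}
    return known, unknown


def report(known, unknown):
    """Plain-text summary: known samples first (with their signature), then the unknowns."""
    lines = ["Already known (look up the signature name before starting from scratch):"]
    lines += ["  %s  %s  %s" % (v["sha256"], v["signature"], p) for p, v in sorted(known.items())]
    lines.append("No signature match (candidates for fresh analysis):")
    lines += ["  %s  %s" % (v["sha256"], p) for p, v in sorted(unknown.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python clamav_triage.py /path/to/samples   (no argument runs the demo)
    output = run_clamscan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(report(*triage(output)))
```

The parser anchors on the trailing FOUND/OK token rather than splitting on the first colon, because sample paths themselves may contain ": ". The SHA-256 is recorded because the hash, not the file name, is what you would search for in other people's write-ups.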

Tuesday, June 14, 2011

Virtual Machines for Malware Analysis

An ideal setup for malware analysis would be a machine on which we can readily install and execute malicious programs. But given the nature of malicious programs, they may cause permanent and irreversible damage to that machine. To protect a machine from such damage, virtual machines are used.
A virtual machine is an operating system running inside another operating system. Software such as VMware and VirtualBox lets us run multiple guest operating systems on a single physical system.

Advantages of using a virtual machine:

  • Safe environment to infect: We can infect a virtual machine with little risk to the host system (the isolation is not absolute; more on this later). This lets us boldly analyze dangerous malware we would otherwise hesitate to run.
  • Snapshots: A snapshot saves the state of the virtual OS at that point in time. If the malware crashes or wrecks the system, we simply revert to the snapshot. Take one of the clean, fully configured system before every run and revert to it afterwards, so that no two samples run on top of each other's leftovers.
  • Host-only networking: This is convenient for interconnecting virtual systems over a simulated network with no additional hardware. On a host-only network any virtual system can see all traffic on the simulated network when listening in promiscuous mode (the hypervisor must be configured to allow promiscuous mode on that adapter). This makes monitoring the specimen's network interactions easy, and since a host-only network has no route to the outside world by default, the specimen cannot reach its real servers or infect other hosts.
  • Multiple environments: Running virtual machines with different operating systems lets us analyze a sample on each of them. It is far cheaper to keep several virtual machines than to buy several physical systems. Malware usually behaves differently on different operating systems and on different versions of the same OS, so having several available gives a better understanding of the malware. Bear in mind that some malware checks whether it is running inside a virtual machine and changes or suppresses its behavior when it is.

So just how do I analyze malware?

There are two main ways in which malware is analyzed:
1. Behavioral Analysis
2. Static Analysis

In behavioral analysis we observe the behavior of the malware. We observe and record what changes the malware makes to the system it infects and how it tries to stay hidden from the user of the machine.
This includes the use of tools like RegShot, which takes a snapshot of the registry and file system before and after the sample runs and shows exactly which keys and files the malware modified; basic observation of system behavior (new processes, network connections, CPU and disk activity) is also needed.
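The before/after comparison that RegShot performs, as an added example (my code, not RegShot and not anything from the original post): snapshot the file system under chosen roots (and, on Windows, the registry Run keys, the classic persistence location) before running the sample, run it, snapshot again, and diff. The demo() function stands in for a sample by creating, editing and deleting files in a temporary directory; the file names in it are constructed.

```python
"""Minimal RegShot-style before/after diff of system state.

Added example; it is neither the original post's code nor RegShot itself.
Workflow: snapshot the file system under chosen roots (and, on Windows, the
registry Run keys) before executing the sample, run the sample, snapshot again,
and diff. Everything the sample created, deleted or modified shows up in the
diff. Run this inside the analysis virtual machine, never on the host.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Registry keys to watch on Windows; the Run keys are the classic persistence spot.
DEFAULT_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")


def _file_digest(path):
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    except OSError:  # locked, or deleted between listing and reading
        return None
    return h.hexdigest()


def snapshot_files(roots):
    """Map every file under the given roots to (size, sha256)."""
    snap = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    size = os.path.getsize(p)
                except OSError:
                    continue
                snap["file:" + p] = (size, _file_digest(p))
    return snap


def snapshot_registry(keys=DEFAULT_KEYS):
    """Windows only: map every value directly under the given keys to its data."""
    if sys.platform != "win32":
        return {}
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for full in keys:
        root_name, _, subkey = full.partition("\\")
        try:
            with winreg.OpenKey(roots[root_name], subkey) as k:
                i = 0
                while True:
                    name, data, _type = winreg.EnumValue(k, i)  # OSError at the end
                    snap["reg:" + full + "\\" + name] = repr(data)
                    i += 1
        except OSError:  # end of enumeration, key missing, or access denied
            continue
    return snap


def diff_snapshots(before, after):
    """Return the keys added, removed and modified between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo():
    """Constructed run in a temp dir: a pretend sample drops, edits and deletes files."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "config.ini").write_text("x=1")
        (Path(d) / "old.log").write_text("old")
        before = snapshot_files([d])
        (Path(d) / "config.ini").write_text("x=2")        # modified (same size, new hash)
        (Path(d) / "old.log").unlink()                     # removed
        (Path(d) / "dropper.dll").write_bytes(b"MZ\x90")   # added
        after = snapshot_files([d])
        delta = diff_snapshots(before, after)
    return {k: [Path(p[len("file:"):]).name for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    # Usage: python regshot_lite.py C:\   (no argument runs the demo)
    roots = sys.argv[1:]
    if not roots:
        print(demo())
    else:
        before = {**snapshot_files(roots), **snapshot_registry()}
        input("Snapshot taken. Run the sample, then press Enter...")
        after = {**snapshot_files(roots), **snapshot_registry()}
        for kind, keys in diff_snapshots(before, after).items():
            for k in keys:
                print(kind, k)
```

Hashing rather than just comparing sizes is what catches an in-place patch of an existing binary, as the config.ini case in demo() shows. Expect noise from the OS itself (logs, prefetch, temp files); the usual practice is to take the baseline on a quiet system and learn which paths to ignore.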

In static analysis we try to understand the malware by examining the code of the program in question without running it. Generally we go through the assembly-level code of the program and look for peculiar actions it performs. Certain actions are characteristic of malware; if they are found in the program, it is quite likely that the program is malicious, though the same APIs appear in legitimate software too, so such findings are leads to confirm rather than verdicts. We use disassemblers like IDA Pro and debuggers like OllyDbg for this purpose.
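A first static pass before opening the disassembler, as an added example (my code, not anything from the original post, IDA Pro or OllyDbg): extract printable ASCII and UTF-16LE strings from a binary and flag those that match a small table of behaviors characteristic of malware (process injection, anti-debugging, persistence, networking). The INDICATORS table is an illustrative subset I chose, not an authoritative list, and SAMPLE is a constructed byte blob standing in for a real executable.

```python
"""String-level static triage: pull printable strings out of a binary and flag
the ones that hint at malicious behaviour.

Added example, not code from the post. INDICATORS is an illustrative subset of
well-known Windows API names and artifacts, not an exhaustive or authoritative
list, and a hit is a lead to follow in the disassembler, not a verdict: plenty
of legitimate software imports the same functions. SAMPLE is a constructed
byte blob standing in for a real executable.
"""
import re
import sys

MIN_LEN = 6
_URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+", re.I)

INDICATORS = {
    "process injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtUnmapViewOfSection", "QueueUserAPC"),
    "anti-debugging": ("IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                       "NtQueryInformationProcess"),
    "dynamic API resolution": ("LoadLibrary", "GetProcAddress"),  # weak on its own
    "persistence": ("CurrentVersion\\Run", "RunOnce", "CurrentVersion\\Winlogon"),
    "networking": ("InternetOpenUrl", "URLDownloadToFile", "WSAStartup", "HttpSendRequest"),
    "keylogging": ("SetWindowsHookEx", "GetAsyncKeyState"),
}

# Constructed sample: a fake import table, a UTF-16LE registry path and a URL.
# The double NUL after GetProcAddress keeps the ASCII run from bleeding into the
# UTF-16LE run ("s\x00" would otherwise look like the first UTF-16 character).
SAMPLE = (
    b"\x00" * 16
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"IsDebuggerPresent\x00GetProcAddress\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"http://example.invalid/gate.php\x00" + b"\xff" * 8
)


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run of min_len+ chars.

    Windows binaries carry many strings as UTF-16LE (each printable byte followed
    by a NUL), which a plain ASCII 'strings' pass misses entirely.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def scan(data):
    """Group suspicious strings by indicator category: {category: sorted strings}."""
    hits = {}
    for _off, _enc, s in extract_strings(data):
        for category, needles in INDICATORS.items():
            if any(n in s for n in needles):
                hits.setdefault(category, set()).add(s)
        if _URL_RE.search(s):
            hits.setdefault("url", set()).add(s)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    # Usage: python string_triage.py sample.exe   (no argument scans the constructed SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for category, strings in scan(data).items():
        print("[%s]" % category)
        for s in strings:
            print("   ", s)
```

Packed samples defeat this pass almost completely, since their strings only exist after unpacking in memory; an empty or near-empty report on a sizeable executable is itself a hint that a packer is involved. The offsets returned by extract_strings() are there so a hit can be jumped to directly in the disassembler.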

Both methods have their pros and cons, but both are instrumental for a deeper, more thorough analysis.
Think of them as two sides of the same coin.

I will shortly cover both of the techniques mentioned in this post in depth.

First Post

Let me set the context in this 'First Post'.
My aim in this blog is to analyze different types of malware. I will be analyzing both past and recent malware.
I will try to explain a bit about the different packers used in malware.
I will also shed some light on the different techniques used in malware to make a malware analyst's life difficult.