Unpacking Malware For Analysis Of The Advanced Threat


A recent McAfee blog, Malware Packers Use Various Tricks to Avoid Detection, Analysis, highlighted the use of different packers as an effective way for malware to reduce detection by anti-malware products and to slow down analysis.
As engineers with a keen interest in malware, we are quite familiar with packers and with that blog's conclusion that defeating them usually comes down to manual analysis. Manual analysis, however, takes extra time, something that seems to be in short supply lately. We have found that a McAfee product, McAfee Advanced Threat Defense (ATD), takes care of the packing issue for us, saving a lot of time and a few major headaches too.
Let us explain. First, what is a packer?
A packer is a tool used to encrypt, compress, or otherwise modify the format of a file. By packing a file, malware authors obscure its contents and disrupt analysis by threat-detection tools. The technique is also referred to as executable compression. Compressing the file reduces its size or footprint and can be an effective way to reduce the chance of the malicious file being detected, resulting in successful delivery of the payload. Effective as this is, forcing the code to execute and then examining a memory dump is the preferred way to detect even the most advanced threats. So how is this accomplished? McAfee Advanced Threat Defense provides an answer for detecting the most advanced and complicated code in packed or unpacked files.
When a packed sample arrives at McAfee Advanced Threat Defense for analysis, the sample is loaded into memory and the packer bundled with the sample unpacks and de-obfuscates the code at execution time. At this point several advanced detection engines are engaged, including dynamic analysis (observation of the execution) and static code analysis (where the code itself, not just the behavior it exhibited in the sandbox, is scrutinized for malicious behavior). After the sample has finished executing, McAfee Advanced Threat Defense assesses the memory dump and maps the code. As sections of code are analyzed, family classification is performed on the buffered code based on known malicious behavior. Once the assessment of the code's behavioral characteristics is complete, a determination of whether the file is malicious or clean yields a reputation verdict. It is that simple.
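To make the two paragraphs above concrete, here is a small added example (our illustration, not code from the original post and not McAfee's or ATD's implementation). It models a packer as compression followed by a byte-wise XOR, with a constructed "code section" and constructed family signatures, and shows why a signature scan of the file as stored on disk comes back clean while the same scan over the unpacked in-memory image, taken after the sample's own unpacking stub has run, classifies the sample. Every name, marker string and key in it is an assumption made up for the demonstration.

```python
"""Added example: why memory-dump analysis beats static scanning of packed files.

Everything here is constructed for illustration: the "code section" is a byte
string with a marker in it, the signatures are made-up strings, and the packer
is zlib compression plus a one-byte XOR. No real packer format or malware is
modelled.
"""
import zlib

# Constructed stand-in for an unpacked executable's code section. The repeated
# padding gives the "packer" something to compress, as real code sections do.
ORIGINAL_CODE = b"\x90" * 200 + b"DEMO_FAMILY_MARKER_v1" + b"\x00" * 200

# Constructed family signatures a detection engine would match against
# unpacked code. The family names are placeholders.
SIGNATURES = {
    "DemoFamily": b"DEMO_FAMILY_MARKER_v1",
    "OtherFamily": b"OTHER_FAMILY_MARKER",
}

XOR_KEY = 0x5A  # constructed obfuscation key stored in the packed header


def pack(code: bytes) -> bytes:
    """Model of a packer: compress the code, then XOR-obfuscate the result.

    The output carries a 4-byte original length and the 1-byte key so that the
    sample's own unpacking stub (emulate_execution) can restore the code. The
    plaintext signature no longer appears anywhere in the stored bytes.
    """
    compressed = zlib.compress(code, 9)
    body = bytes(b ^ XOR_KEY for b in compressed)
    return len(code).to_bytes(4, "little") + bytes([XOR_KEY]) + body


def emulate_execution(packed: bytes) -> bytes:
    """Model of the sample running at load time.

    A real sandbox lets the sample's own stub run and then takes a memory dump;
    here the stub is emulated directly: read the header, undo the XOR, inflate
    the body back into a memory image, and check the restored length.
    """
    original_len = int.from_bytes(packed[:4], "little")
    key = packed[4]
    compressed = bytes(b ^ key for b in packed[5:])
    memory_image = zlib.decompress(compressed)
    if len(memory_image) != original_len:
        raise ValueError("unpacked image does not match the header length")
    return memory_image


def classify(code: bytes) -> str:
    """Family classification over a code buffer: first matching signature wins."""
    for family, signature in SIGNATURES.items():
        if signature in code:
            return family
    return "clean"


def verdict_static(file_bytes: bytes) -> str:
    """Scan the file exactly as stored on disk (what a packer is built to defeat)."""
    return classify(file_bytes)


def verdict_after_execution(file_bytes: bytes) -> str:
    """Run the sample (emulated), then scan the resulting memory dump."""
    return classify(emulate_execution(file_bytes))


if __name__ == "__main__":
    packed = pack(ORIGINAL_CODE)
    print(f"original size {len(ORIGINAL_CODE)} bytes, packed size {len(packed)} bytes")
    print("static verdict on packed file :", verdict_static(packed))
    print("verdict on memory dump        :", verdict_after_execution(packed))
```

The point of the two verdict functions is the order of operations: the signature engine is identical in both, and only the buffer it is handed differs. Static scanning sees the compressed, XOR-ed bytes and finds nothing; scanning after execution sees the image the sample itself reconstructed. A real packer can also use anti-analysis tricks on top of this, which is why the post pairs the automated memory-dump path with the interactive X-Mode option.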
As mentioned in the earlier McAfee blog, an effective method for defeating a packer is to analyze the file manually. McAfee Advanced Threat Defense can help with that as well: it offers manual-analysis capabilities through its interactive mode, X-Mode. Manually uploading a file to a McAfee Advanced Threat Defense appliance with X-Mode enabled lets users choose the virtual machine (VM), or a specified analysis environment, in which the file is executed. When a file is uploaded through this route, the user can open a window into the live virtual machine detonating the file, to interact with and observe the malware. This gives a malware analyst a deep investigative and forensic capability to fully understand the behavior of the executed code.
Robert Williams is a self-professed security expert who has been making people aware of security threats. His passion is writing about cybersecurity, malware, social engineering, games, the internet and new media. He writes about McAfee products at mcafee.com/activate or www.mcafee.com/activate.
