Chapter 9. Malware Analysis

The field of malware analysis is a prime candidate for scientific exploration. Experimentation is worthwhile because the malware problem affects all computer users and because advances in the field can be broadly useful. Malware also evolves over time, creating an enormous dataset with a long history that we can study. Security researchers have conducted scientific experiments that produced practical advances not only in tools and techniques for malware analysis but also in understanding how malware spreads and how to deter and mitigate the threat.

People who do malware analysis every day know the value of automating repetitive tasks, balanced with manual in-depth analysis. In one interview with [IN]SECURE, Michael Sikorski, researcher and author of Practical Malware Analysis, described his approach to analyzing a new piece of malware. “I start my analysis by running the malware through our internal sandbox and seeing what the sandbox outputs,” followed by basic static analysis and then dynamic analysis, which together drive full disassembly analysis. Wherever you see the prospect for automation, there is an opportunity to study the process scientifically and later evaluate the improvements.
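As an added illustration of the "basic static analysis" step that precedes sandbox and dynamic work, here is a small automated triage script. It is example code written for this chapter, not the author's tooling or anything from Practical Malware Analysis. It runs over a constructed byte string that merely mimics a DOS/PE header (it is not real malware), computes file hashes, extracts printable strings, checks for a PE signature, and flags URL-like and DLL-like strings so an analyst can decide quickly what deserves manual attention.

```python
import hashlib
import re
import struct

# Constructed sample input: a minimal fake DOS header, an e_lfanew pointer,
# a PE signature, and a few trailing strings. This is NOT real malware; it
# exists only so the script runs offline and deterministically.
SAMPLE = bytearray(b"MZ" + b"\x00" * 58)          # DOS header is 64 bytes; e_lfanew lives at 0x3C
SAMPLE += struct.pack("<I", 0x40)                 # e_lfanew -> PE header right after the DOS header
SAMPLE += b"PE\x00\x00"                           # PE signature
SAMPLE += b"\x00" * 20                            # padding standing in for the COFF header
SAMPLE += b"kernel32.dll\x00CreateRemoteThread\x00http://example.invalid/c2\x00ab\x00"
SAMPLE = bytes(SAMPLE)


def file_hashes(data: bytes) -> dict:
    """Return the hashes an analyst records first, for dedup and lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII at least min_len long (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def is_pe(data: bytes) -> bool:
    """True if data carries an 'MZ' DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):          # pointer outside the file: malformed or truncated
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """Automated first pass: hashes, format check, strings, and simple indicators."""
    strings = extract_strings(data)
    url_re = re.compile(r"https?://\S+", re.IGNORECASE)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "strings": strings,
        "indicators": {
            "urls": [s for s in strings if url_re.search(s)],
            "dll_refs": [s for s in strings if s.lower().endswith(".dll")],
        },
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    print("PE file:", report["is_pe"])
    print("strings:", report["strings"])
    print("indicators:", report["indicators"])
```

The output of such a script is what feeds the next decision: a sample that is not even a valid PE, or whose strings point at a known host, gets routed differently from one that needs full disassembly. Keeping each step in a small function also makes it easy to measure, as the chapter suggests, how much the automation actually saves compared with doing the same triage by hand.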

Recall from the discussion of test environments in Chapter 3 that cybersecurity science, particularly in malware analysis, can be dangerous. When experimenting with malware, you must take extra precautions and safeguards to protect yourself and others from harm. We will talk ...
