Reverse Engineering Malware
I’m used to work with network devices and security systems to improve network performance and protect the information. However, it seems I’m specialized to the networking and security fields but, in fact, there are lots of subfields inside network and security like forensics, reverse engineering, laws, pentesting, auditing, etc. Therefore, I’m not specialized yet to any field but I would like to write about reverse engineering this week, which is an amazing and very technical field that only few people know how to do it very well. Of course, I’m not one of them. I’m newbie in this field.
Reverse engineering is a field mainly for researches and antivirus companies who are interested in finding exploitation techniques, discover new encryption methods or finding encryption keys. They are also interested in finding new de-obfuscation techniques and investigating C&C communications. Therefore, they know how to do a completely reverse engineering with techniques such as static analysis, dynamic analysis, automated analysis, even manual analysis as well. Thus, knowing and picking the right tools is very important for reverse engineering.
There are many reverse engineering tools, some free and others commercials. For instance, the most popular static analysis tool for reverse engineering is IDA Pro, which is useful for Hex rays decompiling, but if we are newbies, we can use Radare2 for free and Linux commands like strings, file or otool. However, there are many more static analysis tools like PeiD, PEStudio, PE32, etc. On the other hand, there are many dynamic analysis tools like Immutiny debugger, OllyDbg, Sysmon, Regshot or the popular Wireshark/TCPdump.
Sandboxing is another kind of dynamic analysis tool very popular and useful today. There are free online sandboxes like Malwr, Hybrid-analysis, DeepViz or VirusTotal, and there are also commercial sandboxes like FortiSandbox in the cloud or as an appliance on-site. Of course, local sandboxes, or on-premise, are better than online sandboxes because it is faster to upload the file to the sandbox and, as a result, we’ll have the results faster too. In addition, local sandboxes are more customized than online sandboxes because we can choose the language of the operating system and other kind of variables for better analysis.
If we don’t have a deep knowledge about malware analysis and we don’t have enough resources either, we can use Cuckoo Sandbox for reverse engineering malware. It is an automated malware analysis system which is able to analyse any malicious file under Windows, OS X, Linux and Android. Cuckoo is a free sandbox and 100% open source that easily integrates with our existing frameworks and storages with the data we want, in the way we want, with the format we want. Therefore, it’s highly recommended to have a Sandbox in our infrastructure then Cuckoo Sandbox is better than nothing. It’s another barrier for better security.
There are many others tools which help us to know what is happening in our infrastructure like OTX, which is the Collective Intelligence Framework of Alienvault and where we can subscribe to Pulses to exchange indicators of compromise with our USM or OSSIM. On the other hand, we can also search for IP or domain reputation in online services like FortiGuard.
Regards my friends and remember, reverse engineering malware is a subfield inside the security field which should be taken into account to protect our information.