SANS: Behavioral Analysis of Rootkit Malware

...I am a fan of a two-phased approach to malware analysis:

1. The behavioral analysis phase examines how the malicious program interacts with its environment: the file system, the registry (if it's a Windows program), and the network.
2. The code analysis phase examines the code of the malicious program to understand what capabilities are built into it.

Each phase produces findings that reinforce findings from the other phase, resulting in a comprehensive understanding of the malicious program that would be harder to obtain via a single phase. The analyst typically starts with the phase that he or she is most comfortable with.

The behavioral analysis phase can be tricky when the malicious specimen exhibits rootkit tendencies--hiding its processes or files, for instance. One way to deal with this is to patch the specimen so that the concealing subroutine never executes. This is not always easy. To ease the challenge of monitoring rootkit-concealed processes, we can employ programs that can detect concealment mechanisms such as function hooking. I'd like to describe two such programs: Helios and IceSword.

Source: SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
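The two concealment-detection ideas the paragraph alludes to, as an added example that is not code from the diary, from Helios, or from IceSword: (1) inline function hooking is spotted by classifying the first instruction of a 32-bit x86 function and checking whether its jump target leaves the module that owns the function, and (2) a hidden process is spotted by cross-view comparison, i.e. a PID that appears in a low-level enumeration but not in the API-level listing the rootkit filters. The module base, function address, process lists and code bytes below are all constructed for illustration, not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kind of control transfer found at a function's first instruction. */
typedef enum {
    HOOK_NONE = 0,         /* ordinary prologue, e.g. mov edi,edi / push ebp / mov ebp,esp */
    HOOK_JMP_REL32 = 1,    /* E9 rel32 */
    HOOK_PUSH_RET = 2,     /* 68 imm32 ; C3 */
    HOOK_JMP_INDIRECT = 3  /* FF 25 [imm32] */
} hook_kind;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first bytes of a 32-bit x86 function that lives at func_va.
 * On a hit *target receives the destination; for FF 25 it is the address of
 * the pointer slot, because the pointer itself is not part of `code`. */
hook_kind detect_inline_hook(const uint8_t *code, size_t len, uint32_t func_va, uint32_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        *target = func_va + 5 + le32(code + 1);  /* rel32 is relative to the next instruction */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = le32(code + 1);
        return HOOK_PUSH_RET;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *target = le32(code + 2);
        return HOOK_JMP_INDIRECT;
    }
    return HOOK_NONE;
}

/* A transfer that leaves the owning module [mod_base, mod_base+mod_size) is
 * the classic inline-hook signature; intra-module jumps can be benign thunks. */
int target_outside_module(uint32_t target, uint32_t mod_base, uint32_t mod_size)
{
    return target < mod_base || target >= mod_base + mod_size;
}

/* Encode a 5-byte `jmp rel32` from from_va to to_va. Used here only to build samples. */
void encode_jmp_rel32(uint8_t out[5], uint32_t from_va, uint32_t to_va)
{
    uint32_t rel = to_va - (from_va + 5);  /* unsigned wrap gives the two's-complement displacement */
    out[0] = 0xE9;
    out[1] = rel & 0xFF; out[2] = (rel >> 8) & 0xFF;
    out[3] = (rel >> 16) & 0xFF; out[4] = (rel >> 24) & 0xFF;
}

/* Cross-view check: PIDs present in the low-level view but missing from the
 * API view are candidates for rootkit-hidden processes. Returns how many were written. */
size_t hidden_pids(const uint32_t *low, size_t nlow, const uint32_t *api, size_t napi,
                   uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nlow; i++) {
        int seen = 0;
        for (size_t j = 0; j < napi && !seen; j++) seen = (api[j] == low[i]);
        if (!seen && n < cap) out[n++] = low[i];
    }
    return n;
}

int main(void)
{
    /* Constructed sample: an untouched hot-patchable prologue and a hooked entry.
     * The module range and function address are invented, not from a real DLL. */
    const uint32_t mod_base = 0x7C800000, mod_size = 0x100000, func_va = 0x7C801D7B;
    const uint8_t clean[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    uint8_t hooked[5];
    encode_jmp_rel32(hooked, func_va, 0x00A01000);  /* trampoline into an injected region */
    uint32_t t;
    hook_kind k = detect_inline_hook(clean, sizeof clean, func_va, &t);
    printf("clean prologue: kind=%d\n", k);
    k = detect_inline_hook(hooked, sizeof hooked, func_va, &t);
    printf("hooked entry: kind=%d target=0x%08X outside_module=%d\n",
           k, t, target_outside_module(t, mod_base, mod_size));

    /* Constructed process views: PID 1337 is visible only to the low-level walk. */
    const uint32_t low[] = { 4, 600, 1337, 2048 }, api[] = { 4, 600, 2048 };
    uint32_t hidden[4];
    size_t n = hidden_pids(low, 4, api, 3, hidden, 4);
    for (size_t i = 0; i < n; i++) printf("hidden pid: %u\n", hidden[i]);
    return 0;
}
```

In practice the `code` bytes come from reading the exported function's entry in the live process and the "low" process view from a source the rootkit has not filtered (a kernel-structure walk or a different enumeration API); the logic above stays the same.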

Linked by shanmuga Monday, 17th July 2006 1:59AM