How dynamic malware analysis works

Security teams use dynamic malware analysis to uncover how malware works -- and thereby improve threat hunting and incident detection capabilities.

Malware is a constant challenge. And it keeps proliferating because bad actors know it pays consistent dividends. To understand how malware works and keep ahead of emerging threats, security teams should conduct malware analysis. One key technique is dynamic malware analysis.

Let's look at what dynamic malware analysis is and how it compares to static malware analysis, as well as its benefits and challenges.

What is malware analysis?

Malware analysis is the process of investigating a malware sample to understand its function and devise ways to defend against it. By analyzing malware to see how it attacks a system or app, security teams learn where they have potential vulnerabilities or weaknesses. Understanding how malware works enables security teams to find these weaknesses and recognize an ongoing attack faster. Malware analysis also helps with threat hunting and incident response.

Security researchers conduct malware analysis using a static approach, a dynamic approach or a hybrid of the two.

Types of malware analysis: Static vs. dynamic

Cybersecurity teams have two main techniques to examine malware:

  • Static malware analysis. This technique analyzes a malware file without executing it, instead gathering information about the sample by examining its code and libraries. Hashing and fuzzing are two static malware analysis techniques.
  • Dynamic malware analysis. This technique uses an isolated live environment to run the malware. Security teams can analyze the malware in action to observe what it does.

Static analysis can be faster and more efficient than dynamic analysis because teams don't need to run the code to determine if it is malicious. Teams can also compare the data collected on the sample in question with samples on sites that list known malware strains, such as VirusTotal -- also enabling faster identification.

Conducting static analysis can be difficult, however, especially on some malware samples. More sophisticated malware is designed to evade defenses, such as endpoint detection and response tools, and to make it as difficult as possible for researchers to analyze it.

Given this difficulty, teams often use a hybrid approach, combining static and dynamic analysis to achieve a more accurate understanding of how the malware works and what it is designed to do.

How does dynamic malware analysis work?

While static analysis provides security teams with part of the picture around a malware sample, they need dynamic malware analysis to really understand how it functions.

Teams conduct dynamic analysis by running the sample inside a safe environment, such as a sandbox. By "detonating" the malware inside the virtual environment, teams can observe the malware's actions, like which processes it attempts to execute and which network connections it tries to create. This analysis provides a deeper level of understanding into how the malware operates and the functions it performs. By analyzing network traffic surrounding the sample, dynamic malware analysis can sometimes help teams identify command and control servers.

Benefits of dynamic malware analysis

Dynamic analysis enables teams to observe behaviors that might not be discovered through static analysis. For example, if a malware sample uses code obfuscation or encryption, it might not be possible to accurately identify the malware by analyzing the code.

Once the malware is detonated through dynamic malware analysis, it's harder for it to hide its purpose and functions, enabling teams to observe what happens. The malware could also behave differently in certain environments, which can be tested using differently configured sandboxes.

The malware might also act in multiple stages -- for example, if the malware downloads a second malware sample onto an endpoint. Teams would not observe these extra stages using only static analysis.
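The two passages above (observing the processes a sample spawns and the connections it opens, and spotting a second stage that static analysis would never see) both come down to reading the sandbox's event log. The following is an added example, not code from the article or from any sandbox product: it parses a constructed, simplified JSON report (the schema, file paths, hostnames and the documentation-range IP 203.0.113.7 are all made up for illustration; real sandboxes emit their own formats) and pulls out the process tree, candidate command and control destinations, and any file the sample wrote and then executed.

```python
"""Extract behavioural indicators from a dynamic-analysis (sandbox) report.

Added example; the report schema below is a constructed, hypothetical
simplification and not the output of any particular sandbox.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample report: a dropper that spawns cmd.exe, resolves and
# contacts an external host, touches an internal SMB server, writes a
# second-stage DLL and loads it with rundll32. All values are made up.
SAMPLE_REPORT = json.dumps({
    "sample": {"sha256": "PLACEHOLDER_SHA256", "filename": "invoice.exe"},
    "events": [
        {"t": 0.10, "type": "process", "pid": 1001, "ppid": 400,
         "image": "C:\\Users\\lab\\invoice.exe"},
        {"t": 0.35, "type": "process", "pid": 1002, "ppid": 1001,
         "image": "C:\\Windows\\System32\\cmd.exe"},
        {"t": 0.80, "type": "dns", "pid": 1001,
         "query": "update.example-c2.test", "answer": "203.0.113.7"},
        {"t": 0.95, "type": "network", "pid": 1001, "dst": "203.0.113.7",
         "port": 443, "proto": "tcp"},
        {"t": 1.20, "type": "network", "pid": 1001, "dst": "10.0.0.5",
         "port": 445, "proto": "tcp"},
        {"t": 2.10, "type": "file_write", "pid": 1001,
         "path": "C:\\Users\\lab\\AppData\\Local\\Temp\\stage2.dll"},
        {"t": 2.40, "type": "process", "pid": 1003, "ppid": 1001,
         "image": "C:\\Windows\\System32\\rundll32.exe",
         "cmdline": "rundll32.exe C:\\Users\\lab\\AppData\\Local\\Temp\\stage2.dll,Start"},
    ],
})

# Ranges treated as "inside the lab"; anything else is a candidate C2
# destination. (ipaddress.is_private would also match the 203.0.113.0/24
# documentation range used in the sample, so the list is explicit here.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def load_report(raw):
    """Parse the report and return its events in time order."""
    return sorted(json.loads(raw)["events"], key=lambda e: e["t"])


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def process_tree(events):
    """Map each parent image to the images of the children it spawned."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    tree = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["ppid"] in images:
            tree[images[e["ppid"]]].append(e["image"])
    return dict(tree)


def candidate_c2(events):
    """External destinations, each paired with the DNS name that resolved to it (or None)."""
    names = {e["answer"]: e["query"] for e in events if e["type"] == "dns"}
    out = {}
    for e in events:
        if e["type"] == "network" and not is_internal(e["dst"]):
            out[f"{e['dst']}:{e['port']}"] = names.get(e["dst"])
    return out


def second_stage_payloads(events):
    """Files the sample wrote that a later process then executed or loaded."""
    written, hits = {}, []
    for e in events:
        if e["type"] == "file_write":
            written[e["path"].lower()] = e["t"]
        elif e["type"] == "process":
            text = (e["image"] + " " + e.get("cmdline", "")).lower()
            for path, t_write in written.items():
                if path in text and e["t"] > t_write:
                    hits.append({"path": path, "written_at": t_write,
                                 "executed_by": e["image"], "executed_at": e["t"]})
    return hits


if __name__ == "__main__":
    ev = load_report(SAMPLE_REPORT)
    print("process tree:", process_tree(ev))
    print("candidate C2:", candidate_c2(ev))
    print("second stage:", second_stage_payloads(ev))
```

The three extractors are deliberately separate: the process tree feeds detection rules (parent/child pairs such as an Office or invoice binary spawning rundll32), the C2 candidates become network indicators, and the write-then-execute check is what surfaces the multi-stage behaviour the article describes.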

Challenges of dynamic malware analysis

Dynamic malware analysis is more time-consuming and resource-intensive than static analysis. It can also pose a threat if the virtual environment is not completely isolated from other systems.

Additionally, while executing the malware helps teams understand more about a sample, it can also alert malware authors when their samples run.

Sophisticated malware can also sometimes detect when it is executed inside an isolated virtual environment instead of a natural environment. It does this by observing registry keys, processes or even whether the mouse and keyboard are actively in use. Some malware that can identify the difference might also employ techniques to prevent accurate analysis. It is challenging to create a realistic sandbox that can fool sophisticated malware, but it certainly isn't safe to execute a malware sample on a live system.
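One practical response to sandbox-aware samples is the one the article hints at earlier: detonate the same sample in differently configured sandboxes and compare what it did. The following is an added example, not code from the article: it takes constructed behaviour summaries from two hypothetical profiles (a plain VM and one with simulated user activity and masked hypervisor artifacts), measures how far the observed behaviour diverges, and flags a sample that goes quiet only in the plainer environment as likely sandbox-aware. Profile names, behaviour labels and the 0.5 threshold are all assumptions.

```python
"""Flag possible sandbox evasion by comparing detonations across profiles.

Added example; the profiles, behaviour labels and threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detonation:
    profile: str
    behaviours: frozenset   # labels summarising what the sample did in this run
    user_activity: bool     # sandbox simulated mouse/keyboard use
    artifacts_hidden: bool  # common VM/hypervisor artifacts were masked


def realism(run):
    """Crude ordering of profiles: more anti-evasion measures = more realistic."""
    return int(run.user_activity) + int(run.artifacts_hidden)


def divergence(a, b):
    """1 - Jaccard similarity of the two behaviour sets (0 = identical, 1 = disjoint)."""
    union = a.behaviours | b.behaviours
    if not union:
        return 0.0
    return 1 - len(a.behaviours & b.behaviours) / len(union)


def assess(runs, threshold=0.5):
    """Compare the least and most realistic runs of one sample.

    Returns (verdict, details). A sample that does markedly more in the
    realistic profile than in the plain one is "likely sandbox-aware".
    """
    ordered = sorted(runs, key=realism)
    plain, realistic = ordered[0], ordered[-1]
    d = divergence(plain, realistic)
    only_realistic = sorted(realistic.behaviours - plain.behaviours)
    if d >= threshold and len(realistic.behaviours) > len(plain.behaviours):
        verdict = "likely sandbox-aware"
    elif d >= threshold:
        verdict = "environment-dependent"
    else:
        verdict = "consistent"
    return verdict, {"plain": plain.profile, "realistic": realistic.profile,
                     "divergence": round(d, 2), "only_in_realistic": only_realistic}


# Constructed runs: the sample sleeps and exits in the plain VM but shows
# its full behaviour once the sandbox looks like a used workstation.
SAMPLE_RUNS = [
    Detonation("plain_vm",
               frozenset({"exec:sample", "sleep:long", "exit:early"}),
               user_activity=False, artifacts_hidden=False),
    Detonation("realistic_vm",
               frozenset({"exec:sample", "dns:update.example-c2.test",
                          "net:203.0.113.7:443", "file_write:stage2.dll",
                          "exec:rundll32"}),
               user_activity=True, artifacts_hidden=True),
]

if __name__ == "__main__":
    print(assess(SAMPLE_RUNS))
```

A high divergence by itself is not proof of evasion; the "environment-dependent" verdict covers samples that simply behave differently (for example, by locale or installed software) without going quiet, which is why the rule also requires the realistic run to show more behaviour than the plain one.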

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.
