DYNAMIC ANALYSIS OF THE PROPAGATION OF MALWARE IN COMPUTER

NETWORKS

Abstract — Studies suggest that the impact of malware is getting worse. Two types of malware
analysis are described here. One is Static Malware Analysis and other is Dynamic Malware
Analysis. Static Malware Analysis has some limitations. So, Dynamic Malware Analysis is
preferable for Malware Analysis. There are lots of tools available for Dynamic Malware
Analysis. This paper includes all the stuff Limitations of Static Malware Analysis and tools of
Dynamic Malware Analysis and Deobfuscating malware. Malicious software, also referred to as
malware developed by attackers, is polymorphic and metamorphic in nature which can modify
the code as it spreads. In addition, the diversity and volume of their variants severely undermine
the effectiveness of traditional defenses that typically use signature-based techniques and are
unable to detect malicious executables previously unknown. Malware family variants share
typical patterns of behavior that indicate their origin and purpose. The behavioral trends
observed either statically or dynamically can be manipulated by using machine learning
techniques to identify and classify unknown malware into their established families. This survey
paper gives an overview of the malware detection and analysis techniques and tools.

Keywords — Malware, Virus, Worm, Trojan Keylogger, Malware Analysis, Static Malware
Analysis, Dynamic Malware Analysis, Trends in Malware etc

I. INTRODUCTION

Now a day, Internet becomes an essential part of the daily life of many people. On Internet many
services are available and are also increasing day by day. More and more people are making use
of these services. Online banking or advertising are the examples of the commercial services of
the Internet. Just as in the physical world, there are people on the Internet with malevolent intents
by taking advantage of legitimate users whenever money is involved. Malware like software of
malicious intent helps these people accomplishing their goals.

Malware is any malicious software used to interrupt machine activity, capture sensitive
information, or obtain access to private computer systems. Malware is characterized by its
malicious intent, which works against the computer user’s specifications, and does not include
software which causes unintended harm due to a deficiency. The term badware is sometimes
used and applied to both true (malicious) malware and unintentionally harmful software. These
are intended to gain access to computer systems and network resources, disturb computer
operations, and gather personal information without taking the consent of the system’s owner,
thus creating a menace to the availability of the internet, the integrity of its hosts, and the privacy
of its users. Spreading of malware has affected everyday life, from e-governance [1] to social
networks [2], from digital automation [3] spreading up to mobile networks [4]. Malware comes
in a wide range of variations like Virus, Worm, Trojan-horse, Rootkit, Backdoor, Botnet,
Spyware, Adware etc. These classes of malware are not mutually exclusive meaning thereby that
a particular malware may reveal the characteristics of multiple classes at the same time. In order
to evade detection, malware authors introduce polymorphism to the malicious components. This
means that malicious files belonging to the same malware “family”, with the same forms of
malicious behavior, are constantly modified and/or obfuscated using various tactics, such that
they look like many different files. Malware is one of the most terrible and major security threats
facing the Internet today. According to a survey [5], conducted by Symantec in February 2019,
47% of the organizations experienced malware security incidents/network breaches in the past
one year, as depicted in figures 1 and 2. The malware is continuously growing in volume
(growing threat landscape), variety (innovative malicious methods) and velocity (fluidity of
threats). These are evolving, becoming more sophisticated and using new ways to target
computers and mobile devices. McAfee [6] catalogs over 100,000 new malware samples every
day means about 69 new threats every minute or about one threat per second. With the increase
in readily available and sophisticated tools, the new generation cyber threats/attacks are
becoming more targeted, persistent and unknown. The advanced malware is targeted, unknown,
stealthy, personalized and zero-day as compared to the traditional malware which was broad,
known, open and one time. Once inside, they hide, replicate and disable host protections. After
getting installed, they call their command and control servers for further instructions, which
could be to steal data, infect other machines, and allow reconnaissance. Attackers exploit
vulnerabilities in web services, browsers, and operating systems, or use social engineering
techniques to make users run the malicious code in order to spread malware. Malware authors
use obfuscation techniques [7] like dead code insertion, register reassignment, subroutine
reordering, instruction substitution, code transposition, and code integration to evade detection
by traditional defenses like firewalls, antivirus and gateways which typically use signature based
techniques and are unable to detect the previously unseen malicious executables. Commercial
antivirus vendors are not able to offer immediate protection for zero-day malware as they need to
analyze these to create their signatures. To overcome the limitation of signature-based methods,
malware analysis techniques are being followed, which can be either static or dynamic. The
malware analysis techniques help the analysts to understand the risks and intentions associated
with a malicious code sample. The insight so obtained can be used to react to new trends in
malware development or take preventive measures to cope with the threats coming in the future.
Features derived from analysis of malware can be used to group unknown malware and classify
them into their existing families.

2. BACKGROUND

Malware stands for malicious software, designed to damage a computer system without the
user’s informed consent. Generally malware is categorized into following categories.

Virus: It is a program that attaches itself to other programs in order to infect that program and
perform some unwanted function

Trojan: Trojan makes copies of themselves and steals information. It is standalone malicious
program that does attempt to infect other computers in a completely automatic manner without
help from outside forces like other programs.

Worms: A worm is self replicated malware computer program which uses computer and
network resources without authenticated user permission. In the network it is consuming the
network bandwidth. This is security shortcoming on the target computer.

Spyware: It is installed without a user’s knowledge in order to report the behaviour of the user to
the attacker.

Rootkit: Rootkit is malware program which creates a backdoor into the system for the hacker’s
use, alters log files and destroyed the data files

CURRENT STATUS (NATIONAL/INTERNATIONAL)

Malware analysis is the process of determining the purpose and characteristics of a given
malware sample such as a virus, worm, or Trojan horse. This process is a necessary step to be
able to develop effective detection techniques for malicious code. The tools used for malware
analysis can basically be broken into two categories: static and dynamic (live). The static
analysis tools attempt to analyze a binary without actually executing the binary. Live analysis
tools will study the behaviour of a binary once it has been executed. Static and Dynamic analysis
are described in detail in next sections. Automated malware analysis is a virtually intractable
problem. It is simply not possible for one program to determine the exact behaviour of another
program.

STATIC MALWARE ANALYSIS

Analyzing software without executing it is called static analysis. Static analysis techniques can
be applied on different representations of a program. Static analysis tools can also be used on the
binary representation of a program. When compiling the source code of a program into a binary
executable, some information gets lost. This loss of information further complicates the task of
analyzing the code. The process of inspecting a given binary without executing it is mostly
conducted manually. For example, if the source code is available several interesting information,
such as data structures and used functions can be extracted. This information gets lost once the
source code has been compiled into a binary executable and thus impedes further analysis. There
are different techniques used for static malware analysis. Some of are described below.

File fingerprinting: Beside examining obvious external features of the binary this includes
operations on the file level such as computation of a cryptographic hash (e.g., md5) of the binary
in order to distinguish it from others and to verify that it has not been modified.

File format: By leveraging metadata of a given file format additional, useful information can be
gathered. This includes the magic number on UNIX systems to determine the file type. For
example from a Windows binary, which is typically in PE format (portable executable) a lot of
information can be extracted, such as compilation time, imported and exported functions as well
as strings, menus and icons

AV scanning: If the examined binary is well-known malware it is highly likely to be detected by

one or more AV scanners. To use one or more AV scanner is time consuming but it becomes
necessity sometimes
Packer detection: Nowadays malware is mostly distributed in an obfuscated form e.g., encrypted
or compressed. This is achieved using a packer, whereas arbitrary algorithms can be used for
modification. After packing the program looks much different from a static analysis perspective
and its logic as well as other metadata is thus hard to recover. While there are certain unpackers,
such as PEiD2, there is accordingly no generic unpacker, making this a major challenge of static
malware analysi

Disassembly: The major part of static analysis is typically the disassembly of a given binary.
This is conducted utilizing tools, which are capable of reversing the machine code to assembly
language, such as IDA Pro. Based on the reconstructed assembly code an analyst can then
inspect the program logic and thus examine its intention.

The main advantage of static malware analysis is that it allows a comprehensive analysis of a
given binary. That is, it can cover all possible execution paths of a malware sample.
Additionally, static analysis is generally safer than dynamic analysis as the source code is not
actually executed. However, it can be extremely time-consuming and thus requires expertise.

LIMITATIONS OF STATIC MALWARE ANALYSIS

Generally, the source code of malware samples is not readily available. That reduces the
applicable static analysis techniques for malware analysis to those that retrieve the information
from the binary representation of the malware. Consider, for example, that most malware attacks
hosts executing instructions in the IA32 instruction set. The disassembly of such programs might
result in ambiguous results if the binary employs self modifying code techniques.

OBJECTIVE OF THE STUDY

A given malware sample can be executed within a controlled environment and monitoring its
actions in order to analyze the malicious behavior which is called dynamic malware analysis.
Since Dynamic Malware Analysis is performed during runtime and malware unpacks itself,
dynamic malware analysis evades the restrictions of static analysis (i.e., unpacking issue).
Thereby it is easy to see the actual behavior of a program. However, the main drawback is so-
called dormant code: That is, unlike static analysis, dynamic analysis usually monitors only one
execution path and thus suffers from incomplete code coverage. In addition there is the danger of
harming third party systems, if the analysis environment is not properly isolated or restricted
respectively. Furthermore, malware samples may alter their behavior or stop executing at all
once they detect to be executed within a controlled analysis environment

SIGNIFICANCE OF THE STUDY

There are two basic approaches for dynamic malware analysis which are as below:

Analyzing the difference between defined points: A given malware sample is executed for a
certain period of time and afterwards the modifications made to the system are analyzed by
comparison to the initial system state. In this approach, Comparison report states behavior of
malware.

Observing runtime-behavior: In this approach,malicious activities launched by the malicious

application are monitored during runtime using a specialized tool

An example of first approach is Regshot tool. Before executing the binary, we will take a
snapshot of the registry with Regshot. After executing the binary, we will take the second
snapshot by clicking the 2nd shot button and then compare the two snapshots by clicking the
compare button. When analysis is complete, we got result in text file such as which file are
added and modified

While observing the runtime-behavior of an application is currently the most promising

approach. It is mostly conducted utilizing sandboxing. A sandbox hereby refers to a controlled
runtime environment which is partitioned from the rest of the system in order to isolate the
malicious process. This partitioning is typically achieved using virtualization mechanisms on a
certain level.

METHODOLOGY

Here is an overview of the existing approaches and tools that make use of the presented
techniques to analyze unknown and potentially malicious software. The analysis reports
generated by the tools in this section give an analyst valuable insights into actions performed by
a sample. These reports lay the foundation for a fast and detailed understanding of the sample.
FileMon: The FileMon program is very useful in finding changes to the file system.
Additionally, any searches performed by the binary will be detected and recorded. This tool is
rather noisy and picks up hundreds of file changes by a seemingly idle Windows system.
Therefore be sure to clear the tool prior to executing the binary, and “stop capture” about 10
seconds after launching the tool.

Norman Sandbox: The Norman Sandbox is a dynamic malware analysis solution which executes
the sample in a tightly-controlled virtual environment that simulates a Windows operating
system. This environment is used to simulate a host computer as well as an attached local area
network and, to some extent, Internet connectivity. The core idea behind the Norman Sandbox is
to replace all functionality that is required by an analyzed sample with a simulated version
thereof. The simulated system thus has to provide support for operating system relevant
mechanisms such as memory protection and multithreading support. Moreover, all required APIs
have to be present to give the sample the fake impression that it is running on a real system.
Because the malware is executed in a simulated system, packed or obfuscated executables do not
hinder the analysis itself. Norman Sandbox focuses on the detection of worms that spread via
email or P2P networks, as well as viruses that try to replicate over network shares

JoeBox: During the dynamic analysis of a potentially malicious sample, JoeBox creates a log
that contains high level information of the performed actions regarding file system, registry, and
system activities. JoeBox is specifically designed to run on real hardware, and not to rely on any
virtualization or emulation technique. The system is designed as a client server model where a
single controller instance can coordinate multiple clients that are responsible for performing the
analysis. Thus, it is straight forward to increase the throughput of the complete system by adding
more analyzing clients to the system. All analysis data is collected by the controlling machine.

WORK PLAN

Malware is growing increasingly sophisticated. Malware authors seek to make their tools
undetectable. Virtually every known offensive technique has been incorporated into malware to
make it more difficult to defend against. Malware authors often seek to deliver several
components in a single malware payload. Such additional components can include kernel level
drivers designed to hide the presence of the malware, and malware client and server components
to provide proxy services through an infected computer. One technique for embedding these
additional components within Windows malware is to make use of the resource sections within
Windows binaries. Malware may choose to create its own installation directory deep within the
install program’s hierarchy in an attempt to hide from curious users. Various techniques also
exist to prevent installed antivirus programs from detecting a newly infected computer. A crude
yet effective method is to modify a system’s hosts file to add entries for hosts known to be
associated with antivirus updates. A hosts file is a simple text file that contains mappings of IP
address to hostnames. The modifications go so far as to insert a large number of carriage returns
at the end of the existing host entries before appending the malicious host entries in the hopes
that the casual observer will fail to scroll down and notice the appended entries. By causing
antivirus updates to fail, new generations of malware can go undetected for long periods.
Malware authors are increasingly turning to the use of rootkit techniques to hide the presence of
their malware. Most malware takes steps to ensure that it will continue to run even after a system
has been restarted. The most basic forms of persistence are achieved by adding commands to
system start up scripts that cause the malware to execute. On Windows systems this evolved to
making specific registry modifications to achieve the same effect. Other registry manipulations
include installing malware components as extensions to commonly used software such as
Windows Explorer or Microsoft Internet Explorer. More recently, malware has taken to
installing itself as an operating system service or device driver so that components of the
malware operate at the kernel level and are launched at system start up

MALWARE ANALYSIS TOOLS

Analysts use tools for analyzing malware to protect and predict future attacks, and share knowledge
among them. Open source tools are often the first choice to carry out such actions. It’s no secret that
distributing malware is a big business and the fast-growing malware epidemic will only grow in ability
and efficiency in the years to come. Using open source malware analysis tools, researchers will check,
identify and log different variants of malicious triggers when analyzing the life-cycle of attack. As
malware trading forums are proliferating on the dark web, the crypters, botnets and zero-days needed
to carry out powerful attacks have become easier than ever to get. With the growth of complexity of
malware variants, the jobs of understanding and benchmarking the specific type have become harder.
It’s the job of security researchers and analysts to find out the right tool to analyze each specific type of
attack. We now present some open source malware analysis tools that can help the researchers and
security engineers

Google Rapid Response (GRR). The GRR platform is an incident response system developed by security
researchers at Google, identifying common malware footprints workstations focused on remote live
forensics. This consists of an application that is installed on the target system to communicate with the
agent and a server infrastructure. GRR is a python client (agent) that is installed on target systems, and
python server infrastructure that can manage and talk to clients. Once both the server side and the
agent are deployed they can become GRR clients and start receiving messages from the servers. Then
the incident response staff on the host computer will perform various technical operations, such as
reviewing the memory, looking for different settings and handling software choices. GRR has been
designed to run on a scale so analysts can easily capture and process data from large numbers of
computers. GRR’s goal is to support forensics and investigations in a simple, flexible way that allows
investigators to rapidly triage incidents and conduct remote analysis

REMnux. REMnux is a free Linux toolkit designed to assist malware analysts with malware reverse
engineering. This seeks to make this easy for forensic investigators and accident witnesses to continue
using the variety of free-to-use software that can analyze ransomware, although it may be difficult to
locate or set up. This Linux toolkit has been developed as a one-stop shop for researchers searching for
examples of reverse engineering malware. REMnux is focused on Ubuntu and integrates several
resources into one for quickly analyzing malware based on Windows and Linux. The cornerstone of the
project is the Ubuntu based REMnux Linux system. This lightweight distro provides various resources to
detect Windows and Linux ransomware, review browser-based vulnerabilities such as obfuscated
JavaScript, investigate unusual text files, and uninstall other harmful objects. The distro can be used by
investigators to intercept suspicious network traffic in an isolated laboratory. It helps researchers
investigate browser-based malware, perform forensics on memory, analyze multiple samples of
malware, extract and decode suspicious items, etc

Cuckoo Sandbox. Created by a team of volunteers during the Google Summer of Code initiative back in
2010, it is an open source framework that automates malicious file analysis for Windows, OS X, Linux
and Android and offers comprehensive and practical input on how each presented file operates in
isolated environments. And since it is open source software, developers are constantly writing plugins
that provide enhanced features. Cuckoo is used by malware detection and security firms to help ease
the strain of manually wading through troves of potentially malicious data. The modular design allows
the recording and analysis phases simple to configure. In recent years, it has, understandably, become
one of the most commonly used open source tools. In 2012, Cuckoo published Malwr, a sandbox-as - a-
service that allows users to use their collected data through an easy-to-use GUI. The goal was to act as
an option for users who can’t handle Cuckoo properly but still want to exploit their intellect.

Zeek. The Zeek Network Security Monitor (formerly Bro) is a versatile network dependent analytics
system that transforms network traffic into events to cause scripts. It is comparable to an IDS (intrusion
detection system) in that it gives users a bird’s-eye view of their network activity, using both signature-
based (looks for rules or trends of documented malicious traffic) and anomalybased monitoring (looks
for unusual activity). Nevertheless, its features go far beyond those of conventional IDS that can be used
to conduct investigations in forensics, network monitoring and interface research. Although focussing on
tracking network security, Zeek also provides a comprehensive forum for more general analysis of
network traffic. Well grounded in more than 20 years of research, Zeek has since its inception succeeded
in bridging the traditional gap between academia and operations

Yara Rules. Another open source malware identification tool that can identify samples of malware based
on textual or binary trends once they are tested in Cuckoo. Investigators use Yara to compose pattern-
based definitions of the malware families. YARA stands for “Yet Another Recursive Acronym” as the
descriptions are called rules. This helps researchers to identify and categorize apparently similar
malware types and can be adapted for use inside Cuckoo. IBM calls Yara the “pattern matching Swiss
army knife” of the malware researcher and can be used on both Windows and Linux computers. Yara’s
creators released a new service still in alpha called YaraRules Analyzer, that lets users analyze files in the
cloud using full rulesets. This ensures that users are always analyzing samples against the most recent
ruleset version and frees them from needing to install Yara locally. Yara rules have been added to many
Endpoint Detection and Response framework to help them identify the malware samples they
encounter, classify them and share their findings with clients and the community later

APKTool. A tool for reverse engineering 3rd party, closed, binary Android apps. By making several
changes, it can decode resources to almost original form and restore them. It also makes it easier to deal
with a device owing to the project such as file creation and completion of some repetitive tasks such as
creating the apk etc. We can decode APK resources to almost original form with the help of Apktool; we
can modify the source code on the fly and rebuild the decoded resources back into APK. Its project-like
structure makes working with them easy. Apktool can decode APK resources (resources.arsc, classes.dex
and XMLs), rebuild decoded resources back to binary APK, organize and handle APKs that depend on
framework resources along with automating the repetitive tasks.

Smali. Smali / baksmali is a dex format assembler / disassembler used by Dalvik, a Java VM
implementation for Android. The syntax is loosely based on the syntax of Jasmin / dedexer, and follows
the complete dex format features (annotations, debug data, line details, etc.). Also, code created by the
baksmali is often considered to be written in the Smali language. Baksmali is a dex Bytecode software
disassembler. The terms “Smali” and “Baksmali” are just the corresponding Icelandic versions of
“assembler” and “disassembler.” It wasn’t an easy task to debug smali code before, but recently a
wonderful plugin was launched for Intellij IDEA / Android Studio - Smalidea.

Dex2Jar. Dex2Jar is a free tool for dealing with the files Android “.dex” and Java “.class.” Android
programs are assembled into“.dex” (Dalvik Executable) scripts, which in effect are zipped onto the
computer into a single.apk file. Android will automatically create the “.dex” folders, by converting the
compiled applications written in the Java. Dex2Jar reads the dex instruction to dexir format and can
convert to ASM format. It can also be used to perform some basic deobfuscation. Dex2Jar’s core feature
is converting an APK classes.dex file to classes.jar, or vice versa. So, using any Java decompiler, it is
possible to view the source code of an Android application, and it is fully legible. Here we get files
from.class and not the real Java source code that the program author wrote

Mobile-Sandbox. Mobile-Sandbox provides static and dynamic malware analysis for Android OS
smartphones. The system is designed to automatically evaluate Android software in two novel ways: (1)
by integrating static and dynamic analysis, i.e., static analysis findings are used to direct dynamic analysis
and expand coverage of executed code, and (2) by using different logging methods for native API calls. It
can evaluate the application with different modules within the static analysis component to get a
summary of the program. To achieve this, it uses the VirusTotal service to perform several anti-virus
scans, parse the manifest file and finally decompile the application to better identify suspect code.
Within the dynamic analysis, it can run the application in an emulator and log every application
operation, i.e. it logs both actions performed in the Java Virtual Machine Dalvik and actions performed
in native libraries that may be bundled with the application

Malzilla. Malzilla is a useful malware hunting tool for analyzing websites containing malicious code. Web
pages that contain exploits often use a sequence of redirects and obfuscated code to make it difficult for
someone to track them. This allows users to access websites and obtain all of their source code, such as
wget, without visiting the site and potentially damaging their device. This program has the option of
switching the user agents and picking the user’s referrer. This shows the full list of webpages for
browsers and all the headers for HTTP. It also has proxy features, complex decoders and, most notably,
JavaScript code deobfuscation, all in one program.

Wireshark. Wireshark, a network monitoring application once known as Ethereal, records packets and
shows them in the human-readable format in real-time. It intercepts traffic and transforms the binary
data into a readable format for users. Wireshark includes filters, color coding, and other features that
allow individuals to dig deep into network traffic and inspect individual packets. It is the leading network
traffic analyzer in the world, and an essential tool for any skilled security or device administrator. This
free software allows people to track network traffic in real-time, and is often the best tool on any
network for troubleshooting problems. Common issues that Wireshark can deal with troubleshooting
include lost messages, latency issues and malicious network operation. It enables network data to be
held under a microscope and offers resources for filtering and digging into that information, zooming
into the root cause of the issue. It is used by management to detect defective network equipment that
loses packets, latency problems caused by machines transmitting traffic around the world and data
exfiltration or even intrusion attempts against any entity.

SysAnalyzer. SysAnalyzer is an open-source tool developed to provide an interactive resource for

malware researchers to easily compile, analyze, and monitor the behavior that a binary performed when
operating on the network. It is an interactive framework for the malcode run time analysis that tracks
different aspects of device and method states. SysAnalyzer was designed to allow analysts to rapidly
create a detailed report. SysAnalyzer’s main components function off of comparing device snapshots
over a given user time interval. Similar to a live monitoring system, the reason a snapshot method was
used is to reduce the amount of data analysts need to wade through when performing their research. By
using a snapshot method, audiences can easily display only the persistent changes that have been
identified since the first run of the application

VirusTotal. Virustotal is a service that analyzes suspicious files and URLs and helps to detect viruses,
worms, Trojans and all kinds of malware detected by antivirus engines quickly. In addition to a variety of
methods for removing signals from the studied material, VirusTotal inspects products with over 70
antivirus scanners and URL / domain blacklisting services. Every person can use their browser to pick a
file from their device, and submit it to VirusTotal. VirusTotal offers various methods for uploading data,
including the default public web portal, desktop uploaders, browser extension, and a programmatic API.
The web interface has the greatest scanning priority among the forms of application which are available
to the public. The specifications can be made using the HTTP-based public API in any programming
language. It also offers a variety of other functions, including the VirusTotal Community: a network that
allows users to report on files and URLs and exchange comments with each other. This can be helpful in
detecting malicious content and also in finding false positives – regular and harmless objects identified
as dangerous by one or more scanners.

Likely outcomes

Obfuscation is the process of modifying something so as to hide its true purpose. In the case of
malware, obfuscation is used to make automated analysis of the malware nearly impossible and
to frustrate manual analysis to the maximum extent possible. There are two basic ways to deal
with obfuscation. The first way is to simply ignore it, in which case your only real option for
understanding the nature of a piece of malware is to observe its behaviour in a carefully
instrumented environment. The second way to deal with obfuscation is to take steps to remove
the obfuscation and reveal the original “de-obfuscated” program, which can then be analyzed
using traditional tools such as disassembles and debuggers. Of course, malware authors
understand that analysts will attempt to break through any obfuscation, and as a result they
design their malware with features designed to make de-obfuscation difficult. De-obfuscation
can never be made truly impossible since the malware must ultimately run on its target CPU; it
will always be possible to observe the sequence of instructions that the malware executes using
some combination of hardware and software tools. Tools used to obfuscate compiled binary
programs are generically referred to as packers. This term stems from the fact that one technique
for obfuscating a binary program is simply to compress the program, as compressed data tends to
look far more random, and certainly does not resemble machine language. For the program to
actually execute on the target computer, it must remain a valid executable for the target platform.
The most basic packers simply perform compression of a binary’s code and data sections. More
sophisticated packers not only compress, but also perform some degree of encryption of the
binary’s sections. There are different tool available for unpacking binary

Debugger-Assisted Unpacking: Allowing malware to run free is not always a great idea. If we
don’t know what the malware does, it may have the opportunity to wreak havoc before we can
successfully dump the memory image to disk. Debuggers offer greater control over the execution
of any program under analysis. The basic idea when using a debugger is to allow the malware to
execute just long enough for it to unpack itself, then to utilize the memory dumping capabilities
of the debugger to dump the process image to a file for further analysis. A fundamental problem
when working with self-modifying code in a debugger is that software breakpoints (such as the
x86 int 3) are difficult to use since the saved breakpoint opcode (0xCC on the x86) may be
modified before the program reaches the breakpoint location. As a result, the CPU will fetch
something other than the breakpoint opcode and fail to break properly. Hardware breakpoints
could be used on processors that support them; however, the problem of where to set the
breakpoint remains. Without a correct disassembly, it is not possible to determine where to set a
breakpoint. The only reasonable approach is to use single stepping until some pattern of
execution such as a loop is revealed, then to utilize breakpoints to execute the loop to
Completion, at which point you resume single stepping and repeat the process.

CONCLUSION

We have learnt Malware basics, malware analysis and techniques of analyzing malware. We
have also learnt limitations of static malware analysis. After the discussion between static and
malware analysis, Dynamic malware analysis is the best way to analyze malware samples. In this
we have gone through the some tools for malware analysis. We also see current trends in
malware and de-obfuscating malware. This survey paper presents a summary of malware detection
and analysis techniques and tools. In particular, the different tools available for malware detection,
memory forensics, packet inspection, scanners/sandboxes, reverse engineering, hacking, and website
analysis have been thrown light. Since most of the current surveys typically concentrate on a specific
subset of the model, this paper offers an in-depth study of methods to identify and evaluate malware
with a clear understanding of domain-specific analytics.

REFERENCES

1) A Survey on Automated Dynamic Malware Analysis Techniques and Tools,

http://www.seclab.tuwien.ac.at/papers/malware_surv ey.pdf

2) Malware Analysis & its Application to Digital Forensic,

http://www.enggjournals.com/ijcse/doc/IJCSE12-04- 04-023.pdf

3) Gray Hat Hacking 2nd Edition McGraw Hill by Shon Harris

[4] A. Damodaran, F. Di Troia, C. A. Visaggio, T. H. Austin, and M. Stamp, “A comparison of

static, dynamic, and hybrid analysis for malware detection,” Journal of Computer Virology and
Hacking Techniques, vol. 13, no. 1, pp. 1–12, 2017.

[5] B. Anderson, C. Storlie, and T. Lane, “Improving malware classification: bridging the
static/dynamic gap,” in Proceedings of the 5th ACM workshop on Security and artificial
intelligence, pp. 3–14, 2012.

[6] S. Talukder, S. Witherspoon, K. Srivastava, and R. Thompson, “Mobile technology in

healthcare environment: Security vulnerabilities and countermeasures,” arXiv preprint
arXiv:1807.11086, 2018.

[7] C. Raghuraman, S. Suresh, S. Shivshankar, and R. Chapaneri, “Static and dynamic malware
analysis using machine learning,” in First International Conference on Sustainable Technologies
for Computational Intelligence, pp. 793–806, Springer, 2020.