RE Process

Reverse Engineering

• Definition: Reverse engineering is the process of deconstructing something to understand how it was designed, how it works, and its purpose.

• Application to Malware: When applied to malware, reverse engineering involves deconstructing the malware to reveal its design, code architecture, and purpose. This helps in understanding how the malware operates and what it aims to achieve.

Malware Analysis vs. Reverse Engineering

• Malware Analysis: This is the process of determining the functionality or impact of a given malware sample, such as a backdoor, worm, or virus.

• Reverse Engineering as a Sub-process: Reverse engineering is often a part of the overall malware analysis process. Depending on the analysis goals, you may choose to include reverse engineering techniques or not.

Analysis Goals

• Importance: Defining your analysis goals ahead of time helps guide your analysis and reporting. For example, you might focus on retrieving malicious callouts for network blocking or detailing an encryption algorithm used by the malware.

Static vs. Dynamic Analysis

• Static Analysis: This involves analyzing the malware without executing it. You might view the binary, look at the file bytes, and use specific tools to guide your analysis.

• Dynamic Analysis: This involves executing the malware in a controlled environment (like a virtual machine) to observe its behavior and actions. Tools are used to monitor and log the environment while the malware is running.

Importance of Malware Analysis

• Understanding Malware Behavior: Analyzing malware helps in understanding its behavior, which is crucial for protecting systems from threats. For example, knowing the list of malicious URLs can help network administrators impose policies to mitigate attacks.

Reporting

• Documentation: Documenting all the information collected during analysis is essential for creating a knowledge base for future analysts or upper management.

• Audience Awareness: Ensure your reports are understandable to your audience, who may not be as technical as you. Answer questions like what the malware does, its triggered behaviors, intended platforms, and code architecture.