Malware analysis is the process of investigating a malware sample with different tools and procedures. It can be performed with a variety of goals; the major ones are assessing the damage caused by the malware, finding indicators of compromise, determining the sophistication level of the malware author, identifying the vulnerability it exploits, and finding the intruders or insiders responsible for an attack. Generally, there are two methods of analysing malware:
Dynamic Malware Analysis: In this method, the analyst executes the malware in order to observe its actions. This requires a proper environment that is logically isolated from other hosts on the network. Different tools can be used to analyse the malware's interaction with the file system, the registry, other processes and the network. The basic freely available tools used for this analysis are Wireshark, Process Monitor and the Sysinternals suite. These tools monitor the behaviour of the whole computer rather than just the malicious code, so during examination the analyst must filter out the normal background activity that is not attributable to the malware.
Static Malware Analysis: This method is safer than dynamic malware analysis because the malware never has to be executed. Instead, the executable code is loaded into a disassembler in order to determine the malware's behaviour; reverse engineering is closely linked with static malware analysis, and the classic example of a disassembler is IDA. Static analysis covers file fingerprinting, virus scanning, packer detection, strings finding and disassembly. (Kris Kendall 2007)
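As an added illustration of the static-analysis steps listed above (example code written for this page, not taken from the cited source), the following Python script performs file fingerprinting, strings finding and an entropy-based packer detection heuristic on a constructed byte string that stands in for a sample. Disassembly and virus scanning are left to dedicated tools such as IDA and an AV engine.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a suspicious file: a DOS/PE-style header, a few
# telltale strings, and a high-entropy tail resembling a packed section.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://example.invalid/update\x00"
    + b"CreateRemoteThread\x00VirtualAllocEx\x00"
    + bytes(range(256)) * 2
)

def fingerprint(data: bytes) -> dict:
    """File fingerprinting: hashes that identify the sample and can be shared as IoCs."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def find_strings(data: bytes, min_len: int = 6) -> list:
    """Strings finding: printable ASCII runs hint at URLs, file paths and API names."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Packer detection heuristic: packed or encrypted regions push entropy close to 8.0."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))

def triage(data: bytes) -> dict:
    """Static triage report combining the checks above; disassembly would follow."""
    report = fingerprint(data)
    report["is_pe_candidate"] = data[:2] == b"MZ"   # DOS header magic
    report["strings"] = find_strings(data)
    report["max_entropy"] = round(max_window_entropy(data), 2)
    report["likely_packed"] = report["max_entropy"] > 7.0
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The entropy threshold of 7.0 is a common rule of thumb, not a definitive test; compressed resources and certificates also score high, so a hit should prompt closer inspection rather than a verdict.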