Chapter 12: Malware Code Analysis


Honeypots for Windows
by Roger A. Grimes
Apress 2005

Highlights

Real honeypots often end up holding malicious files that the attacker either executed as part of the initial exploit or uploaded later for further mischief. Administrators experienced in disassembly can take such an executable apart and learn exactly what it does, byte by byte. Administrators without those skills are, at best, guessing at what the code does.

Without disassembly, the best you can do is examine the file for embedded strings, monitor system and file modifications, and watch the network traffic the code generates. But strings are often encoded or encrypted (and Windows programs keep many of theirs as wide, UTF-16 strings, which a naive ASCII scan misses), and malicious code does not necessarily do everything it can do at once. Viruses and worms often wait for a trigger, such as a particular date, an administrator logon, or a specific command, before the payload executes, so a monitored run shows you only the code paths that happened to fire. How can you be sure that you know everything the malware can do? Disassemble it.
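The "examine the file for embedded strings" step, as an added example that is not from the book: a small triage script that pulls both ASCII and UTF-16LE strings from a suspect binary and then brute-forces single-byte XOR to expose strings the author tried to hide. The sample "binary" (junk separators, a command line, a registry autorun key, and a URL XORed with key 0x5A) is constructed inline and is not taken from any real malware; the domain example.invalid is a reserved name.

```python
"""Static string triage without a disassembler.  Added example; the sample
blob below is constructed here, not extracted from any real malware."""
import re
from typing import Dict, List

MIN_LEN = 5

# A run of printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# A UTF-16LE run: each printable byte followed by a NUL.  Windows APIs and
# the registry are "wide", so a plain ASCII scan misses these entirely.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def ascii_strings(data: bytes) -> List[str]:
    """Equivalent of the classic strings(1) scan for narrow strings."""
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]


def wide_strings(data: bytes) -> List[str]:
    """The same scan for UTF-16LE strings (strings -el on Unix)."""
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, keywords: List[bytes]) -> Dict[int, List[str]]:
    """Decode the whole blob under every single-byte key (1..255) and keep
    the ASCII strings that contain one of the keywords.  This catches the
    common "XOR every byte with a constant" obfuscation; it does not catch
    multi-byte keys, RC4, or strings assembled at run time, which is
    exactly why the text says the only complete answer is disassembly."""
    hits: Dict[int, List[str]] = {}
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        for s in ascii_strings(decoded):
            if any(kw.decode("ascii") in s for kw in keywords):
                hits.setdefault(key, []).append(s)
    return hits


# Constructed sample: junk separators (all >= 0x80, so never printable), a
# plain ASCII command line, a wide registry autorun key, and a hidden URL.
JUNK = b"\x80\x90\xa0\xb0\xc0\xd0\xe0\xff"
HIDDEN_URL = b"http://example.invalid/update"  # example.invalid is reserved
XOR_KEY = 0x5A
SAMPLE = (
    JUNK + b"MZ" + JUNK
    + b"cmd.exe /c" + JUNK
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + JUNK
    + xor_bytes(HIDDEN_URL, XOR_KEY) + JUNK
)

# Hypothetical keyword list; a real one would hold APIs, hosts, and paths
# you expect to see in hostile code.
KEYWORDS = [b"http", b".exe", b"SOFTWARE"]


def triage(data: bytes = SAMPLE) -> dict:
    return {
        "ascii": ascii_strings(data),
        "wide": wide_strings(data),
        "xor": xor_search(data, KEYWORDS),
    }


if __name__ == "__main__":
    report = triage()
    for kind in ("ascii", "wide"):
        for s in report[kind]:
            print(f"{kind:5} {s!r}")
    for key, strings in sorted(report["xor"].items()):
        for s in strings:
            print(f"xor 0x{key:02x} {s!r}")
```

On the sample, the plain ASCII scan reports the command line plus a 29-character run of punctuation that looks like noise; the wide scan is what surfaces the Run key; and only the XOR pass turns that "noise" back into the URL. Treat every string found this way as a lead to confirm in the disassembly, not as proof of behaviour, since a string that is present may never be reached and a string that matters may be built at run time.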

This chapter discusses analyzing and disassembling malware code to reveal its functionality and feature set. It will summarize the basic steps, describe the various tools available, and give you an idea of how malware writers work. Along the way, I’ll provide plenty of recommendations for further research on each topic.



Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
Year: 2006
Pages: 119
