Daniel Plohmann studied Computer Science at the University of Bonn. Since 2010, he has been a PhD student and security researcher in the Cyber Defense Research Group at Fraunhofer FKIE in Wachtberg, Germany. His main research field is reverse engineering, with a focus on malware analysis and botnet mitigation. For more information on his work and publications, please visit: http://pnx.tf.
Patterns of a Malware Analysis Workflow
Co-authors: Sebastian Eschweiler, Dr Elmar Gerhards-Padilla
In this talk, we give a thorough explanation of the malware analysis workflow specified and employed by our team of analysts. It was derived from observed work patterns and best practices, with a strong focus on enabling collaboration, i.e. analyses conducted by multiple analysts in parallel in order to achieve a speed-up. The workflow consists of four phases, each with its own goals, constraints, and abort conditions.
The first phase aims at gaining an overview of the current situation and at specifying the goals of the analysis and their respective priorities. The second phase is a preliminary analysis used to sharpen the picture of the threat, using Open Source Intelligence (OSINT) methods and automated tools to obtain a quick assessment that enables first mitigation steps. A further objective of this phase is to prepare a more granular dissection of the malware sample, e.g. by unpacking and deobfuscation. The third phase comprises an in-depth analysis relying heavily on reverse engineering of selected parts of the malware. The selection may be influenced by earlier findings or focus on prominent aspects like nesting, functionality, or communication protocols. The final phase builds upon the results of the preceding phases, leading to mitigation concepts tailored to the specimen analysed. Where possible, we will use case studies from our actual work to provide illustrative examples.
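As an added illustration of what the automated part of the second phase looks like in practice (this is example code written for this page, not a tool from the authors' team or from the talk), the following script performs a minimal offline triage of a sample: it records hashes for OSINT pivoting, extracts printable strings and URL-like indicators for a first assessment, and uses a Shannon-entropy heuristic to flag samples that are probably packed and therefore need unpacking before in-depth analysis. The packing threshold of 7.2 bits/byte, the hypothetical C2 URL `c2.example.invalid`, and both sample byte blobs are constructed assumptions for the demonstration.

```python
import hashlib
import math
import random
import re
from dataclasses import dataclass, field

# Heuristic assumption: byte entropy above this value (max is 8.0) usually
# indicates compressed or encrypted content, i.e. a packed sample.
PACKED_ENTROPY_THRESHOLD = 7.2

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class TriageReport:
    md5: str
    sha256: str
    size: int
    entropy: float
    likely_packed: bool
    strings: list = field(default_factory=list)
    indicators: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def triage(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> TriageReport:
    """Quick automated assessment of a sample blob (phase-two style triage)."""
    strings = extract_strings(data)
    # URL-like strings are the cheapest OSINT pivot (sandbox reports, passive DNS).
    indicators = [u for s in strings for u in URL_RE.findall(s)]
    entropy = shannon_entropy(data)
    return TriageReport(
        md5=hashlib.md5(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        size=len(data),
        entropy=round(entropy, 3),
        likely_packed=entropy > threshold,
        strings=strings,
        indicators=indicators,
    )


# Constructed sample 1: an unpacked-looking blob with readable strings and padding.
PLAIN_SAMPLE = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
    b"http://c2.example.invalid/gate.php\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 1500
)

# Constructed sample 2: pseudo-random bytes from a fixed seed, standing in for a
# packed/encrypted payload (no real malware involved).
_rng = random.Random(1)
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = triage(blob)
        print(f"{name}: sha256={r.sha256[:16]}... entropy={r.entropy} "
              f"packed={r.likely_packed} indicators={r.indicators}")
```

In a real workflow the hashes go out to threat-intelligence sources, the indicators seed the OSINT search, and a positive packing verdict routes the sample to the unpacking step before anyone spends reverse-engineering time on it; the entropy test is only a first filter and must be confirmed by looking at sections and imports.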
For each of the proposed phases, we give an overview of potential key tools, e.g. tools that help to gather information or to improve collaboration. On a higher level, we highlight the challenges of cooperative analysis and our approach to handling them. In this regard, the workflow adopts principles known from agile software development methodologies. For example, Scrum is used for task management and coordination, helping to create a reproducible and reliable chain of results.