A comparison of tools for malware analysis


Page 1: A comparison of tools for malware analysis

A COMPARISON OF TOOLS

FOR MALWARE ANALYSIS

Tiziana Spata

[email protected]

Università degli Studi di Catania

Dipartimento di Matematica e Informatica

Page 2: A comparison of tools for malware analysis

Malware is everywhere...

Page 3: A comparison of tools for malware analysis

Malware Analysis

PROGRAM UNDERSTANDING

PREVENT MALWARE ATTACK

Static Analysis

Dynamic Analysis

Page 4: A comparison of tools for malware analysis

Static Analysis

It’s performed without executing the program:

• Disassemble the malware

• Control flow or data flow analysis: provides a great deal of information on how the malware functions

Page 5: A comparison of tools for malware analysis

IDA Pro

The Interactive Disassembler Professional is a product of Hex-Rays.

It’s a recursive descent disassembler: it follows the control flow of the code, classifying each decoded instruction as one of:

• Sequential Flow Instructions

• Conditional Branching Instructions

• Unconditional Branching Instructions

• Function Call Instructions

• Return Instructions
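The five instruction classes above are exactly what a recursive descent disassembler uses to decide which bytes to decode next. The following is an added example (not IDA Pro code, and not from the original slides) over a constructed toy instruction set: it follows control flow from an entry point and, unlike a linear sweep, never decodes inline data bytes that no branch reaches.

```python
# Added example: a minimal recursive-descent disassembler over a constructed toy
# instruction set. Not IDA Pro code; opcodes and encoding are invented here.
# opcode -> (mnemonic, size in bytes, flow class named on the slide)
ISA = {
    0x00: ("nop", 1, "seq"),     # sequential flow
    0x01: ("mov", 2, "seq"),     # mov imm8, sequential flow
    0x10: ("jmp", 2, "jump"),    # unconditional branch, rel8 target
    0x20: ("jz", 2, "cjump"),    # conditional branch, rel8 target
    0x30: ("call", 2, "call"),   # function call, rel8 target
    0x40: ("ret", 1, "ret"),     # return
}
def rel8(byte):
    """Signed 8-bit displacement, relative to the next instruction."""
    return byte - 256 if byte > 127 else byte
def recursive_descent(code, entry=0):
    """Decode only what control flow reaches from entry; bytes that are never
    a flow successor (e.g. inline data) stay undecoded."""
    seen, worklist = {}, [entry]
    while worklist:
        pc = worklist.pop()
        if pc in seen or pc >= len(code) or code[pc] not in ISA:
            continue                      # done, out of range, or not code
        mnem, size, kind = ISA[code[pc]]
        if pc + size > len(code):
            continue                      # truncated at end of buffer
        operand = code[pc + 1] if size == 2 else None
        seen[pc] = (mnem, operand)
        nxt = pc + size                   # fall-through address
        if kind == "seq":
            worklist.append(nxt)
        elif kind == "jump":              # follow the target only
            worklist.append(nxt + rel8(operand))
        elif kind in ("cjump", "call"):   # follow both target and fall-through
            worklist += [nxt, nxt + rel8(operand)]
        # "ret": no successor, this path ends
    return dict(sorted(seen.items()))
def linear_sweep(code):
    """Decode every byte front to back, for comparison with recursive descent."""
    out, pc = {}, 0
    while pc < len(code):
        mnem, size, _ = ISA.get(code[pc], ("db", 1, "seq"))
        out[pc] = (mnem, code[pc + 1] if size == 2 and pc + 1 < len(code) else None)
        pc += size
    return out
# Constructed sample: 0: jmp->5 | 2: three data bytes | 5: call->11 | 7: jz->10
# | 9: nop | 10: ret | 11: mov 42 | 13: ret
SAMPLE = bytes([0x10, 0x03, 0xAA, 0xBB, 0x10, 0x30, 0x04, 0x20, 0x01,
                0x00, 0x40, 0x01, 0x2A, 0x40])
```

On SAMPLE, recursive_descent decodes offsets 0, 5, 7, 9, 10, 11 and 13 only, while linear_sweep misreads the data byte at offset 4 as a jump and therefore never sees the call at offset 5.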

Page 6: A comparison of tools for malware analysis

Dynamic Analysis

It’s performed by executing programs in a real or virtual environment.

• Black Box Analysis: "what you see is all you get"

• White Box Analysis: it’s different from static analysis!

Page 7: A comparison of tools for malware analysis

Wireshark

It’s a free and open-source packet analyzer.

Most network interfaces can be put in “promiscuous mode”, in which they supply to the host all network packets they see.

Page 8: A comparison of tools for malware analysis

oSpy

It’s a packet sniffing tool which aids in reverse-engineering software running on the Windows platform.

The sniffing is done at the API level, which allows a much more fine-grained view of what’s going on.

Page 9: A comparison of tools for malware analysis

Process Monitor

It’s an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity.

Process Monitor includes powerful monitoring and filtering capabilities:

• File System

• Registry

• Process

• Network

• Profiling

Page 10: A comparison of tools for malware analysis

OllyDbg

It’s a debugger that traces registers, recognizes procedures, API calls…

It has a friendly interface, and its functionality can be extended by third-party plugins.

Page 11: A comparison of tools for malware analysis

Conclusions

A good analysis of malware can be made thanks to the combination of several tools that implement techniques of static and dynamic analysis.

Thanks for your attention!