September 3, 2014
The analysis of encrypted malware combines traditional Dynamic Analysis, Active Memory Analysis and cutting-edge “Trace Analysis”, giving a more holistic view of the malware from three different perspectives. All three “prongs” of this methodology examine “Data In Execution”, which significantly reduces, and in some cases negates, the effectiveness of the anti-forensic countermeasures that malware authors employ.
This multi-layered methodology targets the weaker and less protected aspect of malware: its execution. It gives an analyst multiple complementary avenues of analysis and a means to analyze advanced malware that employs defenses designed to obfuscate the binary and foil Static Analysis, such as packers, obfuscation or other encryption techniques. Once such techniques are de-obfuscated, the playing field is leveled and the analyst becomes more effective. This paper provides a brief demonstration of this methodology and stands as an example of the benefit of this approach in identifying and analyzing malware that utilizes anti-forensic techniques, such as encryption.
About the author: Kristopher Bleich has 15 years of military and civilian law enforcement, computer information security and computer forensic experience. He has extensive experience in criminal investigations and criminal computer forensic investigations. Kristopher is certified to instruct law enforcement personnel in the seizing of electronic evidence through the National White Collar Crime Center (NW3C), along with being a Certified Ethical Hacker (C|EH) and certified as an EnCase Certified Examiner (EnCE). SpearTip is a cyber counterintelligence firm located in St Louis, MO with offices in Dallas, TX and Washington D.C. SpearTip’s mission statement is, “Blending cutting-edge technologies, unique skill sets, and military-proven cyber-counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.” http://www.speartip.com