- My team at Savvis provides security assessments, design, and operational assistance for businesses.
- Learn how to analyze malware at my SANS course in New York, London, DC, and over the Web.
- My new 2-day course on Combating Malware debuts in Las Vegas at half price; full price in DC.
Related Content:
- Reverse-Engineering Malware cheat sheet
- Analyzing Malicious Documents cheat sheet
- Combating Malicious Software articles
|
New! My 2-day Combating Malware in the Enterprise course debuts in Las Vegas at half price (September); full price in DC (December). |
What to Include in a Malware Analysis Report
In my SANS Institute course, I teach security and systems professionals how to reverse-engineer malicious software. The following note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process.
A typical malware analysis report covers the following areas:
- Summary of the analysis: Key takeaways should the reader get from the report regarding the specimen's nature, origin, capabilities, and other relevant characteristics
- Identification: The type of the file, its name, size, hashes (such as MD5, SHA1, and ssdeep), malware names (if known), current anti-virus detection capabilities
- Characteristics: The specimen's capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker, and so on
- Dependencies: Files and network resources related to the specimen’s functionality, such as supported OS versions and required initialization files, custom DLLs, executables, URLs, and scripts
- Behavioral and code analysis findings: Overview of the analyst's behavioral, as well as static and dynamic code analysis observations
- Supporting figures: Logs, screenshots, string excerpts, function listings, and other exhibits that support the investigators analysis
- Incident recommendations: Indicators for detecting the specimen on other systems and networks (a.k.a. "indicators of compromise"), and possible for eradication steps
Malware analysis should be performed according to a repeatable process. To accomplish this, the analyst should save logs, take screen shots, and maintain notes during the examination. This data will allow the person to create an analysis report with sufficient detail that will allow a similarly-skilled analyst to arrive at equivalent results.
A convenient way of keeping track of your observations during the reverse-engineering process is to use a mind map, which organizes your notes, links, and screenshots on a single easy-to-see canvas. You can download my mind map template for such a report; you need to use the free mind-mapping tool called FreeMind to load and edit the template.
About the Author: Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware at SANS Institute. Lenny explores security topics at conferences, in books and in articles. He also volunteers as an incident handler at the Internet Storm Center. You can follow Lenny on Twitter to stay in touch.
Copyright © 1995-2010 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.