You should keep in mind that malware may try to hide from examination, so you should not trust the operating system that runs the malware to tell you what is happening.
A skilled developer can disassemble the malware's components and determine (mostly) what the malware is doing. That level of sophisticated analysis is far outside the scope of this answer, so I'll focus instead on ways of identifying some of the basic actions. Malware designers are often very skilled people (or teams) who apply a lot of excellent security methods to keep their creations undetected.
Virtual machines are a convenient tool for examining the workings of a malware sample. A virtual machine gives you a consistent and easy-to-replace platform for testing malicious code that you've encountered. The downside of virtualization, however, is that it's easy for malware to determine that it's in a virtual environment and act differently, or not activate at all, thereby avoiding detection.
Because most malware is capable of communicating over the network, a key tool in your arsenal should be a program like ActivePorts or Foundstone's fport that allows you to determine what processes use a network interface. Microsoft's Port Reporter is another robust option. According to the software's listed features, Port Reporter logs will examine the ports that are used, the processes that use the port, the modules (.dll, .drv, and so on) that a process loads and the user accounts that start a process. This is a two-part application designed to examine systems that may be compromised.
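The process-to-port correlation that tools like fport and Port Reporter perform can also be reproduced from the output of two stock Windows commands, `netstat -ano` and `tasklist /fo csv /nh`. The following is an added example, not code from the original answer or from any of the tools it names; the netstat and tasklist output it parses is constructed sample data, and the process names and PIDs in it are hypothetical.

```python
import re
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (hypothetical PIDs and addresses).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3120
  TCP    0.0.0.0:18888          0.0.0.0:0              LISTENING       3120
  UDP    0.0.0.0:5355           *:*                                    1244
"""

# Constructed sample of `tasklist /fo csv /nh` output (hypothetical names).
TASKLIST_SAMPLE = '''"svchost.exe","884","Services","0","9,120 K"
"System","4","Services","0","144 K"
"updater.exe","3120","Console","1","2,048 K"
"svchost.exe","1244","Services","0","5,500 K"
'''

# Proto, local, remote, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def parse_tasklist(text):
    # Map PID -> image name; skip any row that is not a process record.
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text))
            if len(r) >= 2 and r[1].isdigit()}

def map_ports_to_processes(netstat_text, tasklist_text):
    """Join socket rows to process names by PID. Both inputs come from the
    suspect host, so a rootkit can hide entries from either command; rerun
    the collection with known-good binaries from a response CD to compare."""
    names = parse_tasklist(tasklist_text)
    report = defaultdict(list)
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        report[(pid, names.get(pid, "<no tasklist entry>"))].append((proto, local, remote, state))
    return dict(report)

def listening_ports(report):
    """Sorted (port, proto, pid, name) for every listener or UDP socket: the first triage view."""
    out = []
    for (pid, name), sockets in report.items():
        for proto, local, remote, state in sockets:
            if state == "LISTENING" or proto == "UDP":
                out.append((int(local.rsplit(":", 1)[1]), proto, pid, name))
    return sorted(out)
```

A PID that appears in netstat but has no tasklist entry, or a listener owned by an unexpected image name, is exactly the discrepancy the answer says to look for.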
Forensic tools are often well suited to examine system activity and history. There are a few incident response-focused bootable CDs containing Windows binaries that can be run as safe, known-good tools for data collection on a compromised system. The Windows Forensic Toolkit (WFT) is one such CD, but the newest version is no longer free for commercial use. Helix is another live CD but is also no longer free. Guidance Software Inc.'s EnCase and AccessData Corp.'s FTK forensic products have advanced features that will allow you to collect detailed system and memory information, along with a forensic image, provided you have the budget for these tools.
As a tangent, I'd recommend anyone interested in the security efforts used by malware developers read up on the Conficker / Downadup botnet, malware that uses a variety of techniques to obscure itself and make examination tricky. A Conficker working group is dedicated to examining and eradicating it.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
This was first published in July 2010