Chapter 10: Malware Analysis and Reverse Engineering (Intro)
This is one of the most fascinating (and sometimes creepy) parts of cybersecurity—it’s basically digital detective work. We’re looking inside malicious software to understand what it does, how it does it, how it hides, and how to stop it before it causes real damage.
In January 2026 (right here in Airoli, with the monsoon just gone and everything feeling fresh), malware is more sophisticated than ever. India’s seen massive surges: ransomware families like LockBit 3.0 variants, Akira, BlackCat/ALPHV successors, and infostealers (RedLine, Raccoon, LummaC2) targeting UPI users, small businesses, and even hospitals. The average ransomware recovery cost in India still runs into crores once downtime and reputational damage are counted. Understanding malware is no longer optional—it’s a core skill for SOC analysts, threat hunters, DFIR teams, and CERT-In responders.
We’ll cover the chapter step by step, with real-world examples (many India-relevant), analogies, and safe practices.
1. Types of Malware (Viruses, Worms, Trojans, Ransomware, Rootkits)
Malware isn’t one thing—it’s a family with different behaviors and goals.
- Viruses (the classic type): Attach to legitimate files/programs and spread when the file runs. Require user action (open an infected doc/EXE). 2026 status: Less common standalone—most modern “viruses” are hybrids. Example: Old macro virus in Word/Excel docs (still seen in phishing attachments targeting Indian SMEs).
- Worms: Self-replicating; spread automatically over networks without user interaction, typically by exploiting vulnerabilities (e.g., EternalBlue for WannaCry). Example (India 2025–2026): Variants of NotPetya-style worms or Mirai/IoT worms scanning for open RDP/SSH → infect IoT cameras/routers in homes and offices across Maharashtra → turn them into botnets for DDoS or crypto mining.
- Trojans: Disguised as legitimate software (game, PDF, invoice, “free antivirus”). Once run, they do bad things (steal data, open a backdoor, drop ransomware). Most common delivery in 2026: Fake UPI apps, job portals, “Aadhaar update” tools. Example: Lumma Stealer disguised as a “QuickBooks update” → steals browser cookies, crypto wallets, saved passwords → leads to bank/UPI frauds.
- Ransomware: Encrypts files/data and demands a ransom (usually crypto) for the decryption key. 2026 evolution: Double/triple extortion (encrypt + steal data + threaten to leak or DDoS). Top families active in India right now: Akira, Black Basta, LockBit successors, Play, RansomHub. Example: Hospital in Navi Mumbai hit by an Akira variant → encrypts patient records + leaks sample data on the dark web → demands $500k or full leak.
- Rootkits: Hide the presence of malware (processes, files, registry entries). Operate at kernel or user level → very hard to detect. Example: Kernel-mode rootkit in a banking trojan → hides the malicious process from Task Manager → persists even after reboot. Seen in some Indian-targeted infostealers.
Quick comparison table (2026 lens):
| Type | Spread Method | User Interaction Needed? | Main Goal | 2026 Prevalence in India |
|---|---|---|---|---|
| Virus | File infection | Yes | Spread + payload | Low–Medium (macros) |
| Worm | Network auto-spread | No | Mass infection, DDoS | High (IoT botnets) |
| Trojan | Social engineering | Yes | Backdoor, theft | Very High |
| Ransomware | Trojan + exploit | Usually Yes | Extortion | Extremely High |
| Rootkit | Trojan/kernel exploit | Yes | Stealth/persistence | Medium–High (in advanced) |
2. Static vs Dynamic Analysis
Two main ways to study malware safely.
- Static Analysis — Examine malware without running it. Pros: Safe (no risk of infection), fast initial intel. Cons: Can’t see runtime behavior; packed/encrypted/obfuscated code hides a lot.
Techniques:
- File type/ID (PEiD, Detect It Easy).
- Strings extraction (strings command or BinText).
- Hashing and reputation lookup (VirusTotal, Hybrid Analysis).
- Disassembly (IDA Free, Ghidra, Binary Ninja).
- Decompilation (Hex-Rays for IDA).
- Packer detection (PE-bear, Detect It Easy).
Example: Get sample → hash on VirusTotal → see it’s LummaC2 stealer → strings show C2 URLs, wallet steal functions.
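The static first pass just described (hash the sample, dump its strings, look for C2 URLs and telling imports), as an added Python example that is not part of the chapter. The sample bytes, the API watch-list and the `.example` URL (a reserved TLD) are constructed for illustration; the script never executes what it reads.

```python
import hashlib
import re

# Constructed stand-in for a dropped executable: PE magic, some non-printable
# bytes, then the kind of strings a stealer or ransomware leaves behind.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00" + b"\x00\x01\x02" * 5
    + b"kernel32.dll\x00CryptEncrypt\x00DeleteFileW\x00"
    + b"https://update-quickbooks.example/gate.php\x00"   # .example is a reserved TLD
    + b"\\Login Data\x00.locked\x00"
)
# Imports that hint at encryption, self-deletion or credential theft (a hint, not proof).
SUSPICIOUS_APIS = {"CryptEncrypt", "CryptGenKey", "DeleteFileW", "WriteProcessMemory", "SetWindowsHookExW"}
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-?=&]*)?")

def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for lookup on VirusTotal or Hybrid Analysis."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` prints: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Static first pass: only reads the bytes, never runs the sample."""
    strs = extract_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",            # Windows executable magic
        **hashes(data),
        "urls": [m.group().decode() for m in URL_RE.finditer(data)],   # candidate C2s
        "suspicious_apis": sorted(s for s in strs if s in SUSPICIOUS_APIS),
        "ransom_ext_hint": any(s in (".locked", ".akira") for s in strs),
    }
```

Packed or encrypted samples will yield almost no strings here; that near-empty result is itself the cue to move on to packer detection and dynamic analysis.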
- Dynamic Analysis — Run the malware in a controlled, isolated environment and observe what it does. Pros: See real behavior (network, file changes, registry, processes). Cons: Malware can detect the analysis environment (anti-VM tricks); needs strict isolation.
Environment: Sandbox (Cuckoo, Any.Run, Triage), VM (VirtualBox/VMware with snapshots), isolated network. Example: Run sample in Windows 10 VM → see it drops payload in %AppData%, contacts C2 server in Russia, encrypts files with .akira extension.
2026 best practice: Combine both—static first → dynamic if needed. Use hybrid sandboxes (e.g., Joe Sandbox, Hybrid Analysis) that do both.
3. Behavioral Analysis and Sandboxing
Behavioral Analysis = Watch what the malware does (actions) rather than what it is (code). Key indicators:
- Creates unusual processes/connections.
- Modifies registry (Run keys for persistence).
- Encrypts files in bulk.
- Hooks keyboard/mouse (keylogger).
- Injects into explorer.exe/svchost.exe.
Sandboxing = Isolated environment that runs suspicious files and records behavior. Types:
- Online sandboxes: VirusTotal (behavior tab), Any.Run (interactive), Joe Sandbox.
- Local: Cuckoo Sandbox (open-source), Flare-VM + REMnux setup.
Example (real Indian case style): Sample arrives via phishing (“Salary Slip Dec 2025.pdf.exe”). Sandbox shows:
- Drops file in C:\Users\Public\svchost.exe
- Connects to 185.XX.XX.XX:443 (C2)
- Enumerates drives → starts encrypting .docx/.pdf with .locked
- Sends stolen cookies to Telegram bot
Behavioral verdict: Ransomware + infostealer hybrid.
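Reading a sandbox log the way the report above is read by hand, as an added Python example that is not part of the chapter. The events are constructed to mirror that report, the C2 address is a TEST-NET placeholder rather than the real one, and the rule thresholds are illustrative choices.

```python
import re

RANSOM_EXTS = (".locked", ".akira", ".lockbit")               # extensions given to encrypted files
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe"}   # names malware likes to borrow
CRED_STORES = ("cookies", "login data", "wallet.dat")         # files stealers read

# Constructed sandbox events as (action, detail), ordered as the sandbox recorded them.
EVENTS = [
    ("file_write", r"C:\Users\Public\svchost.exe"),
    ("process_create", r"C:\Users\Public\svchost.exe"),
    ("net_connect", "203.0.113.10:443"),  # TEST-NET placeholder for the C2 address
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("file_read", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("net_connect", "api.telegram.org:443"),
] + [("file_rename", rf"D:\docs\report{i}.docx -> D:\docs\report{i}.docx.locked") for i in range(40)]

def analyse(events, rename_threshold=20):
    """Return the set of behavioural indicators a sandbox event list triggers."""
    hits, renames = set(), 0
    for action, detail in events:
        d = detail.lower()
        if action in ("file_write", "process_create") and d.rsplit("\\", 1)[-1] in SYSTEM_NAMES \
                and "\\windows\\system32\\" not in d:
            hits.add("system_binary_masquerade")  # system binary name outside System32
        elif action == "registry_set" and "\\currentversion\\run" in d:
            hits.add("run_key_persistence")
        elif action == "net_connect":
            host = detail.rsplit(":", 1)[0]
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                hits.add("raw_ip_c2")             # bare IP, no DNS name: typical beacon
            elif host.endswith("telegram.org"):
                hits.add("telegram_exfil")
        elif action == "file_rename" and d.endswith(RANSOM_EXTS):
            renames += 1                          # judge the volume once the log is read
        elif action == "file_read" and any(c in d for c in CRED_STORES):
            hits.add("browser_cred_access")
    if renames >= rename_threshold:
        hits.add("mass_encryption")
    return hits

def verdict(hits):
    """Map indicators to the family label an analyst would write on the report."""
    families = (["ransomware"] if "mass_encryption" in hits else []) + \
               (["infostealer"] if hits & {"browser_cred_access", "telegram_exfil"} else [])
    if not families:
        return "suspicious" if hits else "clean"
    return " + ".join(families) + (" hybrid" if len(families) > 1 else "")
```

A single rename or a lone Run-key write only rates "suspicious"; the hybrid verdict needs both the bulk-encryption volume and the credential-theft indicators, which is why the rules count before they judge.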
Anti-sandbox tricks (2026 common):
- Check for VM artifacts (registry keys, MAC addresses).
- Sleep/delay execution.
- Mouse/keyboard activity check.
- CPU core count check.
4. Common Delivery Methods and Anti-Malware Techniques
Delivery Methods (2026 top in India):
- Phishing (email/SMS/WhatsApp) — Malicious attachment/link (most common).
- Malvertising — Fake ads on sites.
- Drive-by download — Exploit kits on compromised sites.
- Supply-chain compromise — Infected software updates (rare but devastating).
- SEO poisoning — Fake results for “free Netflix” or “Aadhaar update”.
- USB drops / watering hole — Physical or targeted sites.
Anti-Malware Techniques (Defenses):
- Signature-based — AV matches hash/pattern (good for known, fails on new/packed).
- Heuristic / Behavior-based — Detects suspicious actions (process injection, encryption spikes).
- Machine Learning / AI — Models trained on millions of samples (CrowdStrike, SentinelOne, Microsoft Defender).
- Endpoint Detection & Response (EDR) — Monitors + responds (block, quarantine, rollback).
- Application Whitelisting — Only allow approved apps (AppLocker, WDAC).
- Browser protections — SmartScreen, Chrome Safe Browsing.
- User training + phishing sims (KnowBe4 style).
Example stack for Indian small business (2026): Microsoft Defender for Endpoint (EDR) + Malwarebytes + regular backups (offline/air-gapped) + employee training on spotting fake UPI alerts.
