
What is Malware?
----------------
Malicious software (malware) is any software that gives the malware creator partial
to full control of your computer, to do whatever they want with it. Malware can be a
virus, worm, trojan, adware, spyware, rootkit, etc. The damage done can vary from
something as slight as changing the author's name on a document to full control of
your machine without your being able to easily find out. Most malware requires the
user to initiate its operation. Some attack vectors include attachments in e-mails,
browsing a malicious website that installs software after the user clicks OK on a
pop-up, and exploitation of vulnerabilities in the operating system or programs.
Malware is not limited to one operating system.

Types of Malware
------------------
Virus:
Like their biological namesakes, viruses attach themselves to clean files and
infect other clean files. They can spread uncontrollably, damaging a system’s core
functionality and deleting or corrupting files. They usually appear as an
executable file (.exe).
Trojans:
This kind of malware disguises itself as legitimate software, or is hidden
in legitimate software that has been tampered with. It tends to act discreetly and
create backdoors in your security to let other malware in.
Spyware:
No surprise here — spyware is malware designed to spy on you. It hides in
the background and takes notes on what you do online, including your passwords,
credit card numbers, surfing habits, and more.
Worms:
Worms infect entire networks of devices, either local or across the
internet, by using network interfaces. Each newly infected machine is used to
infect others.
Ransomware:
This kind of malware typically locks down your computer and your files, and
threatens to erase everything unless you pay a ransom.
Adware:
Though not always malicious in nature, aggressive advertising software can
undermine your security just to serve you ads — which can give other malware an
easy way in. Plus, let’s face it: pop-ups are really annoying.
Botnets:
Botnets are networks of infected computers that are made to work together
under the control of an attacker.

What is Malware Analysis?
-------------------------
Malware analysis is the process of determining the purpose and functionality of a
given malware sample. It equips us with an understanding of how the malware
functions, how to identify it and how to eliminate it.

Why Malware Analysis?
---------------------
Malware analysis can be conducted with various objectives in mind:
To understand the capabilities of the malware
To determine how the malware functions
To assess the intrusion damage
To identify indicators that help us find other machines infected by the same
malware and the extent of the infection in the network
To identify whether the malware is exploiting a vulnerability and how it is
persisting on the system
To determine the nature and purpose of the malware
To understand who is targeting us and how capable they are
To understand what information they stole

Types of Malware Analysis
-------------------------
1> Static analysis
2> Dynamic analysis

Static analysis
----------------
Basic static analysis is analysing software without executing it. Basic static
analysis is straightforward and can be quick, but it is largely ineffective against
sophisticated malware, and it can miss important behaviour.
Advanced static analysis consists of reverse-engineering the malware binary by
loading the executable into a disassembler like Ollydbg or IDA to get assembly
language source code from the machine-executable code; we then read the program to
discover what it does.
Some of the techniques used in static analysis are: determining the file type;
extracting the strings encoded in the binary file; checking for obfuscation, to
determine whether the file has been packed or a cryptor has been used; and hashing
the file and checking the hash against multiple AV databases.

Ways of Static Malware Analysis
-------------------------------
Checking File Hash:
The very first technique in static analysis is to upload the suspicious
executable to VirusTotal, which runs the executable against several AV solutions
and gives the result.

Finding strings:
Searching through the strings can be a simple way to get hints about
the functionality of a program.
Use Strings from Windows Sysinternals.
Look for URLs, DLLs and IP addresses.
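As an added example (my own code, not part of the original notes), a small Python script that computes the file hashes you would look up and extracts ASCII and UTF-16LE strings the way the Strings tool does, then sorts them into the URL, DLL and IP address indicators mentioned above. The sample bytes are constructed inline so it runs offline; on a real file, pass open(path, "rb").read() instead.

```python
import hashlib
import re

# Constructed sample bytes mimicking what a suspicious PE might contain (not a real executable).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"KERNEL32.dll\x00WS2_32.dll\x00\x01\x02"
          + b"http://example.invalid/update.php\x00" + b"\xff" * 8
          + b"192.0.2.10\x00ShellExecuteA\x00\x00"
          + "unicode".encode("utf-16-le") + b"\x00\x00")

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256: the values looked up on VirusTotal or shared as indicators."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, then runs of printable UTF-16LE (wide) characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])

# Indicator patterns for the three string types the notes say to look for
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "dll": re.compile(r"\b[\w.-]+\.dll\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def classify(strings: list) -> dict:
    """Bucket extracted strings into URL, DLL name and IPv4 address indicators."""
    found = {kind: [] for kind in PATTERNS}
    for s in strings:
        for kind, rx in PATTERNS.items():
            found[kind].extend(rx.findall(s))
    return found
```

Searching VirusTotal by hash before uploading avoids sharing a sample that may contain sensitive data.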

How to check if malware code is obfuscated or not?

Often malware writers obfuscate their code so that the files are hard to read.
When a packed program runs, a wrapper program (the unpacking stub) runs first to
unpack it. With static analysis it is really hard to tell which files are packed
unless it is clearly evident that they are.
Tools like PEiD are sometimes able to tell that a file is packed.

Files which are UPX packed can be unpacked with the following command:
upx -o <newfilename> -d <packedfilename>

PE File Sections
----------------
Information gathering from the Portable Executable (PE) file format
The PE file format is used by Windows executables, DLLs etc. It contains the
information the Windows OS loader needs to run the code. While examining PE
files, we can analyse which functions have been imported and exported and what type
of linking is used, i.e. runtime, static or dynamic.

A PE file contains a header and several important sections, each holding useful
information. Let's look at these sections:
1) .text: contains the executable code.
2) .rdata: holds read-only, globally accessible data.
3) .data: stores global data accessed throughout the program.
4) .rsrc: stores resources needed by the executable.

Most often malware writers use dynamic linking in their code.

Under the header there is a subsection named "IMAGE_FILE_HEADER", which
contains the timestamp field. This timestamp shows the compile time of the
executable.
Suppose static analysis leads an analyst to predict that the executable will
create a process, and calls such as exec and sleep are found, but nothing is found
about a DLL that provides a function to connect to another server. In that case a
resource is hidden within the executable. Open the .rsrc section of the PE file
with a tool like Resource Hacker to gain more information about the malware.
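The following added example (my own code, not from the original notes) walks the PE header described above using only the Python standard library: it reads the IMAGE_FILE_HEADER timestamp, lists the sections, and applies the two packing heuristics from the obfuscation section above (UPX section names and high byte entropy). The image it parses is a constructed minimal PE-shaped blob, not a real executable, and the 7.0 entropy threshold is an assumption.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names the UPX packer leaves behind
FILE_HDR = "<HHIIIHH"                 # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0               # assumption: code/text sits well below, packed data near 8

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[:2] != b"MZ" or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, blob, pe_off + 4)
    sec_off = pe_off + 24 + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, blob, sec_off + 40 * i)[:5]
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": round(entropy(raw), 2)})
    return {"compile_time": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(), "sections": sections}

def packing_indicators(info: dict) -> list:
    """Flag UPX section names and sections whose bytes look compressed or encrypted."""
    hits = []
    for s in info["sections"]:
        if s["name"] in UPX_NAMES:
            hits.append(f"{s['name']}: UPX section name")
        if s["entropy"] > ENTROPY_THRESHOLD:
            hits.append(f"{s['name']}: high entropy ({s['entropy']})")
    return hits

def build_sample() -> bytes:
    """Constructed minimal PE-shaped image: headers plus two sections, not runnable code."""
    text = b"\x90\xc3" * 128        # repetitive 'code' -> entropy 1.0
    packed = bytes(range(256)) * 2  # every byte value equally often -> entropy 8.0
    hdr_len = 0x40 + 4 + 20 + 2 * 40   # DOS header + signature + file header + 2 section headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HDR, 0x14C, 2, 1700000000, 0, 0, 0, 0x102)  # 2 sections, no optional header
    sec1 = struct.pack(SECTION_HDR, b".text", len(text), 0x1000, len(text), hdr_len, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack(SECTION_HDR, b"UPX1", len(packed), 0x2000, len(packed), hdr_len + len(text), 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + file_hdr + sec1 + sec2 + text + packed
```

On a real file, parse_pe(open(path, "rb").read()) gives the same dictionary; a PE with a normal optional header is handled because the section table offset is taken from SizeOfOptionalHeader.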


Dynamic analysis
----------------
Basic dynamic analysis actually runs the malware to observe its behaviour, understand
its functionality and identify technical indicators which can be used in detection
signatures. Technical indicators revealed by basic dynamic analysis can include
domain names, IP addresses, file path locations, registry keys, and additional files
located on the system or network.

Additionally, it will identify communication with an attacker-controlled external
server for command and control purposes or in an attempt to download additional
malware files.
Dynamic analysis usually focuses on the following activities: file system,
registry, process, network and system calls.
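As an added example not in the original notes, a Python triage script that reduces a Procmon CSV export to the indicator classes listed above (files written, persistence registry keys, child processes, network connections), following child PIDs the sample spawns. The log lines are constructed for the example, using Procmon's default export column names; the persistence key list is an assumption.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (Procmon's default export columns); not a real capture.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.140","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:01:02.300","sample.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 4188"
"10:01:03.010","svchost.exe","4188","TCP Connect","lab-vm:49712 -> 198.51.100.23:443","SUCCESS","Length: 0"
"10:01:03.500","explorer.exe","1532","RegQueryValue","HKCU\\Software\\Classes\\CLSID","SUCCESS","Type: REG_SZ"
"""

# Registry locations commonly used for persistence (assumed list; extend as needed)
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Services\\")

def triage(csv_text: str, sample_pids: set) -> dict:
    """Reduce a Procmon export to file, registry, process and network indicators."""
    pids = set(sample_pids)
    out = {"files_written": [], "persistence": [], "children": [], "network": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["PID"] not in pids:
            continue                      # skip unrelated processes such as explorer.exe
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "CreateFile" and "Write" in detail:
            out["files_written"].append(path)
        elif op == "RegSetValue" and any(k in path for k in PERSISTENCE_KEYS):
            out["persistence"].append(path)
        elif op == "Process Create":
            m = re.search(r"PID:\s*(\d+)", detail)
            if m:
                pids.add(m.group(1))      # follow the child so its activity is attributed to the sample
            out["children"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            m = re.search(r"->\s*([\w.\-]+):(\d+)", path)
            if m:
                out["network"].append((m.group(1), int(m.group(2))))
    return out
```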

Memory Forensics
-----------------
In the investigation of advanced computer attacks which are stealthy enough to avoid
leaving data on the computer's hard drive, the memory of the computer must be
analysed for vital information. Memory analysis is the science of using a memory
image to determine information about running programs, the operating system, and
the overall state of a computer.
Steps in memory forensics
a> Memory Acquisition:
This step involves dumping the memory of the target machine. On a
physical machine you can use tools like Win32dd/Win64dd, Memoryze, DumpIt or
FastDump. On a virtual machine, acquiring the memory image is easy: you
can suspend the VM and grab the ".vmem" file.
b> Memory Analysis:
Once a memory image is acquired, the next step is to analyse the
memory dump for forensic artifacts; tools like Volatility and others like
Memoryze can be used to analyse the memory.

Memory forensics helps us to gather the following information:
List of all past and current network connections
List of all running processes
List of DLLs loaded
Keystrokes entered
Unpacked / decrypted version of the malware file
List of open files associated with a process
List of open registry keys associated with a process
Kernel modules
Code injection
Rootkit detection
Detection of hidden artifacts

Software
--------
Strings (Sysinternals) - to check the strings in the executable
PEiD - to check if the executable is packed
PEview (Sysinternals) - to view the structure of the exe
Ollydbg/IDA - to reverse-engineer the malware binary by loading the executable into
a disassembler
Dependency Walker
Resource Hacker
FileAlyzer
Procmon
Process Explorer
Regshot
ApateDNS
Netcat
Wireshark
INetSim
