Malware analysis involves examining software that performs actions without user knowledge or consent.
Examples of malware include backdoors, bots/botnets, downloaders, and information-stealing malware.
Backdoors: Once executed, they grant attackers remote access and control of a system.
Botnets: A collection of infected devices (e.g., 10 devices) controlled by a single controller. These infected devices are often referred to as "zombies."
Downloaders: Malware that, once executed, downloads additional malicious software onto a system.
Information Stealing Malware: Designed to steal sensitive information from a system.
Ransomware: Encrypts a user's files and demands a ransom payment in exchange for the decryption key.
Viruses: Self-replicate and require user interaction or a host program to execute and spread.
Worms: Self-replicate over a network without needing a host program or user interaction.
Source textbook: Malware Analysis: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.
The goal of malware analysis is to examine infected files or systems to determine if they are benign or malicious.
Malware analysis involves analyzing malware to understand its functionality and potential damage to a device.
Key components of malware analysis:
Analyzing executable files (.exe), PDF files, Word documents, and APK files.
Identifying potentially infected or damaging programs.
Analysts develop skills in identifying host-based and network-based indicators.
Host-Based Indicators: Used to detect malicious code on victim computers and its effects on the system.
Example: A program that, when double-clicked, turns out to be malware.
Network-Based Indicators: Used to detect malicious code by monitoring network traffic.
Examples: Communication protocols and data exfiltration to a server IP address.
Combining host-based and network-based indicators provides a more comprehensive detection approach.
Malware execution involves several stages: initial infection, installation, and execution.
*Installation of the high stage.
After installation, malware often exhibits host-based indicators (e.g., file replication) and network-based indicators (e.g., data transmission).
Malware analysis faces challenges due to code protection technologies and reverse engineering techniques.
Malware authors employ techniques to make analysis more difficult.
Chapter 2: Dynamic Analysis Environment
Dynamic analysis involves running malware and observing its behavior.
Static analysis involves examining the malware without running it.
Dynamic analysis environment crucial to safely analyze malware.
Virtual machines are used to isolate the malware and prevent damage to the host machine.
Static analysis involves examining the executable file without viewing the actual instructions.
Dynamic analysis involves running the malware and observing its behavior.
Two techniques: basic static analysis and advanced static analysis, basic dynamic analysis and advanced dynamic analysis
Basic Static Analysis: Examining the executable file without viewing the actual instructions.
*Assessing the malicious nature of machine malware and confirming by uploading it to VirusTotal.
Advanced Static Analysis: Reverse engineering using tools like CFF Explorer, Immunity Debugger, and disassemblers.
Involves loading the executable into a debugger and studying the assembly code.
Looking for reference text strings within the code.
Basic dynamic analysis involves running the malware and observing its behavior to remove infection procedures.
Dynamic analysis is used to learn about host and network indicators.
Setting up a safe environment is crucial for dynamic analysis to prevent damage.
Advanced dynamic analysis involves using debuggers to examine the RAM executable in a safe environment.
Analyzing the malware's behavior at runtime.
Chapter 3: Obfuscated Malware
Basic static analysis includes using VirusTotal and hash lookups to identify malware.
Tools like strings, CFF Explorer, and Notepad can be used to examine files for strings and functions.
Finding strings in notepad is like finding a needle in a haystack.
High strings is a tool to find keywords.
The strings tool extracts embedded strings from a file without running it.
CFF Explorer is used to examine the file structure and identify properties without running the malware.
Basic static analysis can reveal information like hashes, strings, functions, and headers.
Examining strings can give you hints about the malware's functionality.
Obfuscated malware makes analysis difficult by hiding functions and strings.
Dynamic analysis can help deobfuscate malware by observing its behavior at runtime.
Chapter 4: Use Dynamic Analysis
Tools like CFF Explorer can be used to examine file headers and strings.
UPX is a tool used to compress executable files, reducing their size.
The command UPX -9 is used to compress a file with maximum compression.
The command UPX -d is used to decompress a file.
Packing is used by malware authors to obfuscate their code.
PEID is a tool used to detect packing algorithms.
Using outdated versions of PEID can be vulnerable to buffer overflow attacks.
Polymorphism: A technique used to evade signature-based detection by antivirus programs.
Involves randomly encoding or encrypting the program code while maintaining its original functionality.
A random key is used to decrypt it at runtime.
This can prevent accurate identification of malicious programs.
Chapter 5: Signature Or Malware
Polymorphism: Every time the file be copied with different hash because it is being encrypted every time.
Polymorphism can use different encryption keys each time a program is copied.
Antivirus programs scan for virus signatures in memory.
Even with polymorphism, the CPU will eventually decrypt the program, making it vulnerable to detection.
Polymorphism: Antivirus detects the malware, because memory is decrypted eventually.
Polymorphism can involve using different registers (e.g., EAX, EBX, ECX) each time the code is executed.
Metamorphism: An even more advanced technique that alters the entire program code each time it replicates.
This makes it difficult for antivirus programs to use signature matching.
Random bytes might be inserted inside functionality.
Metamorphism is runtime and very difficult to be detected by antivirus because it is different than the original.
Portable Executable PE is used with Windows, ELF used with Linux.
Magic codes are used to identify file types (e.g., MZ for portable executables).
Chapter 6: Basic Dynamic Analysis
Portable executables have sections like headers, text, data, TLS, and resources.
The .text section contains the executable code.
The .data section contains import and export information.
The .rsrc section contains resource data like images, icons, and menus.
PE Explorer, PE View, and CFF Explorer are tools used to perform static analysis.
These tools can reveal information about the file's resources, sections, and imports/exports.
*You can even edit parts of a PE file, like icons, strings during basic static analysis.
Static analysis can help identify suspicious programs.
Key elements to examine: resources, icons, sections, file sizes, timestamps, and import/exports.
Example Case Study:
A user gets hacked after opening a corrupted picture from Facebook.
The file turns out to be an executable with a deceptive icon.
Analyzing the file involves looking for strings and signatures.
The executable is packed with UPX, making analysis more difficult.
Decompressing the file with UPX reveals suspicious strings, including an email address and IP address.
Chapter 7: Conclusion
Text strings can provide valuable information, but they are not always trustworthy.
It is important to verify information obtained from static analysis with dynamic analysis.
In the case study, the text strings revealed the attacker's email address and IP address.
The investigator used UPX to unpack the executable.
Tools like PE Walker and ASProtect can be used for further analysis.
Malware authors may use anti-virtual machine techniques to evade analysis.
*It's possible for the attacker to attack an investigators virtual machine by running the exe.