Malware Forensics Notes
WHAT IS MALWARE
- Definition: Malicious Software designed to achieve specific goals.
- Motives: Includes military attacks, information theft (trade secrets), and financial gain.
- Development: Creating effective malware is complex and costly, requiring high levels of expertise.
TYPES OF MALWARE
- Common types (not detailed in the transcript; usually listed as): viruses, worms, Trojans, ransomware, adware, spyware.
MALWARE BEHAVIOUR
- Data Impact: Targets personal data, passwords, intellectual property, and biometric data.
- Financial Impact: Leads to financial losses, reputational damage, and operational downtime.
- Goals: Malware aims to profit over long periods through resource consumption and further exploitation of systems.
LIMITATIONS IN TRADITIONAL COMPUTER FORENSICS
- Traditional Approach: Focused on evidence preservation without altering original states.
  - Step 1: Power off the victim machine; duplicate the storage media.
  - Step 2: Minimize file system distortion during analysis.
- Limitations:
  - Often neglects volatile memory (RAM and device memory).
  - Selective data preservation may undermine evidence reliability.
- Exploitation: Malware authors can exploit these procedural limitations.
COVERT OPERATION – LAUNCHER
- Functionality: Designed to load malware onto victim machines while concealing malicious behavior.
- Techniques: Abuses the resource section of the Windows PE file format (normally used for icons, menus, etc.) to store and conceal the payload.
- APIs Utilized: Includes FindResource, LoadResource and SizeofResource for locating, loading and sizing embedded resources.
COVERT OPERATION – PROCESS INJECTION
- Definition: Injects malicious code into active processes to avoid detection.
- Classifications:
  - DLL Injection: Inserts a DLL into the target process.
  - Direct Injection: Directly modifies a running process.
  - Process Replacement: Replaces an existing process with a malicious one.
COVERT OPERATION – HOOK INJECTION
- Mechanism: Uses a Windows hook so that malicious code runs whenever the hooked messages are intercepted.
- Application: Common in keylogging malware to capture keystrokes.
- API Used: SetWindowsHookEx() for injecting code as a hook into the target process.
MALWARE ANALYSIS PHASES
- Static Analysis: Examines malware without execution (e.g., strings, obfuscation).
- Dynamic Analysis: Analyzes behavior during execution (e.g., network connections, file system changes).
- Reverse Engineering: Digs into malware code for deeper understanding (using tools like IDA, Ghidra, gdb).
- Memory Forensics: Analyzes running malware and extracts sensitive data from RAM.
MEMORY FORENSICS
- Acquisition: Capture RAM contents, hibernation file, and page file data.
- Context Setup: Establish an environment for analysis; identify suspicious processes and drivers.
- Analysis Techniques: Use heuristic methods to recognize indicators of compromise.
ANDROID MALWARE
- Prevalence: 50x more malware incidents on Android than iOS due to the open ecosystem of Google Play Store.
- Distribution Methods: Includes repackaging legitimate apps, exploiting vulnerabilities, and side-loading from the internet.
- Considerations: The relative lack of control over the Play Store enables easier malware distribution.
IDENTIFYING ANDROID MALWARE
- Methods:
  - Using commercial tools or conducting manual analysis (e.g., extracting the APK and its manifest file).
  - Analyzing app permissions, data storage methods, and functionalities.
  - Running the app in simulators for testing and debugging.
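As an added example (not part of the original notes), a small Python triage script that applies the permission and component checks above to a decoded AndroidManifest.xml (text XML, as produced by apktool); the rule set is an assumed starting point for manual analysis, and the sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used by every android:* attribute in a manifest.
NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (fictional package, not a real app): a "flashlight"
# app that also wants SMS access, network access, boot persistence and device admin.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def triage_manifest(xml_text):
    """Return a sorted list of triage labels (assumed rule set) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(NS + "name") for a in root.iter("action")}
    # Permission an app requires for binding to its own service (device admin, accessibility).
    svc_perms = {s.get(NS + "permission") for s in root.iter("service")}
    findings = set()
    if perms & SMS_PERMS and "android.permission.INTERNET" in perms:
        findings.add("sms-access+network")    # can read or send SMS and talk to a server
    if "android.provider.Telephony.SMS_RECEIVED" in actions:
        findings.add("sms-receiver")          # reacts to every incoming SMS broadcast
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and "android.intent.action.BOOT_COMPLETED" in actions):
        findings.add("boot-persistence")      # restarts itself after every reboot
    if "android.permission.BIND_DEVICE_ADMIN" in svc_perms:
        findings.add("device-admin-service")  # can lock/wipe; blocks uninstall while active
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in svc_perms:
        findings.add("accessibility-service") # can read screen content and inject input
    return sorted(findings)
```

Each label marks a capability worth confirming in the decompiled code or in a simulator run; a benign app with the same declared purpose would normally trigger none of them.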
CONCLUSIONS
- Importance of Malware Knowledge: Understanding different malware types is crucial for intelligence gathering in cybersecurity.
- Challenges: Issues regarding the chain of custody are significant in malware investigations.
- Legacy Malware: Research into past malware is vital, as it often resurfaces in new forms.