Notes on Malware Forensics Analysis

Module Overview on Malware Forensics

  • Introduction to malware forensics in digital forensics essentials.

  • Focus on key aspects of malware and its analysis techniques.

  • Outline of the following sections to be covered:
      - Understanding malware, its components, and distribution methods.
      - Static and dynamic malware analysis.
      - Analyzing suspicious documents and malware behavior in real-time.

Understanding Malware

  • Definition of Malware: Software designed to
    destroy, exfiltrate, damage, disable, or give control to an external entity.

  • Types of Malware:
      - Viruses: Programs that replicate by inserting copies into other computer programs.
      - Worms: Malware that replicates itself to spread to other computers via networks.
      - Trojans: Malicious software disguised as legitimate software.
      - Crypters: Tools that encrypt or obfuscate malware to evade detection.

Distribution Methods of Malware

  • Common Vectors:
      - Instant Messaging: Links or attachments are clicked by users, spreading malware.
      - Removable Devices: Malware on USB drives that users inadvertently install on systems.
      - Email Attachments: Clicking on what appears to be legitimate documents that contain malware.
      - File Sharing Sites: Downloading software or files from untrusted or illegal sites can introduce malware.
      - Browser Bugs: Exploiting vulnerabilities within outdated browsers can lead to drive-by downloads without user interaction.

Components of Malware

  • All malware has several components to facilitate its objectives:
      - Crypters: Disguises the malware code to evade analysis through encryption or obfuscation.
      - Downloaders: Install additional malicious software onto the system.
      - Injectors: Insert code into active processes to conceal their activity.
      - Packers: Compresses and encrypts malware to avoid detection.
      - Payload: The actual malicious effect of the malware once executed.
      - Exploits: Code that takes advantage of software vulnerabilities.
      - RAM Malware: Code that takes advantage of the system's RAM.

Techniques for Distributing Malware

  • Various advanced techniques exist for distributing malware:
      - Black Hat SEO: Manipulating search engine results to lead users to malicious sites.
      - Malvertising: Embedding malware into legitimate advertising networks.
      - Domain Shadowing: Creating subdomains to host malware.
      - Clickjacking: Tricks users into clicking unnoticed links that download malware.
      - Phishing: Fake emails mimic legitimate institutions to steal log-in details.
      - Mouse Hovering: Malware triggers when the mouse hovers over infected links.
      - Drive-By Downloads: Malware automatically downloads just by visiting an infected webpage.

Malware Forensics Techniques

Static and Dynamic Analysis

  • Static Analysis: Involves examining the malware without executing it, often using:
      - Code Analysis: Review of the malware's binary and code structure.
      - String Searching: Recovering text strings embedded in the malware that reveal functionality.
      - Online Scanning: Tools like VirusTotal check uploaded files against known malware databases.
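A worked illustration of the string-searching step above, added here as an example; it is not code from the original notes. The byte blob is a constructed stand-in for a suspicious binary, and the API watch-list and indicator categories are assumptions chosen for the demonstration. It recovers both plain ASCII strings and the UTF-16LE strings Windows binaries commonly carry (which the classic `strings` tool misses unless told to look for wide characters), then sorts them into indicator buckets an analyst would want in a report.

```python
import re
from typing import Dict, List

# Constructed stand-in for a suspicious binary (not a real sample): padding,
# an ASCII URL and an address on a documentation range, a UTF-16LE file path,
# and the names of a few imported Windows APIs.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/update.bin\x00"
    + b"192.0.2.10:4444\x00"
    + b"\x01\x02\x03"
    + "C:\\Users\\Public\\svch0st.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
    + b"RegSetValueExA\x00Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

MIN_LEN = 5  # shorter runs are mostly noise

# Runs of printable ASCII, and runs of printable ASCII interleaved with NUL
# bytes (UTF-16LE as stored by Windows programs).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed watch-list: imports that deserve a closer look during triage.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "RegSetValueExA", "RegSetValueExW", "URLDownloadToFileA", "WinExec",
}


def extract_strings(data: bytes) -> List[str]:
    """Return ASCII strings followed by decoded UTF-16LE strings."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return ascii_strs + wide_strs


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket recovered strings into indicator categories for a report."""
    report = {"urls": [], "ips": [], "apis": [], "paths": [], "registry": []}
    for s in strings:
        report["urls"].extend(URL_RE.findall(s))
        report["ips"].extend(IPV4_RE.findall(s))
        if s in SUSPICIOUS_APIS:
            report["apis"].append(s)
        if re.match(r"^[A-Za-z]:\\", s):
            report["paths"].append(s)
        if s.startswith(("Software\\", "SYSTEM\\", "HKEY_")):
            report["registry"].append(s)
    return report


def analyze(data: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(data))


if __name__ == "__main__":
    for bucket, items in analyze(SAMPLE).items():
        print(f"{bucket}: {items}")
```

Strings are only a lead: a packed or crypted sample (see the components list above) shows almost none of them until it is unpacked, which is exactly why dynamic analysis is paired with the static pass.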

  • Dynamic Analysis: Involves executing the malware in a controlled environment to observe its behavior:
      - Behavioral Analysis: Looking at system calls, registry changes, network activity, API interactions, etc.
      - Monitor Processes: Track which processes are spawned and API calls made.

System Behavior Analysis

Monitoring API Calls

  • Malicious programs often make use of Windows APIs, so recording which API calls a process makes reveals what it is actually doing.
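The behavioral-analysis and API-monitoring points above (system calls, registry changes, which processes call which APIs) come together in this added example, which is not part of the original notes. The log lines are constructed in an assumed `key=value` format rather than the real output of API Monitor or Process Monitor, and the two detection rules (a remote-process-injection call sequence and a Run-key write) are illustrative choices. It shows how per-process API traces turn into findings an analyst can put in a report.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed API-monitor style log (assumed format, not real tool output).
LOG = """\
10:01:02.110 pid=4120 proc=dropper.exe api=VirtualAllocEx args=hProcess=0x2a4,size=0x1000,protect=PAGE_EXECUTE_READWRITE
10:01:02.115 pid=4120 proc=dropper.exe api=WriteProcessMemory args=hProcess=0x2a4,bytes=4096
10:01:02.120 pid=4120 proc=dropper.exe api=CreateRemoteThread args=hProcess=0x2a4
10:01:03.000 pid=4120 proc=dropper.exe api=RegSetValueExW args=key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,value=Updater
10:01:05.300 pid=5016 proc=notepad.exe api=CreateFileW args=path=C:\\Users\\analyst\\notes.txt
10:01:06.000 pid=5016 proc=notepad.exe api=WriteFile args=bytes=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) api=(?P<api>\w+)(?: args=(?P<args>.*))?$"
)

# Classic remote-injection sequence: allocate in another process, write to
# it, then start a thread there. Order matters, gaps between calls do not.
INJECTION_SEQ = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]


def parse_log(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        event = m.groupdict()
        event["pid"] = int(event["pid"])
        event["args"] = event["args"] or ""
        events.append(event)
    return events


def contains_subsequence(apis: List[str], wanted: List[str]) -> bool:
    """True if every name in `wanted` appears in `apis`, in that order."""
    it = iter(apis)
    return all(any(a == w for a in it) for w in wanted)


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    by_pid: Dict[int, list] = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        proc = evs[0]["proc"]
        apis = [e["api"] for e in evs]
        if contains_subsequence(apis, INJECTION_SEQ):
            findings.append({"pid": pid, "proc": proc, "rule": "remote-process-injection"})
        for e in evs:
            # Registry write under a Run key is a persistence indicator.
            if e["api"].startswith("RegSetValueEx") and "CurrentVersion\\Run" in e["args"]:
                findings.append({"pid": pid, "proc": proc, "rule": "run-key-persistence",
                                 "detail": e["args"]})
    return findings


def analyze_log(text: str) -> List[Dict[str, object]]:
    return detect(parse_log(text))


if __name__ == "__main__":
    for f in analyze_log(LOG):
        print(f)
```

The notepad.exe process in the sample trace also writes files and is correctly left alone: single calls are rarely meaningful, the sequence and the target are what make the behavior suspicious.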

Monitoring Device Drivers

  • Malware gets installed along with device drivers downloaded from untrusted sources.

  • You must scan for suspicious device drivers, using tools like DeviceDrivers.

Files & Folder Integrity checkers

  • FastSum:
      - Used for checking the integrity of files.
      - It computes checksums according to the MD5 algorithm.

  • WinMD5:
      - Windows utility for computing the MD5 hashes of files.
      - These fingerprints can be used to verify that a file is uncorrupted.
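What the integrity checkers above do under the hood, as an added example rather than the tools' own code: take a baseline of file hashes, then rescan and report what was added, removed or modified. The directory tree is constructed in a temporary folder and the tampering is simulated. One caveat the notes leave out: MD5 is fine for catching accidental corruption, but it is collision-broken, so an adversary can produce two files with the same MD5; the example records SHA-256 alongside it, and the baseline should be stored off the monitored host so the malware cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# MD5 for compatibility with tools that expect it, SHA-256 as the digest to trust.
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: Path, algorithms=ALGORITHMS, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Stream the file so large binaries never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root: Path) -> Dict[str, Dict[str, str]]:
    """Map each file's path (relative, POSIX style) to its digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: Dict[str, Dict[str, str]], path: Path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, Dict[str, str]]:
    return json.loads(Path(path).read_text())


def compare(baseline: Dict[str, Dict[str, str]],
            current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed tree: baseline, simulated tampering, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"      # the monitored tree
        store = Path(tmp) / "store"    # stands in for off-host storage
        (host / "bin").mkdir(parents=True)
        store.mkdir()
        (host / "bin" / "app.exe").write_bytes(b"original program bytes")
        (host / "config.ini").write_text("setting=1\n")
        save_baseline(build_baseline(host), store / "baseline.json")

        # Simulated tampering: patched binary, dropped component, deleted config.
        (host / "bin" / "app.exe").write_bytes(b"original program bytes plus injected code")
        (host / "bin" / "helper.dll").write_bytes(b"dropped component")
        (host / "config.ini").unlink()

        return compare(load_baseline(store / "baseline.json"), build_baseline(host))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```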

Malware Analysis Challenges

  • Accuracy of the analysis process

  • Detection of malware pieces and traits

  • Changing technologies and dynamics of malware creation and propagation

  • Anti-analysis procedures such as encryption, code obfuscation, and deletion of records.

Analyzing Suspicious Documents

  • Tools: Use specific tools like OLE (Object Linking and Embedding) analysis tools to extract embedded code or objects within documents.
      - For instance, analyzing suspicious Word documents for macro scripts that may perform malicious operations.
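A triage routine for the suspicious-document case above, added as an example and not drawn from the original notes or from any OLE tool. It distinguishes the legacy OLE2 container (.doc/.xls) from the ZIP-based OOXML container (.docx/.docm), reports whether a VBA project is present, and scans it for auto-execute entry points and risky calls. The sample documents, the marker list and the keyword lists are constructed assumptions. The keyword scan is a heuristic: in real files the macro source is stored compressed (MS-OVBA), so a dedicated tool such as olevba from the oletools project is needed to decompress and read the actual code; the stream names in the OLE2 directory, however, are stored uncompressed as UTF-16LE, which is what the macro-presence check relies on.

```python
import io
import zipfile
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container

# OLE2 directory entries hold stream names as uncompressed UTF-16LE, so the
# VBA project's stream names show up in a raw scan even though the macro
# source itself is compressed.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "VBA")]
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "Auto_Open")
RISKY_CALLS = ("CreateObject", "WScript.Shell", "URLDownloadToFile", "Environ", "Chr(")


def _find_keywords(body: bytes, keywords) -> List[str]:
    """Heuristic: look for each keyword as ASCII or as UTF-16LE text."""
    return [kw for kw in keywords
            if kw.encode("ascii") in body or kw.encode("utf-16-le") in body]


def triage(data: bytes) -> Dict[str, object]:
    result = {"container": "unknown", "has_macros": False,
              "auto_exec": [], "risky_calls": []}
    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        result["has_macros"] = any(m in data for m in VBA_MARKERS)
        body = data
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        body = b""
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # A macro-enabled document embeds its VBA project as an
                # OLE2 file named vbaProject.bin inside the ZIP.
                if name.lower().endswith("vbaproject.bin"):
                    result["has_macros"] = True
                    body += zf.read(name)
    else:
        return result
    if result["has_macros"]:
        result["auto_exec"] = _find_keywords(body, AUTO_EXEC)
        result["risky_calls"] = _find_keywords(body, RISKY_CALLS)
    return result


def build_ooxml(entries: Dict[str, bytes]) -> bytes:
    """Construct a minimal OOXML-style ZIP in memory (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a fake vbaProject.bin with uncompressed macro text
# (real ones are MS-OVBA compressed), a clean .docx, a macro .docm and a
# legacy .doc that only carries the VBA stream name.
FAKE_VBA_BIN = (
    OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le")
    + b'\r\nSub AutoOpen()\r\n    Set o = CreateObject("WScript.Shell")\r\nEnd Sub\r\n'
)
SAMPLES = {
    "clean_docx": build_ooxml({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"}),
    "macro_docm": build_ooxml({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": FAKE_VBA_BIN}),
    "legacy_doc": OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64,
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, triage(blob))
```

The container check uses the file's magic bytes rather than its extension, because a renamed attachment is one of the oldest tricks in the e-mail vector listed earlier.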

Practical Considerations in Malware Forensics

  • Creating a Controlled Analysis Environment:
      - Use virtual machines to isolate malware execution, allowing for complete monitoring without harm to production systems.
      - Implement monitoring tools: Wireshark for network monitoring, Process Explorer for system activity, and API Monitor for API calls.

  • Report Creation: Document every step of the analysis including indicators of compromise (IOCs) and methodology.

Summary

  • The knowledge gained from malware forensics not only helps in handling malware incidents but also improves defensive tactics against potential vulnerabilities in systems.

  • When analyzing malware, both static and dynamic methods should be used alongside robust documentation practices to ensure comprehensive understanding and reporting.