| Title | Author | Created | Published | Tags |
| ---------------- | ---------------------------- | ---------------- | ---------------- | ---------------------- |
| Malware Analysis | <ul><li>Jon Marien</li></ul> | January 08, 2025 | January 08, 2025 | [[#classes\|#classes]] |
# Malware Analysis
## Incident Response
- Case History
  - A medical clinic with 10 offices found malware on one of their workstations
  - Hired a consultant to clean & re-image that machine
  - All done! Is the case closed?
- After some malware is found, you need to know a few things:
  - Did an attacker implant a rootkit or trojan on your systems?
  - Is the attacker really gone?
  - What did the attacker steal or add from/to your files?
  - How did the attack get in?
- Root-cause Analysis

## Malware Analysis
- Dissecting malware to understand:
  - How it works.
  - How to identify it.
  - How to defeat or eliminate it.
- This is a critical part of incident response.
### Goals of Malware Analysis
- Information required to respond to a network intrusion:
  - Exactly what happened!
  - Ensure you've located all infected machines and files.
  - How to measure and contain the damage.
  - Find signatures for intrusion detection systems (IDS).
## Signatures
- Host-based signatures
  - Identify files or registry keys on a victim computer that indicate an infection.
  - Focus on what the malware did to the system, not the malware itself.
  - Different from an antivirus signature!
- Network signatures
  - Detect malware by analyzing network traffic.
  - More effective when made using malware analysis.
- False Positives:
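As an added example (not part of the class notes), the following Python models both kinds of signature over constructed host inventories and proxy-log lines; every path, registry key, regex and log line below is made up for illustration and is not a real indicator. It also shows the false-positive point: a host signature built from one generic artifact fires on the clean host, while one that requires both the dropped file and its persistence key (`min_matches=2`) fires only on the infected one.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HostSignature:
    """Host-based signature: artifacts the malware leaves on the system
    (dropped files, registry keys), not the malware binary itself."""
    name: str
    file_paths: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)
    min_matches: int = 1  # indicators that must be present before alerting


@dataclass
class NetworkSignature:
    """Network signature: a regex over one line of proxy/IDS traffic log."""
    name: str
    pattern: str


def match_host(sig, files, registry):
    """Return the indicators of `sig` found on a host. Comparison is
    case-insensitive because Windows paths and registry keys are."""
    files_l = {f.lower() for f in files}
    reg_l = {r.lower() for r in registry}
    hits = [p for p in sig.file_paths if p.lower() in files_l]
    hits += [k for k in sig.registry_keys if k.lower() in reg_l]
    return hits


def scan_host(sigs, files, registry):
    """Alerts as (signature name, matched indicators) for one host."""
    alerts = []
    for sig in sigs:
        hits = match_host(sig, files, registry)
        if len(hits) >= sig.min_matches:
            alerts.append((sig.name, sorted(hits)))
    return alerts


def scan_traffic(sigs, log_lines):
    """Alerts as (signature name, offending log line)."""
    return [(sig.name, line) for line in log_lines for sig in sigs
            if re.search(sig.pattern, line)]


# Constructed inventories (file listing + autostart registry keys) of two hosts.
CLEAN_HOST_FILES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\Temp\setup.log",        # left behind by a legitimate installer
}
CLEAN_HOST_REG = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
}
INFECTED_HOST_FILES = CLEAN_HOST_FILES | {
    r"C:\Users\Public\svchost.exe",      # system binary name in a user-writable dir
}
INFECTED_HOST_REG = CLEAN_HOST_REG | {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
}

HOST_SIGS = [
    # Too generic: a temp file many installers write, so it is a false positive.
    HostSignature("WEAK_TEMP_FILE", file_paths={r"C:\Windows\Temp\setup.log"}),
    # Tighter: needs both the dropped file and its persistence key.
    HostSignature("DEMO_DROPPER",
                  file_paths={r"C:\Users\Public\svchost.exe"},
                  registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
                  min_matches=2),
]
NET_SIGS = [
    NetworkSignature("DEMO_BEACON_UA", r"User-Agent: DemoBot/1\.0"),
    NetworkSignature("DEMO_PAYLOAD_FETCH", r"GET /[0-9a-f]{32}\.bin "),
]
TRAFFIC = [  # constructed proxy-log style lines
    "10.0.0.5 GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",
    "10.0.0.5 GET /3f2a9c1d4b5e6f708192a3b4c5d6e7f8.bin HTTP/1.1 User-Agent: DemoBot/1.0",
    "10.0.0.7 POST /login HTTP/1.1 User-Agent: Mozilla/5.0",
]

if __name__ == "__main__":
    print("clean host:   ", scan_host(HOST_SIGS, CLEAN_HOST_FILES, CLEAN_HOST_REG))
    print("infected host:", scan_host(HOST_SIGS, INFECTED_HOST_FILES, INFECTED_HOST_REG))
    print("traffic:      ", scan_traffic(NET_SIGS, TRAFFIC))
```

The clean host still produces the `WEAK_TEMP_FILE` alert, which is exactly the false-positive problem the notes raise: a signature that describes a normal system artifact rather than something only the malware does.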

# Malware Analysis Techniques
## Static vs. Dynamic Analysis
- Static Analysis
  - Examines malware without running it.
  - Tools: VirusTotal, `strings`, IDA Pro.
- Dynamic Analysis
  - Run the malware and monitor its effect.
  - Use a virtual machine and take snapshots.
  - Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT.
  - RAM Analysis: Mandiant Redline, Volatility.
## Basic Analysis
- Basic static analysis
  - View malware without looking at instructions.
  - Tools: VirusTotal, `strings`.
  - Quick and easy but fails for more advanced malware and can miss important behaviour.
- Basic dynamic analysis
  - Easy but requires a safe test environment.
  - Not effective on all malware.
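The "take snapshots, run the sample, compare" workflow behind RegShot, as an added Python example that is not the notes' own or RegShot's code. The two snapshots are constructed dictionaries standing in for a lab VM before and after detonation (all paths, keys and hashes are made up); the diff filters out OS churn the VM produces on its own and then flags the changes that land in autostart locations, which is where the persistence write-up comes from.

```python
import re
from dataclasses import dataclass


@dataclass
class Snapshot:
    """What a RegShot run plus a file listing captures at one point in time."""
    files: dict            # path -> content hash
    registry: dict         # "HIVE\\key\\value" -> data
    processes: frozenset   # running image names
    ports: frozenset       # listening TCP ports


# Churn a Windows VM produces by itself; filtered so the diff shows the sample's work.
NOISE_PATTERNS = [
    r"^C:\\Windows\\Prefetch\\",
    r"^C:\\Windows\\System32\\winevt\\Logs\\",
    r"\\CurrentVersion\\Explorer\\",
]
# Autostart locations: a change here is the persistence mechanism to report.
PERSISTENCE_PATTERNS = [
    r"\\CurrentVersion\\Run\\",
    r"\\Start Menu\\Programs\\Startup\\",
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\",
]


def _matches_any(key, patterns):
    return any(re.search(p, key, re.IGNORECASE) for p in patterns)


def diff_snapshots(before, after, ignore_noise=True):
    """RegShot-style comparison: added, removed and modified entries per category."""
    def keys(d):
        return {k for k in d if not (ignore_noise and _matches_any(k, NOISE_PATTERNS))}

    fb, fa = keys(before.files), keys(after.files)
    rb, ra = keys(before.registry), keys(after.registry)
    return {
        "files_added": sorted(fa - fb),
        "files_removed": sorted(fb - fa),
        "files_modified": sorted(p for p in fb & fa if before.files[p] != after.files[p]),
        "registry_added": sorted(ra - rb),
        "registry_modified": sorted(k for k in rb & ra if before.registry[k] != after.registry[k]),
        "processes_new": sorted(after.processes - before.processes),
        "ports_new": sorted(after.ports - before.ports),
    }


def flag_persistence(delta):
    """Pick out the changes that land in autostart locations."""
    candidates = delta["files_added"] + delta["registry_added"] + delta["registry_modified"]
    return [c for c in candidates if _matches_any(c, PERSISTENCE_PATTERNS)]


# Constructed snapshots of a lab VM before and after running a sample.
BEFORE = Snapshot(
    files={
        r"C:\Windows\System32\svchost.exe": "hash-svchost-ok",
        r"C:\Windows\System32\drivers\etc\hosts": "hash-hosts-clean",
        r"C:\Users\lab\Desktop\sample.exe": "hash-sample",
    },
    registry={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUList": "a",
    },
    processes=frozenset({"explorer.exe", "svchost.exe"}),
    ports=frozenset({135, 445}),
)
AFTER = Snapshot(
    files={
        r"C:\Windows\System32\svchost.exe": "hash-svchost-ok",
        r"C:\Windows\System32\drivers\etc\hosts": "hash-hosts-CHANGED",   # content changed
        r"C:\Users\lab\Desktop\sample.exe": "hash-sample",
        r"C:\Users\lab\AppData\Roaming\updater.exe": "hash-dropped",
        r"C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk": "hash-lnk",
        r"C:\Windows\Prefetch\SAMPLE.EXE-1A2B3C4D.pf": "hash-pf",        # OS noise
    },
    registry={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\lab\AppData\Roaming\updater.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUList": "ba",  # OS noise
    },
    processes=frozenset({"explorer.exe", "svchost.exe", "updater.exe"}),
    ports=frozenset({135, 445, 4444}),
)

if __name__ == "__main__":
    delta = diff_snapshots(BEFORE, AFTER)
    for category, items in delta.items():
        print(category, items)
    print("persistence:", flag_persistence(delta))
```

Pass `ignore_noise=False` to see the prefetch and Explorer MRU entries come back; deciding what counts as noise for a given VM image is part of setting up the lab, since every unfiltered artifact costs analyst time.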
## Advanced Analysis
- Advanced Static Analysis
  - Reverse-engineering with a disassembler.
  - Complex, requires understanding of assembly code.
- Advanced Dynamic Analysis
  - Run code in a debugger.
  - Examines internal state of a malicious executable that is running.
## General Rules for Malware Analysis
- Don't get caught in the details!
  - You don't need to understand 100% of the code.
  - Focus on the key features, or malicious parts of the code.
- Try several tools!
  - If one tool fails, don't give up! Try another.
- If you get stuck on a hard issue, move along, and come back to it.
- Malware authors are constantly raising the bar.
# Lab Setup
-- Done in class
# Types of Malware
## Spyware or Infostealer
- Spies on and steals sensitive data from your system. The data targeted by spyware can be usernames, passwords, images, and documents.
## Keylogger
- Spyware that can log the user’s keystrokes and send the recorded keystrokes back to the attacker.
## Botnet
- A bot network or robot network that comprises multiple machines infected by malware. The malware that forms this bot network, or botnet, works as a herd, accepting and acting on commands sent by an attacker from a central server. Botnets can carry out denial-of-service (DoS) attacks, send spam, and so forth.
## Adware
- A common type of malware that most of us have come across but never noticed. Adware is bundled with software downloads from third-party websites; while the downloaded software is being installed, the adware is installed behind the scenes without our knowledge. Note that not all adware is malicious. Adware can be considered a category of trojan that is only responsible for displaying unwanted ads on your system. Many variants are known to change the default search engine of the browsers on our computers.
## Rootkit
- Malware, or a malware component combined with another piece of malware, whose aim is to conceal its own activity or that of other malware on the system. Rootkits mostly function by modifying system functions and data structures.
## Banking Malware
- Works by intercepting and modifying browser communication to capture information on banking transactions and credentials.
## PoS Malware (Point-of-sale)
- Infects PoS devices, which are used by most retail, shopping outlets, and restaurants worldwide. PoS malware’s main functionality includes trying to steal credit card information from the PoS software.
## Ransomware
- Works by taking the data, files, and other system resources on the system hostage and demanding a ransom from the victim in return for releasing them. Compared to other malware types, ransomware is easy for a hacker to program. At the same time, from a remediation standpoint, ransomware is very hard to deal with: once the data is encrypted, it causes huge losses for the users, and it takes a lot of effort to neutralize the damage and restore the system to its former state.
## Cryptominer
- A relatively new member of the malware family, having become popular with the increasing use of cryptocurrencies. This malware is rarely known to steal data from the victim’s machine, but it eats up system resources by mining cryptocurrencies.
## Downloader
- Malware that downloads other malware. Botnets work as downloaders, fetching malware upon receiving a command from the central server. These days most Microsoft Office macro malware are downloaders, which download the larger malware payload. Emotet is a popular malware that uses a Microsoft document-based macro downloader.
## Spammer
- Sends out spam emails from the victim’s machine. The spam emails may contain links to malicious sites. The malware may read contacts from email clients like Microsoft Outlook installed on the victim’s machine and send out emails to those contacts.
## Exploit
- Not malware but rather malicious code that is meant to take advantage of a vulnerability on the system and exploit it to take control of the vulnerable program and thereby the system. These days most exploits are responsible for downloading other malware.
# Malware Lifecycle

## Development Phase
### Self Defense
- Malware authors use cryptography to protect their malware from being decrypted, detected, and analyzed.
- As another example, attackers reverse engineer software and develop cracks and patches for it so that the software can be used without paying for its license, which is known as software piracy.
- To prevent this, software developers have devised several antipiracy and anti-reverse engineering techniques. Malware authors also use these techniques to prevent malware researchers from analyzing and deobfuscating malware, making it difficult to write effective signatures to detect malware.
### The Adaptive and Deceptive Nature of Malware
- Malware adapts to changes in its environment and develops resistance against anti-malware defenses.
- Malware does not show its real qualities when it is tested in the presence of anti-malware products and the analysis tools and environments used by malware analysts.
### Mass Production of Malware
- They use programs called polymorphic packers or cryptors that can create many malware variants from a single piece of malware. This protects the variants against signature-based detection patterns in antivirus.
- This kind of malware technology forced the antivirus industry to develop next-generation antivirus, which can identify malware by looking into the behavior rather than detect it by its static properties or hash only.
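Why a hash signature stops working on the second packer output while a behaviour rule does not, as an added Python example that is not from the notes. No packer or real malware is involved: the two `Sample` records are constructed, their `content` bytes stand in for two packer outputs of one family, and their `api_trace` lists stand in for what a sandbox observed when each one ran. The behaviour rule is an ordered subsequence match over those traces, which generalizes the notes' point to any rule written as a sequence of observed actions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    content: bytes    # constructed stand-in for the file a packer emitted
    api_trace: list   # constructed stand-in for API calls a sandbox observed


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def detect_by_hash(sample, blocklist):
    """Classic static signature: exact hash match against known-bad samples."""
    return sha256(sample.content) in blocklist


def matches_sequence(trace, rule):
    """True if every regex in `rule` matches some trace entry, in order.
    Matched entries may be interleaved with unrelated calls."""
    pos = 0
    for pattern in rule:
        while pos < len(trace) and not re.search(pattern, trace[pos]):
            pos += 1
        if pos == len(trace):
            return False
        pos += 1
    return True


# Behaviour rule: write an executable under a user profile, register it to
# autostart, then talk to the network. Each step alone is ordinary; the
# ordered combination is what the rule keys on.
DROP_PERSIST_BEACON = [
    r"CreateFileW\(C:\\Users\\[^)]*\.exe\)",
    r"RegSetValueExW\(HKCU\\[^)]*\\CurrentVersion\\Run\\",
    r"InternetOpenUrlA\(http",
]


def detect_by_behavior(sample, rule=DROP_PERSIST_BEACON):
    """Next-generation style check: look at what the sample did, not its bytes."""
    return matches_sequence(sample.api_trace, rule)


# Two constructed "packer outputs" of one family: different bytes, same behaviour.
VARIANT_A = Sample(
    "family.variant.a",
    b"STUB-A" + bytes(range(64)),
    [
        "GetModuleHandleW(kernel32.dll)",
        "CreateFileW(C:\\Users\\lab\\AppData\\Roaming\\upd.exe)",
        "WriteFile(...)",
        "RegSetValueExW(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd)",
        "InternetOpenUrlA(http://c2.example.invalid/beacon)",
    ],
)
VARIANT_B = Sample(
    "family.variant.b",
    b"STUB-B" + bytes(range(63, -1, -1)),
    [
        "Sleep(30000)",
        "CreateFileW(C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe)",
        "WriteFile(...)",
        "RegSetValueExW(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc)",
        "InternetOpenUrlA(http://cdn.example.invalid/ping)",
    ],
)
# A constructed benign installer: writes to Program Files and adds a Run key,
# but never beacons, so the rule does not fire on it.
BENIGN_INSTALLER = Sample(
    "installer",
    b"INSTALLER" + bytes(range(32)),
    [
        "CreateFileW(C:\\Program Files\\App\\app.exe)",
        "RegSetValueExW(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App)",
    ],
)

# Only variant A was ever submitted to the vendor, so only its hash is known.
KNOWN_BAD_HASHES = {sha256(VARIANT_A.content)}

if __name__ == "__main__":
    for s in (VARIANT_A, VARIANT_B, BENIGN_INSTALLER):
        print(f"{s.name:18} hash-hit={detect_by_hash(s, KNOWN_BAD_HASHES)!s:5} "
              f"behaviour-hit={detect_by_behavior(s)}")
```

Variant B slips past the hash blocklist simply because its bytes differ, which is all a packer has to achieve; the behaviour rule catches both variants and ignores the installer because the rule describes the sequence of actions rather than any static property.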
## Distribution Phase: The Diverse Transport System
- Exploit kits
- Email spam and malicious attachments
- Advertisements
- USB drives
- Social Engineering Techniques
## Infection Phase
- Some of the hurdles encountered by malware for a successful infection are as follows.
  - Antivirus software. The biggest threat to most malware is an antivirus engine. If the malware is freshly created, then it is less likely that an antivirus engine is going to catch it.
  - Bugs. If the malware was coded incorrectly or has bugs, it might fail to infect the target successfully.
  - Lack of a suitable execution environment. Sometimes the malware does not find a suitable environment like the appropriate dependency files and libraries on the victim machine, which might result in failed execution or a crash.
    - For example, malware written in Java cannot execute on a machine if Java virtual machine is not installed on it.
## Post-Infection Phase
- Malware might try to contact its owner or the central server for upgrades or commands from the attacker, upload the victim’s information, and so forth.
- The actions might include stealing data, credentials, or personal information, and giving remote access to the attacker, and so on.
## Malware Hunting
- Blogs, Feeds, and Other Shared Sources
- Honeypots
- Web Crawlers:
  - Web crawlers work by simulating an end user visiting a website, crawling the web intelligently, searching for these infected web servers, and fooling them to respond with their exploits and malware hosted on them.
- Going Dark and Underground:
  - Sometimes malware hunters also need to penetrate the underground market, forging their identity and masquerading as malicious hackers to track down other malicious actors, trace any upcoming threats, and other malicious activities. Sometimes they might need to share certain information with other bad actors in these marketplaces, to gain their trust and extract more information out of them. They go anonymous through Tor.
- Incident Responders and Forensic Analysts
# Terminologies
## APT (Advanced Persistent Threat)
## Vulnerability
## Exploits
## Shellcodes
## Exploit kit
## Malvertising
## Spam
## Fileless Attack
## Living off the Land - Attack Technique
## Drive-by-Download
## Antivirus
## EDR
## IDS
## Sandboxes
## DLP
## Memory Forensics
## Cyber Kill Chain
## IR
## Forensics
## Threat Hunting
## TTP
## Artifacts
## IOCs
## IOA
## Payload
## Persistence
## Code Injection
## Hooking
## Packer/Cryptors
## Rootkit
## Lateral Movement
## C2
## Tor
## DGA