
COMPUTER NETWORKS UNIT-I

Unit-4
Malware analysis can be described as the process of understanding the behavior and
purpose of a suspicious file or URL. The output of the process aids in detecting and
mitigating any potential threat. 
There are some benefits that malware analysis offers:
• Assesses the damage from a security threat
• Identifies the source of the attack
• Identifies the vulnerability the malware exploits and how severely, so that a patch can be
prepared accordingly
• Triages incidents by the level of security threat
• Reveals hidden indicators of compromise that need to be blocked
• Improves the efficiency of indicators of compromise, alerts and notifications
• Enriches the context when hunting for threats
What is malware:
Malware is a destructive computer software program that is specifically designed to disrupt,
damage, or gain unauthorized access to a computer system.

Types of malware:

Keyloggers:

• A keylogger is a type of spyware that monitors user activity.

• Keyloggers have legitimate uses; businesses can use them to monitor employee
activity and families may use them to keep track of children's online behaviors.
However, when installed for malicious purposes, keyloggers can be used to steal
password data, banking information and other sensitive information.

• Keyloggers can be inserted into a system through phishing, social engineering or
malicious downloads.
Keylogger Example:
A keylogger called Olympic Vision has been used to target US, Middle Eastern and Asian
businessmen for business email compromise (BEC) attacks. Olympic Vision uses spear-
phishing and social engineering techniques to infect its targets’ systems in order to steal
sensitive data and spy on business transactions.
Trojans:

• A Trojan disguises itself as desirable code or software. Once downloaded by
unsuspecting users, the Trojan can take control of victims' systems for malicious
purposes.

• Trojans may hide in games, apps, or even software patches, or they may be embedded
in attachments included in phishing emails.
Trojan Example:
Emotet is a sophisticated banking trojan that has been around since 2014. It is hard to fight
Emotet because it evades signature-based detection, is persistent, and includes spreader
modules that help it propagate. The trojan is so widespread that it is the subject of a US
Department of Homeland Security alert, which notes that Emotet has cost state, local, tribal
and territorial governments up to $1 million per incident to remediate.
Ransomware:

• Ransomware is software that uses encryption to disable a target's access to its data
until a ransom is paid.

• The victim organization is rendered partially or totally unable to operate until it pays,
but there is no guarantee that payment will result in the necessary decryption key or
that the decryption key provided will function properly.

(Figure: Example of a ransom letter)

Ransomware Example:
This year, the city of Baltimore was hit by a type of ransomware named RobbinHood, which
halted all city activities, including tax collection, property transfers, and government email
for weeks. This attack has cost the city more than $18 million so far, and costs continue to
accrue. The same type of malware was used against the city of Atlanta in 2018, resulting in
costs of $17 million.
Rootkits:

• A rootkit is software that gives malicious actors remote control of a victim's computer
with full administrative privileges.

• Rootkits can be injected into applications, kernels, hypervisors, or firmware. They
spread through phishing, malicious attachments, malicious downloads, and
compromised shared drives.

• Rootkits can also be used to conceal other malware, such as keyloggers.


Rootkit Example:
Zacinlo infects systems when users download a fake VPN app. Once installed, Zacinlo
conducts a security sweep for competing malware and tries to remove it. Then it opens
invisible browsers and interacts with content like a human would — by scrolling,
highlighting and clicking. This activity is meant to fool behavioral analysis software.
Zacinlo’s payload occurs when the malware clicks on ads in the invisible browsers. This
advertising click fraud provides malicious actors with a cut of the commission.
Antivirus:
Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer
program used to prevent, detect, and remove malware.
Once installed, most antivirus software runs automatically in the background to provide real-
time protection against virus attacks.
How does antivirus work?
Antivirus software begins operating by checking your computer programs and files against a
database of known types of malware. Since new viruses are constantly created and distributed
by hackers, it will also scan computers for the possibility of new or unknown types of
malware threats.
Examples: Norton, McAfee and Kaspersky.
Firewalls:
A firewall is software or firmware that prevents unauthorized access to a network. It inspects
incoming and outgoing traffic using a set of rules to identify and block threats. 
Firewalls are used in both personal and enterprise settings, and many devices come with one
built-in, including Mac, Windows, and Linux computers. They are widely considered an
essential component of network security.

How does a firewall work?

A firewall establishes a border between an external network and the network it guards. It is
inserted inline across a network connection and inspects all packets entering and leaving the
guarded network. As it inspects, it uses a set of pre-configured rules to distinguish between
benign and malicious packets.
Types of firewalls:
A packet-filtering firewall:

• A packet-filtering firewall works mainly on the network layer of the OSI reference
model, although the transport layer is used to obtain the source and destination port
numbers.

• It examines each packet independently and does not know whether any given packet
is part of an existing stream of traffic.

• It examines packets in isolation and does not know the packet's context.

A stateful inspection firewall:

• Stateful inspection firewalls – also known as dynamic packet-filtering firewalls –
monitor communication packets over time and examine both incoming and
outgoing packets.

• It examines network traffic to determine whether one packet is related to another
packet.

A proxy firewall (application-level gateway):
It inspects packets at the application layer of the Open Systems Interconnection (OSI)
reference model.

A Next Generation Firewall (NGFW):
It uses a multi-layered approach to integrate enterprise firewall capabilities with an
intrusion prevention system (IPS) and application control.
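The difference between the packet-filtering and stateful inspection firewalls above is easiest to see on a reply packet. The following added example (written for these notes, not taken from any firewall product) models both with a constructed rule set and constructed addresses: the stateless filter judges each packet alone, so the reply to an HTTPS connection opened from inside is dropped unless a blanket inbound rule is added, and that blanket rule also admits unsolicited packets; the stateful filter keeps a connection table and admits only the reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a TCP connection


class PacketFilter:
    """Stateless packet filter: each packet is judged alone, using only its
    addresses and ports against a fixed rule list of (direction, dst_port, action).
    A dst_port of None matches any port. No rule matching means deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt, direction):
        for rule_dir, rule_port, action in self.rules:
            if rule_dir == direction and rule_port in (None, pkt.dst_port):
                return action
        return "deny"


class StatefulFilter(PacketFilter):
    """Stateful inspection: the same rules, plus a connection table so that
    replies to connections the inside opened are recognised as related traffic."""

    def __init__(self, rules):
        super().__init__(rules)
        # (src_ip, src_port, dst_ip, dst_port) of outbound connections that were allowed
        self.connections = set()

    def decide(self, pkt, direction):
        if direction == "in":
            reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reverse in self.connections:
                return "allow"  # reply to a tracked connection
        decision = super().decide(pkt, direction)
        if decision == "allow" and direction == "out" and pkt.syn:
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return decision


def run_scenario():
    """Run one HTTPS request, its reply and an unsolicited inbound packet through
    three filters; constructed addresses from the documentation ranges."""
    inside, outside = "10.0.0.5", "203.0.113.10"
    rules = [("out", 443, "allow")]  # hosts inside may open HTTPS connections
    filters = {
        "stateless": PacketFilter(rules),
        # the only way a stateless filter can admit replies: a blanket inbound rule
        "stateless_with_hole": PacketFilter(rules + [("in", None, "allow")]),
        "stateful": StatefulFilter(rules),
    }
    request = Packet(inside, 51000, outside, 443, syn=True)
    reply = Packet(outside, 443, inside, 51000)
    unsolicited = Packet(outside, 443, inside, 52000)  # same source, no matching request

    results = {}
    for name, fw in filters.items():
        results[name] = {
            "request": fw.decide(request, "out"),
            "reply": fw.decide(reply, "in"),
            "unsolicited": fw.decide(unsolicited, "in"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The stateless filter's "hole" rule is exactly the trade-off the notes describe: without context it cannot tell a reply from an unsolicited packet, so it must either drop both or admit both.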
Malware analysis:

Malware Analysis is the practice of determining and analyzing suspicious files on endpoints
and within networks using dynamic analysis, static analysis, or full reverse engineering.
Types of malware analysis:
Static Malware Analysis

• Static malware analysis examines files for signs of malicious intent. A basic static
analysis does not require the malware code to actually run. It is useful for
revealing malicious infrastructure, packed files, or libraries.
• In this kind of malware analysis, technical indicators such as file names, hashes,
strings (for example IP addresses and domains), and file header data are identified.
• Various tools like disassemblers and network analyzers have the ability to observe the
malware without running it. These tools can gather information on how the particular
malware works.
• Since static malware analysis does not run the malware code, some sophisticated
malware has malicious runtime behavior that can go undetected.
• For example, consider a file that generates a string at runtime and downloads a
malicious file depending on that dynamic string. The malware could go undetected if
only a basic static malware analysis is used. In these cases, dynamic analysis is more
helpful in getting a complete understanding of the file's behavior.
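The static indicators listed above (hashes, printable strings, IP addresses and domains, file header data) and the antivirus signature lookup described earlier can be demonstrated together. The following added example is written for these notes and is not a tool from the original text; it runs basic static triage over a constructed, PE-shaped byte blob with planted strings (not a real executable and not real malware), and the "known bad" hash set is likewise constructed. The header check reads the DOS header's e_lfanew field to find the "PE\0\0" signature, which is how real PE files are laid out; everything else is the same string and pattern work the `strings` tool and a signature database perform.

```python
import hashlib
import re
import struct

# Constructed sample: MZ stub, e_lfanew pointing at a PE signature, then planted strings.
SAMPLE = (
    b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80)  # DOS header; e_lfanew at offset 60 -> 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00"                                 # PE signature at e_lfanew
    + b"\x00" * 20
    + b"This program cannot be run in DOS mode\x00"
    + b"http://update.example-bad.test/payload.bin\x00"
    + b"198.51.100.23\x00"
    + b"\x01\x02\x03"
    + b"C:\\Windows\\Temp\\svc.exe\x00"
)


def file_hashes(data):
    """Hashes used to look the file up in signature databases and threat intel feeds."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_format(data):
    """File header check: an MZ stub plus 'PE\\0\\0' at e_lfanew means a PE executable."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 64:
        (e_lfanew,) = struct.unpack_from("<I", data, 60)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (no PE header)"
    return "unknown"


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, as the `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def network_indicators(strings):
    """Pull IPv4 addresses, URLs and the URL host names out of the string list."""
    ips, urls, domains = set(), set(), set()
    for s in strings:
        for ip in IPV4.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                ips.add(ip)
        for url in URL.findall(s):
            urls.add(url)
            domains.add(url.split("//", 1)[1].split("/", 1)[0])
    return {"ips": sorted(ips), "urls": sorted(urls), "domains": sorted(domains)}


def matches_signature_db(hashes, known_bad_sha256):
    """Signature-style check: is this exact file already recorded as malicious?"""
    return hashes["sha256"] in known_bad_sha256


def triage(data, known_bad_sha256=frozenset()):
    """Basic static triage report for one file, without executing it."""
    hashes = file_hashes(data)
    strings = extract_strings(data)
    return {
        "format": identify_format(data),
        "hashes": hashes,
        "known_bad": matches_signature_db(hashes, known_bad_sha256),
        "indicators": network_indicators(strings),
        "paths": [s for s in strings if re.match(r"[A-Za-z]:\\", s)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Note what this cannot see: a sample that builds its download URL at runtime leaves no such string in the file, which is the case the notes give for falling back to dynamic analysis.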
Dynamic Malware Analysis
In dynamic malware analysis, a suspected malicious code is run in a safe environment called
a sandbox. This isolated virtual machine is a closed system that allows security experts to
observe the malware closely in action without the risk of system or network infection. This
technique provides deeper visibility of the threat and its true nature.
Hybrid Analysis:
Basic static analysis isn't a reliable way to detect sophisticated malicious code, and
sophisticated malware can sometimes hide when it detects the presence of sandbox technology. By
combining basic static and dynamic analysis techniques, hybrid analysis gives the security
team the best of both approaches.
VMware:
One of the most important decisions an analyst has to make is what kind of malware analysis
lab (also sometimes called a sandbox) to build and how to set it up.
There are two main approaches:
• physical devices (usually personal computers (PCs), tablets, or actual cell phones),
• virtual machines (VMs).
Virtual machines are like a computer inside a computer. A virtual machine is used to
simulate a replica of the original environment so that the analyst can see how a malware
sample interacts with everything from the file system to the registry.
With virtual machines there are a lot of free options that can be used. Many
operating systems have virtual machine editions that can be simulated.
Some of the potential programs are VMWare, Parallels, Xen, and Microsoft Virtual PC. A
few of these such as VMWare support the idea of taking a snapshot.
A VMWare snapshot will basically take an image of the time the computer is at. When the
researcher restores to this point, everything that was done after it will be gone – all new files
created, all registry changes, all text files, all system file changes, etc. It will be as if none of
it happened.

How to create a virtual machine:

Most malware and malware analysis tools run on Windows, so install Windows as the virtual (guest) OS.
Windows XP is still the most popular OS and the target for most malware.

Next, install VMware Tools. From the VMware menu, select VM > Install VMware Tools to begin the
installation.

After VMware is installed, it's time for some configuration.

Configuring VMware :

Most malware includes network functionality.

Setting Up Host-Only Networking

Host-only networking, a feature that creates a separate private LAN between the host OS and the
guest OS, is commonly used for malware analysis.

When configuring your host computer, ensure that it is fully patched, as protection in case the
malware you're testing tries to spread. It's a good idea to configure a restrictive firewall
between the virtual machine and the host to help prevent the malware from spreading to your host.
