MALWARE ANALYSIS

MALWARE

• Malware, or malicious software, is any program or file that is harmful to a

computer user. Malware includes computer viruses, worms, Trojan horses and
spyware and many more.
• Designed or Developed with Malicious intensions mainly to steal information,
disrupt services or gain access.
• Can be code, scripts, executables, library files, or other form of applications.
• A general term used to refer a variety of forms of hostile, intrusive, or
annoying software.
 TYPES OF MALWARE

• Viruses • Backdoor
• Spyware • Downloader
• Adware • Launcher
• Ransomware • Rootkit
• Keylogger • Scareware
• Botnet • Spamware
 VIRUSES

• Created to relentlessly self-replicate it infects programs and files. The malicious

activities may be targeted at destroying valuable data or causing unrepairable
damages
 BACKDOOR

• Malicious code that installs itself onto a computer to allow the attacker access.
• Backdoors usually let the attacker connect to the computer with little or no
authentication and execute commands on the local system.
 DOWNLOADER

• Malicious code that exists only to download other malicious code.

• Downloaders are commonly installed by attackers when they first gain access
to a system.
• The downloader program will download and install additional malicious code.
 LAUNCHER

• Malicious program used to launch other malicious programs.

• Usually, launchers use nontraditional techniques to launch other malicious
programs in order to ensure stealth or greater access to a system.
 ROOTKIT

• Malicious code designed to conceal the existence of other code.

• Rootkits are usually paired with other malware, such as a backdoor, to allow
remote access to the attacker and make the code difficult for the victim to
detect.
 SPYWARE

• The software is created to spy on the victim.

• It is secretly implanted on the computing device by the hacker.
• The spyware gathers information and sends it to the hacker.
 ADWARE

• The malicious program is devised to pop-up unwanted advertisements on the

victim’s computer without their permission.
• The pop-ups are uncontrollable and tend to behave erratically.
 SCAREWARE

• Malware designed to frighten an infected user into buying something.

• It usually has a user interface that makes it look like an antivirus or other
security program.
• It informs users that there is malicious code on their system and that the only
way to get rid of it is to buy their “software,” when in reality, the software it’s
selling does nothing more than remove the scareware.
 SPAMWARE

• Malware that infects a user’s machine and then uses that machine to send
spam.
• This malware generates income for attackers by allowing them to sell spam-
sending services.
 RANSOMWARE

• The ransom malware blocks the user from accessing the files or programs and
the malware removal demands to pay the ransom through certain online
payment methods.
• Once the amount is paid the user can resume using their system.
 KEY-LOGGER

• Tools designed to record every keystroke on the affected machine for later
retrieval
• It stores the data regarding each and every key user presses on the keyboard.
• It is very commonly used method to get username and passwords from a
legitimate user.
 BOTNET

• The cybercriminal blocks a user actions and takes full control of the system.
• The hacker creates a network of malware-infected computers which functions
as a bot.
• The botnet is used to transmit malware, send spam emails, and execute other
malicious tasks.
 MALWARE ANALYSIS

• The purpose of malware analysis is usually to determine exactly what

happened, and to ensure that where all infected machines and files are located.
• Goal of analyzing suspected malware is typically to determine exactly what a
particular suspect binary can do, how to detect it, and how to measure its
damage.
• There are two fundamental approaches to malware analysis: static and
dynamic.
• Static analysis involves examining the malware without running it.
• Dynamic analysis involves running the malware.
 MALWARE ANALYSIS

• Static malware is malware at rest.

• Static analysis is the process of extracting information from malware while it is
not running
• Static analysis is the easiest and least risky malware analysis process.
• It is as easy as clicking some buttons or using a command line.
• It is less risky because the malware is not running during static analysis;
therefore, there is no risk of an infection occurring while analysis is taking
place.
 MALWARE ANALYSIS

• Dynamic malware analysis is malware in motion.

• Dynamic analysis is the process of extracting information from malware while
it is running.
• Unlike the limited view static analysis provides of the malware being analyzed,
dynamic analysis offers a more in-depth view into the malware’s functions
because it is collecting information while the malware is executing its functions
and directives.
• Malware sandbox, malware test environment, and dynamic analysis lab are different
names given to a system where malware is executed for the purpose of
analysis.
 MALWARE ANALYSIS TECHNIQUES

• Static Analysis
• Basic
• Advance
• Dynamic Analysis
• Basic
• Advance
 BASIC STATIC ANALYSIS

• Basic static analysis consists of examining the executable file without viewing
the actual instructions.
• Basic static analysis can confirm whether a file is malicious, provide information
about its functionality, and sometimes provide information that will allow you
to produce simple network signatures.
• Basic static analysis is straightforward and can be quick, but it’s largely
ineffective against sophisticated malware, and it can miss important behaviors.
 BASIC DYNAMIC ANALYSIS

• Basic dynamic analysis techniques involve running the malware and observing
its behavior on the system in order to remove the infection, produce effective
signatures, or both.
• However, before you can run malware safely, you must set up an environment
that will allow you to study the running malware without risk of damage to
your system or network.
• Like basic static analysis techniques, basic dynamic analysis techniques can be
used by most people without deep programming knowledge, but they won’t be
effective with all malware and can miss important functionality.
 ADVANCED STATIC ANALYSIS

• Advanced static analysis consists of reverse-engineering the malware’s internals

by loading the executable into a disassembler and looking at the program
instructions in order to discover what the program does.
• The instructions are executed by the CPU, so advanced static analysis tells you
exactly what the program does.
• However, advanced static analysis has a steeper learning curve than basic static
analysis and requires specialized knowledge of disassembly, code constructs,
and Windows operating system concepts.
 ADVANCED DYNAMIC ANALYSIS

• Advanced dynamic analysis uses a debugger to examine the internal state of a

running malicious executable.
• Advanced dynamic analysis techniques provide another way to extract detailed
information from an executable.
• These techniques are most useful when you’re trying to obtain information
that is difficult to gather with the other techniques.
 FORENSIC IMPORTANCE

• When malware is discovered on a system, the importance of organized

methodology, sound analysis, steady documentation, and attention to evidence
dynamics all outweigh the severity of any time pressure to investigate.
• Formalized methodologies and goals emphasize to help digital investigators
reconstruct a vivid picture of events surrounding a malware infection and gain
a detailed understanding of the malware itself.
 FORENSIC IMPORTANCE

• Whenever feasible, investigations involving malware should extend beyond a

single compromised computer, as malicious code is often placed on the
computer via the network, and most modern malware has network-related
functionality.
• Discovering other sources of evidence, such as servers the malware contacts
to download components or instructions, can provide useful information about
how malware got on the computer and what it did once installed.
 FORENSIC IMPORTANCE

• In addition to systems containing artifacts of compromise, other network and

data sources may prove valuable to your investigation. Comparing available
backup tapes of the compromised system to the current state of the system,
for example, may uncover additional behavioral attributes of the malware, tools
the attacker left behind, or recoverable files containing exfiltrated data.
• Also consider checking centralized logs from anti-virus agents, reports from
system integrity checking tools like Tripwire, and network level logs.
 FORENSIC IMPORTANCE

• Finally, as digital investigators are more frequently asked to conduct malware

analysis for investigative purposes that may lead to the victim’s pursuit of a civil
or criminal remedy, ensuring the reliability and validity of findings means
compliance with an oft complicated legal and regulatory landscape.
 MALWARE LAB

• A malware research lab is a collection of systems fully under the control of

malware researchers and analysts.
• It is not for production nor does it serve any other purpose besides the
research and analysis of malware.
• A malware research lab consists of different systems that have a special
purpose, the most common of which are the following:
 MALWARE LAB

• A malware collection lab is a system or collection of systems designed

solely to collect malware samples from different sources.
• A static analysis lab is designed to gather data from malware while it is at
rest, and
• A dynamic analysis lab is designed to gather data from malware while it is in
motion.