Malware Analysis
Overview
Malware is a broad term that refers to malicious software. We assess the malice of software based on its intent or purpose. For example, recording a video for your YouTube channel using your webcam is different from an unauthorized person using the same webcam to spy on you without your knowledge.
Malware is generally composed of 3 main components which also inform how it is classified:
- Concealer: keeps the malware hidden / undetected even by antimalware programs.
- Replicator: spreads the malware depending on its nature.
- Bomb: the part of the malware that deals the intended damage to the target(s).
The Bomb is what helps you understand the true intent of the malware.
Example:
Mojojo wants funding for his latest plan to rule the world. He acquires a list of emails from a data dump on the dark web; one of the emails is Ms Bellum's. Mojojo emails the list a document that appears to contain a simulation of how to mass-produce chemical X, something most people would be interested in.
Replicator: Ms Bellum is tricked into downloading and opening the document.
Concealer: The macros in the document open an encrypted connection to a command and control (CnC) server to download the bomb, an actual exe file. Because this action is user-initiated, the antivirus might allow it, since the user is trusted.
Bomb: The downloaded executable encrypts all the data on Ms Bellum's machine using Mojojo's proprietary encryption standards and shows her a message demanding ransom for the files to be decrypted.
Malware Analysis is an investigative process aimed at getting inside knowledge of how malicious software works and understanding its intent on a system.
Its main aims are:
- Understand the functionality of the malware and the perpetrator's intent, to measure the extent of the damage if it is exploited.
- Obtain proper signatures of the malware for use in anti-malware systems, that is, indicators of compromise (IOCs).
- Identify and classify different strains of the same malware.
Types of Malware
Classified based on their nature and functionality.
The most common classifications are:
- Viruses: described based on their replicator; a virus needs to attach itself to a host program to spread.
- Worms: do not require the help of a host program to spread.
- Trojans: classified based on the concealer and the bomb. Trojans disguise themselves as legitimate software (the concealer part). They usually serve the purpose of exfiltrating information or administering a system remotely (the bomb).
- Rootkit: malware used to gain root / admin privileges on a computer; classified based on its bomb.
- Backdoor: allows access to a system without the knowledge / authorization of the custodian; classified based on its bomb.
- Spyware: used to exfiltrate information; classified based on its bomb.
- Adware: used for malicious advertisements, i.e. malvertising; injected through malicious web scripts.
- Ransomware: the attacker takes over your soft assets (data) and demands a ransom for their retrieval.
Malware Analysis Methodology
The four general stages are:
- Manual code reversing
- Interactive behavior analysis: in memory and on disk
- Static properties analysis
- Automated (semi- or fully) analysis
These stages overlap and you might not have to go through each one of them.
Malware analysis can be classified into:
- Static analysis: analysis of a piece of software to understand how it is made; it does not involve executing the code. Some of the steps here include:
  - Decompiling
  - Static PE properties analysis
  - Analysis of system calls
  - Analysis of strings
- Dynamic analysis: the study of the behavior of the software as it runs, to determine whether or not it is malicious. Some of the activities performed include:
  - Network analysis
  - File system modification
  - Registry analysis
  - Memory analysis
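The static analysis steps above (PE properties, strings, and the hashes that become the first IOCs) can be done by hand with nothing but the standard library. The following is an added example, not code from the original notes; the sample it parses is a constructed, minimal PE-shaped byte blob (DOS header, PE signature, COFF file header and some padding with embedded strings), not a real malware sample, and the machine and characteristic constants are the documented winnt.h values.

```python
"""Static properties triage of a PE file: file hashes, COFF header fields and
printable strings. Added example, not code from the original notes; the sample
bytes are a constructed, minimal PE-shaped blob, not a real malware sample."""
import hashlib
import re
import struct
from datetime import datetime, timezone

# Subset of IMAGE_FILE_MACHINE_* and IMAGE_FILE_* characteristic flags (winnt.h)
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}


def build_sample() -> bytes:
    """Constructed input: 64-byte DOS header, 'PE\\0\\0', 20-byte COFF header,
    then padding with a couple of embedded strings to find."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature sits at offset 64
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,       # Machine: AMD64
        2,            # NumberOfSections
        0x5F000000,   # TimeDateStamp (constructed value)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        240,          # SizeOfOptionalHeader
        0x0022,       # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    body = (b"\x00" * 16 + b"http://c2.example.invalid/gate.php\x00" + b"\x90" * 8
            + b"cmd.exe /c whoami\x00" + b"ab\x00" + b"\xff" * 4)
    return bytes(dos) + b"PE\x00\x00" + coff + body


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256: the most basic IOCs to share for a sample."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_header(data: bytes) -> dict:
    """Follow e_lfanew from the DOS header and parse the COFF file header by hand."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if flags & bit],
    }


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """ASCII and UTF-16LE runs of printable characters (what `strings` / `strings -el` give)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])


def notable(strings: list) -> dict:
    """Pick out the strings an analyst reads first: URLs and shell command lines."""
    return {
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "commands": [s for s in strings if re.search(r"\b(cmd|powershell)\.exe\b", s, re.I)],
    }


def triage(data: bytes) -> dict:
    """One static-properties pass: hashes, header, strings and the notable strings."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "header": pe_header(data),
            "strings": strings, "notable": notable(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run against a real file by replacing `build_sample()` with the file's bytes; the hashes go straight into your IOC list, the machine type and compile timestamp tell you what to expect before any execution, and the URL and command strings are the leads for the dynamic stage.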
Rules of Malware Analysis
Do:
- Isolate the malware VMs from the network.
- Always have a snapshot (or several) to revert to.
- Assign enough resources for the analysis.
- Ensure your machine is fully patched.
Don't:
- Run malware on the host system.
- Allow malware to connect to a production environment.
- Acquire malware via the production network.
- Forget to set the machine's network to host-only or NAT during dynamic analysis.
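The "file system modification" step of dynamic analysis is, at its simplest, a snapshot of the file system taken before the sample runs inside the isolated VM and compared with one taken afterwards. The following is an added example, not code from the original notes: `snapshot()` and `diff_snapshots()` are the reusable part, while `seed_victim_files()` and `simulated_detonation()` are constructed stand-ins that act out the ransomware bomb from the Mojojo example inside a temporary directory, so that the script runs offline with no real sample.

```python
"""Before/after file-system diff for the 'file system modification' step of
dynamic analysis. Added example, not code from the original notes. The sample
run is simulated by a constructed function; on a real case, take the 'before'
snapshot, run the sample inside the isolated VM, then take the 'after'."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (POSIX-style path relative to root) to its SHA-256."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files created, deleted or rewritten between the two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def seed_victim_files(root: str) -> None:
    """Constructed baseline: a few documents a user might have."""
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
        fh.write("quarterly numbers\n")
    with open(os.path.join(root, "docs", "notes.txt"), "w") as fh:
        fh.write("todo list\n")
    with open(os.path.join(root, "unrelated.log"), "w") as fh:
        fh.write("nothing to see\n")


def simulated_detonation(root: str) -> None:
    """Constructed stand-in for running the sample: behaves like the ransomware
    bomb in the notes (rewrites a document, drops a ransom note, removes a file).
    It only touches the temporary directory created by run_analysis()."""
    with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
        fh.write("<ciphertext placeholder>\n")
    with open(os.path.join(root, "docs", "README_RESTORE.txt"), "w") as fh:
        fh.write("pay to decrypt\n")
    os.remove(os.path.join(root, "docs", "notes.txt"))


def run_analysis() -> dict:
    """Snapshot, run, snapshot again, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        seed_victim_files(root)
        before = snapshot(root)
        simulated_detonation(root)
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in run_analysis().items():
        print(f"{kind}: {paths}")
```

On a real case, point `snapshot()` at the directories the sample is likely to touch (user profile, temp and startup folders) rather than the whole disk, and revert the VM to its clean snapshot once the diff is saved; the same before/after idea applies to the registry analysis step.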