# Practical Malware Analysis Reading Notes

## Chapter 0

### Definition of Malware

> Any software that does something that **causes detriment to the user, computer, or network—such** as viruses, trojan horses, worms, rootkits, scareware, and spyware—can be considered malware.

### Definition of Malware Analysis

> Malware analysis is the art of dissecting malware to understand **how it works, how to identify it, and how to defeat or eliminate it**.

### Malware Analysis

> Find out what happened, which code or files were affected, and whether the network traffic shows anything abnormal.

### The Goals of Malware Analysis

> provide the information you need to respond to a network intrusion.

### Signatures

> - Something like the malware's **footprints**
> - Signatures are used to find malware infections
>
> > Divided into:
> > - host-based signature
> > - network signature

#### host-based signature

> Also called **indicators**. The focus is on the **behaviour of the binary**, not on the characteristics of the program itself, so detection is **less likely to fail just because the program's outer shell (packing) differs**.

#### network signature

> Finds malware by monitoring network traffic.

Once signatures are available, you can start pointing out exactly what the malware does.

### Malware Analysis Techniques

- Basic static Analysis
  - examining the executable file **without viewing the actual instructions**
  - straightforward and can be quick
  - looks only at the outward form, so it is easily misled by a fake shell (packer)
- Basic Dynamic Analysis
  - running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both
  - must set up an environment that will allow you to study the running malware without risk of damage to your system or network (**sandbox**)

Both basic techniques are easy to carry out and need little programming background, but they easily miss most of the malware's information and functionality.

- Advanced static Analysis
  - **reverse-engineering** the malware’s internals by loading the executable into a **disassembler** and looking at the program instructions in order to discover what the program does.
  - has a steeper learning curve than basic static analysis and requires specialized knowledge of disassembly, code constructs, and Windows operating system concepts
- Advanced Dynamic Analysis
  - uses a **debugger** to examine the internal state of a running malicious executable.
  - provide another way to extract detailed information from an executable.
  - gives a **more complete analysis**, yielding information the other methods cannot obtain

### Types of Malware

- Backdoor
  > Malicious code that **installs itself onto a computer to allow the attacker access**. Backdoors usually let the attacker connect to the computer with little or no authentication and execute commands on the local system.
- Botnet
  > Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.
- Downloader
  > Malicious code that **exists only to download other malicious code**. Downloaders are **commonly installed by attackers when they first gain access to a system.** The downloader program will download and install additional malicious code.
- Information-stealing malware
  > Malware that **collects information from a victim’s computer and usually sends it to the attacker**. Examples include sniffers, **password hash grabbers**, and keyloggers. This malware is typically used to gain access to online accounts such as email or online banking.
- Launcher
  > Malicious program used to **launch other malicious programs**. Usually, launchers use **nontraditional techniques** to launch other malicious programs in order to ensure stealth or greater access to a system.
- Rootkit
  > Malicious code designed to **conceal the existence of other code.** Rootkits are usually **paired with other malware**, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect.
- Scareware
  > Malware designed to **frighten an infected user into buying something**. It usually has a user interface that makes it **look like an anti-virus or other security program**. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their “software,” when in reality, the software it’s selling does nothing more than remove the scareware.
- Spam-sending malware
  > Malware that infects a user’s machine and then uses that machine to **send spam**. This malware **generates income** for attackers by allowing them to sell spam-sending services.
- Worm or virus
  > Malicious code that can **copy itself** and infect additional computers.

:::success
Most malware combines several types, e.g. a **Backdoor paired with a Virus**.

Malware can also be divided into:
- **mass**
  - Mass malware takes a **scattershot** approach, aiming to affect as many computers as possible; **scareware** is an example
- **Targeted malware**
  - usually very sophisticated, and your analysis will often require the advanced analysis skills.
  - uses a targeted strategy, so it is harder to deal with.
:::

### General Rules for Malware Analysis

1. **Don’t get too caught up in the details.**<BR>
   Most malware programs are large and complex, and you can’t possibly understand every detail. Focus instead on the key features.
2. **Remember that different tools and approaches are available for different jobs.**<BR>
   There is no one approach!
3. **Remember that malware analysis is like a cat-and-mouse game.**<BR>
   As new malware analysis techniques are developed, malware authors respond with new techniques to thwart analysis.
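As an added illustration of the Signatures section above (my own example, not code from the book), the script below compares a file-hash check with a host-based signature and a network signature over two constructed sandbox reports of the same malware family, one of them repacked. All file names, registry keys and the domain are made-up placeholders.

```python
import hashlib

# Constructed sandbox observations (not from the book) for two builds of one
# malware family. variant_b is the same code repacked: its bytes differ, but
# what it does on the host and on the network is unchanged.
REPORTS = {
    "variant_a": {
        "bytes": b"MZ\x90\x00constructed-sample-A",
        "files_created": [r"C:\Users\Public\svch0st.exe"],
        "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"],
        "dns_queries": ["update.example.invalid"],
    },
    "variant_b": {
        "bytes": b"MZ\x90\x00constructed-sample-B-repacked",
        "files_created": [r"C:\Users\Public\svch0st.exe"],
        "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"],
        "dns_queries": ["update.example.invalid"],
    },
}

# A file-hash "signature" knows only the exact build it was written for.
KNOWN_HASHES = {hashlib.sha256(REPORTS["variant_a"]["bytes"]).hexdigest()}

# Host-based signature (indicator): the dropped file and the persistence key,
# i.e. what the binary does, not how its bytes look. Placeholder values.
HOST_SIGNATURE = {"dropped_file": "svch0st.exe", "run_key": r"\Run\svch0st"}

# Network signature: the (placeholder) domain the infected host resolves.
NETWORK_SIGNATURE = {"dns": "update.example.invalid"}

def matches_hash(report):
    return hashlib.sha256(report["bytes"]).hexdigest() in KNOWN_HASHES

def matches_host(report, sig=HOST_SIGNATURE):
    dropped = any(p.lower().endswith(sig["dropped_file"]) for p in report["files_created"])
    persisted = any(k.lower().endswith(sig["run_key"].lower()) for k in report["registry_keys"])
    return dropped and persisted

def matches_network(report, sig=NETWORK_SIGNATURE):
    return sig["dns"] in report["dns_queries"]

def classify(reports=REPORTS):
    """For each sample, report which kind of signature fires."""
    return {name: {"hash": matches_hash(r), "host": matches_host(r),
                   "network": matches_network(r)} for name, r in reports.items()}

if __name__ == "__main__":
    for name, hits in classify().items():
        print(name, hits)
```

The repacked build escapes the hash check but still trips both behavioural signatures, which is the point the notes make about host-based indicators surviving a change of packer.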