System Malware Analysis
What is Malware?
Malware is code that performs malicious actions; it can take the form of an executable, a script, a fragment of code, or any other software. Attackers use malware to steal sensitive information, spy on the infected system, or take control of it. It typically gets onto a system without the owner's consent and can be delivered through various channels, such as email attachments, web downloads, or USB drives.
The following are some of the malicious actions performed by malware:
- Disrupting computer operations
- Stealing sensitive information, including personal, business, and financial data
- Gaining unauthorized access to the victim's system
- Spying on the victims
- Sending spam emails
- Engaging in distributed denial-of-service (DDoS) attacks
- Locking up the files on the computer and holding them for ransom
Types of Malware
- Botnets
- Ransomware
- Rootkits
- Trojans
- Viruses
- Worms
- Adware
- Spyware
- Downloader or dropper
- Information stealer
Botnets: The word botnet is derived from the phrase "network of robots". It is essentially a widespread collection of a large number of infected computer systems under the control of one attacker. Each infected system runs a piece of software called a "bot", which takes its commands from the attacker's command-and-control infrastructure.
Ransomware: Malicious software designed to deny access to a computer system or its data, usually by encrypting files, until a ransom is paid.
Rootkits: Malware that provides the attacker with privileged access to the infected system and conceals its own presence or the presence of other software.
- Application Level Rootkits: Application-level rootkits operate inside the victim computer by replacing standard application files with rootkit versions, or by changing the behavior of existing applications through patches, injected code, and similar techniques.
- Kernel Level Rootkits: The kernel is the core of the operating system. Kernel-level rootkits add code to it or replace parts of it, typically via device drivers (on Windows) or loadable kernel modules (on Linux). Because the rootkit's code runs with kernel privileges, any bug in it can seriously affect the stability of the whole system. Kernel rootkits are difficult to detect because they run with the same privileges as the operating system itself, and can therefore intercept or subvert operating system operations, including the very system calls that security tools rely on.
- Hardware/Firmware Rootkits: These rootkits hide in the firmware of hardware components such as a network card or the system BIOS/UEFI, so they survive a reinstallation of the operating system.
- Hypervisor (Virtualized) Level Rootkits: These rootkits exploit hardware-assisted virtualization features such as Intel VT or AMD-V. The rootkit installs itself as a thin hypervisor and runs the target operating system as a guest virtual machine, which lets it intercept all hardware calls made by that operating system.
- Boot loader Level (Bootkit) Rootkits: A bootkit replaces or modifies the legitimate boot loader (for example the MBR or VBR) so that its code runs before the operating system starts. Bootkits are a serious threat because they are active before any OS-level security software, and can capture disk-encryption keys and passwords as they are entered at boot.
Trojans: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
- Remote Access Trojans: Abbreviated RATs, a Remote Access Trojan is designed to give the attacker complete control of the victim's system. Attackers usually hide these Trojans in games and other small programs that unsuspecting users then execute on their PCs.
- Data Sending Trojans: This type of Trojan is designed to send the attacker sensitive data such as passwords, credit card information, log files, e-mail addresses, or IM contact lists. It can look for specific pre-defined data (e.g., only credit card numbers or passwords), or it installs a keylogger and sends all recorded keystrokes back to the attacker.
- Destructive Trojans: This Trojan is designed to destroy and delete files; in that respect it behaves more like a virus than any other Trojan. It can often go undetected by antivirus software.
- Proxy Trojans: This kind of Trojan is designed to use the victim's computer as a proxy server. It lets the attacker route activity through the victim's machine, from credit card fraud and other illegal activities to launching attacks against other networks, so that the victim's address appears as the source.
- FTP Trojans: This Trojan opens port 21 (the FTP control port) on the victim's computer and lets the attacker connect to it over the File Transfer Protocol (FTP) to upload and download files.
- Security software disabler Trojans: This Trojan stops or kills security software such as antivirus programs or firewalls without the user knowing. It is usually combined with another type of Trojan as a "payload", clearing the way for it.
- Denial-of-service attack (DoS) Trojans: A DoS Trojan turns the infected machine into a source of attack traffic, flooding a target network or host with useless traffic until it can no longer serve legitimate requests. Many classic DoS attacks, such as the Ping of Death and Teardrop, exploit bugs in how operating systems handle oversized or malformed fragmented IP packets. For the known attacks of this kind, vendors have shipped software fixes that system administrators can install to limit the damage; but, like viruses, new DoS techniques are constantly being devised.
Viruses: Malware that attaches itself to other programs or files and replicates when the infected host is run. A virus therefore needs user intervention (opening or running the infected file) to spread, whereas a worm can spread without it.
Worms: Malware capable of copying itself and spreading to other computers over the network on its own, typically by exploiting vulnerabilities in network services.
Adware: Malware that presents unwanted advertisements (ads) to the user. It usually gets delivered bundled with free downloads and can forcibly install additional software on your system.
Downloader or dropper: Malware designed to fetch additional malware components from the network (downloader) or to install components carried inside its own body (dropper).
Information stealer: Malware designed to steal sensitive data such as banking credentials or typed keystrokes from the infected system. Examples include keyloggers, spyware, sniffers, and form grabbers.
What is Malware Analysis?
Malware analysis is the process of learning how a piece of malware functions and what the potential repercussions of an infection are. The objective is to understand the working of the malware and how to detect and eliminate it. It involves examining the suspect binary in a safe, isolated environment, so that it cannot reach production systems or the internet unintentionally, to identify its characteristics and functionality, so that better defenses can be built to protect the organization's network. The primary motive behind performing malware analysis is to extract information from the sample (indicators such as file hashes, dropped files, contacted domains, and persistence mechanisms) that helps in responding to the malware incident.
Types of Malware Analysis
- Static analysis: examining the file without running it (file type, hashes, strings, headers, imports)
- Dynamic analysis: running the sample in an isolated environment and observing its behavior (files written, registry changes, processes, network traffic)
- Code analysis: disassembling or debugging the binary to understand its logic in detail
- Memory analysis: capturing and examining the RAM of the infected system to find injected code, hidden processes, and rootkit hooks
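As an added example (not code from the original post), here is a minimal static-analysis pass in Python over a constructed byte buffer that stands in for a suspect file: it records the hashes, measures Shannon entropy to locate packed or encrypted regions, and extracts printable strings as leads for further analysis. The strings, paths and byte layout in SAMPLE are invented for this illustration, not taken from any real specimen.

```python
"""Static triage of a suspect file: hashes, entropy and printable strings.

Added example, not code from the original post. SAMPLE is a constructed byte
buffer built below; it is not a real malware specimen.
"""
import hashlib
import math
import re
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """Record MD5/SHA-1/SHA-256 first: they identify the sample and let you
    look it up in existing reports and sandbox results."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (a single byte value) to 8.0 (uniform).
    Plain code and text usually sit between 4 and 6; a region close to 8
    is a sign of compression or encryption, i.e. a packed payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, block: int = 256, threshold: float = 7.0):
    """Slide a fixed-size window over the file and report (offset, entropy)
    for every block above the threshold; this locates packed/encrypted blobs."""
    hits = []
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool.
    URLs, file paths and Windows API names found here are leads for deeper work."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Everything a first static pass should write into the case notes."""
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 2),
        "high_entropy_regions": high_entropy_regions(data),
        "strings": ascii_strings(data),
    }


# Constructed sample: a low-entropy "code" region carrying a few tell-tale
# strings, followed by a uniform region that imitates a packed/encrypted payload.
SAMPLE = (
    b"\x00" * 200
    + b"C:\\Users\\Public\\svchost32.exe\x00"            # odd drop location
    + b"http://update.example.invalid/p.bin\x00"        # download URL (reserved TLD)
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"   # process-injection APIs
    + b"\x00" * 200
    + bytes(range(256)) * 4                             # every byte value equally often: entropy 8.0
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256 :", report["hashes"]["sha256"])
    print("entropy:", report["entropy"])
    print("packed?:", report["high_entropy_regions"])
    for s in report["strings"]:
        print("string :", s)
```

On a real file, read it in binary mode and pass the bytes to triage(); the whole-file entropy alone is misleading for a partially packed binary, which is why the windowed high_entropy_regions() is reported separately.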
What is a Malware signature?
A unique string of bits, or binary pattern, taken from a specific piece of malware. The signature is like a fingerprint in that it can be used to detect and identify that specific sample or family. Antivirus software scans files for the presence of known signatures. The caveat is that a signature matches only the bytes it was built from, so a small change to the malware (repacking, re-encoding strings, recompiling) can defeat it; this is why signature scanning is complemented with heuristic and behavioral detection.
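To make the fingerprint idea concrete, here is an added example (not code from the original post) of the byte-pattern matching that classic antivirus engines perform, using the hex-pattern notation of ClamAV and YARA. The "Demo.Dropper.A" pattern and the sample buffers are constructed for this example and are not real signatures or real malware; the only real-world signature is the public EICAR test string, which is harmless and deliberately detected by AV products. The example also shows why signatures are brittle: changing a single byte of the EICAR string defeats the exact-match signature, while the wildcarded pattern still matches two variants of the same instruction sequence.

```python
"""Byte-pattern signature scanning of the kind classic antivirus engines use.

Added example, not code from the original post. Patterns use two hex digits
per byte and "??" for a wildcard byte. "Demo.Dropper.A" is constructed for
this example; "Test.EICAR" is the public EICAR antivirus test string.
"""
import re

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SIGNATURES = {
    "Test.EICAR": EICAR.hex(),
    # x86: call <rel32> ; mov eax, [ebp-4]. The four call-target bytes differ
    # per build, so they are wildcarded and the signature survives relinking.
    "Demo.Dropper.A": "e8????????8b45fc",
}


def compile_signature(hexpat: str):
    """Translate a hex pattern into a bytes regex: literal bytes are escaped,
    each "??" becomes "." (any single byte, newline included via DOTALL)."""
    if len(hexpat) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    parts = []
    for i in range(0, len(hexpat), 2):
        tok = hexpat[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes):
    """Return every (signature name, offset) match found in the buffer."""
    return [(name, m.start())
            for name, pat in COMPILED.items()
            for m in pat.finditer(data)]


# Constructed samples.
EICAR_FILE = b"\x00" * 64 + EICAR + b"\x00" * 64                   # EICAR embedded at offset 64
PATCHED_FILE = EICAR_FILE.replace(b"STANDARD", b"STANDARd")        # one byte changed
DROPPER_V1 = b"\x90" * 3 + b"\xe8\x10\x00\x00\x00\x8b\x45\xfc"     # call +0x10
DROPPER_V2 = b"\x90" * 3 + b"\xe8\x00\x02\x00\x00\x8b\x45\xfc"     # call +0x200, same signature

if __name__ == "__main__":
    for label, blob in [("eicar", EICAR_FILE), ("eicar, 1 byte patched", PATCHED_FILE),
                        ("dropper v1", DROPPER_V1), ("dropper v2", DROPPER_V2)]:
        print(f"{label:22s} -> {scan(blob) or 'no match'}")
```

Real engines add a fast multi-pattern first stage (for example Aho-Corasick over the fixed bytes) before running the expensive wildcard matching, but the matching semantics are the same as shown here.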
What is PE (Portable Executable)?
PE is the file format of Windows executable files (.exe, .dll, .sys, and others). When a suspect file is identified as type "PE", it is therefore a Windows binary, and its headers (the DOS header, the PE signature, the file header, the optional header, and the section table) are the first things to inspect during static analysis, because they reveal the target architecture, the entry point, and how the file is laid out in memory.
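Reading those headers needs nothing beyond the standard library, as the following added example shows (it is not code from the original post). It parses the DOS header, PE signature, COFF file header, optional header and section table, then applies a few header heuristics that commonly flag packed or tampered binaries: a section that is both writable and executable, a section with no data on disk but a large memory footprint, and an entry point outside any executable section. Because no real binary ships with this page, build_pe32() assembles two constructed images, one with a normal .text/.data layout and one with a UPX-style layout; the section names, addresses and sizes are invented for the example.

```python
"""Parse the headers of a Windows PE file using only the standard library.

Added example, not code from the original post. The sample images are built in
memory by build_pe32() below so the parser runs offline; they hold no real code
and are not real executables or malware samples.
"""
import struct

MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (no MZ magic)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (an RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # 2 = GUI, 3 = console
    sections = []
    for i in range(nsec):                                     # 40-byte entries after the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "vaddr": f[2], "rsize": f[3], "raw": f[4], "chars": f[9]})
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "dll": bool(chars & IMAGE_FILE_DLL), "timestamp": stamp, "subsystem": subsystem,
            "entry": entry, "sections": sections}


def suspicious(pe: dict) -> list:
    """Cheap header heuristics that often flag packed or tampered binaries."""
    notes, entry_sec = [], None
    for s in pe["sections"]:
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
            notes.append(f"section {s['name']} is writable and executable")
        if s["rsize"] == 0 and s["vsize"] > 0:
            notes.append(f"section {s['name']} has no data on disk but {s['vsize']:#x} bytes in memory "
                         "(unpacking target?)")
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rsize"]):
            entry_sec = s
    if entry_sec is None:
        notes.append("entry point lies outside every section")
    elif not entry_sec["chars"] & SCN_EXEC:
        notes.append(f"entry point lies in non-executable section {entry_sec['name']}")
    return notes


def build_pe32(sections, entry_rva, dll=False) -> bytes:
    """Assemble a minimal constructed PE32 image from (name, vsize, vaddr, rsize, chars) tuples."""
    opt = bytearray(224)                         # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<H", opt, 68, 2)           # Subsystem = Windows GUI
    headers_end = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF     # section data starts at the next 512-byte boundary
    table = bodies = b""
    for name, vsize, vaddr, rsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        bodies += b"\xCC" * rsize                # int3 filler instead of real code
        raw_ptr += rsize
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt),
                       0x0102 | (IMAGE_FILE_DLL if dll else 0))  # 32BIT_MACHINE | EXECUTABLE_IMAGE
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (((headers_end + 0x1FF) & ~0x1FF) - len(image)) + bodies


# Constructed samples: a normal .text/.data layout and a UPX-style packed layout.
BENIGN = build_pe32([(b".text", 0x100, 0x1000, 0x200, SCN_CODE | SCN_EXEC | SCN_READ),
                     (b".data", 0x100, 0x2000, 0x200, SCN_READ | SCN_WRITE)], entry_rva=0x1000)
PACKED = build_pe32([(b"UPX0", 0x8000, 0x1000, 0, SCN_READ | SCN_WRITE | SCN_EXEC),
                     (b"UPX1", 0x200, 0x9000, 0x200, SCN_CODE | SCN_READ | SCN_WRITE | SCN_EXEC)],
                    entry_rva=0x9010)

if __name__ == "__main__":
    for label, image in (("benign", BENIGN), ("packed", PACKED)):
        pe = parse_pe(image)
        print(label, pe["machine"], "dll" if pe["dll"] else "exe", "entry", hex(pe["entry"]))
        for s in pe["sections"]:
            print(f"  {s['name']:8s} vaddr={s['vaddr']:#07x} raw={s['rsize']:#07x} chars={s['chars']:#010x}")
        for note in suspicious(pe):
            print("  !", note)
```

The parser deliberately trusts nothing it has not checked: a missing MZ or PE signature, or an unknown optional-header magic, raises instead of producing garbage, which matters because malformed headers are themselves a common anti-analysis trick. For production work the same fields are available through the pefile library, but knowing the offsets lets you verify what a tool reports.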
Author: Megala Shanmugam, researcher and malware analyst; can be contacted on LinkedIn.