Back to Subject
Practice MCQ

Unit 6 - Notes

INT250

Unit 6: Analysis of Malware

1. Define Malware and Identify Common Spreading Techniques

Definition of Malware

Malware (Malicious Software) refers to any software intentionally designed to cause damage to a computer, server, client, or computer network. It is used by threat actors to extract data, disrupt operations, or gain unauthorized access.

Key Categories:

  • Virus: Self-replicating code that attaches to clean files.
  • Worm: Standalone malware that replicates to spread to other computers, often exploiting network vulnerabilities.
  • Trojan: Software that disguises itself as legitimate but performs malicious activity in the background.
  • Ransomware: Encrypts user data and demands payment for the decryption key.
  • Spyware/Keylogger: Monitors user activity and captures keystrokes (passwords, banking info).
  • Rootkit: Tools designed to hide the existence of certain processes or programs from normal methods of detection, often operating at the kernel level.

Common Spreading Techniques

Attackers use various vectors to deliver malware to the target system:

  1. Social Engineering (Phishing/Spear Phishing):
    • Emails containing malicious attachments (Word docs, PDFs) or links to malicious sites.
    • Relies on human error and manipulation.
  2. Drive-by Downloads:
    • Unintended downloads that occur when visiting a compromised website.
    • Often utilizes Exploit Kits (automated threats that identify browser vulnerabilities).
  3. Removable Media:
    • Infection via USB drives using autorun.inf or disguised executables.
  4. Software Vulnerabilities (Exploits):
    • Exploiting unpatched flaws in Operating Systems or applications (e.g., SMB vulnerabilities like EternalBlue).
  5. Malvertising:
    • Injecting malicious code into legitimate online advertising networks.
  6. Bundling:
    • Packaging malware inside pirated software, cracks, or keygens.

2. Malware Forensics Fundamentals and Types of Analysis

Fundamentals

Malware forensics involves the study of malicious code to understand its behavior, origin, and impact. The primary goals are:

  • Identification: Determining the type of malware.
  • Capability Assessment: Understanding what the malware can do (steal data, delete files, etc.).
  • Attribution: Attempting to identify the author (difficult and often obfuscated).
  • IOC Generation: Creating Indicators of Compromise (File Hashes, C2 IP addresses, Mutexes) to detect the threat on other systems.

Safety Protocol:

  • Isolation: Never analyze malware on a production machine.
  • Virtualization: Use Virtual Machines (VMs) with "Host-Only" networking to prevent leakage.
  • Snapshots: Take snapshots of the clean VM state before execution to allow quick reversion.

Types of Malware Analysis

Type Description Pros Cons
Static Analysis Analyzing the code without executing it. Involves reverse engineering binaries. Safe; Reveals code structure; Can detect logic bombs. Can be defeated by packing/obfuscation; Time-consuming.
Dynamic Analysis Running the malware in a controlled environment (sandbox) to observe behavior. Shows true behavior; Faster than deep reverse engineering. Can be detected by malware (anti-VM techniques); specific triggers may be missed.
Hybrid Analysis Combining static and dynamic approaches. Comprehensive view. Resource intensive.
Memory Forensics Analyzing the computer's RAM dump to find artifacts of malware execution. Detects fileless malware and unpacked code. Requires a memory image capture; volatile data.

3. Understand and Perform Static Analysis of Malware

Static analysis is the first step in the triage process. It dissects the binary file to extract metadata and code structure.

Key Static Analysis Techniques

A. File Fingerprinting (Hashing)

Generating a unique cryptographic hash to identify the specific malware sample and check against databases like VirusTotal.

  • Algorithms: MD5, SHA-1, SHA-256.
  • Tools: CertUtil, HashCalc, md5sum.

B. String Analysis

Extracting readable ASCII and Unicode characters from the binary. This can reveal:

  • Filenames/Paths.
  • URL/IP addresses (Command & Control).
  • Registry keys.
  • Error messages.
  • Tool: Strings (Sysinternals or Linux command).
    • Command: strings -n 5 malware.exe (Shows strings longer than 5 chars).

C. Portable Executable (PE) Header Analysis

Windows executables follow the PE format. Analyzing headers reveals how the OS should load the file.

  • Sections:
    • .text: Contains the executable code.
    • .data: Contains global/static variables.
    • .rsrc: Resources (icons, images, embedded files).
  • Import Address Table (IAT): Lists functions the malware imports from Windows DLLs.
    • Example: If imports include InternetOpenUrl and WriteFile, the malware likely downloads and saves files.
    • Example: IsDebuggerPresent indicates anti-analysis capabilities.
  • Tools: PEStudio, CFF Explorer, PEview.

D. Obfuscation and Packing Detection

Authors compress or encrypt malware (packing) to hide the code from static analysis.

  • Indicators: High entropy (randomness) in file sections; lack of readable strings; few imports in the IAT.
  • Tools: Detect It Easy (DiE), PEiD.

E. Disassembly

Translating machine code (binary) into Assembly language for logic analysis.

  • Tools: IDA Pro, Ghidra, Cutter.

4. Analyze Suspicious Word and PDF Documents

Attackers frequently use document-based malware as an entry point.

Analyzing Malicious Word Documents (OLE)

Microsoft Office files often use the OLE (Object Linking and Embedding) format or the newer XML format (docx/docm). The primary vector is VBA Macros.

  • Mechanism:
    • AutoOpen() / Document_Open(): Macros that execute immediately upon opening the file.
    • Payload: Typically spawns PowerShell or CMD to download the actual exe payload.
  • Analysis Tools (OLETools Suite):
    • oleid: Analyzes OLE streams to detect dangerous properties.
    • olevba: Extracts and decompiles VBA macros, highlighting suspicious keywords (e.g., Shell, Call, CreateObject).
    • olebrowse: Browses the internal structure of the file.

Analyzing Malicious PDF Documents

PDFs consist of a header, body (objects), cross-reference table, and trailer. Malware usually resides in specific objects.

  • Mechanism:
    • JavaScript: Embedded JS execution (/JS, /JavaScript).
    • OpenAction: Commands executed upon opening (/OpenAction, /AA).
    • Launch: Launching external applications.
  • Analysis Tools:
    • pdfid: Scans for keywords like /JS, /Encrypt, /OpenAction.
    • pdf-parser: Extracts specific objects or streams for further analysis.
    • peepdf: Comprehensive python tool for PDF analysis.

5. Dynamic Malware Analysis Fundamentals and Approaches

Dynamic analysis involves detonating the malware. The environment must be strictly controlled to prevent the malware from spreading or signaling the attacker that it is being analyzed.

The Environment (The Sandbox)

  • Virtual Machine: VMware or VirtualBox.
  • Network Simulation:
    • Host-Only Adapter: The VM can talk to the host (if allowed) but not the internet.
    • FakeNet / INetSim: Tools running on a Linux gateway that simulate internet services (DNS, HTTP, SMTP) so the malware "thinks" it is online and reveals its network behavior.
  • Agents: Monitoring agents installed inside the VM.

Approaches

  1. Automated Sandboxing: Submitting the file to a system that runs it and generates a report automatically.
    • Examples: Cuckoo Sandbox, Joe Sandbox, Any.Run.
  2. Manual Dynamic Analysis: The analyst runs the tools and the malware manually to observe specific behaviors in real-time.
  3. Debugging: Using a debugger (x64dbg, OllyDbg) to step through the assembly instructions line-by-line while the program runs. This allows manipulation of the CPU registers and memory.

6. Analyze Malware Behavior on System Properties in Real-time

When malware executes, it interacts with the Operating System. Analysts monitor these interactions to determine the malware's intent.

A. Process Activity

  • What to look for:
    • Child processes (e.g., a Word doc spawning powershell.exe).
    • Process Injection/Hollowing: Malware replacing the memory of a legitimate process (like svchost.exe) with malicious code to hide.
  • Tool: Process Explorer (Sysinternals). Look for color-coded processes (purple for packed/compressed) and verify digital signatures.

B. File System Activity

  • What to look for:
    • Dropping files (payloads) into %TEMP% or System32.
    • Modifying user files (Ransomware encryption).
    • Self-deletion (cleaning up the dropper).
  • Tool: Procmon (Process Monitor).
    • Filter: Filter by Process Name is [malware_name] and Operation contains WriteFile.

C. Registry Activity (Persistence)

Malware modifies the registry to survive reboots (Persistence).

  • Key Locations:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\System\CurrentControlSet\Services
  • Tool: Regshot.
    • Method: Take "1st shot" before infection. Infect system. Take "2nd shot". Click "Compare" to see changes.

7. Analyze Malware Behavior on Network in Real-time

Malware usually requires network access for Command & Control (C2), exfiltration, or downloading additional payloads.

Network Artifacts

  1. DNS Queries: Malware resolves the domain name of the C2 server.
    • Suspicious: Random looking domains (DGA - Domain Generation Algorithms) or non-existent TLDs.
  2. TCP/UDP Connections: Establishing connections (SYN packets).
  3. HTTP/HTTPS Requests:
    • User-Agent: Often abnormal or mimics outdated browsers.
    • Payload: Data sent in POST requests (stolen passwords, system info).

Tools and Techniques

  • Wireshark: The standard for packet capture.
    • Filter: http.request, dns, or ip.addr == [victim_ip].
    • Follow TCP Stream: Reconstructs the data exchange to read plaintext traffic.
  • TCPView: Shows active ports and the processes linked to them on the host.
  • Fiddler / Burp Suite: Intercepts and decrypts HTTPS traffic (requires installing a root CA on the victim VM).
  • ApateDNS / Fakedns: Redirects all DNS queries to a specific IP (usually the analysis machine) to trick malware into connecting.

8. Fileless Malware Attacks

Fileless malware is a technique where threats execute without writing malicious executables to the hard drive, making them invisible to traditional antivirus file scanning.

How it Happens (The Infection Chain)

It leverages "Living off the Land" (LotL) tactics, using legitimate system administration tools.

  1. Delivery: Usually via a Phishing email with a script or macro, or a drive-by download.
  2. Execution (Memory Only):
    • The script (e.g., VBA in a Word doc) executes.
    • It launches a trusted system utility like PowerShell, WMI (Windows Management Instrumentation), or Mshta.exe.
    • The malicious code is injected directly into the RAM of these trusted processes.
  3. Persistence:
    • Since there is no file to run at startup, the malware stores scripts in the Windows Registry or creates Scheduled Tasks that invoke PowerShell commands stored in registry keys upon boot.

Analysis of Fileless Malware

Since there is no binary to analyze statically:

  • Memory Forensics: Analysts must capture a RAM image (using tools like DumpIt or FTK Imager) and analyze it with Volatility Framework.
  • Behavioral Monitoring: Rely on EDR (Endpoint Detection and Response) tools to flag suspicious behavior (e.g., PowerShell launching a network connection to an unknown IP).
  • Script Analysis: De-obfuscating the PowerShell or VBScript extracted from macros or registry keys.