Malware

  • Writer: Abhilasha
  • Jul 14, 2024

Basic Static Analysis

Definition:

  • Examines the executable file without running it.

Purpose:

  • Confirms if a file is malicious.

  • Provides information about file functionality.

  • Helps create simple network signatures.

Advantages:

  • Quick and straightforward.

Limitations:

  • Ineffective against sophisticated malware.

  • Might miss important behaviors.
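As an added illustration of the three static steps these notes name (metadata, header information, string extraction), here is a small Python script written for this page; it is not code from the original post. It hashes the file, reads the DOS and COFF headers and the section names, pulls printable strings, and picks out URLs and IPv4 literals as candidates for simple network signatures. The input is a constructed, non-executable PE-shaped byte string built inside the script, so it runs offline; the field offsets and flag values used are the documented PE header constants.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE-shaped bytes used as the sample input.

    Assembled here for the example only; it is not a real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,        # Machine = IMAGE_FILE_MACHINE_I386
        2,            # NumberOfSections
        1700000000,   # TimeDateStamp (constructed value)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0,            # SizeOfOptionalHeader (omitted in this sample)
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    sections = b"".join(name.ljust(8, b"\x00") + bytes(32)  # 40-byte section headers
                        for name in (b".text", b".rdata"))
    payload = (b"\x00\x00http://example.invalid/beacon\x00\x00"
               b"192.0.2.10\x00ab\x00"
               b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return bytes(dos) + b"PE\x00\x00" + coff + sections + payload


SAMPLE = build_sample_pe()

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"
NET_RE = re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(data: bytes) -> dict:
    """Hashes that identify the file and can be looked up in threat-intel sources."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def parse_pe_header(data: bytes) -> dict:
    """Read the DOS header, PE signature, COFF header and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
             for i in range(nsec)]
    return {
        "machine": hex(machine),
        "sections": names,
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
    }


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, the same idea as the `strings` utility."""
    return [m.group().decode("ascii") for m in re.finditer(PRINTABLE_RUN % min_len, data)]


def network_indicators(strings: list[str]) -> list[str]:
    """URLs and IPv4 literals among the strings: candidates for simple network signatures."""
    return [m.group() for s in strings for m in NET_RE.finditer(s)]


if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print(parse_pe_header(SAMPLE))
    print(network_indicators(extract_strings(SAMPLE)))
```

The compile timestamp and section names are only hints: both are trivially forged, which is why the notes above list "might miss important behaviors" as a limitation of this stage.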

Basic Dynamic Analysis

Definition:

  • Runs the malware to observe its behavior.

Purpose:

  • Removes infections.

  • Produces effective signatures.

Setup:

  • Requires a safe environment to prevent damage.

Advantages:

  • Doesn't need deep programming knowledge.

Limitations:

  • Not effective against all malware.

  • Can miss important functionality.

Advanced Static Analysis

Definition:

  • Reverse-engineers malware by disassembling it.

Purpose:

  • Provides detailed understanding of malware's function.

Tools:

  • Disassemblers.

Advantages:

  • Gives exact details of program actions.

Limitations:

  • Requires specialized knowledge.

  • Steep learning curve.

Advanced Dynamic Analysis

Definition:

  • Uses a debugger to examine running malware.

Purpose:

  • Extracts detailed information from the executable.

Advantages:

  • Useful for obtaining hard-to-gather information.

Limitations:

  • Requires specialized tools and knowledge.

Malware Hiding Places

Definition:

  • Malware hides in various places to avoid detection.

Common Hiding Spots:

  1. Restore Data:

  • Malware hides in restore partitions.

  • Anti-malware might not detect these.

  2. Registry:

  • Malware changes or adds registry keys.

  • Makes detection difficult.

  3. Startup Folder:

  • Malware runs at startup without user knowledge.

  4. Miscellaneous:

  • Hosts file: Maps host names to IP addresses.

  • Embedded media: Found in screen savers, web pages, etc.
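The behaviour a basic dynamic run is meant to surface (changes to the registry, the Startup folder, the hosts file, outbound connections) can be picked out of a monitor log automatically, which ties the dynamic-analysis notes to the hiding places listed above. The following Python script is an added example, not code from the original post: it reads constructed Process Monitor-style CSV rows, keeps only write operations that touch those locations, groups them per process, and separately checks a hosts file for names pointed at non-loopback addresses. The log rows, the process names and the hosts entries are all made up for the example.

```python
import csv
import io
import ipaddress
import re

# Constructed Process Monitor-style CSV (column layout of a ProcMon export); the
# rows are invented for this example, not captured from any real sample.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:01.1","svchost.exe","812","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","SUCCESS","Type: REG_SZ"
"10:02:03.4","update.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\update.exe"
"10:02:03.9","update.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk","SUCCESS","Desired Access: Generic Write"
"10:02:04.2","update.exe","4120","WriteFile","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS","Offset: 0, Length: 112"
"10:02:05.0","update.exe","4120","TCP Connect","lab-pc:49812 -> 198.51.100.7:443","SUCCESS","Length: 0"
"10:02:06.3","notepad.exe","2210","CreateFile","C:\\Users\\lab\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "WriteFile", "SetRenameInformationFile"}

# The hiding places from the notes above, plus the scheduled-task folder.
LOCATION_RULES = [
    ("registry-run-key", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("registry-winlogon", re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("startup-folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("hosts-file", re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("scheduled-task", re.compile(r"\\System32\\Tasks\\", re.I)),
]


def is_write(operation: str, detail: str) -> bool:
    """Only modifications matter: reads of the Run key by system processes are routine."""
    if operation == "CreateFile":
        return "Write" in detail or "Delete" in detail
    return operation in WRITE_OPS


def triage(log_text: str) -> list[dict]:
    """One finding per event that writes to a watched location or opens a connection."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        base = {"process": row["Process Name"], "pid": int(row["PID"])}
        if op in ("TCP Connect", "UDP Send"):
            findings.append({**base, "category": "network", "path": path.split("->")[-1].strip()})
            continue
        if not is_write(op, detail):
            continue
        for category, rx in LOCATION_RULES:
            if rx.search(path):
                findings.append({**base, "category": category, "path": path})
                break
    return findings


def suspicious_processes(findings: list[dict]) -> dict:
    """Group findings per process so the reviewer sees the whole persistence picture."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["process"], set()).add(f["category"])
    return {proc: sorted(cats) for proc, cats in grouped.items()}


# Constructed hosts file content for the example.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
198.51.100.7    updates.example       # an update server pointed at an outside host
0.0.0.0         ads.example
"""


def hosts_redirects(text: str) -> list[tuple[str, str]]:
    """Entries that send a name somewhere other than loopback or the null address."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.extend((name, addr) for name in names)
    return hits


if __name__ == "__main__":
    print(suspicious_processes(triage(SAMPLE_LOG)))
    print(hosts_redirects(SAMPLE_HOSTS))
```

Filtering on write access is the important detail: the same Run key is queried constantly by legitimate processes, and flagging reads would bury the one RegSetValue that matters.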

Diagrams

Basic Static Analysis

Executable File
├── Metadata Analysis
├── Header Information
└── String Extraction

Basic Dynamic Analysis

[Isolated Environment]
├── Run Malware
├── Monitor Behavior
├── Log Network Activity
└── Identify Changes

Advanced Static Analysis

Executable File
├── Disassembler
├── Instruction Analysis
├── Control Flow Analysis
└── Code Reconstruction

Advanced Dynamic Analysis

Running Malware
├── Debugger
├── Breakpoints
├── Memory Inspection
└── Register Analysis

Malware Hiding Places

System
├── Restore Data
│   └── Restore Partitions
├── Registry
│   └── Registry Keys
├── Startup Folder
│   └── Autostart Programs
└── Miscellaneous
    ├── Hosts File
    └── Embedded Media

By using these methods and understanding hiding places, you can better detect and analyze malware to keep your system secure.


Collection (Live System)

Definition: A live system is a running computer.

Purpose: Collect volatile data such as passwords, IP addresses, event logs, etc., to understand malware.

Process:

  • Live Response Forensics: Acquire stateful information while the system is powered on.

  • Tools: Use trusted tools to avoid compromised native programs.

Steps:

  1. Use system integrity monitoring tools like Winalysis or InstallSpy.

  2. Use File Monitor (FileMon) and Registry Monitor (RegMon) for real-time changes.

  3. Use Process Monitor (ProcMon) for detailed system activity.

Guidelines:

  • Run a trusted command shell.

  • Document system date and time.

  • Acquire physical memory contents.

  • Gather system details (hostname, user, OS).

  • Inspect network connections and processes.

  • Examine open files and command line history.

  • Check for unauthorized accounts and configurations.

  • Determine scheduled tasks and audit policies.

Identifying (Dead System)

Definition: A dead system is a switched-off computer.

Purpose: Conduct a forensic examination to find malware traces in files, registry entries, logs, etc.

Process:

  • Methodology: Ensure the process is thorough, repeatable, and documented.

Steps:

  1. Create a timeline using file dates (creation, modification, access).

  2. Use NTFS dates for detailed analysis.

  3. Load disk images into a virtual environment for testing (e.g., LiveView).

  4. Perform relational analysis to examine trust relationships and network connections.

  5. Extend analysis beyond the compromised computer to include network-related functionality.
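Steps 1 and 2 above (a file-date timeline, refined with NTFS attribute times) can be worked through with the added Python example below; it is written for these notes and is not the author's code. It builds one sorted event list from the $STANDARD_INFORMATION and $FILE_NAME timestamps of constructed file records, filters it to an incident window, and flags two common signs of tampered dates: $SI creation earlier than $FN creation, and whole-second $SI times. The records are invented; the heuristics are the usual ones and need confirming against other evidence.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileRecord:
    """Timestamps of one file from both NTFS attributes (ISO-8601 strings)."""
    path: str
    si: dict  # $STANDARD_INFORMATION: created, modified, accessed, mft_changed
    fn: dict  # $FILE_NAME: same four fields, set by the kernel, not reachable via SetFileTime


def _stamps(created, modified, accessed, mft_changed):
    return {"created": created, "modified": modified,
            "accessed": accessed, "mft_changed": mft_changed}


# Constructed records for the example; not taken from a real disk image.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\svchost.exe",
               si=_stamps("2023-09-10T09:12:44.123456", "2023-09-10T09:12:44.123456",
                          "2024-07-01T08:00:01.250000", "2023-09-10T09:12:44.123456"),
               fn=_stamps("2023-09-10T09:12:44.123456", "2023-09-10T09:12:44.123456",
                          "2023-09-10T09:12:44.123456", "2023-09-10T09:12:44.123456")),
    FileRecord(r"C:\Users\lab\AppData\Roaming\update.exe",
               # $SI backdated to whole seconds; $FN still shows when the file appeared
               si=_stamps("2019-03-01T00:00:00.000000", "2019-03-01T00:00:00.000000",
                          "2024-07-01T10:02:03.400000", "2024-07-01T10:02:03.500000"),
               fn=_stamps("2024-07-01T10:02:02.900000", "2024-07-01T10:02:02.900000",
                          "2024-07-01T10:02:02.900000", "2024-07-01T10:02:02.900000")),
    FileRecord(r"C:\Users\lab\notes.txt",
               si=_stamps("2024-06-15T14:20:10.500100", "2024-06-15T14:25:33.700200",
                          "2024-06-15T14:25:33.700200", "2024-06-15T14:25:33.700200"),
               fn=_stamps("2024-06-15T14:20:10.500100", "2024-06-15T14:20:10.500100",
                          "2024-06-15T14:20:10.500100", "2024-06-15T14:20:10.500100")),
]


def build_timeline(records):
    """Every timestamp becomes one event (time, kind, attribute, path), oldest first."""
    events = []
    for r in records:
        for attr, stamps in (("$SI", r.si), ("$FN", r.fn)):
            for kind, when in stamps.items():
                events.append((datetime.fromisoformat(when), kind, attr, r.path))
    return sorted(events)


def events_between(timeline, start: str, end: str):
    """Pivot on an incident window once one suspicious time is known."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in timeline if lo <= e[0] <= hi]


def timestomp_indicators(records):
    """Heuristics, not proof: copies from archives or FAT media can trip them too."""
    hits = []
    for r in records:
        si_created = datetime.fromisoformat(r.si["created"])
        fn_created = datetime.fromisoformat(r.fn["created"])
        if si_created < fn_created:
            hits.append((r.path, "$SI created earlier than $FN created"))
        si_modified = datetime.fromisoformat(r.si["modified"])
        if si_created.microsecond == 0 and si_modified.microsecond == 0:
            hits.append((r.path, "whole-second $SI timestamps (common timestomping artifact)"))
    return hits


if __name__ == "__main__":
    for event in events_between(build_timeline(SAMPLE_RECORDS),
                                "2024-07-01T10:00:00", "2024-07-01T10:05:00"):
        print(*event)
    print(timestomp_indicators(SAMPLE_RECORDS))
```

Sorting on $SI alone would place update.exe in 2019 and hide it from a window built around the incident; the $FN events put it back where it belongs, which is the point of step 2.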

Search for Known Malware

  1. Scan for malicious files.

  2. Look for active rootkits.

  3. Inspect startup programs.

  4. Inspect running processes.

  5. Extract suspicious files.

Steps for Identifying Malware:

  • Review installed programs.

  • Examine prefetch files.

  • Inspect executables.

  • Check services, drivers, and auto-start locations.

  • Inspect logs.

  • Review user accounts.

  • Examine file system and registry.

Diagrams

Live System Collection

Live System
├── Volatile Data Collection
│   ├── Passwords
│   ├── IP Addresses
│   └── Event Logs
├── Trusted Tools
│   ├── Winalysis
│   └── FileMon, RegMon, ProcMon
└── Forensic Steps
    ├── System Details
    ├── Network Connections
    └── Running Processes

Dead System Identification

Dead System
├── Forensic Analysis
│   ├── File Dates
│   ├── Registry Entries
│   └── Logs
├── Virtual Environment
│   └── LiveView
└── Network Analysis
    ├── Trust Relationships
    └── Network Connections

Summary

  • Live System: Collect volatile data using trusted tools and document everything.

  • Dead System: Conduct a thorough forensic analysis using file dates, registry entries, and virtual environments.

  • Search for Malware: Scan files, check for rootkits, and inspect startup programs, processes, and logs.


Building a Malware Research Lab

Purpose: A dedicated environment for analyzing and researching malware.

Types of Labs

  1. Malware Collection Lab: Systems designed to collect malware samples.

  2. Static Analysis Lab: Analyzes malware without executing it.

  3. Dynamic Analysis Lab: Analyzes malware by running it to observe behavior.

Collecting Samples

  • Sources:

  • Contagio Malware Dump

  • KernelMode.info

  • MalShare.com

  • Malware.lu

  • Malware Blacklist

  • Malwarebytes Forum

  • Malekal’s Forum

  • Using Honeypots:

  • Honeypots attract and collect automated malware for study.

Static Analysis Lab

  • Purpose: Analyze files without execution.

  • Setup: Can be in a virtual or physical environment.

  • Tools Needed: File inspection tools for static analysis.

Dynamic Analysis Lab

  • Purpose: Analyze malware by running it.

  • Setup: Similar steps to static analysis lab; beware of virtual-aware malware.

  • Tools Needed: Real-time monitoring tools.

Virtual Machine Setup

  • Advantages: Easy backup and restore.

  • Software: VMware and VirtualBox (both support Windows, Linux, and Mac).

  • Steps:

  1. Choose hardware.

  2. Install OS.

  3. Configure for malware.

  4. Anonymize the lab.

  5. Isolate the lab.

Real Systems Setup

  • Steps:

  1. Choose hardware.

  2. Install OS.

  3. Configure for malware.

  4. Anonymize the lab.

  5. Isolate the lab.

Malware Analysis Tools

  • Variety: Both commercial and open-source tools are available for static and dynamic analysis.

Memory Forensics

  • Purpose: Capture and analyze system memory for critical evidence.

  • Goals:

  1. Recover executable code from memory.

  2. Extract associated data (e.g., encryption keys, usernames, passwords).

  • Tools: List open files, active network connections, running processes, and hidden processes.
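To show what "recover executable code from memory" looks like in practice, the added Python example below (not code from the post) scans a constructed memory buffer for MZ headers, validates each candidate by following e_lfanew to the PE signature and reading SizeOfImage from the optional header, and carves the mapped image. The buffer contains two fake images and one decoy MZ so the validation step has something to reject; the images, their sizes and their offsets are invented for the example.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _build_fake_image(size_of_image: int, marker: bytes) -> bytes:
    """Constructed in-memory PE image: real header layout, filler instead of code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # x64, 1 section, PE32+ header
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 56, size_of_image)                  # SizeOfImage is at offset 56
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + marker
    return image.ljust(size_of_image, b"\x00")


# Constructed "memory dump": two valid images at page-aligned offsets and a decoy
# "MZ" whose e_lfanew points nowhere, so a signature-only scan would report 3 hits.
SAMPLE_MEMORY = (
    bytes(0x1000)
    + _build_fake_image(0x2000, b"IMAGE-A")   # at 0x1000
    + (b"MZ" + b"A" * 0x7FE)                  # decoy at 0x3000
    + _build_fake_image(0x1800, b"IMAGE-B")   # at 0x3800
    + bytes(0x200)
)


def validate_pe(mem: bytes, off: int, max_size: int = 64 << 20):
    """Return header facts if a plausible PE image starts at `off`, else None."""
    if off + 64 > len(mem):
        return None
    e_lfanew = struct.unpack_from("<I", mem, off + 60)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 84 > len(mem) or mem[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", mem, pe + 4)
    magic = struct.unpack_from("<H", mem, pe + 24)[0]
    size_of_image = struct.unpack_from("<I", mem, pe + 24 + 56)[0]
    if (opt_size < 60 or magic not in (PE32_MAGIC, PE32PLUS_MAGIC)
            or not 0 < size_of_image <= max_size):
        return None
    return {"offset": off, "machine": hex(machine), "pe32plus": magic == PE32PLUS_MAGIC,
            "size_of_image": size_of_image, "is_dll": bool(chars & 0x2000)}


def carve_pe_images(mem: bytes) -> list[dict]:
    """Scan for every MZ and keep the ones that lead to a consistent PE header."""
    found, pos = [], mem.find(b"MZ")
    while pos != -1:
        hdr = validate_pe(mem, pos)
        if hdr:
            found.append(hdr)
        pos = mem.find(b"MZ", pos + 1)  # step by one so images nested inside others are found too
    return found


def extract_image(mem: bytes, hdr: dict) -> bytes:
    """Bytes of the mapped image (section-aligned memory layout, not the on-disk layout)."""
    return mem[hdr["offset"]:hdr["offset"] + hdr["size_of_image"]]


if __name__ == "__main__":
    for hdr in carve_pe_images(SAMPLE_MEMORY):
        print(hex(hdr["offset"]), hdr)
```

A carved region is the image as it was mapped, so its sections sit at their virtual addresses; turning it back into a file that a disassembler loads cleanly means rewriting the section raw pointers, which memory-forensics tools do for you and this example deliberately leaves out.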

Malware Reporting

  1. Executive Summary: Overview of findings, impact, and recommendations.

  2. Technical Details:

  • Detailed analysis of the malware behavior.

  • Infection vectors.

  • Persistence mechanisms.

  3. Indicators of Compromise (IOCs):

  • IP addresses, domain names, file hashes, registry keys.

  4. Mitigation Strategies:

  • Steps to remove the malware.

  • Preventive measures to avoid future infections.

  5. Appendices:

  • Logs, screenshots, and detailed technical data.
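The IOC section of a report is easier to keep accurate when the indicators are pulled out of the analyst's notes and defanged mechanically rather than retyped. The Python below is an added example for these notes, not the author's code: it extracts hashes, IPv4 addresses, URLs, domains and registry keys from a constructed block of notes (every value is invented, using reserved example ranges and placeholder hashes) and renders them in defanged form so nothing in the report resolves or opens by accident.

```python
import re

# Constructed analyst notes: all indicators are made up for the example.
SAMPLE_NOTES = """\
The sample (sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08)
drops update.exe (md5 d41d8cd98f00b204e9800998ecf8427e), beacons to
http://cdn.example/api/check every 10 minutes, falls back to 198.51.100.7:443
and also resolves c2.example via DNS.
Persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater.
"""

# Order matters: URLs are matched before domains so hosts inside URLs are not double counted.
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s,]+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\[^\s]*[^\s.,;]"),
}


def extract_iocs(text: str) -> dict:
    """Candidate indicators from free text, deduplicated and sorted per type."""
    found = {}
    for kind, rx in IOC_PATTERNS.items():
        values = {m.group() for m in rx.finditer(text)}
        if kind == "domain":
            in_urls = {u.split("/")[2] for u in found.get("url", [])}
            values = {v for v in values
                      if v not in in_urls
                      and not v.lower().endswith((".exe", ".dll", ".txt"))}  # file names, not hosts
        if values:
            found[kind] = sorted(values)
    return found


def defang(kind: str, value: str) -> str:
    """Render an indicator so it cannot be clicked or resolved by accident."""
    if kind in ("ipv4", "domain"):
        return value.replace(".", "[.]")
    if kind == "url":
        return re.sub(r"^http", "hxxp", value).replace(".", "[.]")
    return value


def report_section(text: str) -> list[str]:
    """Lines for the IOC section of the report, one indicator per line."""
    return [f"{kind}: {defang(kind, v)}"
            for kind, vals in extract_iocs(text).items() for v in vals]


if __name__ == "__main__":
    print("\n".join(report_section(SAMPLE_NOTES)))
```

Hashes are left as they are, since a defanged hash is useless for lookup; everything that could be resolved or fetched gets the bracketed-dot and hxxp treatment.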

Diagram: Malware Research Lab Setup

Malware Research Lab
├── Collection Lab
│   ├── Contagio Malware Dump
│   ├── KernelMode.info
│   └── Honeypots
├── Static Analysis Lab
│   ├── File Inspection Tools
│   └── Virtual or Physical Setup
├── Dynamic Analysis Lab
│   ├── Real-Time Monitoring Tools
│   └── Virtual or Physical Setup
└── Virtual Machine Setup
    ├── VMware / VirtualBox
    └── Backup & Restore

Summary

  • Malware Research Lab: Dedicated environment for analyzing malware.

  • Types of Labs: Collection, static analysis, and dynamic analysis.

  • Tools and Setup: Use trusted tools, virtual machines, and ensure lab isolation.

  • Memory Forensics: Crucial for extracting hidden and volatile data.

  • Malware Reporting: Document findings, provide technical details, and suggest mitigation strategies.

 
 
 
