Malware Analysis


Malware analysis is the process of studying a malware sample to determine its origin, its functionality and its potential impact. It is one of the major parts of the cyber security field. When you detect malware, you need to analyze it so that you can protect your system from it.


You can get many malware samples for analysis on the internet. I will share some sample sites with you. Remember, these samples can be dangerous for your system, so do the analysis inside a virtual machine.


The sites are:

- github.com/vxunderground/MalwareSourceCode/
- Virustotal.com (accessing samples requires a VT Enterprise subscription)
- Malware-traffic-analysis.net
- zeltser.com/malware-sample-sources/

Techniques in Malware analysis:

There are three types of malware analysis: static analysis, dynamic analysis and hybrid analysis.

Static Analysis:

This is also known as code analysis. With this method you analyze the sample without running it.

- Analyze binaries without actually running them
- Look at file metadata, disassemble or decompile the executable
- Look for file names, hashes, strings such as IP addresses, domains, and file header data
- Identify malicious infrastructure, libraries or packed files

Dynamic Analysis:
This is quite dangerous. You must run the sample inside a virtual machine. If you run it on your regular machine, your device and data may be put at risk.

- Run the executable in a sandboxed environment
- Watch the malware in action without the risk of infection or escape
- Watch for malicious runtime behavior that static analysis might not reveal

Hybrid Analysis:

This is the combination of static and dynamic techniques. Apply static analysis to data generated by behavioral analysis, e.g. examine a memory dump after malicious code has made changes in memory.

The most important part is creating the environment. The whole process is given below:

1. Prepare the test bed:
- Create a virtual machine on a host computer
- Isolate the host system
- Configure the guest VM NIC to be in host-only mode
- Disable shared folders (guest VM isolation)
- Copy the malware to the guest OS

2. First analyze the malware in a static (non-running) state
- Use tools such as BinText or Sysinternals Strings to search the binary for hard-coded names, IP addresses, or other text.

3. Run the malware and monitor/analyze its activities
- Use tools like Process Monitor, Dependency Walker, or API Monitor to observe processes and API calls
- Use tools like NetResident, TCPView or even Wireshark to observe network activity, ports and connections, beaconing, ARPing, etc.

4. Check to see what files the malware adds, changes, or deletes
- Tools: IDA Pro, VirusTotal, Anubis, ThreatAnalyzer.
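Steps 2 and 4 of the procedure above can be scripted. The following Python is an added example written for this post, not code from the original article or from any of the tools it names: it computes the hashes you would look up, pulls printable strings and IOC-shaped values (IPs, URLs, domains) out of a binary the way Strings/BinText does, reads the PE file header with the standard library only, and diffs two directory snapshots to list what files were added, changed or deleted. The byte string, the temporary directory edits, the short TLD list (which includes `example` only so the reserved sample domain matches) and all names are constructed for the demo.

```python
import datetime
import hashlib
import os
import re
import struct
import tempfile

# Constructed input: a minimal MZ/PE header followed by an ASCII tail holding
# the kind of strings a triage pass looks for. It is not a real executable.
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab ptr,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    + struct.pack("<HHIIIHH", 0x014C, 3, 0x5F000000, 0, 0, 0xE0, 0x0102)
    + b"\x00" * 32
    + b"GET /update.php HTTP/1.1\x00"
    + b"beacon-c2.example\x00"
    + b"http://203.0.113.10/dl\x00"
    + b"\x01\x02ab\x00"                                   # too short to count as a string
)

def hashes(data: bytes) -> dict:
    """Hashes to look up on VirusTotal or pivot on in other sources (step 2)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes, the same idea as Strings/BinText."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r'https?://[^\s"<>]+'),
    # TLD list kept short for the constructed sample; widen it for real use
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|example)\b", re.I),
}

def find_iocs(strings: list) -> dict:
    """Pick hard-coded addresses, URLs and domains out of the string list."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            found[kind].update(pat.findall(s))
    return {kind: sorted(v) for kind, v in found.items()}

def pe_header(data: bytes) -> dict:
    """Read the COFF file header with struct only, so it runs without a PE library."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": {0x014C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "sections": nsect,
        "compiled": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat(),
        "characteristics": chars,
    }

def snapshot(root: str) -> dict:
    """Relative path -> sha256 for every file under root: a 'before' or 'after' picture."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def diff_snapshots(before: dict, after: dict) -> dict:
    """What step 4 asks for: files added, changed or deleted between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }

def demo_file_changes() -> dict:
    """Simulate a run in a temp directory; the edits stand in for what a sample would do."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("config.ini", b"a=1")
        write("old.log", b"x")
        before = snapshot(root)
        write("config.ini", b"a=2")                 # changed
        os.remove(os.path.join(root, "old.log"))    # deleted
        write("dropper.dll", b"\x00")               # added (constructed name)
        after = snapshot(root)
    return diff_snapshots(before, after)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BYTES)
    print(hashes(SAMPLE_BYTES)["sha256"])
    print(pe_header(SAMPLE_BYTES))
    print(find_iocs(strings))
    print(demo_file_changes())
```

Run it against a real sample by reading the file into `SAMPLE_BYTES` inside the VM; the snapshot pair is taken of the directories you care about before and after the run, which is the same before/after idea RegShot applies to the registry.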

Sample report of malware analysis:
[Image: Malware analysis review]

There are also some cloud-based malware analysis sites. Cloud-based malware analysis takes advantage of collecting a wide range of samples from many protected sites, and of using a provider's cloud, rather than local scanning, to identify viruses. The list of sites is given below:

- VirusTotal
- Malwr.com
- www.hybrid-analysis.com
- Anubis
- Avast! Online Scanner
- Malware Protection Center
- UploadMalware.com
- ThreatExpert
- Dr. Web Online Scanners
- Metascan Online
- Bitdefender QuickScan
- Online Malware Scanner
- ThreatAnalyzer

You can also use reverse engineering methods to do the analysis. The methods are:

- Examine the code: use a hex dumper to look for bit patterns; use a disassembler to read executable instructions in text format.
- Examine the malware's exploitation techniques: if the malware obfuscates itself, focus on reverse engineering only the new parts; look for mistakes in ransomware encryption implementations; look for command & control activity.
- Categorization and clustering: do broad-stroke analysis on bulk samples rather than a deep dive into a single sample.

You need to understand the basics of assembly language to do reverse engineering.

Some tools for this:
- Disassemblers: IDA Pro, dotPeek, ODA, Relyze, Hopper Disassembler, Binary Ninja
- Decompilers: IDA Pro + Hex
- Debuggers: OllyDbg, WinDbg, Immunity, Syser, Zend Studio, GNU Debugger
- System monitors: Process Monitor, RegShot, Process Explorer
- Network monitors: TCPView, Wireshark
- Packer identifiers: PEiD, Exeinfo PE
- Unpacking tools: QUnpack, GUNPacker
- Binary analysis tools: PE Explorer, Malcode Analysts Pack, Strings
- Code analysis tools: LordPE, ImpREC, Dependency Walker, PowerShell, HashMyFiles

Malware Counter Measures:
- Install a good antivirus program
- Keep it updated
- Scan your system regularly
- Consider enabling real-time protection
- Keep your system patched
- Regularly back up data
- Store backups in a safe location
- Safely store clean original copies of all software
- Enable browser security features such as popup blockers and site safety
- Set restore points before and after installing any new program on a Windows system.

Trojan Counter Measures:
- Block unnecessary ports at the host and edge firewalls
- Restrict desktop permissions
- Harden/disable weak/default configuration settings
- Do not blindly type commands or use pre-made scripts/programs
- Ensure internal traffic is monitored for encrypted traffic/unusual ports
- Ensure that file integrity at each workstation is consistently managed.

Backdoor counter measures:
- Run netstat -naob to find unexpected open ports
  - Determine the owning process and source files
- Block unnecessary ports on the host firewall
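The netstat step above is easier to repeat if the output is parsed rather than read by eye. The Python below is an added example, not part of the original post: it parses text in the shape of Windows `netstat -naob` output (socket line, optional service name, then the owning executable in square brackets), flags listening TCP ports that are not in a baseline of expected listeners, and lists what a flagged PID is connected to. The netstat excerpt, the baseline port set, the PIDs and the executable names are all constructed for the demo; feed it real output with `netstat -naob > ports.txt` from an elevated prompt.

```python
import re

# Constructed excerpt in the shape of `netstat -naob` output on Windows. Each
# socket line is followed by the owning service (optional) and the executable
# in square brackets. These lines were written for this example, not captured.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING       5120
 [updater.exe]
  TCP    192.0.2.15:49712       203.0.113.10:8443      ESTABLISHED     5120
 [updater.exe]
  UDP    0.0.0.0:5353           *:*                                    1820
 [chrome.exe]
"""

# Ports an administrator expects to see listening on this host (constructed baseline).
EXPECTED_LISTENERS = {135, 445, 3389}

SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
OWNER_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")

def parse_netstat(text: str) -> list:
    """Turn the text into records, attaching the bracketed owner that follows each socket line."""
    records = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["lport"] = int(rec["lport"])
            rec["pid"] = int(rec["pid"])
            rec["owner"] = None          # stays None when netstat could not get ownership
            records.append(rec)
            continue
        owner = OWNER_RE.match(line)
        if owner and records:
            records[-1]["owner"] = owner.group("exe")
    return records

def unexpected_listeners(records: list, expected=EXPECTED_LISTENERS) -> list:
    """Listening TCP sockets on ports outside the baseline, with PID and owner for follow-up."""
    return [
        (r["lport"], r["pid"], r["owner"])
        for r in records
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] not in expected
    ]

def outbound_by_pid(records: list, pid: int) -> list:
    """Established connections owned by a PID: what a flagged process is talking to."""
    return [r["raddr"] for r in records if r["pid"] == pid and r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for port, pid, owner in unexpected_listeners(recs):
        print(f"unexpected listener: port {port} pid {pid} owner {owner}")
        print("  connected to:", outbound_by_pid(recs, pid))
```

The owner name is what you take to the next sub-step (find the process, its image path and its source files); a record whose owner is None is worth a look too, since ownership could not be read for it.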

Rootkit counter measures:
- Perform a file integrity check using a tool such as RootkitRevealer from Sysinternals
- If a system has a kernel-level rootkit, the only safe and secure way to clean it is to:
  - Completely wipe the hard drive
  - Perform a clean installation of the operating system

RAT Counter Measures:
- Recognize that RATs are challenging to detect
  - An infection can go undetected for years
  - RAT software can only be identified once it is operating on your system
  - RATs use obfuscation methods such as parallel programs to cloak their activities
  - Persistence modules that use rootkit techniques make RATs very difficult to delete
- Install a HIDS on newly-deployed hosts
- Install a NIDS to watch for suspicious network activity

RAT Detectors:
- SolarWinds Security Event Manager
- Snort
- OSSEC
- Zeek
- Suricata
- Sagan
- Security Onion
- AIDE
- OpenWIPS-NG
- Samhain
- Fail2Ban

Fileless malware mitigation techniques:
- Perform behavior-based analysis to identify malicious activities and patterns
- Identify the scripts or actions responsible for loading the malware into memory
- Set the PowerShell script execution policy to Restricted
- Keep up with patches and updates.

Some anti-malware software packages are:
- TotalAV
- PCProtect
- Symantec Endpoint Protection
- ScanGuard
- Bitdefender
- Norton
- Windows Defender
- AVG
- Avast
- McAfee
- Malwarebytes
- BullGuard
- Kaspersky
- ESET
- Panda
- Trend Micro
- F-Secure
- ZoneAlarm
- SpeedyClean

Cloud-based antivirus:
- Stores information about malware variants in the cloud, rather than on a user's device.
- Gives access to a larger threat database without having to house it on your hard drive.
- Uses a smaller installation agent for your antivirus software, so it takes up less space.

Names of the cloud-based antiviruses:
- Kaspersky Security Cloud
- Malwarebytes
- Webroot
- Sophos Endpoint Protection
- AVAST Business Hub
- ESET Endpoint Security
- Bitdefender
- AVIRA
- McAfee
- Panda Antivirus

I have discussed the theoretical part of malware analysis and prevention. You must study more and do some practical work to learn more about this topic. This is an important and very common issue in this era.
