
Okay! So I have finally set up my blog after having a real hard time with CSS settings in Jekyll themes. So without much delay, let's begin!
What is Malware Analysis
Any software that causes harm to a user, a computer or a network can be considered malware, and malware analysis is the art of dissecting it to understand how it works, how to identify it, and how to defeat or eliminate it.
Malware Analysis Techniques
Static Analysis
This involves analyzing the file without actually running it. Basic static analysis means dumping strings, checking digital signatures, computing hashes, inspecting the file header and looking for signs of a packer. More advanced static analysis means reverse-engineering the malware's internals: loading the executable into a disassembler and working out what the program does by reading CPU instructions. Advanced static analysis requires a deeper knowledge of OS internals.
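As an added example (not code from the original post), here is a basic static triage script in Python that does the first-pass work described above: hashes for lookups, a hand-rolled parse of the DOS, COFF and section headers (no `pefile` dependency), per-section Shannon entropy, printable-string extraction, and a packing verdict based on entropy and well-known packer section names. The PE image it runs on is constructed in `build_sample_pe()` and is not a real sample; the packer section list and the 7.0 entropy threshold are assumptions of this example.

```python
"""Basic static triage of a PE file: hashes, header fields, section entropy, strings.

Added example, not from the original post. Parses the DOS, COFF and section
headers by hand and runs against a tiny constructed PE32 image, not a real sample.
"""
import hashlib
import math
import re
import struct

# Section names written by well-known packers (assumed list); a hint, not proof of packing.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 suggests compressed or encrypted data, below ~6 plain code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """Return COFF header fields plus raw size and entropy for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = sect_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vaddr": hex(vaddr), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": hex(machine), "timestamp": timestamp, "characteristics": hex(chars), "sections": sections}


def triage(data: bytes) -> dict:
    """Hashes for VT-style lookups, header facts, strings, and a packing verdict."""
    info = parse_pe(data)
    info["md5"] = hashlib.md5(data).hexdigest()
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["strings"] = extract_strings(data)
    info["likely_packed"] = any(s["entropy"] > 7.0 or s["name"] in PACKER_SECTION_NAMES for s in info["sections"])
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32: a plain .text section holding a few strings, and a UPX1 section of pseudo-random bytes."""
    text = b"\0".join([b"kernel32.dll", b"CreateRemoteThread", b"http://c2.example.invalid/check"]).ljust(512, b"\0")
    packed, block = b"", b"constructed-sample"
    while len(packed) < 2048:  # a SHA-256 chain stands in for compressed data
        block = hashlib.sha256(block).digest()
        packed += block
    opt_size, text_ptr = 224, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C points to the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5B8C7A10, 0, 0, opt_size, 0x0102)  # i386, 2 sections, EXE
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, remaining fields zeroed

    def section(name, vaddr, raw, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff + optional
               + section(b".text", 0x1000, text, text_ptr)
               + section(b"UPX1", 0x2000, packed, text_ptr + len(text)))
    return headers.ljust(text_ptr, b"\0") + text + packed


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    report = triage(SAMPLE_PE)
    for key in ("sha256", "machine", "characteristics", "likely_packed"):
        print(f"{key}: {report[key]}")
    for s in report["sections"]:
        print(f"  {s['name']:<8} raw={s['raw_size']:<5} entropy={s['entropy']}")
    print("strings:", [s for s in report["strings"] if len(s) > 8][:5])
```

The point to notice is the contrast between the two sections: the `.text` section with readable imports and a URL sits at low entropy, while the `UPX1` section sits near 8 bits per byte and yields only junk strings. On a real packed sample that is exactly what you see, and it tells you the interesting strings will only appear after unpacking or in a memory dump from dynamic analysis.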
Dynamic Analysis
This involves running the malware in a sandbox and observing its behavior on the system, so that the infection can be understood and then removed or prevented. Advanced dynamic analysis means running the malware under a debugger and stepping through the CPU instructions. This requires deep knowledge of assembly as well as OS internals.
Types of Malware
Type | Description |
---|---|
Backdoor | Malicious code that installs itself on the victim's computer and lets an attacker connect to it, usually with little or no authentication, and execute commands on the local system. |
Botnet | Similar to a backdoor in that it gives attackers access to the system. The key difference is that infected machines receive instructions from a command and control (C&C) server instead of the attacker accessing each one manually. DDoS is a good example of the kind of attack performed by botnets. |
Rootkit | Malicious code designed to conceal its own existence or that of other malicious code. Advanced rootkits use kernel components to hide processes, files, network connections and so on. |
Spyware | Gathers information from the victim's computer without the victim's knowledge and sends it to the attacker. |
Ransomware, Wiper | Ransomware encrypts user files such as documents, audio and video and demands a ransom in return for the decryption key. A wiper destroys or overwrites the data outright; there is nothing to pay for. |
Common Detection Techniques
Antivirus relies on file signatures or basic behavioral heuristics, so it can only detect known malware or known types of attacks. I will discuss more about it in the upcoming sections. While running malware, we should chase the following artifacts:
Processes
This is a no-brainer. These are the things we should be on the lookout for:
- What processes were running before and after the malware ran?
- Is any new or existing process running with elevated privileges?
- Is any process running from a suspicious location (a temp directory, or explorer.exe running from somewhere other than the Windows directory) or under a suspicious name?
Network
- Check for any suspicious connections being made. (Closing your browsers first is a good idea so the baseline stays quiet, unless the malware is somehow interacting with your browser.)
- Check which ports the malware opens or uses.
Drivers and Services
Check whether any unauthorized driver or service is running or has been newly installed.
File System
Check whether anything is happening in a sensitive location. Examples include a DLL being dropped and registered for loading through the AppInit_DLLs mechanism (Windows), or an attempt to read /etc/shadow (Unix).
Registry - Windows
The registry is an integral part of Windows; many settings are controlled through it. While running malware we should look at new and modified registry keys, especially autostart locations such as the Run keys.
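The artifact checks above (processes, network, drivers and services, file system, registry) all boil down to the same method: snapshot the system before running the sample, snapshot it again afterwards, diff the two, and apply a few sanity rules to whatever changed. The Python below is an added example, not code from the original post. Collecting the snapshots is left to the reader (tasklist, netstat -ano, sc query and reg export on Windows, or psutil); the code shows the diffing and the checks, run over two constructed snapshots of an analysis VM. The heuristic tables (system binary names, user-writable directories, autostart keys) are assumptions of this example and would be wider in practice.

```python
"""Before/after snapshot diff for dynamic-analysis artifacts.

Added example, not from the original post. Snapshot collection is left to the
reader; this shows the diff and the suspicious-artifact checks over constructed data.
"""
import copy
import ntpath

# Heuristic tables (assumed for this example; a real deployment would widen them).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
AUTOSTART_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls",
)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Per artifact class, report what appeared, vanished or changed between the two runs.

    A snapshot maps a class ('processes', 'connections', 'services', 'registry') to a
    dict keyed by a stable identifier (pid, 5-tuple, service name, registry value path).
    """
    result = {}
    for cls in sorted(set(before) | set(after)):
        b, a = before.get(cls, {}), after.get(cls, {})
        result[cls] = {
            "new": {k: a[k] for k in a.keys() - b.keys()},
            "removed": {k: b[k] for k in b.keys() - a.keys()},
            "changed": {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
        }
    return result


def flag_suspicious(diff: dict, after: dict) -> list:
    """Apply the artifact checks only to what the diff says is new or modified."""
    findings = []

    def add(cls, key, reason):
        findings.append({"class": cls, "key": key, "reason": reason})

    procs = after.get("processes", {})
    for pid, p in diff["processes"]["new"].items():
        path = p["path"].lower()
        if any(d in path for d in USER_WRITABLE_DIRS):
            add("processes", pid, "runs from user-writable location")
        if ntpath.basename(path) in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
            add("processes", pid, "masquerades as system binary outside Windows directory")
        parent = procs.get(p.get("ppid"))  # privilege gained across a parent/child boundary
        if p.get("elevated") and parent is not None and not parent.get("elevated"):
            add("processes", pid, "elevated child of non-elevated parent")
    for conn, c in diff["connections"]["new"].items():
        _proto, _laddr, _lport, raddr, _rport = conn
        if c["state"] == "LISTEN":
            add("connections", conn, "new listening port")
        elif raddr:
            add("connections", conn, "new outbound connection")
    for name, s in diff["services"]["new"].items():
        if any(d in s["binpath"].lower() for d in USER_WRITABLE_DIRS):
            add("services", name, "new service with binary in user-writable location")
        else:
            add("services", name, "new service installed")
    for path in list(diff["registry"]["new"]) + list(diff["registry"]["changed"]):
        if path.lower().startswith(AUTOSTART_KEYS):
            add("registry", path, "new autostart entry" if path in diff["registry"]["new"] else "modified autostart entry")
    return findings


# Constructed "before" snapshot of a clean analysis VM (not real data; TEST-NET addresses).
BEFORE = {
    "processes": {
        612: {"name": "explorer.exe", "path": "C:\\Windows\\explorer.exe", "ppid": 580, "elevated": False},
        1044: {"name": "firefox.exe", "path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ppid": 612, "elevated": False},
    },
    "connections": {("tcp", "192.168.56.101", 49712, "203.0.113.10", 443): {"pid": 1044, "state": "ESTABLISHED"}},
    "services": {"Spooler": {"binpath": "C:\\Windows\\System32\\spoolsv.exe", "start": "auto"}},
    "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
                 "C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
}

# Constructed "after" snapshot: the browser was closed, then the sample ran.
AFTER = copy.deepcopy(BEFORE)
del AFTER["connections"][("tcp", "192.168.56.101", 49712, "203.0.113.10", 443)]
AFTER["processes"][3120] = {"name": "svchost.exe", "path": "C:\\Users\\analyst\\AppData\\Local\\Temp\\svchost.exe",
                            "ppid": 612, "elevated": False}
AFTER["processes"][3188] = {"name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "ppid": 3120, "elevated": True}
AFTER["connections"][("tcp", "0.0.0.0", 4444, "", 0)] = {"pid": 3120, "state": "LISTEN"}
AFTER["connections"][("tcp", "192.168.56.101", 49801, "198.51.100.23", 8080)] = {"pid": 3120, "state": "ESTABLISHED"}
AFTER["services"]["WinUpdateSvc"] = {"binpath": "C:\\ProgramData\\upd\\svc.exe", "start": "auto"}
AFTER["registry"]["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"] = \
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\svchost.exe"

DIFF = diff_snapshots(BEFORE, AFTER)
FINDINGS = flag_suspicious(DIFF, AFTER)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f['class']}] {f['key']}: {f['reason']}")
```

Two things are worth noting. First, the rules run only over the diff: the legitimate OneDrive autostart entry also lives under AppData, but it was there before the sample ran, so it is never flagged. That is why the clean "before" snapshot matters more than the cleverness of the rules. Second, the fake svchost.exe is caught twice, once for its location and once for its name, while the elevated cmd.exe is caught only because its parent is known and unprivileged; a sample that spawns its child from an already elevated process would need a different check.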
VT
Whenever you come across a piece of code you want to analyze or run, it is usually a good idea to look up its hash on virustotal.com to see whether it is already known to be malicious. Prefer searching by hash before uploading the file itself: uploaded samples are shared with antivirus vendors and other VirusTotal subscribers, which can leak an internal document or tip off a targeted attacker that their sample has been found.
WHY DO ANTI-VIRUSES SUCK?
To get a detailed answer as to why anti-virus is not always effective, we first have to understand what a zero-day vulnerability or attack is. "Zero-day" describes a successful attack on a system's security before the vendor of that system (or of the security product defending it) knows about the flaw. This makes zero-day attacks deadly, as defenders may not even realize they are under attack until after the damage is done. Even once the vendor learns that the hole exists, it takes time to build and deploy a patch, and until then every unpatched system remains vulnerable to the exploit.
Anti-virus, at the end of the day, relies on known signatures and heuristics to raise an alarm. For example, if you run a tool like mimikatz your AV will trigger an alert because it already has file and behavior signatures for it.
Now, a small example to illustrate a scenario in which AV fails. EternalBlue, an exploit against a then-unpatched vulnerability in the SMBv1 implementation of Microsoft Windows, was released publicly by the Shadow Brokers on 14 April 2017. However, the same vulnerability was reportedly exploited by the Chinese group BuckEye since March 2016 (and of course by the NSA). Microsoft released a patch for it (MS17-010) only in March 2017. All that time the vulnerability was being exploited, and no signature could have caught it until the exploit was leaked or reported.
That's it for now!
In my next post, I will write a short post on setting up your own Windows sandbox.