Malware Analysis
Security tools are designed to protect computer systems and networks, but the same tools can be used by unauthorized individuals to probe for weaknesses. Many programs that fall into the malware categories (viruses, worms, ransomware, Trojan horses, keyloggers, rootkits, spyware, adware) have benevolent uses; for example, worm-like code can be used to distribute computation across idle processors. The purpose, not the approach, makes a program malicious.

In the past, malicious programs arrived on tapes and disks, and the spread of a virus around the world took many months. Antivirus companies had time to identify a new viral strain and create cleaning procedures. Today, Trojan horses and viruses are network-deliverable as e-mail attachments, self-extracting packages and so on.

A simple .bat file in Windows:

    @ECHO off
    ECHO name
    PAUSE

In this script, ECHO off stops the commands themselves from being printed at the prompt (the leading @ also hides the ECHO off line itself), ECHO name prints the text "name" to the screen, and PAUSE waits for the user to press a key before the program exits.

Common Vulnerabilities and Exposures (CVE) is a catalog of publicly known security vulnerabilities and exposures, each with a standard identifier. A vulnerability is a flaw an attacker can exploit directly; for example, it may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure is a configuration or state that gives an attacker a foothold; for example, it may allow an attacker to secretly gather customer information that could be sold.

On Windows, choose when to be notified of changes to your machine (Control Panel, User Account Control settings) and make sure notification is enabled, so that a program cannot elevate its privileges silently.

Trojan horses are programs that appear to have one function but perform another. A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect. Eg: often a Trojan horse masquerades as a commonly used program, such as the ls command. The discretionary access control models of Unix and Windows cannot prevent a Trojan horse from leaking data. The Unix model permits the sharing of files with all users by granting read access to "others".
However, if a user has write access to any file that others can read, then malware running as that user can leak secrets by writing them to this file. Discretionary access control (DAC) permits users to modify access control policies: any program that the user runs can modify the permission assignments of files that the user owns. Thus any of the user's files may be leaked by malware simply by changing the file permissions.

A remote access Trojan (RAT) is a malware program that includes a backdoor for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program, such as a game, or sent as an e-mail attachment. Back doors, sometimes called trap doors, allow unauthorized access to a system. Eg: the payloads generated by msfvenom (Metasploit).

Keyloggers are Trojans typically deployed for profit. While they do not disrupt normal operation of the infected computer, they monitor, log and send each keystroke to a remote location, for example over e-mail or FTP.

Bacteria, or rabbit programs, make copies of themselves to overwhelm a computer system's resources. Bacteria do not explicitly damage any files; their sole purpose is to replicate. A typical bacteria program may do nothing more than execute two copies of itself simultaneously on a multiprogramming system, or create two new files, each a copy of the original source of the bacteria program. Each of those copies then copies itself twice, and so on. Bacteria reproduce exponentially, eventually consuming all processor capacity, memory or disk space and denying users access to those resources. A simpler, linear resource-exhaustion loop in the shell, which keeps creating nested directories until the filesystem runs out of inodes (do not run it on a system you care about):

    while true
    do
        mkdir x
        cd x
    done

Logic bombs are programmed threats that lie dormant for an extended period of time until they are triggered; at that point they perform a function that is not the intended function of the program in which they are contained.
Logic bombs usually are embedded in programs by software developers who have legitimate access to the system. A payload that will damage the system (do not run this):

    cd / && rm -rf *

Viruses are "programs" that modify other programs on a computer, inserting copies of themselves. A program is a file that adheres to a strict description of how its content is organized. In this sense viruses are not programs: they cannot run on their own and need to become part of some host program. When an infected program is executed, the virus attaches itself to another program, and so on.

Structure of a virus (pseudocode; the infected program is entered only after the virus has run):

    V()
    {
        infectExecutable();
        if (triggered()) {
            doDamage();
        }
        jump to main of infected program;
    }

    void infectExecutable()
    {
        file = choose an uninfected executable file;
        prepend V to file;
    }

    void doDamage() { ... }

    int triggered() { return (some test ? 1 : 0); }
In the infected binary, at a known byte location in the file, the virus inserts a signature byte used to determine whether a potential carrier program has already been infected. Prepending the virus makes the infected file longer than it was, which is easy to spot. There are, however, many techniques to infect a file while leaving its length and even its checksum unchanged. For example, executable files often contain long runs of zero bytes, which the virus can overwrite and regenerate at run time. It is also possible to compress the original executable code, as Zip programs do, decompress it before execution, and pad the file with bytes chosen so that the checksum comes out as it was (this defeats a simple additive checksum, not a cryptographic hash).

A stealth virus contains code that seeks to conceal it from discovery or to defend it against attempts to analyze or remove it. The stealth virus adds itself to a file or boot sector, but when you examine the file it appears normal and unchanged. It achieves this by staying in memory after it is executed; from there it monitors and intercepts system calls, and when the system opens an infected file the virus presents the uninfected version, thus hiding itself. Eg: rootkits apply the same idea at the system level. They replace or hook kernel components and system DLLs, and because the hooked code is part of the system itself, the malware's processes and files are much easier to hide from antivirus software.

A macro virus is a piece of self-replicating code inserted into an auto-execute macro. Once the macro is running it copies itself to other documents, deletes files, and so on.

An encrypted virus changes its appearance on disk by encrypting its body with a key that varies from copy to copy. The decrypted code is the same in each case, so signature detection on the decrypted body in memory is still possible, and the fixed decryptor stub can itself be signatured. A polymorphic virus also rewrites the decryptor on each generation, and a metamorphic virus rewrites its whole body, so that it automatically changes its appearance each time it propagates or is distributed.

A worm is a malicious program that copies itself from one computer to another over a network.
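The following is an added example, not code from the notes above: a toy model of why an encrypted virus defeats on-disk signature scanning but not a scan of the decrypted body in memory, and why a polymorphic variant also hides the decryptor stub. The "virus body", the "decryptor stub", the junk-instruction pool and all function names are this example's own constructions (a one-byte XOR stands in for the virus's encryption routine); nothing here infects anything.

```python
"""Signature scanning versus encrypted and polymorphic virus bodies.

Added example, not code from the original notes. The 'virus body' and the
'decryptor stub' are constructed, inert byte strings; a one-byte XOR stands
in for the encryption routine. All names below are this example's own.
"""
import random

# Constructed inert stand-in for a virus body; a signature is just a
# substring of the body that the scanner has on file.
PLAIN_BODY = b"\x55\x8b\xec\x60INFECT-MARKER\x61\xc9\xc3"
BODY_SIGNATURE = b"INFECT-MARKER"

# Constructed stand-in for the decryptor loop. It is identical in every
# encrypted copy, so the scanner can carry a signature for it as well.
DECRYPTOR_STUB = b"\xb9\x10\x00\x00\x00\x80\x34\x0b\xe2\xfb"
STUB_SIGNATURE = b"\x80\x34\x0b\xe2"

# Single-byte x86 instructions with no effect on the decryption (nop, clc,
# cld, fwait): the polymorphic variant sprinkles these between stub bytes.
JUNK_POOL = b"\x90\xf8\xfc\x9b"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def encrypted_copy(body: bytes, key: int) -> bytes:
    """On-disk layout of an encrypted virus: [stub][key byte][body XOR key].
    A key of 0 would leave the body in clear, so it is rejected."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def polymorphic_copy(body: bytes, key: int, rng: random.Random) -> bytes:
    """Polymorphic variant: the stub is rewritten on every generation by
    interleaving a junk instruction after each stub byte, so no contiguous
    stub signature survives on disk. (A real engine would also keep the
    stub's jump targets consistent; this sketch only models the bytes.)"""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    mutated = b"".join(bytes([b, rng.choice(JUNK_POOL)]) for b in DECRYPTOR_STUB)
    return mutated + bytes([key]) + xor_bytes(body, key)


def emulate_decryptor(sample: bytes, stub_len: int) -> bytes:
    """What a memory scanner or emulator sees once the stub has run: the key
    byte sits right after the stub and the body after it is XORed back."""
    key = sample[stub_len]
    return xor_bytes(sample[stub_len + 1:], key)


def scan(data: bytes, signature: bytes) -> bool:
    """Plain contiguous signature match, as a simple on-access scanner does."""
    return signature in data


def detect_on_disk(sample: bytes) -> dict:
    """Result of scanning the file as stored: body signature and stub signature."""
    return {"body": scan(sample, BODY_SIGNATURE),
            "stub": scan(sample, STUB_SIGNATURE)}


def detect_in_memory(sample: bytes, stub_len: int) -> bool:
    """Result of scanning the body after the decryptor has been emulated."""
    return scan(emulate_decryptor(sample, stub_len), BODY_SIGNATURE)


if __name__ == "__main__":
    rng = random.Random(7)
    enc = encrypted_copy(PLAIN_BODY, 0x5A)
    poly = polymorphic_copy(PLAIN_BODY, 0x5A, rng)
    print("plain, on disk      :", detect_on_disk(PLAIN_BODY))
    print("encrypted, on disk  :", detect_on_disk(enc),
          "in memory:", detect_in_memory(enc, len(DECRYPTOR_STUB)))
    print("polymorphic, on disk:", detect_on_disk(poly),
          "in memory:", detect_in_memory(poly, 2 * len(DECRYPTOR_STUB)))
```

Two copies made with different keys differ byte for byte on disk yet decrypt to the same body, which is why scanners emulate the first few hundred instructions of a suspicious file (or wait for the body to appear in memory) rather than relying on disk signatures alone; the stub signature catches the plain encrypted copy, but the polymorphic copy defeats it and is only caught after emulation.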
A worm is an independent program, in the sense described above, unlike a virus, which is a part-program that must insert itself into a whole program. A worm typically does not modify other programs. A typical worm may carry other code, including programs and viruses.

Ransomware is a type of malicious software, from cryptovirology, that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Eg: WannaCry.

Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities to initiate, transmit and spread an attack. By using multiple methods and techniques, blended threats can spread rapidly and cause widespread damage. Characteristics of blended threats include:
• Causes harm: launches a denial of service (DoS) attack at a target IP address, defaces web servers, or plants Trojan horse programs for later execution.
• Propagates by multiple methods: scans for vulnerabilities to compromise a system, such as embedding code in HTML files on a server, infecting visitors to a compromised web site, or sending unauthorized e-mail from compromised servers with a worm attachment.
• Attacks from multiple points: injects malicious code into the .exe files on a system, raises the privilege level of the guest account, creates world-readable and writeable network shares, makes numerous registry changes, and adds script code to HTML files.
• Spreads without human intervention: continuously scans the Internet for vulnerable servers to attack.
• Exploits vulnerabilities: takes advantage of known vulnerabilities, such as buffer overflows, HTTP input validation flaws and known default passwords, to gain unauthorized administrative access.
Effective protection from blended threats requires a comprehensive security solution with multiple layers of defense and response mechanisms.
The primary indicators that a computer has been infected by a virus are the following:
• Some programs work more slowly.
• File sizes grow (especially executable files, which should not change in size).
• Suspicious files appear that did not exist before.
• A significant decrease in available system memory compared to normal operation.
• Unexpected video and/or sound effects.
Use antivirus software to detect and remove it: Norton, F-Secure, McAfee, AVG, Symantec, etc.

Fred Cohen proved mathematically that perfect detection of unknown viruses is impossible: no program can look at other programs and say either "a virus is present" or "no virus is present" and always be correct. But in the real world most new viruses are sufficiently like old viruses that the same sort of scanning that finds known viruses also finds the new ones. And there are a large number of heuristic tricks that antivirus programs use to detect new viruses, based either on how they look or on what they do. These heuristics are only sometimes successful, but since brand-new viruses are comparatively rare, they are sufficient to the purpose.

Static analysis examines the malware binary without running it. It starts from the file's fingerprint (its cryptographic hash, a unique identifier for that exact binary) and signature scanning, and the binary can be reverse-engineered with a disassembler such as IDA, which converts the machine-executable code into assembly language to make it human readable. Techniques commonly grouped under static analysis are file fingerprinting, virus scanning, packer detection and disassembly; memory dumping and debugging need the sample to run, so strictly they belong to dynamic analysis. Dynamic analysis observes the behavior of the malware in a sandbox environment so that it cannot affect other systems. Manual analysis is increasingly replaced by automated analysis in commercial sandboxes.
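As an added example of the static-analysis steps just listed (fingerprinting and packer detection), not code from the notes or from any of the tools they name, the block below hashes a sample, computes per-section Shannon entropy and applies a packer heuristic. Because it must run offline, the two "samples" are constructed in-line as lists of sections (name, raw bytes, executable flag) rather than parsed from real PE files, and the packer section-name list is a short illustrative one.

```python
"""Static-analysis triage: fingerprints, section entropy, packer heuristic.

Added example, not code from the original notes or from VirusTotal, PEiD or
any other tool. Samples are constructed in-line as (name, raw bytes,
is_executable) section lists instead of real PE files.
"""
import hashlib
import math
import random
from collections import Counter

# Section names that well-known packers leave behind (UPX, ASPack, Petite,
# MPRESS). Illustrative, not exhaustive.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                         ".petite", ".MPRESS1", ".MPRESS2"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; compiled code usually sits well below this


def fingerprint(data: bytes) -> dict:
    """Hashes used to identify a sample and look it up (e.g. on VirusTotal)."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_hints(sections) -> list:
    """Return the reasons a sample looks packed; an empty list means no hint.
    `sections` is a list of (name, raw_bytes, is_executable)."""
    hints = []
    for name, raw, is_exec in sections:
        if name in KNOWN_PACKER_SECTIONS:
            hints.append(f"{name}: known packer section name")
        if not is_exec:
            continue   # compressed resources are high-entropy but normal
        if len(raw) == 0:
            hints.append(f"{name}: executable section empty on disk "
                         "(filled at run time by the unpacker)")
        elif (e := shannon_entropy(raw)) > ENTROPY_THRESHOLD:
            hints.append(f"{name}: executable section entropy {e:.2f} > "
                         f"{ENTROPY_THRESHOLD} (compressed or encrypted code)")
    return hints


def triage(sections) -> dict:
    """One-shot static summary of a sample: hashes, entropy map, packer hints."""
    blob = b"".join(raw for _, raw, _ in sections)
    return {"fingerprint": fingerprint(blob),
            "entropy": {n: round(shannon_entropy(r), 2) for n, r, _ in sections},
            "hints": packer_hints(sections)}


# Constructed samples. 'Code' is a repeated prologue/epilogue byte pattern
# (low entropy, like real compiled code); 'packed code' is seeded
# pseudo-random bytes (high entropy, like compressed or encrypted data).
_rng = random.Random(2024)
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))
CLEAN_SAMPLE = [
    (".text", b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\xc9\xc3" * 300, True),
    (".rsrc", _random_blob, False),   # e.g. a compressed icon; not code
]
PACKED_SAMPLE = [
    ("UPX0", b"", True),               # empty on disk, target of the unpacker
    ("UPX1", _random_blob, True),      # compressed program plus unpacking stub
]

if __name__ == "__main__":
    for label, s in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = triage(s)
        print(label, r["fingerprint"]["sha256"][:16], r["entropy"], r["hints"])
```

The non-executable branch is the important caveat: a high-entropy resource section (compressed images, embedded archives) is normal, so entropy alone is only a packer indicator when it appears in a section that will be executed, and even then a custom packer with no known section name is caught only by the entropy and empty-section rules, which is the gap that dynamic analysis fills.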
Static analysis: VirusTotal (hashes the uploaded sample and runs it past many antivirus engines; note that an uploaded sample is shared with the participating vendors). Dynamic analysis: Cuckoo Sandbox (the original project is no longer maintained; CAPE Sandbox is a maintained fork). CuckooML: machine learning for Cuckoo Sandbox; through that project, state of the art data science and machine learning approaches were to be implemented and integrated into Cuckoo Sandbox to cluster and classify analysed samples.

A packer is a way of obfuscating an executable program: transforming it so the result is still executable and has the same effect when run, but looks different on disk (so it will not be detected by static antivirus scanning). The term is usually short for "runtime packers", also known as "self-extracting archives": software that unpacks itself in memory when the packed file is executed. Attackers often use custom packers to obfuscate their malware, to make it less likely that antivirus will detect it or to make it harder for antivirus vendors to reverse engineer it and work out what it is doing.
• There are many known ways to identify packers. The most common packer, UPX, and its variations are usually flagged as "suspicious" by antivirus engines through a signature detection on the PE file (for example the UPX0/UPX1 section names).
• Handy tools:
• RDG Packer Detector, which detects specific packers by signature checking (presumably the same way antivirus does).
• PEiD, which detects most common packers, cryptors and compilers for PE files and also offers disassembly.
• IDA Pro with the universal unpacker plugin.
Packer signatures only catch known packers; for a custom packer the practical hints are an unusually high entropy in an executable section, an almost empty import table and a section that is both writable and executable.

Mandatory access control (multi-level security). Security classes: top secret, secret, confidential and unclassified. Bell-LaPadula model: a subject may read an object only if the subject's security class dominates or equals that of the object (simple security property, "no read up"). To prevent leakage via malware, a subject may write only to objects whose security class dominates or equals that of the subject (*-property, "no write down"). A Trojan horse running on behalf of a secret-cleared user therefore cannot copy secret data into an unclassified file, whatever that file's discretionary permissions say. Eg: SELinux, whose MLS policy implements this model; AppArmor is also mandatory access control, but path-based, and does not implement multi-level security.
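The following is an added example, not code from the notes, SELinux or AppArmor, serving both the DAC discussion earlier (a program running as the user can leak or re-permission the user's files) and the Bell-LaPadula paragraph above: a toy reference monitor with a DAC policy and a DAC-plus-MLS policy over in-memory "files", run against the same Trojan horse. Users, file names, labels, categories and contents are all constructed for the illustration.

```python
"""Why DAC lets a Trojan horse leak a file while Bell-LaPadula does not.

Added example, not code from the original notes, SELinux or AppArmor: a toy
reference monitor with two policies over in-memory 'files'. Users, file
names, labels and contents are constructed for the illustration.
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Security class: a level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class File:
    owner: str
    label: Label
    world_readable: bool
    content: str = ""


@dataclass(frozen=True)
class Subject:
    """A process: runs with a user's identity and that user's clearance."""
    user: str
    label: Label


class DacMonitor:
    """Unix-style DAC: the owner may read and write, others may read if the
    owner said so, and any program running as the owner may change that."""

    def can_read(self, s: Subject, f: File) -> bool:
        return f.owner == s.user or f.world_readable

    def can_write(self, s: Subject, f: File) -> bool:
        return f.owner == s.user

    def chmod_world_readable(self, s: Subject, f: File) -> bool:
        if f.owner != s.user:
            return False
        f.world_readable = True
        return True


class MlsMonitor(DacMonitor):
    """DAC plus Bell-LaPadula: a request must pass both checks."""

    def can_read(self, s: Subject, f: File) -> bool:   # simple security: no read up
        return super().can_read(s, f) and s.label.dominates(f.label)

    def can_write(self, s: Subject, f: File) -> bool:  # *-property: no write down
        return super().can_write(s, f) and f.label.dominates(s.label)
    # chmod is inherited: the owner may still relax the DAC bits, but the
    # label check on every read stays in force, so that no longer discloses.


def trojan_attack(monitor: DacMonitor) -> dict:
    """A Trojan horse run by alice (cleared secret) tries two leaks of her
    secret plans to mallory (cleared unclassified): copying the content into
    a world-readable file, and chmod-ing the plans file itself.
    Returns what mallory can learn afterwards."""
    secret = Label("secret", frozenset({"project_x"}))
    public = Label("unclassified")
    plans = File("alice", secret, False, "launch date: 1 May")
    notes = File("alice", public, True, "lunch menu")
    trojan = Subject("alice", secret)      # runs with alice's identity
    mallory = Subject("mallory", public)

    # Leak 1: write secret content into a file others can read.
    if monitor.can_read(trojan, plans) and monitor.can_write(trojan, notes):
        notes.content = plans.content
    # Leak 2: make the secret file itself world-readable.
    monitor.chmod_world_readable(trojan, plans)

    return {
        "notes_leaked": monitor.can_read(mallory, notes)
                        and notes.content == plans.content,
        "plans_readable_by_mallory": monitor.can_read(mallory, plans),
    }


if __name__ == "__main__":
    print("DAC:", trojan_attack(DacMonitor()))
    print("MLS:", trojan_attack(MlsMonitor()))
```

Under DAC both leaks succeed, because the Trojan holds every right alice holds, including the right to change her files' permissions. Under the MLS policy the copy is refused by the *-property (the unclassified notes file does not dominate the secret subject) and the chmod succeeds but is harmless, because the simple security property still refuses mallory's read; the policy, not the owner's discretion, decides.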