Malware Analysis CIS-672: Lecture 01: Introduction

This document provides an introduction to malware analysis. It defines malware as malicious code that performs unauthorized actions on a system. The purpose of malware can be to steal information, spy, or take control of a system. Malware typically enters systems through email, web, or removable drives. Malware analysis involves studying malware behavior through static analysis, dynamic analysis, and code analysis to understand malware and improve defenses. The objectives are to determine malware purpose, impact, attacker intentions, and indicators to improve detection.

Malware Analysis CIS-672

Lecture 01: Introduction


Dr. Muhammad Abid,
DCIS, PIEAS

Malware Analysis, PIEAS


What's Malware?

Malware is code that performs malicious actions, or actions taken without the user's consent.
Forms malware takes:
Executable
Script
Code, e.g. a DLL library or any other software.

Purpose of Malware

To steal sensitive information,
To spy on the infected system, or
To take control of the system.

How does malware make its way in?

It typically gets into your system without your consent and can be delivered via various communication channels such as
email,
web,
or USB drives.

What is Malware Analysis?

Malware analysis is the study of malware's behavior.
The objective of malware analysis is to understand the working of malware and how to detect and eliminate it.
It involves analyzing the suspect binary in a safe environment to identify its characteristics and functionalities so that better defenses can be built to protect an organization's network.

Malware Analysis Objectives

To determine the nature and purpose of the malware. For example, it can help you determine whether the malware is an information stealer, spam bot, keylogger, and so on.
To gain an understanding of how the system was compromised and its impact.
To determine the attacker's intention and motive. For instance, during your analysis, if you find that the malware is stealing banking credentials, then you can deduce that the motive of the attacker is monetary gain.

Malware Analysis Objectives

To identify the network indicators associated with the malware, which can then be used to detect similar infections using network monitoring.
For example, during your analysis, if you determine that a malware contacts a particular domain/IP address, then you can use this domain/IP address to create a signature and monitor the network traffic to identify all the hosts contacting that domain/IP address.

Malware Analysis Objectives

To extract host-based indicators such as filenames and registry keys, which, in turn, can be used to detect similar infections using host-based monitoring.
For instance, if you learn that a malware creates a registry key, you can use this registry key as an indicator to create a signature, or scan your network to identify the hosts that have the same registry key.
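Putting both kinds of indicator to work, as an added example that is not part of the lecture: the script below takes a network IOC set (domains and an IP) and a host IOC set (a Run-key registry value and a filename), sweeps constructed DNS/firewall log lines for hosts that contacted the network indicators, and sweeps a constructed host inventory for the host-based ones. Every indicator value, log line and hostname here is made up for illustration.

```python
"""Match network and host indicators extracted during analysis against
log data and a host inventory to find other infected machines.

Added example for this lecture, not code from the slides. All indicator
values, log lines and hostnames below are constructed, not real."""
import re

# Indicators an analyst might extract from a sample (constructed values;
# 203.0.113.0/24 is a documentation range, not real infrastructure).
NETWORK_IOCS = {
    "domains": {"update-checker.example", "cdn-static.example"},
    "ips": {"203.0.113.45"},
}
HOST_IOCS = {
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_update"},
    "filenames": {"svchost_update.exe"},
}

# Constructed resolver and firewall log lines in a simple "key=value" style.
NETWORK_LOGS = """\
2024-03-01T10:02:11Z type=dns src=10.0.0.12 query=update-checker.example answer=203.0.113.45
2024-03-01T10:02:12Z type=dns src=10.0.0.12 query=www.example.org answer=93.184.216.34
2024-03-01T10:05:40Z type=fw src=10.0.0.31 dst=203.0.113.45 dport=443 action=allow
2024-03-01T10:07:03Z type=dns src=10.0.0.58 query=cdn-static.example answer=203.0.113.45
2024-03-01T10:09:55Z type=fw src=10.0.0.77 dst=198.51.100.9 dport=80 action=allow
"""

# Constructed host inventory, e.g. what an EDR or an autoruns sweep would return.
HOST_INVENTORY = {
    "WS-0012": {"registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_update"},
                "files": {"C:\\Users\\alice\\AppData\\Roaming\\svchost_update.exe"}},
    "WS-0031": {"registry_keys": set(), "files": {"C:\\Windows\\System32\\svchost.exe"}},
    "WS-0058": {"registry_keys": set(), "files": {"C:\\ProgramData\\svchost_update.exe"}},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' log line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def match_network(logs, iocs):
    """Return {src_host: [reasons]} for every source that touched a network IOC."""
    hits = {}
    for raw in logs.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        if rec.get("type") == "dns":
            # A query for the C2 name is a hit even if the answer has since changed.
            if rec.get("query", "").rstrip(".").lower() in iocs["domains"]:
                reasons.append("dns query for %s" % rec["query"])
            if rec.get("answer") in iocs["ips"]:
                reasons.append("resolved to %s" % rec["answer"])
        elif rec.get("type") == "fw" and rec.get("dst") in iocs["ips"]:
            reasons.append("connection to %s:%s" % (rec["dst"], rec.get("dport")))
        if reasons:
            hits.setdefault(rec["src"], []).extend(reasons)
    return hits


def match_host(inventory, iocs):
    """Return {hostname: [reasons]} for hosts carrying a host-based IOC."""
    hits = {}
    for host, artifacts in inventory.items():
        reasons = []
        for key in artifacts["registry_keys"]:
            if key in iocs["registry_keys"]:
                reasons.append("registry key %s" % key)
        for path in artifacts["files"]:
            # Compare the basename only: the same dropper lands under different user profiles.
            if path.rsplit("\\", 1)[-1].lower() in iocs["filenames"]:
                reasons.append("file %s" % path)
        if reasons:
            hits[host] = reasons
    return hits


if __name__ == "__main__":
    for src, why in sorted(match_network(NETWORK_LOGS, NETWORK_IOCS).items()):
        print("network hit:", src, "->", "; ".join(why))
    for host, why in sorted(match_host(HOST_INVENTORY, HOST_IOCS).items()):
        print("host hit:", host, "->", "; ".join(why))
```

In practice the log source would be resolver, proxy or firewall logs and the inventory an EDR or autoruns export; the matching logic stays the same. Note that WS-0031 is not flagged: its file is the legitimate svchost.exe, so an indicator must be specific enough (full registry path, exact dropped filename) not to match every machine on the network.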

Why study this subject?

The increasing number of devices (computers, laptops, servers, mobiles, IoT devices, sensors, gateways, etc.) being connected to the Internet, and the increasing number of cyber attacks on government, military, public and private sectors, require skilled manpower capable of dealing with cyberattacks.

Books

Primary:
Learning Malware Analysis, 2018, by Monnappa K A
Secondary:
Practical Malware Analysis, 2012, by Michael Sikorski and Andrew Honig
Advanced Malware Analysis, 2015, by Christopher C. Elisan
Malware Analyst's Cookbook, 2011, by Michael Hale Ligh et al.

Course Evaluation

Paper reading and Presentation: 10%
Applied Assignment: 20%
Quizzes: 5%
Mid Term Exam: 15%
Final Exam: 50%

Course Contents

Introduction to Malware Analysis
Static Analysis
Dynamic Analysis
Assembly Lang. and Disassembly Primer
Disassembly Using IDA
Debugging Malicious Binaries
Malware Functionalities and Persistence
Code Injection and Hooking
Malware Obfuscation Techniques
Hunting Malware Using Memory Forensics
Detecting Advanced Malware Using Memory Forensics

Prerequisite

You will be much more comfortable in this subject if you know:
Python
x86/x64 assembly programming
Windows application programming interface (Win32 API)
PE (Portable Executable) format

Introduction to Malware Analysis

Malicious Actions

Some of the malicious actions performed by malware:
Stealing sensitive information, including personal, business, and financial data
Unauthorized access to the victim's system
Spying on the victims
Sending spam emails
Engaging in distributed denial-of-service (DDoS) attacks
Locking up the files on the computer and holding them for ransom

Malware Types

Virus or Worm: Malware that is capable of copying itself and spreading to other computers. A virus needs user intervention, whereas a worm can spread without user intervention.
Trojan: Malware that disguises itself as a regular program to trick users into installing it on their systems. Once installed, it can perform malicious actions such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams.

Malware Types

Backdoor / Remote Access Trojan (RAT): This is a type of Trojan that enables the attacker to gain access to and execute commands on the compromised system.
Adware: Malware that presents unwanted advertisements (ads) to the user. It usually gets delivered via free downloads and can forcibly install software on your system.

Malware Types

Botnet: This is a group of computers infected with the same malware (called bots), waiting to receive instructions from the command-and-control server controlled by the attacker. The attacker can then issue a command to these bots, which can perform malicious activities such as DDoS attacks or sending spam emails.

Malware Types

Information stealer: Malware designed to steal sensitive data such as banking credentials or typed keystrokes from the infected system. Some examples of these malicious programs include keyloggers, spyware, sniffers, and form grabbers.
Ransomware: Malware that holds the system for ransom by locking users out of their computer or by encrypting their files.

Malware Types

Rootkit: Malware that provides the attacker with privileged access to the infected system and conceals its presence or the presence of other software.
Downloader or dropper: Malware designed to download or install additional malware components.

Types Of Malware Analysis

Static analysis:
analyzing a binary without executing it.
allows you to extract the metadata associated with the suspect binary.
might not reveal all the required information, but it can sometimes provide interesting information that helps in determining where to focus your subsequent analysis efforts.
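What "extracting the metadata" looks like in code, as an added example written for this lecture (it is not from the slides or the course books, and uses only the Python standard library rather than pefile): parse the DOS, COFF and optional headers and the section table, hash the file, pull printable strings, and flag sections that look packed. The sample PE is built in memory so the script runs offline; its URL, API name and section names are placeholders chosen for illustration, not real indicators.

```python
"""Minimal static triage of a PE file using only the standard library.

Added example for this lecture, not code from the slides or course books.
The sample image is constructed in memory; the strings inside it
(a URL, an API name) are placeholders, not indicators from real malware."""
import hashlib
import math
import re
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", ".vmp", ".themida")   # common packer section names
INTERESTING_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                    "URLDownloadToFileA", "InternetOpenA", "RegSetValueExA"}


def shannon_entropy(blob):
    """Bits per byte: ~8.0 means compressed/encrypted data, plain code is usually 5 to 6.5."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = float(len(blob))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return header metadata and the section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at offset 28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at offset 24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                    # section table follows the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": schars, "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": tstamp,
            "characteristics": chars, "format": "PE32" if magic == 0x10B else "PE32+",
            "entry_point": entry, "image_base": image_base,
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem), "sections": sections}


def file_hashes(data):
    return {a: getattr(hashlib, a)(data).hexdigest() for a in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len characters, like the Unix strings tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Combine the pieces into the quick verdicts an analyst looks at first."""
    pe = parse_pe(data)
    strings = extract_strings(data)
    packed = [s["name"] for s in pe["sections"]
              if s["entropy"] > 7.0 or s["name"].startswith(PACKER_SECTION_PREFIXES)]
    return {"pe": pe, "hashes": file_hashes(data), "packed_sections": packed,
            "urls": [s for s in strings if s.startswith(("http://", "https://"))],
            "apis_of_interest": sorted(s for s in strings if s in INTERESTING_APIS)}


def build_sample_pe():
    """Constructed PE32 image: a plaintext .text section and a UPX-style packed section."""
    text = (b"\x55\x8b\xec" + b"http://update-checker.example/gate.php\0CreateRemoteThread\0"
            + b"\x90" * 64).ljust(512, b"\0")
    upx = bytes(range(256)) * 16                         # uniform histogram: entropy exactly 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5E0BE100, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIII", 0x10B, 14, 0, len(text), 0, 0, 0x1000, 0x1000)  # ... EntryPoint, BaseOfCode
    opt += struct.pack("<II", 0, 0x400000)               # BaseOfData, ImageBase
    opt = opt.ljust(68, b"\0") + struct.pack("<H", 2)    # Subsystem = WINDOWS_GUI
    opt = opt.ljust(224, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b"UPX1", len(upx), 0x2000, len(upx), 1024, 0, 0, 0, 0, 0xE0000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(512, b"\0") + text + upx


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print(result["hashes"]["sha256"], result["pe"]["machine"], result["pe"]["format"])
    for s in result["pe"]["sections"]:
        print("%-8s vaddr=0x%x raw=%d entropy=%.2f" % (s["name"], s["virtual_address"], s["raw_size"], s["entropy"]))
    print("packed:", result["packed_sections"], "urls:", result["urls"], "apis:", result["apis_of_interest"])
```

Two things this shows that a hash alone does not: a high-entropy section named UPX1 tells you the strings and imports you see are those of the unpacker stub, so the real payload must be unpacked (or run under dynamic analysis) before code analysis is worthwhile; and the URL and CreateRemoteThread strings are exactly the "interesting information" that tells you where to focus next (network indicators, and process injection).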

Types Of Malware Analysis

Dynamic analysis (Behavioral Analysis):
executing the suspect binary in an isolated environment and monitoring its behavior.
gives valuable insights into the activity of the binary during its execution.
This analysis technique is useful but does not reveal all the functionalities of the hostile program.

Types Of Malware Analysis

Code analysis:
analyzing the code to understand the inner workings of the binary.
Static code analysis involves disassembling the suspect binary and looking at the code to understand the program's behavior, whereas dynamic code analysis involves debugging the suspect binary in a controlled manner to understand its functionality.
Code analysis requires an understanding of the programming language and operating system concepts.

Types Of Malware Analysis

Memory analysis:
analyzing the computer's RAM for forensic artifacts.
especially useful to determine the stealth and evasive capabilities of the malware.

Setting Up The Lab Environment

Keep your virtualization software up to date. This is necessary because it might be possible for malware to exploit a vulnerability in the virtualization software, escape from the virtual environment, and infect your host system.
Install a fresh copy of the operating system inside the virtual machine (VM), and do not keep any sensitive information in the virtual machine.

Setting Up The Lab Environment

While analyzing a malware, if you don't want the malware to reach out to the Internet, then you should consider using host-only network configuration mode or restrict your network traffic within your lab environment using simulated services.
Do not connect any removable media that might later be used on the physical machines, such as USB drives.

Setting Up The Lab Environment

Since we will be analyzing Windows malware (typically an executable or DLL), it is recommended to choose a base operating system such as Linux or macOS for your host machine instead of Windows. This is because, even if a Windows malware escapes from the virtual machine, a Windows binary will not run natively on the host, which greatly reduces (though does not entirely remove) the risk of the host being infected.
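One way to check a VM against these rules before a sample is ever run, as an added example that is not from the lecture: parse the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` and flag NAT or bridged adapters (Internet reachable), shared folders (host files exposed to the sample) and an enabled shared clipboard or drag-and-drop (a channel from guest to host). The key names used (nicN, hostonlyadapterN, SharedFolderNameMachineMappingN, clipboard, draganddrop) follow VirtualBox's machine-readable output as I know it; the sample output below is constructed rather than captured, and vboxnet0 is an assumed name for the lab's host-only adapter.

```python
"""Check a VirtualBox analysis VM against the lab isolation rules.

Added example for this lecture, not code from the slides. Key names are
those of `VBoxManage showvminfo --machinereadable` as I know them; the
SAMPLE_VMINFO text is constructed and the adapter name is an assumption."""
import re
import subprocess

SAFE_NIC_MODES = {"hostonly", "intnet", "none"}      # traffic stays inside the lab
KV_RE = re.compile(r'^([A-Za-z0-9_\-]+)="?(.*?)"?$')  # values may or may not be quoted


def parse_vminfo(text):
    """Turn machine-readable showvminfo output into a dict of setting -> value."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def isolation_findings(info, lab_adapter="vboxnet0"):
    """Return a list of (severity, message); an empty list means the VM passes."""
    findings = []
    for n in range(1, 9):                             # VirtualBox exposes up to 8 adapters
        mode = info.get("nic%d" % n)
        if mode is None or mode == "none":
            continue
        if mode not in SAFE_NIC_MODES:
            findings.append(("high", "nic%d is '%s': the sample can reach the Internet or LAN" % (n, mode)))
        elif mode == "hostonly" and info.get("hostonlyadapter%d" % n) != lab_adapter:
            findings.append(("medium", "nic%d uses adapter '%s', not the lab adapter '%s'"
                             % (n, info.get("hostonlyadapter%d" % n), lab_adapter)))
    for key, value in info.items():
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(("high", "shared folder '%s' exposes host files to the sample" % value))
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(("medium", "%s is '%s': should be disabled" % (key, info[key])))
    return findings


def check_vm(name, lab_adapter="vboxnet0"):
    """Query a real VM; requires VirtualBox to be installed on the host."""
    out = subprocess.check_output(["VBoxManage", "showvminfo", name, "--machinereadable"])
    return isolation_findings(parse_vminfo(out.decode()), lab_adapter)


# Constructed output for a VM that still has a NAT adapter, a shared folder and a shared clipboard.
SAMPLE_VMINFO = '''\
name="win10-analysis"
ostype="Windows10_64"
memory=4096
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
'''

if __name__ == "__main__":
    for severity, message in isolation_findings(parse_vminfo(SAMPLE_VMINFO)):
        print("[%s] %s" % (severity, message))
```

Run check_vm("win10-analysis") after building the VM and again after every snapshot restore: a NAT adapter left over from the Windows installation is the most common way a "host-only" lab quietly leaks a sample's first beacon to the real C2.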

Overview Of Lab Architecture

Overview Of Lab Architecture

The host machine (running Ubuntu 18.04) has instances of a Linux virtual machine (running Ubuntu 18.04) and a Windows virtual machine (running Windows).
These virtual machines will be configured to be part of the same network and use host-only network configuration mode so that the malware is not allowed to contact the Internet and network traffic is contained in the isolated lab environment.

Overview Of Lab Architecture

The Windows VM is where the malware will be executed during analysis, and
the Linux VM is used to monitor the network traffic and will be configured to simulate Internet services (DNS, HTTP, and so on) to provide an appropriate response when the malware requests these services.
For example, the Linux VM will be configured such that when the malware requests a service such as DNS, the Linux VM will provide the proper DNS response.
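What that "proper DNS response" exchange looks like on the wire, as an added example written for this lecture: a minimal DNS sinkhole that answers every A query with the Linux VM's own address, so whatever name the sample resolves points back into the lab. This is not INetSim (which the course uses for the job) and not code from the slides; the sinkhole address 192.168.56.101 and the query names are assumptions.

```python
"""A tiny DNS sinkhole: answer every A query with the lab's Linux VM address,
so Windows malware in the isolated network resolves its C2 names to a host
we control instead of the real Internet.

Added example for this lecture; not INetSim and not code from the slides.
The sinkhole address and the names used in the demo are assumptions."""
import socket
import struct

LAB_SINKHOLE_IP = "192.168.56.101"   # assumed address of the Linux VM on the host-only network
FLAGS_STANDARD_RESPONSE = 0x8180     # QR=1, RD=1, RA=1, RCODE=NOERROR


def encode_name(name):
    """'evil.example' -> b'\\x04evil\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\0"


def decode_name(data, offset):
    """Read an uncompressed or compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qid=0x1234, qtype=1):
    """What a stub resolver sends: header with RD set and one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(data):
    qid, flags, qdcount = struct.unpack_from("!HHH", data, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(data, 12)
    qtype, qclass = struct.unpack_from("!HH", data, off)
    return qid, name, qtype, data[12:off + 4]           # question section echoed in the reply


def build_response(query, answer_ip=LAB_SINKHOLE_IP, ttl=60):
    """Answer A queries with answer_ip; other types get an empty NOERROR reply."""
    qid, name, qtype, question = parse_query(query)
    ancount = 1 if qtype == 1 else 0
    resp = struct.pack("!HHHHHH", qid, FLAGS_STANDARD_RESPONSE, 1, ancount, 0, 0) + question
    if ancount:
        # NAME = pointer to the question name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4
        resp += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return resp


def parse_response(data):
    """Return (qid, name, [answer IPs]): what the malware's resolver would see."""
    qid, flags, qdcount, ancount = struct.unpack_from("!HHHH", data, 0)
    name, off = decode_name(data, 12)
    off += 4                                            # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return qid, name, ips


def serve(bind_ip="0.0.0.0", port=53, answer_ip=LAB_SINKHOLE_IP):
    """Run the sinkhole on the Linux VM and log every name the sample asks for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_response(data, answer_ip)
        except (ValueError, IndexError, struct.error):
            continue                                    # malformed packet: ignore it
        qid, name, _, _ = parse_query(data)
        print("%s asked for %s -> %s" % (peer[0], name, answer_ip))
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Run serve() as root on the Linux VM (port 53 is privileged) and set the Windows VM's DNS server to the Linux VM's host-only address. The log line printed for each query is itself a network indicator: the names a sample resolves during the first minute after execution are usually its C2 domains, and the HTTP simulator on the same VM then records what it requests from them.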

Another Lab Architecture

Setting Up And Configuring Linux VM

Download Ubuntu 18.04 (Desktop image) from http://releases.ubuntu.com/18.04/ and install it in VirtualBox 6.1.
Install the VirtualBox Guest Additions on Ubuntu. To accomplish this, from the VirtualBox menu, select Devices | Insert Guest Additions CD image.
Install packages (the course uses Python 2.7, hence python-pip and python-dev; on Ubuntu releases after 18.04 the equivalents are python3-pip, python3-dev and pip3):
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install python-pip
$ pip install --upgrade pip
$ sudo apt-get install python-magic
$ sudo apt-get install upx
$ sudo pip install pefile
$ sudo apt-get install yara
$ sudo pip install yara-python
$ sudo apt-get install ssdeep
$ sudo apt-get install build-essential libffi-dev python python-dev libfuzzy-dev
$ sudo pip install ssdeep
$ sudo apt-get install wireshark
$ sudo apt-get install tshark
Install INetSim
Setting Up And Configuring Windows VM

Download and install Windows 10 or Windows 7 in VirtualBox.
Install Python 2.7.

Linux and Windows VMs

Malware Sources

https://www.virustotal.com/gui/
