Malware Analysis and Detection Engineering
created Apr 12th 2022, 17:22 by MuathNasr
Introduction
“My computer has a virus!” Almost anyone who has been involved with any kind of
computing device has either said or heard this phrase. These days, we frequently hear
about virus attacks. Some of these attacks impact millions of users across the globe. As
security professionals, we explain that the term virus is not very accurate. The correct
scientific terminology is malware. A virus is a category of malware.
What is malware? Malware is a weapon used by malicious entities to execute sinister
motives. In technical terms, malware (or rather mal-ware) is malicious software—a piece
of software whose intentions are malicious.
Malware has always existed, but in the early days of computing, it was hardly a
concern for end users. Industry sectors like banking, finance, and government were
more concerned about malware attacks compared to the rest of the industry. But the
malware landscape has changed drastically over time. Previously, it all seemed to be
about money, but data is now the greatest currency in every facet of our lives, and it has
become the primary target of malware.
To make sure our data is protected, data protection laws are strictly enforced. Any
organization that stores information about the public is held responsible for all forms
of misuse and loss of data. This has ensured that no organization in the world can take
cybersecurity for granted anymore.
At the same time, it is not only organizations; we end users can’t take it lightly
either. The kind of computing devices available now, and their usability, have changed
massively over the last decade. Personal computers and cellphones are used to carry
out bank transactions, book hotels and flights, pay our utility bills, act as key fobs for
our cars, operate the appliances at home, control IoT devices, and so on. Our personal
devices hold a lot of private data, including usernames, passwords, and images.
Today, no one can afford to be hacked. In the past, malware attacks directly involved a
corporation or a government body. Today, malware attacks have grown to target and
attack end users’ computing devices to monetize. Malware is pretty much a part of every
cyberattack carried out by attackers.
Malicious threat actors release malware in the millions every day. But the number of
security professionals who work on malware is much smaller than the number needed to
handle this deluge of malware. Even smaller is the percentage of those security
professionals who are qualified to detect and analyze it.
Malware analysis is a growing business, and security professionals need to learn
more about analyzing malware. Some of the studies carried out expect the malware
analysis market to grow from 3 billion in 2019 to 11 billion by 2024 [1]. This growth
projection comes from the fact that not only is the amount of malware increasing every
day, but it is becoming more complex with the advent and use of new technologies. Also,
the availability of new computing platforms like the cloud and IoT has given malware
new attack surfaces that it can target and monetize. While the attack surface and
complexity have increased, the defense remains largely unmanned due to a shortage of
security professionals with the requisite skills to tackle malware.
The step-by-step walkthrough of a malware analysis workflow in this book ensures
that its readers (malware analysts, reverse engineers, network engineers, security
operations center (SOC) analysts, IT admins, network admins, or managers and chief
information security officers (CISOs)) advance their malware analysis and reversing
skills and improve their preparedness for any kind of malware attack. At the same time,
the introduction to the internals of antiviruses, sandboxes, IDS/IPS, and other
malware detection-related tools gives a fresh look at new ideas on how to use these
tools and customize them to improve your analysis infrastructure.
Before you dive into learning how to analyze malware, let’s first go through the terms
for various types of malware and their functionalities.
Types of Malware
As malware analysts, you will not only come across malware samples that you need
to investigate, but you also need to read through analysis reports, blogs, and technical
articles on the Internet and other sources that discuss malware and cyberattacks around
the world. The malware analysis world has coined various terms for malware and its
functionalities, which are commonly used. Let’s discuss some of the various terms.
These terms can indicate malware, and in some cases, they can refer to malware code,
features, or functionalities that make up a larger piece of malware. The following are
some of the common malware types or features.
• A virus is the first kind of malware that is known to self-replicate.
It is also called a file infector. Viruses survive by infecting and
inserting themselves into other healthy files on the system. When
executed, an infected program still runs and displays its intended
functionality, but it also executes the virus in the background.
• A worm is malware or a malware functionality that spreads to and
infects other computers, either via the network or by some physical
means like a USB drive.
• A backdoor is an unauthorized entry point by which an attacker
can enter the victim’s system. For example, malware can open a
network port on the system that exposes shell access, which the
attacker can connect to in order to gain entry into the system.
• A trojan is malware that masquerades as a clean software and is
installed on the victim machine with the user’s full knowledge, but
the user is not aware of its real malicious intentions.
• Spyware or InfoStealer spies on and steals sensitive data from your
system. The data targeted by spyware can be usernames, passwords,
images, and documents.
• A keylogger is a kind of spyware that can log the user’s keystrokes
and send the recorded keystrokes back to the attacker.
• A botnet is a bot network or robot network that comprises multiple
machines infected by malware. The malware that forms this bot
network or botnet works together as a herd, accepting and acting
on commands sent by an attacker from a central server. Botnets can
carry out denial-of-service (DoS) attacks, send spam, and so forth.
• A remote administration tool (RAT) is malware or a malware
feature that can give the hacker full control of your system. These
tools are very similar to the desktop sharing software usually used by
administrators to access our systems for troubleshooting purposes.
The only difference is that malware RATs are used by attackers to
access our computers without any authorization.
• Adware is a common type of malware that most of us have come
across but never noticed. Adware is bundled with software
downloads from third-party websites. While installing the
downloaded software, adware is installed behind the scenes without
our knowledge. Do note that not all adware is malicious. Malicious
adware can be considered a category of trojan that is responsible only
for displaying unwanted ads on your system. Many of them are known
to change the default search engines of the browsers on our computers.
• A rootkit is malware or a malware functionality combined with
another piece of malware, whose aim is to conceal its activity or
that of another malware on the system. Rootkits mostly function by
modifying system functions and data structures.
• Banking malware works by intercepting and modifying browser
communication to capture information on banking transactions and
credentials.
• Point-of-sale (PoS) malware infects PoS devices, which are used
by most retail outlets, shops, and restaurants worldwide. PoS
malware’s main functionality includes trying to steal credit card
information from the PoS software.
• Ransomware works by taking the data, files, and other system
resources on the system hostage and demanding a ransom from the
victim in return for releasing these resources. Compared to other
malware types, ransomware is easy for a hacker to program. At the
same time, from a remediation standpoint, ransomware is very hard to
deal with, since once the data is encrypted, the users suffer huge
losses, and a lot of effort is required to neutralize the damage and
restore the system to its former state.
• A cryptominer is a relatively new member of the malware family,
having become popular with the increasing use of cryptocurrencies.
This malware is rarely known to steal data from the victim’s machine,
but it eats up system resources by mining cryptocurrencies.
• A downloader is malware that downloads other malware. Botnets
work as downloaders and download malware upon receiving a
command from the central server. These days most Microsoft
Office file-based macro malware are downloaders, which download
the next piece of a bigger malware payload. Emotet is a popular
malware that uses a Microsoft document-based macro downloader.
• Spammers send out spam emails from the victim’s machine. The
spam emails may contain links to malicious sites. The
malware may read contacts from email clients like Microsoft Outlook
installed on the victim’s machine and send out emails to those
contacts.
• An exploit is not malware but rather malicious code that is meant to
take advantage of a vulnerability on the system and exploit it to take
control of the vulnerable program and thereby the system. These
days most exploits are responsible for downloading other malware.
Platform Diversity
People often ask which programming language is used to create malware. The
answer is that malware can be, and is, written in almost any programming language,
such as C, JavaScript, Python, Java, Visual Basic, C#, and so on. Attackers are also taking
it one step further by using a technique called Living Off the Land, where they develop
attacks that carry