Introduction to Malware

What is Malware?
● Malicious Software (malware)
● software designed to harm the user’s computer or data
 Types of Malware
● Viruses: Self-replicating by modifying other computer programs and inserting its own code.
● Warm: Standalone malware computer program that replicates itself, mainly taking the vulnerability through
the network.
● Backdoor: Allows unauthorized access to compromised computers.
● Ransomware: may lock the system/files without damaging any files, will ask for ransom.
● Trojan: misleads users of its true intent.
● Rootkit: Actively hiding software
● Spyware: aims to gather information about a person or organization and send it to the attacker.
● Keylogger: recording the keys struck on a keyboard.
● Adware: generating online advertisements in the user interface.
● Bots: infect a system, steal data, or commit other fraudulent activities.
● Fileless Malware: makes changes to files that are native to the OS.
● Cryptojacking: hijacking a computer to mine cryptocurrencies.
How Does Malware Spread?
● Vulnerabilities: A security issue in software allows malware to exploit it.
● Social engineering and email : staff can be tricked to download and execute malware
using phishing attack.
● Backdooring: An intended or unintended opening in software.
● Drive-by downloads: unintended download of computer software from the
Internet.
● Privilege escalation: the attacker may use malware to gain higher permission.
● File sharing : file sharing through the network.
● Web apps: a compromised website may provide malware.
● P2p network: using p2p networks such as BitTorrent.
Where can malware hide itself?
● Email attachments ● Social media posts and messages
● Link sent by email ● Fake Wi-Fi
● Software or application ● Various files (.py, txt, jar,….)
● Online ads ● Infected browser and plug-ins
● Infected website ● USB sticks
● Torrent downloads ● Critical system files
● Documents (doc, csv,pdf,…) ● Windows registry
● Software fake update ● Temporary folders
 Malware Analysis Methodologies
● Static Analysis : basic static analysis does not require that the code is actually
run.
● Static analysis examines the file for signs of malicious intent.
● It can be useful to identify malicious infrastructure, libraries or packed files.
● Technical indicators are identified such as :
○ file names, hashes, strings such as IP addresses, domains, and file header data can be
used to determine whether that file is malicious.
● Tools like disassemblers can be used to observe the malware without actually
running it in order to collect information on how the malware works.
 Malware Analysis Methodologies (2)
● Dynamic Analysis : executes suspected malicious code in a safe environment
called a sandbox.
● Dynamic analysis provides threat hunters and incident responders with
deeper visibility, allowing them to uncover the true nature of a threat.
● And also, sandboxing eliminates the time it would take to reverse engineer a
file to discover the malicious code.
 Malware Analysis Methodologies (3)
● Hybrid Analysis : by combining static and dynamic analysis techniques,
hybrid analysis provide security team the best of both approaches.
● It can detect malicious code that is trying to hide, and then can extract many
more indicators of compromise (IOCs) by statically and previously unseen
code.
 Malware Detection Techniques
● Signature-Based Detection : Signature-based detection uses the unique digital
footprint, known as a signature (e.g. hash value/digest).
● When an antivirus program identifies software that meets a known signature,
it stops the process and either quarantines or deletes it.
 Malware Detection Techniques (2)
● Application Allowlisting : a whitelisting of approved applications (e.g blocking
others).
● This solution is not perfect but can be highly effective, especially in high-
security environments.
 Malware Detection Techniques (3)
● Heuristic analysis : a method of detecting viruses by examining code for
suspicious properties/behavior.
● It was designed to spot unknown new viruses and modified versions of
existing threats.
 Malware Detection Techniques (4)
● Machine Learning Behavioral Analysis : based on artificial intelligence and
machine learning (AI/ML), can help to learn to differentiate between
legitimate and malicious files and processes, even if they do not match any
known pattern or signature.
 Malware Detection Techniques (5)
● Sandboxing: Sandboxes detect malware by testing potentially malicious code
in an isolated virtual environment.
● This allows researchers to observe the code’s real behavior in a safe
environment.
 Malware Detection Techniques (6)
● Endpoint Detection and Response (EDR): monitors and records data and
events from endpoint logs and packets.
● The collected data is analyzed to see what happens after infection and to look
for IOCs.
Basic Static Malware Analysis

Presented by : Dr. Vahab Iranmanesh

Date : January 15, 2023
 Basic Static Malware Analysis
● Basic static analysis examines a malware file without actually running the program.
● This is the safest way to analyze malware, as executing the code could infect your system.
● Basic static analysis is straightforward and can be quick, but it’s largely ineffective against
sophisticated malware, and it can miss important behaviors.
● In general, static analysis gathering information from malware without even viewing the code.
○ File name
○ File size
○ File strings
○ Hash value
○ Timestamps
○ Imports
○ Exports
○ ..etc
 Tools and Techniques
● Each technique and tool can provide different information, and the ones you use
depend on your goals.
● Typically, you’ll use several techniques to gather as much information as possible.
● Some popular techniques and tools are :
○ Online antiviruses
○ Hash signature
○ Finding strings
○ Detecting the packer
○ PE analysis
○ Linked libraries and functions (imported/exported)
 Antivirus Scanning
● A good first step is to run it through multiple antivirus programs, which may already
have identified it.
● They rely mainly on a database of identifiable pieces of known suspicious code (file
signatures), as well as behavioral and pattern-matching analysis (heuristics) to
identify suspect files.
● One problem is that malware writers can easily modify their code, thereby changing
their program’s signature and evading virus scanners.
● Heuristics, while often successful in identifying unknown malicious code, can be
bypassed by new and unique malware.
 Antivirus Scanning (2)
● Websites such as VirusTotal (http://www.virustotal.com/) allow you to upload a file
for scanning by multiple antivirus engines.
● VirusTotal generates a report that provides the total number of engines that marked
the file as malicious, the malware name, and, if available, additional information
about the malware.
 Hashing: A Fingerprint for Malware
● Hashing is a common method used to uniquely identify malware.
● The malicious software is run through a hashing program that produces a unique
hash that identifies that malware (a sort of fingerprint).
○ MD5
○ SHA-1
 Finding Strings
● A string in a program is a sequence of characters such as “the.”
● A program contains strings if it prints a message, connects to a URL, or copies a file to a
specific location.
● Searching through the strings can be a simple way to get hints about the functionality of a
program.
● Strings are typically stored in either ASCII or Unicode format.
Finding Strings (2)
 Packed and Obfuscated Malware
● Malware writers often use packing or obfuscation to make their files more
difficult to detect or analyze.
● Obfuscated programs are ones whose execution the malware author has
attempted to hide.
● Packed programs are a subset of obfuscated programs in which the malicious
program is compressed and cannot be analyzed.
● Both techniques will limit your attempts to statically analyze the malware.
● Malware that is packed or obfuscated contains very few strings.
 Packing Files
● When the packed program is run, a small wrapper program/stub/unpacker
also runs to decompress the packed file and then run the unpacked file
 Detecting Packers with PEiD
● One way to detect packed files is with the PEiD program.
● You can use PEiD to detect the type of packer or compiler employed to build
an application, which makes analyzing the packed file much easier.
 Unpacking Malware
● When a program is packed, you must unpack it in order to be able to perform
any analysis.
● The unpacking process is often complex, which we will cover it later on.
● UPX packing program is so popular and easy to use for unpacking.
 Linked Libraries and Functions
● One of the most useful pieces of information that we can gather about an
executable is the list of functions that it imports.
● Code libraries can be connected to the main executable by linking.
● Code libraries can be linked statically and at runtime (dynamically).
● When a library is statically linked to an executable, all code from that library is
copied into the executable, which makes the executable grow in size.
● Runtime linking is commonly used in malware, especially when it’s packed or
obfuscated.
● Executables that use runtime linking connect to libraries only when that function is
needed, not at program star.
 Linked Libraries and Functions (2)
● The Dependency Walker program can lists only dynamically linked functions
in an executable.
 Imported/Exported Functions
● The names of these Windows functions/APIs can give you a good idea about
what the executable does.
● APIs can be access by .h header files, which can refer to .DLL files in order to
deal with specific functions.
● .EXE and .DLL files export functions to interact with other programs and code.
 The PE File Headers and Sections
● The PE file format contains a header followed by a series of sections.
● The header contains metadata about the file itself.
 The PE File Headers and Sections (2)
● The most common and interesting sections in a PE file are:
○ .text :contains the instructions.
○ .rdata : contains the import and export information.
○ .data : contains the program’s global data, which is accessible from anywhere in the
program.
○ .rsrc : the resources used by the executable such as icons, images and strings.
Packers and Unpacking

Presented by : Dr. Vahab Iranmanesh

Date : January 24, 2023
 What is a Packer?
● Packing programs, known as packers, have become extremely popular with malware
writers because they help malware hide from antivirus software, complicate malware
analysis, and shrink the size of a malicious executable.
● Most packers are easy to use and are freely available.
● Basic static analysis isn’t useful on a packed program; packed malware must be unpacked
before it can be analyzed statically, which makes analysis more complicated and
challenging.
 Packer Anatomy
● In order to unpack an executable, we must undo the work performed by the packer, which requires that we
understand how a packer operates.
● The packed executable is compressed, encrypted, or otherwise transformed, making it harder to recognize
and reverse-engineer.
● Most packers use a compression algorithm to compress the original executable.
● Packers can pack the entire executable, including all data and the resource section, or pack only the code
and data sections.
● To maintain the functionality of the original program, a packing program needs to store the program’s import
information.
● Reconstructing the import section can sometimes be challenging and time-consuming.
 The Unpacking Stub
● With packed programs, the unpacking stub is loaded by the OS, and then the
unpacking stub loads the original program.
● The code entry point (EP) for the executable points to the unpacking stub rather
than the original code/OEP.
● The original program is generally stored in one or more extra sections of the file.
● The unpacking stub can be viewed by a malware analyst, and understanding the
different parts of the stub is fundamental to unpacking the executable.
● Stub function is typically simple, unpack the original executable.
 The Unpacking Stub (2)
● If you attempt to perform static analysis on the packed program, you will be
analyzing the stub, not the original program.

● The unpacking stub performs three steps:

○ Unpacks the original executable into memory.

○ Resolves all of the imports of the original executable
○ Transfers execution to the original entry point (OEP)
 Loading the Executable
● When regular executables load, a loader reads the PE header on the disk, and allocates
memory for each of the executable’s sections based on that header.
● The loader then copies the sections into the allocated spaces in memory.
● Packed executables also format the PE header so that the loader will allocate space for the
sections.
● The unpacking stub unpacks the code for each section and copies it into the space that was
allocated.
 Resolving Imports
● Nonpacked PE files include a section that tells the loader which functions to
import, and another section that stores the addresses of the names of all the
imported functions.
● The Windows loader cannot read import information that is packed.
● For a packed executable, the unpacking stub will resolve the imports.
● The most common approach is to have the unpacking stub import only the :
○ LoadLibrary : loads the DLL into memory.
○ GetProcAddress : gets the address for each function.
Resolving Imports (2)
 The Tail Jump
● Once the unpacking stub is complete, it must transfer execution to the OEP.
● The instruction that transfers execution to the OEP is commonly referred to
as the tail jump.
● Since it’s so common, many malicious packers will attempt to obscure this function by
using a ret or call instruction.
 Indicators of a Packed Program
● The following signs to look for when determining whether malware is packed :

○ The program has few imports, and particularly if the only imports are LoadLibrary and GetProcAddress.
○ When the program is opened in IDA Pro/Ghidra, only a small amount of code is recognized by the automatic analysis.
○ When the program is opened in OllyDbg (debugger), there is a warning that the program may be packed.
○ The program shows section names that indicate a particular packer (such as UPX0).
○ The program has abnormal section sizes, such as a .text section with a Size of Raw Data of 0 and Virtual Size of nonzero.
○ Packer-detection tools such as PEiD can also be used to determine if an executable is packed.
○ Packed executables can also be detected via a technique known as entropy calculation (randomization).
 Unpacking Options
● There are three options for unpacking a packed executable:

○ Automated static unpacking :

■ this is the fastest method
■ specific to a single packer
■ PE Explorer tool has some unpacking plugins

○ Automated dynamic unpacking :

■ run the executable
■ The unpacked malware can be written to disk, then import table must be fixed
■ needs to understand the end of unpacking, unless, it will fail

○ Manual dynamic unpacking :

■ discover the packing algorithm and write an unpacker for it
■ *or letting the malware to unpack itself, then dump the unpacked process, finally fixing the PE header
● can be done by making another process
● then unpacking the packed malware into the generated process using APIs
 Unpacking Via Manual Dynamic (dumping approach)
● We need to use a debugger such as x32/64 tool to intercept the execution.
● This will help us to identify the OEP and also dump the unpacked malware.
● The dumped malware does include the packed malware PE header, which must be
changed to replaced the OEP with original EP.
● And also, the dumped malware requires to fix the import table for execution.
Basic Dynamic Analysis

Presented by : Dr. Vahab Iranmanesh

Date : January 29, 2023
 Dynamic Analysis and Environment
● Running malware while monitoring the results.

● It requires a safe environment such as virtual machine.

● A real machine can be used but must be air gapped :

○ Disadvantages : no internet connection (no traffic analysis), might be difficult to remove malware

○ Advantages : some malware may detect virtual machine and wont run properly.
 Why Dynamic Analysis?
● Static malware analysis might not be able to extract information about the malware due to
:

○ Obfuscation
○ Packing
○ Encryption
○ Confusion

● Dynamic analysis will gather more information since it will focus on the behavior of the
malware.
 Sandboxes
● All-in-one software for basic dynamic analysis.
● Virtualized environment that simulates network services.
● The sandboxes can make a nice PDF report in the end.
● Some examples are :

○ Any.run website
○ Hybrid-analysis.com website
○ Joe sandbox
○ Cuckoo sandbox
 Sandboxes (2)
● Sandboxes may have some disadvantages :
○ the sandbox simply runs the executable, without command-line options.
○ a dropper malware will not be working since the second part will not be downloaded.
○ the sandbox also may not record all events, because sandbox may wait long enough (sleep()).
○ malware can detect the sandboxing execution, therefore it will stop.
○ some real registry values that can be used by malware will not be provide.
○ lack of dealing with .DLL malware to be executed properly.
○ the sandbox environment OS may not be correct for the malware.
○ a sandbox cannot tell you what the malware does, it may report basic functionality.
○
 Running Malware
● EXE files can be run directly, but DLL files can not.

● We can use Rundll32.exe in order to run .DLL malware :

○ E.g. : run32.dll DLLname, value or number (#5)  rundll32.exe malware.dll, install

● The export value is one of the exported functions you found in dependency walker, for example.

● We can also modify PE header to convert DLL into EXE file.

 Monitoring with Process Monitor Tool
● Monitors registry, file system, network, process and thread activity.
● We can apply filter the display to make it easier to find specific items.
● Do not run it too long, unless it will fill up all RAM and crash the machine.
 Monitoring with Process Explorer Tool
● Monitors the running processed.
● It can show the parent (PPID) and child process (PID).
● Pinks are the services.
● Blues are the running processes.
● Reds are terminated processes.
● Properties of each process may offer various information such as :
○ Image location
○ Strings (image and memory)
○ TC/IP connections
Monitoring with Process Explorer Tool (2)
 Monitoring Registry with Regshot Tool
● Regshot is an open source registry comparison tool that allows you to take
and compare two registry snapshots.
 Faking a Network
● Malware often beacons out and eventually communicates with a command
and-control (C2) server.
● You can create a fake network and quickly obtain network indicators, without
actually connecting to the Internet.
●

.
 Packet Sniffing with Wireshark
● Wireshark is an open source sniffer, a packet capture tool that intercepts and
logs network traffic.
●

.
Windows Registry Analysis

Presented by : Dr. Vahab Iranmanesh

Date : February 7, 2023
 Windows Registry
● Windows Registry can store operating system and program configuration settings:

○ E.g. : desktop background, mouse preferences, etc.

● Malware uses the registry for persistence :

○ Making malware re-start when the system reboots

Registry Terms
● Root keys/Hives: the main 5 sections of Windows registry.

● Key: a section or folder.

● Subkey: a section or folder under another section or folder.

● Value or Data: the data to store in registry.

● Regedit: the command to open Windows registry.

Registry Root Keys/Hives
● HKEY_CLASSES_ROOT (HKCR): contains data related to applications, shortcuts, and file extension
associations.

● HKEY_CURRENT_USER (HKCU): contains data specific to each user with a logon account.

● HKEY_LOCAL_MACHINE (HKLM): contains all the computer-specific information about the hardware
installed and software settings.

● HKEY_USERS (HKU): contains information about all the users who log on to the computer.

● HKEY_CURRENT_CONFIG (HKCC): contains the current hardware profile settings attached to the
computer.
 Run Key in Registry
● Run key can refer to the place where the application at the startup should be
executed automatically.
● HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Autoruns Tool
● Autoruns is Sysinternals tool, which can be used to detect any autorun value
through Windows Registry.
○ Exe files
○ DLL files, which can be loaded into applications
○ Drivers that will be loaded into the Kernel
 Common Registry Functions
● RegOpenKeyEx: Opens a registry key for editing and querying.

● RegSetValueEx: Adds a new value to the registry & sets its data.

● RegGetValue: Returns the data for a value entry in the Registry.

C and Assembly Code
Construction
 Basic Techniques
● Basic static analysis: look at the malware from outside (no execution).
● Basic dynamic analysis: show how the malware operates (execution).
● Disassembly: converting machine code into low-level language such as
assembly.
 Disassembly
● Malware on a disk is in Binary form at the machine code level.

● Disassembly converts the binary form to assembly language.

● IDA Pro and Ghidra are most popular disassemblers.

The x86 Architecture

CPU Components:
● CU: fetches instructions from RAM using Instruction
Pointer (IP).
● Registers: data storage within CPU.
● ALU: executes an instruction to place results in RAM or
registers.
 Main Memory
Memory Components:
● Data: static data or global constants.
● Code: the instructions for the CPU
● Heap: dynamic memory, allocate and free may require.
● Stack: local variables and parameters for functions.
Registers Types:
● General : used by the CPU during execution.
● Segment : used to track sections of memory.
● Status Flags : used to make the decisions.
● Instruction Pointer (IP) : address of the next
instruction to execute.
MOV Instruction
● The simplest and most common instruction is mov, which is used to move data
from one location to another.
● The mov instruction can move data into registers or RAM.
● The format is mov destination, source.
MOV vs. LEA Instruction
Arithmetic
The Stack
● Memory for functions, local variables and flow control

● Last in, first out

● SP (stack pointer)- top of stack

● BP (base pointer) – bottom of stack

● PUSH puts data on the stack

● POP tales data off the stack

 Function Calls
● When calling a small programs such as printf().

● Prologue: instructions at the start of function to prepare stack and registers for the

function.

● Epilogue: instructions at the end of a function to restore the stack and registers to

their state before function call.

Stack Frames
Conditionals
Branching
C Main Method
Global vs. Local Variables
Arithmetic Operations
If statements
Loops
Arrays
.Net Malware Analysis
 Introduction
● Malware can be created using C / C++, Delphi, .Net, OR any programming languages
● .NET  is a programming framework introduce by Microsoft to make programming easier.
■ Allocating or freeing memory in C
■ Very long and complicated code in C++

● C# --> where Net languages can be used to develop some software, application as well as
malware
● Calling Windows APIs using C# is much more easier, which can be used by the author of
malware.
 How .Net work?
• Unlike C / C++ / C# software and
applications including malware, where we
unable to extract x86 assembly code when
the source code is not compiled directly.
When .Net source code compiled it will be
compiled into Microsoft Intermediate
Language (MSIL) format. Where the MSIL
will be fully compiled by Just-in-time (JIT)
compiler when it will be executed on the
machine.
How to Analyze .Net Malware?
When we try to RE an executable file, which is written in C/C++, the
disassembler or debugger will show us assembly code. Where with .Net
compiled executable file, the code can be extracted. Thus, we may need to
have .Net decompile such as dnSpy in order to see the code, which is very
close to malware source code. In this way, the malware authors can use
code obfuscation to ensure that the malware analysis process will be
difficult. We may use static or dynamic analysis after accessing the code.