Introduction To Malware
What is Malware?
● Malicious Software (malware)
● software designed to harm the user’s computer or data
Types of Malware
● Viruses: Self-replicating by modifying other computer programs and inserting its own code.
● Worm: standalone malware that replicates itself, mainly by exploiting vulnerabilities over the network.
● Backdoor: Allows unauthorized access to compromised computers.
● Ransomware: may lock the system or its files without damaging them, then demands a ransom.
● Trojan: misleads users of its true intent.
● Rootkit: software that actively hides its presence on the system.
● Spyware: aims to gather information about a person or organization and send it to the attacker.
● Keylogger: recording the keys struck on a keyboard.
● Adware: generating online advertisements in the user interface.
● Bots: infect a system, steal data, or commit other fraudulent activities.
● Fileless Malware: operates by making changes to files and tools that are native to the OS rather than writing its own files to disk.
● Cryptojacking: hijacking a computer to mine cryptocurrencies.
How Does Malware Spread?
● Vulnerabilities: A security issue in software allows malware to exploit it.
● Social engineering and email: staff can be tricked into downloading and executing malware through a phishing attack.
● Backdooring: An intended or unintended opening in software.
● Drive-by downloads: unintended download of software from the Internet.
● Privilege escalation: the attacker may use malware to gain higher permission.
● File sharing: malware is spread through files shared over the network.
● Web apps: a compromised website may provide malware.
● P2P networks: using peer-to-peer networks such as BitTorrent.
Where can malware hide itself?
● Email attachments
● Links sent by email
● Software or applications
● Online ads
● Infected websites
● Torrent downloads
● Documents (doc, csv, pdf, …)
● Fake software updates
● Social media posts and messages
● Fake Wi-Fi
● Various files (.py, .txt, .jar, …)
● Infected browsers and plug-ins
● USB sticks
● Critical system files
● Windows registry
● Temporary folders
Malware Analysis Methodologies
● Static Analysis: basic static analysis does not require that the code is actually run.
● Static analysis examines the file for signs of malicious intent.
● It can be useful to identify malicious infrastructure, libraries or packed files.
● Technical indicators are identified, such as:
○ file names, hashes, strings such as IP addresses and domains, and file header data, which can be used to determine whether the file is malicious.
● Tools like disassemblers can be used to observe the malware without actually running it, in order to collect information on how the malware works.
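As an added example (not from the original slides), the string-based indicator gathering described above, in Python: it pulls printable ASCII and UTF-16LE strings out of a constructed sample blob and matches them against IP-address, domain, URL and Windows-path patterns. The sample bytes and the short TLD list are assumptions made here.

```python
import re

# Constructed sample "binary": an ASCII URL, a UTF-16LE path, an IPv4 address and junk bytes.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00"
    + b"http://update-check.example.com/gate.php\x00"
    + b"\x01\x02\x7f"
    + "C:\\Users\\Public\\svc.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe198.51.100.23\x00"
    + b"ab\x00"                       # shorter than MIN_LEN, so ignored like `strings` would
)
MIN_LEN = 4

def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII, like the `strings` tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def utf16_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable characters stored as UTF-16LE, common in Windows binaries."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]

# Technical indicators from the slide: IP addresses and domains (plus URLs and Windows paths).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|ru)\b", re.I),   # assumed TLD list
    "win_path": re.compile(r"[A-Za-z]:\\(?:[^\\\x00]+\\)*[^\\\x00]*"),
}

def extract_iocs(data: bytes) -> dict:
    """Run every IOC pattern over every extracted string; returns sorted, de-duplicated hits."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for s in ascii_strings(data) + utf16_strings(data):
        for kind, pat in IOC_PATTERNS.items():
            found[kind].update(pat.findall(s))
    return {kind: sorted(hits) for kind, hits in found.items()}
```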
Malware Analysis Methodologies (2)
● Dynamic Analysis: executes suspected malicious code in a safe environment called a sandbox.
● Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat.
● Sandboxing also eliminates the time it would take to reverse engineer a file to discover the malicious code.
Malware Analysis Methodologies (3)
● Hybrid Analysis: by combining static and dynamic analysis techniques, hybrid analysis gives the security team the best of both approaches.
● It can detect malicious code that is trying to hide, and can then extract many more indicators of compromise (IOCs) by statically analyzing the previously unseen code.
Malware Detection Techniques
● Signature-Based Detection: uses the unique digital footprint of a file, known as a signature (e.g. a hash value/digest).
● When an antivirus program identifies software that matches a known signature, it stops the process and either quarantines or deletes the file.
Malware Detection Techniques (2)
● Application Allowlisting: an allowlist (whitelist) of approved applications; everything else is blocked.
● This solution is not perfect but can be highly effective, especially in high-security environments.
Malware Detection Techniques (3)
● Heuristic analysis: a method of detecting viruses by examining code for suspicious properties or behavior.
● It was designed to spot unknown new viruses and modified versions of existing threats.
Malware Detection Techniques (4)
● Machine Learning Behavioral Analysis: based on artificial intelligence and machine learning (AI/ML); it learns to differentiate between legitimate and malicious files and processes, even if they do not match any known pattern or signature.
Malware Detection Techniques (5)
● Sandboxing: Sandboxes detect malware by testing potentially malicious code
in an isolated virtual environment.
● This allows researchers to observe the code’s real behavior in a safe
environment.
Malware Detection Techniques (6)
● Endpoint Detection and Response (EDR): monitors and records data and
events from endpoint logs and packets.
● The collected data is analyzed to see what happens after infection and to look
for IOCs.
Basic Static Malware Analysis
● Indicators that an executable is packed:
○ The program has few imports, particularly if the only imports are LoadLibrary and GetProcAddress.
○ When the program is opened in IDA Pro/Ghidra, only a small amount of code is recognized by the automatic analysis.
○ When the program is opened in OllyDbg (a debugger), there is a warning that the program may be packed.
○ The program has section names that indicate a particular packer (such as UPX0).
○ The program has abnormal section sizes, such as a .text section with a Size of Raw Data of 0 and a nonzero Virtual Size.
○ Packer-detection tools such as PEiD can also be used to determine if an executable is packed.
○ Packed executables can also be detected by entropy calculation (a measure of randomness): compressed or encrypted sections have high entropy.
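An added example (not from the slides) that checks several of these packing indicators programmatically in Python: it walks a PE section table by hand, computes Shannon entropy per section, and tests the import list. The two PE images are constructed inline for the demo, and the entropy threshold of 7.0 is an assumption.

```python
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for constant data, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in range(256)) if c)

def pe_sections(image: bytes):
    """Walk the PE section table, yielding (name, virtual_size, raw_size, raw_bytes)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew in the DOS header
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]        # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                    # section headers follow it
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, image[raw_ptr:raw_ptr + raw_size]

def packing_indicators(image: bytes, imports) -> list:
    """Reasons the sample looks packed (the slide's indicators); an empty list means none fired."""
    hits = []
    if imports and set(imports) <= {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}:
        hits.append("imports are only LoadLibrary/GetProcAddress")
    for name, vsize, raw_size, data in pe_sections(image):
        if name.startswith("UPX"):
            hits.append("section name %s indicates the UPX packer" % name)
        if raw_size == 0 and vsize > 0:
            hits.append("section %s has raw size 0 but virtual size %#x" % (name, vsize))
        if raw_size >= 64 and shannon_entropy(data) > 7.0:
            hits.append("section %s has entropy %.2f (above 7.0)" % (name, shannon_entropy(data)))
    return hits

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, section table, data) for the demo only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blob, ptr = b"", b"", 64 + 24 + 40 * len(sections)
    for name, vsize, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000, len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blob, ptr = blob + data, ptr + len(data)
    return dos + coff + table + blob

_rng = random.Random(1)                      # deterministic stand-in for a compressed payload
PACKED = build_sample_pe([(b"UPX0", 0x8000, b""),                                   # raw 0, virtual nonzero
                          (b"UPX1", 0x3000, bytes(_rng.randrange(256) for _ in range(2048)))])
CLEAN = build_sample_pe([(b".text", 0x400, b"\x55\x8b\xec" * 100 + b"\xc3")])
```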
Unpacking Options
● There are three options for unpacking a packed executable:
○ Disadvantages: no internet connection (no traffic analysis); it might be difficult to remove the malware.
○ Advantages: some malware may detect a virtual machine and won't run properly.
Why Dynamic Analysis?
● Static malware analysis might not be able to extract information about the malware due to:
○ Obfuscation
○ Packing
○ Encryption
○ Confusion
● Dynamic analysis will gather more information since it will focus on the behavior of the
malware.
Sandboxes
● All-in-one software for basic dynamic analysis.
● Virtualized environment that simulates network services.
● Sandboxes can produce a PDF report at the end of the run.
● Some examples are:
○ Any.run website
○ Hybrid-analysis.com website
○ Joe sandbox
○ Cuckoo sandbox
Sandboxes (2)
● Sandboxes may have some disadvantages:
○ the sandbox simply runs the executable, without command-line options.
○ a dropper will not work, since the second stage will not be downloaded.
○ the sandbox may not record all events, because it may not wait long enough (e.g. malware that calls sleep()).
○ malware can detect that it is executing in a sandbox and therefore stop.
○ some real registry values that malware may use will not be provided.
○ DLL malware may not be executed properly.
○ the sandbox's OS may not be the right environment for the malware.
○ a sandbox cannot tell you everything the malware does; it may report only basic functionality.
Running Malware
● EXE files can be run directly, but DLL files cannot.
● The export value is one of the exported functions you found in Dependency Walker, for example.
Packet Sniffing with Wireshark
● Wireshark is an open source sniffer, a packet capture tool that intercepts and
logs network traffic.
Windows Registry Analysis
● HKEY_CURRENT_USER (HKCU): contains data specific to each user with a logon account.
● HKEY_LOCAL_MACHINE (HKLM): contains all the computer-specific information about the hardware
installed and software settings.
● HKEY_USERS (HKU): contains information about all the users who log on to the computer.
● HKEY_CURRENT_CONFIG (HKCC): contains the current hardware profile settings attached to the
computer.
Run Key in Registry
● The Run key is the registry location that lists applications to be executed automatically at startup.
● HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Autoruns Tool
● Autoruns is a Sysinternals tool that can be used to detect any autorun value configured through the Windows Registry, including:
○ EXE files
○ DLL files, which can be loaded into applications
○ Drivers that will be loaded into the kernel
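An added example (not from the slides) of triaging Run-key entries the way an analyst would read Autoruns output: Python heuristics over constructed (key, name, command) triples. The HKCU twin of the slide's HKLM key, the suspicious-folder list and the DLL-host list are assumptions made here.

```python
# Run keys: the HKLM key from the slide plus its per-user twin under HKCU (assumed, same path).
RUN_KEYS = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
)
# User-writable locations (temporary folders, as on the hiding-places slide, plus a few more; assumed list).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\downloads\\")
# Host processes that load a DLL on behalf of the Run entry (assumed list).
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")

def executable_path(command: str) -> str:
    """First token of a Run value: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def audit_run_value(command: str) -> list:
    """Reasons a single Run value deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    exe_name = executable_path(command).lower().rsplit("\\", 1)[-1]
    if any(d in command.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("references a temporary or user-writable folder")
    if exe_name in DLL_HOSTS:
        reasons.append("loads a DLL through %s" % exe_name)
    if not exe_name.endswith(".exe"):
        reasons.append("entry does not launch a plain executable")
    return reasons

def audit(entries) -> dict:
    """entries: (key, value_name, command) triples as Autoruns or `reg query` would list them."""
    flagged = {}
    for key, name, command in entries:
        reasons = audit_run_value(command)
        if reasons:
            flagged[(key, name)] = reasons
    return flagged

# Constructed Run entries for the demo: two benign-looking, two that trip the checks.
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    (RUN_KEYS[1], "OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    (RUN_KEYS[1], "Updater", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe -s"),
    (RUN_KEYS[0], "Loader", 'rundll32.exe "C:\\Users\\Public\\load.dll",Start'),
]
```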
Common Registry Functions
● RegOpenKeyEx: Opens a registry key for editing and querying.
● RegSetValueEx: Adds a new value to the registry & sets its data.
CPU Components:
● CU (Control Unit): fetches instructions from RAM using the Instruction Pointer (IP).
● Registers: data storage within CPU.
● ALU (Arithmetic Logic Unit): executes an instruction and places the result in RAM or in registers.
Main Memory
Memory Components:
● Data: static data or global constants.
● Code: the instructions for the CPU
● Heap: dynamic memory that the program allocates and frees as required.
● Stack: local variables and parameters for functions.
Register Types:
● General: used by the CPU during execution.
● Segment: used to track sections of memory.
● Status Flags: used to make decisions.
● Instruction Pointer (IP): address of the next instruction to execute.
MOV Instruction
● The simplest and most common instruction is mov, which is used to move data
from one location to another.
● The mov instruction can move data into registers or RAM.
● The format is mov destination, source.
MOV vs. LEA Instruction
Arithmetic
The Stack
● Memory for functions, local variables and flow control
● Prologue: instructions at the start of function to prepare stack and registers for the
function.
● Epilogue: instructions at the end of a function to restore the stack and registers to
● C#: a .NET language that can be used to develop software and applications, as well as malware.
● Calling Windows APIs from C# is much easier, which malware authors can take advantage of.
How does .NET work?
• Unlike C/C++ software and applications, including malware, where the source code is compiled directly to machine code and only x86 assembly can be extracted from the binary, .NET source code is compiled into Microsoft Intermediate Language (MSIL). The MSIL is then fully compiled by the Just-in-Time (JIT) compiler when it is executed on the machine.
How to Analyze .NET Malware?
When we try to reverse engineer (RE) an executable written in C/C++, the disassembler or debugger shows us assembly code. With a compiled .NET executable, the code itself can be recovered, so we may need a .NET decompiler such as dnSpy to see code that is very close to the malware's source. Because of this, malware authors may use code obfuscation to make the analysis process difficult. After accessing the code, we may use static or dynamic analysis.