CE0612 - Advanced Malware Reverse Engineering
Dr. Wajdi Elhamzi
w.elhamzi@psau.edu.sa
2023-2024
Outline
• Introduction to malware
• Basic analysis
• Advanced static analysis
• Advanced dynamic analysis
• Malware functionality
• Anti-reverse-engineering
CH1: Introduction to malware
What Is Malware?
• Malware is code that performs malicious actions; it can take the form of an executable, a script, a code fragment, or any other software.
• Attackers use malware to steal sensitive information, spy on the infected system, or take control of the system.
• It typically gets into your system without your consent and can be delivered via various communication channels such as email, the web, or USB drives.
Malicious actions?
The following are some of the malicious actions performed by malware:
• Disrupting computer operations
• Stealing sensitive information, including personal, business, and financial data
• Gaining unauthorized access to the victim's system
• Spying on the victims
• Sending spam emails
• Engaging in distributed denial-of-service (DDoS) attacks
• Locking up the files on the computer and holding them for ransom
Malware types
• Virus
• Worm
• Backdoor
• Trojan
• Spyware
• Keylogger
• Botnet
• Remote administration tool (RAT)
• Adware
• Rootkit
• Banking malware
• Ransomware
• Downloader or dropper
Virus
• The first kind of malware known to self-replicate.
• It is also called a file infector.
• Viruses survive by infecting and inserting themselves into other healthy files on the system.
Worm
A worm is malware, or a malware component, that spreads to and infects other computers, either via the network or through some physical means such as a USB drive.
Trojan
Malware that masquerades as clean software and is installed on the victim's machine with the user's full knowledge, while the user remains unaware of its real malicious intent.
Examples: software that claims to hack Facebook or email accounts, …
Backdoor
• A backdoor is malware that allows an unauthorized user into devices, applications, and networks.
• Attackers can gain backdoor access using a command-line interface or other text-based commands.
• RAT: Remote Access Trojan, also called a Remote Administration Tool.
Ransomware
Ransomware is a type of malware that locks and encrypts a victim's data, files, devices, or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.
The first iterations of ransomware used only encryption to prevent victims from accessing their files and systems.
Logic / Time Bomb
• A logic bomb is a set of instructions in a program carrying a malicious payload that can attack an operating system, program, or network.
• It only goes off after certain conditions are met; a time bomb is the case where that condition is a date or time.
Spyware
Spyware is malicious software that enters a user's computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user's consent.
(Figure: data sent from the infected device to the attacker)
Adware
• Adware (or advertising software) is the term used for the various pop-up advertisements that show up on your computer or mobile device.
• Adware has the potential to become malicious and harm your device by slowing it down, hijacking your browser, and installing viruses and/or spyware.
(Figure: data sent from the attacker to the infected device)
Fileless
Fileless malware is a type of malicious activity that uses native, legitimate tools built into
a system to execute a cyber attack. Unlike traditional malware, fileless malware does not
require an attacker to install any code on a target's system, making it hard to detect.
Advanced persistent threat (APT)
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.
(Figure: state-sponsored group; remains undetected for an extended period)
Advanced Persistent Threat
• Bootkits
• Rootkits
APT: Rootkit vs Bootkit
Rootkits
• Designed to hide the existence of certain processes from normal methods of detection, to enable continued access to the computer
• Examples: Stuxnet, Flame, ...
Bootkits = boot capability + rootkits
• Are rootkits in which the first point of control is during the boot process.
• This allows the malicious program to be executed before the operating system boots ➔ it runs before the antivirus
• A malicious boot record cannot simply be deleted or moved without damaging the computer
Mass v. Targeted Malware
• Mass malware
– Intended to infect as many machines as possible
– Most common type
• Targeted malware
– Tailored to a specific target
– Very difficult to detect, prevent, and remove
– Requires advanced analysis
– Ex: Stuxnet
Incident Response
• Case history
– A medical clinic with 10 offices found malware on one of their workstations
– Hired a consultant to clean & re-image that machine
• All done—case closed?
Incident Response
• After malware is found, you need to know
– Did an attacker implant a rootkit or trojan on your systems?
– Is the attacker really gone?
– What did the attacker steal or add?
– How did the attacker get in?
• Root-cause analysis
Malware Analysis
• Dissecting malware to understand
– How it works
– How to identify it
– How to defeat or eliminate it
• A critical part of incident response
The Goals of Malware Analysis
• Information required to respond to a network intrusion
– Exactly what happened
– Ensure you've located all infected machines and files
– How to measure and contain the damage
– Find signatures for intrusion detection systems
Signatures
• Host-based signatures
– Identify files or registry keys on a victim computer that indicate an infection
– Focus on what the malware did to the system, not the malware itself
– Different from antivirus signatures
• Network signatures
– Detect malware by analyzing network traffic
– More effective when made using malware analysis
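How host-based signatures fall out of a basic dynamic run, as an added example that is not part of these slides: two constructed snapshots of an analysis VM (file paths with placeholder hashes, registry values) are diffed the way a RegShot comparison is read, and the new files and autostart registry values are reported as signature candidates. The persistence-key list and noise-path list are this example's own assumptions, not a reference.

```python
"""Derive host-based signature candidates (new or changed files and registry
values) from before/after snapshots of an isolated analysis VM, the way an
analyst reads a RegShot comparison. Added example, not from the slides; the
snapshots are constructed and the "hashes" are placeholders, not real digests.
"""
from dataclasses import dataclass, field

# Registry keys where a new value usually means the sample set up persistence.
PERSISTENCE_KEYS = (
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\System\\CurrentControlSet\\Services",
)
# Paths the OS churns on its own; changes there are noise, not indicators.
NOISE_PREFIXES = ("C:\\Windows\\Prefetch\\", "C:\\Windows\\Temp\\")


@dataclass
class Snapshot:
    files: dict      # path -> content hash (placeholder strings here)
    registry: dict   # "key\\value name" -> data


@dataclass
class HostSignature:
    new_files: list = field(default_factory=list)
    modified_files: list = field(default_factory=list)
    changed_registry_values: list = field(default_factory=list)
    persistence: list = field(default_factory=list)   # "value = data"

    def is_empty(self) -> bool:
        return not (self.new_files or self.modified_files
                    or self.changed_registry_values)


def _starts_with_any(text: str, prefixes) -> bool:
    return text.lower().startswith(tuple(p.lower() for p in prefixes))


def diff_snapshots(before: Snapshot, after: Snapshot) -> HostSignature:
    """Keep only the changes worth turning into a host-based signature."""
    sig = HostSignature()
    for path, digest in sorted(after.files.items()):
        if _starts_with_any(path, NOISE_PREFIXES):
            continue
        if path not in before.files:
            sig.new_files.append(path)
        elif before.files[path] != digest:
            sig.modified_files.append(path)
    for value, data in sorted(after.registry.items()):
        if before.registry.get(value) == data:
            continue                         # unchanged value
        sig.changed_registry_values.append(value)
        key = value.rsplit("\\", 1)[0]       # drop the value name, keep the key
        if _starts_with_any(key, PERSISTENCE_KEYS):
            sig.persistence.append(f"{value} = {data}")
    return sig


# Constructed snapshots: the clean VM, then the same VM after running the sample.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
HIDDEN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
BEFORE = Snapshot(
    files={"C:\\Windows\\System32\\kernel32.dll": "hash-k32-v1",
           "C:\\Windows\\System32\\drivers\\etc\\hosts": "hash-hosts-v1",
           "C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf": "hash-pf-v1"},
    registry={RUN_KEY + "OneDrive": "C:\\Users\\lab\\OneDrive.exe", HIDDEN: "1"},
)
AFTER = Snapshot(
    files={"C:\\Windows\\System32\\kernel32.dll": "hash-k32-v1",              # same
           "C:\\Windows\\System32\\drivers\\etc\\hosts": "hash-hosts-v2",     # modified
           "C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf": "hash-pf-v2",    # noise
           "C:\\Windows\\Prefetch\\SVCHOST32.EXE-1A2B3C4D.pf": "hash-pf-new", # noise
           "C:\\Users\\Public\\svchost32.exe": "hash-dropped-v1"},            # dropped
    registry={RUN_KEY + "OneDrive": "C:\\Users\\lab\\OneDrive.exe",
              RUN_KEY + "Updater": "C:\\Users\\Public\\svchost32.exe",        # persistence
              HIDDEN: "2"},                                                   # changed
)

if __name__ == "__main__":
    signature = diff_snapshots(BEFORE, AFTER)
    print("new files:", signature.new_files)
    print("modified files:", signature.modified_files)
    print("persistence:", signature.persistence)
```

The Prefetch entries are dropped on purpose: a signature built from paths the OS rewrites anyway would match clean machines too.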
Static Vs. Dynamic Analysis
• Static Analysis
– Examines malware without running it
– Tools: VirusTotal, strings, a disassembler like IDA Pro
• Dynamic Analysis
– Run the malware and monitor its effect
– Use a virtual machine and take snapshots
– Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT
– RAM analysis: Mandiant Redline and Volatility
Basic Analysis
Basic Static Analysis
• View the malware without looking at its instructions
• Provides information about its functionality (network connections, registry keys, domains)
• Straightforward and easy
• Can be used by most people without deep programming knowledge
• Fails for advanced malware and can miss important behavior
• Doesn't reveal the full extent of the malware's capabilities
Basic Dynamic Analysis
• Running the malware in a safe, isolated lab environment
• Observing its behavior on the system
• Used to remove the infection
• Used to produce effective signatures
• Straightforward and easy
• Fails for advanced malware and can miss important behavior
• Doesn't reveal the full extent of the malware's capabilities
Advanced Analysis
Advanced Static Analysis
• Loading the executable into a disassembler and looking at the program instructions executed by the CPU
• Reverse-engineering with a disassembler
• Tells you exactly what the program does
• Requires knowledge of disassembly, code constructs, and Windows OS concepts and internals
• Takes much longer than basic static analysis
Advanced Dynamic Analysis
• Run the code in a debugger
• Examines the internal state of a running malicious executable
• Gives the ability to modify its execution path and state
• Extracts detailed information from the malicious executable
• Fails for advanced malware and can miss important behavior
• Doesn't reveal the full extent of the malware's capabilities
General Rules for Malware Analysis
• Don't Get Caught in Details
– You don't need to understand 100% of the code
– Focus on key features
• Try Several Tools
– If one tool fails, try another
– Don't get stuck on a hard issue, move along
• Malware authors are constantly raising the bar

CH1- Introduction to malware analysis-v2.pdf
