MALWARE ANALYSIS

Download file: MALWARE.zip

Dear Reader,

Analyzing malware, or malicious software, is more of an art than a technique. Because of the wide variety of these products, there are limitless ways to hide functionality. We decided to return to this topic and help you acquire ninja skills!

What you have in front of you is a brand new edition of Eforensics Computer, dedicated to the topic of malware analysis. Hopefully you will find this one special and that it broadens your digital horizons.

TABLE OF CONTENTS

1. MALWARE ANALYSIS by Monnappa K A

When your company is attacked by malware, you need to respond quickly to remediate the infection and prevent future ones from occurring. You also need to determine the indicators of the malware in order to establish better security controls. Malware analysis is the process of understanding the behaviour and characteristics of malware, and how to detect and eliminate it.

2. ASKING THE MALWARE DEVELOPER. THE WORLD WHERE THE INFECTED USER ASKS THE MALWARE DEVELOPER HOW TO CLEAN HIS COMPUTER by Javier Nieto Arevalo

We live in an awesome era where technology is improving every day, and really fast. We have benefited greatly from these advances, but there is a problem: the hackers are improving their malicious activities faster than we can counter them. It is like doping and anti-doping techniques: we know that the bad guys are years ahead of the good guys.

3. EXTRACTING NETWORK SIGNATURES FROM MALWARE SAMPLES – JRAT A CASE STUDY by Kevin Breen

Reverse engineering malware is seen by many as a dark art: geeks in dark rooms surrounded by monitors filled with assembly language, windows dominated by IDA graphs, OllyDbg, breakpoints and register contents. While it is true that this will yield a wealth of information about the malware's capabilities and can be a dark art, when it comes to providing a defensive capability to your corporation or CERT this level of analysis is not always required. Detection is the key component.

4. WINDBG TRICKS by Deepak Gupta

Many malware families these days are bundled with kernel-mode drivers for their process and file protection, and sometimes for data filtering. Using WinDbg you can easily determine whether a threat uses a kernel-mode driver for its operations. This article shows how to tell whether a threat uses a kernel driver.

5. INTRUSION DETECTION USING A VIRTUAL MACHINE ENVIRONMENT by Niranjan P. Reddy

Malware attacks against single hosts and networks are extremely dangerous and could compromise the security of the entire network. Protection from malware is one of the top worries for system administrators, who have to ensure that there are no unnecessary threats to their systems. These threats can adversely affect a running business or other mission-critical operations. Over the past few years, intrusion detection and other security measures have gained critical importance in the fight against malware. Selecting the right IDS is the key to mitigating malware attacks. This article discusses an attempt to create a more robust IDS while noting the limitations of traditional detection systems.

6. MALWARE FORENSICS: THE ART OF REVERSE ENGINEERING by Arnaud Gatignol, postgraduate student and Dr. Stilianos Vidalis, Lecturer at Staffordshire University

In any case, there are two main scenarios when it comes to malware infection: you either have experienced the specific malware before, or you haven't. Generalising, the process of handling malware consists of two stages: identification and analysis (a proper IR framework is discussed later in the article). The main stage of the process is the analysis, which provides the artefacts (and the evidence) necessary for future identification.

7. SUSPICIOUS FILE ANALYSIS WITH PEFRAME by Chintan Gurjar

What is Peframe? It is a Python-based tool used to assist in the analysis of PE files. There are many different tools available for malware analysis, but this tool is built specifically for analysing Portable Executable malware, such as .exe and .dll files.

8. INDICATORS OF COMPROMISE TO FIND EVIL by Adam Kliarsky

The threats we face today are more sophisticated than ever before. Attackers are leveraging vulnerabilities in computers and humans alike, and their tools are more advanced.
So what happens when we're hit with malware that is new and unknown? How can we identify the threat in order to remediate it? Enter malware forensics. The need for incident response teams to conduct forensic analysis on systems to collect and analyze artifacts is becoming a basic requirement.

9. HOW TO ANALYZE A TRAFFIC CAPTURE by Javier Nieto Arevalo

We live in an era where signature-based antivirus makes less sense if we want to fight against hackers who create customized malware only for their targets. This kind of malware is commonly known as an Advanced Persistent Threat (APT), and it is really interesting to research where the host was infected, the connections back to the Command and Control server to fetch instructions, and to evaluate the damage done by the malware. Sometimes it is easier to detect infected hosts in the network by analyzing the network traffic than by using an antivirus running on the host.

10. HUNTING FOR MALICIOUS ACTIVITY IN THE WINDOWS REGISTRY by Timothy Yip

The Windows registry is a known source of trace evidence of malicious activity: from persistence mechanisms like auto-start keys and DLL auto-inject keys, to traces of malware execution in locations such as the MUICache and the AppCompatCache. Such evidence makes analyzing the registry hives a critical step in any intrusion analysis of Windows machines. This article aims to provide a guide to fundamental tools and techniques that can be applied to intrusion investigations.


July 30, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023