TOPIC 1-Malware Analysis

The document provides an introduction to malware analysis. It discusses that after malware is found on a system, further analysis is needed to understand how the attack occurred and ensure removal of all infected files. The goals of malware analysis are to gather information required to respond to the intrusion, determine how to measure and contain damage, and find signatures for detection systems. It also describes common types of malware like viruses, worms, trojans, ransomware, and adware as well as the impact they can have on security. The document outlines static and dynamic analysis techniques and demonstrates setting up a malware analysis lab environment using VirtualBox, Windows, and Ubuntu virtual machines along with recommended tools.
Introduction To Malware Analysis
Incident Response - Case history

A medical clinic with 10 offices found malware on one of their workstations. They hired a consultant to clean and re-image that machine. All done, case closed?
Incident Response

After malware is found, you need to know:
• Is the attacker really gone?
• Did an attacker implant a rootkit or trojan on your systems?
• How did the attack get in?
• What did the attacker steal or add?
• Root-cause analysis
Malware Analysis

A critical part of incident response: dissecting malware to understand
• How it works
• How to identify it
• How to defeat or eliminate it
The Goals of Malware Analysis

Information required to respond to a network intrusion:
• Exactly what happened
• Ensure you've located all infected machines and files
• How to measure and contain the damage
• Find signatures for intrusion detection systems
1.1 Describe term of Malware

• Malware is code that performs malicious actions; it can take the form of an executable, script, code, or any other software.
• Attackers use malware to steal sensitive information, spy on the infected system, or take control of the system.
• It typically gets into your system without your consent and can be delivered via various communication channels such as email, web, or USB drives.
1.1.1 Explain type of Malware

• Virus: Malware that is capable of copying itself and spreading to other computers. A virus needs user intervention to spread.
• Worm: Malware that can copy itself and spread to other computers without user intervention.
• Trojan: Malware that disguises itself as a regular program to trick users into installing it on their systems. Once installed, it can perform malicious actions such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams.
• Ransomware: Malware that holds the system for ransom by locking users out of their computer or by encrypting their files.
• Adware: Malware that presents unwanted advertisements (ads) to the user. It usually gets delivered via free downloads and can forcibly install software on your system.
1.1.2 Describe the impact of malware in security environment

The following are some of the malicious actions performed by malware:
• Disrupting computer operations
• Stealing sensitive information, including personal, business, and financial data
• Unauthorized access to the victim's system
• Spying on the victims
• Sending spam emails
• Engaging in distributed denial-of-service (DDoS) attacks
• Locking up the files on the computer and holding them for ransom
1.2 Identifies types of Malware Analysis

1.2.1 Explain Static Analysis
1.2.2 Explain Dynamic Analysis

1.2.1 Explain Static Analysis

This is the process of analyzing a binary without executing it. It is the easiest technique to perform and allows you to extract the metadata associated with the suspect binary. Static analysis might not reveal all the required information, but it can sometimes provide interesting information that helps in determining where to focus your subsequent analysis efforts.
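As an added illustration of the metadata static analysis extracts (example code written for this page, not taken from the slides or from any of the tools they list), the script below runs a small static triage over a constructed byte string shaped like a PE file: it identifies the file type from magic bytes, validates the MZ/PE header, computes the usual hashes, and pulls out printable strings, flagging URLs and commonly abused Windows API names. The sample bytes, the `malicious.example` URL and the API watch list are constructed assumptions; the same functions work on real file contents read with `open(path, "rb").read()`.

```python
import hashlib
import re
import struct

# Constructed sample (not a real malware file): a minimal MZ/PE header layout
# with a few embedded strings of the kind an analyst looks for during triage.
SAMPLE = (
    b"MZ" + b"\x90" * 58            # DOS header; offset 0x3C holds e_lfanew
    + b"\x80\x00\x00\x00"           # e_lfanew = 0x80 (little-endian)
    + b"\x00" * 64                  # padding up to offset 0x80
    + b"PE\x00\x00"                 # PE signature
    + b"\x00" * 20
    + b"http://malicious.example/beacon\x00"   # constructed URL string
    + b"CreateRemoteThread\x00"               # imported API name in clear
    + b"\x01\x02\x03"
)

# First bytes that identify common container formats (magic numbers).
MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (Office, JAR, APK, ...)"),
]

# Windows API names that often appear in injection or downloader code; this is
# an assumed watch list, a cue for where to look next rather than a verdict.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "URLDownloadToFileA", "WinExec", "ShellExecuteA",
}


def file_type(data):
    """Classify the file from its leading magic bytes."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def is_pe(data):
    """True if the MZ stub's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hashes(data):
    """Digests used to look the sample up in intel feeds and sandboxes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the 'strings' tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Collect the static metadata an analyst records before deeper work."""
    strs = ascii_strings(data)
    return {
        "type": file_type(data),
        "valid_pe": is_pe(data),
        "hashes": hashes(data),
        "urls": [s for s in strs if re.match(r"https?://", s)],
        "suspicious_apis": sorted(set(strs) & SUSPICIOUS_APIS),
        "string_count": len(strs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The API list is a starting point for where to look, not a verdict: packed or obfuscated samples (which is why `upx` is on the lab tool list) hide such strings, and that is one reason static analysis alone can miss functionality and dynamic analysis follows it.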


1.2.2 Explain Dynamic Analysis

This is the process of executing the suspect binary in an isolated environment and monitoring its behavior. This technique is easy to perform and gives valuable insights into the activity of the binary during its execution. It is useful, but it does not reveal all the functionalities of the hostile program, since only the code paths taken during that particular run are observed.
1.3 Demonstrate Malware Analysis Lab Environment

1.3.1 Uses VirtualBox/VMware for Malware Analysis Lab Environment
1.3.2 Uses Windows for Malware Analysis Lab Environment
1.3.3 Uses Ubuntu for Malware Analysis Lab Environment

Lab Environment setup

1. VirtualBox / VMware
2. Windows 7
3. Ubuntu
Linux VM – Update and tool installation

$ sudo apt-get update
$ sudo apt-get install python-pip
$ pip install --upgrade pip
# build tools and headers needed to compile the Python bindings below
$ sudo apt-get install build-essential libffi-dev python python-dev libfuzzy-dev
# packer and PE parsing
$ sudo apt-get install upx
$ sudo pip install pefile
# YARA rule engine and its Python binding
$ sudo apt-get install yara
$ sudo pip install yara-python
# fuzzy hashing (ssdeep) and file-type identification
$ sudo apt-get install ssdeep
$ sudo pip install ssdeep
$ sudo apt-get install python-magic
# network capture
$ sudo apt-get install wireshark
$ sudo apt-get install tshark


Linux VM – Update and tool installation

# enable the "universe" repository, which provides python-pip
• sudo apt-get install software-properties-common
• sudo apt-add-repository universe
• sudo apt-get update
• sudo apt-get install python-pip


Linux VM – Installing INetSIM

INetSim is a powerful utility that simulates various Internet services (such as DNS and HTTP) that malware frequently expects to interact with.

# import the INetSim archive signing key (either line is enough; the second
# assumes the .asc file has already been downloaded); the INetSim apt
# repository itself must also be added to sources.list before installing
 apt-key adv --fetch-keys http://www.inetsim.org/inetsim-archive-signing-key.asc
 cat inetsim-archive-signing-key.asc | apt-key add -
 apt install inetsim

https://www.youtube.com/watch?v=BGhZ0o0s7eM
Linux VM - Networking

$ sudo gedit /etc/network/interfaces

Add the following entries at the end of the file (make sure you replace ens33 with the interface name on your system) and save it:

auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0
Linux VM - Networking

$ sudo gedit /etc/inetsim/inetsim.conf

Go to the service_bind_address section in the configuration file and add the entry shown here:

service_bind_address 192.168.1.100

By default, INetSim's DNS server will resolve all the domain names to 127.0.0.1. Instead of that, we want the domain name to resolve to 192.168.1.100 (the IP address of the Linux VM). To do that, go to the dns_default_ip section in the configuration file and add an entry as shown here:

dns_default_ip 192.168.1.100
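The two inetsim.conf changes above fail silently when they are wrong: if either key is left at the loopback default, traffic from the Windows VM never reaches the simulated services. The following added example (written for this page, not from the slides or from INetSim itself) parses inetsim.conf-style text and reports which bindings still point away from the Linux VM address. The two configuration excerpts and the 192.168.1.100 address are constructed from the values on the slides; to check a real lab, pass `open("/etc/inetsim/inetsim.conf").read()` to `check_lab_binding`.

```python
import ipaddress

LINUX_VM_IP = "192.168.1.100"  # static address assigned to ens33 on the slides

# Constructed excerpts in the inetsim.conf 'key value' style: the lab before
# editing (loopback defaults) and after the two changes described above.
BEFORE_EDIT = """\
# INetSim configuration (constructed excerpt)
service_bind_address    127.0.0.1
dns_default_ip          127.0.0.1
"""

AFTER_EDIT = """\
# INetSim configuration (constructed excerpt)
service_bind_address    192.168.1.100
dns_default_ip          192.168.1.100
"""


def parse_conf(text):
    """Return {key: value} for each non-comment 'key value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_lab_binding(text, vm_ip=LINUX_VM_IP):
    """List the problems that would stop the Windows VM from reaching INetSim.

    An empty list means both keys point at the Linux VM's lab address.
    """
    settings = parse_conf(text)
    problems = []
    for key in ("service_bind_address", "dns_default_ip"):
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} not set; INetSim's built-in default applies")
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{key} is not an IP address: {value!r}")
            continue
        if addr.is_loopback:
            problems.append(f"{key} is loopback ({value}); unreachable from the Windows VM")
        elif str(addr) != vm_ip:
            problems.append(f"{key} is {value}, expected the Linux VM address {vm_ip}")
    return problems


if __name__ == "__main__":
    for label, conf in (("before edit", BEFORE_EDIT), ("after edit", AFTER_EDIT)):
        print(f"{label}: {check_lab_binding(conf) or 'OK'}")
```

The check mirrors the slide's reasoning: every domain the sample asks for resolves to the Linux VM, and every service it then contacts is bound on that same address, so the whole conversation stays inside the host-only network.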
Linux VM

Install Guest Additions
Shared Clipboard and Drag 'n' Drop - Bidirectional

Windows 7 – Networking
Windows 7 – Turn off Windows Defender

Windows key + R to open the Run menu, enter gpedit.msc, then navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Defender.
Windows 7 – Flare VM

After installation of Win 7 – Install Flare VM

https://github.com/fireeye/flare-vm

Follow the instructions in the GitHub repository.

Malware Sources

• thezoo: http://thezoo.morirt.com/
• hybrid analysis: https://www.hybrid-analysis.com/
• virusbay: https://beta.virusbay.io/
• virusshare: https://virusshare.com/
