Dynamic vs Static Malware Analysis Tools

Questions and Answers

What type of malware allows an attacker to control the system?

Launcher

Botnet

Rootkit

Backdoor (correct)

Which tool is commonly used for basic static malware analysis to view malware without looking at instructions?

RegShot

Volatility

Process Monitor

VirusTotal (correct)

What is the main purpose of a downloader type of malware?

To frighten users into buying something

To conceal the existence of other code

To download other malicious code (correct)

To copy itself and infect additional computers

Which type of malware is typically used to ensure stealth or greater access to a system by employing unconventional techniques?

Rootkit

Which analysis technique involves running the malware and monitoring its effects?

Dynamic analysis

What type of malware frightens users into purchasing something they do not need?

Scareware

What is a common goal of incident response after malware is found?

To locate all infected machines and files

Which of the following is a key aspect of root-cause analysis in malware analysis?

Understanding how the attack occurred

What is a primary focus of host-based signatures in malware analysis?

Identifying infected files or registry keys

What distinguishes network signatures from host-based signatures in malware analysis?

Network signatures detect malware by analyzing network traffic

Which of the following is a primary purpose of malware analysis?

To dissect malware to understand its functionality

What is a fundamental principle of basic static analysis techniques in malware analysis?

Analyze the behavior of the malware on an isolated system

What is the main difference between mass malware and targeted malware?

Mass malware is intended to infect as many machines as possible, while targeted malware is tailored to a specific target.

What is the purpose of hashing in malware analysis?

To identify unique file fingerprints of malware

Why might using VirusTotal for antivirus scanning be a concern?

It may alert attackers that they've been caught

What does the strings command in Linux do?

Finds all strings in a file 3 or more characters long

What is the purpose of packing files in malware analysis?

To make the strings and instructions unreadable

How does dynamic linking differ from static linking?

Dynamic linking links libraries when the program is loaded

What can the PE header reveal about a program's functionality?

The names of libraries and functions that will be loaded

What does the IMAGE_SECTION_HEADER's Virtual Size represent in PE files?

RAM size of raw data

What is the purpose of Resource Hacker in browsing a program's.rsrc section?

To browse strings, icons, and menus

What is the common method for detecting packers in malware analysis?

Utilizing PEiD tool

Study Notes

Types of Malware

• Remote Access Trojans (RATs) allow attackers to take full control of infected systems.
• Downloaders enable attackers to download further malicious payloads onto a compromised device.
• Scareware tricks users into purchasing unnecessary software or services.

Malware Analysis Tools and Techniques

• Strings command in Linux extracts printable strings from binary files, aiding in static analysis.
• Basic static analysis tools provide a way to view malware without executing instructions.
• Dynamic analysis involves executing malware in a controlled environment and observing its behavior.
• Resource Hacker is used to browse and modify resources in executable files, focusing on .rsrc sections.

Malware Characteristics

• Stealthy malware often uses unconventional techniques to maintain access or remain undetected.
• Root-cause analysis aims to identify the underlying cause of malware infections.
• Host-based signatures focus on detecting malware based on indicators found within endpoint systems.
• Network signatures detect malware behaviors based on traffic patterns rather than device indicators.

Malware Classification

• Mass malware targets a wide audience, while targeted malware focuses on specific individuals or organizations.
• Packing involves compressing or encrypting malware to evade detection methods.
• IMAGE_SECTION_HEADER's Virtual Size reveals the size allocated for various sections in PE (Portable Executable) files.

Incident Response and Analysis

• A common goal of incident response is to minimize damage and recover systems after a malware incident.
• Hashing identifies unique file signatures, ensuring the integrity and authenticity of files during analysis.

Concerns in Malware Detection

• Using VirusTotal for scanning can raise privacy concerns since uploaded files might be shared with third parties.
• Dynamic linking allows programs to use shared libraries at runtime, while static linking incorporates all libraries into the executable.

Detecting Malware

• Detecting packers often involves analyzing file characteristics and behavior patterns to identify obfuscation techniques.

Description

Explore the differences between dynamic and static malware analysis, along with the tools used for each approach. Learn about examining malware without running it using tools like VirusTotal and IDA Pro, and running malware in a controlled environment with tools like RegShot and Process Monitor.