Week 1 - Lecture
Malware Forensics
What to expect?
● Challenging module material; the caveat is that it is highly relevant to cyber security and well paid.
● Labs will mostly consist of analysing malware samples and some C/assembly programming exercises to understand reverse engineering.
● Lectures and labs will be in-person.
● Leads into the Vulnerability Discovery and Exploitation (VDE) module.
● You are expected to understand assembly and C (not to create programs, but to reverse engineer them).
Assessments
● Coursework - Malware Analysis, Report, 3000 words (70%)
● Exam - 60 mins (30%)
Disclaimer
● We will be using real malware (malicious software).
● Hence, some of it will be designed to:
○ Be malicious
○ Propagate automatically
○ Hide itself cunningly
○ Destroy / copy / etc. your data
● Practical Malware Analysis
https://www.amazon.co.uk/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/
● C in a Nutshell
https://www.amazon.co.uk/C-Nutshell-Peter-Prinz/dp/1491904755/
Malware Analysis and Malware Types
What Is Malware and Malware Analysis?
Definitions
● MALicious softWARE – MALWARE
● Malware Analysis - The art of dissecting malware to understand how it works, in order to defeat or eliminate it.
Characteristics
● A payload which does something malicious
● May propagate
● May call home
● May hide itself
● May cause damage
● May be obfuscated
Goals
● Make money, destroy data, steal files or data, encrypt files, annoy, etc.
Why learn it?
Malware analyst (jobs: search Indeed.com)
● Incident response
● Security Operations Center (SOC) analyst
Threat researcher/Malware researcher
● Threat hunting
Security engineer
● Configuring security products like firewall, Endpoint, IPS, IDS etc.
● Configuring operating systems
Blue / Red team
● “Blue team is a group of individuals who perform an analysis of information systems to ensure
security, identify security flaws, verify the effectiveness of each security measure, and to make
certain all security measures will continue to be effective after implementation.” Ref:
https://en.wikipedia.org/wiki/Blue_team_(computer_security)
● “A red team or team red are a group that plays the role of an enemy or competitor to provide
security feedback from that perspective.” Ref: https://en.wikipedia.org/wiki/Red_team
Timeline / Goals of Malware Analysis
● Incident response - determine exactly what happened, and to ensure that you’ve located all
infected machines and files.
● Analysis of the suspected malware - determine exactly what a particular suspect binary can do, how to detect it on your network, and how to measure and contain its damage.
● Full malware analysis of identified malware(s) and explanation of a major intrusion (i.e., via a
report).
Host-based signatures
Used to detect malicious code on victim computers by focusing on what the malware does to a system.
Network signatures
Used to detect malicious code by monitoring network traffic for distinct characteristics/activity.
● Looking for patterns of activity, e.g. domain queries, IP addresses, protocols, command and control access.
● Patterns identified can be used to build rules to find such traffic on the network e.g., via IDS rules
Basic Static Analysis consists of examining the executable file without viewing the actual instructions.
Basic Dynamic Analysis involves running the malware and observing its behavior on the system.
● Before you can run malware safely, you must set up an environment that will allow you to study the running
malware.
● Provides insights into the actions the malware takes on a system without delving into its code/asm.
● Won’t be effective with all malware and can miss important functionality.
Malware Analysis Techniques
Advanced Static Analysis
● Advanced static analysis consists of reverse-engineering the malware’s internals by
loading the executable into a disassembler and looking at the program instructions
in order to discover what the program does.
● Has a much steeper learning curve than basic static analysis and requires
specialized knowledge of disassembly, code constructs, and Windows operating
system concepts.
Advanced Dynamic Analysis
● Advanced dynamic analysis uses a debugger to examine the internal state of a
running malicious executable.
● Advanced dynamic analysis techniques provide another way to extract detailed
information from an executable.
● These techniques are most useful when you’re trying to obtain information that is
difficult to gather with the other techniques.
Types of Malware
There are some signs and behaviors that could indicate the presence of different types of malware.
● Malware can be broadly categorised by its characteristics and behaviours.
● Knowing the type will often speed up your analysis, as you can make educated guesses about what the malware does.
● You can make better guesses if you know the kinds of things that malware usually does.
Identifying types of malware can be challenging due to their often stealthy nature and the increasing
sophistication of malware techniques and polymorphism.
Ransomware
● Encrypts the victim's data and demands a ransom for the decryption key.
● Can be particularly damaging
● Used in high-profile attacks against organizations and municipalities.
Spyware
● Designed to spy on the user - can capture keystrokes, screenshots, and other sensitive
information, often without the user's knowledge.
● Can be installed via deceptive pop-up ads, free software installations, or malicious email
attachments.
Adware
● Serves unwanted ads to the user, often in the form of pop-up windows or banners.
Simple Adware in C - only for reference
    #include <windows.h>
    #include <shellapi.h>   // ShellExecuteW; link with shell32.lib

    int main(void) {
        // Windows API call: opens the URL in the user's default web browser.
        // The opened window then loads an HTML page carrying the advert.
        ShellExecuteW(NULL, NULL, L"http://www.mysite.com/showad", NULL, NULL, SW_SHOW);
        return 0;
    }
Common Types of Malware
Rootkits
● Specifically designed to hide their presence and actions, making detection and removal more
difficult.
Keyloggers
Fileless Malware
● This is a relatively new category of malware that operates directly in the computer’s memory and
does not write any files to the disk, making it more difficult to detect.
Simple Keylogger in C - only for reference
    #include <windows.h>
    #include <stdio.h>

    int main(void) {
        while (1) {
            // Polling loop; the keystroke-capture body is not reproduced on the slide.
        }
        return 0;
    }
Botnets
● Not a standalone type of malware per se.
● Botnets are networks of compromised computers controlled by an attacker via a command and control server.
● Each machine is a "bot" that can be used to send spam, spread more malware, or carry out attacks like Distributed Denial of Service (DDoS).
● Criminals purchase services from the botnet operator, often on the dark web.
● Each bot phones home to the Command and Control (C&C) server.
Cryptominers
● These are types of malware that hijack system resources to mine
cryptocurrencies without the user's consent.
Scareware
● Malware designed to frighten an infected user into buying something.
Spam-sending malware
● Malware that infects a user’s machine and then uses that machine to send
spam.
Multi-Stage Malware
Downloaders
● Downloaders are small programs or scripts designed to download additional malicious files.
Droppers
● Droppers are somewhat similar to downloaders but generally contain one or more pieces of
malware embedded within them.
● Upon execution, the dropper installs the embedded malware onto the target system.
Launcher
All serve as delivery mechanisms for other malware. They are generally the first step in a multi-stage
infection process, enabling more significant forms of malware to compromise a system.
Downloader Example
    #include <windows.h>
    #include <wininet.h>
    #include <stdio.h>
    // Link with wininet.lib

    int main(void) {
        HINTERNET hInternet, hConnect;
        char buffer[4096];
        DWORD bytesRead;
        FILE *fp;

        // Initialize WinINet
        hInternet = InternetOpen("Web Agent", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
        if (hInternet == NULL) {
            fprintf(stderr, "InternetOpen failed\n");
            return 1;
        }

        // Connect to the website
        hConnect = InternetOpenUrl(hInternet, "http://example.com/file.txt", NULL, 0,
                                   INTERNET_FLAG_RELOAD, 0);
        if (hConnect == NULL) {
            fprintf(stderr, "InternetOpenUrl failed\n");
            InternetCloseHandle(hInternet);
            return 1;
        }

        // Open the local output file (the output file name is assumed; it is not shown on the slide)
        fp = fopen("file.txt", "wb");
        if (fp == NULL) {
            fprintf(stderr, "fopen failed\n");
            InternetCloseHandle(hConnect);
            InternetCloseHandle(hInternet);
            return 1;
        }

        // Read the data from the internet and write to the file
        while (InternetReadFile(hConnect, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
            fwrite(buffer, bytesRead, 1, fp);
        }

        // Close handles and file
        fclose(fp);
        InternetCloseHandle(hConnect);
        InternetCloseHandle(hInternet);
        printf("Download completed\n");
        return 0;
    }
Script files
● Shell scripts, PowerShell scripts (.ps1), Python files (.py), etc.
Most malware files are either PE/ELF executables or script files.
file <File>
The file command reads the files specified by the File parameter, performs a series of tests on each file, and attempts to classify it.
Step 2 - Antivirus Scanning / Online Tools
● Run a sample file through multiple antivirus programs.
● Websites such as VirusTotal (http://www.virustotal.com/) allow you to upload a file for scanning by multiple antivirus engines.
Issues
● They rely mainly on a database of identifiable pieces of known suspicious code (file signatures), as well as behavioral and pattern-matching analysis (heuristics) to identify suspect files.
● Malware writers can easily modify their code, thereby changing their program’s signature
and evading virus scanners.
● New malware often goes undetected by antivirus software because it's simply not in the database.
● Finally, heuristics, while often successful in identifying unknown malicious code, can be bypassed by new and unique malware.
Step 3 - Create a Hash
● Create a hash to uniquely identify a malware sample
● Run through a hashing program that produces a unique hash that identifies that malware (a sort
of fingerprint).
● Can use the freely available md5deep program to calculate the hash:
○ md5deep64.exe <somefile>
Once you have a unique hash for a piece of malware, you can use it as follows:
● Use the hash as a label.
● Share that hash with other analysts to help them to identify malware.
● Search for that hash online to see if the file has already been identified.
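As an added example (not from the lecture), the following Python script combines Step 1, classifying a file by its magic bytes the way `file` does, with Step 3, hashing it the way md5deep does. The sample blobs are constructed in the script and are not real malware.

```python
import hashlib
import struct

# Constructed sample inputs (not real malware): a minimal PE header, an ELF64
# header prefix, a PowerShell script, and a bare MZ stub that is not a valid PE.
SAMPLES = {
    "sample.exe": b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20,
    "sample.elf": b"\x7fELF\x02\x01\x01" + b"\0" * 57,
    "sample.ps1": b"#!/usr/bin/env pwsh\nWrite-Host 'hello'\n",
    "stub.bin":   b"MZ" + b"\0" * 62,
}


def classify(data: bytes) -> str:
    """Rough equivalent of `file`: classify by magic bytes (Step 1)."""
    if data.startswith(b"MZ"):
        # In a real PE, e_lfanew at offset 0x3c points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE executable"
        return "MZ header without PE signature (DOS stub only)"
    if data.startswith(b"\x7fELF") and len(data) > 4:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
        return f"ELF {bits} executable"
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip()
        return f"script ({interp})"
    return "data"


def fingerprint(data: bytes) -> dict:
    """Step 3: hashes that serve as the sample's label when shared or searched online."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(samples: dict) -> dict:
    """Type plus hashes for every sample, keyed by file name."""
    return {name: {"type": classify(blob), **fingerprint(blob)}
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print(f"{name:12} {info['type']:48} md5={info['md5']}")
```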
Step 4 - String analysis
● A string in a program is a sequence of characters such as “the.” A program contains
strings if it prints a message, connects to a URL, or copies a file to a specific location.
● Both ASCII and Unicode formats store characters in sequences that end with a NULL
terminator to indicate that the string is complete. ASCII strings use 1 byte per
character, and Unicode uses 2 bytes per character.
The string BAD stored as ASCII is the bytes 0x42, 0x41, 0x44 and 0x00. Stored as Unicode it is the bytes 0x42, 0x00, 0x41, 0x00, 0x44, 0x00, and the NULL terminator is two 0x00 bytes in a row.
● Searching through the strings can be a simple way to get hints about the functionality
of a program.
Strings
Finding Strings with strings
● Searching through the strings in a suspect file can be a simple way to get
hints about the functionality of a program.
● For this we can use the strings program.
● strings searches an executable for ASCII and Unicode strings; it ignores context and formatting, so it can analyse any file type and detect strings across an entire file.
● strings looks for a sequence of three or more ASCII or Unicode characters followed by a string termination character.
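Added example, not code from the lecture: a Python implementation of the rule the slide describes, finding runs of three or more printable characters followed by a terminator in both ASCII and Unicode (UTF-16LE) form. The byte blob it scans is constructed here and contains the "BAD" example from the slide in both encodings.

```python
import re

# Constructed sample blob (not a real binary): "BAD" stored as ASCII and as
# UTF-16LE (Unicode), each NUL-terminated, plus a two-character run ("Hi") that
# is too short to report, a URL-like ASCII string and a Unicode DLL name.
SAMPLE = (b"\x00\x01\x02BAD\x00"                     # ASCII "BAD" at offset 3
          b"\xff\xfeB\x00A\x00D\x00\x00\x00"          # Unicode "BAD" at offset 9
          b"\x90\x90Hi\x00\x90"                       # too short to count
          b"http://example.com/c2\x00\x90"            # ASCII at offset 23
          b"k\x00e\x00r\x00n\x00e\x00l\x003\x002\x00.\x00d\x00l\x00l\x00\x00\x00")


def find_strings(data: bytes, min_len: int = 3) -> list:
    """Return (offset, encoding, text) for each ASCII and Unicode string in data."""
    # ASCII: min_len or more printable bytes (0x20-0x7e or tab) then a single NUL.
    ascii_re = re.compile(rb"([\x20-\x7e\t]{%d,})\x00" % min_len)
    # Unicode: each printable character is one ASCII byte followed by 0x00, and
    # the terminator is two 0x00 bytes in a row.
    unicode_re = re.compile(rb"((?:[\x20-\x7e\t]\x00){%d,})\x00\x00" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group(1).decode("ascii")))
    for m in unicode_re.finditer(data):
        found.append((m.start(), "unicode", m.group(1).decode("utf-16-le")))
    return sorted(found)  # ordered by file offset


if __name__ == "__main__":
    for offset, encoding, text in find_strings(SAMPLE):
        print(f"{offset:#06x} {encoding:8} {text}")
```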
Step 5 Check if Packed Malware and Unpack
● Packing or obfuscation can be used to make it more difficult to detect or analyse malware.
● Obfuscated programs are ones whose execution the malware author has
attempted to hide.
● Packed programs are a subset of obfuscated programs in which the malicious
program is compressed and cannot be analyzed.
● Legitimate programs almost always include many strings. Malware that is
packed or obfuscated contains very few strings.
Packed Malware
● When the packed program is run, a small wrapper program also runs to
decompress the packed file and then run the unpacked file.
● When a packed program is analyzed statically, only the small wrapper
program can be dissected.
Detecting Packers with PEiD
● You can use PEiD to detect the type of packer or compiler employed to build an application,
which makes analyzing the packed file much easier.
● Here PEiD has identified the file as being packed with UPX version 0.89.6-1.02 or 1.05-
2.90
● When a program is packed, you must unpack it in order to be able to perform any analysis.
Unpacking UPX
● UPX is a popular packer; files can be packed or unpacked via the command line too:
○ upx <some file>
○ upx -d <somefile>
Sometimes unpacking is a dead end
● An unknown or custom packer may have been used to evade reverse engineering or detection by firewalls/anti-virus, etc.
[Figure: PEiD screenshot showing a file packed with an obscure packer]
Step 6 File analysis - Portable Executable File Format (Windows)
The Portable Executable (PE) file format is used by Windows executables and
DLLs.
● Essentially a data structure for Windows OS loader to manage and run the
executable code.
● PE files begin with a header that includes information about the code, the type of application, required library functions, and space requirements.
● The information in the PE header is of great value to the malware analyst.
Parts of interest for malware analysis
● Imports: functions from other libraries that are used by the malware.
● Exports: functions in the malware that are meant to be called by other programs or libraries (i.e., a DLL).
● Sections: names of sections in the file and their sizes on disk and in memory.
● Resources: strings, icons, menus, and other information included in the file.
.text The .text section contains the instructions that the CPU executes. All other sections store data and supporting information.
.rdata The .rdata section typically contains the import and export information.
.data The .data section contains the program's global data (variables and strings), which is accessible from anywhere in the program.
.rsrc The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings.
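Added example, not the lecture's code: a Python script that walks the PE header described above (e_lfanew, the COFF file header with its timestamp, then the section table) and applies the packing hints from Step 5 to it (packer section names such as UPX0/UPX1, sections that are empty on disk but large in memory, and sections that are both writable and executable). The two PE images it inspects are constructed inside the script from headers only; they are not real binaries.

```python
import struct
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: 40 bytes per section
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER: 20 bytes after "PE\0\0"
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

def build_pe(sections, timestamp=1700000000):
    """Constructed minimal PE (headers only, not a real binary) with a timestamp and section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222       # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                                 rawsize, 0x400 * (i + 1), 0, 0, 0, 0, flags)
                     for i, (name, vsize, rawsize, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + optional + table

def parse_pe(data):
    """Pull out what PE View shows: the compile timestamp and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe + 4)
    table = pe + 24 + opt_size                              # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _va, rawsize, *_, flags = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "flags": flags})
    return {"compile_time": datetime.fromtimestamp(ts, timezone.utc), "sections": sections}

def packing_indicators(info):
    """Packing hints: packer section names, sections empty on disk but large in memory, W+X sections."""
    hints = []
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: UPX packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hints.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} in memory")
        if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE:
            hints.append(f"{s['name']}: writable and executable")
    return hints

# Constructed samples: a normal three-section layout and a UPX-style packed layout.
NORMAL = build_pe([(b".text", 0x2000, 0x2000, 0x60000020), (b".rdata", 0x800, 0x800, 0x40000040),
                   (b".data", 0x400, 0x200, 0xC0000040)])
PACKED = build_pe([(b"UPX0", 0x9000, 0, 0xE0000080), (b"UPX1", 0x3000, 0x2E00, 0xE0000040),
                   (b".rsrc", 0x400, 0x400, 0xC0000040)])
```

Running `packing_indicators(parse_pe(PACKED))` reports the UPX section names, the empty-on-disk UPX0 section and the two writable-and-executable sections, while the normal layout yields no hints.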
Inspecting files with PE View (or PEiD)
[Figure: PE View screenshot showing the file's creation time]
[Figure: PE View screenshot showing the list of imported functions]