Executive Summary
This assignment begins with an introduction and a description of malware and its various types, including viruses, Trojans, worms, spyware, backdoors and rootkits, all of which can disastrously affect the Microsoft Windows operating system. The role of malware analysis, its steps and its methodology are described. The five-stage cyber attack cycle is analysed and discussed with regard to malicious software. A virtual scenario has been prepared and is provided with screenshots.
Contents
Subject
Introduction
Malware
  Symptoms of infected system
  Classifications of Malware
    Worm
    Virus
    Trojan Horse
    Back Door
    Spyware
    Rootkit
    Hack tool
  Infection Vectors
    Chinese hackers hijack US government website to spread malware
Malware Analysis
  Static (Code) analysis
  Dynamic (Behavioral) Analysis
Methodology of Malware analysis
Cyber attacks
  Preparation
  Research
  Infiltration
  Discovery
  Capture
  Exfiltration
  Forensics
Defence to mitigate the threat
Introduction
People commonly call anything that damages their computer a "virus", without knowing what the term really means or what such a program does. This assignment deliberately gives an introduction to the different kinds of threats that fall under the broad umbrella called malware.
The Internet has become a powerful means of sharing information and, in addition, of doing business. The growing reliance on the Internet, however, also makes it an obvious target for criminals who spread computer viruses and other kinds of malicious software (malware).
Malware has reached the point where it can not only penetrate, control and destroy information systems but can also reside on them indefinitely, taking complete control without the user getting the slightest hint.
No AV product on the market can claim to catch every kind of malware. Moreover, the abundance of vulnerabilities in operating systems, browsers and other applications further gives malware authors the advantage. Under such circumstances, even when an ordinary computer user deploys the best antivirus/firewall software and follows basic safe-computing practices.
Therefore, changes must be made in numerous areas, and international cooperation could be of great benefit in areas such as proactive prevention (education, guidelines and standards, research and development); an improved legal framework; stronger law enforcement; improved technology-industry practices; and better alignment of economic incentives with societal benefits.
Malware
Malware, or malicious software, is designed to infiltrate and damage computers without the user's consent. It covers different types of threats to computer safety such as viruses, spyware, worms, Trojans, rootkits etc.
Dr. Cohen provided a definition of computer viruses in 1984: a virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself. This definition is based on the program's behaviour.
Malware is short for malicious software: software specially designed to harm the user's computer and data in different ways. Malware has evolved along with technology and has taken advantage of new developments. Malware comprises programming such as scripts, code, other software and active content designed to disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, and perform other abusive behaviour.
Symptoms of infected system
Overall, a system affected by malicious software will show unexpected behaviour.
Classifications of Malware
Worm
Worms are self-replicating, stand-alone malware. They do not modify other files in order to spread; instead they make copies of themselves over network shares or onto other systems. Worms are classified according to the spreading mechanism they use, such as email, IRC and P2P.
Virus
The virus was the first category of malicious software to appear on the horizon of computer security. Viruses are self-replicating in nature and are referred to as parasitic infectors: they insert code into existing files on the system. They can also be executable scripts in different programming languages such as JS and Perl.
Trojan Horse
A Trojan is disguised as useful software and tempts the user into installing it, but it is bundled with hidden malicious functionality. Trojans do not spread by themselves in the way that worms or viruses do.
Back Door
A back door allows unauthorized access to the compromised system by opening a port on the victim's system. It creates a pathway for the attacker to control the system by sending commands of their choice. NetBus, SubSeven and Back Orifice are examples of back doors that enable unauthorised people to access the user's system over the Internet without the user's knowledge.
Spyware
Spyware is software that collects confidential information from the user's system without the user's consent or knowledge. This includes monitoring the user's system to gather confidential information such as browsing habits, the most recently visited sites, passwords and other confidential data such as credit card details. Once spyware is installed on the system, it gives no visible notification that it is monitoring the user's activities. The software sends the information to a configured remote server.
Rootkit
A rootkit is software that uses stealth techniques to hide its presence by concealing its components, such as registry keys, files and running processes. These techniques hide its behaviour from the user and evade detection by security applications.
Hack tool
A hacker uses this kind of tool to attack and exploit the user's system in order to obtain unauthorized access to it. By bypassing the system's security mechanisms, the hacker gains information about the system. Sometimes such tools are also used by network professionals or administrators. Hackers use them to steal data, to gain unauthorised access and to transmit data over networks.
Infection Vectors
An infection vector is the spreading mechanism used by malicious software. The Microsoft Windows operating system is used more than any other operating system, so malware authors target it first. Malware appears in different kinds of executable files, VBScript, JavaScript, Microsoft Office files and PDF files. More than eighty percent of the malware samples received by security vendors are Windows executables.
Chinese hackers hijack US government website to spread malware
... be used by the hacker to enhance the effectiveness of anticipated attacks on the infected machines' systems.
AlienVault attributed the attack to China, adding further fuel to the war of words going on between it and the US. The two nations have accused each other of mounting attacks on their systems for many years. This reached new heights earlier in the year when the security firm Mandiant reported linking an advanced cyber campaign targeting the US government to a Chinese military unit. More recently, Verizon claimed in its Data Breach Investigations Report 2013 that Chinese hackers are responsible for 96 percent of the world's active cyber espionage campaigns. China has consistently denied all the allegations, saying that cyber attacks are an issue that all governments face.
Malware Analysis
The purpose of malware analysis is to study a program's behaviour and check whether it contains malicious functionality or exhibits malicious behaviour. Malware analysis is performed on systems separated from the production environment, on a network isolated from the public network. Virtualisation software such as VirtualBox and VMware provides the means to create such an environment.
Static (Code) analysis
Code analysis is the actual viewing of the code and walking through it to gain an understanding of the malware and what it does. With static analysis the program is studied without executing it. Under this analysis, suspicious strings can be found relating to file paths, URLs, registry keys and any messages intended for the user that the program uses.
Samples are obfuscated to make static analysis harder. If the sample is packed, it needs to be unpacked before diving into code analysis.
Dynamic (Behavioral) Analysis
Behavioural or dynamic analysis is the study of how the malware behaves when executed: who it talks to, what gets installed, and how it runs. With dynamic analysis the program is studied as it executes. Changes made to the file system, processes, the registry, network communication etc. need to be monitored. System-internals tools such as Process Explorer, TCPView and Wireshark are useful for observing the run-time behaviour of the program. When no safe environment is available in which to execute suspicious samples, the user can submit the sample to an automated malware analysis service, which produces a report based on file system modifications, network communications, registry modifications etc.
Methodology of Malware analysis
Having covered the basics of malware analysis, for example recognising key terms, the objectives of analysis and the analysis types, it is essential to recognise the different tools that can be used to perform malware analysis. This is not an exhaustive list of tools that one must use, only the ones that the author has used.
After obtaining the malware, assemble the malware lab where the examination will be performed. This malware lab consists of four virtual systems using VMware Server as the virtualisation software. First, create the virtual machines (VMs). Next, install the required operating system on each virtual machine. The lab consists of one Windows XP virtual machine, one Windows 2003 Standard Server virtual machine and one Linux VM.
After building the lab, copy the needed tools to the different machines. Once the tools are copied, install them if needed. On finishing the installation of the tools, take MD5 hashes of all the tools that will be used as part of the malware analysis.
Next, a baseline of the system is taken before running the malware. Various tools are used for the baseline. After execution of the malware, the same tools are run again and used to compare the infected system against the baseline. Finally, snapshot the virtual machine and make sure that host networking is selected.
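The baseline-and-compare step above (MD5 hashes of the tools, a snapshot before running the sample, the same tools run again afterwards) can be scripted. The following Python is an added example written for this page, not code from the assignment or from VMware. It assumes a directory tree standing in for the analysis VM's file system, builds the inventory in a temporary directory with constructed files, and reports what a simulated sample added, removed or modified, plus which recorded tool hashes no longer match.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_file(path: Path, chunk_size: int = 65536) -> str:
    """MD5 of one file, read in chunks so large files never sit fully in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Inventory every file below root: POSIX-style relative path -> MD5."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            inventory[full.relative_to(root).as_posix()] = md5_file(full)
    return inventory


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare the clean baseline with the post-execution snapshot."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def verify_tools(recorded: dict, root: Path) -> list:
    """Re-hash the analysis tools and return the paths whose MD5 changed."""
    current = snapshot(root)
    return sorted(p for p, h in recorded.items() if current.get(p) != h)


def demo() -> dict:
    """Constructed scenario in a temporary directory (not a real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "program.exe").write_bytes(b"MZ original program")
        (root / "tools").mkdir()
        (root / "tools" / "strings.exe").write_bytes(b"MZ analysis tool")

        baseline = snapshot(root)                 # taken before the sample runs
        tool_hashes = snapshot(root / "tools")    # MD5 of every tool, as the text advises

        # Simulated effects of running a sample: a hosts entry appended,
        # a file dropped, a file deleted, and one analysis tool replaced.
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 intranet.example\n")
        (root / "dropped.dll").write_bytes(b"MZ dropped component")
        (root / "program.exe").unlink()
        (root / "tools" / "strings.exe").write_bytes(b"MZ replaced tool")

        result = diff_snapshots(baseline, snapshot(root))
        result["tampered_tools"] = verify_tools(tool_hashes, root / "tools")
        return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The tool-hash check matters because a sample that tampers with the analyst's own utilities would otherwise go unnoticed; in practice the recorded hashes are kept outside the VM, and the snapshot is taken from a known-clean VM snapshot rather than from the running guest.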
The first step of the malware analysis is to run the organisation's anti-virus (AV) software against the malware. It is also wise to run AV software from several sources. The author runs AV software from three separate sources: the AV application the author manages at work, the AV application the author runs on the systems at home, and a third AV application that the author changes from time to time. Test whether the AV software detects the malware, making notes of which AV applications detect it and what they identify the malware as.
After the malware is scanned with the AV software, open it in a hex editor to see what sort of file it may be. While analysing the file with the hex editor, try to confirm whether the malware is using a packer application such as UPX.
Some packers, for example UPX, allow the file to be decompressed. If the malware is packed with one of these packers, try to unpack it. By unpacking or decompressing the malware, other tools can be run against it. Before attempting to decompress the malware, make a copy of it: the malware may not work if the repacking is carried out wrongly.
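The hex-editor check for a packer such as UPX can be made systematic by reading the PE section table: packed files usually carry packer-specific section names and sections whose bytes have near-maximal entropy. The Python below is an added example, not code from the page or from the UPX project. The minimal PE image it builds for testing is constructed (it has no optional header, which real files always have), and the packer section-name list and the 7.0 bits-per-byte entropy threshold are assumptions made for this example.

```python
import math
import random
import struct

# Section names commonly left behind by packers (assumed list for this example).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".themida", ".vmp0", ".vmp1", "MPRESS1", "MPRESS2"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant data, 8.0 for uniform noise."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 2),
        })
    return sections


def packer_triage(pe: bytes) -> dict:
    """Flag a file as probably packed on section names or section entropy."""
    sections = parse_sections(pe)
    reasons = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section name {s['name']} belongs to a known packer")
        if s["raw_size"] and s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append(f"section {s['name']} has entropy {s['entropy']}")
    return {"sections": sections, "likely_packed": bool(reasons), "reasons": reasons}


def build_pe(sections) -> bytes:
    """Construct a minimal PE image (no optional header) for offline testing only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    offset = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data starts after the headers
    table, bodies = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), offset, 0, 0, 0, 0, 0x60000020)
        bodies += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + bodies


def demo_packed() -> dict:
    """Constructed UPX-style layout: empty UPX0, high-entropy UPX1, small .rsrc."""
    rng = random.Random(7)  # deterministic stand-in for compressed code
    compressed = bytes(rng.getrandbits(8) for _ in range(4096))
    return packer_triage(build_pe([("UPX0", b""), ("UPX1", compressed), (".rsrc", b"\0" * 64)]))


def demo_plain() -> dict:
    """Constructed unpacked layout: ordinary low-entropy text and data sections."""
    text = b"This program cannot be run in DOS mode.\r\n" * 50
    return packer_triage(build_pe([(".text", text), (".data", b"Hello, world\0" * 40)]))
```

Entropy alone is only a hint: a legitimate binary with a large embedded compressed resource also scores high, and a packer can rename its sections, so the analyst still confirms by attempting the unpack on a copy, as the text advises.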
One of the most useful tools is Strings. Strings is an application that searches a file for ASCII strings, Unicode strings, or both. The strings search can give information such as ports, protocols, IP addresses, files and other details about the malware. By looking over the data produced by running Strings, more insight into the inner workings of the malware can be gained.
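The Strings step described here, and the string hunting mentioned in the static analysis section earlier, amount to extracting ASCII and Unicode runs and then picking out URLs, IP addresses, file paths, registry keys and imported DLL names from them. The Python below is an added example, not the Strings tool or any code from the page: it reimplements the extraction for ASCII and UTF-16LE runs and classifies the hits with regular expressions. The sample bytes, host name, path and IP address are constructed for the demonstration.

```python
import re

# Indicator patterns a triage analyst typically greps for (assumed set for this example).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry_key": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE)\\[^\s\"']+", re.I),
    "windows_path": re.compile(r"\b[A-Za-z]:\\[^\s\"']+"),
    "dll": re.compile(r"\b[\w.-]+\.dll\b", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return [s for _, s in sorted(found)]


def classify_strings(strings) -> dict:
    """Bucket extracted strings by indicator type; each bucket is a sorted, de-duplicated list."""
    hits = {name: set() for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            hits[name].update(pattern.findall(s))
    return {name: sorted(values) for name, values in hits.items()}


def demo() -> dict:
    """Constructed byte blob mimicking fragments of a Windows executable."""
    sample = (
        b"MZ\x90\x00\x03\x00\x00\x00"                     # DOS stub start, too short to be a string
        + b"kernel32.dll\x00GetProcAddress\x00"           # import table fragments
        + b"http://update.example.test/check\x00"         # constructed URL
        + rb"C:\Users\Public\svc.exe" + b"\x00\x00"        # constructed drop path
        + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")  # UTF-16 run key
        + b"\x00\x00"
        + b"10.0.0.25\x00"                                # constructed IP address
    )
    return classify_strings(extract_strings(sample))


if __name__ == "__main__":
    for kind, values in demo().items():
        print(f"{kind}: {values}")
```

Real samples pad this with thousands of irrelevant runs, so the classified buckets, not the raw list, are what go into the analyst's notes; strings that only appear after unpacking are the reason the packer step comes first.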
After finishing the search for strings, it is time to disassemble the malware. The results of disassembly differ from malware to malware. For the purpose of this assignment, the disassembled code is reviewed with a focus on the calls the malware makes to different DLLs, as well as on the system changes the malware makes.
While analysing system traffic, observe how the malware functions. Make notes on what the traffic looks like; these will be used to help write access lists and IDS rules. In this case, if a back door is installed by the malware, a server is set up so that it can download the back door. By allowing it to download the back door, the system can be connected to the back door to see what the malware author sees.
Cyber attacks
Online security is no longer simply a matter of patching the significant software and keeping the antivirus solution up to date. To provide an effective IT security solution and secure the data, it is necessary to take account of malicious cyber attacks.
The recently released Websense 2012 Threat Report makes sobering reading for those concerned about the security of their data, particularly confidential business data.
Some of its findings are given below.
There are three important basic phases in the cyber attack cycle:
I. Preparation
II. Attack Launch
III. Forensics
Preparation
Preparation is the process of probing for information: without arms, wars cannot be fought, and weapons are not built in a short time or overnight. In order to enter the war, the weapons must be ready to be deployed. Preparation plays a major role in cyber attacks, since hostile acts occur in minutes or seconds. In addition to training the personnel who produce the cyber weapons, the preparation stage contains a broad range of information-gathering techniques. Thus preparation consists of research, reconnaissance and vulnerability enumeration. This phase never reaches a conclusion: research is ongoing and produces new tools, exploits and vulnerabilities; reconnaissance must continually find new targets while removing stale ones; and vulnerability enumeration must keep track of old and new targets while testing the most recent vulnerabilities.
Research
A cyber attack does not require the basic investment that physical arms do. Nevertheless, it needs quite remarkably trained personnel to develop and improve digital weapons. The process of training to the required skill levels involves substantial exercises before any attempt at breaking software. In addition, once the personnel have picked up the fundamental skills, they need the opportunity to uncover vulnerabilities and transform them into usable weapons.
The bug finder's skills tend towards understanding how the application or system is built and where it frequently fails under unusual usage patterns, together with the ability to reverse-engineer proprietary protocols quickly. Skilled bug finders are adept at automating the process. The bug finder's task is to find the input that makes memory corruption happen, after which the test cases are handed to the exploit writer. Vulnerabilities are discovered at all layers and in all phases of development. The exploit writer has special knowledge of the inner workings of the operating system on which the application runs, and ensures that the exploit runs without crashing across a wide range of possible variants.
The two processes combined, uncovering the bugs and writing an exploit for them, can take months, and not all vulnerabilities require this level of effort. Essentially, cyber weapons are not just exploits: configuration and operational failures are common, and deeper issues in protocols and algorithms also exist.
Infiltration
Infiltration is the stage in which we gain the access we need to achieve our objective. This may involve numerous steps, as it did in this illustration, in which we initially gained access to the "next host" and then used that access to get into the target host.
The objective of this phase is to gain control of a host on the target's network. This is normally done by gaining remote access to a shell or terminal as the administrator on that host.
Knowing about a weakness is not sufficient to infiltrate the target; the attacker must find a way to exploit that weakness. This does not necessarily require advanced learning and skill in computer programming, although having it can substantially improve the likelihood of success. Anybody can guess weak passwords to gain access, whereas developing a custom-made program to exploit poorly written code requires advanced programming knowledge and skill. In any case, not everybody needs to develop exploits in order to use them. For example, not everyone has the knowledge and skill to build a car, but that knowledge is not needed to acquire a driving licence. The same applies to cyber exploits: as long as somebody has the knowledge and ability to create exploit programs, others can use them with little or no understanding of how they function.
There are numerous automated tools for the exploitation of known computer weaknesses freely available on the Internet. The most prominent exploitation program available is called Metasploit.
Once the network is infiltrated, the malicious code establishes a connection between the malware installed on the compromised system and the command and control server. This channel provides a mechanism to relay orders, retrieve status, and deliver updates to the malware that has been installed.
Install and establish utilities and gather the data needed to carry out the tasks.
Most of the actions occurring within these phases of the attack happen with negligible, if any, communication outside the company's own network, so any perimeter defence in place is totally useless in discovering this sort of activity. The attacker may penetrate the targeted network and spend weeks, months or even the course of a year in the network before the malware is activated to carry out its mission. For example, to steal or exfiltrate information from the organisation or nation, the malware might begin moving information to a significant system where the data is stored, obfuscated or encrypted, and then sent over the perimeter to an outside server controlled by the attacker; doing it this way makes it extremely hard for Data Loss Prevention devices to detect the exfiltration.
Even after completing the initial mission, malware may persist in the network and stay in contact with the attacker who controls the C2 server, at irregular intervals, for further updates or a new mission. While the malware is quiet with respect to the C2 server, it may also still attempt to spread to other systems.
The capacity of an APT to infect and operate inside a targeted organisation's network with such stealth is what makes it so unsafe and dangerous in today's world.
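Both the lab procedure earlier (noting what the traffic looks like in order to write IDS rules) and the C2 behaviour described in this section (check-ins to a server the attacker controls) point to one concrete detection a defender can run: flows from an internal host to an external address whose inter-connection intervals are nearly constant. The Python below is an added example, not code from the page or from any IDS product. It parses a constructed firewall-style log, groups connections per (source, destination, port) and flags flows whose interval jitter is low. The internal range 10.0.0.0/8, the log line format, the minimum connection count and the jitter threshold are assumptions made for this example.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range for this example
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed log lines: 10.0.0.12 polls 203.0.113.7 roughly every 60 seconds,
# while 10.0.0.40 browses 198.51.100.9 at irregular intervals.
SAMPLE_LOG = """\
2013-05-21T10:00:00 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=512
2013-05-21T10:00:05 src=10.0.0.40 dst=198.51.100.9 dport=80 bytes=20480
2013-05-21T10:00:10 src=10.0.0.40 dst=198.51.100.9 dport=80 bytes=9000
2013-05-21T10:01:01 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=517
2013-05-21T10:01:59 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=509
2013-05-21T10:02:10 src=10.0.0.40 dst=198.51.100.9 dport=80 bytes=3100
2013-05-21T10:02:23 src=10.0.0.40 dst=198.51.100.9 dport=80 bytes=150000
2013-05-21T10:03:02 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=515
2013-05-21T10:03:30 src=10.0.0.12 dst=10.0.0.5 dport=445 bytes=4096
2013-05-21T10:04:00 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=511
2013-05-21T10:05:01 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=514
2013-05-21T10:09:03 src=10.0.0.40 dst=198.51.100.9 dport=80 bytes=700
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def beacon_candidates(text: str, min_connections: int = 5, max_jitter: float = 0.2) -> dict:
    """Flows to external hosts whose inter-connection intervals are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a scripted check-in scores far lower than a person browsing.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # internal traffic is out of scope for this check
        flows[(src, dst, dport)].append(ts)

    flagged = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            flagged[key] = {"connections": len(stamps),
                            "period_s": round(mean, 1),
                            "jitter": round(jitter, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst, dport), info in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{info['period_s']}s "
              f"({info['connections']} connections, jitter {info['jitter']})")
```

A flagged flow is a lead, not a verdict: software update checks and monitoring agents also poll on fixed timers, so the analyst pairs this with the destination's reputation and with the process that owns the socket on the host (the TCPView step from the dynamic analysis section). Malware that randomises its check-in interval, as the text notes some does, pushes the jitter above the threshold and needs other indicators.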
Discovery
At this stage, infected hosts download extra components with the capability to discover target information on the infected hosts, on mapped network drives and in other network areas. Key targets may include Active Directory (AD) and authentication/PKI servers, in order to create accounts and gain access privileges to confidential data inside the network. Observing data in use once a user accesses it with their credentials is another discovery strategy, as is breaking into systems where the users have administrative rights. The attacker may try to gain more control by finding additional hosts within the target network and using network or other system-level vulnerabilities to infect those hosts. Very often the tools used to gain more control are standard system tools, for example gsecdump (to crack passwords) and Cain & Abel.
Capture
The process of controlling the targeted assets while still inside the network.
Exfiltration
The process of removing assets from the network.
Forensics
The coherent application of investigatory methods to recover evidence of crime, involving the preservation, identification, extraction, documentation and interpretation of media for root-cause analysis or evidentiary analysis.
At this phase the
That reaches beyond the initial intrusion, to look for indicators across all stages.
organisation network. Although malware that already resides within the system cannot be stopped at the perimeter, and will not be stopped while it resides within the network, it will communicate over that network. This advanced malware has grown even more dependent on the internal network for propagation, control and payload functionality.
By building new, innovative technology that works beyond individual malware samples and concentrates on the malicious activity that maps to the phases of the attack, and by analysing malicious traffic and its potential, the host generating the malicious activity can be identified.
http://www.dynamicbusiness.com.au/technology/beware-six-stages-of-maliciouscyber-crime-attacks-21052012.html