
Executive Summary

This assignment begins with an introduction and a description of malware and
its various types, including viruses, Trojans, worms, spyware, backdoors and
rootkits, all of which can disastrously impact the Microsoft Windows operating
system. The role of malware analysis, its steps and its methodology are
described. The five-stage cyber attack cycle is analyzed and discussed with
regard to malicious software. A virtual scenario has been prepared and is
provided with screenshots.

Contents

Introduction
Malware
  Symptoms of infected system
  Classifications of Malware
    Worm
    Virus
    Trojan Horse
    Back Door
    Spyware
    Rootkit
    Hack tool
  Infection Vectors
  Chinese hackers hijack US government website to spread malware
Malware Analysis
  Static (Code) analysis
  Dynamic (Behavioral) Analysis
Methodology of Malware analysis
Cyber attacks
  Preparation
  Research
  Infiltration
  Discovery
  Capture
  Exfiltration
  Forensics
Defence to mitigate the threat

Introduction
People tend to call anything that corrupts their system a "virus", without
being aware of what the term really means or what such a program does. This
assignment deliberately gives an introduction to the different varieties of
threats that come under the wide umbrella called malware.
The Internet has become a powerful means for information sharing as well as
for commerce. The growing reliance on the Internet, however, also makes it an
obvious target for miscreants who spread computer viruses and other sorts of
malicious software (malware).
The ability of malware has reached a level where it can enter, control and
destroy information systems, and can even reside on them indefinitely, gaining
complete control without the user getting the slightest hint.
No AV product on the market can claim to catch every kind of malware. Moreover,
abundant vulnerabilities in operating systems, browsers and other applications
put malware authors further at an advantage. Under such circumstances, even
when an ordinary computer user deploys the best antivirus/firewall software and
follows essential safe computing practices.
Therefore, changes must be made in numerous areas, and international
cooperation could help greatly in areas such as: proactive prevention
(education, guidelines and standards, research and development); an improved
legal framework; stronger law enforcement; improved technology industry
practices; and better alignment of economic incentives with societal benefits.

Malware
Malware is malicious software designed to infiltrate and damage computers
without the user's consent. It covers different types of threats to computer
safety, such as viruses, spyware, worms, Trojans and rootkits.
Dr. Cohen provided a definition of computer viruses in 1984: a virus is a
program that is able to infect other programs by modifying them to include a
possibly evolved copy of itself. This definition is based on the program's
behaviour.
"Malware" is short for malicious software: software specially designed to harm
the user's computer or data in different ways. Malware has evolved with
technology and has taken advantage of new developments. Malware includes
scripts, code, other software and active content designed to disrupt operation,
gather information that leads to exploitation or loss of privacy, gain
unauthorized access to system resources, and perform other abusive behaviour.

Symptoms of infected system

If a system is infected with malware, these are some of the symptoms it may
show:

- New executables, unknown to the user, found on the system
- The system becomes unstable and responds slowly, as the malicious software
  may be using system resources
- System settings, such as the browser home page, altered without user consent
- Pop-ups shown as advertisements
- Alerts shown by a fake security application that was never installed,
  claiming the computer is infected and asking the user to register the program
  to remove the detected threats

Overall, the system will show unexpected behaviour under the impact of
malicious software.

Classifications of Malware

Malware is categorized based on different parameters, such as how the malware
affects the system and its functionality, its spreading mechanism, and whether
the program asks for the user's permission or consent before performing the
operations below.

A program can be identified as malware if it performs activities such as these:

- It replicates through the file system or the network without the user's
  consent
- It modifies another program's functionality
- It allows an unauthorized person to take control of a remote system
- It sends data to a system in order to deny its normal functionality
- It opens a listening port on the local machine to accept commands from a
  remote control server
- It downloads and executes programs from suspicious remote servers
- It connects to suspicious remote servers
- It records keystrokes and sends the information to remote servers
- It copies itself to multiple locations
- It injects code into another program
- It changes protected system settings
- It modifies the registry settings used for launching programs at start-up

Based on the above features, malware can be categorised as follows.

Worm
Worms are self-replicating, stand-alone malware. They do not change other files
in order to spread; instead they make copies of themselves over network shares
or onto other systems. Worms are classified based on the spreading mechanism
used, such as email, IRC or P2P.
Virus
The virus was the first category of malicious software to appear on the horizon
of computer security. Viruses are self-replicating in nature and are referred
to as parasitic infectors: they insert code into existing files on the system.
They can also be executable scripts in different programming languages such as
JS or Perl.
Trojan Horse
A Trojan is disguised as useful software and tempts the user to install it, but
it is bundled with hidden malicious functionality. Trojans do not spread
themselves in the way that worms or viruses do.

Back Door
A back door allows unauthorized access to the compromised system by opening a
port on the victim's system. It creates a pathway for the attacker to control
the system by sending commands of his choice. NetBus, SubSeven and Back Orifice
are examples of back doors that enable unauthorised people to access the user's
system over the Internet without the user's knowledge.
Spyware
Spyware is software that collects confidential information from the user's
system without the user's consent or knowledge. This includes monitoring the
user's system to gather confidential information such as browsing habits, the
most recently visited sites and their passwords, and financial details such as
credit card numbers. Once spyware is installed on the system, it gives no
visible notification that it is monitoring the user's activities. The software
sends the information to a configured remote server.

Rootkit
A rootkit is software that uses stealth techniques to hide its presence by
hiding components such as registry keys, files and running processes. These
techniques are used to hide its behaviour from the user and to evade detection
by security applications.
Hack tool
A hack tool is used by an attacker to attack and exploit the user's system in
order to obtain unauthorized access to it. By bypassing the system's security
mechanisms, the attacker gains information about the system. Sometimes such
tools are also used by network professionals or administrators. Attackers use
them to get at data, to gain unauthorised access and to transmit data over
networks.

Infection Vectors
An infection vector is the spreading mechanism used by malicious software.

- Email: email worms
- Networks: network worms
- Boot sector: infecting the master boot record of the physical disk
- Peer-to-peer networks: Kazaa, IM, etc.
- Bluetooth: worms for devices like mobile phones, iPods, etc.
- Web applications vulnerable to cross-site scripting
- Vulnerabilities: Adobe Reader, web browsers, operating systems

The Microsoft Windows operating system is used more than any other operating
system, so malware authors target it first. Malware appears as executable
files, VBScript, JavaScript, Microsoft Office files and PDF files. More than
eighty percent of the malware samples received by security vendors are Windows
executables.

Chinese hackers hijack US government website to spread malware

Most recently, a cyber attack on a US government website was used to spread
malware across the network.
The US Department of Labor's site has been compromised by Chinese hackers,
according to a report from security firm AlienVault. The company's Labs
executive, Jaime Blasco, reported uncovering the attack on Wednesday evening.
"Over the last few hours we have identified that the US Department of Labor
site has been hacked and it is serving malicious code," he said, adding that
the company is still investigating the attack, but that it is clearly intended
for reconnaissance. "All we know is the following: the attacker gained access
to the US Department of Labor site. They modified some files on the site so
that when a user visits the site, some malicious code is loaded from a
malicious server. This malicious code collects information about the victim's
system (software installed, versions, and so on)," Blasco told V3. He said the
firm had also identified a second capability in the attack code, instructing it
to target a patched vulnerability in Microsoft's Internet Explorer.
"If the vulnerability is exploited, a backdoor is installed on the system. That
backdoor communicates with a server and the attackers can then send commands to
the system, for example uploading and downloading files, executing commands,
installing new malware," he explained. The attack sends the attackers useful
information such as what security software the infected system has and which
Java and Flash versions are in use. This information could be used by the
attacker to improve the effectiveness of future attacks on the infected
machines.

AlienVault reported tracing the attack to China, adding further fuel to the war
of words going on between it and the US. The two nations have blamed each other
for mounting attacks on their systems for many years. This reached new heights
earlier in the year when security firm Mandiant reported linking an advanced
cyber campaign targeting the US government to a Chinese military unit. More
recently, Verizon claimed in its Data Breach Investigations Report 2013 that
Chinese hackers are responsible for 96 percent of the world's active
cyber-espionage campaigns. China has consistently denied all allegations,
saying cyber attacks are an issue that all governments face.

Malware Analysis
The purpose of malware analysis is to study a program's behaviour and check
whether it contains malicious functionality. Malware analysis is performed on
systems separated from the production environment, on a network isolated from
the public network. Virtualisation software such as VirtualBox and VMware
provides the means to create such an environment.

Static (Code) analysis
Code analysis is the actual viewing of the code and walking through it to gain
an understanding of the malware and what it does. With static analysis, the
program can be studied without executing it. Under this analysis, suspicious
strings can be found relating to file paths, URLs, registry keys and messages
intended for users, if any are used in the program.

Samples are often obfuscated to make static analysis harder. If the sample is
packed, it needs to be unpacked before diving into code analysis.

Dynamic (Behavioral) Analysis
Behavioural or dynamic analysis looks at how the malware behaves when executed:
who it talks to, what gets installed, and how it runs. With dynamic analysis,
the program is studied as it executes. Changes made to the file system,
processes, the registry, network communication and so on need to be monitored.
System internals tools such as Process Explorer, TCPView and Wireshark are
useful for observing the run-time behaviour of the program. Where no safe
environment is available to execute suspicious samples, the user can submit the
suspicious sample to an automated malware analysis service, which produces a
report based on file system modifications, network communications, registry
modifications, etc.
Having covered the basics of malware analysis, such as key terms, the
objectives of analysis and the analysis types, it is essential to recognize the
different tools that may be used to perform malware analysis. What follows is
not an exhaustive list of the tools that one must use, only the ones the author
has used.

Methodology of Malware analysis

While performing malware analysis, the analysis system is not attached to any
network except the malware lab network. Launching a malware outbreak on the
corporate network won't satisfy the organization's management.

After obtaining the malware, assemble the malware lab where the examination
will be performed. This malware lab comprises four virtual systems using VMware
Server as the virtualization software. First, create the virtual machines
(VMs). Next, install the required operating system on each virtual machine. The
lab consists of one Windows XP virtual machine, a Windows 2003 Standard Server
virtual machine and a Linux VM.

After building the lab, copy the needed tools to the different machines. Once
the tools are copied, install them if needed. Upon finishing the installation
of the tools, take MD5 hashes of all the tools that will be used as part of the
malware analysis.
Next, a baseline of the system is taken before running the malware. Various
tools are used for the baseline. After execution of the malware, the same tools
are run again to compare the malicious system against the baseline. Finally,
snapshot the virtual machine and make sure that host networking is selected.
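The baseline-then-compare step above, as an added example that is not part of the original assignment: a Python script that hashes every file under a directory tree before the sample is run and again afterwards, then reports what was added, removed or modified. The directory tree and the post-execution changes are constructed here so it runs offline; on a real lab VM the same two functions would be pointed at the guest's file system.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to its
    SHA-256. Run once before executing the sample (the baseline) and once after."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots.
    Unchanged files are dropped, which is what makes the report readable."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in before
                           if p in after and before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario (no real sample involved): a tiny fake Windows tree,
    then the kinds of changes a sample might make, namely dropping an executable
    in Temp, appending to the hosts file and deleting a log."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\r\n")
        _write(root, "Windows/Temp/old.log", b"boot ok\r\n")
        _write(root, "Program Files/app/app.exe", b"MZ\x90\x00")
        baseline = snapshot(root)

        # Simulated post-execution changes.
        _write(root, "Windows/Temp/svc.exe", b"MZ\x00\x00dropped")
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\r\n203.0.113.5 update.example.invalid\r\n")
        os.remove(os.path.join(root, "Windows/Temp/old.log"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":")
        for p in paths:
            print("  " + p)
```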

The first step of malware analysis is to run the organisation's antivirus (AV)
software against the malware. It is also wise to run AV software from various
sources. The author runs AV software from three separate sources: the AV
application the author manages in his employment, the AV application that the
author runs on his systems at home, and a third AV application that the author
changes from time to time. Test whether the AV software detects the malware,
making notes such as which AV applications detect it and what they identify
the malware as.

After the malware has been scanned with AV software, open the malware in a hex
editor to see what sort of file it may be. While analyzing the file with the
hex editor, try to confirm whether the malware is using a packer application
such as UPX.
Some packers, for example UPX, allow for decompression of the file. If the
malware is packed with one of these packers, try to unpack the application. By
unpacking or decompressing the malware, other tools can be run against it.
Before attempting to decompress the malware, make a copy of it: the malware may
not work if it is repacked incorrectly.

One of the most useful tools is Strings. Strings is an application that
searches for ASCII strings, Unicode strings, or both, in a file. The strings
search can give information such as ports, protocols, IP addresses, files and
other details about the malware. By looking over the data produced by running
Strings, more insight into the inner workings of the malware can be gained.

After finishing the search for strings, it is time to disassemble the malware.
The results of disassembly will differ from malware to malware. For the purpose
of this assignment, the disassembly code is reviewed with a focus on the calls
the malware makes to different DLLs and on the system changes the malware
makes.

While analyzing network traffic, observe how the malware functions. Make notes
on what the traffic looks like; these will be used to help write access lists
and IDS rules. In this case, if a back door is installed by the malware, a
server is set up so that the malware can download the back door. By permitting
it to download the back door, the analyst can connect to the back door to see
what the malware author sees.
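The hashing, packer-check and strings steps of the methodology above, as an added example that is not part of the original assignment: a small Python triage script that records the MD5/SHA-256 of a sample, checks for the section names UPX leaves behind, and extracts ASCII and UTF-16LE strings the way the Strings tool does, sorting them into URLs, IP addresses, registry keys and file paths. The byte buffer is constructed here to stand in for a sample; it is not real malware.

```python
import hashlib
import re

# Constructed stand-in for a suspicious Windows executable (not real malware):
# a fake DOS/PE header, UPX-style section names, and embedded ASCII and
# UTF-16LE strings of the kinds the text says to look for. The \xff bytes
# separate the strings so one run cannot bleed into its neighbour.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00"
    + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4
    + b"\x01\x02\x03\xff"
    + b"http://example.invalid/update.php\x00\xff"
    + b"192.0.2.10\x00\xff"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\xff"
    + "C:\\Windows\\Temp\\svc.exe".encode("utf-16-le") + b"\x00\x00\xff"
    + b"\x05\x06\x07\x08"
)


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the sample, taken before any unpacking so the
    original file can always be re-identified."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def looks_packed_with_upx(data: bytes) -> bool:
    """Heuristic packer check: UPX leaves the section names UPX0/UPX1 and often
    the marker 'UPX!' in the file. A hit means 'unpack a copy before the
    strings or disassembly results mean anything'."""
    return any(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len characters,
    returned in file order, like the Strings tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return [s for _, s in sorted(found)]


# Order matters: the first matching label wins.
CLASSIFIERS = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("registry", re.compile(r"^(?:HKEY_[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.I)),
    ("path", re.compile(r"^[A-Za-z]:\\")),
]


def classify_strings(strings: list) -> dict:
    """Bucket extracted strings into the categories an analyst reads first."""
    report = {label: [] for label, _ in CLASSIFIERS}
    report["other"] = []
    for s in strings:
        for label, rx in CLASSIFIERS:
            if rx.search(s):
                report[label].append(s)
                break
        else:
            report["other"].append(s)
    return report


def triage(data: bytes) -> dict:
    """One static pass over a sample: hashes, packer check, classified strings."""
    return {"hashes": file_hashes(data),
            "upx_packed": looks_packed_with_upx(data),
            "strings": classify_strings(extract_strings(data))}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("md5    ", result["hashes"]["md5"])
    print("sha256 ", result["hashes"]["sha256"])
    print("upx?   ", result["upx_packed"])
    for label, items in result["strings"].items():
        for s in items:
            print("%-9s %s" % (label, s))
```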

Cyber attacks
Online security is no longer just a matter of patching the significant software
and keeping the antivirus solution up to date. To provide an effective IT
security solution and secure the data, it is necessary to take malicious cyber
attacks into consideration.
A recently released study, the Websense 2012 Threat Report, makes sobering
reading for anyone concerned about the security of their data, particularly
confidential business data.
Below are some of its findings:

- Fifty-five percent of data-stealing malware communications are web based.
  The problem is that it is not just email to be worried about, but more than
  that.
- Eighty-two percent of malicious websites are hosted on compromised hosts.
- Fifty percent of malware connections lead to the U.S., making it the largest
  host of malware in the world.
- Sixty percent of malware connections are hosted in the U.S.

There are three important basic phases in the cyber attack cycle. They are:
I. Preparation
II. Attack Launch
III. Forensics

Preparation
Preparation is the process of probing for information; without arms, wars
cannot be fought. Weapons cannot be constructed in a short time or overnight:
in order to enter a war, the weapons must be ready to be deployed. Preparation
plays a major role in cyber attacks, as hostile acts occur in minutes or
seconds. In addition to training the personnel who produce the cyber weapons,
the preparation stage contains a broad range of information-gathering
techniques. Thus preparation consists of research, reconnaissance and
vulnerability enumeration. This phase never reaches a conclusion: ongoing
research produces new tools, exploits and vulnerabilities; reconnaissance must
continually find new targets while removing stale targets; and vulnerability
enumeration must keep track of old and new targets while testing for the most
recent vulnerabilities.

Research
A cyber attack does not require the capital investment that physical arms do.
Nevertheless, it requires highly trained personnel to develop and improve cyber
weapons. The process of training to the required skill levels involves
significant exercises before threats can break software. In addition, once the
personnel have picked up the fundamental skills, they require time to uncover
vulnerabilities and transform them into usable weapons.

The bug finder's skills tend towards understanding how the application or
system is built, and they frequently find failures by using unusual usage
patterns and by reverse-engineering proprietary protocols quickly. Skilled bug
finders are good at automating the process. The bug finder's task is to find
input that will make memory corruption happen, after which the test cases are
handed to the exploit writer. Vulnerabilities are discovered at all layers and
in all phases of development. The exploit writer has special knowledge of the
inner workings of the operating system on which the application runs, and
ensures that the exploit runs without crashing across a wide variety of
possible variants.

The two processes combined, uncovering the bugs and writing an exploit for
them, can take months, and not all vulnerabilities require this level of
knowledge. Essentially, cyber weapons are not just exploits: configuration and
operational failures are common, but deeper issues in protocols and algorithms
also exist.

Infiltration
Infiltration is the phase in which we gain the access we need to achieve our
objective. This may involve numerous steps, as it did in this illustration, in
which we first gained access to the "next host" and then used that access to
get into the target host.

The objective of this phase is to gain control of a host on the target's
network. This is normally done by gaining remote access to a shell or terminal
as the administrator on that host.

Knowing of a weakness is insufficient to infiltrate the target; the attacker
must find a way to exploit that weakness. This does not necessarily require
advanced knowledge and skill in computer programming; however, having it can
fundamentally improve the likelihood of success. Anybody can guess weak
passwords to gain access; however, developing a custom-made program to exploit
poorly written code requires advanced programming knowledge and skill. In any
case, not everybody needs to develop exploits in order to use them. For
example, not everyone has the knowledge and skill to build a car, but that
knowledge is not needed to acquire a driving licence. The same applies to cyber
exploits: as long as somebody has the knowledge and ability to create exploit
programs, others can use them with little or no understanding of how they work.

There are numerous automated tools for the abuse of known computer weaknesses
freely available on the Internet. The most prominent exploitation framework
available is called Metasploit.
Once the network is infiltrated, a connection is established between the
malicious code installed on the compromised system and a command and control
server. This channel provides a mechanism to relay orders, retrieve status, and
provide updates to the malware that has been installed.

These command and control connections may be short-lived and connected to a
single compromised system inside the organisation's network. The attacker then
proceeds to:

- Raise privileges and access levels on the system
- Install utilities and gather the data needed to carry out the tasks
- Perform discovery by scanning and mapping out the network
- Spread the infection by pivoting inside the network

Most of the actions occurring within these phases of the attack happen with
negligible, if any, communication outside the company's own network, so any
perimeter defence in place is useless in discovering this sort of activity.

The attacker may penetrate the targeted network and spend weeks, months or even
the course of a year in the network before the malware is activated to do its
mission. For example, to steal/exfiltrate information from an organisation or
nation, the malware might begin moving information to a staging system, where
the data is stored, obfuscated or encrypted, and then sent over the perimeter
to an outside server controlled by the attacker; in doing so it makes it
extremely hard for Data Loss Prevention devices to detect the exfiltration.

Even after completing the initial mission, the malware might persist in the
network and stay in contact with the attacker who controls the C2 server at
irregular intervals for further updates or a new mission. While the malware is
relatively quiet with the C2 server, it might also still attempt to spread to
other systems.

The capacity of an APT to infect and operate inside a targeted organisation's
network with such obscurity makes it dangerous in today's world.

Discovery

At this stage, infected hosts download extra components with the capability to
uncover target information on the infected host, on mapped network drives and
in other network areas. Key targets may include Active Directory (AD) and PKI
authentication servers, in order to build accounts and gain access privileges
to confidential data inside the network. Observing information in use once a
user accesses it with their credentials is another discovery strategy, as is
breaking into systems where users have administrative rights. The attacker may
try to get more control by finding extra hosts within the target network and
using network or other system-level vulnerabilities to infect those hosts. Very
often, the tools used to get more control are standard system tools, for
example gsecdump and Cain & Abel (to crack passwords).

Capture
The process of controlling or regulating targeted assets while still inside the
network.
Exfiltration
The process of removing assets from the network.

Forensics
Forensics is the coherent application of investigatory methods to recover
evidence of a crime, involving the protection, identification, extraction,
documentation and interpretation of media for root cause analysis or
evidentiary analysis.
At this phase:

- the relevant items are identified
- the evidence is acquired without damage or alteration
- steps are taken to assure that the evidence is, at each step, verifiably
  unchanged from the time it was collected
- the data is analyzed without unauthorised access or risk of modification
- the findings are reported to the relevant authority

This reaches beyond the initial intrusion, looking for signs across all
stages.

Defence to mitigate the threat

A new way of addressing the challenge is required, one that reaches beyond the
intrusion. Dealing with malware requires reviewing and monitoring the traffic
inside the organisation's network. Even though malware can't be stopped at the
border once it already resides within the network, it will communicate over
that network, and this advanced malware has grown even more dependent on the
inside network for propagation, control and payload functionality.
This calls for building new technology that looks beyond the individual malware
and concentrates on malicious activity, mapping it to the phases of the attack.
By analyzing malicious traffic and its potential, the host generating the
malicious activity can be identified.

Reference
http://www.dynamicbusiness.com.au/technology/beware-six-stages-of-maliciouscyber-crime-attacks-21052012.html
