Malware: Malicious code is any code added, changed, or removed from a software system in order to intentionally cause harm or subvert the intended function of the system.

• Released on 19th January 1986
• First computer virus for the IBM Personal Computer
• Developed by Pakistani brothers Basit and Amjad Farooq Alvi, who were annoyed at having their heart monitoring software copied for free.
• A boot sector virus which moves the original boot sector to another section, marking it as bad.
• The virus only slowed down the floppy disk and did no other damage.
• Not malicious and displays a message claiming infection and asking payment to innoculate the machine.
• Written in Assembly for use on MS DOS

• Released on 2nd November 1988 from a computer at the Massachusetts Institute of Technology (MIT)
• Developed by Robert Tappan Morris
• Exploited several vulnerabilities of targeted systems
  • A hole in the debug mode of the Unix sendmail program
  • A buffer overflow or overrun hole in the finger network service
  • The transitive trust enabled by people setting up network logins with no password requirements via remote execution (rexec) with Remote Shell (rsh), termed rexec/rsh
• The worm exploited weak passwords. Morris's exploits became generally obsolete due to decommissioning rsh (normally disabled on untrusted networks), fixes to sendmail and finger, widespread network filtering, and improved awareness of weak passwords.
• The worm was not intended to be actively destructive, instead seeking to merely highlight the weaknesses present in many networks of the time.
• It was initially programmed to check each computer to determine if the infection was already present, but Morris believed that some system administrators might counter this by instructing the computer to report a false positive. Instead, he programmed the worm to copy itself 14% of the time, regardless of the status of infection on the computer. This resulted in a computer potentially being infected multiple times, with each additional infection slowing the machine down to unusability. This had the same effect as a fork bomb, and crashed the computer several times.
• Resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act

• Released on 8th May 2003
• Fizzer email worm spreads in infected email messages and in the Kazaa peer-to-peer (P2P) file-sharing network.
• First proven virus whose only purpose was to generate money./li>
• It came in an infected attachment, and turned the infected machine into a spam sender
• Sells details to spammers

Exploit kit: Efficient and effective tools for cybercriminals to distribute malware. Often include exploits for multiple vulnerabilities within a single malicious webpage.

• Nuclear Pack
• Angler
• Blackhole

It's much easier now than 20 years ago, to become a hacker. There is no need to write any programs or have extensive knowledge of Computer Science as an exploit kit is a programming tool which allows someone who does not have any experience writing software code to create, customize and distribute malware.

Malware-as-a-Service (MaaS): A business model under which cybercriminals provide access to malicious software and related infrastructure for a fee.

MaaS lowers the barrier to entry into cybercrime, allowing anyone with minimal coding skills to carry out attacks.

Hacking strategies and techniques are more sophisticated than they used to be. This makes the life of a malware analyst tougher.

• Brain → 700 Lines of Code (LOC)
• Morris → 99 LOC
• Stuxnet → ~15,000 LOC
• ZeuS → ~25,000 LOC

• Change of ambitions for malware authors
• Huge growth of malware samples
• New variants exposed every day
• Increasing number of platforms to target
• Exploit kits & MaaS
• Lots of research into automated analysis - but the need of a human link is always present
• Before using automated tools, it is important to understand basic principles

• Know your enemy
• Use knowledge for good
• https://www.schneier.com/blog/archives/2007/06/teaching_viruse.html
• Safe environment

• AV scanning (avoid wasting time)
• Fingerprinting malware
• Strings
• Packing/Obfuscation
• Portable Executable file format
• Libraries and Functions
• Reverse engineering + assembly

• Running the malware and monitor activity
• Processes
• System calls
• Registry keys
• Network activity
• Debugging

• Understanding malware and creating signatures / better methods of detecting them
• In an IR scenario, making sure we understand what happened, and that everything has been fixed

• As close to real world as can get
• More resources to setup
• More hassle

• Much easier to setup and manage
• Easier to roll back
• Not always the safest solution
• Recent malware can detect virtual environments

Why is it important to keep the VMs isolated?

• Avoid infecting other local networks
• Avoid possible return traffic back to a remote location (although in some cases that is a necessity)

Can you see an issue with this when analysing samples?

• Running conditions for malware (malware may crash itself if it cannot connect to its remote location, so we may have to fake a network within the VM)

8 "generic" types

• Virus
• Worm
• Trojan
• Spyware
• Backdoor
• Rootkit
• Botnet
• Ransomware

Additional types for different platforms, e.g. mobile

• Infect system without user's knowledge, but still need their interaction
• Attach itself to program file
• Duplicate itself and deliver malicious tasks

• Spread automatically between systems without permission (typically exploiting vulnerabilities)
• Operates without user's knowledge
• Impact on system's resources

• Remember that Troy wooden horse from the Greeks? Same principle
• Legitimate-looking piece of software
• Trick user into loading and executing the program
• Once executed, can perform a number of actions...

• Collects information, e.g. for advertising purposes or simply stealing confidential information
• Generally stealthy and difficult to detect

• Controlled remotely over a network (typically the internet)
• Can run a number of tasks, e.g. upload/download files, create services, and so on...
• May be legitimate...

• Basically a backdoor with added stealth capabilities
• Typically modify the kernel of the OS

• A ensemble of compromised devices
• Typically used for large scale network attacks, e.g. Distributed Denial of Service (DDoS), email spam, etc.

• Can be used to simply scare the user into paying a ransom (typically a frightening message)
• Crypto ransomware: encrypt the user's system and ask for ransom to decrypt
• Important research challenge

• Analysis/classification of malware
  • Gandotra, E., Bansal, D., & Sofat, S. (2014). Malware Analysis and Classification: A Survey. Journal of Information Security, 5(April), 56-64.
• Heuristic techniques
  • Bazrafshan, Z., Hashemi, H., Fard, S. M. H., & Hamzeh, A. (2013). A Survey on Heuristic Malware Detection Techniques. In 5th Conference on Information and Knowledge Technology (IKT) (pp. 113-120).
  • Nath, H. V, & Mehtre, B. M. (2014). Static Malware Analysis Using Machine Learning Methods, 440-450.
• Similarity hashes
  • Azab, A., Layton, R., Alazab, M., & Oliver, J. (2014, November). Mining Malware to Detect Variants. In Cybercrime and Trustworthy Computing Conference (CTC), 2014 Fifth (pp. 44-53). IEEE.
• Applying digital forensics techniques
• Polymorphic/metamorphic malware
• Smartphone malware
• Ransomware
• Internet of Things (IoT) malware
• OP codes analysis
• APTs