Malware Analysis Summary

Unit 10 - Tools and Techniques

Last Update Unknown

First Steps

  • Don't just start disassembling the code or running the malware in a debugger.
  • First, review the data you already have
    • Mine logs, alerts and packet captures that the malware has already generated
    • More accurate, but fewer samples to work with.
  • Live-captured information provides a more transparent view of a malicious application's true behaviour.
  • Real traffic provides information about the malware at both end points (client and server).
  • Analysing what we already have is safer

Countermeasures

  • Understand how the malware uses the network
    • IP addresses
    • TCP and UDP ports
    • Domain names
    • Traffic content
  • Mitigation (network based)
    • Firewalls and routers can be used to restrict access to a network based on IP address or ports
    • DNS servers can be configured to reroute known malicious domains to an internal host (sinkhole)
    • Proxy servers can be configured to detect or prevent access to a specific domain.
  • Mitigation (content based)
    • Intrusion Detection Systems
    • Intrusion Prevention Systems
    • Email proxy
    • Web proxy
  • Technologies can be deployed to employ content-based countermeasures.

Network Countermeasures

  • Mitigation (content based)
    • Create a signature
    • Check uniqueness (run over real traffic to verify no false positives)
  • When writing signatures, it is important to identify variable elements of the targeted content so that they are not mistakenly included in the signature.
  • Make the signature as complete as possible
    • More likely to catch different versions of the malware
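The two steps above (leave variable elements out of the signature, then run it over real traffic to check for false positives) as an added worked example, not part of the original notes. The beacon requests, benign requests and the malware family are all constructed for illustration; a real signature would be derived from captures of the sample being analysed.

```python
import re

# Constructed samples (not from any real capture): three beacons from the same
# hypothetical malware family. The id value and the C2 host differ per infection.
MALWARE_SAMPLES = [
    "GET /gate.php?id=A9F3B2C1&v=12 HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n",
    "GET /gate.php?id=7D10EE4F&v=12 HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n",
    "GET /gate.php?id=0B7C91AA&v=12 HTTP/1.1\r\nHost: 203.0.113.55\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n",
]

# Constructed benign requests standing in for the "real traffic" used to check uniqueness.
BENIGN_TRAFFIC = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n",
    # Same path and parameters as the malware but a different client: a signature
    # built from the path alone would flag this legitimate request.
    "GET /gate.php?id=A9F3B2C1&v=12 HTTP/1.1\r\nHost: intranet.example.com\r\n"
    "User-Agent: curl/7.88.1\r\n",
]

# Delimiters are kept as tokens so the request layout survives in the signature.
TOKEN_SPLIT = re.compile(r"([\s?&=/:]+)")

def build_signature(samples):
    """Derive a regex from several samples of the same request: tokens identical in
    every sample become literals, tokens that vary become a wildcard, so that
    per-infection values (ids, hosts) are not hard-coded into the signature."""
    tokenised = [TOKEN_SPLIT.split(s) for s in samples]
    if len({len(t) for t in tokenised}) != 1:
        raise ValueError("samples have different layouts; align them first")
    parts = []
    for column in zip(*tokenised):
        if len(set(column)) == 1:
            parts.append(re.escape(column[0]))   # invariant element
        else:
            parts.append(r"[^\s?&=/:]+")          # variable element
    return re.compile("".join(parts))

def false_positives(signature, traffic):
    """Return the requests in `traffic` that the signature matches; run over benign
    traffic, every hit is a false positive and the signature is too loose."""
    return [req for req in traffic if signature.search(req)]

# A hand-written signature that keeps only the path, for comparison.
LOOSE_SIGNATURE = re.compile(r"gate\.php\?id=")
```

`build_signature(MALWARE_SAMPLES)` matches all three beacons and none of the benign requests, whereas `LOOSE_SIGNATURE` flags the intranet request, which is exactly the false positive the uniqueness check is meant to catch.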

Other Dangers

  • Targeted malware may provide the attacker information when being analysed
    • Spear-phishing email with a link specific to the target
    • Encoded link within the malware
    • Embed a custom domain
  • These might alert the attacker
  • Protection
    • Tor
    • Dedicated connection

Hiding Techniques

  • Mimic existing protocols
    • IRC, HTTP, HTTPS and DNS
  • Using existing infrastructure
    • Servers dedicated solely to malware are easier to find
  • Client beaconing
    • NAT

Detecting Virtual Machines

  • Most home users don't use virtual machines, so some malware attempts to detect a virtual environment to make sure that it is attacking a home user rather than an analyst's sandbox.
  • The popularity of anti-virtualisation techniques is going down because of the increased use of virtualisation in ordinary environments.