Comprehensive Guide to Malware Analysis

Feb 6, 2025

Malware Analysis Lecture Notes

Introduction to Malware

  • Traditional antivirus signatures alone are an outdated approach to detecting malware.
  • New malware is constantly created specifically to evade signature-based detection.

Modern Malware Detection Strategies

Community Efforts

  • Use platforms like VirusTotal to submit files for scanning against multiple antivirus engines.
  • Contributions help update security products with real data.

Signature Updates

  • Regularly update signatures to detect emerging malware.
  • Standardized naming conventions (e.g., malware family name, threat group name).

Detection Rules

  • YARA: Used to standardize detection rules.
  • Writing malware signatures requires programming knowledge.
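The notes say YARA standardizes detection rules and that writing them takes some programming. The following is an added example, not code from the lecture or from the YARA project: a small Python matcher that evaluates a YARA-like rule (text strings, a hex pattern with `??` wildcards, and an "N of them" condition) against constructed sample bytes. The rule, the sample data and the `example.invalid` URL are all made up for the illustration.

```python
import re
from dataclasses import dataclass, field

# Reference (assumed) YARA rule this example mirrors:
#   rule Constructed_Dropper {
#     strings:
#       $mz = { 4D 5A }          // DOS/PE header bytes
#       $a  = "cmd.exe /c"
#       $b  = "http://"
#     condition: 2 of them
#   }


@dataclass
class Rule:
    """Minimal stand-in for a YARA rule: named patterns plus an 'N of them' condition."""
    name: str
    strings: dict                    # identifier -> bytes (literal) or re.Pattern (hex with wildcards)
    min_matches: int = 1             # "N of them": at least this many identifiers must match
    tags: list = field(default_factory=list)


def hex_pattern(spec: str) -> re.Pattern:
    """Translate a YARA-style hex string such as '4D 5A ?? ?? 50 45' into a bytes regex.
    '??' stands for exactly one arbitrary byte."""
    parts = spec.split()
    rx = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in parts)
    return re.compile(rx, re.DOTALL)


def scan(rule: Rule, data: bytes) -> dict:
    """Return which identifiers matched (with offsets) and whether the condition holds."""
    hits = {}
    for ident, pat in rule.strings.items():
        if isinstance(pat, bytes):
            offsets = [m.start() for m in re.finditer(re.escape(pat), data)]
        else:
            offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return {"rule": rule.name, "matched": len(hits) >= rule.min_matches, "strings": hits}


def build_sample_rule() -> Rule:
    return Rule(
        name="Constructed_Dropper",
        strings={
            "$mz": hex_pattern("4D 5A"),
            "$a": b"cmd.exe /c",
            "$b": b"http://",
        },
        min_matches=2,
        tags=["constructed", "example"],
    )


# Constructed sample inputs (not real malware): a PE-like blob and a benign text blob.
SAMPLE_SUSPICIOUS = (
    b"MZ\x90\x00\x03\x00" + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16 + b"cmd.exe /c start http://example.invalid/stage2"
)
SAMPLE_BENIGN = b"Quarterly report: all figures in thousands.\n"

if __name__ == "__main__":
    rule = build_sample_rule()
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan(rule, blob))
```

A real YARA rule would be compiled and run with the `yara` tool or its Python bindings; the point here is to see what "strings" and "condition" reduce to: byte searches and a count over which of them hit.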

Sandbox Analysis

  • Sandboxing: Analyzing malware in a controlled, virtual environment.
  • Observations may include system file changes, network activity, and system calls.
  • Time Acceleration: Advance the sandbox clock to observe behavior the malware would otherwise show only later.
  • Cuckoo Sandbox: Free sandboxing solution.

Risks of Virtual Environments

  • Hypervisors mediate between the virtual machines and the physical hardware.
  • A vulnerability in the hypervisor undermines the isolation that sandbox analysis relies on.

Reverse Engineering

  • Process of understanding how malware is built without executing it.
  • Tools include decompilers and disassemblers.
    • Decompilers: Attempt to reconstruct high-level source code from a binary.
    • Disassemblers: Convert machine code to assembly code.

Strings and File Analysis

  • Strings: Search for readable text in binaries to identify malware.
  • Magic Numbers: Bytes at the start of a file (the file header) used to identify the file type, rather than trusting the extension.
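To make the two static techniques above concrete, here is an added example (not from the lecture) that extracts printable ASCII and UTF-16LE strings from a byte blob and identifies the file type from its leading bytes, flagging a mismatch with the claimed extension. The signature table and the sample file contents are constructed for the illustration; `example.invalid` is a reserved placeholder domain.

```python
import re

# Constructed table of well-known leading-byte signatures (all at offset 0).
MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR/APK)"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"#!", "script with shebang"),
]

# What each extension claims to be; anything not listed is treated as "no claim".
EXTENSION_CLAIMS = {
    ".exe": "PE/DOS executable",
    ".dll": "PE/DOS executable",
    ".pdf": "PDF document",
    ".png": "PNG image",
    ".zip": "ZIP container (also DOCX/XLSX/JAR/APK)",
}


def identify(data: bytes) -> str:
    """Classify by magic number, ignoring the filename entirely."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, wide_strings) of at least min_len printable characters.
    Wide strings are UTF-16LE (each printable byte followed by NUL), common in Windows binaries."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs, wide_runs


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into a small static-triage report."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    actual = identify(data)
    claimed = EXTENSION_CLAIMS.get(ext)
    ascii_s, wide_s = extract_strings(data)
    return {
        "file": filename,
        "type": actual,
        "extension_mismatch": claimed is not None and claimed != actual,
        "ascii_strings": ascii_s,
        "wide_strings": wide_s,
    }


# Constructed samples: a PE-like blob disguised with a .pdf extension, and a genuine-looking PDF.
DISGUISED = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode" + b"\x00" * 4
    + "http://example.invalid/update".encode("utf-16le") + b"\x00" * 4
    + b"kernel32.dll\x00"
)
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    print(triage("invoice.pdf", DISGUISED))
    print(triage("report.pdf", REAL_PDF))
```

The `file` command and the `strings` utility do the same two jobs on a real analysis box; the extension-mismatch flag is the part worth automating, because a disguised executable is exactly what a user double-clicks.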

Program Packers

  • Packers compress executables, which can obscure malware from detection.
  • Malware may recompress itself to evade detection.
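Packed or compressed code has a byte distribution close to random, so measuring Shannon entropy per block is a common first heuristic for spotting a packed region. This is an added example, not part of the lecture, and the entropy heuristic itself goes one step beyond what the notes state. The "packed section" is simulated with deterministic SHA-256 output so the example runs offline; the 7.0-bit threshold is an assumed, commonly used cut-off, not a standard.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in [0, 8]; 8.0 means all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 256) -> list:
    """Entropy of each fixed-size block, so a packed section stands out against plain code/text."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Assumed heuristic: overall entropy at or above the threshold suggests compression/encryption."""
    return shannon_entropy(data) >= threshold


def high_entropy_blocks(data: bytes, block: int = 256, threshold: float = 7.0) -> list:
    """Indices of blocks above the threshold (where an analyst would look for the packed payload)."""
    return [i for i, e in enumerate(entropy_profile(data, block)) if e >= threshold]


# Constructed samples (not real binaries).
PLAIN = b"This program cannot be run in DOS mode. " * 64          # 2560 bytes of repetitive text
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 random-looking bytes
MIXED = PLAIN[:512] + PACKED                                        # readable stub followed by packed body

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED), ("mixed", MIXED)):
        print(f"{name:7s} entropy={shannon_entropy(blob):.2f} packed={looks_packed(blob)} "
              f"high blocks={high_entropy_blocks(blob)}")
```

Entropy alone is not proof: compressed media, certificates and legitimately encrypted resources are also high-entropy, so the flag is a prompt to look closer (unpack, then run the strings and magic-number checks on the result), not a verdict.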

Exploit Techniques

Types of Malware

  • Viruses: Infect files on the disk.
  • Worms: Propagate through networks without user interaction.
  • Fileless Malware: Uses scripts to execute code, often via droppers.

Malware Persistence

  • Remote Access Trojans (RATs): Maintain access remotely.
  • Code Injection: Techniques to execute code within legitimate processes.
    • Masquerading, DLL Injection, Process Hollowing

Living Off The Land

  • Using existing tools on an infected machine for malicious purposes, e.g., invoking PowerShell or Bash.
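Because living-off-the-land abuses tools that are legitimately present, detection leans on context (who launched the interpreter, and how) rather than on the binary itself. The following is an added example, not from the lecture: detection logic run over a few constructed process-creation events. The event field names, the parent-process lists and the sample command lines are assumptions for the illustration; `-EncodedCommand` is a real PowerShell switch, the base64 token here is a placeholder.

```python
import ntpath

# Assumed process categories used by the rules below (constructed for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_SERVER_PARENTS = {"httpd", "nginx", "apache2", "w3wp.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "bash", "sh", "python", "python3"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    # ntpath splits on both '\\' and '/', so one helper covers Windows and Unix paths.
    return ntpath.basename(path).lower()


def analyze_event(ev: dict) -> list:
    """Return human-readable findings for one process-creation event (empty list = nothing notable)."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    args = ev.get("cmdline", "").split()
    findings = []
    if child in INTERPRETERS and parent in OFFICE_PARENTS:
        findings.append("script interpreter spawned by an Office application")
    if child in INTERPRETERS and parent in WEB_SERVER_PARENTS:
        findings.append("shell spawned by a web server process")
    if child in POWERSHELL and any(a.lower().startswith("-enc") for a in args):
        findings.append("PowerShell launched with an encoded command")
    return findings


def triage(events: list) -> list:
    """(event id, findings) for every event that triggered at least one rule."""
    out = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            out.append((ev["id"], findings))
    return out


# Constructed process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand BASE64PLACEHOLDER"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"id": 3, "parent_image": "/usr/sbin/nginx", "image": "/bin/sh",
     "cmdline": "sh -c 'uname -a'"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /k"},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS):
        print(event_id, findings)
```

Event 2 and event 4 are an administrator opening a shell from the desktop and produce nothing; the signal in events 1 and 3 is entirely in the parent-child relationship and the arguments, which is why process-creation telemetry with parent information matters more here than file hashes.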

Key Takeaways

  • Remember different tools and techniques used for malware analysis.
  • Recognize various exploit techniques and how they are used by malware.

Next Topic: Cloud computing (upcoming lecture).