This article contains the audience solutions on Malware Analysis.
Q1. What is a zero-day exploit? Argue why it wouldn’t be correct to use APT for any malware analysis.
Ans1. A zero-day exploit (an exploit of a recently discovered vulnerability) is an attack that occurs on the same day that a vulnerability is found in the code/system. It is the most dangerous type of attack because only the attacker knows about the vulnerability in the system/code. The attack is called zero-day because the vendor has only just come across the vulnerability and has to deliver the patch to the client company on that same day.
An advanced persistent threat (APT) is a type of attack, whereas malware is a type of payload used to carry out an attack. An APT is a persistent attack that takes much longer than a malware attack, which is why APT cannot be used as a synonym for malware in any analysis. An APT is intended for long-term use, whereas malware is for instant use.
Q2. Briefly Discuss The Seven Steps of the Cyber Kill Chain in Malware Analysis.
Ans2. Step1: Reconnaissance
Reconnaissance is the first phase, in which information about the target is gathered. If a company is the target, the attacker will harvest the company's email addresses, fingerprint the target and then build a blueprint of the company's infrastructure in order to attack the network. This can take weeks or months, depending on the organization's security layers. Gathering all this knowledge about the target makes the attack 50% easier for the attacker.
Step2: Weaponization
In weaponization the attacker selects the weapon, that is, which malware will be used for the attack, so that the company's network cannot detect it. This phase also covers the payload that is delivered into the network as a backdoor.
Step3: Delivery
This is the most delicate phase, because the attacker has to insert the malware into the victim's network without being detected by the victim's defenses. Malware is mostly delivered through websites, email attachments and removable media such as hard disks and pen drives.
Step4: Exploitation
In this stage the attacker exploits the victim's system from a remote location by running code that the attacker embedded earlier. Nowadays it is even easier, by embedding auto-run scripts that the user executes without his/her knowledge.
Step5: Installation
This phase installs additional backdoors in the victim's system to obtain extended access to it. It also makes it difficult for the victim to detect all the malware in the system, for example by installing a web shell on a server, auto-run keys, etc.
Step6: Command and control
This phase is the defender's last best chance to block the operation, by blocking the command-and-control traffic. In this phase the attacker passes commands to gain control over the victim's system. It basically opens a C2 channel for two-way communication over DNS, web and email protocols.
Step7: Action on objectives
This is the phase for which all the previous steps were executed. Here the attacker finally gains full access to the victim's system. A higher level of access translates directly into a higher level of impact. The attacker collects all the information and credentials and then destroys the data by corrupting it.
Q3. Briefly discuss at least 10 of the main indicators that a system may be infected with malware.
1. Slow startup and slow performance: If there is a virus in your system, startup will take longer than normal and programs will also take a long time to execute. If your system is running sluggishly, check the disk space and RAM; if those are not the problem, the system may be infected with malware.
2. Unwanted pop-up windows: Unexpected pop-up ads on the system are a sign of a virus, and clicking on them also helps other viruses get into the system. A typical one claims "your system is infected with a virus, click here to clean your system", and clicking it downloads malware onto your system.
3. Running out of storage space: If you have a lot of free space on your system and then get an alert that you are running out of storage, it means there is a virus in your system that is trying to acquire space.
4. Malicious hard drive activity: If your hard drive spins and makes a lot of noise even when you are not using it or running any software, there is a chance that your system is infected with a virus that is using your drive.
5. Files missing: Malware tends to change file locations or delete files. Some malware encrypts files so that the user cannot open them and then asks for a ransom to decrypt them.
6. High bandwidth usage: If your internet usage is very high compared to what you actually use, there may be a virus using the internet to send information to the attacker.
7. Crashes: If your programs are freezing, shutting down for no reason, or opening and closing automatically, there is a chance that your system is infected with a virus.
8. Security disabled: Some viruses are designed to disable the victim's security. So if you are unable to install antivirus software on your system, there may be a virus in your system.
9. Browser madness: If your browser is acting slowly and your pages are redirecting to unusual websites with warning signs, there may be a virus in your system.
10. Email hijacking: If your contacts get messages from your social media account asking them to click on a link that you did not send, there is a virus on your computer that is trying to replicate to other systems.
Q4. Differentiate Between a Downloader and a Dropper.
Ans4. Downloader: A downloader's main purpose is to download further files from the internet (malware, misleading applications) in order to upgrade the existing attack.
Dropper: A dropper is used to install additional viruses or backdoors on the system. Sometimes the dropper carries the malware code inside itself; after entering the system it executes that code on the victim's system while avoiding detection by virus protection software.
We can say that the final purpose of a downloader is similar to that of a dropper; the difference is that a downloader brings the malware into the system by bypassing security checks, whereas a dropper carries the malware inside itself and extracts it after entering the system.
Q5. What is change monitoring? Briefly describe your approach and what tools you would use.
Ans5. Change monitoring captures the changes that happen on a daily basis by taking snapshots of the system state, comparing each one with the previous snapshot, and then identifying what was added, deleted or modified in the system. The changes found may have been made by the malware or by the OS itself.
The advantage of change monitoring is that the organization can quickly monitor changes; the disadvantage is that files created and deleted between two snapshots cannot be captured.
The approach to change monitoring is to "capture a snapshot", "run the malware", take another "snapshot" and finally compare them to see the changes. Every change monitoring process involves aspects such as unmodified logs, centralized auditing, and real-time, human-readable changes. There are also phases in the approach, such as the quantitative phase, the qualitative phase and the mixed-method approach.
Tools used for change monitoring include Regshot, OSForensics, WhatChanged, RegFromApp, Process Monitor and many more. They take a snapshot after installation, then the malware is run, one more snapshot is taken and the two are compared.
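The snapshot/run/snapshot/compare approach described above, as an added example that is not part of the original article or of any of the tools it names: a file-system snapshot is taken before and after simulated sample activity in a throwaway directory, and the two are diffed into added, deleted and modified paths. The directory layout, file names and "malware" activity are all constructed for illustration, and unlike Regshot this covers files only, not the registry.

```python
import hashlib
import tempfile
from pathlib import Path

def take_snapshot(root):
    """Record (size, sha256) for every regular file under root, keyed by its relative POSIX path.
    Constructed example: real tools also snapshot the registry; this one covers files only."""
    root = Path(root)
    snapshot = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            snapshot[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snapshot

def compare_snapshots(before, after):
    """Classify every path as added, deleted or modified (size or hash changed) between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Snapshot -> simulated sample activity -> snapshot -> compare, inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("original contents\n")
        (root / "old.log").write_text("to be removed\n")
        before = take_snapshot(root)

        # Constructed stand-in for "run the malware": one file added, one modified, one deleted.
        (root / "system" / "autorun_sample.inf").write_text("[autorun]\n")
        (root / "system" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 constructed.example\n")
        (root / "old.log").unlink()
        # Created and deleted between the two snapshots: invisible to this method (the limitation noted above).
        (root / "staging.tmp").write_text("transient\n")
        (root / "staging.tmp").unlink()

        after = take_snapshot(root)
        return compare_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```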
Q6. What is FakeNet and How would you use it for Malware Analysis?
Ans6. FakeNet is a tool used to monitor malicious software during dynamic malware analysis. It monitors the activity when malware interacts with a remote host and captures the malware's network activity by simulating a network. Its main features are:
1. Easy to install; no third-party libraries needed
2. Supports the common protocols used by malware
3. All activity stays on the local machine, so nothing outside is disturbed
4. Python extensions are used to add new protocols
5. Does not stop the malware from running while monitoring its activity
6. Flexible configuration
FakeNet is used for malware analysis by providing custom HTTP and DNS servers that respond to the malware's requests. For wrapping any connection in SSL it uses OpenSSL. For listening for traffic on a new port or redirecting traffic it uses an LSP (Winsock Layered Service Provider). It also creates a .pcap file of the traffic by reconstructing the packet headers.
- Encoding obfuscation: The first method is ASCII encoding, in which normal code is converted into ASCII character codes. The second method uses an encoding function to create the obfuscated code and attaches a decode function to it for decoding.
Figure: Obfuscation example using hexadecimal representation.
Figure: Example of an encoding/decoding function used for obfuscation: a) the encoding function, b) the obfuscated code.
a) Insertion of independent instructions; b) use of additional conditional branches.
Q8. Differentiate between a DGA and a fast-flux botnet.
A domain generation algorithm (DGA) is a method, embedded in the malware binary, for generating a large number of pseudo-random domain names for C&C. The malware then resolves those domain names by sending DNS queries until one of them resolves to the IP of the C&C server. It is used to safeguard the C&C server against blacklisting or takedown attempts.
Knowing the DGA's seeds and algorithm helps in predicting the DGA domains in advance. Seeds are required for the calculation of the AGDs (algorithmically generated domains): the DGA generates a pseudo-random string by taking the seed as its input value.
There are two types of seed:
1. Static seed
2. Dynamic seed
Static seeds are a combination of a random string and number, or any other value that can be modified between samples, whereas dynamic seeds change with time; they are time-dependent.
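The defender's use of a recovered DGA described above, as an added example that is not from the original article and not the algorithm of any real malware family: a constructed toy DGA combines a static seed (hard-coded in the sample) with a dynamic, date-based seed, the analyst precomputes the AGDs for the coming week as a blocklist, and DNS query log lines (also constructed) are matched against it. The seed value, TLD list, label length and log format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; it does not reproduce any real malware family.
TLDS = ("com", "net", "org")

def generate_domains(static_seed, day, count=5):
    """Combine the static seed with the dynamic seed (the date) and derive `count`
    pseudo-random labels from a hash of that material, like an AGD list for one day."""
    domains = []
    for i in range(count):
        material = f"{static_seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map each hex digit to a letter a-p so the label looks like a typical DGA domain.
        label = "".join(chr(ord("a") + int(h, 16)) for h in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def predict_blocklist(static_seed, start, days):
    """Defender side: precompute every AGD for the next `days` so they can be blocked or sinkholed in advance."""
    return {
        domain
        for n in range(days)
        for domain in generate_domains(static_seed, start + timedelta(days=n))
    }

def flag_dga_queries(dns_log, blocklist):
    """Match the queried names in 'client qname' log lines against the predicted set (FQDN dot tolerated)."""
    hits = []
    for line in dns_log.splitlines():
        client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits

def demo(static_seed="constructed-seed", day=date(2024, 1, 15)):
    """Predict a week of AGDs, then scan a constructed DNS log for hosts querying them."""
    blocklist = predict_blocklist(static_seed, day, days=7)
    todays = generate_domains(static_seed, day)
    tomorrows = generate_domains(static_seed, day + timedelta(days=1))
    dns_log = "\n".join([
        "10.0.0.5 www.example.com",        # benign
        f"10.0.0.7 {todays[0]}",           # AGD for today
        "10.0.0.5 mail.example.org",       # benign
        f"10.0.0.9 {tomorrows[2]}.",       # AGD for tomorrow, logged as a FQDN with trailing dot
    ])
    return {"predicted": len(blocklist), "hits": flag_dga_queries(dns_log, blocklist)}
```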
Fast Flux Botnet
The main idea of a fast-flux network is to assign one domain name multiple IP addresses and then change those IPs frequently, after a specific interval of time. Only a few of the machines actually serve the malicious content; the rest act as redirectors that mask the real address of the system controlled by the attacker.
Single-flux network: IP addresses are registered and deregistered for a single domain as part of DNS. The registrations have a very short lifespan (5 minutes), so the IPs constantly change while the domain is being accessed.
Double-flux network: It contains an extra layer, which makes it more sophisticated and more difficult to locate the system that is actually serving the malware to every machine.
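The single-flux behaviour described above turned into a triage check, as an added example that is not part of the original article: successive DNS answers (constructed records using RFC 5737 documentation addresses) are summarized per domain by distinct IPs, distinct /16 networks and mean TTL, and a domain whose addresses churn across several networks with a TTL of minutes is flagged. The record layout and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed DNS answers: (seconds since start, domain, ttl, A records).
# flux.example.net rotates its A records every TTL; static.example.com does not.
OBSERVED_ANSWERS = [
    (0,    "static.example.com", 3600, ["93.184.216.34"]),
    (3600, "static.example.com", 3600, ["93.184.216.34"]),
    (0,    "flux.example.net",   300,  ["198.51.100.12", "203.0.113.77", "192.0.2.45"]),
    (300,  "flux.example.net",   300,  ["198.51.100.80", "203.0.113.9", "192.0.2.200"]),
    (600,  "flux.example.net",   300,  ["198.51.100.33", "203.0.113.150", "192.0.2.7"]),
]

def summarize(answers):
    """Per domain: number of distinct IPs, distinct /16 networks (a rough stand-in for
    'different hosting providers') and the mean TTL of the answers seen."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for _, domain, ttl, records in answers:
        ttls[domain].append(ttl)
        for ip in records:
            ips[domain].add(ip)
            nets[domain].add(".".join(ip.split(".")[:2]))
    return {d: {"ips": len(ips[d]), "nets": len(nets[d]), "mean_ttl": mean(ttls[d])} for d in ttls}

def flag_fast_flux(answers, min_ips=5, min_nets=3, max_ttl=300):
    """Flag domains whose A records churn across many networks with a TTL of a few minutes,
    the single-flux pattern described above (thresholds are constructed, not from the page)."""
    return sorted(
        domain for domain, stats in summarize(answers).items()
        if stats["ips"] >= min_ips and stats["nets"] >= min_nets and stats["mean_ttl"] <= max_ttl
    )

if __name__ == "__main__":
    print(flag_fast_flux(OBSERVED_ANSWERS))
```

Large CDNs also answer with short TTLs and many addresses, so a hit here is a triage signal to investigate, not a verdict on its own.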