Malware Analysis and Software Industry

Internet serves as an essential part in personal tasks and business. Many services thrive on internet, they highly rely on the connectivity. Online banking and ecommerce are the best examples for commercial use of Internet. Like real world, Internet is also targeted by hackers and criminals for its abundant personal and intellectual data available on it. Security incidents could result in catastrophic damage like real world incidents. Malwares helps such ill-intended people to accomplish these goals.

Malware has prevailed ever since internet and email communication came into existence. Any malicious software or a program designed with intent to damage or disable computer systems, network or any connected devices can be termed as ‘Malware’. Malware’s objectives can range from disrupting computing power or service, stealing critical data, accessing private networks, or exploiting critical resources.  A software can be termed a malware based on the intent of the creator rather than its actual features. Initially it was created for experiments, but eventually it is used for destruction of a business or person life. Its creation is on rise due to the money that is made through these organized crimes. Common malwares are created to make profit from forced advertising, stealing sensitive data, spreading email spam, or extorting money. Factors like defects in operating systems design, misconfiguration and network issues can make a system vulnerable to malware attacks.

Malware trends usually vary every year. However, studying these trends are necessary as they reflect adversaries’ intent and capability. Malware detection by sensors does not always indicate actual infection or attacks but weaponization of the code or attempted delivery to target victims and systems. We can detect malware at a network, application and host level on any devices. Currently cybercriminals are getting better at their hi-tech by leveraging newly announced zero-day vulnerabilities. The number of unique exploit detections is increasing constantly. Attacks against crypto mining, operational technology, Internet of Things(IoT) have risen than usual. Any piece of software that is used to disrupt computer functions, steal sensitive information, bypass access controls or harm the host system can be termed Malware. It is rather a broad term and consists of a variety of malicious programs. In Security terminology it is always recommended to identify the classification of a malware to understand its complete behavior. Each type of malware has its distinct pattern of infecting the system. The common types of malware include virus, rootkits, spyware, adware, trojan horses, ransomware and botnets. Below figure shows the different types of malware.

It is a contagious piece of code that infects software and then spreads from file to file on system. When infected software or files are shared between computers, the virus then spreads to the new host. It requires a legitimate program to execute and infect the victim’s file. It is the only form of malware that infects other systems or files. It can also spread through script files, documents, and cross-site scripting vulnerabilities in web apps. Till date, many antivirus programs fail to differentiate the actual virus and the infected file. It is the commonly reported malware by regular end-users and media personnel’s. Commonly called computer worms or trojans are the most preferred weapon of choice by hackers. They mostly disguise to be a routine useful program and forces the victim to install it on their systems. It can be any form of backdoor that allows the attackers unauthorized access. The access can be from low-level to high-level information. These malwares are the most preferred forms in stealing financial information of user. The data can include logins, financial data and electronic money.

One of the most advanced forms of malware in present days that has several destructive effects. This form of malware usually infects the system from within, locking the system and making it unusable. Then encrypts the victims file, rendering them inaccessible, and demanding a ransom payment usually in a form of cryptocurrency (bitcoins) to decrypt the files. It is the considered as a dangerous cyberthreat as its detection and removal is complicated. The best practice to prevent ransomware attack is to do an offline backup of all critical files. A type of malware that spies on user activity without their knowledge. Most of the targeted attacks begins with a spyware program that logs the keystrokes of victims and gains access to passwords or intellectual property. The capabilities include activity monitoring, keystroke collection and data harvesting (account information, logins). Additional capabilities include altering security settings of software or browsers to tamper network connections.

It is the abbreviated form of advertising-supported software. It is the most common day-to-day malware which redirects a user to land on a webpage that contains product promotions or advertisements. Common examples of adware include pop-up ads on websites and advertisements displayed by software. It is very common in for application that offers free versions to be bundled up with adware. It is considered as revenue generating tool. However, occasionally it exposes the compromised end-user to unwanted potentially malicious advertising which is usually in the form of popups and windows that cannot be closed. When a piece of software allows an attacker to gain complete control over the other device without the victim’s knowledge then the system is termed as a botnet. Attackers use this to control the device and carry out attacks on the other computers and networks, without allowing any trace of the bot. Thereby, all the infected computers are controlled remotely by cybercriminals who can use the botnet in many ways like denial of service attacks, keystroke logging, web spider that scrape server data and spam emails distribution. Websites prevent this by using ‘CAPTCHA’ tests to validate humans against bots.

This form of malware remotely accesses or controls the computer without victim’s knowledge or security programs. The rootkit once installed allows the malicious party to remotely execute files, access/steal information, alter security configuration, tamper software, install concealed malware and control it like a bot. Rootkit prevention using software is not effective due to its stealthy operations as it hides its presence. Hence its prevention highly relies on manual methods like monitoring irregular activity, signature scanning, and storage dump analysis. Regularly patching the vulnerabilities, updating virus definitions, avoiding illegit downloads, and performing static analysis scans can prevent rootkits.

The process of identifying and studying the lifecycle of a computer malware can be termed as malware analysis. This study also extends in understanding its behavior and prevention techniques. The two key techniques in malware analysis that security professionals perform include code (static) analysis and behavioral (dynamic) analysis. Although both types accomplish the same goal of explaining how malware works, the tools, time and skills required to perform the analysis are very different. Code analysis is the actual viewing of code and walking through it to get a better understanding of the malware and what it is doing. Behavioral analysis is how the malware behaves when executed, who it talks to, what gets installed, and how it runs. When performing Malware analysis, both static and dynamic analysis should be performed to understand the complete behavior and impact on the host system. Below figure depicts the high-level process involved in malware analysis.

Code or Static analysis is the process of analyzing a malware binary without running the actual code. First, the signature of the binary file is determined which serves as a unique identifier for the corresponding binary file. A cryptographic hash value of the file is then calculated, and each component is studied. Reverse engineering technique is used to understand the binary file by loading the executable into disassembler. Later, the machine-readable code is converted into assembly language for further analysis. Some of the other techniques used in static analysis are file fingerprinting, virus scanning, memory dumping, packer detection, and debugging. Basic analysis usually gathers indicators like file name, MD5 checksums or hashes, file type, file size and antivirus recognition patterns. Mostly, static analysis is much safer than dynamic analysis. However, it is largely ineffective against present day malware, as it can miscue some important behaviors.

A sophisticated form of analysis where the malware under study is run in a controlled or an isolated environment to observe its behavior. In advanced levels of analysis, a debugger can be used to determine the functionality of the malware executable which rather is difficult to obtain using other static techniques. Dynamic analysis reveals indicators like domain name, IP addresses, file path locations, registry keys, and additional files on the server or network. It is also useful in identifying an attacker-controlled external server for command and control purposes to download additional malware files. Manual analysis is replaced by automated analysis through commercial sandboxes that is fully equipped with advanced detection tools. Though it is a detailed process, it is likely to miss important behaviors in dynamic analysis as some malware are designed to overcome such environments.

Apart from regularly applying patches and updates, conducting penetration testing and forming usage policies, security researchers prepare a response plan to tackle security incidents. Malware response is an organized approach to respond and manage the aftermath of a security incident. A malware incident response plan does not usually focus on an attack; rather, it emphasizes on the payload(malware) left behind on the targeted systems. There are six steps involved for an effective response which is explained in detail below. Gathers an appropriate team to create malware-specific incident handling policies and procedures. Run a malware-oriented training and exercises to identify the gaps in organization policies and procedures. Determine the actual working procedure based on the organization. Ensure the overall preparedness of the malware response team.

Ensure to deliver complete immunity against any known malware or its variants by deploying and monitoring antivirus/anti-spyware software. Install toolkits on any form of removable media for identifying, examining and performing analysis. Perform static analysis in frequent intervals to ensure safety of the product. Conduct dynamic sandbox testing for an overall vigilance. Ensure to adapt to the technological advancements. Malware incidents may have to be contained by shutting down a server/workstation or block services (e.g., e-mail, Web browsing, or Internet access). Backups of critical resources should be mandated. Also, responsible authorities for such approvals must be quick and proactive during response. Early containment can stop the spread of malware and prevent further damage to systems both internal and external to your network.

Incorporate a variety of eradication techniques to remove malware from the infected systems. Ensure to clean up the attacker’s artifacts. If required shut down or stop services to prevent malware from spreading. Restore confidentiality, integrity, and availability of data on the infected systems, and bring the system back to normalcy in a secure manner from containment measures. This includes recoupling systems networks and upgrading compromised systems from scratch or any known good backups. Assessment of the risks for restoring network services, and response guide for restoration of services is devised. All the process involved should be documented and drafted. Any changes in security policy, software configurations, and the addition of malware detection and prevention controls is identified periodically and reported. User’s environment can greatly affect when malicious programs are replicated. It can lead to deletion, modification or corruption of files in systems. It can even reset a secure setting existing in an environment leading to ultimate ineffectiveness of the system. To mitigate this threat a sandbox environment is required. Any malware program can be discharged in such an environment without the fear of actual impact in rest of the core network. Actions within the sandbox is used in the malware study either to prevent the larger systems from getting affected or to deploy preventive software. Generally, to understand the complete impact of a program it is recommended to use a full system emulation sandbox that is capable of replicating both hardware and software attached to the host system. Below are some of the common types of sandboxes used:

Cuckoo Sandbox – It is an Open Source software for automating analysis of suspicious files.

DroidBox – Developed to offer dynamic analysis of Android applications.

Malwasm – It is a tool based on Cuckoo Sandbox designed to help perform step by step analysis, log all malware activities and store them into a web accessible database.

Behavioral monitoring tools gives sense for the key capabilities involved in a malicious software. Tools are classified based on the behavior they identify: Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager. This helps in observing malicious processes including open local network ports, unencrypted files in server, insecure network connections. ProcDOT a powerful process monitoring tool helps to observe how local processes read, write, or delete registry entries and files. It helps to understand ways in which a malware attempts to embed into the system upon infection. Network monitoring: Wireshark and Burp Suite is a popular network sniffer. It can monitor network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads. Change detection: Regshot, a lightweight tool helps in comparing a system’s current state before and after the infection. It also highlights the key changes a malware makes to the file system and its file registry.

A basic code analysis always helps uncover important characteristics that is difficult to derive from behavioral analysis. It is usually hard to extract a malicious executable’s source code from its source. However, such source codes can be reversed using compiled Windows executables. Disassemblers and Message dumper helps in such static analysis of codes. Disassembler and debugger: OllyDbg and IDA Pro Freeware are the most popular disassemblers used in static analysis. It can parse compiled Windows executables and, acting as disassemblers, display their code in assembly instructions. These tools also have debugging capabilities, which allow you to execute the most remarkable parts of the malicious program slowly and under highly controlled conditions. Further it also helps to understand the purpose of the code. Memory dumper: Scylla and OllyDumpEx help to obtain the protected code located in a lab system’s memory and dump it to a file. This technique is useful while analyzing packed executables, which are difficult to disassemble. Because they usually encode or encrypt the instructions, extracting them into RAM only during run-time.

The present-day malwares are increasingly sophisticated. Cybercriminals ensure that they constantly match with any technological advancement. They assure that malware is undetectable by present day tools while building them. Practically every offensive technique is included in malware designing to make it more complex to defend against. Malwares are built responsively to hide from users or software that try to detect them. Hence, malware analysis is an integral step to be able to develop effective techniques for malicious code. It is also required to understand its types, nature and attacking methodologies. Malware Analysis also serves as primary source of information along with responding to network intrusions. It helps us to determine the nature of the incident and locate all infected machines and files. The end goal is typically to inspect the binaries capabilities, its level of infection in the network and ways to manage and contain them.