1. Introduction Malware Analysis
What is malware?
• Malicious software – causes harm to a computer system or its users
• Examples
  • Viruses
  • Worms
  • Trojans
  • Rootkits
  • Ransomware
  • …
How is malware distributed?
• By downloading software from the Internet
• Via email attachments
• Physical media
• Self-propagation
• …
Malware Examples
• Virus
  • Propagates by inserting a copy of itself into another program. Viruses are typically attached to an executable file, so the program has to be executed for the virus to become active and spread.
• Worms
  • Similar to viruses, but they do not require a host program or human help to propagate. They exploit a system vulnerability to infect a system.
• Trojans
  • Look trustworthy – an overt impression with a covert (and malicious) action. They do not infect other files (they don’t replicate themselves).
Malware Examples
• Rootkits
  • Hide deep in the system to evade detection by anti-malware applications and allow attackers to install other (malicious) programs.
• Botnets
  • Form a network of infected systems that are controlled by an attacker.
• Backdoors
  • Allow an attacker remote access to the system.
Malware Examples
• Scareware
  • Frightens the user into buying something or sending money to the attacker.
• Ransomware
  • Encrypts files and extorts money from the user in exchange for the decryption code.
Mass and Targeted Malware
• The difference is the target
• APT – Advanced Persistent Threats
  • Becoming more common
  • Unique and custom malware
  • Can be very sophisticated
  • Low and slow
• Mass malware
  • Distributed through phishing campaigns
  • Typically reused and does not target a specific victim
What is Malware Analysis?
• The art of dissecting software binaries to:
  • Identify the existence of malware
  • Understand what it does
  • Remove/isolate it
• The dissection process uses a:
  • Disassembler (will be used in this course)
  • Decompiler
Types of programming languages
• 1st Generation Language
  • Machine Language (known as binaries or byte code)
• 2nd Generation Language
  • Assembly Language
• 3rd Generation Language
  • Common programming languages (platform independent)
• 4th Generation Language
  • Non-procedural (what-to-do rather than how-to-do)
Decompilation of a Binary
• Decompiler:
  • Input: assembly language or machine language
  • Output: a high-level language
• It is a lossy process:
  • No variable names and no function names exist at the machine language level
  • It is a many-to-many operation
Disassembly of a Binary
• Why do it?
  • Malware analysis
  • To check for software vulnerabilities
  • To check software interoperability
  • To validate a compiler
  • To check program instructions while debugging
Malware Analysis
• Two primary methods
• Static Analysis
  • Review the code (don’t execute it)
  • Goal: determine if the file contains malicious code – a quick process
  • Need to disassemble the binary to do that
• Dynamic Analysis
  • Execute the code in a controlled environment and observe its behavior
  • Goal: understand how it works
  • No need to disassemble
Disassembly methods
• Linear Sweep:
  • The next instruction to be disassembled is the one after the current instruction
• Recursive Descent:
  • Follows the control flow
Linear sweep disassembly
• Disassembly begins with the first byte of the code section and moves in a linear fashion
• The program’s control flow (branches etc.) is ignored during the disassembly process
• Advantage: provides complete coverage of the code section
Recursive descent disassembly
• The control flow determines whether the next instruction will be disassembled
• If the next instruction is not referenced, it is ignored
• Advantage:
  • It can distinguish between code and data
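The two methods above, side by side, as an added example that is not part of the original slides: a toy disassembler that models only five real x86 opcodes, run over a constructed byte sequence in which a jump skips one data byte. Linear sweep decodes that data byte as the start of an instruction and desynchronizes, while recursive descent follows the jump and never visits it.

```python
# Simplified x86-style encoding (constructed for this example): only these opcodes are modelled.
OPCODES = {
    0x90: ("nop", 1), 0xC3: ("ret", 1), 0xB0: ("mov al, imm8", 2),
    0xEB: ("jmp rel8", 2), 0x74: ("jz rel8", 2),
}

def decode(code, off):
    """Decode one instruction at offset off -> (text, length, successor offsets)."""
    op = code[off]
    entry = OPCODES.get(op)
    if entry is None or off + entry[1] > len(code):
        return f"db 0x{op:02x}", 1, [off + 1]      # unknown byte: treat as data, advance one
    name, size = entry
    nxt = off + size
    if op == 0xC3:
        return "ret", size, []                     # no successors: control flow ends here
    if op in (0xEB, 0x74):
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        target = nxt + rel                         # rel8 is relative to the next instruction
        mnemonic = name.split()[0]
        succ = [target] if op == 0xEB else [nxt, target]   # jz also falls through
        return f"{mnemonic} 0x{target:02x}", size, succ
    if op == 0xB0:
        return f"mov al, 0x{code[off + 1]:02x}", size, [nxt]
    return name, size, [nxt]

def linear_sweep(code):
    """Decode every byte in order, ignoring control flow; returns {offset: text}."""
    out, off = {}, 0
    while off < len(code):
        text, size, _ = decode(code, off)
        out[off] = text
        off += size
    return out

def recursive_descent(code, entry=0):
    """Decode only offsets reachable from entry by following successors; returns {offset: text}."""
    out, work = {}, [entry]
    while work:
        off = work.pop()
        if off in out or not 0 <= off < len(code):
            continue
        text, size, succ = decode(code, off)
        out[off] = text
        work.extend(succ)
    return out

# Constructed sample: jmp over one data byte (0xB0), then jz, ret, nop, ret.
SAMPLE = bytes([0xEB, 0x01, 0xB0, 0x74, 0x01, 0xC3, 0x90, 0xC3])
```

Linear sweep reports "mov al, 0x74" at offset 2 and a stray "db 0x01" at offset 4, hiding the real jz at offset 3; recursive descent lists offsets 0, 3, 5, 6 and 7 and leaves offset 2 unclassified as data.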