Practical Malware Analysis (Introductory)

Hi folks, just started the series on PMA (Practical Malware Analysis). Being an analyst i would recommend to gain expertise on "Malware Analysis". This blog help us to quick recap the concepts of malware as well as from analysis perspective. We'll start from basic and proceed towards advance level.

Introduction:

Malware refers to "Malicious Binary" which is instructive by the threat actors (called as "Hackers") to achieve their motives. Motives can be vary like it could be data stealing, damage/destroy organization systems.

  • Viruses
  • Worms
  • Trojan
  • Spyware
  • Adware
  • Ransomware

Aforementioned names are the malware types which is collectively called "Malware". Let's jump into the main topic of this blog without going into the details.

Malware Analysis:

Malware analysis is the process of understanding the working flow/behavior/malicious activity of malware. The results of the malware analysis help the analysts to detect and prevent the threats. Analysts can also use this originated information to attribute the malware to specific threat actor. The main goal of malware analysis is to collect the artifacts that can be used to build the detection use cases.

Malware Techniques:

Following techniques discussed in the PMA (Practical Malware Analysis)

  • Basic static analysis

Basic static analysis is a quick analysis. In this analyst's main focus is on collecting the raw artifacts and determining whether the binary is malicious or not with the help of some basic tools. Analysts can use these artifacts to perform OSINTing. Artifacts can be execution paths, hashes, strings, resources, PE headers, libraries, imported functions and command-line etc.

  • Basic dynamic analysis

Basic dynamic analysis is the type of quick analysis to understand the behavior of malware by executing it. (also called run time analysis). Analysts mostly used this approach after the dead-end of the basic static analysis. Unlike static analysis dynamic analysis provide the analysts clear picture of the malware. Dynamic analysis is mostly performed in the sandbox environment which we will learn in upcoming blogs. 

  • Advance static analysis:

Advance static analysis is a complex approach for most of the analysts. It includes the reverse engineering of the malware to understand the actual instructions that are given to the malware.

  • Advance dynamic analysis:

In advance, dynamic analysis analysts mostly use the debugger to collect the detailed artifacts and malicious intents of the malware. In later blogs, we'll discuss in detail.

Conclusion:

Without covering the detailed concepts of the malware analysis concluded this article. I hope that readers recap their basic concepts of malware analysis and prepare themselves for upcoming series which would be more insightful.


Comments

Post a Comment

Popular posts from this blog

Analyzing Spear Phishing Email

Image
Phishing is the technique of fraudulent attempt by the attacker to obtain sensitive and confidential information i.e. Credentials, PII information, credit card, bank details. It can also be targeted attack to focus on the specific organization of individual. The attacker often tailors an email to speak directory to targeted user. There are many types of phishing as follow. I wouldn't explain the types. You can read Here . In this article you'll learn how to analyze the sophisticated phishing email. So, Let's start the case study to explain.  Spearphising :  Spearphising is the technique in which attacker aims at one person and lures him/her into providing confidential data. Attacker compile the email according to the specific user. The email would consist some of the target's email, username, designation.  Case Study: User receive the spearphising email containing the PDF attachment with double extension. Email body contains the unprofessional statement "Kindly m
Read more

Cyber Threat Intel

Image
What is Cyber Threat Intel? Threat intel is the information about the threats. Cyber threat intel is used to better understand, predict and adopt to the behavior of malicious actors. It plays an important role in preventing the zero-day attacks. " Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes " (NIST). Threat Intel life Cycle: Intelligence lifecycle is the process of developing raw information into finished intelligence for policymaker to use in decision making and action. CTI Life Cycle Planning and Direction Planning and direction helps in setting up the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering of data to produce the finished intelligence. Data includes logs(Firewall, IPS/IDS, Endpoints), threat feeds and OSINT(reports, social media, public forums). Collection Types of Collectio
Read more

Authentication Services

Image
  Authentication Services: In this section we will discuss the authentication services. The main goal of these services are to ensure that unencrypted credentials are not sent across the network. In other words they ensure that credentials are not sent in clear text. Kerberos: It is a network authentication mechanism mostly used in both windows active directory domain and some Unix environments. Kerberos provides mutual authentication that can help prevent MITM attacks and uses tickets to help prevent replay attacks. Working of Kerberos: The KDC(key distribution center) uses a complex process of issuing TGTs(Ticket granting tickets) and other tickets. The KDC packages user credentials within the ticket. Tickets provide authentication for users when they access resources such as files on the file server. These tickets are sometimes referred to as tokens. NTLM: New Technology LAN Manager is a suite of protocols that provide authentication, integrity, and confidentiality within windows sy
Read more