University of Bahrain
An Introduction to Malware Analysis
Name: Fatima Abubakar Siddiq Malik Ameer
ENGL 219
ID: 20142216
Submitted on: 12/12/2017
Submitted to: Dr. Yulia Vorobeva

Table of Contents
Introduction
1 What is malware
1.1 Malware
1.2 Types of malware
1.3 Malware analysis
2 Malware analysis techniques
2.1 Basic static analysis
2.2 Basic dynamic analysis
2.3 Advanced static analysis
2.4 Advanced dynamic analysis
Conclusion
References

Introduction
Nowadays, the Internet has become a significant part of daily life for many people. Many services are available on the Internet, more are added every day, and people benefit from them. Examples of commercial services provided over the Internet are online banking and advertising. Just like the real world, the Internet has people with evil intentions. They take advantage of legitimate users to make money by using software written with malicious intent (malware), which helps them accomplish their goals. Recent studies suggest that the effect of malware is getting worse. Thus the purpose of this report is to study malware analysis. This is done by learning about the techniques used in malware analysis and explaining their benefits and limitations. A descriptive method was used to write this report. The structure of this report is as follows: the first chapter presents a general description of malware, malware analysis and the types of malware. The second chapter describes the different techniques used in malware analysis. There are four types of malware analysis: basic static analysis, basic dynamic analysis, advanced static analysis and advanced dynamic analysis.
The main reason for selecting this topic is to make users aware of the kinds of malware analysis one can do to identify the type and function of a particular malware sample in order to protect their devices, since this is a critical matter.

1 What is malware

1.1 Malware
Malware is an abbreviated term for "malicious software". This kind of software is specially designed to damage a computer system or network without the knowledge of the user. Malware is defined by its malicious intent, so it does not include software that causes accidental harm because of defects. Malware includes computer viruses, worms, Trojan horses, rootkits, spyware and other programs that can take the form of executable code. These malicious programs can perform a variety of functions on the user's device, including stealing personal information, deleting sensitive data, modifying core computing functions and monitoring the user's daily computer activity without their permission. Malware was first created as pranks and experiments, but later on it led to destruction and vandalism. Today, most malware is created to gain profit through forced advertising (adware), stealing sensitive information (spyware) or extorting money (ransomware) [2].

1.2 Types of malware
Based on the behaviour of a particular malicious program we can determine its type as one of the following:

Backdoor: a malicious program that installs itself onto a computer to grant the attacker remote access. In most cases backdoors let the attacker establish a connection to the computer with little or no authentication and execute commands on the local system [1].

Botnet: similar to a backdoor, a botnet allows the attacker to gain access to the system, but all computers infected with the same botnet receive the same commands from a single command-and-control server [1].

Downloader: malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system.
The downloader program will download and install additional malicious code [1].

Information-stealing malware: also known as spyware, this is malware that collects information from a victim's computer and usually sends it to the attacker. Examples include sniffers, password hash grabbers, and keyloggers. This malware is typically used to gain access to online accounts such as email or online banking [1].

Launcher: a malicious program used to launch other malicious programs. Usually, launchers use non-traditional techniques to launch other malicious programs in order to ensure stealth or greater access to a system [1].

Rootkit: malicious code designed to conceal the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, to allow remote access for the attacker and make the code difficult for the victim to detect [1].

Scareware: malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an antivirus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their "software", when in reality the software it sells does nothing more than remove the scareware [1].

Spam-sending malware: malware that infects a user's machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services [1].

Worm or virus: malicious code that can copy itself and infect additional computers [1].

1.3 Malware analysis
Malware analysis is the process of determining the function and characteristics of a particular malware sample such as a virus, worm, or Trojan horse.
As Sikorski states, "Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it" [1, p. 29]. This process is a mandatory step that allows analysts to develop effective detection techniques for malicious code. The tools used for malware analysis can primarily be divided into two main types: static and dynamic. Static analysis tools try to analyse a malicious program without actually executing it. Dynamic analysis tools investigate the behaviour of a malicious program after its execution. Static and dynamic analysis are discussed in detail in the next sections [2].

2 Malware analysis techniques

2.1 Basic static analysis
The investigation of malware starts with static analysis, which is typically the first stage in examining malware. Basic static analysis is carried out by examining the executable file without inspecting the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes give details that let the analyst construct simple network signatures. Basic static analysis is straightforward and can be fast, but it is generally ineffective against sophisticated malware, and it can miss important behaviours. There are numerous methods to derive valuable information from executables. Some of the recognised methods for basic static analysis are the following: using antivirus tools to confirm maliciousness, using hashes to identify malware, and gathering information from a file's strings, functions, and headers. Each of those techniques can give different types of information, and the technique chosen depends on the goals of the analyst. Typically, several techniques are used together to collect a considerable amount of information [1]. According to Bhojani, finding source code samples of malware is a difficult task.
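As an added illustration of the basic static methods just listed (this script is not part of the report or of Sikorski's book), the following Python triage routine hashes a sample, pulls its printable ASCII and UTF-16LE strings, and reads the basic PE header fields. The SAMPLE bytes are constructed inline to stand in for a file read from disk; the strings inside it are made up for the example.

```python
"""Basic static triage of a constructed sample: hashes, strings, PE header."""
import hashlib
import re
import struct

# Constructed stand-in for a binary sample (not real malware): a minimal
# DOS/PE header followed by a few embedded strings, as an analyst's
# strings tool would encounter them.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    + b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, TimeDateStamp, 0, 0, opt hdr size, flags
    + struct.pack("<HHIIIHH", 0x14C, 2, 0x5A2F0000, 0, 0, 0xE0, 0x0102)
    + b"\x00" * 8
    + b"InternetOpenUrlA\0http://update.example.invalid/p.bin\0\0"
    + "cmd.exe".encode("utf-16-le") + b"\0\0"           # a wide (UTF-16LE) string
    + b"ab\0"                                          # too short to report
)


def file_hashes(data: bytes) -> dict:
    """Hashes used to identify a sample and look it up in AV/threat databases."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII and UTF-16LE printable runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])


def pe_header_info(data: bytes):
    """Return (machine, section_count, timestamp) or None if not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return machine, nsections, timestamp


if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print(extract_strings(SAMPLE))
    print(pe_header_info(SAMPLE))
```

The same three functions can be pointed at a real file by replacing SAMPLE with the file's bytes; the hash output is what an analyst submits to an antivirus or threat-intelligence lookup, and the strings and header fields give the first hints about functionality.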
The lack of available samples reduces the chances of applying basic static analysis for approaches that retrieve information from the code representation of the malware. In such cases the results of the analysis might be ambiguous if the program uses self-modifying code techniques [2].

2.2 Basic dynamic analysis
Any examination carried out after executing the malware is called dynamic analysis. Dynamic analysis techniques are the second stage in the malware analysis process. Basic dynamic analysis is performed when basic static analysis has reached a dead end because of obfuscation, packing, or the analyst having exhausted the available static analysis techniques. It can involve observing the behaviour of malware as it runs or examining the system after the malware has executed in order to remove the infection, produce effective signatures, or both. Unlike static analysis, dynamic analysis permits observation of the malware's real functionality. However, in order to run malware safely, the analyst must first set up an environment that allows the running malware to be examined without risk of damage to the system or the network. Although dynamic analysis techniques are extremely powerful, they should be performed only after basic static analysis has been completed, because dynamic analysis can put the network and the system at risk. Dynamic techniques do have their limitations, because not all code paths may execute when a piece of malware is run. For example, in the case of command-line malware that requires arguments, each argument could trigger different program functionality, and without knowing the options the analyst would not be able to dynamically examine all of the program's functionality. The best option is then to use advanced dynamic or static techniques to figure out how to force the malware to execute all of its functionality. This chapter describes the basic dynamic analysis techniques.
Like basic static analysis techniques, basic dynamic analysis techniques can be used by most people without deep programming knowledge, but they are not effective against all malware and can miss important functionality.

2.3 Advanced static analysis
Advanced static analysis consists of reverse engineering the malware's internals by loading the executable into a disassembler and reading the program's instructions in order to identify the program's main function. The instructions are what the CPU executes, so advanced static analysis can determine exactly what the program does. However, advanced static analysis has a much steeper learning curve than basic static analysis and demands specialised knowledge of code constructs, disassembly, and Windows operating system concepts [1].

2.4 Advanced dynamic analysis
Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable. Advanced dynamic analysis techniques provide another way to extract detailed information from an executable. These techniques are most useful when trying to extract information that is difficult to gather with the other techniques [1].

Conclusion
Malware is malicious software in the form of a program or a file that will cause harm to a computer user. Malware includes computer viruses, worms, Trojan horses and others. Determining the purpose of malicious code is done through malware analysis. There are four techniques for malware analysis. Basic static analysis is the procedure of analysing the code or structure of a program to determine its function; the program itself is not run at this time. Static analysis can be used to draw some initial conclusions, but more in-depth analysis is required to get more information. On the other hand, in basic dynamic analysis the analyst actually runs the program. Basic dynamic analysis also has shortcomings.
Basic static and dynamic malware analysis techniques are good for getting initial results, but they do not provide enough information to analyse malware completely. Since both basic static analysis and basic dynamic analysis have their limitations, there are advanced analysis techniques. But to use advanced analysis techniques the analyst is required to have more knowledge of code constructs and disassembly.

References
[2] Malware Analysis (PDF Download Available). Available from: https://www.researchgate.net/publication/267777154_Malware_Analysis, accessed Nov 15 2017.

Appendix
