Prologue
Malware, short for “malicious software”, refers to any program or file intentionally designed to harm or exploit a computer, network or device. In today’s interconnected world, malware poses a significant threat to individuals, organizations, and even governments, often leading to data breaches, financial losses, and privacy violations.
The evolution of malware has been driven by advancements in technology, making it more sophisticated and difficult to detect. Cybercriminals continue to innovate in their tactics, constantly finding new ways to bypass security measures. Understanding malware, its types and how it operates is crucial for improving cybersecurity defenses and mitigating the risk associated with these malicious threats.
Definition of malware
As defined in the introduction, malware is malicious software: software that contains code which performs malicious actions. It can come in the form of an executable (.exe or .dll), a script or any other kind of software.
The main objective of attackers who use malware is to steal sensitive information, spy on the infected system or even take full control of it. Malware typically gets onto a system without the user’s knowledge or awareness and can be delivered through various channels, for instance email, websites or USB drives.
Malicious Actions
There are numerous malicious actions that can be performed by malware. The common operations performed by malware are:
- Disrupting computer operations
- Stealing sensitive information
- Unauthorized access
- Sending spam emails
- Engaging in DDoS attacks
- Locking up the files and holding them for ransom (ransomware)
Categories of Malware
Here are the common categories of malware:
- Backdoor: Allows the attacker to connect to the computer with little or no authentication and execute commands on the local system
- Botnet: Similar to a backdoor, but all infected systems receive the same instructions from a single command-and-control server
- Downloader: Exists only to download other malicious code; think of it as a first-stage payload whose job is to gain initial access to a system
- Information-stealing malware: Collects information from a victim’s computer and usually sends it to the attacker. This category includes sniffers, password hash grabbers and keyloggers
- Launcher: Used to launch other malware, using non-traditional techniques to ensure stealth or greater access to a system
- Rootkit: Usually paired with other malware, such as a backdoor that gives the attacker remote access, and makes that code hard for the victim to detect
- Scareware: Designed to frighten an infected user into buying something; comes with a user interface that makes it look like antivirus or other security software
- Spam-sending malware: Uses the infected system to send spam email, which lets the attacker generate income by selling spam-sending services
- Worm: Malware that copies itself and spreads to other computers
- Virus: Usually hidden inside another program; it produces copies of itself and inserts them into other programs or files
- Trojan: Malware that disguises itself as a regular program to trick users into installing it on their system
Malware often combines multiple functions, making strict classification difficult. For example, a single threat might log keystrokes, spread like a worm and install ransomware upon successful exploitation.
Instead of only focusing on how malware behaves, it is also helpful to consider the attacker’s goal. Mass malware, like scareware, targets as many users as possible and is usually easier to detect. In contrast, targeted malware is customized for specific victims, often more sophisticated, and harder to defend against using standard tools. In a nutshell, malware is complex and multi-functional, and understanding its intent and structure is key to effective analysis and defense.
Objective and Reason of Malware Analysis
Objectives:
- To extract information from a malware sample that helps in responding to a malware incident or network intrusion
- To determine the capability of the malware, detect it and contain it
- To help identify patterns that can be used to cure and prevent future infections
Reasons:
- Understand the intrusion and its impact: to determine exactly what happened during a network intrusion and identify all infected machines and files
- Analyze suspected binaries: to find out what a specific binary is capable of, how to detect it on the network, and what damage it may cause
- Develop detection signatures: to create host-based and network-based signatures that help in identifying and responding to infections effectively
- Create host-based indicators: to detect malware on victim systems by identifying changes made by the malware, such as new files or registry modifications
- Improve network traffic monitoring: to enhance network-based detection through effective signatures that reduce false positives and increase detection accuracy
- Provide detailed technical explanations: to explain how the malware works, especially for reporting to management or during incident response investigations
Types of Malware Analysis
There are two fundamental approaches to malware analysis: static and dynamic. Static analysis involves examining the malware without running it, while dynamic analysis involves running it. Each approach can be further divided into basic and advanced techniques, which differ vastly from one another.
- Basic Static Analysis
  - Examining the executable without viewing its actual instructions
  - Extracting information about its functionality
  - Straightforward and quick, but largely ineffective against sophisticated malware
- Basic Dynamic Analysis
  - Involves running the malware
  - Observing its behavior on the system
  - Able to produce effective signatures
- Advanced Static Analysis
  - Consists of reverse engineering the malware’s internals by loading it into a disassembler
  - Looking at its instructions to discover its behavior
  - Reveals exactly what the program does
  - Requires knowledge of disassembly, code constructs and operating system concepts
- Advanced Dynamic Analysis
  - Uses a debugger to examine the internal state of running malicious code
  - Provides another way to extract detailed information from an executable
- Memory analysis / memory forensics
  - Analyzing the RAM, which can reveal the stealth and evasive/obscuring capabilities of malware
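The basic static analysis step described above, as an added example that is not part of the original text: it hashes a file, checks that it really is a PE executable, pulls out printable strings and groups them into the indicators an analyst looks at first. The sample bytes are constructed inline (a minimal MZ/PE header plus a few embedded strings, not a real program), and the API watchlist is a small illustrative assumption, not an exhaustive list.

```python
import hashlib
import re
import struct

# Constructed stand-in for a suspicious file: a minimal MZ/PE header
# followed by a few embedded strings. Not a real executable.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew: PE header at 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 20      # PE signature, Machine = 0x8664 (x64)
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/beacon\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Small illustrative watchlist of APIs commonly seen in process injection (assumption).
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def file_hashes(data: bytes) -> dict:
    """Hashes come first: they let you look the sample up in other sources."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def pe_info(data: bytes):
    """Confirm the file is really a PE and read its target architecture."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"machine": MACHINES.get(machine, hex(machine))}

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, as the 'strings' utility would report them."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Group extracted strings into the indicators an analyst checks first."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "pe": pe_info(data),
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "registry": [s for s in strings if "CurrentVersion\\Run" in s],
        "suspicious_apis": sorted(set(strings) & SUSPICIOUS_APIS),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The URL and Run-key strings become candidate network and host-based indicators, which is exactly the output the "reasons" list above asks basic analysis to provide.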