CTEC5807 Malware Analysis: Investigation, Procedures, and Spreading

Added on  2023/04/22

Abstract
Malware has become a major problem affecting most people around the world, and studies on the internet show that its consequences are getting worse with time. There are two types of malware analysis: static and dynamic. Static analysis has some limitations, so we prefer dynamic malware analysis over static malware analysis. Dynamic analysis relies on a number of tools and techniques, which are discussed below. Malware analysis is the process of determining the expected behaviour of a malware sample that is given for a test. This step is necessary for anyone analyzing suspected malicious code, and it is also an important step to consider when developing tools to flush the malware out of a computer system. In the recent past malware analysis has been a fairly difficult and time-consuming task, and the number of systems to be analyzed and tested keeps increasing. Dynamic analysis identifies the malware's behaviour during execution. Once installed, the malware tries to contact its command and control server so that it can get instructions on what else to do. Most system firewalls do not allow an external IP address to initiate a connection to an internal host, so the command and control server waits for the infected host to connect out to it; it can then update the program, instruct it on what to do, and tell it when to check back again for further updates and instructions.
Introduction
In modern society the internet has become a basic necessity for most people around the world. Many services can be delivered via the internet and the number of services is increasing every day. Various companies use the internet to advertise and sell their products, since many people nowadays check the quality of a product on the internet before they purchase it. A large percentage of people prefer buying goods and services online, since the companies also provide delivery services at a fair price. As the services increase day by day, more people make use of what is available on the internet. The internet has changed from a basic mode of communication to a major source of information for many people around the globe. It is also a market for goods and services used by many people. One commercial activity over the internet is online banking; another is advertising goods and services. E-commerce has also really dominated the internet, since many people like to check the details of products before buying. Online services have really assisted many people and reduce risks such as robbery, as well as time wasted by the consumer, since the mode of delivery is quick and reliable. In the same way that people try to enrich themselves in the real world, there are people on the internet who try to enrich themselves whenever money is exchanged over the internet by legitimate users. Malicious people have evil intentions towards users, since not all users have the knowledge to tell a real website from a fake one. These people are helped by malware to carry out their activities via the internet. Some of the malware being used are keyloggers, viruses and Metasploit.
What is malware?
Malware is malicious software developed to affect the normal functionality of a computer system without the knowledge and permission of the owner. Some malware is developed from scratch while other malware reuses what has already been developed. Some malware families are well known; the most common are viruses, worms and spyware. In other words, malware can be defined as software whose purpose is to fulfil the attacker's intentions by collecting sensitive information about users and manipulating them to fit the attacker's specifications for malicious activity.
Here is an example involving the distribution of malware and the consequences that come with it. A bot is a program that is remotely controlled and has already infected several computers. The bot allows an external party known as the botmaster to take control of the systems remotely. All the systems under the control of this malware are known as a botnet. The botmaster in this situation sells access to advertisers so that they can spy on the victims and send them mails regularly. The emails sent can contain links to various websites and can target the usernames and passwords of personal accounts such as e-commerce or online banking. The sites can install spyware on the visitor's computer without any notification. The spyware in turn collects personal information about the visitor. This personal information includes credit and debit card numbers and PINs, mail PINs and any other sensitive information that can be used against the user. All this information is now in the hands of the attacker, who can misuse it. The attacker can now change passwords and perform malicious activities without the owner noticing at that particular moment. With the increase in hosts and in the number of visitors to the internet, attackers can hit several people in a short period of time by creating a copy of a common website used by many people and then collecting the information entered.
What is malware analysis?
Malware analysis is the process of determining the expected behaviour of a given malware sample that is submitted for a test. This step is always necessary and crucial when analyzing suspected malicious code. It is also an important step to consider while developing tools to flush the malware out of an affected computer system. In the recent past malware analysis has been a fairly difficult task that consumes a lot of time. Assembling the appropriate tools is tedious and requires a lot of patience and skill to ensure accuracy. Currently the number of systems to be analyzed and tested is always increasing due to advances in technology. Therefore the most appropriate method is dynamic analysis, since it identifies the malware's behaviour during execution.
Types of malware analysis
a) Static malware analysis
Static analysis is the process of analyzing malware without executing it on the system. It can be applied to different parts of the program. Whenever the source code is available, static analysis can help in recovering corrupted memory and in identifying the model number of the system being used. It can also be applied to the binary representation of a program. The normal process of compiling source code into a binary for execution can lose information, and analyzing this lost information is tedious if done manually. In this scenario the source code can be used to analyze the information that was lost when translating it into the binary executable. Only the relevant and necessary information is collected and then used to perform the task.
Techniques used in static analysis
a) File formatting – File format identification is mainly used on Unix systems to determine the type of a file and to break down the information in the file itself by parsing it into the required format.
b) Packer detector – The most secure and best method of sending messages is to encrypt them before sending them to the intended users. This process of encryption or compression is achieved through the use of a packer.
c) Fingerprinting of a file – This technique explores the data in the file by cryptographically hashing the binary to identify it among others. It also examines and verifies that the file has not been altered.
d) Extracting string values – Nearly all software prints out strings, for instance error messages, which are readable text. Extracting them lets the analyst identify what the binary does from the string values.
e) Disassembly – This is the main technique used in static analysis. It is achieved by disassembling the sample and then studying the result. The assembly code can also be reversed to machine code by this method. The process is normally carried out using appropriate tools and techniques. This makes static analysis safer than dynamic analysis, since the code is never executed.
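The fingerprinting and packer-detection techniques in (b) and (c) above can be demonstrated with a few lines of Python. The following is an added example written for this page, not code from the original report or from any of the tools it describes. It hashes a constructed byte buffer (standing in for a sample file; no real malware is involved) and applies the common analyst heuristic that packed or encrypted sections have near-random byte distributions, so a sliding-window Shannon entropy above a threshold hints that a packer was used. The window size and the 7.0 bits-per-byte threshold are assumptions chosen for the example, not a standard.

```python
import hashlib
import math
from collections import Counter


def _constructed_sample() -> bytes:
    """Constructed stand-in for a file under analysis (not a real sample).
    The first part is low-entropy text, the second part mimics a packed section
    using a deterministic pseudo-random generator (purely illustrative)."""
    plain = b"MZ" + b"This program cannot be run in DOS mode." * 20
    state = 12345
    packed = bytearray()
    for _ in range(4096):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF  # simple LCG
        packed.append((state >> 16) & 0xFF)
    return plain + bytes(packed)


def fingerprint(data: bytes) -> dict:
    """Cryptographic hashes identify a sample uniquely so it can be compared with
    other files and checked for tampering (the fingerprinting technique)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (all bytes equal) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packed_regions(data: bytes, window: int = 1024, threshold: float = 7.0) -> list:
    """Slide a window over the file and report (start, end, entropy) for regions
    whose entropy reaches the threshold. Compressed or encrypted code is close to
    random, so such regions are a heuristic hint that a packer was used."""
    regions = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            regions.append((offset, offset + len(chunk), round(h, 2)))
    return regions


def is_probably_packed(data: bytes) -> bool:
    """Whole-file or regional high entropy suggests packing (assumed threshold)."""
    return shannon_entropy(data) >= 7.0 or len(packed_regions(data)) > 0


if __name__ == "__main__":
    sample = _constructed_sample()
    print(fingerprint(sample))
    print("overall entropy:", round(shannon_entropy(sample), 2))
    print("high-entropy regions:", packed_regions(sample))
    print("probably packed:", is_probably_packed(sample))
```

Entropy alone cannot tell a packer from legitimately compressed resources (images, archives) embedded in a program, so a high score is a reason to look closer, not a verdict.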
Limitation of static malware analysis
Malicious code has become the main challenge and a serious problem for computer users, and the problem is becoming harder to prevent as time goes by. In the recent past, malware such as viruses and spyware was caught by scanners, but nowadays, due to technological advances, simple code can be used to bypass such scanners, which has caused a lot of problems. To address this, more powerful static analysis tools and techniques have been developed. However, these methods have not been fully effective: scanning for and detecting such malware has had some success, but static analysis tools and techniques alone cannot yield a 100% solution to malicious software.
Binary obfuscation schemes based on opaque predicates are used against static analysis: the opaque constructs confuse the analyzer's tracking of the malicious code, so static analyzers can be evaded by this method. This shows that it is hard for a static analyzer to provide precise results, since its code analysis is somewhat primitive. Moreover, static analysis uses only one approach to the problem, so malware authors can simply change tactics. This proves that static malware analysis tools and techniques are not enough to solve the problem effectively.
The main challenge with static analysis is that the source code is not always readable. This makes static analysis unreliable and limits its use. Also, with custom-made code, disassembling the binary can go wrong in such programs. This leads to difficulties, since a lot of work is needed to analyze and accurately illuminate the malicious code before it finally affects the targeted parts of the software. All tools and techniques should be considered for proper and reliable problem solving with static analysis.
Dynamic Malware analysis
Dynamic analysis is the process of analyzing malware by executing it in a controlled and monitored environment so that the whole process can be observed. The analysis is carried out at run-time, which avoids the challenges of static malware analysis, so it is easy to see the actual behaviour of the program. Dynamic analysis can also be automated in a way that assists large-scale analysis of malware. It runs the malware sample to observe its functionality and the techniques involved, which is useful for detection. The problem with dynamic analysis is incomplete code: the process can only examine a running program, so the sample must be complete and run without crashing for it to be examined dynamically. With third-party systems there must be a dedicated environment for the dynamic analysis to take place, otherwise it can cause a lot of problems for the whole system. Also, malware samples can stop a program at any point in time.
Approach of dynamic malware analysis
There are two main approaches, namely:
a) Difference between given points. Whenever a malware analysis is carried out over a certain period of time, the state of the system after the analysis should be compared with its initial state. Through the comparison of the state before and the state after, the behaviour of the program can be obtained. This gives precise results and greatly assists the analyst in studying the sample and applying the most suitable method.
b) Run-time appearance. In this scenario the malicious activities found in the program are noted during the analysis. The sample is tested by executing the code to show where the malicious code is actually located. This method is most appropriate, since it can actually spot and identify spyware and viruses.
In the first approach the malware is executed on a Windows operating system rather than in a virtual environment. After the program has executed, the machine is restarted into a bootable Linux image. The Linux system then reads the Windows installation to extract the sample data to be examined. Finally the Windows system is reset to its initial state and everything is up and running again. One should observe the running behaviour of the program in order to carry out dynamic analysis using the appropriate techniques and tools.
A run-time environment can be divided into different partitions in order to have separate environments for carrying out dynamic analysis. This approach is the most promising and precise, since it uses a controlled and isolated run-time environment where the malware can be clearly observed, so the analyst can remove or delete it before it spreads to the entire system.
Malware analysis tools
In this report we present the tools and approaches that are used to analyze suspected malicious software on a system. The tools and techniques generate an analysis report which distils the information into a useful form, so that the malicious software can be removed using the appropriate method. The generated reports give an inner understanding of what is going on and of how the malicious software can be identified and eliminated on affected systems.
a) Anubis. This performs analysis of unknown binaries in the sample data. It executes the sample under the Windows XP operating system. The analysis involves monitoring Windows XP API functions; the parameters passed to these functions are examined to learn what they are doing in the program under analysis.
b) CWSandbox. The sample is executed either in a virtual environment or under the Windows XP operating system. Hook functions support the analysis implementation and API-level monitoring, and there is also system-call monitoring below the API level. The system is designed so that it can capture the operating system behaviour with regard to the file system, network communication and registry.
c) Norman Sandbox. This performs dynamic analysis either in a virtual environment or under the Windows XP operating system. The program simulates a host computer as well as the local area network surrounding it. Everything required should be available to convince the sample that it is running on a real system rather than in a virtual environment. It focuses on malware that arrives by email and on viruses that spread over the internet, and it also tries to capture other techniques used via the internet.
d) JoeBox. Whenever a malware analysis is performed, JoeBox stores all the log information, including file system, communication, networking and all other system activities going on in the system. It is developed in such a way that it supports real hardware only and not a virtual environment when carrying out malware analysis. It has a single controller which coordinates all the activities of the analysis, and the analysis system collects all the data used in the malware analysis process.
e) Google Rapid Response. This is a framework developed by Google experts to support the analysis of malware. An agent is installed on the given system, which can then be studied and forensically analyzed to ensure that the targeted systems are safe.
f) REMnux. This is a Linux-based toolkit developed to support tasks such as reverse engineering malware samples. It consists of several tools that can perform general analysis by searching for and inspecting suspected items on the machine, then decoding and cleaning them. This toolkit is very powerful and comes with the operating system already installed.
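The behaviour reports these sandboxes produce come from an API-call trace of the kind CWSandbox and Anubis collect through hooks. The example below is added for this page and is not the code or report format of any of the tools above; it parses a constructed trace in a made-up `timestamp|pid|api|arguments|return` format, groups the calls into the file, registry, network and process categories the text mentions, and derives a few higher-level indicators (a Run-key persistence entry, an outbound connection, a dropped file that is later executed) by correlating handles and paths across calls. The sample paths, the IP address and the API subset are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed API trace (NOT real CWSandbox/Anubis output) in a simple
# "timestamp|pid|api|arguments|return" format so the summariser runs offline.
SAMPLE_TRACE = """\
0.001|1840|CreateFileW|C:\\Users\\victim\\AppData\\Roaming\\svc.exe,GENERIC_WRITE|0x1c4
0.004|1840|WriteFile|0x1c4,51200|1
0.010|1840|RegOpenKeyExW|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|0x2a8
0.011|1840|RegSetValueExW|0x2a8,Updater,C:\\Users\\victim\\AppData\\Roaming\\svc.exe|0
0.020|1840|WSAStartup|0x202|0
0.031|1840|connect|198.51.100.23:8080|0
0.045|1840|send|0x110,GET /gate.php|22
0.090|1840|CreateProcessW|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|1
0.095|1840|DeleteFileW|C:\\Users\\victim\\Downloads\\invoice.exe|1
"""

# API name -> behaviour category (a small subset chosen for this example).
API_CATEGORIES = {
    "CreateFileW": "file", "WriteFile": "file", "DeleteFileW": "file",
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "WSAStartup": "network", "connect": "network", "send": "network",
    "CreateProcessW": "process",
}

LINE_RE = re.compile(r"^(?P<ts>[\d.]+)\|(?P<pid>\d+)\|(?P<api>\w+)\|(?P<args>.*)\|(?P<ret>\S+)$")


def parse_trace(text: str) -> list:
    """Turn trace lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["pid"] = int(e["pid"])
        e["category"] = API_CATEGORIES.get(e["api"], "other")
        events.append(e)
    return events


def summarise(events: list) -> dict:
    """Group calls by category, the way a sandbox report lists file/registry/network activity."""
    report = defaultdict(list)
    for e in events:
        report[e["category"]].append(f'{e["api"]}({e["args"]}) -> {e["ret"]}')
    return dict(report)


def find_indicators(events: list) -> list:
    """Derive higher-level behaviours by correlating calls: registry handles are
    mapped back to key paths, and files opened for writing are remembered so a
    later CreateProcessW on the same path is reported as drop-and-execute."""
    indicators = []
    reg_handles = {}        # registry handle (return value) -> key path
    written_files = set()   # paths opened with GENERIC_WRITE
    for e in events:
        args = e["args"].split(",")
        if e["api"] == "RegOpenKeyExW":
            reg_handles[e["ret"]] = args[0]
        elif e["api"] == "RegSetValueExW":
            key = reg_handles.get(args[0], "?")
            if key.lower().endswith("\\currentversion\\run"):
                indicators.append(f"persistence: Run key value {args[1]} = {args[2]}")
        elif e["api"] == "CreateFileW" and "GENERIC_WRITE" in args[1:]:
            written_files.add(args[0])
        elif e["api"] == "CreateProcessW" and args[0] in written_files:
            indicators.append(f"drop-and-execute: {args[0]}")
        elif e["api"] == "connect":
            indicators.append(f"network: outbound connection to {args[0]}")
    return indicators


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for category, calls in summarise(evs).items():
        print(category, calls)
    print(find_indicators(evs))
```

The handle-to-path correlation is the part worth copying: raw hook logs record `RegSetValueExW(0x2a8, ...)`, and only by remembering what `0x2a8` was opened as can the report say that the sample wrote a Run-key value.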
Part 1: Basic malware analysis
1) Social Engineering
Social engineering is used to lure the user into launching the folder on their computer. The malware takes personal information from the user's system. It tells the user to install it as a piece of software: the software simply pops up on the system and asks to be installed, and if the user installs it, it takes control of the system, hangs up the computer's operations and then takes the targeted information from the system.
2) After Opening
The computer slows down in activity and performance. Pop-up messages also appear on the screen. Such messages may look familiar and friendly, so one is tempted to click the permission button carried by such messages, which mostly reads ‘open’ or ‘start’. Unusual messages and unusual error messages also pop up in the window. Apart from all this, everything seems to work as it did before.
3) Steps of extracting the malware
(i) It requests a password to extract it.
(ii) Key in “infected”.
(iii) It requests installation.
(iv) Installation completes.
4) Static Analysis
Static analysis is the process of analyzing software without executing it on the system. It can be applied to different parts of the program. Whenever the source code is available, static analysis can help in recovering corrupted memory and in identifying the model number of the system being used. It can also be applied to the binary representation of a program, since that is derived from the source code. The normal process of compiling source code into a binary for execution can lose information, and analyzing this lost information is tedious if done manually.
Finding strings
Strings can help you identify the intended functionality of the program. Microsoft provides a utility called “Strings” that searches a file for strings and lets us do this in less time and more efficiently.
Example 1
Below I have extracted some keywords from the malicious file. The strings give us good first-hand information, such as “FindNextFile” and “FindFirstFile”.
Example 2
Below is another extraction from a file that is suspected to be malicious. “CreateProcessA” will create a process or processes.
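For the string-extraction technique (section d of the static analysis techniques above) and for Examples 1 and 2, here is an added Python equivalent of the Strings utility; it is not the report's own code or Microsoft's. It finds runs of printable ASCII and of UTF-16LE (Windows wide) text in a constructed byte blob that embeds the API names from the examples, then triages the results against a small watchlist so the interesting strings stand out. The blob, the URL and path in it, and the hint table are constructed for the example and do not come from any real sample.

```python
import re

# Constructed blob standing in for a suspicious binary (not a real sample).
# It mixes a fake header, an ASCII import table, a UTF-16LE path, a run that is
# too short to report, and an ASCII URL.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00FindFirstFileA\x00FindNextFileA\x00CreateProcessA\x00"
    + b"\x00\x00"
    + "C:\\Windows\\Temp\\update.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x12\x34ab\x00"                      # "4ab": shorter than min_len, skipped
    + b"http://203.0.113.7/gate.php\x00"      # constructed documentation address
)

# Watchlist mapping API names to what their presence suggests (example subset).
API_HINTS = {
    "FindFirstFileA": "file enumeration",
    "FindNextFileA": "file enumeration",
    "CreateProcessA": "process creation",
    "WriteFile": "file write",
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every run of at least min_len printable
    characters, both plain ASCII and UTF-16LE (each char followed by a NUL byte),
    which is what the Strings utility reports for Windows binaries."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)  # by offset, so the listing follows the file layout


def triage(strings: list) -> list:
    """Pick out strings an analyst would look at first: known API names, URLs and
    Windows paths. Returns (text, reason) pairs."""
    hits = []
    for _offset, _encoding, text in strings:
        if text in API_HINTS:
            hits.append((text, API_HINTS[text]))
        elif re.match(r"https?://", text):
            hits.append((text, "URL (possible download or command and control address)"))
        elif re.match(r"[A-Za-z]:\\", text):
            hits.append((text, "Windows file path"))
    return hits


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for offset, encoding, text in strings:
        print(f"{offset:6d} {encoding:8s} {text}")
    print(triage(strings))
```

Scanning for UTF-16LE runs matters on Windows: a path or URL stored as a wide string is invisible to an ASCII-only extractor, which is exactly the kind of string an analyst would otherwise miss.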
5) Dynamic analysis
Software installed on a system normally comes with the files that are necessary for the program to run and function properly. When the user wants to uninstall the software they require a powerful tool that can uninstall all the files related to the software being removed. The surest way is to confirm what is on the system before installation and then check again after installation to confirm the changes. This can be achieved by testing on Windows machines using appropriate tools. There are some tools that can track such files and any registry changes:
a) Regshot Unicode
This is a tool that can take a snapshot of the machine's registry before and after a change. The newer versions also have the ability to monitor file changes on the system by using checksums. However, this can be turned off by setting the tool back to its default function.
Below is a screenshot of Regshot, taken to demonstrate how it functions.
Regshot can be used since it is a more advanced and proven way to cross-check system changes at two different points in time within a short period. The program is very friendly to use: after installation you just take the 1st shot before the change and the 2nd shot after, then compare the two.
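The before/after comparison that Regshot performs (and the "difference between given points" approach described earlier) can be reproduced for a directory tree in Python. This added example is not Regshot's code: it snapshots every file under a root as path to SHA-256, much like Regshot's checksum option, and reports additions, removals and modifications between the 1st and 2nd shot. The demo runs against a temporary directory with constructed files and simulated installer changes. `diff_snapshots` works for any key/value snapshot, so a registry export parsed into value-path to data pairs could be compared the same way.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root: str) -> dict:
    """Map each file under root (relative path, '/' separated) to its SHA-256, so
    that content changes show up even when names and sizes stay the same."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two key -> value snapshots (file tree, or a registry dump)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, content: bytes) -> None:
    """Helper for the constructed scenario: create a file (and its parents)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: 1st shot, simulated installer activity, 2nd shot."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Program Files/App/app.exe", b"original binary")
        _write(root, "Windows/hosts", b"127.0.0.1 localhost\n")
        first = snapshot_tree(root)

        # Simulated changes made by the "installer" under test.
        _write(root, "Program Files/App/app.exe", b"patched binary")        # modified
        _write(root, "Users/victim/AppData/Roaming/svc.exe", b"dropped")    # added
        os.remove(os.path.join(root, "Windows", "hosts"))                   # removed

        second = snapshot_tree(root)
        return diff_snapshots(first, second)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps is what makes the second shot trustworthy: a sample that rewrites a file and restores its modification time still changes the digest.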
b) SpyMe Tools
This utility is unique in a way that is very different from the others. It works by monitoring a folder in real time and detecting even minor changes, which makes it more efficient when troubleshooting. It is an old program, but it is still capable of doing a perfect job, more effectively than current programs.
Here is an image of SpyMe Tools:
6) Sandbox and VM Detection
Malware analysts normally use a sandbox or a virtual machine (VM) to analyze suspected malicious code in an isolated environment. The sandbox and VM approach prevents the malicious program from locating and attacking the targeted system. These environments protect internal programs from the attack, while the user can still use the installed programs properly.
Virtual machine software is programmed to emulate the real hardware of a system. However, a virtual environment differs from real hardware in details such as certain processes and the network adapters, among others. Malware authors may use such a “design flaw” to identify the virtual environment and build code that bypasses it. Such techniques are called “anti-sandbox” and “anti-VM”.
Methods have been devised for identifying and detecting sandboxes in general and specific virtual environments in particular, and malicious software uses such methods to identify and bypass the analysis environment. Such methods are:
a) Checking CPU instructions: Executing certain CPU instructions can reveal a virtual environment, because virtualization influences the results of those instructions, and malware can use this to identify the environment it is running in.
b) Registry keys
The registry keys shown in the screenshot below indicate the presence of a virtualization environment. The environment is isolated to facilitate efficient working.
c) Checking the processes that indicate a VM: Many processes may indicate a virtual environment, as can the Windows API and CMD. Such processes give the required results to be used in malware analysis of the virtual environment.
There are various sandbox processes, such as:
Sandbox Evasion Techniques
It has really become a challenge to evade tools based on static analysis. The use of sandbox techniques has led to an advanced and appropriate method of dealing with malware programs. This method is considered the best and most secure method against malicious evasion. The operation of a sandbox is very simple, since it can clearly show whether a program is malicious or safe to use: the sandbox analyzes the program by itself and then gives the verdict.
Sandbox Detection
In sandbox detection the program looks for the difference between the sandbox environment and the environment it targets. If a sandbox is detected, the program terminates immediately or shows only some malicious behaviour, so the process is quickly checked.
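A defender's counterpart to sandbox detection (covering the CPU, registry and process checks listed above as well as this section) is spotting, in the sandbox's own trace, that the sample probed for VM artifacts and then quit. The example below is added for this page and is not from the report or from any sandbox product. It takes constructed API traces as (timestamp, api, argument) tuples, not real sandbox output, and flags a sample as sandbox-aware when a lookup of a VM artifact (a hypervisor vendor's registry key or guest-tools process name) is followed by ExitProcess within a short window with almost no other activity in between. The marker list and the time and activity thresholds are assumptions for the example; the practical response is to re-run the sample on real hardware, as JoeBox does, or with the artifacts hidden.

```python
# Constructed API traces as (timestamp_seconds, api, argument) tuples.
# Trace 1: the sample looks up VM artifacts and exits almost at once, doing nothing else.
EVASIVE_TRACE = [
    (0.002, "RegOpenKeyExW", "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"),
    (0.003, "CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    (0.004, "Process32NextW", "vmtoolsd.exe"),
    (0.005, "ExitProcess", "0"),
]
# Trace 2: the same kind of probe, but the sample goes on to behave normally.
CONTINUING_TRACE = [
    (0.002, "RegOpenKeyExW", "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"),
    (0.500, "CreateFileW", "C:\\Users\\victim\\report.docx"),
    (1.200, "WriteFile", "0x1c4"),
    (5.000, "ExitProcess", "0"),
]

# Substrings that identify common hypervisor/guest-tools artifacts (assumed, example list).
VM_ARTIFACT_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "vmtoolsd", "xen")


def vm_probes(trace: list) -> list:
    """Events whose argument references a virtualization artifact."""
    return [e for e in trace if any(m in e[2].lower() for m in VM_ARTIFACT_MARKERS)]


def assess_sandbox_awareness(trace: list, exit_window: float = 0.1,
                             min_activity: int = 3) -> dict:
    """Heuristic: VM probes followed by ExitProcess within exit_window seconds,
    with fewer than min_activity unrelated calls, suggests the sample noticed
    the sandbox and bailed out. Thresholds are assumptions for this example."""
    probes = vm_probes(trace)
    if not probes:
        return {"sandbox_aware": False, "probes": [], "reason": "no VM artifact lookups"}
    last_probe_ts = probes[-1][0]
    exits = [e for e in trace if e[1] == "ExitProcess"]
    other = [e for e in trace if e not in probes and e[1] != "ExitProcess"]
    early_exit = bool(exits) and exits[0][0] - last_probe_ts <= exit_window
    probe_apis = [e[1] for e in probes]
    if early_exit and len(other) < min_activity:
        return {"sandbox_aware": True, "probes": probe_apis,
                "reason": "exited right after probing VM artifacts; "
                          "re-run on bare metal or with artifacts hidden"}
    return {"sandbox_aware": False, "probes": probe_apis,
            "reason": "VM artifacts probed but execution continued"}


if __name__ == "__main__":
    print(assess_sandbox_awareness(EVASIVE_TRACE))
    print(assess_sandbox_awareness(CONTINUING_TRACE))
```

A sample that probes and keeps running is still worth noting: the probe tells the analyst the author cared about analysis environments, so a second run with those artifacts removed may show behaviour the first run did not.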
Exploring Sandbox Gaps
In the surrounding environment, detection methods exploit weaknesses and attack directly. Some software cannot handle the sandbox, which has really become the major challenge in correctly analyzing malicious samples.
7) Sample behaviour on the network side
When we create a virtual environment, the malware detects that we are no longer on the real machine. The malware detects that it is in a virtual environment and thus fails to run, with the malicious part not displaying anything that can be suspected. This is the most secure and best method: the normal functioning of the system works, but in a secure, isolated environment.