Unit 2

Malware Analysis

Kiran Dodiya
Faculty at DBFS
History of Malware
Malware, short for "malicious software," has evolved significantly since the
beginning of computers, reflecting technological changes and the growing
complexity of cyber threats.

The term malware was first used by computer scientist and security researcher
Yisrael Radai in 1990.
1. The Early Days: 1970s - 1980s
1971: The Creeper Virus

The first known computer virus, "Creeper," was created by Bob Thomas as an experimental
program on the ARPANET, the precursor to the internet. It was designed to move from one
computer to another, displaying the message "I'm the creeper, catch me if you can!" It wasn't
malicious, but it demonstrated the concept of self-replicating code.

1982: Elk Cloner

Elk Cloner, created by a high school student named Rich Skrenta, was the first known virus
to spread "in the wild" via floppy disks on Apple II computers. It infected the disk’s boot
sector and displayed a poem after the 50th boot.
2. The Rise of Computer Viruses: 1980s - 1990s
1986: Brain Virus
Brain, the first IBM PC-compatible virus, was created by two brothers in Pakistan. It was intended as a copy protection tool for their
software, but it inadvertently spread, infecting floppy disks and altering the boot sector (MBR).

1988: The Morris Worm

The Morris Worm, created by Robert Tappan Morris, was one of the first worms to spread across the Internet, infecting UNIX
systems. It caused significant disruption, affecting about 10% of all computers connected to the Internet. The incident led to the
creation of the Computer Emergency Response Team (CERT).

1990: The Birth of Antivirus Software

As viruses like Vienna, Cascade, and the Lehigh virus spread, the first antivirus software emerged. Companies like McAfee and
Norton started offering protection against these early threats.
3. The Internet Era and the Proliferation of Malware: 1990s - 2000s
1995: The Concept Virus
Concept was the first macro virus, spreading through Microsoft Word documents. This marked the beginning of malware
that could infect documents and spread through email attachments, a method that would become common in the
years that followed.

1999: Melissa Virus


The Melissa virus spread via email, infecting Microsoft Word documents and sending itself to the first 50 contacts
in the user's address book. It caused widespread disruption and highlighted the dangers of email-based malware.
2000: ILOVEYOU Virus
The ILOVEYOU virus, also known as the Love Bug, was a worm that spread via
email with the subject line "I Love You." It infected millions of computers
worldwide, causing billions of dollars in damage by overwriting files and
stealing passwords.

2001: Code Red and Nimda


Code Red was a worm that targeted Microsoft IIS web servers, spreading rapidly
and causing widespread outages. Nimda followed shortly after, combining
features of viruses and worms to infect both web servers and user PCs, causing
significant disruption.
4. The Rise of Cybercrime: 2000s - 2010s
2003: The SQL Slammer Worm
SQL Slammer was a fast-spreading worm that targeted a vulnerability in
Microsoft SQL Server. Within minutes of its release, it caused widespread
internet outages, demonstrating the speed and impact of modern malware.

2004: MyDoom
MyDoom became the fastest-spreading email worm at the time, causing
significant disruption to internet traffic. It was designed to launch a Distributed
Denial of Service (DDoS) attack against websites.
2007: Storm Worm
The Storm Worm was a Trojan horse that infected millions of computers,
creating one of the largest botnets ever seen. It was used for spam and DDoS
attacks, demonstrating the rise of botnet-driven cybercrime.

2008: Conficker
Conficker was a highly sophisticated worm that infected millions of computers
worldwide, creating a massive botnet. It used advanced techniques to evade
detection and spread rapidly across networks.
5. Advanced Persistent Threats and State-Sponsored Malware: 2010s - Present
2010: Stuxnet
Stuxnet was a highly sophisticated worm believed to have been developed by state
actors to target Iran's nuclear program. It was the first known example of malware
designed to cause physical damage by targeting industrial control systems.

2013: Ransomware Emerges


Ransomware, a type of malware that encrypts a victim's files and demands payment for
the decryption key, began to gain prominence. Early examples like CryptoLocker paved
the way for more sophisticated ransomware attacks.
2017: WannaCry and NotPetya
WannaCry was a ransomware worm that spread rapidly across the globe, exploiting
a vulnerability in Windows systems. It affected hundreds of thousands of computers,
including critical infrastructure. NotPetya, another destructive malware disguised as
ransomware, followed shortly after, causing significant damage to companies
worldwide.

2020s: Advanced Malware and Supply Chain Attacks


The 2020s have seen the rise of more sophisticated malware, often associated with
state-sponsored cyber espionage. The SolarWinds attack in 2020, in which malware
was inserted into a widely used software update, demonstrated the growing threat of
supply chain attacks. Ransomware continued to evolve, with high-profile attacks
targeting critical infrastructure, hospitals, and government agencies.
MALWARE SAMPLE REPOSITORIES
1. MalwareBazaar
2. VirusShare
3. VirusTotal
4. TekDefense
5. GitHub - https://github.com/Virus-Samples/Malware-Sample-Sources
6. https://contagiodump.blogspot.com/
7. https://thezoo.morirt.com/ - Linux
8. MalShare: https://malshare.com
9. Das Malwerk: http://dasmalwerk.eu/
10. Virusign: http://www.virusign.com/
What is Malware Analysis?
• Malware analysis plays a key role in detecting and reducing potential threats in
a website, application, or server, thereby maintaining computer security.

• It is a crucial process that ensures computer security as well as the safety and
security of an organisation's sensitive information.

• Malware analysis addresses vulnerabilities before they get out of hand.

Key Benefits of Malware Analysis
Malware analysis is of immense use to Security Analysts and incident responders. Here are some key
benefits of the process:

• Identifying the source of the attack.

• Determining the damage from a security threat.

• Identifying malware’s exploitation level, vulnerability, and appropriate patching preparations.

• Triaging the incidents according to the level of severity of the threat in a practical manner.

• Uncovering hidden Indicators of Compromise (IOC) that must be blocked.

• Improving the efficacy of IOC, alerts, and notifications.

• Enriching context when trying to uncover threats.


TYPES OF MALWARE ANALYSIS

The slide diagram lists four types of malware analysis:
• Static Malware Analysis
• Dynamic Malware Analysis
• Hybrid Malware Analysis
• Manual Code Reversing
Static malware analysis
• Static malware analysis examines files for signs of malicious intent. Basic static
analysis does not require the malware code to be running.

• It is useful for revealing malicious infrastructure, packed files, or libraries.

• This kind of analysis identifies technical indicators such as file names, hashes,
strings such as IP addresses and domains, and file header data.

• Tools like disassemblers and network analysers can observe the malware
without running it.

• These tools can gather information on how the particular malware works.

• Since static analysis does not run the malware code, malicious runtime
behaviour in some sophisticated malware can go undetected.

• For example, a file may generate a string at runtime and download a malicious
file depending on that dynamically generated string.

• Such malware could go undetected if only basic static analysis is used.

• In these cases, dynamic analysis is more helpful for getting a complete
understanding of the file's behaviour.
Dynamic Malware Analysis
• In dynamic malware analysis, a suspected malicious code is run in a safe sandbox
environment. This isolated virtual machine is a closed system that allows security experts to
observe the malware closely without the risk of system or network infection. This technique
provides deeper visibility of the threat and its true nature.

• Automated sandboxing, as a secondary benefit, eliminates the time that would otherwise have
been spent reverse engineering a file to discover malicious code.

• Dynamic analysis can be challenging, especially against smart adversaries who know
sandboxes will be used eventually. So, as a form of deception, adversaries hide their code in
a way that it remains dormant until specific conditions are met. The code will run only then.
Hybrid Malware Analysis
• We already know that basic static analysis isn't reliable when the malware has more sophisticated code,
and sophisticated malware is sometimes able to avoid detection by sandbox technology.

• Combining both types of malware analysis technique offers the best of both approaches.
• Hybrid analysis can detect hidden malicious code and extract many more IOCs by statically analysing
previously unseen code.

• It is capable of detecting unknown threats, even from the most sophisticated malware.
• Hybrid analysis applies static analysis to the data generated by behavioural analysis. Consider a
piece of malicious code that runs and causes some changes in memory.

• Dynamic analysis will detect that, and analysts will immediately know to perform static
analysis on that memory dump.

• This results in more IOCs and exposed zero-day exploits.


Manual Code Reversing
• The last stage in the malware analysis process is reverse engineering the code. By doing
this you can understand the logic behind the malware and its algorithms, and discover
other capabilities that the malware may have.

• Reverse engineering is typically done manually. Analysts often use debugging and
disassembling tools. The goal is to decode the encrypted data and find its logic. This
process can be time-consuming and requires great skill, which is why some analysts
skip this stage. However, it is not wise to do so, as manually reversing the code helps
you understand the nature of the malware sample.
Understanding the analysis flow for malware analysis

The slide shows the flow as five stages, reconstructed here as a list:

1. Preparation: set up a safe analysis environment and the static and dynamic analysis tools.
2. Analysis: sandbox analysis (initial analysis, then detailed analysis) and code behaviour analysis through disassembly and decompilation.
3. Documenting findings: summary, technical details and impact assessment.
4. Mitigation and response: removal, prevention and incident response (IR).
5. Post-analysis: update threat intelligence; continuous improvement.
Examining Static Properties of Suspicious Programs
(A) File Type Identification
Identifying the file type is crucial for understanding its potential purpose. We can
determine the format by examining the file's header for magic numbers, specific byte
sequences that indicate the file type. Additionally, inspecting embedded metadata
provides further clues about the file's origin and intended use, helping to reveal any
hidden or disguised elements.
Static Analysis of Executable Files
• When analysing executable files, the Portable Executable (PE) header takes
centre stage. It is a crucial source of information about the file's structure and
components.

• Key areas include the Import Table and Export Table, where we look for
anomalies or suspicious entries.

• Using tools like strings, extracting readable strings from the binary helps
identify hardcoded URLs, file paths, or other indicators of malicious behaviour.
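An added example, not from these slides, that performs the static checks described in the two sections above on a constructed byte string: file type identification from magic numbers, reading the PE signature and COFF file header, and a strings pass filtered for hardcoded URLs, IP addresses and file paths. The MAGIC table and IOC regex are my own choices, and the URL, IP address and path planted in the sample are placeholders, not real indicators.

```python
import re
import struct
from typing import Dict, List, Optional

# Magic numbers (leading bytes) for a few formats an analyst meets in triage.
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (OOXML Office, JAR, APK)",
    b"\xd0\xcf\x11\xe0": "OLE2 compound file (legacy Office, macro carrier)",
}

def identify(data: bytes) -> str:
    """Name the format from the header bytes; the file extension is never consulted."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def pe_coff_header(data: bytes) -> Optional[Dict[str, object]]:
    """Read the PE signature and COFF file header (machine, section count, flags)."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                                          # DOS stub only, no PE
    machine, nsec, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsec,
            "is_dll": bool(flags & 0x2000), "characteristics": hex(flags)}

def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

IOC_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b|[A-Za-z]:\\\S+")

def indicators(data: bytes) -> List[str]:
    """Strings that look like URLs, IPv4 addresses or Windows file paths."""
    return [s for s in strings(data) if IOC_RE.search(s)]

# Constructed sample: a minimal PE header (e_lfanew -> 0x40, x86, 3 sections, EXE flags)
# followed by planted strings. The URL, IP and path are placeholders, not real IOCs.
SAMPLE = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
          + b"\0\0kernel32.dll\0http://c2.example/update.bin\0"
          + b"C:\\Users\\Public\\run.exe\0\0" + b"10.0.0.5\0")

if __name__ == "__main__":
    print(identify(SAMPLE), pe_coff_header(SAMPLE), indicators(SAMPLE))
```

Walking the Import and Export Tables needs the optional header's data directories and section mapping, which this block omits; a library such as pefile does that on real samples.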
