Ethical Hacking: The Complete Malware Analysis Process — Notes

Amani Benaoun
Jul 17, 2021 · 5 min read

Today’s article covers the seventh course, “Ethical Hacking: The Complete Malware Analysis Process”, in the LinkedIn Learning path called “Become an Ethical Hacker”. The course is divided into four sections:

  • Introduction to Malware
  • Malware Detection
  • Advanced Techniques
  • Reverse Engineering Malware

Introduction to Malware

Let’s begin with some definitions:

Malware: a virus designed to do two things: propagate itself and attack the host system.

Trojan: a program that looks legitimate but has malicious code in it.

Worm: a special form of virus which doesn’t require user intervention to replicate.

Spyware: collects information on targets. Used mainly to sell that information for marketing purposes.

Adware: a form of spyware; it pops up ads based on the information gathered on the victim.

Malware can take different forms: it can be an executable file, an injectable module (a DLL) or a rootkit (which implants itself in a privileged area of the system). Malware aims to avoid detection; that’s why anti-virus products must constantly update their signature databases to keep up with new malware.

Examples of well-known malware are the Christmas Tree worm (the first known worm, which spread to affect over 6000 targets), Melissa, I Love You and Code Red.

The success of the early malware encouraged the emergence of organized crime, especially in Eastern Europe, and the birth of what is known as ransomware. Ransomware encrypted a company’s assets and forced it to pay to get them decrypted.

Some of the NSA (National Security Agency) malware source code was leaked; it was picked up by criminals, who started producing sophisticated and hard-to-defeat malware.

Malware can be an executable file such as a Trojan, which executes when the user clicks on it, or it can be carried in a remote exploit and execute after the exploit code penetrates the target and passes control to it. Malware can be designed to execute immediately or to remain latent for longer-term use.

Sofacy (also known as Fancy Bear) is a cyber espionage campaign. Its typical attack consists of an exploit triggering a dropper to plant malware onto a target. The initial Trojan that is planted is known as CORESHELL; what it does is download a second-level backdoor called X-Agent, which is intended to gather information about the target using escalated privileges.

Persistence of malware is achieved when the malware restarts even after the victim machine is rebooted. Since basic malware persistence can be detected, rootkits are used to hide the malware deep in the OS. Rootkits don’t exploit vulnerabilities themselves and don’t propagate; they’re just an implant to place the malware.

Rootkits insert themselves into the OS startup code: they take over the master boot record and partition record. They’re used to identify and disable anti-virus products and to make investigation harder.

Rootkits are developed as drivers; they hide in the kernel using Direct Kernel Object Modification, changing the pointers away from where the rootkit is installed.

Another way to achieve persistence is through DLL hijacking: the malware presents itself as a legitimate DLL and places itself in a folder that is searched earlier than the one holding the legitimate DLL.

MITRE ATT&CK is a website that provides a library of tactics and techniques used in real-world attacks.

Malware Detection

There are a number of Indicators of Compromise (IOC):

  • MD5 hash
  • Command and Control Name
  • Malicious IP
  • Registry Key known to be used by malware

Lifecycle of an IOC is:

  • Identify compromise
  • Collect data
  • Analyze data
  • Create IOCs
  • Deploy IOCs

IOC Bucket is a community where people share their IOCs and learn from each other.

Although malware changes, it keeps using the same techniques: process injection, credential dumping, token stealing and host enumeration. By developing ways to detect these techniques and adding them to the standard IOC checks, the success rate of malware detection improves.

STIX: a language for modelling and representing cyber threat intelligence.

TAXII: a protocol for exchanging cyber threat intelligence.
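As an added example (not part of the original notes or of the course), the following Python script walks through the IOC lifecycle listed above with STIX 2.1-style indicator objects: sample telemetry is collected, indicators are created for a hash, an address, a domain and a registry key, and the indicators are deployed against the telemetry. Every hash, address, domain and registry key is a constructed placeholder, and the pattern matcher handles only single equality comparisons, a small subset of the real STIX patterning language.

```python
"""IOC lifecycle in miniature: collect data, create IOCs as STIX 2.1-style
indicators, deploy them against telemetry. All values are constructed."""
import re
import uuid
from datetime import datetime, timezone

# "Collect data": constructed telemetry, one dict per observed event.
SAMPLE_EVENTS = [
    {"type": "file", "path": "C:\\Users\\bob\\update.exe",
     "md5": "0123456789abcdef0123456789abcdef"},                   # constructed hash
    {"type": "network", "dst_ip": "198.51.100.23", "dst_port": 443},  # TEST-NET-2 address
    {"type": "dns", "query": "c2.example.invalid"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"type": "network", "dst_ip": "192.0.2.10", "dst_port": 80},     # benign traffic
]


def make_indicator(name: str, pattern: str) -> dict:
    """Create IOCs step: build a STIX 2.1 Indicator object with its required fields."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # STIX ids are <type>--<UUIDv4>
        "created": now,
        "modified": now,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }


# Placeholder indicators that correspond to the constructed telemetry above.
INDICATORS = [
    make_indicator("Known-bad dropper hash",
                   "[file:hashes.MD5 = '0123456789abcdef0123456789abcdef']"),
    make_indicator("C2 server address", "[ipv4-addr:value = '198.51.100.23']"),
    make_indicator("C2 domain", "[domain-name:value = 'c2.example.invalid']"),
    # Backslashes inside a STIX string literal are escaped as a doubled backslash.
    make_indicator("Run-key persistence",
                   "[windows-registry-key:key = "
                   "'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\updater']"),
]

# Supported subset: one object type, one property, one string equality.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\]$")

# Maps a STIX object path onto the event type and field used in our telemetry.
FIELD_MAP = {
    ("file", "hashes.MD5"): ("file", "md5"),
    ("ipv4-addr", "value"): ("network", "dst_ip"),
    ("domain-name", "value"): ("dns", "query"),
    ("windows-registry-key", "key"): ("registry", "key"),
}


def parse_pattern(pattern: str) -> tuple:
    """Parse the supported pattern subset into (object type, property, value)."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern (single equality only): {pattern}")
    obj, prop, raw = m.groups()
    prop = prop.replace("'", "")                              # hashes.'MD5' -> hashes.MD5
    value = raw.replace("\\'", "'").replace("\\\\", "\\")     # undo STIX string escaping
    return obj, prop, value


def match_events(indicators: list, events: list) -> list:
    """Deploy IOCs step: return (indicator name, event) for every matching event."""
    hits = []
    for ind in indicators:
        obj, prop, value = parse_pattern(ind["pattern"])
        if (obj, prop) not in FIELD_MAP:
            raise ValueError(f"no telemetry mapping for {obj}:{prop}")
        ev_type, field = FIELD_MAP[(obj, prop)]
        for ev in events:
            if ev["type"] == ev_type and ev.get(field) == value:
                hits.append((ind["name"], ev))
    return hits


if __name__ == "__main__":
    for name, ev in match_events(INDICATORS, SAMPLE_EVENTS):
        print(f"HIT {name}: {ev}")
```

Running the script reports four hits, one per indicator, and leaves the benign connection alone. Keeping the indicator in the STIX object shape is what makes the "deploy" step shareable: the same dict can be serialized and pushed over TAXII to another team without changing the matcher.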

Indicators of Attack (IOA): intended to detect the methods and intent of the attacker. They address hard problems and monitor for signs of an attack.

Cyber hunting: manually searching for signs of intrusion; it is difficult to do effectively.

Anomaly Detection System (ADS): a device that watches the behavior of data streams and detects anomalies. It is first run in learning mode to learn normal behavior, then switched to detection mode. It can also take manual entries for known anomaly thresholds.
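The two-mode operation described above, as an added Python sketch that is not from the course or the original notes: the detector accumulates readings per metric in learning mode, freezes a mean and standard deviation per metric when switched to detection mode, and then flags readings whose z-score is too high or that exceed a manually entered limit. The metric names, the readings and the z-score threshold of 3 are all constructed for the example.

```python
"""Anomaly Detection System sketch: learn a baseline per metric, then flag
readings that deviate from it or exceed a manually configured threshold.
All metric names and readings below are constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class Baseline:
    mean: float
    stdev: float
    samples: int


class AnomalyDetector:
    """Two-mode detector: 'learning' accumulates readings, 'detection' judges them."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.mode = "learning"
        self._learning: dict = {}      # metric -> readings seen while learning
        self.baselines: dict = {}      # metric -> Baseline, filled when switching modes
        self.manual_limits: dict = {}  # metric -> absolute upper bound (known-bad value)

    def set_manual_limit(self, metric: str, upper: float) -> None:
        """Manual entry for a known anomaly threshold; checked before the baseline."""
        self.manual_limits[metric] = upper

    def switch_to_detection(self) -> None:
        """Freeze what was learned into per-metric baselines and change mode."""
        for metric, values in self._learning.items():
            if len(values) < 2:
                raise ValueError(f"not enough learning samples for {metric}")
            self.baselines[metric] = Baseline(
                mean=statistics.mean(values),
                stdev=statistics.pstdev(values),
                samples=len(values),
            )
        self.mode = "detection"

    def observe(self, metric: str, value: float):
        """Feed one reading. Returns None while learning or when the reading is
        normal, otherwise a dict describing why it is anomalous."""
        if self.mode == "learning":
            self._learning.setdefault(metric, []).append(value)
            return None
        return self._check(metric, value)

    def _check(self, metric: str, value: float):
        limit = self.manual_limits.get(metric)
        if limit is not None and value > limit:
            return {"metric": metric, "value": value,
                    "reason": f"exceeds manual limit {limit}"}
        base = self.baselines.get(metric)
        if base is None:
            # A metric never seen during learning is itself worth reporting.
            return {"metric": metric, "value": value, "reason": "no baseline for metric"}
        if base.stdev == 0:
            z = 0.0 if value == base.mean else float("inf")
        else:
            z = abs(value - base.mean) / base.stdev
        if z > self.z_threshold:
            return {"metric": metric, "value": value,
                    "reason": f"z-score {z:.1f} exceeds {self.z_threshold}"}
        return None


# Constructed per-minute readings for one host during a quiet learning period.
LEARNING_STREAM = {
    "bytes_out_per_min": [1200, 1350, 1100, 1500, 1280, 1400, 1190, 1330, 1260, 1410],
    "dns_queries_per_min": [40, 45, 38, 50, 42, 47, 44, 39, 46, 41],
}

# Constructed readings fed in after the switch: two normal, two anomalous.
DETECTION_STREAM = [
    ("bytes_out_per_min", 1300),     # within the learned baseline
    ("bytes_out_per_min", 25000),    # sudden outbound burst
    ("dns_queries_per_min", 47),     # within the learned baseline
    ("dns_queries_per_min", 250),    # over the manually entered limit
]


def run_demo() -> list:
    """Learn on LEARNING_STREAM, then return one verdict per DETECTION_STREAM entry."""
    det = AnomalyDetector(z_threshold=3.0)
    for metric, values in LEARNING_STREAM.items():
        for v in values:
            det.observe(metric, v)
    det.switch_to_detection()
    det.set_manual_limit("dns_queries_per_min", 200)   # manual threshold entry
    return [det.observe(metric, v) for metric, v in DETECTION_STREAM]


if __name__ == "__main__":
    for (metric, value), verdict in zip(DETECTION_STREAM, run_demo()):
        print(metric, value, "normal" if verdict is None else f"ANOMALY: {verdict['reason']}")
```

The manual limit is checked before the learned baseline on purpose: a known-bad threshold should fire even if the learning period happened to include the bad behavior and pulled the baseline towards it, which is the main weakness of a pure learning-mode detector.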

Sandboxing malware: allow the malware to execute in a contained environment and watch its behavior.

Advanced Techniques

Since anti-virus companies create signatures for malware and install them in their products, they can now detect the malware before it executes. That gave birth to polymorphic and metamorphic malware, new types of malware that hide (using obfuscation) or change their code with each iteration. The ways used to change may include:

  • Placing routines in different places
  • changing register usage
  • code permutation
  • code expansion
  • code shrinking
  • and garbage code insertion

WannaCry is an example of ransomware (it encrypts the data and asks for a ransom to get the data back). It can be delivered via phishing, over the internet or over the LAN using a specific port. It connects through TCP; the payload installs tasksche.exe, which is set up as a service to ensure persistence. It propagates to all active addresses on the LAN and then tries to propagate to random internet IP addresses.

A well-known Trojan is called BlackEnergy. It comes as a kit: GUI based, with encrypted payloads and drivers for persistence. Its characteristics are a help file in Russian and highly customizable attacks:

  • ICMP ping flooding,
  • TCP SYN attacks
  • UDP flooding
  • HTTP GET request flooding
  • DNS flooding
  • Binary data flooding

BlackEnergy evolved into BlackEnergy 2, which was more complicated and was used to attack crucial resources in the USA in 2014. A new version called BlackEnergy 3 was detected in Poland and Ukraine. It then spawned TeleBots and GreyEnergy.

Reverse Engineering Malware

To be able to fight against malware, you will need to reverse engineer it. Reverse engineering requires assembly and low-level coding knowledge. It also requires knowledge of how networking works.

Reverse engineering malware involves disassembling (and sometimes decompiling) a software program. Through this process, binary instructions are converted to code mnemonics (or higher-level constructs) so that engineers can look at what the program does and which systems it impacts. Only by knowing its details are engineers able to create solutions that mitigate the program’s intended malicious effects.
