Explore the world of malware, from viruses to ransomware. Learn how malware is distributed and the techniques used in malware analysis including static and dynamic analysis. Discover disassembly methods, decompilation, and the types of programming languages involved.
1. Introduction to Malware Analysis
What is malware? • Malicious software: software designed to harm a computer system or its users • Examples • Viruses • Worms • Trojans • Rootkits • Ransomware • …
How is malware distributed? • By downloading software from the Internet • Via email attachments • Physical media (e.g. USB drives) • Self-propagation (worms) • …
Malware Examples • Virus • Propagates by inserting a copy of itself into another program, typically an executable file. The infected program has to be executed for the virus to become active and spread. • Worms • Similar to viruses, but they do not require a host program or human action to propagate; they exploit a system vulnerability (often in a network-facing service) to infect a system. • Trojans • Look trustworthy: an overt, benign appearance with a covert (malicious) action. They do not infect other files (they do not replicate themselves).
Malware Examples • Rootkits • Hide deep in the system (often at kernel level) to evade detection by anti-malware applications and allow attackers to install other (malicious) programs. • Botnets • A network of infected systems that are controlled by an attacker through a command-and-control channel. • Backdoors • Give the attacker remote access to the system, bypassing normal authentication.
Malware Examples • Scareware • Frightens the user into buying something or sending money to the attacker • Ransomware • Encrypts the user's files and extorts money in exchange for the decryption key
Mass and Targeted Malware • The difference is the target • APT - Advanced Persistent Threats • Becoming more common • Unique, custom-built malware • Can be very sophisticated • Low and slow (designed to stay undetected for a long time) • Mass malware • Distributed through phishing campaigns • Typically reused and not aimed at a specific victim
What is Malware Analysis? • The art of dissecting software binaries to • Determine whether a file contains malware • Understand what it does • Remove or isolate it • The dissection process uses: • A disassembler (will be used in this course) • A decompiler
Types of programming languages • 1st Generation Language • Machine language (binary opcodes executed directly by the CPU; the form in which a binary is shipped) • 2nd Generation Language • Assembly language (human-readable mnemonics that map almost one-to-one onto machine instructions) • 3rd Generation Language • Common high-level programming languages (largely platform independent at the source level) • 4th Generation Language • Non-procedural (state what to do rather than how to do it)
Decompilation of a Binary • Decompiler: • Input: machine language (or assembly language) • Output: a high-level language (typically C-like source) • It is a lossy process: • Variable names, function names and type information are not present at the machine-language level • It is a many-to-many mapping: many different source programs compile to the same machine code, and the same machine code can be decompiled into many equivalent source programs
Disassembly of a Binary • Why do it? • Malware analysis • To find software vulnerabilities • To check software interoperability • To validate a compiler • To inspect program instructions while debugging
Malware Analysis • Two primary methods • Static Analysis • Examine the file and its code without executing it • Goal: determine whether the file contains malicious code; basic checks (hashes, strings, imports) are quick • Disassembling the binary is needed to go beyond those basic checks • Dynamic Analysis • Execute the code in a controlled, isolated environment (sandbox) and observe its behaviour • Goal: understand how it works • No disassembly needed
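A basic static triage of the kind the slide describes, as an added example (not code from the original deck): hash the file so it can be looked up, extract printable strings the way the Unix `strings` tool does, and flag indicators found in them. The sample bytes are constructed here and are not a real executable; the `INJECTION_APIS` set (three Windows APIs whose co-occurrence is the classic remote-process-injection pattern) and the "suspicious" verdict rule are simple heuristics chosen for illustration, not a detection standard.

```python
import hashlib
import re

# Constructed sample blob: NOT a real executable, just bytes with a few
# embedded strings of the kind a quick static triage looks for.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x01\x02\x03"
    b"kernel32.dll\x00"
    b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    b"\xff\xfe\x00"
    b"http://example.invalid/stage2.bin\x00"
    b"C:\\Users\\Public\\svc.exe\x00"
    b"\x7f\x80ab\x00"
)

# Windows APIs that together form the classic process-injection pattern.
# Only a hint: plenty of legitimate software (debuggers, AV) uses them too.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def file_hashes(blob):
    """Hashes used to look the sample up in threat-intel / sandbox databases."""
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def extract_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob, min_len=4):
    """Quick static report: no execution, no disassembly."""
    strings = extract_strings(blob, min_len)
    report = {
        "hashes": file_hashes(blob),
        "has_mz_header": blob[:2] == b"MZ",   # DOS/PE magic
        "strings": strings,
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "paths": [s for s in strings if re.match(r"[A-Za-z]:\\", s)],
        "injection_apis": sorted(INJECTION_APIS.intersection(strings)),
    }
    # Illustrative rule: injection APIs plus a download URL or drop path
    # is worth escalating to disassembly / sandboxing.
    network_or_drop = report["urls"] or report["paths"]
    report["verdict"] = (
        "suspicious" if report["injection_apis"] and network_or_drop
        else "needs further analysis"
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:16} {value}")
```

Strings and hashes are cheap, which is why they come first, but they are also the easiest signals to hide: a packed or obfuscated sample shows almost no readable strings, and an unknown hash proves nothing. A clean-looking triage report is a reason to move on to disassembly or a sandbox run, not a verdict.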
Disassembly methods • Linear Sweep: • The next instruction to be disassembled is the one immediately after the current instruction • Recursive Descent: • Follows the program's control flow
Linear sweep disassembly • Disassembly begins with the first byte of the code section and moves forward in a linear fashion • The program's control flow (branches etc.) is ignored during the disassembly process • Advantage: provides complete coverage of the code section • Disadvantage: data embedded in the code section (jump tables, constants) is misinterpreted as instructions, which can throw the following instructions out of alignment
Recursive descent disassembly • The control flow determines whether the next instruction will be disassembled • Bytes that are never reached by a branch, call or fall-through are not decoded • Advantage: • It can distinguish between code and data • Disadvantage: code reached only through indirect (computed) jumps or calls may be missed
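To make the difference between the two methods concrete, here is an added example (not code from the original deck) that implements both on a toy instruction set constructed for this purpose. Everything about the ISA (opcodes, lengths, the 8-bit absolute branch targets) is an assumption made for the example and does not correspond to any real CPU. The constructed sample program jumps over three bytes of data embedded in the code section, the situation in which the two methods diverge.

```python
# Toy ISA (constructed for this example): opcode -> (mnemonic, length, flow kind).
# "seq": falls through; "jump": unconditional, no fall-through;
# "cjump"/"call": target plus fall-through; "stop": ends the flow.
ISA = {
    0x00: ("NOP", 1, "seq"),
    0x01: ("MOV A, imm8", 2, "seq"),
    0x02: ("JMP addr8", 2, "jump"),
    0x03: ("JZ addr8", 2, "cjump"),
    0x04: ("CALL addr8", 2, "call"),
    0x05: ("RET", 1, "stop"),
}

# Constructed sample program: a JMP skips over a 3-byte data table.
SAMPLE = bytes([
    0x01, 0x2A,        # 0:  MOV A, 0x2a
    0x02, 0x07,        # 2:  JMP 0x07     (over the table below)
    0x01, 0xFF, 0x02,  # 4:  data (lookup table), never executed
    0x00,              # 7:  NOP
    0x03, 0x0C,        # 8:  JZ 0x0c
    0x01, 0x00,        # 10: MOV A, 0x00
    0x05,              # 12: RET
])


def decode(code, addr):
    """Decode one instruction at addr -> (text, length, flow kind, branch target)."""
    op = code[addr]
    if op not in ISA or addr + ISA[op][1] > len(code):
        return (f"db 0x{op:02x}", 1, "seq", None)   # unknown or truncated: emit a byte
    text, length, kind = ISA[op]
    target = None
    if length == 2:
        operand = code[addr + 1]
        if kind in ("jump", "cjump", "call"):
            target = operand
        text = text.replace("imm8", f"0x{operand:02x}").replace("addr8", f"0x{operand:02x}")
    return (text, length, kind, target)


def linear_sweep(code):
    """Decode from the first byte onward, ignoring control flow."""
    listing, addr = [], 0
    while addr < len(code):
        text, length, _kind, _target = decode(code, addr)
        listing.append((addr, text))
        addr += length
    return listing


def recursive_descent(code, entry=0):
    """Decode only what control flow reaches from the entry point."""
    seen, worklist = {}, [entry]
    while worklist:
        addr = worklist.pop()
        while 0 <= addr < len(code) and addr not in seen:
            text, length, kind, target = decode(code, addr)
            seen[addr] = text
            if target is not None and target not in seen:
                worklist.append(target)
            if kind in ("jump", "stop"):   # no fall-through
                break
            addr += length
    return seen


def undecoded_bytes(code, listing):
    """Addresses covered by no decoded instruction: candidate data."""
    covered = set()
    for addr in listing:
        covered.update(range(addr, addr + decode(code, addr)[1]))
    return [a for a in range(len(code)) if a not in covered]


if __name__ == "__main__":
    print("linear sweep:")
    for addr, text in linear_sweep(SAMPLE):
        print(f"  {addr:4}: {text}")
    rd = recursive_descent(SAMPLE)
    print("recursive descent:")
    for addr in sorted(rd):
        print(f"  {addr:4}: {rd[addr]}")
    print("undecoded (data):", undecoded_bytes(SAMPLE, rd))
```

Linear sweep decodes the table bytes as `MOV A, 0xff` and then pairs the last data byte with the real `NOP` at offset 7 to produce a phantom `JMP 0x00`; the `NOP` vanishes from the listing and decoding only resynchronises at offset 8. Recursive descent never visits offsets 4 to 6, so it reports them as data and recovers the `NOP`, but it would equally skip a real function whose only caller uses an indirect call through a register, which is exactly how malware hides code from it.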