DOCSLIB.ORG

New Malware Analysis Method on Digital Forensics

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
New Malware Analysis Method on Digital Forensics ISSN (Print) : 0974-6846 Indian Journal of Science and Technology, Vol 8(17), DOI: 10.17485/ijst/2015/v8i17/77209, August 2015 ISSN (Online) : 0974-5645 New Malware Analysis Method on Digital Forensics Sunghyuck Hong and Sungjin Lee* Division of Information and Communication, Baekseok University, Korea; [email protected], [email protected] Abstract Recently, Internet usage and development of web technique are getting increased rapidly. The number of Malware occurrence has rapidly increased and new or various types of Malware have been advanced and progressed, so it is time to require analysis for malicious codes in order to defense system. However, current defense mechanisms are always one step behind of Malware attacks and there is not much research on Malware analysis. The behavior of Malware is similar Therefore, we propose to a new approach for Malware analysis method based on registry analysis. to common applications. It is difficult to detect Malware by its behavior. Malware’s registry must be analyzed to detect. Keywords: Digital Forensics, Malware, Network Security, Registry Analysis 1. Introduction cutable code, scripts, active content and other software4. Malware is often disguised as, or embedded in, non- Malware, short for malicious software, is any software used malicious files. As of 2011 the majority of active Malware to disrupt computer operation, gather sensitive informa- threats were worms or Trojans rather than viruses5. In law, tion or gain access to private computer systems. It can Malware is sometimes known as a computer contaminant, appear in the form of executable code, scripts, active con- as in the legal codes of several U.S. states6,7. Spyware or tent and other software. Malware is a general term used to other Malware is sometimes found embedded in programs refer to a variety of forms of hostile or intrusive software. supplied officially by companies, e.g., downloadable from The term bad ware is sometimes used and applied to both websites, that appear useful or attractive, but may have, true (malicious) Malware and unintentionally harm- for example, additional hidden tracking functionality that ful software. Malware means executable code which was gathers marketing statistics. An example of such software, written for malicious purposes. Virus, worm and Trojan which was described as illegitimate, is the Sony rootkit, a horse belonging to it and these are also called malicious Trojan embedded into CDs sold by Sony, which silently codes. The computer malicious codes are evolving fast installed and concealed itself on purchasers’ computers and performing malicious actions using various vulner- with the intention of preventing illicit copying; it also ability over system1. reported on users’ listening habits and unintentionally Malware may be stealthy, intended to steal information created vulnerabilities that were exploited by unrelated or spy on computer users for an extended period with- Malware8Software such as anti-virus, anti-Malware and out their knowledge, as for example Regin or it may be firewalls are used to protect against activity identified as designed to cause harm, often as sabotage (e.g., Stuxnet) malicious and to recover from attacks9. or to extort payment (Crypto Locker). ‘Malware’ is an This research paper is organized as follows. Section 2 umbrella term used to refer to a variety of forms of hostile provides related work. In Section 3, we proposed our new or intrusive software3 including computer viruses, worms, proposal for analysis Malware and Section 4 presents per- Trojan horses, ransomware, spyware, adware, scareware formance evaluation and discussion. Finally, conclusions and other malicious programs. It can take the form of exe- are given in Section 5. *Author for correspondence New Malware Analysis Method on Digital Forensics 2. Related Work Table 1. Types of Malware Recently, network security events are occurred very often. Types Specification They created disasters all around the world such as inter- A computer virus is a Malware program that, net fraud activities and data theft, etc. Malware was the when executed, replicates by inserting copies of itself into other computer programs, data key offender. Therefore, how to detect Malware is a very files or the boot sector of the hard drive; important issue for network security. Malware has the when this replication succeeds, the affected potential to harm the host, which designed to infiltrate or areas are then said to be infected. Viruses damage a computer system without the owner’s informed often perform some type of harmful activity consent (e.g., viruses, backdoors, spyware, Trojans and on infected computers, such as stealing hard disk space or CPU time, accessing private worms)17. There are many security incidents arisen by Virus information, corrupting data, displaying botnet, which has caused series dangers recently. Botnet political or humorous messages on the user’s is not a specific malware. However, a method, that pos- screen, spamming their contacts or logging sibly comprised of thousands or millions hosts controlled their keystrokes. However, not all viruses by hackers. In the past years, botnet-based attacks became carry a destructive payload or attempt to popular and dangerous. In order to facilitate observation hide themselves-the defining characteristic of botnets, many researchers have proposed separate of viruses is that they are self-replicating computer programs which install themselves detection schemes and detection mechanism for moni- without the user’s consent. toring and defending against them. Network worm is usually a standalone prog- Security expert Joe Stewart revealed that in late 2007, ram which runs without any user intervention. the operators of the botnet began to further decentralize It spreads itself to other computers in the their operations, in possible plans to sell portions of the same LAN which has vulnerabilities. While botnet to other operators18. Some reports as of late 2007 the virus is a program or programming indicated the botnet to be in decline, but many security code that can graft its copy onto another program including the operating system. The experts reported that they expect the botnet to remain Worm virus cannot run automatically, it needs to 19 a major security risk online and FBI considers that the be activated by the host program. Both the botnet is a major risk to increase bank fraud, identity theft computer worm and virus can replicate and and other cybercrimes18. As a result, the further research spread themselves, which makes it difficult to on the advanced botnet designed by the attackers becomes distinguish them. Especially, in recent years, important. It is necessary to conduct such research, so as to more and more virus comes to use worms’ technology. Meanwhile, worm adopts the deal with the threat of botnet facing today. Otherwise, our virus technology too. Internet will frequently be attacked by the Nalware in the Trojan horses are computer programs that future. This paper developed a Malware behavioral analy- presented as useful or harmless in order sis tool, Taiwan Malware Analysis Net, which can analysis to induce the user to install and run them, the varietal Malware and output analysis report. The result but also have some hidden malicious goal, scan support anti-virus to detect the known or unknown such as enabling remote access and control malware. There are many types of Malware. Table 1 shows with the aim of gaining full or partial access to the infected system. On the one hand, all types of Malware2-4,12-16. since polymorphism of Trojan horses, it is Trojan Horse hard for the signature-based technology, 3. Virtual Environment for which is the mainly used method in current anti-virus program, detecting them; On the Malware Analysis other hand, Trojan horses have very little immediate impact on the normal operation VMware virtual computing environment was used for of a system and they may go under detected analysis Malware in order to prevent infection on a local for a significant period of time, allowing the PC because the PC has a need to analyze downloaded attacker a large window of opportunity. Malware on virtual computing environments in the same The detection of bots, Malware instances that manner as the end user environment such as a CD-ROM Bot run autonomously on a compromised host, has or a USB device can also be directly connected to analysis. been a challenging problem since the bots, 2 Vol 8 (17) | August 2015 | www.indjst.org Indian Journal of Science and Technology Sunghyuck Hong and Sungjin Lee played a key role in launching all Internet activity on the Internet and transmits that threats such as DDoS, spam, information information in the background to someone extortion, click fraud, etc. Signature-based else. Spyware can also gather information malware detection has been the major defense about e-mail addresses and even passwords against any malware including bots. and credit card numbers. Security threats are coming from various Adware is the common name used to sources, like natural factors or users do not describe software that is given to the user with have authorization to access to the network advertisements embedded in the application. and using the software. These threats Adware is considered a legitimate alternative are result to the lack of authentication, offered to consumers who do not wish to pay authorization and auditing control, cipher for software. There are many ad-supported algorithms weaknesses, weak keys,
Load more

Recommended publications
  • What Are Kernel-Mode Rootkits?
    www.it-ebooks.info Hacking Exposed™ Malware & Rootkits Reviews “Accessible but not dumbed-down, this latest addition to the Hacking Exposed series is a stellar example of why this series remains one of the best-selling security franchises out there. System administrators and Average Joe computer users alike need to come to grips with the sophistication and stealth of modern malware, and this book calmly and clearly explains the threat.” —Brian Krebs, Reporter for The Washington Post and author of the Security Fix Blog “A harrowing guide to where the bad guys hide, and how you can find them.” —Dan Kaminsky, Director of Penetration Testing, IOActive, Inc. “The authors tackle malware, a deep and diverse issue in computer security, with common terms and relevant examples. Malware is a cold deadly tool in hacking; the authors address it openly, showing its capabilities with direct technical insight. The result is a good read that moves quickly, filling in the gaps even for the knowledgeable reader.” —Christopher Jordan, VP, Threat Intelligence, McAfee; Principal Investigator to DHS Botnet Research “Remember the end-of-semester review sessions where the instructor would go over everything from the whole term in just enough detail so you would understand all the key points, but also leave you with enough references to dig deeper where you wanted? Hacking Exposed Malware & Rootkits resembles this! A top-notch reference for novices and security professionals alike, this book provides just enough detail to explain the topics being presented, but not too much to dissuade those new to security.” —LTC Ron Dodge, U.S.
    [Show full text]
  • Classification of Malware Using Reverse Engineering and Data
    CLASSIFICATION OF MALWARE USING REVERSE ENGINEERING AND DATA MINING TECHNIQUES A Thesis Presented to The Graduate Faculty of The University of Akron In Partial Fulfillment of the Requirements for the Degree Master of Science Ravindar Reddy Ravula August, 2011 CLASSIFICATION OF MALWARE USING REVERSE ENGINEERING AND DATA MINING TECHNIQUES Ravindar Reddy Ravula Thesis Approved: Accepted: ______________________________ ______________________________ Advisor Department Chair Dr. Kathy J. Liszka Dr. Chien-Chung Chan ______________________________ ______________________________ Committee Member Dean of the College Dr. Chien-Chung Chan Dr. Chand K. Midha ______________________________ ______________________________ Committee Member Dean of the Graduate School Dr. Zhong-Hui Duan Dr. George R. Newkome _____________________________ Date ii ABSTRACT Detecting new and unknown malware is a major challenge in today’s software security profession. A lot of approaches for the detection of malware using data mining techniques have already been proposed. Majority of the works used static features of malware. However, static detection methods fall short of detecting present day complex malware. Although some researchers proposed dynamic detection methods, the methods did not use all the malware features. In this work, an approach for the detection of new and unknown malware was proposed and implemented. 582 malware and 521 benign software samples were collected from the Internet. Each sample was reverse engineered for analyzing its effect on the operating environment and to extract the static and behavioral features. The raw data extracted from the reverse engineering was preprocessed and two datasets are obtained: dataset with reversed features and dataset with API Call features. Feature reduction was performed manually on the dataset with reversed features and the features that do not contribute to the classification were removed.
    [Show full text]
  • Tools and Techniques for Malware Detection and Analysis
    Tools and Techniques for Malware Detection and Analysis Sajedul Talukder Department of Mathematics and Computer Science Edinboro University, PA, USA [email protected] Abstract—One of the major and serious threats that the in volume (growing threat landscape), variety (innovative ma- Internet faces today is the vast amounts of data and files which licious methods) and velocity (fluidity of threats). These are need to be evaluated for potential malicious intent. Malicious evolving, becoming more sophisticated and using new ways to software, often referred to as a malware that are designed by target computers and mobile devices. McAfee [6] catalogs over attackers are polymorphic and metamorphic in nature which have 100,000 new malware samples every day means about 69 new the capability to change their code as they spread. Moreover, the threats every minute or about one threat per second. With the diversity and volume of their variants severely undermine the effectiveness of traditional defenses which typically use signature increase in readily available and sophisticated tools, the new based techniques and are unable to detect the previously unknown generation cyber threats/attacks are becoming more targeted, malicious executables. The variants of malware families share persistent and unknown. The advanced malware are targeted, typical behavioral patterns reflecting their origin and purpose. unknown, stealthy, personalized and zero day as compared to The behavioral patterns obtained either statically or dynamically the traditional malware which were broad, known, open and can be exploited to detect and classify unknown malware into one time. Once inside, they hide, replicate and disable host their known families using machine learning techniques.
    [Show full text]
  • Malicious Software
    Malicious Software Virus - a piece of software that can “infect” other programs by modifying them in the file system; the modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs. Virus code can be prepended or appended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program. Example: sality PE infector http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf Encrypted virus: A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Execution Flow of an Infected File Types of Viruses: • Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. Example: stoned, Michelangelo, mebroot, rovnix • File infector: Infects files that the operating system or shell consider to be executable. • Macro virus: Infects files with macro code that is interpreted by an application. Example: Melissa, iloveyou Macro viruses were popular until about the year 2000 when Windows executables became the prominent form. Virus prevalence by type However, in 2014, there were some new macro viruses created and social engineering was used to turn off security controls which disabled macros by default: http://blog.dynamoo.com/ show macros 2014 Macro Virus in a MS Office document used Social Engineering to get macros turned on to distribute the Napolar virus.
    [Show full text]
  • K-Tracer: a System for Extracting Kernel Malware Behavior
    K-Tracer: A System for Extracting Kernel Malware Behavior Andrea Lanzi1,2 Monirul Sharif1 Wenke Lee1 1School of Computer Science, College of Computing, Georgia Institute of Technology, USA {msharif, wenke}@cc.gatech.edu 2Dipartimento di Informatica e Comunicazione, Universita` degli Studi di Milano, Italy [email protected] Abstract install backdoors, and maliciously manipulate other system level data. Kernel rootkits can easily hide activities from Kernel rootkits can provide user level-malware programs user-level programs and at the same time cripple kernel- with the additional capabilities of hiding their malicious ac- level security programs. tivities by altering the legitimate kernel behavior of an op- Since rootkits are not used alone, discovering their ma- erating system. While existing research has studied rootkit licious behaviors is essential in understanding the impli- hooking behavior in an effort to help develop defense and cations of malware that utilizes them. Determining that remediation mechanisms, automated analysis of the actual a rootkit has a backdoor capability that waits for network malicious goals and capabilities of rootkits has not been packets on a specific port with specific contents can enable adequately investigated. In this paper, we present an ap- the identification of infected hosts in a network by way of proach based on a combination of backward slicing and examining the network traffic. Network perimeter defense chopping techniques that enables automatic discovery of systems can also use this information to stop further mali- the system data manipulation behaviors of rootkits. We have cious activities on infected hosts. Rootkits that hide pro- built a system called K-Tracer that can dynamically analyze cesses with specific names can help identify the malicious Windows kernel-level code and extract malicious behaviors programs that are being hidden by the rootkit.
    [Show full text]
  • Introduction to Malware
    The Dark side of the Internet: Introduction to Malware By: Brian Pohlman Master of Science in Information Security Lewis University December 2009 1 (Page intentionally left blank) 2 ABSTRACT The Internet can now be accessed almost anywhere by various means, especially through mobile devices. These devices allow users to connect to the Internet from anywhere there is a wireless network supporting that device’s technology. Services of the Internet, including email and the web, may be available. The Internet has also become a large market for companies [1]; some of the biggest companies today have grown by taking advantage of the efficient nature of low-cost advertising and commerce through the Internet. It is the fastest way to spread information to a vast number of people simultaneously. The Internet has also revolutionized shopping. For example, a person can order a CD online and receive it in the mail within a couple of days, or they can download it directly and have it in a matter of minutes. The Internet has also greatly facilitated personalized marketing which allows a company to market a product to a specific person or a specific group of people more so than any other advertising medium. Examples of personalized marketing include online communities such as MySpace, Facebook, and Twitter. The low-cost and nearly instantaneous sharing of ideas, knowledge, and skills has made collaborative work much easier. Not only can a group cheaply communicate and share ideas, but the wide reach of the Internet allows such groups to easily form in the first place. The Internet also allows users to remotely access other computers and information easily, wherever they may be located in the world.
    [Show full text]
  • Analysis and Defense of Emerging Malware Attacks
    ANALYSIS AND DEFENSE OF EMERGING MALWARE ATTACKS A Dissertation by ZHAOYAN XU Submitted to the Office of Graduate and Professional Studies of Texas A&M University in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Chair of Committee, Guofei Gu Committee Members, Jyh-Charn Liu Riccardo Bettati Weiping Shi Head of Department, Nancy Amato August 2014 Major Subject: Computer Engineering Copyright 2014 Zhaoyan Xu ABSTRACT The persistent evolution of malware intrusion brings great challenges to current anti-malware industry. First, the traditional signature-based detection and preven- tion schemes produce outgrown signature databases for each end-host user and user has to install the AV tool and tolerate consuming huge amount of resources for pair- wise matching. At the other side of malware analysis, the emerging malware can detect its running environment and determine whether it should infect the host or not. Hence, traditional dynamic malware analysis can no longer find the desired malicious logic if the targeted environment cannot be extracted in advance. Both these two problems uncover that current malware defense schemes are too passive and reactive to fulfill the task. The goal of this research is to develop new analysis and protection schemes for the emerging malware threats. Firstly, this dissertation performs a detailed study on recent targeted malware attacks. Based on the study, we develop a new technique to perform effectively and efficiently targeted malware analysis. Second, this disserta- tion studies a new trend of massive malware intrusion and proposes a new protection scheme to proactively defend malware attack. Lastly, our focus is new P2P malware.
    [Show full text]
  • A Transparent Malware Analysis Tool for Integrating Dynamic and Static Examination
    Scholars' Mine Masters Theses Student Theses and Dissertations Spring 2010 EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination Joshua Michael Eads Follow this and additional works at: https://scholarsmine.mst.edu/masters_theses Part of the Computer Sciences Commons Department: Recommended Citation Eads, Joshua Michael, "EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination" (2010). Masters Theses. 4762. https://scholarsmine.mst.edu/masters_theses/4762 This thesis is brought to you by Scholars' Mine, a service of the Missouri S&T Library and Learning Resources. This work is protected by U. S. Copyright Law. Unauthorized use including reproduction for redistribution requires the permission of the copyright holder. For more information, please contact [email protected]. ETHERANNOTATE: A TRANSPARENT MALWARE ANALYSIS TOOL FOR INTEGRATING DYNAMIC AND STATIC EXAMINATION by JOSHUA MICHAEL EADS A THESIS Presented to the Faculty of the Graduate School of MISSOURI UNIVERSITY OF SCIENCE AND TECHNOLOGY in Partial Fulfillment of the Requirements for the Degree MASTER OF SCIENCE IN COMPUTER SCIENCE 2010 Approved by Dr. Ann Miller, Advisor Dr. Bruce McMillin Dr. Daniel Tauritz Copyright 2010 Joshua Michael Eads All Rights Reserved iii ABSTRACT Software security researchers commonly reverse engineer and analyze current malicious software (malware) to determine what the latest techniques malicious at- tackers are utilizing and how to protect computer systems from attack. The most common analysis methods involve examining how the program behaves during ex- ecution and interpreting its machine-level instructions. However, modern malicious applications use advanced anti-debugger, anti-virtualization, and code packing tech- niques to obfuscate the malware’s true activities and divert security analysts.
    [Show full text]
  • Guide to Malware Incident Prevention and Handling for Desktops and Laptops
    NIST Special Publication 800-83 Revision 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-83 Revision 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops Murugiah Souppaya Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA July 2013 U.S. Department of Commerce Cameron F. Kerry, Acting Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director Authority This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A- 130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
    [Show full text]
  • Malware Analysis and Mitigation in Information Preservation
    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661,p-ISSN: 2278-8727, Volume 20, Issue 4, Ver. I (Jul - Aug 2018), PP 53-62 www.iosrjournals.org Malware Analysis and Mitigation in Information Preservation Aru Okereke Eze and Chiaghana Chukwunonso E. Department Of Computer Engineering, Michael Okpara University Of Agriculture, Umudike Umuahia, Abia State-Nigeria. Corresponding Author: Aru Okereke Eze Abstract: Malware, also known as malicious software affects the user’s computer system or mobile devices by exploiting the system’s vulnerabilities. It is the major threat to the security of information in the computer systems. Some of the types of malware that are most commonly used are viruses, worms, Trojans, etc. Nowadays, there is a widespread use of malware which allows malware author to get sensitive information like bank details, contact information, which is a serious threat in the world. Most of the malwares are spread through internet because of its frequent use which can destroy large information in any system. Malwares from their early designs which were just for propagation have now developed into more advanced form, stealing sensitive and private information. Hence, this work focuses on analyzing the malware in a restricted environment and how information can be preserved. So, in other to address the negative effects of malicious software, we discussed some of the malware analysis methods which was used to analyze the software in an effective manner and helped us to control them. Various malware detection coupled with malware propagation techniques were also highlighted. This work was concluded by examining malware mitigation strategies which can help us protect our system’s information.
    [Show full text]
  • GOLDENEYE: Efficiently and Effectively Unveiling Malware’S Targeted Environment
    GOLDENEYE: Efficiently and Effectively Unveiling Malware’s Targeted Environment Zhaoyan Xu1, Jialong Zhang1, Guofei Gu1, and Zhiqiang Lin2 1Texas A&M University, College Station, TX fz0x0427, jialong, [email protected] 2The University of Texas at Dallas, Richardson, TX [email protected] Abstract. A critical challenge when combating malware threat is how to effi- ciently and effectively identify the targeted victim’s environment, given an un- known malware sample. Unfortunately, existing malware analysis techniques ei- ther use a limited, fixed set of analysis environments (not effective) or employ ex- pensive, time-consuming multi-path exploration (not efficient), making them not well-suited to solve this challenge. As such, this paper proposes a new dynamic analysis scheme to deal with this problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a mal- ware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory space and achieve much higher speed than existing schemes. We have implemented a prototype system, GOLDENEYE, and evalu- ated it with a large real-world malware dataset. The experimental results show that GOLDENEYE outperforms existing solutions and can effectively and effi- ciently expose malware’s targeted environment, thereby speeding up the analysis in the critical battle against the emerging targeted malware threat. Keywords: Dynamic Malware Analysis, Speculative Execution 1 Introduction In the past few years, we have witnessed a new evolution of malware attacks from blindly or randomly attacking all of the Internet machines to targeting only specific systems, with a great deal of diversity among the victims, including government, mil- itary, business, education, and civil society networks [17,24].
    [Show full text]