M6.7 Lab: Malware Analysis Experiment

The main defense against malware continues to be antivirus software, which uses a combination of signatures and heuristic rules to detect malware infections. But where do the signatures come from? Security companies collect and inspect new malware samples to identify those interesting enough for thorough analysis. Expert analysts use a variety of tools to reverse engineer and understand a suspected binary. This lab goes through the processes of static and dynamic analysis and inspects an analysis report. Note that no live malware is involved in this lab, as that would be risky.

Part A: Static Analysis

As the name suggests, static analysis is an examination of a suspected binary or executable without actually executing it. Tools include disassemblers, decompilers, and source code analyzers. Typically, static analysis is incapable of giving a complete picture of the program’s behavior. In addition, malware creators can deliberately obstruct static analysis by means of packing, encryption, or obfuscation.
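An added example, not part of the lab text, showing one static-triage heuristic and why packing obstructs it: Shannon entropy per section plus a `strings`-style extraction, run over two constructed byte buffers, one plaintext-like and one high-entropy stand-in for a packed section (the buffers, the 7.0 threshold and the `update.example.invalid` URL are all constructed for illustration):

```python
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Rough equivalent of the `strings` tool: runs of printable ASCII of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_section(name: str, data: bytes, threshold: float = 7.0) -> dict:
    """Flag a section as likely packed or encrypted when its entropy is near the 8-bit maximum.

    Compressed or encrypted code has near-uniform byte frequencies, so a high score means
    disassembly and string inspection will reveal little until the sample unpacks itself.
    """
    ent = shannon_entropy(data)
    return {
        "section": name,
        "entropy": round(ent, 2),
        "strings": ascii_strings(data),
        "likely_packed": ent >= threshold,
    }


def pseudo_random(n: int, seed: bytes = b"lab-seed") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed inputs: a plaintext-like section that exposes an import name and a URL,
# and a packed-looking section that exposes neither (its "strings" are random junk).
PLAIN_SECTION = (b"\x00" * 16 + b"LoadLibraryA\x00" + b"http://update.example.invalid/\x00"
                 + b"\x00" * 48)
PACKED_SECTION = pseudo_random(4096)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SECTION), ("packed", PACKED_SECTION)):
        print(triage_section(name, blob))
```

Note that random data still yields a few accidental printable runs, which is why the packing flag relies on entropy rather than on the string count.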

Use the textbook and online references to learn about static analysis. The following are good resources to use:

Question 1:

  • Briefly summarize the static analysis attempts to learn from a suspected binary.
  • What are the limitations of static analysis, or in other words, why is dynamic analysis needed?

Part B: Dynamic Analysis

Dynamic analysis involves executing a suspected binary or executable to learn about its possibly malicious behavior. Generally, dynamic analysis looks for suspicious behavior with regard to the following:

  • Actions on the machine where it is running, e.g., buffer overflows, file changes;
  • Network traffic, e.g., communications with C&C (command and control) servers;
  • Attempts to self-replicate.

Dynamic analysis can be complicated when malware creators design malware to change its behavior if it detects that it is running inside a virtual machine.

Clearly, execution should be done in a restricted environment like a sandbox to protect the network and other machines. There are obvious costs in computing resources and execution time. Thus, it is not feasible to carry out dynamic analysis for every suspected binary. In addition, a high level of technical expertise is needed to understand the results of dynamic analysis. Dynamic analysis, as well as static analysis, is much like detective work.
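An added example, not part of the lab text, showing how the three behavior classes listed above can be checked mechanically against a sandbox report. The event schema and the events are constructed for illustration (this is not Cuckoo's real report format), and the lab network range 10.0.0.0/8 is an assumption:

```python
from ipaddress import ip_address, ip_network

# Constructed sandbox event log in a simplified, made-up schema. Real sandbox reports are
# far richer, but the behaviour classes an analyst checks for are the same three.
SAMPLE_SHA256 = "0" * 64  # placeholder for the submitted sample's own hash
EVENTS = [
    {"type": "file_write", "path": r"C:\Users\lab\AppData\Roaming\svchost.exe", "sha256": SAMPLE_SHA256},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"type": "file_write", "path": r"C:\Users\lab\Documents\report.docx", "sha256": "1" * 64},
    {"type": "connect", "dst": "203.0.113.7", "port": 443},
    {"type": "connect", "dst": "10.0.0.2", "port": 53},
    {"type": "process_create", "cmd": r"C:\Users\lab\AppData\Roaming\svchost.exe"},
]


def classify(events, sample_sha256, lab_net="10.0.0.0/8"):
    """Bucket sandbox events into the behaviour classes the lab text lists."""
    lab = ip_network(lab_net)
    found = {"host_actions": [], "network": [], "self_replication": []}
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            if ev.get("sha256") == sample_sha256:
                # A written file whose hash equals the sample's own: it dropped a copy of itself.
                found["self_replication"].append(ev["path"])
            else:
                found["host_actions"].append("modified " + ev["path"])
        elif kind == "registry_set" and "\\CurrentVersion\\Run\\" in ev["key"]:
            found["host_actions"].append("autorun persistence via " + ev["key"])
        elif kind == "connect" and ip_address(ev["dst"]) not in lab:
            # Outbound traffic to a host outside the lab network: candidate C&C contact.
            found["network"].append(f"{ev['dst']}:{ev['port']}")
        elif kind == "process_create" and ev["cmd"] in found["self_replication"]:
            found["self_replication"].append("executed dropped copy " + ev["cmd"])
    return found


def verdict(found):
    """Count the behaviour classes observed; two or more is enough to escalate for manual analysis."""
    classes = sum(1 for v in found.values() if v)
    return ("escalate" if classes >= 2 else "low-priority"), classes


if __name__ == "__main__":
    result = classify(EVENTS, SAMPLE_SHA256)
    print(result)
    print(verdict(result))
```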

Use the textbook and online references to learn about dynamic analysis. A good introduction is given on the following webpage:

Question 2:

  • Give an example of program behavior that can be learned only through dynamic analysis and not static analysis.

Question 3:

  • Briefly summarize the risks of dynamic analysis.

Part C: Seeing Results

You have the choice to install and experiment with a variety of software tools for static and dynamic analysis. An easier alternative is to try out one of the online services that let you submit a suspected binary and report the analysis results to you. Some choices include the following:

In particular, Malwr is a web interface to the Cuckoo Sandbox, which is a free tool for automated malware analysis. The documentation for the Cuckoo Sandbox is available at the following site:

Question 4:

Some of these online services offer sample reports.

Optional: It may be instructive to browse a report at any of the following sites:

Optional: An example of a static analysis using Cuckoo is explained on the following site:

Write a short report addressing the above questions in this lab.

The first major variant of ransomware, CryptoLocker, has been mentioned in the module notes. After the takedown of CryptoLocker, CryptoWall (aka Crowti or CryptoDefense) appeared in 2014 and became the most prevalent ransomware. It encrypts a victim’s files with a public key, and the private key is kept on a remote server. In one version, the victim is directed by a link to a Tor webpage asking for payment in Bitcoin. Another ransomware that became very prevalent in 2015 was TeslaCrypt (aka Tescrypt). It encrypts a victim’s files using AES-256, although it tells the user it is RSA-2048, a much longer key size. Undoubtedly, new variants will continue to victimize people as long as they are profitable.

You can refer to the following resources for more information on ransomware:

Respond to the following:

  • Ransomware creators tend to keep the ransoms affordable and deliver the decryption key after payment (although there is no guarantee), in order to encourage future victims to pay. For these reasons, victims are sometimes advised to just pay the ransom. Should victims pay the ransom or seek other solutions?
  • What are the latest encryption technologies and infection techniques currently being designed to tackle this issue?
  • What legal issues does ransomware influence?
