
Swinburne University of Technology
Faculty of Science, Engineering and Technology

ASSIGNMENT AND PROJECT COVER SHEET

Unit Code: COS30015    Unit Title: IT Security
Assignment number and title: Assignment 1 Research Project    Due date: 10/15/23
Lab group:    Tutor:    Lecturer: Dr. Le Anh Ngoc
Family name: Nguyen    Other names: Viet Trung    Identity no: 103488036

To be completed if this is an INDIVIDUAL ASSIGNMENT

I declare that this assignment is my individual work. I have not worked collaboratively, nor have I copied from any other student's work or from any other source except where due acknowledgment is made explicitly in the text, nor has any part been written for me by another person.

Signature: Nguyen Viet Trung

To be completed if this is a GROUP ASSIGNMENT

We declare that this is a group assignment and that no part of this submission has been copied from any other student's work or from any other source except where due acknowledgment is made explicitly in the text, nor has any part been written for us by another person.

ID Number    Name    Signature

Marker's comments:    Total Mark:

Extension certification:
This assignment has been given an extension and is now due on: October 15th 2023
Signature of Convener:    Date: / 2023

Abstract

The term malware refers to all kinds of harmful computer programs, including viruses, worms, trojans, and other malicious software. As the Internet has gradually become an essential part of daily life, malicious programs have kept probing for security holes in devices and systems.

Software is categorized as malicious based on its intended use rather than on how it is constructed. In most cases such programs are neither large nor complex, yet they can steal data or impair the device's performance, putting the user at risk.

Introduction

Designed to harm devices and users, malware steals data and degrades performance. Currently, most malware targets devices and applications that are connected to the Internet. Because the Internet is now part of our work and daily lives, it is critical to track and stop such malicious software as soon as possible, in order to prevent long-term harm and risk to users. The most dangerous malware today is probably the kind that spreads to other devices, since it wreaks havoc on a wide number of devices and affects a large number of users, sometimes at the same time. Such malware is also the hardest to prevent, because it behaves like a disease: as long as a single 'infected' device remains, the malicious code persists. With malware developers making their creations ever harder to detect and able to penetrate more sophisticated devices, prevention is becoming more and more challenging.

Antivirus software has become increasingly popular as a way to protect users' devices and servers. Its purpose is to track and prevent malicious software from being installed on the system, and to remove it. Everything will continue to evolve, including malware. By obtaining copies of antivirus software, malware creators study how these applications work, find their loopholes, and develop new malware that bypasses the firewall protections of these programs. As a result of rapid developments in systems science, security software is improving, and tracing techniques and machine learning are increasingly being incorporated, providing greater accuracy and more efficient tracking of malware.

The purpose of this paper is to summarize a few types of malware, the evolution of malware disguises, and techniques for detecting and analyzing malware.
Background

Creeper was an experimental piece of software created by Bob Thomas at BBN in 1971. Its initial version was intended to travel between DEC PDP-10 mainframe computers running the TENEX operating system over the ARPANET. An updated version, created by Ray Tomlinson, duplicated itself across computers instead of only moving between them. Creeper is widely recognized as the first computer worm because it is self-replicating; it served as a test of software capable of replicating itself and spreading to other computers.

"I'M THE CREEPER. CATCH ME IF YOU CAN." was the only message the program printed on the teletype; since it corrupted no data, it was not actively hostile software.

It is also important to note that malware has taken on many forms over the years in order to obtain as much information as possible from a user, as is shown in the image below.

APT malware has infected 180,000 computers in Vietnamese agencies and organizations in the past year, according to Bkav data. It is still primarily distributed via email with content that encourages or entices the reader to open attachments. Once the user opens the file, the malicious code is activated and the computer silently begins installing other components for remote control, stealing data, escalating privileges, etc. In order to keep attacking organizations and agencies, the attackers then use these tools to penetrate deeper into their systems...
Malware Analysis

Understanding the behavior and function of suspicious files and links is vital to the analysis of malware. The practice of identifying and analyzing suspicious files on endpoints and within networks is called malware analysis. It can be static, dynamic, or full reverse engineering.

Main Objectives:

• Destroying the malware: Malware analysis demystifies malware and cyberthreats and makes people aware of them. Malware, in reality, is nothing more than a software program specifically designed to harm. In order to prevent malware from infiltrating your ecosystem, or at least from spreading, it is essential to understand the code and how it works.

• Learning its characteristics and features: Like every piece of software, malware leaves a unique digital footprint. How does a particular strain, variant or family of malware treat data? In what ways does it spread? How quickly does it reproduce, and how does it conceal itself? Knowing the exact characteristics of malware makes it easier to detect.

• Revealing its functionality: A great deal of importance is placed on this aspect of malware analysis, and it is not easy to master. Most malware hides and waits for the right time to attack, so the user cannot comprehend the functionality of the application until it is too late. The purpose of malware analysis is to determine the intended function of software by analyzing its code.

• Tracing back the malware's origin: Because malware is challenging to trace, attackers are able to demand large sums of money as ransoms. Beyond identifying the coder who created the malware, malware analysis can identify its IP address, location, and even the organization that created it, so that when an attack occurs legal authorities can intervene quickly.

• Aggregating the data to predict the impact: A probable impact profile can be produced by combining the findings above. In terms of malware impact, its effectiveness, its target systems, and its speed of development and distribution are all factors. With this profile, companies can plan and implement mitigation procedures.

Malware Analysis Types:

1. Static malware analysis

Static analysis examines a malware file without launching the program. Because the code is never run, this method cannot infect the analyst's computer. The most basic form of static analysis does not even require looking at the code: metadata such as the file name, type, and size already helps determine the characteristics of the malware. MD5 checksums or other hashes of the file can be compared against a database to see whether anyone else has detected the sample previously, and a scan by antivirus software may indicate the type of infection.

Advanced static analysis disassembles the binary file and examines its components while still preventing the binary from executing. A disassembler can be used to reverse engineer the code, but malware authors can employ tricks that mislead the disassembler, so the static view may not reflect what the code actually does when it runs. Dynamic analysis is therefore also necessary.
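The basic static triage described above, as an added example (not code from this assignment or from any tool it cites): it fingerprints a file by hash, size and magic bytes, reads a few PE header fields without executing anything, and checks the hash against a known-bad list. The sample file and the known-bad list are constructed here.

```python
import hashlib
import struct

def file_type(data: bytes) -> str:
    """Classify by magic bytes rather than trusting the file extension."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:2] == b"PK":
        return "ZIP"   # also Office documents, JARs and APKs
    return "unknown"

def pe_details(data: bytes) -> dict:
    """Read a few COFF header fields from a PE file without running it."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return {}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"pe_signature": "missing"}
    machine, sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": sections, "compile_ts": timestamp}

# Expected magic type for common extensions; a mismatch is a classic static indicator.
EXPECTED_TYPE = {"exe": "PE", "dll": "PE", "scr": "PE", "pdf": "PDF", "docx": "ZIP"}

def triage(name: str, data: bytes, known_bad_sha256: set) -> dict:
    sha256 = hashlib.sha256(data).hexdigest()
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED_TYPE.get(ext)
    report = {
        "name": name,
        "size": len(data),
        "type": file_type(data),
        # MD5 is still common in hash databases but is collision-prone; match on SHA-256.
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": sha256,
        "known_bad": sha256 in known_bad_sha256,
    }
    report["extension_mismatch"] = expected is not None and expected != report["type"]
    report.update(pe_details(data))
    return report

# Constructed sample: a minimal PE header (DOS stub + "PE\0\0" + COFF header) named
# like a PDF, standing in for a lure attachment. Not a real program and not runnable.
SAMPLE_PE = bytearray(b"MZ" + b"\0" * 62)
struct.pack_into("<I", SAMPLE_PE, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
SAMPLE_PE += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1690000000, 0, 0, 0, 0)
SAMPLE_PE = bytes(SAMPLE_PE)

# Constructed known-bad list, seeded with the sample's own hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PE).hexdigest()}

if __name__ == "__main__":
    for key, value in triage("invoice.pdf", SAMPLE_PE, KNOWN_BAD_SHA256).items():
        print(f"{key:>19}: {value}")
```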

2. Dynamic malware analysis

Dynamic analysis, sometimes referred to as malware behavior analysis, involves running the malware in order to observe its behavior. Running malware obviously carries risk, so dynamic analysis must be done in a secure environment. A virtual system known as a "sandbox", isolated from the rest of the network, allows the malware to run without compromising production systems. When the study is over, the sandbox is reset to its initial state without any long-term harm.

Technical signs arise when malware is executed, and these offer a detection signature that dynamic analysis can recognize. Dynamic analysis tools monitor the sandbox to observe how the malware changes it: new registry keys, IP addresses, domain names, and file paths are examples of such modifications. Dynamic analysis will also show whether the malware contacts an outside server operated by the attacker. Another useful dynamic analysis tool is a debugger, which lets the analyst step through each instruction as the malware executes and examine its behavior action by action.
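The sandbox monitoring just described, as an added example (not code from this assignment or from any sandbox product): two snapshots of the sandbox, taken before and after the sample runs, are diffed to list the new registry keys, files, DNS names and connections, and the diff is then checked for persistence entries, dropped executables and contact with servers outside the lab network. The snapshots and the lab network ranges are constructed.

```python
import ipaddress

# Lab network ranges the sandbox may legitimately talk to; anything else counts as
# contact with an outside server. Constructed for this example.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
# Registry locations whose new entries usually mean the sample wants to survive a reboot.
PERSISTENCE_HINTS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Services\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat")

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAB_NETWORKS)

def diff_snapshots(before: dict, after: dict) -> dict:
    """Return only what changed between two sandbox snapshots, plus derived indicators."""
    new = {key: after[key] - before[key] for key in after}
    return {
        "new_registry": sorted(new["registry"]),
        "new_files": sorted(new["files"]),
        "new_dns": sorted(new["dns"]),
        "new_connections": sorted(f"{ip}:{port}" for ip, port in new["connections"]),
        "persistence": sorted(k for k in new["registry"]
                              if any(h in k for h in PERSISTENCE_HINTS)),
        "dropped_executables": sorted(f for f in new["files"]
                                      if f.lower().endswith(EXECUTABLE_EXT)),
        "external_contact": sorted(f"{ip}:{port}" for ip, port in new["connections"]
                                   if is_external(ip)),
    }

# Constructed snapshots standing in for what a sandbox agent records before and after
# detonation (registry keys, files, DNS queries, outbound connections). Not real telemetry.
BEFORE = {
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    "files": {r"C:\Users\lab\Documents\report.docx"},
    "dns": set(),
    "connections": set(),
}
AFTER = {
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
    "files": {r"C:\Users\lab\Documents\report.docx",
              r"C:\Users\lab\AppData\Roaming\svchost32.exe"},
    "dns": {"update.example-c2.test"},
    "connections": {("10.0.0.5", 445), ("203.0.113.7", 443)},
}

if __name__ == "__main__":
    for key, value in diff_snapshots(BEFORE, AFTER).items():
        print(f"{key:>20}: {value}")
```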

3. Manual malware analysis

An analyst can opt for manual analysis, in which they disassemble, decompile, and decrypt the code by hand. Manual analysis frequently reveals the strategic purpose behind malicious software, as the analyst examines the program's core logic and tries to work out the reasoning behind components that at first appear unnecessary. Manual analysis is often referred to as "code reversing": you start with the finished software, work your way back through the code, and eventually reach the original logic.

4. Automated malware analysis

Automated analysis examines the malware's numerous behavioral and static properties using an automated pipeline. This may not reveal the logic of the software, but it is quite useful for classifying the software in general terms and identifying the malware family it might belong to. Automation can generate thorough reports and feed information to incident response systems, ensuring that a human analyst only receives the most important signals. SNDBOX with AI and the Falcon Sandbox are two tools that can help with this.

Malware Detection

Malware that serves criminal ends is aggressive and may cause interference, disruption, and other negative effects on computers. Malware detection refers to the set of defensive strategies and tools that help detect, stop, and counteract malware's negative effects. Depending on the type of malware that infected the system, this preventive approach consists of many different methods, supported by an array of instruments.

1. Signature-Based Detection

Signature-based detection relies on the distinctive patterns, or signatures, that software leaves on a protected system as evidence of what it is. An antivirus application scans software and analyzes its signatures in order to match them against known malware signatures.

Antivirus software stores malware signatures in a huge library, which is periodically updated by the antivirus company's security research team. The up-to-date version of this database is continuously synced to protected devices.
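A minimal signature scanner of the kind described above, as an added example (not code from this assignment or from any antivirus product): signatures are loaded from a text file in a "Name:HexPattern" form with "??" wildcard bytes, compiled to byte regexes, and run over file contents. The signature file and the sample files are constructed and match nothing real.

```python
import re

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a hex pattern with '??' wildcard bytes into a byte regex."""
    tokens = hex_pattern.replace(" ", "").lower()
    if len(tokens) % 2:
        raise ValueError("pattern must contain whole bytes")
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: wildcard matches any byte

def load_signatures(text: str) -> dict:
    """Parse 'Name:HexPattern' lines, the shape of a vendor-distributed signature file."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pattern = line.split(":", 1)
        sigs[name.strip()] = compile_signature(pattern)
    return sigs

def scan(data: bytes, sigs: dict) -> list:
    """Return (signature name, offset) for every signature that matches the data."""
    hits = []
    for name, regex in sigs.items():
        match = regex.search(data)
        if match:
            hits.append((name, match.start()))
    return hits

# Constructed signature file; the patterns match only the constructed samples below.
SIGNATURE_DB = """
# name:hex pattern, ?? = any one byte
Test.Marker.A:54 45 53 54 2d ?? ?? 2d 4d 41 52 4b
Test.Marker.B:de ad be ef ca fe
"""
SIGNATURES = load_signatures(SIGNATURE_DB)

# Constructed samples: two that carry a marker and one benign file that only
# partially resembles the first pattern (no two-byte gap), which must not match.
SAMPLES = {
    "dropper.bin": b"MZ\x90\x00" + b"TEST-07-MARK" + b"\x00" * 8,
    "stager.bin": b"\x00" * 5 + b"\xde\xad\xbe\xef\xca\xfe",
    "readme.txt": b"TEST-MARK: nothing to see here",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan(data, SIGNATURES) or "clean")
```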
2. Heuristic Based Detection

Reams of data are combed and thoroughly examined by the malware analyst for any unusual activity or behavior. With this technique, the analyst looks for code that exhibits suspicious behavior rather than for a known pattern. Heuristic-based detection therefore enables detection of, and response to, both known and new malware attacks. The foundation of heuristic-based detection consists of two parts. First, the system's behavior is monitored while it is not under attack, and the vital data is recorded as a baseline. Second, deviations from that baseline are monitored to identify malware, including malware specific to a certain family.
LITERATURE REVIEW

Modern computer security has significantly improved over the years, but it remains challenging to keep systems safe from malware. Malware damages a computer system and infects nearby devices, causing errors as well as damage. These malicious programs affect the system, disrupt data and information, and steal information and data. The latest types of malware are less detectable and more concealable than traditional ones. Unlike traditional malware, today's types are installed and executed surreptitiously, attack the target chosen by the bad actors directly, and generate several variants in the process, each a new body accompanied by many different concealment techniques.
1. Signature based detection

Using signature-based detection, genetic algorithms (GA), and signature generators, Zolkipli and Jantan proposed a sophisticated malware detection system. The bioinformatics technique proposed by Tang et al. allows for the generation of accurate exploit-based signatures for polymorphic worms. A system based on sequence clustering and alignment was proposed by Borojerdi and Abadi. Only hundreds of malware specimens have been tested using the proposed method, which is limited to polymorphic malware. In those tests, they achieved an FPR of 0.80% by selecting a cluster radius of 0.4 and a similarity threshold of 0.05. Compared with state-of-the-art methods for signature generation, the proposed system performed better.

A schema named Hancock allows for the generation of high-quality string signatures while reducing the number of false positives (FPs) and maximizing malware coverage. An n-gram-based file signature was proposed by Santos et al. for detecting malware. As recently as 2009, Zheng et al. presented a malware analysis system for Android called DroidAnalytics that automatically identifies malicious code segments, generates signatures for applications, and associates the malware under study with other malware. According to the results, the recommended schema outperforms the ClamAV scanner and offers significant memory savings without sacrificing scanning performance.
2. Heuristic based detection

False positives can be reduced to an arbitrarily low level by using Arnold and Tesauro's automatic Win32 heuristic virus detection system. Associative classification is a method for reducing the number of rules generated and improving detection accuracy and time. Yanfang et al. presented post-processing techniques to reduce the number of rules generated and improve detection accuracy.

To detect malware that cannot be detected by traditional signature-based antivirus programs, B. Zahra et al. proposed a first-of-its-kind intelligent malware detection system (IMDS) based on objective-oriented association (OOA) mining. Three parts make up the IMDS: the PE (portable executable) parser, the OOA rule generator, and the rule-based classifier. A statistical analysis of opcode frequency distributions shows a statistically significant difference between malware and benign programs. To obtain more reliable results, the suggested methods should be tested on more samples and compared with other well-known heuristic methods. Dynamic and static features can be combined to improve the performance of the detection system.
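The opcode frequency observation just mentioned, turned into the baseline-then-deviation heuristic of the Heuristic Based Detection section, as an added example (not code from this assignment or from any of the cited papers): frequency distributions are built from labelled opcode traces, converted into per-opcode log-odds weights, and a new trace is scored by summing those weights. The opcode traces are constructed and far too small for real use; the method is what matters.

```python
import math
from collections import Counter

# Constructed opcode traces standing in for disassembler output of labelled training
# samples; a real study would use thousands of samples per class.
BENIGN = [
    "push mov call mov add ret push mov call pop ret mov lea call test jz mov ret".split(),
    "push mov sub call mov cmp jne add ret mov mov call lea ret push pop ret".split(),
]
MALWARE = [
    "xor xor rol xor dec jnz push call xor add jmp xor rol dec jnz call ret".split(),
    "push xor rol xor loop call pushf popf xor cmp jne dec jnz xor ret".split(),
]

def frequency_distribution(traces, vocab, alpha=1.0):
    """Relative opcode frequencies with add-alpha smoothing so unseen opcodes are not zero."""
    counts = Counter(op for trace in traces for op in trace)
    total = sum(counts.values()) + alpha * len(vocab)
    return {op: (counts[op] + alpha) / total for op in vocab}

def train(benign, malware):
    """Per-opcode log-odds: positive means the opcode is more typical of malware."""
    vocab = {op for trace in benign + malware for op in trace}
    p_benign = frequency_distribution(benign, vocab)
    p_malware = frequency_distribution(malware, vocab)
    return {op: math.log(p_malware[op] / p_benign[op]) for op in vocab}

def score(trace, weights):
    """Sum of log-odds over the trace; opcodes never seen in training are neutral."""
    return sum(weights.get(op, 0.0) for op in trace)

def classify(trace, weights, threshold=0.0):
    return "malware" if score(trace, weights) > threshold else "benign"

def top_indicators(weights, n=3):
    """Opcodes that most shift a sample toward the malware class."""
    return [op for op, _ in sorted(weights.items(), key=lambda kv: -kv[1])[:n]]

WEIGHTS = train(BENIGN, MALWARE)

if __name__ == "__main__":
    for trace in ("push mov call ret mov add ret".split(), "xor rol xor dec jnz xor".split()):
        print(" ".join(trace), "->", classify(trace, WEIGHTS), round(score(trace, WEIGHTS), 2))
    print("top indicators:", top_indicators(WEIGHTS))
```

The threshold is the tuning knob between false positives and missed detections; the literature reviewed above reports exactly that trade-off.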

DISCUSSION

From the discussion above, we identified two primary methods used to analyze malware. Identifying malware is made harder still by the many camouflage strategies it uses. Malware writers respond to new methods of analysis by developing counter-analysis techniques, which in turn prompt new detections, analyses, and finally countermeasures. Even after the publication of multiple new methods based on these diverse detection approaches, it is not possible to identify every new generation of sophisticated malware. Despite their high FPRs, signature- and heuristic-based detection techniques are effective in finding known malware. Furthermore, a number of known and ongoing attacks have been recognized by deep learning-based technologies, on mobile devices and on the Internet. However, these techniques will not be able to stop all attacks. A reliable method for identifying malware is difficult to build, hence there is a pressing need for new research methodologies.
CONCLUSION

Static analysis examines malware files without launching the program. Because running the code might infect the machine, this is the safest form of malware analysis. The most basic form of static analysis gathers information about malware without even looking at the code. Information contained in metadata such as the file name, type, and size can help identify the malware's characteristics. A database can be searched for previously seen samples on the basis of checksums and hashes such as MD5. Antivirus scanning may also indicate what type of infection is present.

Advanced static analysis disassembles binary files so that each component can be examined without the binary being executed. Malware authors may, however, employ tricks that mislead a disassembler so that the code it shows differs from what actually runs. Malware must therefore also be analyzed dynamically.

References

1) Evolution of Malware Threats and Techniques: A Review:
https://www.proquest.com/openview/9cba498838c4c7e7eb8a69a27b9ab042/1?pq-origsite=gscholar&cbl=52057
Access: September 28th 2023

2) Cybersecurity in Vietnam in 2022 still has points of concern (An ninh mạng 2022 tại Việt Nam vẫn còn những điểm đáng quan ngại):
https://www.qdnd.vn/giao-duc-khoa-hoc/cac-van-de/an-ninh-mang-2022-tai-viet-nam-van-con-nhung-diem-dang-quan-ngai-713907
Access: September 28th 2023

3) An Emerging Malware Analysis Techniques and Tools: A Comparative Analysis:
https://www.ijert.org/research/an-emerging-malware-analysis-techniques-and-tools-a-comparative-analysis-IJERTV10IS040071.pdf
Access: September 29th 2023

4) What Is Malware Analysis? Definition, Types, Stages, and Best Practices:
https://www.spiceworks.com/it-security/data-security/articles/what-is-malware-analysis-definition-types-stages-best-practices/
Access: October 1st 2023

5) A Research on the Heuristic Signature Virus Detection Based on the PE Structure:
https://www.semanticscholar.org/paper/A-Research-on-the-Heuristic-Signature-Virus-Based-Gao/a720f283a65a8320b51dc231d9406388ebc1ed3f#extracted
Access: October 1st 2023

6) 4 Malware Detection Techniques and Their Use in EPP and EDR:
https://www.cynet.com/malware/4-malware-detection-techniques-and-their-use-in-epp-and-edr/#:~:text=Malware%20detection%20involves%20using%20techniques,%2C%20checksumming%2C%20and%20application%20allowlisting.
Access: October 1st 2023

7) On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks:
https://www.researchgate.net/publication/357840708_On_the_Detection_Capabilities_of_Signature-Based_Intrusion_Detection_Systems_in_the_Context_of_Web_Attacks
Access: October 2nd 2023

8) A Comprehensive Review on Malware Detection Approaches:
https://www.researchgate.net/publication/338377124_A_Comprehensive_Review_on_Malware_Detection_Approaches
Access: October 2nd 2023

9) Malware Analysis and Classification: A Survey:
https://www.researchgate.net/publication/276495476_Malware_Analysis_and_Classification_A_Survey
Access: October 2nd 2023

10) A study of methodologies used in intrusion detection and prevention system (IDPS):
https://www.researchgate.net/publication/234082442_A_study_of_methodologies_used_in_intrusion_detection_and_prevention_system_IDPS
Access: October 2nd 2023
