Swinburne University of Technology

Faculty of Science, Engineering and Technology

ASSIGNMENT AND PROJECT COVER SHEET

Unit Code: Unit Title:

Assignment number and title: Assignment 1 Reseach Project Due date: 02/21/23

Lab group: Tutor: Lecturer: Dr. Tung Hoang

Nguyen
Family name: Identity no: 103488036

Viet Trung
Other names:

To be completed if this is an INDIVIDUAL ASSIGNMENT

I declare that this assignment is my individual work. I have not worked collaboratively, nor have I copied from
any other student’s work or from any other source except where due acknowledgment is made explicitly in
the text, nor has any part been written for me by another person.

Signature: Nguyen Viet Trung

To be completed if this is a GROUP ASSIGNMENT

We declare that this is a group assignment and that no part of this submission has been copied from any
other student's work or from any other source except where due acknowledgment is made explicitly in the
text, nor has any part been written for us by another person.

ID Number Name Signature

Marker's comments:

Total Mark:

Extension certification:

This assignment has been given an extension and is now due on: February 21st 2023
Signature of Convener: Date: / 2022

Abstract
Malware is a general term for viruses, worms, trojans, and other harmful computer
programs that hackers use to destroy and gain access to sensitive information. When the
Internet is gradually becoming an indispensable part of our lives, malicious objects have
been trying to sneak into the security loopholes of devices and systems, creating a serious
relationship with businesses and users.

In other words, software is identified as malicious software based on its intended use,
rather than a specific technique or technology used to build the software. They are usually
not too large, complex and have the ability to steal basic data, and affect the performance
of the device, endangering the user.

Introduction
Malware designed and created to harm devices and users, can steal data and adversely
affect device performance. Today's malware is largely designed to attack devices and
applications over the Internet. Since the Internet today has become an integral part of our
work and life, the most important thing is to track and stop these software as soon as
possible, to avoid harm and long-term risk for users. The most dangerous today is
probably the type of malware that can spread to other devices, they cause widespread
destruction, in turn affecting many users, sometimes at the same time. These are also the
most difficult to prevent, because they are like a disease, as long as there’s an 'infected’
device, the malicious virus is still there. Prevention is becoming more and more difficult as
malware developers increasingly make them harder to track and penetrate more
sophisticated devices.

Today, antivirus software is often one of the most used tools to protect the devices and
servers of users and businesses. They are created to track and prevent as well as destroy
malicious software on the machine. But as the future goes on, everything evolves, and
even malware is no exception. When malware creators get access to antivirus software,
they will penetrate and learn how these softwares work, and find their loopholes, and
creating new malware that bypasses firewalls of those software is only a matter of time.
Fortunately, thanks to the rapid development of systems science, computer software for
security is increasingly being improved, combined with tracing techniques and machine
learning are increasingly applied. , which provides greater accuracy and more efficient
tracking of malware.

The purpose of this paper is to summarise a few types of malware, the evolution of
malware disguises, and techniques for detecting and analysing malware.
Background
In 1971, Bob Thomas at BBN created the experimental computer software known as
Creeper. An updated version by Ray Tomlinson was created to duplicate itself across
computers rather than only move between DEC PDP-10 mainframe computers running
the TENEX operating system and its initial version was created to travel between them
over the ARPANET. It is widely acknowledged that this self-replicating Creeper variant
was the first computer worm. Creeper was a test designed to show the viability of a
computer software that could replicate itself and spread to other computers.

The sole consequence of the program was a message it produced to the teletype reader,
which proved that it wasn't actively hostile software because it didn't corrupt any data "I'M
THE CREEPER. CATCH ME IF YOU CAN"

Over the years,malware has also taken on many new forms, in order to make the
malicious code affect as many user files as possible, as can be seen in the image below.

According to Bkav's statistics, 180,000 computers in Vietnamese agencies and

organisations were infected with APT malware in the past year. The main distribution
route is still sending emails with content that entices or urges to open attachments. The
malicious code activates as soon as the user opens the file, thereby silently operating on
the victim's computer: installing other component modules for remote control, stealing
data, escalating privileges, taking advantage of the device. equipment to continue the
attack to penetrate deeper into the system of agencies and organisations…

Malware Analysis

An analysis of malware involves understanding how suspicious files and links behave and
function. According to Vmware.com, malware analysis is defined as 'the practice of
determining and analysing suspicious files on endpoints and within networks using
dynamic analysis, static analysis, or full reverse engineering'.
Main Objectives:

 Destroying the malware: One of the goals of malware analysis is to demystify

malware and cyberthreats so that people are aware of what they are facing. As a
matter of fact, malware is nothing more than a software program designed
specifically for causing harm. A deep understanding of the code and how it works is
 critical to preventing malware from infiltrating your ecosystem or at least preventing
it from spreading.

 Learning its characteristics and features: Malware leaves a unique digital

footprint, as does every piece of software. How does a particular malware family or
variation treat data? How is it spreaded? What is its rate of reproduction and
concealment strategy? Detecting malware is easier when you know its exact
characteristics.

 Revealing its functionality: Malware analysis relies heavily on this aspect, which
is difficult to master. Most malware waits to attack at the right time before hiding. As
a result, the user will not be able to understand its functionality until it is too late.
Analysing the code of software is part of malware analysis, which aims to
determine its intended functionality.

 Tracing back the malware’s origin: The difficulty in tracing malware makes it a
great opportunity for hackers to hold data ransom for large sums of money.
Through malware analysis, it is possible to identify not only the coder who created
the malware, but also the IP address, the location, and even the organisation where
the malware was created. As a result, legal authorities can intervene swiftly when
an attack occurs.

 Aggregating the data to predict the impact: In order to produce a probable

impact profile, the series of surveys above can be combined. Malware impacts are
determined by how well it works, which systems it attacks, and how quickly it
develops and distributes. As a result, mitigation procedures can be planned and
implemented by companies.

Malware Analysis Types:

 1. Static malware analysis
A malware file is examined using static analysis without the program being
launched. This method of malware analysis is the most secure since running the
code might infect your machine. Static analysis, in its most basic version, gathers
data from malware without even looking at the code. File name, type, and size
metadata can provide information about the malware's characteristics. Checksums
or hashes generated with MD5 may be compared to a database to see if the virus
has ever been seen before. Moreover, antivirus software scanning might indicate
the type of infection you are dealing with.

Advanced static analysis disassembles binary files to examine each component

while keeping it from being executed. Reverse engineering the code with a
disassembler is one approach, but hackers may trick disassemblers and make
malicious code continue to run. Dynamic malware analysis is also needed.

2. Dynamic malware analysis

The malware program is executed during dynamic analysis, also known as
malware behaviour analysis, to study its activity. It goes without saying that
there is some danger involved in operating malware, hence a secure
environment must be used for dynamic analysis. A virtual system known as a
"sandbox" environment allows malware to be executed without endangering
production systems since it is separated from the rest of the network. The
sandbox may be rolled back to its initial state when the study is finished without
suffering any long-term damage.

Technical signs arise when malware is executed and offer a detection signature
that dynamic analysis can recognize. The sandbox system is monitored by dynamic
analysis tools to observe how the virus changes it. New registry keys, IP
addresses, domain names, and file path locations are examples of modifications.
 Dynamic analysis will also show whether the infection is contacting an outside
server used by the hacker. Another beneficial dynamic analysis tool is debugging.
A debugger may focus on each action of the program's behaviour when the
instructions are being processed while the malware is operating.

3. Manual malware analysis

An analyst may choose for a manual analysis in which they manually disassemble
the code using debuggers, decompilers, and decryptors. When the analyst
investigates the underlying logic of the program and tries to forecast the reasoning
behind components that initially look unneeded, manual analysis frequently
discloses the strategic goal behind harmful software. As you effectively start with
the finished software, work your way back through the code, and eventually arrive
at the original logic, manual analysis is sometimes referred to as code reversing.

4. Automated malware analysis

With an automated workflow, the malware's many behavioural and static features
are examined during automated analysis. The software's logic may not be revealed
by this, but it is incredibly helpful for determining its general categorization and
which malware family it may belong to. Automation is capable of producing
comprehensive reports and supplying data to incident response systems, ensuring
that a human analyst receives just the most crucial signals. Among the tools that
can assist you in doing this are the Falcon Sandbox and the SNDBOX with AI.

Malware Detection
As mentioned above, malware is aggressive in nature and may ruin, disrupt, and have
many other negative impacts on computer systems in order to serve criminal ends. On the
other hand, malware detection is a collection of defensive methods and tools needed to
spot, stop, and counteract the negative consequences of malware. This preventive
approach comprises a vast body of methods, amplified by various instruments dependent
on the sort of malware that infected the system.

1. Signature-Based Detection

Software applications executing on a secured system leave a distinct digital trail

known as a signature, which is used in signature-based detection. Software is
scanned by antivirus applications, which then analyze their signatures and match
them to those of known malware.

A huge library of recognized malware signatures is used by antivirus software, and

it is generally updated by a security research team run by the antivirus company.
The most recent version of this database is synced with secured devices and is
constantly updated.
2. Heuristic Based Detection

The malware analyst will go through and analyse reams of data for any abnormal
behaviour or activity. Using this method, the analyst must search for harmful code
that displays questionable behaviour. It is possible to identify and respond to known
and unknown malware assaults using heuristic-based detection. Heuristic-based
detection is based on two components. The system's behaviour is first watched
over without being attacked, and a record of crucial information is kept. The second
keeps track of this distinction to find malware unique to a given family.
 Heuristic virus detection is typically combined with signature-based detection and
sandboxing for the best outcome.

LITERATURE REVIEW
Keeping systems safe from malware is becoming increasingly challenging these days,
despite significant improvements in modern computer security. The malware causes
errors as well as damage to the computer system and infects nearby devices. They affect
the system, disturb or steal important data and information. Compared with traditional
malware, today's modern types are more concealed, with increasingly lower detection
levels. They are not like the traditional type, which is open to the public, today's types are
installed and executed surreptitiously and strike directly at the target targeted by the bad
actors, they even create many variables. new body, accompanied by many different
concealment techniques.
 1. Signature based detection
F. Zolkipli and Jantan proposed a new malware detection framework based on s-
based detection, genetic algorithm (GA), and signature generator. Tang et al.
proposed a bioinformatics technique to generate accurate exploit-based signatures
for polymorphic worms. Borojerdi and Abadi proposed a MalHunter detection
system based on sequence clustering and alignment. The proposed method is
limited to polymorphic malware and has been tested on only hundreds of malware.
The test results showed that by choosing the cluster radius 0.4 and similarity
threshold 0.05, they achieved detection rate of 90.83% with a FPR of 0.80%. The
proposed system outperformed state-of-the-art signature generation methods.

Hancock is a proposed schema that can generate high-quality string signatures

with minimal FPs and maximal malware coverage. Santos et al. proposed n -
grams-based file signatures to detect malware. Zheng et al. presented
DroidAnalytics, an Android malware analytic system that can automatically collect
malware, generate signatures for applications, identify malicious code segments,
and associate the malware under study with various malware in the database. The
results have shown that the suggested schema performs well when compared to
the Clam-AV scanner, and provides huge memory savings while maintaining fast
scanning speed.

2. Heuristic based detection

Arnold and Tesauro proposed an automatically generated Win32 heuristic virus
detection system that reduces the risk of FP to an arbitrarily low level. Yanfang et
al. proposed post-processing techniques of associative classification to reduce the
number of generated rules and improve the detection time and accuracy rate.

B. Zahra et al. proposed an intelligent malware detection system (IMDS) that uses
objective-oriented association (OOA) mining to detect malware that cannot be
detected by traditional signature-based antivirus systems. The IMDS consists of 3
parts: PE (portable executables) parser, OOA rule generator, and rule based
classifier. A statistical analysis of opcode frequency distributions showed that there
is a statistically significant difference in opcode distribution between malware and
benign. To get more reliable results, more samples need to be analysed and
suggested method results' need to be compared with other well-known heuristic
methods. A detection system that combines static and dynamic features improves
the method performance.

DISCUSSION
Based on our discussion, we found that malware analysis uses two main strategies.
Moreover, malware uses a variety of camouflage strategies that make it difficult for
analysts to identify it. A writer's response to the development of new methods of analysis
is to develop new methods of counteranalysis, detection, analysis, and then finally to
create countermeasures. It is not possible to identify every new generation of
sophisticated malware, even after the publication of multiple new methods based on these
diverse malware detection approaches. It is efficient to detect known malware using
signature- and heuristic-based detection approaches even though they have high FPRs.
Further, deep learning-based technologies, mobile devices, and the Internet seem to have
detected several known and ongoing assaults. It is, however, impossible to prevent certain
assaults with these methods. There is a critical need for new research techniques for
detecting malware, as developing a reliable approach to detecting malware is
challenging.

CONCLUSION
Malware threats are evolving at an accelerating rate. Networks are now constantly
targeted by malware assaults because they have grown susceptible. No one is completely
safe, not even a single system or an entire network of an organisation. This aspect has
made forensic digital examination of these offences extremely important in recent studies.
Malware assaults are becoming more frequent, more severe, and more complicated, and
they are also costing the globe more money. The repercussions of using this type of
malware to attack are terrible and seriously harm both people and businesses' assets.
However many unanswered problems remain about the detection and eradication of
malware. The article provides a detailed analysis of the most recent research on malware
detection, including approaches, tactics, and algorithms. In addition to being succinctly
discussed and summarised, each approach for detecting malware has been split down
into its benefits and drawbacks.

References

1) A Brief History of The Evolution of Malware: https://www.fortinet.com/blog/threat-

research/evolution-of-malware
Access: February 1st 2022

2) An ninh mạng 2022 tại Việt Nam vẫn còn những điểm đáng quan ngại:
https://www.qdnd.vn/giao-duc-khoa-hoc/cac-van-de/an-ninh-mang-2022-tai-viet-
nam-van-con-nhung-diem-dang-quan-ngai-713907
Access: February 1st 2022

3) What is Malware Analysis?:

https://www.vmware.com/topics/glossary/content/malware-analysis.html#:~:text=Malware
%20Analysis%20is%20the%20practice,analysis%2C%20or%20full%20reverse
%20engineering.
Access: February 1st 2022

4) What Is Malware Analysis? Definition, Types, Stages, and Best Practices:

https://www.spiceworks.com/it-security/data-security/articles/what-is-malware-analysis-
definition-types-stages-best-practices/
Access: February 2nd 2022
5) What Is a Heuristic Virus and How to Remove It:
https://www.pandasecurity.com/en/mediacenter/security/heuristic-virus/
Access: February 3rd 2022

6) 4 Malware Detection Techniques and Their Use in EPP and EDR:

https://www.cynet.com/malware/4-malware-detection-techniques-and-their-use-in-epp-
and-edr/#:~:text=Malware%20detection%20involves%20using%20techniques,%2C
%20checksumming%2C%20and%20application%20allowlisting.
Access: February 3rd 2022

7) On the Detection Capabilities of Signature-Based Intrusion Detection

Systems in the Context of Web Attacks:
https://www.researchgate.net/publication/357840708_On_the_Detection_Capab
ilities_of_Signature-
Based_Intrusion_Detection_Systems_in_the_Context_of_Web_Attacks
Access: February 3rd 2022

7) A Comprehensive Review on Malware Detection Approaches:

https://ieeexplore.ieee.org/abstract/document/8949524
Access: February 3rd 2022