Malware Forensics Introduction

The document provides an overview of malware, including its definition, types, and methods of infection, as well as the impact it can have on systems and users. It also discusses detection and removal strategies, the history of malware, and the field of malware forensics, which involves investigating and analyzing malware incidents. The document outlines investigative methodologies used in malware forensics, emphasizing the importance of preserving and examining data during investigations.

Uploaded by ashnaphilip

MALWARE FORENSICS

INTRODUCTION
MALWARE
• MALICIOUS SOFTWARE
• Any program or file that is harmful to a computer user.
• TYPES:- computer viruses, worms, Trojan horses and spyware
• Malicious programs can perform a variety of functions, such as stealing, encrypting or deleting sensitive data, monitoring users' computer activity, demanding ransom, locking the computer system or communicating over the internet.
What does malware do?

• Malware can infect networks and devices and is designed to harm those devices, networks and/or their users in some way.
• Depending on the type of malware, this harm can take many forms and may present itself differently to the user.
• In some cases, the effect malware has is relatively mild and benign, and in others, it can be disastrous.
• No matter the method, all types of malware are designed to exploit devices at the expense of the user and to the benefit of the hacker -- the person who has designed and/or deployed the malware.
How do malware infections happen?

• Malware authors use a variety of physical and virtual means to spread malware that infects devices and networks.
• For example, malicious programs can be delivered to a system with a USB drive or can spread over the internet through drive-by downloads, which automatically download malicious programs to systems without the user's approval or knowledge.
• Phishing attacks are another common type of malware delivery where emails disguised as legitimate messages contain malicious links or attachments that can deliver the malware executable file to unsuspecting users.
• Sophisticated malware attacks often feature the use of a command-and-control server that enables threat actors to communicate with the infected systems, exfiltrate sensitive data and even remotely control the compromised device or server.
CONTINUE…
• Emerging strains of malware include new evasion and
obfuscation techniques that are designed to not only
fool users but security administrators and antimalware
products as well.
• Some of these evasion techniques rely on simple tactics,
such as using web proxies to hide malicious traffic or
source IP addresses.
• More sophisticated threats include polymorphic
malware that can repeatedly change its underlying code
to avoid detection from signature-based detection tools.
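The command-and-control bullet above says the threat actor's server has to communicate with the infected host, and the evasion bullets say proxies and polymorphism hide what that traffic looks like. One thing a defender can still see is timing: an implant that checks in on a timer produces requests at nearly equal intervals, which is unlike human browsing. The following Python is an added example, not code from these slides; it parses constructed proxy log lines in a made-up "timestamp client destination bytes status" format (hosts use the reserved .test domain) and flags client/destination pairs whose request spacing is suspiciously regular.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log in a hypothetical "timestamp client destination bytes status"
# format. The hosts use the reserved .test TLD; none of this is real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example-static.test 52311 200
2024-03-01T10:00:05 10.0.0.5 c2.example-bad.test 312 200
2024-03-01T10:00:13 10.0.0.7 mail.example-corp.test 8842 200
2024-03-01T10:01:05 10.0.0.5 c2.example-bad.test 298 200
2024-03-01T10:01:40 10.0.0.5 cdn.example-static.test 21000 200
# comment lines and anything that does not match the format are skipped
2024-03-01T10:02:07 10.0.0.5 c2.example-bad.test 305 200
2024-03-01T10:02:10 10.0.0.5 cdn.example-static.test 4410 200
2024-03-01T10:03:04 10.0.0.5 c2.example-bad.test 311 200
2024-03-01T10:04:06 10.0.0.5 c2.example-bad.test 299 200
2024-03-01T10:05:05 10.0.0.5 c2.example-bad.test 307 200
2024-03-01T10:07:30 10.0.0.5 cdn.example-static.test 9120 200
2024-03-01T10:08:00 10.0.0.5 cdn.example-static.test 1200 200
2024-03-01T10:09:00 10.0.0.7 mail.example-corp.test 7731 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text: str) -> list:
    """Turn log lines into records; lines that do not match the format are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest, nbytes, status = m.groups()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "dest": dest,
            "bytes": int(nbytes),
            "status": int(status),
        })
    return records


def find_beacons(records: list, min_requests: int = 4, max_cv: float = 0.2) -> list:
    """Flag (client, destination) pairs whose request spacing is suspiciously regular.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive requests: near 0 means a fixed timer, near 1 means the
    bursty, irregular spacing of a person browsing.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["dest"])].append(r["time"])

    findings = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "dest": dest,
                "requests": len(times),
                "mean_interval_s": mean,
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['dest']}: {f['requests']} requests every "
              f"~{f['mean_interval_s']:.0f}s (cv={f['cv']})")
```

On the constructed log only the 10.0.0.5 to c2.example-bad.test pair is flagged: six requests roughly every 60 seconds with a few seconds of jitter. The CDN traffic from the same client has gaps of 30 to 320 seconds and is left alone, and the mail host never reaches the four-request minimum. Thresholds like `max_cv` need tuning per environment; software update checks and monitoring agents also beacon regularly and belong on an allow list.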
Different ways malware can get into a system:

• Instant messenger applications
• Internet relay chat
• Removable devices
• Links and attachments in emails
• Browser and email
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites & freeware software
• Downloading files, games and screensavers from websites.
Common types of malware
CONTINUE…
• A virus is the most common type of malware and can damage the operation of a computer system.
• A worm can self-replicate without a host program and typically spreads without any human interaction.
• A Trojan horse is designed to appear as a legitimate software program
to gain access to a system. Once activated following installation,
Trojans can execute their malicious functions.
• Spyware is made to collect information and data on the device and
user, as well as observe the user's activity without their knowledge.
• Ransomware is designed to infect a user's system and encrypt its
data. Cybercriminals then demand a ransom payment from the victim
in exchange for decrypting the system's data.
• A rootkit is created to obtain administrator-level access to the victim's
system. Once installed, the program gives threat actors root or privileged
access to the system.
• A backdoor virus or remote access Trojan (RAT) secretly creates a
backdoor into an infected computer system that enables threat actors to
remotely access it without alerting the user or the system's security
programs.
• Adware is used to track a user's browser and download history with the
intent to display pop-up or banner advertisements that lure the user into
making a purchase. For example, an advertiser might use cookies to track
the webpages a user visits to better target advertising.
• Keyloggers, also called system monitors, are used to track nearly
everything a user does on their computer. This includes emails, opened
webpages, programs and keystrokes.
How to detect malware

• A user may be able to detect malware if they observe unusual activity such as a sudden loss of disc space, unusually slow speeds, repeated crashes or freezes, or an increase in unwanted internet activity and pop-up advertisements.
• Antivirus software may also be installed on the device to detect and remove malware. These tools can provide real-time protection or detect and remove malware by executing routine system scans.
• Windows Defender, for example, is Microsoft's anti-malware software included in the Windows 10 operating system (OS) under the Windows Defender Security Centre. Windows Defender protects against threats such as spyware, adware and viruses. Users can set automatic "Quick" and "Full" scans, as well as set low, medium, high and severe priority alerts.
How to remove malware

• Many security software products are designed to both detect and prevent malware, as well as remove it from infected systems.
• Malwarebytes is an example of an antimalware tool that handles both detection and removal of malware.
• It can remove malware from Windows, macOS, Android and iOS platforms. Malwarebytes can scan a user's registry files, running programs, hard drives and individual files. If detected, malware can then be quarantined and deleted.
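The detection and removal slides describe a scanner that matches files against signatures and quarantines what it finds, and the earlier evasion slide notes that polymorphic malware changes its bytes to defeat signature matching. The following Python is an added example, not code from the slides or from any product named on them; it assumes a constructed signature list with one full-file SHA-256 hash and one byte pattern, scans a constructed directory, and quarantines the hits. The file variant.bin differs from exact.bin by a single padding byte, so the hash signature misses it while the byte-pattern signature still catches it, which is why products pair exact hashes with looser pattern rules.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed sample "malware" body: a fake PE-style header followed by a made-up
# marker string. Nothing here is a real malware indicator.
SAMPLE_MALICIOUS = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 16
    + b"CONSTRUCTED-EXAMPLE-MARKER-C2-BEACON"
    + b"\x00" * 32
)

# Constructed signature database. A hash entry matches one exact file; a byte
# pattern also matches variants whose other bytes have changed.
SIGNATURES = {
    "hashes": {hashlib.sha256(SAMPLE_MALICIOUS).hexdigest(): "Example.Trojan.A"},
    "patterns": {b"CONSTRUCTED-EXAMPLE-MARKER-C2-BEACON": "Example.Trojan.Gen"},
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path, signatures: dict = SIGNATURES) -> list:
    """Return (rule_type, family) pairs that match this file; an empty list means clean."""
    hits = []
    digest = sha256_file(path)
    if digest in signatures["hashes"]:
        hits.append(("hash", signatures["hashes"][digest]))
    data = path.read_bytes()
    for pattern, family in signatures["patterns"].items():
        if pattern in data:
            hits.append(("pattern", family))
    return hits


def scan_directory(root: Path, signatures: dict = SIGNATURES) -> dict:
    """Scan every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): scan_file(p, signatures)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def quarantine(path: Path, quarantine_dir: Path, hits: list) -> Path:
    """Move a detected file aside and record where it came from and why."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(path)
    dest = quarantine_dir / f"{digest}.quar"
    shutil.move(str(path), str(dest))
    meta = {"original_path": str(path), "sha256": digest,
            "detections": hits, "quarantined_at": time.time()}
    dest.with_suffix(".json").write_text(json.dumps(meta, indent=2))
    return dest


def demo(root: Optional[Path] = None) -> dict:
    """Write three constructed files, scan them, and quarantine what was detected."""
    root = root or Path(tempfile.mkdtemp(prefix="scan-demo-"))
    (root / "clean.txt").write_bytes(b"quarterly report, nothing suspicious here\n")
    (root / "exact.bin").write_bytes(SAMPLE_MALICIOUS)
    variant = bytearray(SAMPLE_MALICIOUS)
    variant[-1] = 0x41  # one padding byte changed: the hash no longer matches
    (root / "variant.bin").write_bytes(bytes(variant))

    results = scan_directory(root)
    quarantined = [
        quarantine(root / rel, root / "quarantine", hits).name
        for rel, hits in results.items() if hits
    ]
    remaining = sorted(p.name for p in root.iterdir() if p.is_file())
    return {"results": results, "quarantined": sorted(quarantined), "remaining": remaining}


if __name__ == "__main__":
    for name, hits in demo()["results"].items():
        print(f"{name}: {hits or 'clean'}")
```

The quarantined files are moved unchanged into a quarantine directory, so a later scan of the same root would flag them again; real products store quarantined files in an encoded or encrypted form and exclude that directory from scans, and they keep the metadata sidecar so a false positive can be restored to its original path.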
History of malware

• The term malware was first used by computer scientist and security researcher Yisrael
Radai in 1990. However, malware existed long before this.
• One of the first known examples of malware was the Creeper virus in 1971, which was
created as an experiment by BBN Technologies engineer Robert Thomas. Creeper was
designed to infect mainframes on ARPANET. While the program did not alter functions --
or steal or delete data -- it moved from one mainframe to another without permission
while displaying a teletype message that read, "I'm the creeper: Catch me if you can."
• Creeper was later altered by computer scientist Ray Tomlinson, who added the ability to
self-replicate to the virus and created the first known computer worm.

• The concept of malware took root in the technology industry, and examples of viruses
and worms began to appear on Apple and IBM personal computers in the early 1980s
before becoming popularized following the introduction of the World Wide Web and the
commercial internet in the 1990s. Since then, malware, and the security strategies to
prevent it, have only grown more complex.
MALWARE FORENSICS
• It is a way of finding, analyzing and investigating the various properties of malware to seek out the culprits and the reason for the attack.
• The method also includes tasks like examining the malicious code and determining its point of entry, method of propagation, impact on the system, the ports it tries to use, etc.
• Investigators conduct forensic investigations using different techniques and tools.
Investigative & forensic methodologies

• When malware is discovered on a system, there are many decisions that must be made and actions that must be taken.
• Breaking investigations into 5 phases:
1. Forensic preservation and examination of volatile data
2. Examination of memory
3. Forensic analysis: examination of hard drives
4. Static analysis of malware
5. Dynamic analysis of malware
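Phase 1 above, forensic preservation of volatile data, rests on two habits: collect the most volatile sources first (memory and live network state vanish at power-off, the disk does not), and hash every artifact at the moment of collection so the examination phases that follow can prove the evidence has not changed since. The following Python is an added example, not from the slides; it assumes a stand-in set of collectors (constructed byte strings in place of a memory imager, netstat or ps), an assumed order of volatility, and a constructed case id, and it shows the manifest catching an artifact that was altered after collection.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Dict, Optional

# Assumed order of volatility, most volatile first: collect what disappears on
# power-off before anything that survives on disk.
ORDER_OF_VOLATILITY = ["memory", "network_connections", "processes",
                       "logged_in_users", "disk_image"]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def preserve(collectors: Dict[str, Callable[[], bytes]], out_dir: Path, case_id: str) -> dict:
    """Run each collector most-volatile-first, save its output, and hash it into a manifest."""
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"case": case_id, "collected": []}
    for name in ORDER_OF_VOLATILITY:
        if name not in collectors:
            continue  # nothing available for this source on this host
        data = collectors[name]()
        artifact = out_dir / f"{name}.bin"
        artifact.write_bytes(data)
        manifest["collected"].append({
            "artifact": name,
            "file": artifact.name,
            "size": len(data),
            "sha256": sha256_bytes(data),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir: Path) -> Dict[str, bool]:
    """Re-hash every artifact; False means it no longer matches what was collected."""
    manifest = json.loads((out_dir / "manifest.json").read_text())
    return {
        e["artifact"]: sha256_bytes((out_dir / e["file"]).read_bytes()) == e["sha256"]
        for e in manifest["collected"]
    }


def demo(out_dir: Optional[Path] = None) -> dict:
    """Preserve constructed artifacts, then show the manifest catching a later change."""
    out_dir = out_dir or Path(tempfile.mkdtemp(prefix="preserve-demo-"))
    # Constructed stand-ins for real acquisition tools (memory imager, netstat, ps).
    collectors = {
        "processes": lambda: b"PID   NAME\n412   svchost.exe\n2231  updater.exe\n",
        "network_connections": lambda: b"10.0.0.5:49213 -> 203.0.113.9:443 ESTABLISHED\n",
        "memory": lambda: bytes(range(256)) * 4,  # pretend RAM capture
    }
    manifest = preserve(collectors, out_dir, case_id="CASE-EXAMPLE-001")
    intact_before = verify(out_dir)
    # Simulate the artifact being altered after collection (e.g. opened and re-saved).
    (out_dir / "processes.bin").write_bytes(b"PID   NAME\n412   svchost.exe\n")
    intact_after = verify(out_dir)
    return {
        "order": [e["artifact"] for e in manifest["collected"]],
        "intact_before": intact_before,
        "intact_after": intact_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Even though the collectors were passed in dictionary order (processes first), the manifest records memory first because `preserve` walks the order-of-volatility list rather than the input. In a real case the manifest itself would be hashed and written to separate, write-once media, since an attacker or an accident that can change an artifact can usually change a manifest sitting beside it.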
