File Name: malware forensics investigating and analyzing malicious code .zip
- malware forensics: investigating and analyzing malicious code pdf
- Malware Forensics Investigating & Analyzing Malicious Code pdf
- Malware Forensics Investigating and Analyzing Malicious Code.pdf
Cameron H. Malin, Eoghan Casey, James M. Aquilina
malware forensics: investigating and analyzing malicious code pdf
Abstract. Malware analysis is a diverse field in which it is becoming progressively harder to keep track of malicious activity that varies in character and mode of operation. In this paper we point out strong indicators that help flag an executable or PDF file as malicious or benign. Close observation of such files has given us insight into the data structures and attributes that serve this purpose.
We also include substantial pointers that help implicate malware writers in a court of law. These observations are useful to a forensic investigator who must deal with a legion of files on a single system, narrowing them down to the few with a high probability of malicious activity. In the interconnected world of computers, malware has become an omnipresent and dangerous threat.
Given the devastating effect malware has on our cyber infrastructure, identifying malicious programs is an important goal. As technology grows at its present pace, criminals make extensive use of malware to control computers and to steal personal and confidential information for profit.
To combat this malware a branch of cyber forensics called malware forensics was developed. Malware forensics deals with analyzing malicious code, whether a script or an executable, to identify its illegal activities and purposes. Malware analysis can be done by static analysis and by dynamic analysis, and using both techniques helps the investigator identify the true intent of a particular sample.
Static analysis is a code analysis method; dynamic analysis is a behavioral analysis method. Code (static) analysis means viewing the code and working through it to gain a better understanding of the malware and what it does. Behavioral analysis observes how the sample behaves when executed: what interactions take place, what gets installed and whether any further code is executed.
When performing malware analysis an investigator should perform both static and dynamic analysis to understand fully what a piece of malware does. Malware most often arrives as an executable, or as a script embedded in a document, specifically in Portable Document Format (PDF) files. Every executable starts as source code written in some programming language and goes through a few organized steps before it begins executing in physical memory, as shown in Fig.
The programming language is the author's choice. The source code is compiled into object code, which exists as object files. The linker then takes the compiler's output together with the libraries it needs and stitches them together to produce the executable file.
It is then the loader's responsibility to place the executable in physical memory for execution; execution begins once loading is complete. A robust understanding of the PE file format, shown in Fig., is therefore essential. The basic supposition of this study is that there should be distinctive characteristics separating malware from benign programs, since they are built with different intentions.
PDF is short for Portable Document Format, one of the most widely used formats for sharing and viewing documents, and a solid understanding of the PDF file structure, shown in Fig., is equally necessary. A PDF file is often a combination of vector graphics, text and raster graphics, which can represent rich text, drawings, two- or three-dimensional images, or multimedia such as audio, video or Flash.
In this way PDF has an incredibly rich feature set. Turning to the PE format: the DOS header at the start of every PE file contains, in its e_lfanew field, the offset of the PE header relative to the beginning of the file. The DOS stub that follows it is not needed for the program to work under Windows.
It is important to know how many sections a PE file has, more specifically how many section headers and section bodies. Each section header and each section body is laid out sequentially in the file, so the number of sections is needed to determine where the section headers and bodies end. In addition to the sections present by default in a PE file, it is possible to add others.
The Windows loader, however, limits the number of sections to 96. This possibility can be exploited by malware authors to include malicious code in a PE file. Size of code: this value tells us how big the code section is. If there are multiple code sections it gives the combined size of all of them.
If a malware author adds another code section in order to execute his own malicious code, this size will no longer match the expected value. Address of entry point: this is the pointer to the location of the first instruction executed once the executable is loaded into memory.
In the case of packers it points to the decryption stub that unpacks the original compressed code. Malware writers tend to change the address of entry point in order to redirect the flow of execution. Size of image: this gives the size of the loaded executable in memory, including headers and sections, so if someone modifies the headers or adds extra sections it will show a different size.
Size of headers: this value is the combined size of the headers and the section table, so if we have the total file size, subtracting Size of headers from it gives a value that should be consistent with the size of the contents after the section table. Any deviation indicates a possible modification of the executable.
Checksum: the checksum is computed over the whole file image, which includes the import table naming the DLLs loaded at run time, so if a call to a malicious DLL is added the stored checksum no longer verifies unless the author recomputes it. A checksum of zero is common in ordinary user-mode executables, so only a non-zero value that fails to verify is significant. Malware must invoke system calls to interact with the OS in order to perform malicious actions, so analyzing and extracting malicious behaviour from such programs requires identifying the system calls invoked. Besides the predefined system-call mechanism, which traps into the kernel, application programs may interact with the operating system through higher-level shared helper modules.
Most malicious programs do. These details are revealed by the Import Directory: an array of IMAGE_IMPORT_DESCRIPTOR structures, each twenty bytes long and describing one DLL from which the PE file imports functions. If their number does not match what the rest of the file implies, the executable under consideration is suspicious.
There are two ways a function can be imported from a DLL: import by name and import by ordinal. With import by name the important attribute is the Name field of IMAGE_IMPORT_BY_NAME, a null-terminated string holding the imported function's name. The section table holds one IMAGE_SECTION_HEADER for every section present, so the information there reveals a lot about each section.
Name: some packers and malicious code add their own sections, and these names may ring a bell if they have been seen before. Size of raw data: the size of the initialized data on disk; if it is less than Virtual size, the remainder is filled with zeros in memory. Such runs of zeros can be replaced by malware authors to fit in their malicious code. Pointer to raw data: the file offset of the start of the section's data.
This could be edited to redirect the section to other content; if it is an executable section and someone points it at malicious code, that could cause unwanted damage. Characteristics: these flags decide whether a particular section is executable, or whether it is supposed to contain only data items, initialized or uninitialized. Malware can overwrite a section, or empty space that is initially not executable, and then edit the Characteristics flags to make it executable.
This could easily go undetected. As mentioned, every section has its own characteristics, and any deviation from the normal standards could be an indication of something suspicious. Below are a few standard sections, but any section that appears in an executable should be checked for its attributes. A few attributes could help when a malware writer's contribution to a particular crime has to be proved. These are not conclusive in themselves, but can be used as supporting facts to help the prosecution.
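As an added example (not code from the paper, the book or any tool they describe), the following Python script applies the cross-checks described above to a PE32 image that it constructs itself: it parses the DOS, COFF, optional and section headers with struct, compares SizeOfCode with the code sections, SizeOfImage with the mapped sections, checks the section that holds the entry point and its Characteristics flags, flags unfamiliar section names, recomputes the CheckSum with the ones'-complement word sum the PE format uses, and decodes TimeDateStamp. The constructed image, the .evil section name, the KNOWN_SECTIONS list and the tamper() routine are illustrative assumptions; the header offsets and flag values are those of the PE specification.

```python
"""PE header cross-checks from the text, run on a constructed PE32 image (not a real sample)."""
import struct
from datetime import datetime, timezone

SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls"}

def parse_pe(data):
    """Read DOS header, COFF header, the optional-header fields used below and the section table
    (these fields sit at the same offsets in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff, opt = e_lfanew + 4, e_lfanew + 24                       # COFF header is 20 bytes
    nsect, stamp, opt_size = struct.unpack_from("<xxHIxxxxxxxxH", data, coff)
    _, major, minor, size_of_code, _, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    sect_align = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image, size_of_headers, checksum = struct.unpack_from("<III", data, opt + 56)
    pe = dict(e_lfanew=e_lfanew, nsect=nsect, stamp=stamp, linker=(major, minor), opt_size=opt_size,
              size_of_code=size_of_code, entry=entry, sect_align=sect_align, size_of_image=size_of_image,
              size_of_headers=size_of_headers, checksum=checksum, checksum_offset=opt + 64, sections=[])
    for i in range(nsect):                                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        pe["sections"].append(dict(name=name.rstrip(b"\0").decode("latin-1"), vsize=vsize, va=va,
                                   rawsize=rawsize, rawptr=rawptr, chars=chars))
    return pe

def build_time(pe):
    """TimeDateStamp: seconds since 1970-01-01 00:00 UTC at link time (trivially forgeable)."""
    return datetime.fromtimestamp(pe["stamp"], timezone.utc)

def pe_checksum(data, checksum_offset):
    """Ones'-complement sum of the file's 16-bit words, skipping the CheckSum field, plus file length."""
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if not checksum_offset <= off < checksum_offset + 4:
            total += struct.unpack_from("<H", data, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16)) + len(data)

def indicators(data, pe):
    """Apply the header consistency checks from the text; returns findings (empty for a clean file)."""
    f, sects = [], pe["sections"]
    code = sum(s["rawsize"] for s in sects if s["chars"] & SCN_CNT_CODE)
    if code != pe["size_of_code"]:
        f.append(f"SizeOfCode {pe['size_of_code']:#x} != total of code sections {code:#x}")
    end = max(s["va"] + s["vsize"] for s in sects)
    image = -(-end // pe["sect_align"]) * pe["sect_align"]        # round up to SectionAlignment
    if image != pe["size_of_image"]:
        f.append(f"SizeOfImage {pe['size_of_image']:#x} != mapped size {image:#x}")
    at_ep = [s for s in sects if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"])]
    if not at_ep:
        f.append(f"AddressOfEntryPoint {pe['entry']:#x} is outside every section")
    else:
        s = at_ep[0]
        if not s["chars"] & SCN_MEM_EXECUTE:
            f.append(f"entry point in non-executable section {s['name']}")
        if s["chars"] & SCN_MEM_WRITE:
            f.append(f"entry section {s['name']} is writable and executable")
        if len(sects) > 1 and s is sects[-1]:
            f.append(f"entry point in last section {s['name']} (packer or appended-code layout)")
    f += [f"unusual section name {s['name']}" for s in sects if s["name"] not in KNOWN_SECTIONS]
    if pe["checksum"] and pe["checksum"] != pe_checksum(data, pe["checksum_offset"]):  # 0 = unset, common
        f.append("CheckSum does not verify (modified after linking, or forged)")
    return f

def build_clean_sample():
    """Minimal, internally consistent PE32 with .text and .data and a valid CheckSum (constructed)."""
    sects = [(b".text", 0x100, 0x1000, 0x200, 0x200, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
             (b".data", 0x100, 0x2000, 0x200, 0x400, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40, no DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sects), 1_600_000_000, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0)
    opt += struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    table = b"".join(struct.pack("<8sIIIIIIHHI", *s[:5], 0, 0, 0, 0, s[5]) for s in sects)
    data = bytearray((dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0"))
    data += b"\xC3" * 0x200 + b"\0" * 0x200                       # .text (ret opcodes) and .data bodies
    off = 0x40 + 24 + 64                                          # CheckSum field in this layout
    struct.pack_into("<I", data, off, pe_checksum(data, off))
    return bytes(data)

def tamper(data):
    """Append a W+X section and redirect the entry point to it, leaving SizeOfCode, SizeOfImage and CheckSum stale."""
    data, pe = bytearray(data), parse_pe(data)
    table_end = pe["e_lfanew"] + 24 + pe["opt_size"] + 40 * pe["nsect"]
    data[table_end:table_end + 40] = struct.pack("<8sIIIIIIHHI", b".evil", 0x100, 0x3000, 0x200,
        len(data), 0, 0, 0, 0, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)
    struct.pack_into("<H", data, pe["e_lfanew"] + 6, pe["nsect"] + 1)       # NumberOfSections
    struct.pack_into("<I", data, pe["e_lfanew"] + 24 + 16, 0x3000)          # AddressOfEntryPoint
    return bytes(data + b"\x90" * 0x200)
```

Calling indicators(sample, parse_pe(sample)) on build_clean_sample() returns an empty list, while tamper() reproduces what the text describes (a section appended and the entry point redirected without SizeOfCode, SizeOfImage or CheckSum being updated) and every mismatch is reported. The same functions work unchanged on a real file read with open(path, "rb").read(); remember that a CheckSum of 0 is normal for ordinary user-mode binaries and that TimeDateStamp is trivially forged.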
TimeDateStamp: this can tell us when the malware writer created the executable; it is the time at which the linker did its job, represented as the number of seconds since midnight on 1 January 1970 (UTC). It is trivially forged, so treat it as corroborating rather than conclusive. Linker version: the linker used by the malware author to create the executable, which can be checked against the one present on his system.
Turning to PDF files, the %PDF-x.y header (magic number) need not be at offset 0: readers accept it anywhere within the first 1024 bytes. That space can therefore be used to hold other hexadecimal data or strings, including another, malformed header, to make investigation tricky and lead the investigator to treat the file as some other type of document.
When analyzing a document we should therefore always examine the first 1024 bytes rather than only the first 4 bytes. All objects inside a PDF should be checked, and indirect objects in the body deserve special attention: because indirect objects may refer to other objects, all the relations between objects should be derived to recover the actual logical structure of the PDF file.
There are many actions that must be considered. Many obfuscation techniques can be used to hide data, including simple obfuscation, split strings and the use of regular expressions.
The cross-reference table is the important part of the PDF analyzed by investigators, and also a tedious one, since every object has to be identified. A problem that makes a cross-reference table suspicious is that the number of objects declared in a subsection of the table sometimes does not match the objects actually present in the file.
Sometimes, if the line-feed character is missing, an entry ends up 19 bytes long instead of the required 20. Every indirect object has a unique identifier made up of two parts: an object number and a generation number. Object numbers are normally assigned sequentially, but this is not required; they may be assigned in arbitrary order.
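As an added example (again not code from the paper or the book), the Python below implements the PDF checks discussed in this and the preceding paragraphs: it locates the %PDF header anywhere in the first 1024 bytes, enumerates indirect objects and the references between them, un-escapes #xx-encoded names before matching them against a small list of action-related names (/OpenAction, /JavaScript, /JS and so on; the list is an illustrative assumption), and parses the classic cross-reference table to compare the declared entry count with the entries present, detect 19-byte entries and verify that each offset points at its object. The CLEAN and EVIL object sets, the build_pdf() assembler and evil_sample() are constructed test data, not real samples.

```python
"""Structural checks for a PDF (header position, objects, names, xref table) on constructed samples."""
import re

SUSPICIOUS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/RichMedia"}
OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)     # 'N G obj ... endobj'
REF = re.compile(rb"(\d+)\s+(\d+)\s+R\b")                       # indirect reference 'N G R'
NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")                      # name object, e.g. /OpenAction
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")                     # #xx escape inside a name
SUBSEC = re.compile(rb"\s*(\d+)\s+(\d+)[ \t]*\r?\n")            # xref subsection header 'first count'
ENTRY = re.compile(rb"(\d{10}) (\d{5}) ([nf])(\r\n| \r| \n|\r|\n)")  # exactly 20 bytes when well formed

def find_header(data):
    """Offset of %PDF-x.y or None; readers accept it anywhere in the first 1024 bytes (decoys can precede it)."""
    m = re.search(rb"%PDF-\d\.\d", data[:1024 + 8])
    return m.start() if m else None

def indirect_objects(data):
    """Map (object number, generation) -> body bytes for every indirect object in the file."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3) for m in OBJ.finditer(data)}

def parse_xref(data):
    """Follow the last startxref to a classic xref table: (declared count, entries, number of 19-byte entries)."""
    starts = re.findall(rb"startxref\s+(\d+)", data)
    start = int(starts[-1]) if starts else -1
    if start < 0 or not data.startswith(b"xref", start):
        return 0, [], 0
    body = data[start + 4:data.find(b"trailer", start)]
    declared, entries, short, pos = 0, [], 0, 0
    while (m := SUBSEC.match(body, pos)):
        first, count = int(m.group(1)), int(m.group(2))
        declared, pos = declared + count, m.end()
        for i in range(count):
            e = ENTRY.match(body, pos)
            if not e:
                break                                           # table ends before 'count' entries
            entries.append((first + i, int(e.group(1)), int(e.group(2)), e.group(3)))
            short += len(e.group(0)) != 20
            pos = e.end()
    return declared, entries, short

def analyze_pdf(data):
    """Apply the indicators discussed in the text; returns a list of findings (empty = nothing odd)."""
    f, hdr = [], find_header(data)
    if hdr is None:
        f.append("no %PDF header in the first 1024 bytes")
    elif hdr:
        f.append(f"%PDF header at offset {hdr}, not 0 (bytes before it may be a decoy header)")
    objs = indirect_objects(data)
    for (num, gen), body in objs.items():
        if HEX_ESC.search(body):                                # heuristic: also fires inside strings
            f.append(f"object {num} {gen}: hex-escaped name (#xx obfuscation)")
        plain = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), body)
        names = {n.decode("latin-1") for n in NAME.findall(plain)}
        if hits := sorted(names & SUSPICIOUS):
            f.append(f"object {num} {gen}: {', '.join(hits)}")
        for r in REF.findall(body):
            if (int(r[0]), int(r[1])) not in objs:
                f.append(f"object {num} {gen} references missing object {int(r[0])} {int(r[1])}")
    declared, entries, short = parse_xref(data)
    if not entries:
        f.append("startxref does not lead to a classic xref table (xref stream, or damaged pointer)")
    else:
        if declared != len(entries):
            f.append(f"xref declares {declared} entries but {len(entries)} are present")
        if len(entries) - 1 != len(objs):                       # entry 0 is the free-list head
            f.append(f"xref lists {len(entries) - 1} objects but {len(objs)} are in the file")
        if short:
            f.append(f"{short} xref entries are 19 bytes long (missing EOL byte)")
        for num, off, gen, kind in entries:
            if kind == b"n" and not data.startswith(b"%d %d obj" % (num, gen), off):
                f.append(f"xref offset {off} does not point at object {num} {gen}")
    return f

def build_pdf(bodies, junk=b""):
    """Assemble bodies as objects 1..n with a correct classic xref table (constructed test data)."""
    out, offsets = bytearray(junk + b"%PDF-1.4\n"), []
    for i, body in enumerate(bodies, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref_at)
    return bytes(out)

CLEAN = [b"<< /Type /Catalog /Pages 2 0 R >>",
         b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
         b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
EVIL = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 7 0 R >>", CLEAN[1], CLEAN[2],
        b"<< /S /Java#53cript /JS (app.alert(1)) >>"]               # /Java#53cript is /JavaScript escaped

def evil_sample():
    """EVIL objects behind a 32-byte GIF decoy, then the xref damaged in the two ways described above."""
    pdf = build_pdf(EVIL, junk=b"GIF89a".ljust(32, b"\0"))
    pdf = pdf.replace(b"xref\n0 5\n", b"xref\n0 6\n")              # declared count no longer matches
    return pdf.replace(b"65535 f \n", b"65535 f\n", 1)            # first entry shrinks to 19 bytes
```

analyze_pdf(build_pdf(CLEAN)) returns an empty list; analyze_pdf(evil_sample()) reports the displaced header, the /OpenAction in the catalog, the hex-escaped /JavaScript and /JS in object 4, the dangling reference to object 7, the declared-versus-present entry mismatch and the 19-byte entry. Files that use cross-reference streams (PDF 1.5 and later) or compressed object streams need a decompressing parser; this code only covers the classic table the text discusses.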
Malware Forensics Investigating & Analyzing Malicious Code pdf
Our analysts examine vast amounts of real malware samples daily and hold the internationally recognised GIAC certification in Digital Forensics and Malware Analysis. Written by authors who have investigated and prosecuted federal malware cases, this book deals with the emerging and evolving field of live forensics, where investigators examine a computer system to collect and preserve critical live data. Highly recommend this book for novice malware analysts. Malware code analysis: thorough malware analysis is vital when investigating complex attacks. Malware Forensics: Investigating and Analyzing Malicious Code covers the complete process of responding to a malicious code incident. Readers from all educational and technical backgrounds will benefit from the clear and concise explanations of the applicable legal case law and statutes covered in every chapter. Email forensics: this branch of forensics handles the recovery of discarded data and the analysis of email contents, including deleted emails, calendars and contacts.
Before we go into the details of converting a Word file into a PDF file, it is important to know the difference between the two file formats. A Word file is a file created with Microsoft Word, a word-processing application first released by Microsoft for the IBM PC. There are many ways to convert a Word document to PDF, and one of the easiest is through Adobe Acrobat, a family of applications designed to view, create, manipulate and manage documents in PDF. Adobe Acrobat is expensive, but there is a free trial version that can be used for a limited time.
The most widely used format, because of its ease of use, is the Word format. Word, on the other hand, supports copy, cut and paste. This lets you use Word's cut, copy and paste features, and editing becomes much easier; hence the need to convert such files to Word. This can be done quickly if you review the features of the converter application and check what else it does besides converting. Some converters also offer partial conversion, for when you want to convert specific parts of a file rather than the entire file.
Malware Forensics Investigating and Analyzing Malicious Code.pdf
Malware Forensics Field Guide for Linux Systems is a handy reference that shows students the essential tools needed to do computer forensics analysis at the crime scene. It is part of Syngress Digital Forensics Field Guides, a series of companions for any digital and computer forensics student, investigator or analyst. Each Guide is a toolkit, with checklists for specific tasks, case studies of difficult situations, and expert analyst tips that will aid in recovering data from digital media that will be used in criminal prosecution. This book covers data from all methods of electronic data storage and transfer devices, including computers, laptops, PDAs and the images, spreadsheets and other types of files stored on these devices.
When does she leave? Two-Tone looked as if he had only just come to. - When? - He guffawed. - She left long ago.