
{"id":2508,"date":"2024-10-27T22:18:01","date_gmt":"2024-10-27T16:48:01","guid":{"rendered":"https:\/\/iciss.isrdc.in\/?page_id=2508"},"modified":"2024-12-12T12:05:57","modified_gmt":"2024-12-12T06:35:57","slug":"tutorial-3-malware-hunt-demystifying-the-invisible-threats","status":"publish","type":"page","link":"https:\/\/iciss.isrdc.in\/2024\/?page_id=2508","title":{"rendered":"Tutorial 3: Malware Hunt-Demystifying the Invisible Threats"},"content":{"rendered":"\n<p>by Saurabh Sharma<br>Senior Security Researcher<br>GReAT, Kaspersky<br><a rel=\"noreferrer noopener\" href=\"https:\/\/www.linkedin.com\/in\/saurabh-sharma-813a6154\" target=\"_blank\">https:\/\/www.linkedin.com\/in\/saurabh-sharma-813a6154<\/a><br><br>Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, CP3 (beside Library)<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<p><strong>Prerequisites<\/strong><br><br>C\/C++ familiarity, Assembly basics<br><br>VirtualBox with Windows 10 VM installed<\/p>\n\n\n\n<p>Disable Windows Defender: <a href=\"https:\/\/www.windowscentral.com\/how-permanently-disable-windows-defender-windows-10\">https:\/\/www.windowscentral.com\/how-permanently-disable-windows-defender-windows-10<\/a><br><br>Download the Sysinternals Suite: <a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/\">https:\/\/learn.microsoft.com\/en-us\/sysinternals\/<\/a><br><br>IDA Free Version: <a href=\"https:\/\/hex-rays.com\/ida-free\">https:\/\/hex-rays.com\/ida-free<\/a><\/p>\n\n\n\n<p>Netcat: <a href=\"https:\/\/eternallybored.org\/misc\/netcat\/\">https:\/\/eternallybored.org\/misc\/netcat\/<\/a><br><br><strong>Outline<\/strong><br><br><strong>Module 1: Dynamic Analysis: Demystifying the Behaviour of Malware<br><\/strong>Understanding how malware operates and how to detect it is crucial in today\u2019s cybersecurity landscape. In this module, we will cover an end-to-end attack chain, which is a common method used by cybercriminals to infect systems. 
Here\u2019s a breakdown of the different steps involved in this module:<br><br><strong>Phishing Email:<\/strong> The attack begins with a phishing email, where an attacker sends a fraudulent email to a user, typically pretending to be a trusted entity. The email may contain malicious attachments, links, or instructions to trick the user into taking specific actions, such as clicking on a link.<br><br><strong>Silent Malware Deployment:<\/strong> When the user falls for the phishing email and clicks on the provided link or opens the malicious attachment, the malware is silently deployed in the background without the user\u2019s knowledge. This step is crucial for the attacker, as they gain access to the user\u2019s system without raising suspicion.<br><br><strong>Identifying Suspicious Network Connections:<\/strong> After the malware is deployed, it may attempt to communicate with the attacker\u2019s command-and-control (C2) server or other malicious entities over the network. Detecting these suspicious network connections can be a vital clue for identifying a potential malware infection.<br><br><strong>Suspicious Processes:<\/strong> Next, you\u2019ll be exploring the system\u2019s processes to find any suspicious ones that might be associated with the malware. Malware often runs as a hidden process, evading the user\u2019s attention.<br><br><strong>Host-Based Indicators:<\/strong> You\u2019ll then search for host-based indicators of the malware\u2019s presence. These indicators include persistence mechanisms, which are techniques used by malware to survive system reboots and maintain their foothold on the infected system. Additionally, you\u2019ll analyze disk activity performed by the malware to better understand its behavior.<br><br><strong>Malware\u2019s Motive:<\/strong> Lastly, you\u2019ll try to identify the motive behind the malware. 
This involves understanding the malware\u2019s purpose, whether it\u2019s ransomware seeking financial gain, spyware collecting sensitive information, or any other malicious intent.<br><br>By following these steps, users can gain a better understanding of how to detect and respond to potential malware infections on their systems. It\u2019s essential to stay vigilant and continuously update cybersecurity practices to protect against evolving threats. Remember, prevention is always better than remediation when it comes to cybersecurity.<\/p>\n\n\n\n<p><strong>Module 2: Static Analysis: Demystifying the Code of Malware<\/strong><br><strong>Limitations of Dynamic Analysis:<br><\/strong>Some malware can detect that it\u2019s being analysed and may behave differently or not execute at all. The analysis environment might not perfectly replicate a real user\u2019s system, leading to potential differences in behaviour.<br><br><strong>Static Analysis (Code Analysis):<\/strong><br>Static analysis involves examining the malware\u2019s code and characteristics without executing it. This typically involves reverse engineering the code, disassembling it, and studying its structure to understand its functionality and inner workings. 
Static (code) analysis helps us uncover the following details:<br><br><strong>Hidden behaviour discovery:<\/strong> Static analysis can reveal hidden or encrypted parts of the malware that might not be evident during dynamic analysis.<br><br><strong>In-depth understanding:<\/strong> By examining the code, we can gain a deeper understanding of the malware\u2019s inner workings, for example:<br>\u2013 Process Injection: Techniques used to run malware inside another process<br>\u2013 Network Protocol Analysis: Understanding and decoding the command-and-control packet format.<\/p>\n\n\n\n<p><strong>Module 3: Exploring Signature-Based Intrusion Detection: YARA and Snort<\/strong><br>Once you have learned how to demystify the behaviour of the malware in the first two modules of this tutorial, you will learn to write signatures to hunt for similar malware on other hosts and to detect or block malware command-and-control traffic at the firewall level. This module will cover two popular tools used for signature-based intrusion detection, which have slightly different purposes and approaches:<\/p>\n\n\n\n<p><strong>YARA \u2013<\/strong> Allows you to create and define custom rules (signatures) to identify patterns within files or processes. These signatures are written in a human-readable and straightforward syntax. YARA is particularly effective for detecting specific characteristics, behaviour, or patterns of known malware or other targeted files.<br><strong>Identifying known malware:<\/strong> YARA is effective in detecting the presence of known malware families by matching their unique patterns.<br><strong>Hunting for specific behaviour:<\/strong> You can create YARA rules to identify specific behaviour, such as suspicious file names or registry keys.<br><strong>Indicator of Compromise (IOC) scanning:<\/strong> YARA can be used to scan systems for known IOCs related to recent security breaches or threat intelligence.<br><br><strong>Snort \u2013<\/strong> It is an open-source network intrusion detection and prevention system. 
Unlike YARA, which primarily focuses on file-based analysis, Snort is designed to monitor network traffic and detect malicious activity in real time. It uses a combination of predefined rules (known as Snort rules) and customizable rules to identify specific patterns or characteristics of known network-based attacks.<br><strong>Network intrusion detection:<\/strong> Snort can be deployed on network devices, such as firewalls or routers, to monitor traffic and detect attempts at unauthorized access or attacks.<br><strong>Network traffic analysis:<\/strong> It helps in identifying unusual patterns in network traffic, which may indicate malicious behaviour such as port scans or brute-force attacks.<br><strong>Prevention and response:<\/strong> Snort can be integrated with other security systems to block malicious traffic and facilitate incident response.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Saurabh SharmaSenior Security ResearcherGReAT, Kasperskyhttps:\/\/www.linkedin.com\/in\/saurabh-sharma-813a6154 Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, CP3 (beside Library) Prerequisites C\/C++ familiarity, Assembly basics VirtualBox with Windows 10 VM installed Disable windows defender: https:\/\/www.windowscentral.com\/how-permanently-disable-windows-defender-windows-10 Download Sysinternals suite: https:\/\/learn.microsoft.com\/en-us\/sysinternals\/ IDA Free Version: https:\/\/hex-rays.com\/ida-free Netcat: https:\/\/eternallybored.org\/misc\/netcat\/ Outline Module 1: Dynamic Analysis: Demystifying the Behaviour of MalwareUnderstanding how malware 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2508"}],"collection":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2508"}],"version-history":[{"count":9,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2508\/revisions"}],"predecessor-version":[{"id":2739,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2508\/revisions\/2739"}],"wp:attachment":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}