Malware Forensics: Discovery Of The Intent Of Deception
Today’s malware includes several types of analysis-avoidance methods, which greatly complicate the forensic process of understanding or deciphering it. Although there are applications that can perform a thorough analysis of such malware, and protective measures that shield software against reverse engineering in order to safeguard intellectual property, these same measures make the process of analysis much harder and far more time-consuming. When malware uses such methods to dodge analysis, it becomes evident that harmful intentions are present. Even so, applications and software exist that can detect the presence of malware and keep tabs on the avoidance methods it uses.
Introduction
Since the advent of the IT industry, malware has been one of its most important issues. As the days go by, the malware problem becomes a greater hindrance to cyber security and slowly becomes harder to detect and to mitigate the risks associated with it. The goal of this paper is to explain the types of malware attacks, how to prevent them, and how to detect them successfully even before an attack takes place. Several examples of malware are also explained in order to understand them better. The paper also provides a better understanding of malware attacks and steps that help individuals reduce the amount of damage done by malware.
The current IT landscape is dominated by the computer systems of individuals, businesses and the financial sector. Because we rely so heavily on these computer systems, we are highly prone to cyber-criminal activity. According to Symantec in 2012, the overall damage caused by cyber criminals is about $110 billion USD, and approximately 566 million people are affected by it. The term malware is short for malicious software and covers worms, Trojans, computer viruses and spyware, all of which are used by hackers to carry out illegal cyber activities such as sending spam emails and stealing valuable information.
Malware is nothing but malicious software, yet given the chance it can do more harm than we can imagine. So the period from the moment a malware sample is received by an antivirus company until the time of its detection on a computer system or host is critical for any IT enterprise and even for individual users. Three steps are crucial to how a malware sample is identified. Firstly, the malware sample is received; following this, a signature is created through a few complex tasks. Secondly, reverse engineering is performed to understand the code extraction process. Finally, it is worked out how the malware attempts to tackle the antivirus software of the defense system in order to avoid analysis.
Examples of a few malware families that spread in the early days of the internet:
- Creeper: This is considered to be the first virus, dating back to 1971. Creeper was created as an experimental self-replicating application that affected computers running TENEX on a DEC PDP-10. It operated by getting into ARPANET, and its aim was to look for a machine within the network, transmit itself to it, show a specific message, and move on from one system to another. It was fabricated with the goal of keeping it within academic research purposes.
- Elk Cloner: Elk Cloner is known as the first virus outbreak, back in 1982. It was developed by a 15-year-old school student whose intention was just to play a prank. It worked by entering Apple computers through floppy disks: whenever someone inserted an infected floppy disk, it displayed a poem rather than the game it was intended to play. This malware is known as the first to travel outside of the lab or computer system in which it was developed.
- Happy99: This is a worm produced in 1999 that infected computers via an email attachment. Happy99 would show a firework display on the screen, copy its file to the Windows system folder, and then spread further by emailing itself to all the contacts on the system. As mentioned, it was just a prank, so all it did was put on a display; it did not cause harm to the affected computer.
- Code Red: The objective of Code Red was to affect web servers, and it was observed back in 2001. Code Red functioned by taking advantage of a vulnerability in Microsoft IIS servers. Within a week, almost 40,000 servers were affected by this attack. Whenever a server was affected, its pages said “Hacked by Chinese”. Another goal was to flood the White House websites with traffic from all the affected servers. This instance of hacking was showcased as hacktivism on a large scale.
- Blaster: This was again considered a prank, created in the year 2003. Blaster was a worm that affected computers running Windows XP and 2000. The overall damage caused by this worm was a staggering hundreds of millions of dollars. The worm displayed a text string whose first part said “I just want to say Love you SAN” and whose second part consisted of a message addressed to Bill Gates, the CEO of Microsoft.
- Zeus: Zeus functioned as a malware service. It was observed that it cost the people affected by this service around $70 million. It was so sophisticated for its time that it was not detected by the well-known antivirus software of the day. Zeus was also known to carry the potential for harmful activities such as capturing banking data. This took place back in 2007, and within the next two years it was said to have compromised about 74,000 FTP servers of well-known organizations such as Bank of America, Amazon, Cisco and NASA.
Distinct deception methods used by malware are as follows. The techniques mentioned here can make the presence of malware very difficult to detect, and they can be deployed in conjunction with one another to make them more effective.
- Anti-Emulation: Backing up a VM is very easy, which gives a security analyst the opportunity to recover the image or data of that specific VM easily and quickly. These days a number of methods are available for discovering that code is running inside a VM such as VMware or Virtual PC. In certain important instances where the anti-emulation method cannot be dealt with, for whatever reason, it is suggested to make use of a real machine rather than a VM.
- Anti-Hardware: There are multiple ways for malware to notice a debugger, benefiting from hardware data in the CPU and its registers whenever a debugging process is in use. Also, whenever an application exercises the prefetch queue during a debugging session, the malware can abuse this by acting at the right time. A few mechanisms are available that can predict this occurrence.
- Anti-tools: Much malware has the ability to sense the presence of the tools used by a security analyst. Whenever malware successfully notes a tool’s presence, it can switch to a deceptive mode of operation. Some malware also understands a tool’s weak points and attacks them accordingly. Well-known tools such as OllyDbg and IDA Pro are among those whose presence certain malware can notice.
- Anti-Memory: Once a complex application has successfully unpacked itself, some security analysts use the method of dumping memory. They capture such moments by stopping the application while it is unpacking itself and then dumping the unpacked application from memory, which further allows them to decipher the code in use. Application packers can generally render this technique useless by taking part of the code out of its place, a technique often termed “stolen bytes”. Whenever one needs to run the dumped application, these bytes have to be restored.
- Anti-Process: While a debugging session is under way, there are multiple methods that can be used to target it. An abuse of Thread Local Storage (TLS) serves as a perfect example. The technique involves moving the application’s real entry point away from the entry point that a security analyst sees during a debugging session. This is often performed by modifying the portable executable so that the loader references the entry point through Thread Local Storage.
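As an added example for the Anti-Process item above (this is not code from the essay), the following Python checks a PE file for the condition that technique relies on: a TLS directory, whose callbacks the Windows loader runs before AddressOfEntryPoint, so a debugger that only breaks at the official entry point has already missed code. It parses only the headers with struct; the minimal PE32+ image it builds to test itself is constructed for illustration and contains no sections or code. The header offsets are those of the PE format (the TLS directory is data directory index 9).

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index of the TLS entry in the optional header's directory table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def tls_triage(image: bytes) -> dict:
    """Static triage of a PE image: report the official entry point and whether a TLS
    directory is present. TLS callbacks listed there run before AddressOfEntryPoint,
    so a non-empty TLS directory is the cue to inspect its AddressOfCallBacks before
    debugging instead of breaking only at the entry point."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96                      # NumberOfRvaAndSizes, first directory
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (entry_point,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    (n_dirs,) = struct.unpack_from("<I", image, opt + count_off)
    tls_rva = tls_size = 0
    entry_off = dirs_off + IMAGE_DIRECTORY_ENTRY_TLS * 8
    # The directory table may be shorter than 16 entries; read the TLS slot only if it exists.
    if n_dirs > IMAGE_DIRECTORY_ENTRY_TLS and size_of_optional >= entry_off + 8:
        tls_rva, tls_size = struct.unpack_from("<II", image, opt + entry_off)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "entry_point_rva": entry_point,
        "tls_directory_rva": tls_rva,
        "tls_directory_size": tls_size,
        "has_tls_directory": tls_rva != 0 and tls_size != 0,
    }


def build_sample_pe(entry_point: int, tls_rva: int = 0, tls_size: int = 0) -> bytes:
    """Constructed, minimal PE32+ header image (no sections) used only to exercise tls_triage."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header follows the DOS header
    optional = bytearray(240)                             # PE32+ optional header with 16 directories
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", optional, 16, entry_point)     # AddressOfEntryPoint
    struct.pack_into("<I", optional, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 112 + IMAGE_DIRECTORY_ENTRY_TLS * 8, tls_rva, tls_size)
    # IMAGE_FILE_HEADER: Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (executable image).
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(optional), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for label, img in (("plain", build_sample_pe(0x1000)),
                       ("with TLS", build_sample_pe(0x1000, tls_rva=0x3000, tls_size=40))):
        print(label, tls_triage(img))
```

On a real sample, a reported TLS directory means the next step is to resolve its RVA through the section table and walk AddressOfCallBacks, which this header-only check deliberately leaves to the analyst.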
Out of all the security breaches affecting the existing internet, malware accounts for nearly 51 percent. For a typical antivirus tool, the best-known process for detecting the presence of malware is signature matching. However, detection through a signature-based approach is becoming very difficult with today’s malware. Below are a few points on how a signature-based technique is rendered ineffective.
- Morphic Malware: As the word suggests, morphing is a method of changing, and current malware uses morphing to avoid detection by signature-based methods. There are also polymorphic viruses, which are derived from encrypted viruses. An encrypted virus comprises two parts: the harmful code and the decrypter. Such a virus changes its entire body during transmission, while the decrypter stays unaffected whenever the virus travels from one system to another. A signature-based detection method therefore proved beneficial whenever there was a need to notice the decrypters among them.
- Polymorphic Malware: Polymorphic malware is made of two very important parts: the virus body and a mutation engine. Whenever the malware is transmitted, it is the job of the mutation engine to create a new decryption routine. During this activity, the new decryption routine is enrolled into the virus body as well as the mutation engine. Furthermore, every time a polymorphic virus duplicates itself, no two permutations are alike.
- Metamorphic Malware: This type of malware also consists of two parts, namely the virus body and a mutation engine. Whenever this malware duplicates itself, it never uses an encryption technique. Instead, every time a metamorphic malware sample travels, the mutation engine recodes the malware, so it never generates the same infection as the previous one. Signature-based detection performs its capture by noticing a pattern or sequence of bytes. Malware based on polymorphic and metamorphic concepts has the ever-evolving ability to keep modifying itself, which makes a signature-based pattern very hard to match.
- Packing: Packing is another well-known method of avoiding signature-based antivirus tools and software, and it accounts for nearly 80 percent of malware evasion instances. Basically, it takes an executable file and applies a compression algorithm to it, producing a new executable file as a result. The resulting file is made up of the compressed, unreadable form of the real code plus a portion of the application called the unpacking stub. Packing thus has the ability to mask harmful code within the compressed code. To apply the unpacking process, many antivirus programs make use of static unpackers, which are built from the decompression routines of multiple known packers.
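To make the four evasion techniques above concrete, here is an added Python example (not code from the original essay) that implements a plain signature scanner and runs it over three constructed versions of one fake sample: the original, a polymorphic copy (a constant decrypter followed by the body re-encrypted with a fresh key, as described under Morphic and Polymorphic Malware) and a packed copy (the whole file compressed with zlib behind an unpacking stub, as under Packing). All byte strings, signature names and the threshold are constructed for illustration. It goes slightly beyond the text by adding a Shannon-entropy heuristic, a common triage check for packed content that the essay does not mention, to show why a second detection layer is needed once the body signature stops matching.

```python
import random
import zlib
from collections import Counter
from math import log2

# Constructed sample: a recognisable marker plus 4000 bytes of filler drawn from four symbols
# (low entropy, like real code or text). Nothing here is a real malware artefact.
_FILLER = bytes(random.Random(1).choices(b"ACGT", k=4000))
SAMPLE = b"MALICIOUS_ROUTINE_V1" + _FILLER

DECRYPT_STUB = b"DECRYPT_STUB:"      # constant from copy to copy, as the essay notes for the decrypter
UNPACKER_STUB = b"UNPACKER_STUB:"    # stands in for a packer's unpacking stub

# Hypothetical signature database: one pattern on the body, one on the decrypter stub.
SIGNATURES = {
    "body": b"MALICIOUS_ROUTINE",
    "decrypter stub": b"DECRYPT_STUB",
}


def signature_match(data: bytes, signatures=SIGNATURES) -> list:
    """Classic signature detection: every signature whose byte sequence occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def polymorphic_copy(sample: bytes, key: int) -> bytes:
    """Model of the polymorphic virus: constant decrypter, one-byte key, body XORed with the key.
    Only the key changes between copies, so the body bytes (and its signature) never repeat."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte")
    return DECRYPT_STUB + bytes([key]) + bytes(b ^ key for b in sample)


def decrypt_copy(copy: bytes) -> bytes:
    """What an analyst does after spotting the stub: read the key and recover the body."""
    key = copy[len(DECRYPT_STUB)]
    return bytes(b ^ key for b in copy[len(DECRYPT_STUB) + 1:])


def packed_copy(sample: bytes) -> bytes:
    """Model of packing: the whole file is compressed and prefixed with an unpacking stub."""
    return UNPACKER_STUB + zlib.compress(sample, 9)


def unpack_copy(packed: bytes) -> bytes:
    """What a static unpacker does for this toy packer: strip the stub and decompress."""
    if not packed.startswith(UNPACKER_STUB):
        raise ValueError("unknown packer")
    return zlib.decompress(packed[len(UNPACKER_STUB):])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 to 8). Compressed or encrypted data approaches 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Signature matching first; if nothing matches, fall back to the entropy heuristic."""
    hits = signature_match(data)
    entropy = shannon_entropy(data)
    likely_packed = entropy >= entropy_threshold
    if hits:
        verdict = "malicious: signature hit"
    elif likely_packed:
        verdict = "suspicious: likely packed, unpack and rescan"
    else:
        verdict = "no signature match (may still be morphed code)"
    return {"signature_hits": hits, "entropy": round(entropy, 2),
            "likely_packed": likely_packed, "verdict": verdict}


if __name__ == "__main__":
    for label, variant in (("original", SAMPLE),
                           ("polymorphic", polymorphic_copy(SAMPLE, 0x5A)),
                           ("packed", packed_copy(SAMPLE))):
        print(f"{label:12s} {triage(variant)}")
    print("rescan after unpack:", signature_match(unpack_copy(packed_copy(SAMPLE))))
```

The run shows the division of labour the essay describes: the body signature only hits the original; the polymorphic copy keeps its entropy low (XOR merely relabels bytes) but is caught by the signature on its unchanged decrypter; the packed copy escapes every signature and is only flagged by its high entropy, after which unpacking and rescanning restores the body hit.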
These signature-based identification methods rely on patterns, or the available sequences of bytes, that belong to a piece of malware. In the age of the internet, malware makes use of numerous techniques that help it avoid detection, signature-based detection in particular. This paper has therefore introduced many well-known techniques that malware uses to avoid any type of detection. Generally, the avoidance process used by some malware is known as morphing. As mentioned earlier, polymorphic malware is the type that really encrypts a typical metamorphosis, while metamorphic malware depends upon the mutation engine. The two methods approach morphing differently, but both have the innate ability to modify their structural limitations to increase their effectiveness. Alternatively, packing is another mechanism used effectively by malware to avoid detection; it modifies the structure of the malicious code.
There is also malware that is very difficult to find even with a signature-based detection technique. Such malware is called zero-day malware. These types of malware are not yet known to the manufacturers of antivirus applications, and ultimately no signature is available to verify their presence.
Furthermore, it is evident that no single approach is available that can defend us against all types of attacks. Hence we have to use a layered approach in which it is not just a matter of using tools and software, but also of making use of tactics and methods designed to mitigate the occurrence of infection. Some of the mechanisms that follow from such tactics are host hardening, the principle of least privilege, patch management, and educating users on how to identify malware and what steps to take next.
Multiple tools are available for the layered approach to security, and each of them has some mechanism to counter malware. Despite these cautious measures, malicious software still makes its way to us and does a great deal of harm. Hence it is our duty, as good citizens of society and as members of an organization, to take every possible step to avoid such attacks and always be proactive towards them.