
Malware Detection and Identification

links: MAI TOC - Malware Identification - Index


Detection and identification

Malware Families

  • Malware, like other software, has lifecycles and versions, forming "families".
  • Names (e.g., Zeus, Trickbot) are assigned by security analysts.
  • Malpedia tracks thousands of malware families.

Detection vs. Identification

  • Detection: Deciding whether an artifact (a file, a memory region, a network flow) is malicious at all.
  • Identification: Assigning a detected artifact to a known malware family (and, where possible, a version within that family).

Importance of Identification

  • Known malware families come with existing analyses and intelligence (capabilities, C2 protocol, indicators, unpacking procedures), so identification saves most of the analysis effort.
  • Entirely new families are rare, but when one appears it requires extensive analysis from scratch and is usually significant (e.g., Stuxnet).

Detection Approaches

  • In-depth Analysis: Detecting malware through deep examination of suspicious artifacts.
  • Identification-based Detection: Using known characteristics of malware families to detect new instances.

Signatures, AV and packing

Challenges in Detection

  • True Positives/Negatives: Malicious artifacts correctly flagged, benign artifacts correctly left alone.
  • False Positives/Negatives: A false positive flags a benign artifact (wasted analyst time, broken legitimate software, eroded trust in the tool); a false negative misses malware, so the infection goes unnoticed. Detection methods trade one against the other.

Malware Signatures

  • Concept: Identifying malware by matching known byte sequences (possibly with wildcards for variable parts such as addresses) in files or memory.
  • Advantages: Fast, low false positive rate when the sequence is distinctive, and the matching signature directly names the family.
  • Disadvantages: Easily evaded by anything that changes the bytes (packing, encryption, polymorphism), and useless against entirely new malware or variants for which no signature exists yet.
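
The following is an added example (not code from the original notes) of what a byte signature with wildcards does, and of why packing defeats it. The sample bytes, the signature and the one-byte XOR "packer" are all constructed for illustration; real packers compress or encrypt the payload and prepend a stub that restores it in memory, but the effect on an on-disk signature is the same.

```python
"""Byte-signature matching with wildcards, and why packing defeats it."""
from typing import Optional


def parse_signature(sig: str) -> list[Optional[int]]:
    """Parse a YARA-style hex pattern such as "6A 00 ?? E8 ?? ?? ?? ??".

    Each token is either a byte value or "??" (match any byte).
    """
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(data: bytes, sig: str) -> Optional[int]:
    """Return the offset of the first match of `sig` in `data`, or None."""
    pattern = parse_signature(sig)
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return None


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy 'packer' (constructed stand-in): XOR every byte with a one-byte key.

    Real packers compress or encrypt the payload; from the point of view of a
    signature written for the unpacked code the result is the same: no match.
    """
    return bytes(b ^ key for b in data)


# Constructed "binary": NOP filler, a distinctive code fragment, INT3 filler.
# The fragment is push 0; push 0; call rel32; push 0; call rel32 -- the call
# targets change between builds, so the signature wildcards them.
CODE_FRAGMENT = bytes.fromhex("6A006A00E8112233446A00E855667788")
SAMPLE = b"\x90" * 64 + CODE_FRAGMENT + b"\xcc" * 64

# Signature: fixed opcodes, wildcarded relative call targets.
SIGNATURE = "6A 00 6A 00 E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ??"


def demo() -> dict:
    """Match against the original, the packed copy, and the unpacked copy."""
    packed = xor_pack(SAMPLE, 0x5A)
    return {
        "original": find_signature(SAMPLE, SIGNATURE),
        "packed": find_signature(packed, SIGNATURE),
        "unpacked": find_signature(xor_pack(packed, 0x5A), SIGNATURE),
    }


if __name__ == "__main__":
    print(demo())
```

The packed copy never matches even though the malware inside it is identical, which is exactly why the practical section below works on payloads dumped from memory after the packer stub has run.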

Binary Packing and Evasion

  • Technique: Packers compress or encrypt the original executable and wrap it in a small stub that restores ("unpacks") it in memory at run time; the bytes on disk no longer resemble the payload, so signatures written for the unpacked code do not match. The same payload can be re-packed endlessly to produce new byte sequences.
  • Detection: Packed code gives itself away indirectly: few readable strings, high entropy (compressed or encrypted data looks random), and odd section tables (well-known packer section names, sections with a virtual size but no raw data, an almost empty import table).
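
As an added example (not code from the original notes), the three heuristics above applied to a list of already-parsed PE sections. The `Section` record and the two sample section lists are constructed for illustration; in practice you would fill the records from a PE parser such as pefile, and the thresholds (7.0 bits of entropy, 2% of bytes in readable strings) are assumptions that you would tune against your own sample set.

```python
"""Packing indicators: per-section entropy, readable-string density,
section-table oddities. Input is an already-parsed section list."""
import math
import random
import re
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    raw_size: int       # SizeOfRawData: bytes present on disk
    virtual_size: int   # VirtualSize: bytes occupied once mapped
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes, min_len: int = 5) -> list[str]:
    """ASCII runs of at least `min_len` printable characters, like `strings`."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Section names that only appear because a known packer created them (assumed list).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}


def packing_indicators(sections: list[Section]) -> list[str]:
    """Human-readable reasons the binary looks packed; empty list if none fire."""
    reasons = []
    for s in sections:
        ent = shannon_entropy(s.data)
        if ent > 7.0 and len(s.data) >= 256:
            reasons.append(f"{s.name}: entropy {ent:.2f} (compressed/encrypted data)")
        if s.name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{s.name}: well-known packer section name")
        # Memory reserved but nothing on disk: the classic unpacking destination.
        if s.raw_size == 0 and s.virtual_size > 0:
            reasons.append(f"{s.name}: virtual size {s.virtual_size} but no raw data")
    total_len = sum(len(s.data) for s in sections)
    # Strings of 8+ chars rarely occur by accident in random data, so a low share
    # of bytes belonging to them means the real strings are still encrypted.
    string_bytes = sum(len(t) for s in sections for t in printable_strings(s.data, 8))
    if total_len and string_bytes / total_len < 0.02:
        reasons.append(f"only {string_bytes} of {total_len} bytes are readable strings")
    return reasons


# --- constructed samples ---------------------------------------------------
_rng = random.Random(1337)  # deterministic stand-in for encrypted payload bytes

UNPACKED = [
    Section(".text", 4096, 4000, bytes.fromhex("5589e583ec08") * 300 + b"\x00" * 2296),
    Section(".rdata", 1400, 1400, b"kernel32.dll\x00CreateFileA\x00WriteFile\x00" * 40),
]

PACKED = [
    Section("UPX0", 0, 65536, b""),
    Section("UPX1", 8192, 8192, bytes(_rng.getrandbits(8) for _ in range(8192))),
]


if __name__ == "__main__":
    for label, secs in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, packing_indicators(secs) or ["no indicators"])
```

None of these indicators proves malice: installers, games and DRM-protected software are routinely packed. They tell you that the bytes in front of you are not the payload and that signature work has to wait for a memory dump.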

Behavior-based Detection

  • Idea: Detecting malware by what it does rather than what it looks like: typical malicious behaviors such as injecting code into another process, establishing persistence, or contacting a command-and-control server, observed at run time (sandbox) or on the endpoint (EDR).
  • Advantages: Independent of the bytes on disk, so packing does not help the attacker and entirely new malware can be caught.
  • Disadvantages: Higher false positive rate, because legitimate software performs many of the same actions (installers register autostart entries, debuggers write into other processes' memory), so rules must combine several behaviors rather than fire on one.
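
An added example (not code from the original notes) of two behavior rules run over an API-call trace of the kind a sandbox or EDR agent produces. The `Call` record, the API argument names and both sample traces are constructed for illustration; real traces are richer, but the matching idea is the same, and the benign trace shows where the false positives come from.

```python
"""Behaviour-based detection over a constructed API-call trace."""
from dataclasses import dataclass, field


@dataclass
class Call:
    pid: int            # calling process
    api: str            # Win32 API name as logged by the monitor
    args: dict = field(default_factory=dict)


INJECTION_CHAIN = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def detect_remote_injection(trace: list[Call]) -> list[str]:
    """Flag the classic allocate -> write -> create-remote-thread chain, but
    only when all three steps hit the same foreign process handle from the
    same caller. Any single step on its own is normal (debuggers, profilers)."""
    findings = []
    seen: dict[tuple[int, str], set[str]] = {}  # (pid, hProcess) -> steps seen
    for c in trace:
        if c.api in INJECTION_CHAIN and "hProcess" in c.args:
            key = (c.pid, c.args["hProcess"])
            steps = seen.setdefault(key, set())
            if c.api not in steps:
                steps.add(c.api)
                if steps == INJECTION_CHAIN:
                    findings.append(f"pid {c.pid}: remote thread injection into handle {key[1]}")
    return findings


RUN_KEYS = ("\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Microsoft\\Windows\\CurrentVersion\\RunOnce")


def detect_run_key_persistence(trace: list[Call]) -> list[str]:
    """Flag writes to the Run/RunOnce autostart keys. Deliberately naive: this
    is the rule that fires on installers too (see the benign trace)."""
    return [f"pid {c.pid}: Run-key persistence -> {c.args.get('data')}"
            for c in trace
            if c.api == "RegSetValueExW"
            and any(k in c.args.get("key", "") for k in RUN_KEYS)]


def analyse(trace: list[Call]) -> list[str]:
    return detect_remote_injection(trace) + detect_run_key_persistence(trace)


# Constructed trace of a dropper: inject into another process, then persist.
MALICIOUS = [
    Call(4120, "OpenProcess", {"pid": 1337, "ret": "0x2c4"}),
    Call(4120, "VirtualAllocEx", {"hProcess": "0x2c4", "size": 0x1000, "protect": "PAGE_EXECUTE_READWRITE"}),
    Call(4120, "WriteProcessMemory", {"hProcess": "0x2c4", "size": 0x800}),
    Call(4120, "CreateRemoteThread", {"hProcess": "0x2c4"}),
    Call(4120, "RegSetValueExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                  "name": "Updater", "data": "C:\\Users\\Public\\svchost.exe"}),
]

# Constructed benign trace: a debugger patches a breakpoint into its debuggee
# (WriteProcessMemory, but no remote thread) and an installer registers a
# perfectly legitimate autostart entry. The first rule stays quiet, the second
# fires: that is the false positive the notes warn about.
BENIGN = [
    Call(880, "OpenProcess", {"pid": 2001, "ret": "0x1a8"}),
    Call(880, "WriteProcessMemory", {"hProcess": "0x1a8", "size": 1}),   # int3 patch
    Call(880, "ContinueDebugEvent", {}),
    Call(912, "RegSetValueExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                 "name": "SyncClient", "data": "C:\\Program Files\\Vendor\\sync.exe"}),
]


if __name__ == "__main__":
    print("malicious:", analyse(MALICIOUS))
    print("benign:   ", analyse(BENIGN))
```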

Practical Detection and Identification

  • Tools and Techniques: String analysis, YARA rules (signature matching over files and memory), HollowsHunter (scanning running processes and dumping unpacked or injected PE images from memory) and VirusTotal (multi-engine scanning and family intelligence, looked up by file hash).
  • Focus: Working with unpacked payloads dumped from memory, after the packer stub has run, because that is where strings, signatures and YARA rules match again and identification becomes possible.
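
An added example (not code from the original notes, and not HollowsHunter's own algorithm) of the first step such tools perform: carving PE images out of a process memory dump by validating the "MZ" / "PE\0\0" header pair, then hashing each image so it can be looked up (for example on VirusTotal) or scanned with YARA. The memory buffer is constructed: filler, a decoy "MZ" with no valid PE header behind it, and a minimal fake PE32+ header produced by `fake_pe_header`, which is an assumption made for the example (real headers carry far more fields).

```python
"""Carve PE images from a memory dump and hash them for lookup."""
import hashlib
import struct

MACHINES = {0x14C: "x86", 0x8664: "x64"}


def pe_image_at(buf: bytes, off: int):
    """Return (machine, number_of_sections, size_of_image) if a plausible PE
    header starts at `off`, else None. Checks the DOS stub's e_lfanew, the
    NT signature, the machine type and the optional-header magic."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x400:          # sane range for real headers
        return None
    nt = off + e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0" or nt + 0x58 > len(buf):
        return None
    machine, n_sections = struct.unpack_from("<HH", buf, nt + 4)
    if machine not in MACHINES or not 1 <= n_sections <= 96:
        return None
    opt = nt + 0x18                              # optional header follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 0x38)[0]  # same offset in both formats
    return machine, n_sections, size_of_image


def carve_pe_images(buf: bytes) -> list[dict]:
    """Scan the whole buffer for valid PE headers and hash each image."""
    found = []
    off = buf.find(b"MZ")
    while off != -1:
        info = pe_image_at(buf, off)
        if info:
            machine, n_sections, size_of_image = info
            image = buf[off:off + size_of_image]
            found.append({
                "offset": off,
                "machine": MACHINES[machine],
                "sections": n_sections,
                "size_of_image": size_of_image,
                "sha256": hashlib.sha256(image).hexdigest(),   # key for a VirusTotal lookup
            })
        off = buf.find(b"MZ", off + 1)
    return found


def fake_pe_header(machine: int = 0x8664, n_sections: int = 3, size_of_image: int = 0x4000) -> bytes:
    """Constructed minimal PE32+ header: just enough for the checks above."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    nt = bytearray(0x18 + 0xF0)                             # file header + PE32+ optional header
    nt[0:4] = b"PE\0\0"
    struct.pack_into("<HH", nt, 4, machine, n_sections)
    struct.pack_into("<H", nt, 0x14, 0xF0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", nt, 0x18, 0x20B)                 # optional-header magic: PE32+
    struct.pack_into("<I", nt, 0x18 + 0x38, size_of_image)  # SizeOfImage
    return bytes(dos + nt)


# Constructed "memory dump": zero pages, a decoy "MZ" whose e_lfanew is 0,
# more zeros, then a real-looking image at offset 0x3040.
MEMORY_DUMP = (b"\x00" * 0x1000
               + b"MZ" + b"\x00" * 0x3E
               + b"\x00" * 0x2000
               + fake_pe_header()
               + b"\xCC" * 0x4000)


if __name__ == "__main__":
    for img in carve_pe_images(MEMORY_DUMP):
        print(img)
```

Dumps carved this way are mapped images, not files: section offsets equal their virtual addresses and the import table has been resolved, so tools that rebuild a loadable file (HollowsHunter and pe-sieve do this) have extra work to do before the result can be run or fed to a file-oriented scanner. For hashing and YARA scanning the raw image is already usable.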
