Malware Detection and Identification
links: MAI TOC - Malware Identification - Index
Detection and identification
Malware Families
- Malware, like other software, has lifecycles and versions, forming "families".
- Names (e.g., Zeus, Trickbot) are assigned by security analysts.
- Malpedia tracks thousands of malware families.
Detection vs. Identification
- Detection: Determining if an artifact is malicious.
- Identification: Assigning the detected malware to a known family.
Importance of Identification
- Known malware families come with existing analyses and intelligence.
- Entirely new malware is rare, but when it appears it is significant and requires extensive analysis from scratch (e.g., Stuxnet).
Detection Approaches
- In-depth Analysis: Detecting malware through deep examination of suspicious artifacts.
- Identification-based Detection: Using known characteristics of malware families to detect new instances.
Signatures, AV and packing
Challenges in Detection
- True Positives/Negatives: Correctly flagging a malicious artifact (true positive) or correctly leaving a benign one alone (true negative).
- False Positives/Negatives: Flagging a benign artifact as malicious (false positive, costing analyst time and trust) or missing a malicious one (false negative, a direct security risk).
Malware Signatures
- Concept: Identifying malware by matching known byte sequences in files.
- Advantages: Fast, low false positive rate, useful for identifying malware families.
- Disadvantages: Vulnerable to evasion techniques like packing, not effective for entirely new malware.
Binary Packing and Evasion
- Technique: Compressing or encrypting the original code so that the byte sequences on disk no longer match known signatures; the original payload is restored in memory at runtime.
- Detection: Identifying packed code through string analysis, entropy measurement, and section information.
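A small, self-contained Python script (added here, not part of the course notes) that applies two of these packing indicators, byte entropy and printable-string coverage, to two constructed buffers standing in for an unpacked and a packed section. The thresholds (7.0 bits per byte, 15% string coverage) are assumed starting points rather than values from the notes.

```python
import hashlib
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0           # assumed cutoff; compressed/encrypted data sits near 8 bits/byte
STRING_COVERAGE_THRESHOLD = 0.15  # assumed cutoff; share of bytes lying inside printable strings

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len long, as the `strings` tool reports by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def packing_indicators(data: bytes) -> dict:
    """Combine entropy with string coverage. Random-looking data still produces short junk
    strings, so coverage is measured in bytes rather than by counting matches."""
    strings = printable_strings(data)
    coverage = sum(len(s) for s in strings) / len(data) if data else 0.0
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "string_count": len(strings),
        "string_coverage": round(coverage, 3),
        "likely_packed": entropy >= ENTROPY_THRESHOLD and coverage < STRING_COVERAGE_THRESHOLD,
    }

# Constructed stand-ins, not real samples. The "unpacked" buffer mimics a plain section with a
# DOS stub message, DLL/API names and a user-visible string; the "packed" buffer is a SHA-256
# stream, which is what compressed or encrypted section data looks like to these heuristics.
UNPACKED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"kernel32.dll\x00MessageBoxA\x00ExitProcess\x00"
    + b"Hello from an unpacked sample\x00"
) * 8
PACKED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    for name, buf in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, packing_indicators(buf))
```

On a real sample the same two functions would be run per PE section rather than over the whole file, since a packer usually leaves the stub section readable and only the payload section dense.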
Behavior-based Detection
- Idea: Detecting malware by identifying typical malicious behaviors (e.g., code injection, persistence).
- Advantages: Capable of detecting new malware.
- Disadvantages: Higher false positive rate due to the similarity between legitimate and malicious behaviors.
Practical Detection and Identification
- Tools and Techniques: String analysis, Yara rules, HollowsHunter and VirusTotal.
- Focus: Working with unpacked payloads from memory for effective detection and identification.