Today we're going to be talking about malware: what malware is and how it's used in cybercrime. So, first off, definitions. Malware is just malicious software, software that's trying to do something negative to your computer. It plays a part in most computer intrusions and security incidents because it can be programmed to do lots of different types of attacks and lots of different functions, letting attackers gain access to systems and things like that. So there are a lot of different types of malware, and they play very significant roles in the conduct of cybercrime in today's environment. It's defined as any software that does something that causes harm to a user, computer or network. Now, we talked before about spyware, saying that spyware is basically trying to collect information about users or the system; that also counts as a type of malware, one that collects information. So, any software that's trying to harm a user, computer or network. It can target the user specifically, like we talked about: it could be programmed to do some type of social engineering or social manipulation. It can go after the computer directly, the functions or the software on the computer. Or it can go after the network, trying to gain access to the network, trying to gain access to information sent over the network and copy it out and send it, usually for information-gathering purposes.

Viruses, Trojan horses, worms, rootkits, scareware and spyware all generally classify as malware. Viruses: there are lots of different types of viruses, but basically they just infect systems and then do some action while they're in the system. There are lots of different types, and we'll talk a little bit more about those. Trojan horses specifically try to let somebody gain access to a system. So if a Trojan horse is installed, then the attacker can gain access to that computer and potentially log in remotely, run commands on that computer, something like that.
Worms are very similar to viruses: they infect the system and then attempt to replicate themselves out onto the network and onto other devices and systems. Rootkits attempt to hide other software. So whenever another piece of malicious software is running, a rootkit tries to gain access to the operating system itself so that it can better hide the other pieces of malware that are running; they work in conjunction. Scareware, again, is designed to trick the user into doing some action, either inputting information or, in many cases, buying another piece of software that also doesn't work. Those are things like fake antiviruses. They scare you by saying you have a virus and telling you to install their software to get rid of it, but you may not actually have a virus. When you are scared into clicking on the link, you download and pay for antivirus software that doesn't actually work; it's usually another piece of malware. So they've tricked you into paying for and installing more malware on your system: scaring the user into doing some action. And of course spyware: programs that attempt to collect information on the user, on the computer, on the network, and send that information out for use by the attacker. So there are lots of different types of malware. These include backdoors. Like I said, Trojan viruses are a backdoor. Once they infect your system, that gives access to the system to whoever the attacker was, so they can get back into your computer relatively easily later. A botnet also allows the attacker to access the system. The difference between a botnet and a backdoor is that backdoors normally focus on one computer or a group of computers, whereas botnets try to attack as many computers as possible. And then whenever the attacker wants to control the computers, one command and every computer does that command, very basically.
A downloader is malicious code that only downloads other malicious code. So once a hacker or an attacker gets access to a system, they'll normally install a downloader, and that downloader's responsibility is to download and install other pieces of malware that do specific functions. Rather than installing the virus or whatever directly, the hacker can install just one piece of malware, and it will go out and get many other pieces of malware to install on the system. Information-stealing malware collects information from a victim's computer: things like sniffers, password loggers and keyloggers. This software monitors the system and the network, looking for specific pieces of information. These are normally things like email addresses, usernames and passwords, but they could also be things like credit card numbers, dates, chat messages, anything that could potentially be interesting to an attacker. Launchers are malicious programs used to launch other malicious programs. So, very similar to a downloader, a launcher is responsible for starting up other pieces of malware, and usually the job of the launcher is to start the other pieces of malware in a hidden way, a way that will not be detected by other systems or whenever you are looking at the system; it'll be harder to detect. Rootkits are code designed to conceal the existence of other code, so if a rootkit infects the system, then essentially it takes control of the system, and it can also try to hide malware that's running. Spam-sending malware: attackers make a lot of money off sending spam emails to people, so they need a lot of resources, they need to distribute that load, and they also want to hide where they're located, so they infect many different computers and then use those computers to send spam emails out. This malware essentially infects your computer, and its whole responsibility is to send spam messages.
Worms or viruses: malicious code that can copy itself and infect additional computers. Like I said, there are a lot of different types of viruses and worms, but basically their job is to take over systems and do some action on the system. A worm is more focused on replication, whereas a virus normally has some activity that it needs to execute.

So, a little bit about malware analysis. Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat and eliminate it. We analyze malware to understand how this piece of software works and what we can do to stop it from taking over other systems or doing bad things with our computer. The goals of malware analysis are usually to provide the information needed to respond to a network intrusion. Once our network has been compromised, once we have malware in our network, then we likely have some sort of intrusion situation where an attacker could gain access to our resources. So we need to figure out how best to respond, and we can figure out how to respond if we understand how the malware actually works and what it's designed to do. We also want to determine what happened. We want to know: was information already leaked? What kind of information was it looking for? Do we have any of that information? Is that information important to us or not? That tells us how bad the situation is. And we want to find all infected machines and files. Obviously we want to find out what resources on our network have been compromised, so that we can clean them up and make sure they're not reinfecting systems or leaking information to the outside. Analysis, of course, supports prevention, so we also do malware analysis to get information that lets us prevent the attack from happening again or prevent further attacks from spreading through the network. Once malware has been analyzed, signatures can be created.
These signatures let us identify what malware patterns look like, and once we can detect those patterns, we can remove all of the traces that we know the malware creates. Host-based signatures detect malicious code on the computers themselves, whereas network signatures detect malicious code by monitoring network traffic. So we have a couple of different layers on which we can do malware analysis, looking for signatures of malware: either on the computer (the files that exist on the computer, or the way those files are running on the computer) or in the data that's sent out over the network. What do those data patterns look like? Do they represent anything that might be malicious?

There are two fundamental approaches to malware analysis. First is static analysis, which is examining malware without running it. Very basically, examining malware without running it. Dynamic analysis examines malware while running it. So static and dynamic analysis are two quite different approaches: in one we do not run the malware, and in the other, dynamic analysis, we do run the malware. Now, of course, each of those has its own basic and advanced versions. Basic static analysis examines the executable without viewing the actual instructions. What I mean by that is we don't actually go into the program. We just have an executable or a piece of code, and we look at it without trying to find out exactly the structure of the program code underneath. We can look at things like the file name, the metadata attached to it, and the strings inside the binary file itself. But we don't really get a lot of information. It can help us to start, and for fairly naive pieces of malware we might be able to do a full analysis like that. But most malware nowadays is so advanced that a basic analysis alone is not enough to give us full information about what the malware actually does. It is a good starting point, though, and it's very, very easy to do.
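As an added illustration of the basic static analysis just described (this is example code written for these notes, not part of the lecture or its assignment), the script below does the three things you can do without running a sample: hash it, pull the printable strings out of it, and read the metadata in its PE header. The "executable" it examines is a constructed byte buffer with an MZ stub, a PE signature and a COFF header, plus a few planted strings; it is not a real program, and the list of suspicious API names is a small hypothetical starting list, not a standard.

```python
"""Basic static triage: hashes, printable strings and PE header metadata.
Added example for these notes, not lecture code. The sample below is a
constructed stand-in for an executable so the script runs offline; for a
real file use triage(open(path, "rb").read())."""
import hashlib
import re
import struct
from datetime import datetime, timezone

# Constructed sample: DOS stub with e_lfanew at 0x3C, "PE\0\0" at 0x40, a
# 20-byte COFF header, then planted strings. Not a runnable binary.
def build_sample() -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: machine=i386, 3 sections, timestamp, symtab ptr/count,
    # optional header size, characteristics (EXE image, 32-bit).
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 1_600_000_000, 0, 0, 0xE0, 0x0102)
    body = (b"\x00" * 16 + b"kernel32.dll\x00CreateRemoteThread\x00"
            b"http://example.invalid/update.bin\x00"
            b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return dos + b"PE\x00\x00" + coff + body

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
# Hypothetical starting list; a real triage list would be far longer.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx",
                   "WriteProcessMemory", "URLDownloadToFileA", "WinExec"}

def hashes(data: bytes) -> dict:
    """Hashes are the cheapest host-based signature: share them, look them up."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_pe_header(data: bytes):
    """Read the COFF header of a PE file; None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, sections, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": sections,
        # Compile timestamp is attacker-controlled; useful but not trusted.
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": hex(chars),
    }

def flag_strings(strings: list) -> list:
    """Tag strings that usually deserve a second look during triage."""
    flags = []
    for s in strings:
        if re.match(r"https?://", s):
            flags.append((s, "url"))
        elif "\\CurrentVersion\\Run" in s:
            flags.append((s, "persistence registry key"))
        elif s in SUSPICIOUS_APIS:
            flags.append((s, "injection/download API"))
    return flags

def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"hashes": hashes(data), "pe": parse_pe_header(data),
            "strings": strings, "flags": flag_strings(strings)}

if __name__ == "__main__":
    report = triage(build_sample())
    print(report["hashes"]["sha256"])
    print(report["pe"])
    for s, why in report["flags"]:
        print(f"{why:28} {s}")
```

The flags are hints, not verdicts: packed or obfuscated samples hide exactly these strings, which is the point the lecture makes about basic analysis running out of road on modern malware.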
Basic dynamic analysis: we're running the malware and observing its effect on a system. So we have some sort of test system, a Windows computer, a Linux computer, whatever. We run the malware on that system and find out what changed in the system. So this is a very system-based approach: we're just monitoring what changes happen in the system whenever the malware runs, and if we see those changes on any other systems, then we have an idea of what's going on. This is a little bit more of a functional analysis. Advanced static analysis is when we're actually decompiling the code. We have the binary, and we're trying to split it apart and look inside it at the actual instructions of the program. We're essentially trying to get the program code out of the binary to find out exactly what this piece of malware does, and we use reverse engineering for that. Advanced dynamic analysis uses a debugger. Again, on a test system, we're running the malware, but we also use a debugger to analyze the internal state of the malware while we're running it and monitoring changes in the system. So the basic types of analysis can tell us quite a bit, but the advanced types can give us basically the whole picture, and depending on how sophisticated the malware is, we normally have to do advanced analysis of some type.

So, general rules for malware analysis. First, don't get caught up in the details. Malware is kind of like a puzzle: there are lots of different parts to it, and some parts you might not be able to figure out. Try to answer the easy questions first, then build your way up and come back to the difficult problems. Most malware is very large and complex, with lots of different pieces, so focus on the key features. What is the key feature of this particular piece of malware? We want to go from very general to specific in malware analysis. Different tools and approaches are available.
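The "run it and see what changed" approach to basic dynamic analysis can be shown as a snapshot diff. The script below is an added example written for these notes, not lecture code: it stages a throwaway directory, records a hash of every file, runs a sample in that directory, records again and reports what was created, modified and deleted. The sample here is a constructed, harmless Python script standing in for the malware; a real sample belongs in an isolated VM with a snapshot to roll back to, never on the analyst's own machine. File system changes are only one slice of what a sandbox watches (processes, registry and network traffic are the others), but the before/after pattern is the same.

```python
"""Basic dynamic analysis as a snapshot diff over a directory tree.
Added example for these notes, not lecture code. SAMPLE_SCRIPT is a
constructed, harmless stand-in for the malware under test."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the sample: drops a file, edits a config,
# removes a log. Exercises all three change types we want to catch.
SAMPLE_SCRIPT = """\
from pathlib import Path
Path("dropped").mkdir(exist_ok=True)
Path("dropped/payload.bin").write_bytes(b"\\x90" * 32)
cfg = Path("config.ini")
cfg.write_text(cfg.read_text() + "autostart=1\\n")
Path("old.log").unlink()
"""

def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state

def diff_snapshots(before: dict, after: dict) -> dict:
    """Created, deleted and content-changed paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def run_sample_and_diff(script: str = SAMPLE_SCRIPT) -> dict:
    """Stage a throwaway 'victim' tree, run the sample inside it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("[app]\nversion=1\n")
        (root / "old.log").write_text("nothing to see\n")
        (root / "sample.py").write_text(script)
        before = snapshot(root)
        # The sample runs with the staging directory as its working directory.
        subprocess.run([sys.executable, "sample.py"], cwd=root,
                       check=True, timeout=30)
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in run_sample_and_diff().items():
        print(f"{kind:9} {paths}")
```

The modified list is what turns this into a host-based signature: a config file gaining an `autostart` line, or a dropped `payload.bin`, is the kind of trace the lecture says you look for on other machines once you know the malware creates it. The sample script itself shows up as unchanged, which is a useful sanity check that the diff is keyed on content, not on presence.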
There are lots of different ways to do malware analysis, and lots of tools available for different types of analysis. So don't think that you're stuck with one type of investigation. If you choose a basic analysis and you don't find anything, well, there are lots of other ways to do the analysis as well. So always be flexible whenever you're doing an analysis, and know what options you have. And of course, malware changes rapidly. It's very, very easy to produce, especially modifications to current types of malware, and release those. So malware changes often. Usually the basic structures stay the same, and sometimes a new species of malware comes out. But for the most part malware changes very, very quickly, which means that once we find out how to decompile a certain type of virus or malware, hackers will figure out how to stop us from decompiling it. So there's always this catch-up phase, where investigators have to figure out some new problem, and once we figure it out, the hackers figure out how to get around what we did, and back and forth. So malware analysis changes very, very quickly. Stay up to date on it and realize you have a bunch of different options. A lot of these techniques work for most types of malware, but realize that you have options and don't focus on the specifics whenever you're doing your investigation until you need to. So that's it for malware. We will do a little bit of malware analysis this week, just a very basic executable analysis, and that's what we'll cover in the assignment today. So thank you very much.