You're reading from Learning Network Forensics

Product type: Book
Published in: Feb 2016
Publisher: Packt
ISBN-13: 9781782174905
Edition: 1st Edition
Author: Samir Datt

Samir Datt has been dabbling with digital investigations since 1988, which was around the time he solved his first case with the help of an old PC and Lotus 123. He is the Founder CEO of Foundation Futuristic Technologies (P) Ltd, better known as ForensicsGuru.com. He is widely credited with evangelizing computer forensics in the Indian subcontinent and has personally trained thousands of law enforcement officers in the area. He has the distinction of starting the computer forensics industry in South Asia and setting up India's first computer forensic lab in the private sector. He is consulted by law enforcement agencies and private sector on various technology-related investigative issues. He has extensive experience in training thousands of investigators as well as examining a large number of digital sources of evidence in both private and government investigations.

Chapter 9. Investigating Malware – Cyber Weapons of the Internet

"Malware are the cyber weapons of the information age"

--Samir Datt

Our information age lives are driven by technology. Day in, day out, we live with technology from morning to evening. Technology drives our lives, governs our behavior, manages our finances, enables our work, facilitates our communications, and even enhances our relationships. Hence, it should not come as a surprise that technology also drives the crimes of today. A whole new industry has come up around technology-driven crimes. Organized criminals have taken to cyber crime in a big way. Even countries and states have gone in for cyber warfare. Where there is crime and war, weapons cannot be far behind. Weaponization of the Internet is a multibillion-dollar industry and malware, as we know it, is the weapon of choice.

In this chapter, we will work towards understanding malware, its different types, the various indicators of compromise, and the forensic methods...

Knowing malware


The word "mal" has its origin in Latin and means "bad" in English. "Ware", on the other hand, carries the meaning of "products". Hence, when we put these two together, we get the sense of having bad products or goods made with a bad intent.

As per NIST publication SP800-83, malware, also known as malicious code or malicious software, is meant to signify a program that is inserted (usually covertly) in a system with the intent of compromising or disrupting the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Over the past few years, malware has emerged as an all-encompassing term that includes all sorts of malicious programs, including viruses, worms, Trojans, rootkits, and so on.

Today, malware is considered the most significant external threat to computers and networks. Malware causes considerable losses to organizations in terms of the widespread damage caused, disruption of functioning, and huge recovery efforts required...

Malware types and their impact


As we discussed earlier, malware is malicious software that goes by a variety of names. Some of the names that it has acquired over a period of time include scamware, scareware, spamware, spyware, and so on.

Malware is all that and more. Let's take a look at the different types of malware and their impact.

Adware

Adware, as the name suggests, is an advertising-supported malware that affects your computer with the objective of serving up advertisements. This is quite a money earner for the author as they get paid based on the number of advertisements they serve up. Adware is designed to be persistent and may not be easy to remove by simply uninstalling it. Adware can be annoying at the least and it can also be part of a blended threat, as shown in the following image:

Adware reaches a victim either when they download supposedly useful software or when they visit a site designed to affect the browser, operating system, or both.

Spyware

Spyware is a malicious software...

Understanding malware payload behavior


Every malware out there in the jungle has a job to do. Whether it is to choke up your network or steal your money, malware is designed with an objective. This objective is known as its payload. This is the damage the malware causes to our systems or network. From a network forensic investigation perspective, it is very important for us to understand what the payload of the malware is. This helps us in identifying the extent of damage caused by the malware and figuring out how to contain, counter, or prevent the damage caused.

These payloads can be any of the following:

  • Destructive

  • Theft of identity

  • Espionage

  • Financial fraud

  • Theft of data

  • Misuse of resources

Let's take a brief look at each of these.

Destructive

While most payloads are destructive in one way or another, some malware specialize in carrying out focused destructive activity.

In a number of cases, destructive payloads can be easy to identify and can include crashing the infected system or device. This...

Malware attack architecture


Let's take a look at the following five pillars (stages) in the architecture of a malware attack:

  1. Entry Stage: This is the point from where the malware attempts to enter the victim's system. This could be done via a drive-by download or by clicking a link in an e-mail, which could result in a browser hijack that directs the victim to where the attacker wants them to go.

  2. Distribution Stage: The moment the victim connects to a malicious website, the site directs the victim seamlessly to a Traffic Distribution Server (TDS). This determines the victim's OS and browser. A TDS can be quite sophisticated and can filter out connection requests based on the browser type, OS, IP addresses, and other criteria. At this stage, the TDS can be set to drop requests, or redirect them to decoy sites, when they come from known IP addresses of security researchers, antivirus, or malware firms. Requests from IP addresses that meet the preset criteria are directed to the third stage.

  3. Exploit Stage: At this stage...
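The distribution stage above describes the victim being bounced through a TDS before reaching the exploit site. From the investigator's side, that bouncing leaves a trail of HTTP redirects in the proxy log. The following Python is an added example, not code from the book, that reconstructs redirect chains per client from constructed proxy log lines and flags chains that hop across several distinct hosts. It assumes the proxy records the Location header of 3xx responses (many do not, in which case timing and Referer have to do the job); the log format, hostnames and addresses are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic). Fields: timestamp, client IP, method,
# requested URL, HTTP status, and the Location header the server returned
# ("-" when there was none). Logging Location is an assumption about the proxy.
PROXY_LOG = """\
2016-02-01T10:00:01Z 10.0.0.5 GET http://news.example.com/article 200 -
2016-02-01T10:00:02Z 10.0.0.5 GET http://ads.example-cdn.net/a.js 302 http://tds.example.org/in.cgi?u=1
2016-02-01T10:00:02Z 10.0.0.5 GET http://tds.example.org/in.cgi?u=1 302 http://land.example-x.net/index.php
2016-02-01T10:00:03Z 10.0.0.5 GET http://land.example-x.net/index.php 200 -
2016-02-01T10:05:00Z 10.0.0.8 GET http://www.example.com/ 301 http://www.example.com/home
2016-02-01T10:05:00Z 10.0.0.8 GET http://www.example.com/home 200 -
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, location = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": location}


def reconstruct_redirect_chains(log_text):
    """Group requests per client and follow 3xx Location headers into chains.

    A chain continues only while the client's very next request is exactly the
    URL the previous response redirected to; any other request ends it.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            urls = [recs[i]["url"]]
            j = i
            while (300 <= recs[j]["status"] < 400
                   and recs[j]["location"] != "-"
                   and j + 1 < len(recs)
                   and recs[j + 1]["url"] == recs[j]["location"]):
                urls.append(recs[j + 1]["url"])
                j += 1
            if len(urls) > 1:
                hosts = [urlsplit(u).hostname for u in urls]
                chains.append({"client": client, "urls": urls, "hosts": hosts})
            i = j + 1
    return chains


def suspicious_chains(log_text, min_distinct_hosts=3):
    """Chains that hop across several distinct hosts look like TDS routing;
    a same-site 301 to a canonical URL does not."""
    return [c for c in reconstruct_redirect_chains(log_text)
            if len(set(c["hosts"])) >= min_distinct_hosts]


if __name__ == "__main__":
    for chain in suspicious_chains(PROXY_LOG):
        print(chain["client"], "->", " -> ".join(chain["hosts"]))
```

On the constructed log, client 10.0.0.5 is flagged for the three-host chain ads.example-cdn.net -> tds.example.org -> land.example-x.net, while 10.0.0.8's ordinary same-site 301 is kept out by the distinct-host threshold. The middle host of such a chain is where an investigator would look for the TDS, and the first host for the compromised or malicious page that started the entry stage.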

Indicators of Compromise


Indicators of Compromise (IOC), as they are commonly known, are the symptoms that confirm the presence of the malware malady. Essentially, from a network forensics perspective, these are artifacts (or remnants of an intrusion) that, when discovered on a system or network, indicate a compromise with a high degree of confidence. There are malware-specific IOC and specialized tools such as YARA (http://plusvic.github.io/yara/) that help in identifying the existence of malware based on searches for these IOC.

Typically, IOC include known rogue IP addresses, virus signatures, MD5 hashes of malware, known bad URLs or domain names, and so on.
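As an added example (not the book's code), here is a small Python IOC matcher of the kind the paragraph above describes: it checks the destinations in constructed proxy log lines against sets of rogue IP addresses and bad domains, and hashes candidate files against a set of known-bad MD5 values. All indicators, log lines and the "known bad" sample are constructed for the example; the addresses come from documentation ranges and the domains are reserved example names.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# A sample believed to be malicious, constructed for this example; its hash is
# recorded as an indicator exactly as an investigator would record a real one.
KNOWN_BAD_SAMPLE = b"constructed sample bytes, not a real malware file\n"

# Constructed IOC set. None of these values are real indicators.
IOC = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net", "cdn-files.example.org"},
    "md5": {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest()},
}

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
PROXY_LOG = """\
2016-02-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2016-02-01T10:00:04Z 10.0.0.5 GET http://update-check.example.net/payload.bin 200
2016-02-01T10:00:09Z 10.0.0.7 GET http://203.0.113.45/gate.php 404
2016-02-01T10:00:12Z 10.0.0.7 GET http://files.cdn-files.example.org/x.dat 200
2016-02-01T10:01:15Z 10.0.0.9 POST http://mail.example.com/send 200
"""


def host_indicator(url):
    """Return ("ip", addr) or ("domain", name) for the host part of a URL."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "domain", host


def domain_matches(host, bad_domains):
    """Exact match, or host is a subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def match_log(log_text, ioc=IOC):
    """Scan proxy log lines for destinations that appear in the IOC set."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        kind, value = host_indicator(url)
        if kind == "ip":
            matched = value in ioc["ip"]
        else:
            matched = domain_matches(value, ioc["domain"])
        if matched:
            hits.append({"ts": ts, "client": client, "url": url,
                         "type": kind, "indicator": value})
    return hits


def match_files(files, ioc=IOC):
    """Hash candidate files (name -> bytes) and report those whose MD5 is a known indicator."""
    hits = []
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in ioc["md5"]:
            hits.append((name, digest))
    return hits


if __name__ == "__main__":
    for hit in match_log(PROXY_LOG):
        print(f'{hit["client"]} -> {hit["url"]} matched {hit["type"]} IOC {hit["indicator"]}')
    # One changed byte gives a different hash: hash IOC only catch the exact known sample.
    variant = KNOWN_BAD_SAMPLE + b"x"
    print(match_files({"dropped.exe": KNOWN_BAD_SAMPLE, "variant.exe": variant}))
```

The file check also shows the limitation that the Performing malware forensics section comes back to: a variant that differs by a single byte has a different MD5, so hash-based IOC identify only the exact known sample, and network indicators (rogue addresses, domains) often survive longer across variants than file hashes do.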

To promote standardization, a number of open frameworks are available. However, no framework can claim to be the de facto standard. The two most important frameworks are as follows:

  • Open IOC: This stands for Open Indicators of Compromise. This framework is promoted by Mandiant and is available at http://www.openioc.org/. This is...

Performing malware forensics


Now that we have the fundamentals in place, it is important to understand that malware forensics is different from malware analysis. Malware analysis involves capturing a sample of the malware and performing a static or dynamic analysis on it. Here, the compiled and obfuscated code is reversed in order to try and determine what the malware was programmed to do.

Malware forensics, on the other hand, attempts to locate and examine the forensic artifacts that exist on system media, RAM, and the network to help answer whether the system was compromised, how it was done, what the infection vector was, which particular malware was involved, what data was exfiltrated, and so on.

In the previous section, we looked at the IOC and how they help in identifying whether a system or network has been compromised. While this helps in cases where the compromise was caused by known malware, for zero-day or as yet unknown malware or its variants, a malware forensic investigation needs to...

Summary


This chapter focused on building our understanding of malware: what it is, how it works, what kind of damage it can do, as well as how to go about identifying it. You learned about the IOC and understood how to go about identifying compromised systems and networks. You also learned about the process of malware forensics and the different steps that we follow in the investigation, along with their relevance.

Moving forward in our journey of understanding network forensics, we will look at how to put our knowledge that we gained so far to good use and work together to solve the case in the next chapter.
