Malware

Question 1

What is a definition for Malware?

Answer 1

Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Question 2

How to make money with malware?

Answer 2

• Adware
• Ransomware
• Bot-nets for hire
• Crypting: encrypt the code of malware to evade detection

Question 3

Name and describe the 10 types of malware

Answer 3

Viruses: a malicious executable code attached to another executable file
Worms: can run by themselves, spread over the network
Trojans: malware that carries out malicious operations under the appearance of a desired operation
Spyware: steals private information from a computer system
Ransomware: encrypts data, prompts user to pay ransom to retrieve data
Backdoors: grant the cyber criminals future access to the system
Rootkits: modifies the OS to make a backdoor
Keyloggers: records everything the user types
Adware: displays advertisements to the user to generate profit
Riskware: apps that perform sensitive operations that can pose threats if they are compromised

Question 4

What are the main components of antiviral programs (conventional malware detection)?

Answer 4

• scanning logic
• engine: contains other components
• database: contains information about how previously analyzed malware looks like / behaves

Question 5

Name 7 typical components of conventional malware detection systems

Answer 5

Fingerprint scanning, File type recognition / parsing, archive uncompressed, unpacker for runtime packers, emulator, file disinfection and system cleanup, database and database update logic

Question 6

What is the typical flow of conventional malware detection?

Answer 6

Unarchive, recognize file type, parse file type, unpack, fingerprint scanning + heuristics

Question 7

What is string scanning?

Answer 7

Search for pattern p in text s

Question 8

What is hash scanning?

Answer 8

Match string hashes to db of previously-analyzed and detected malware
Use fuzzy hash functions such as SSDeep for robustness

Question 9

What are the properties of fuzzy hashing algorithms?

Answer 9

• minimal or no diffusion at all: small changes lead to minimal changes
• no confusion at all relationship between key and fuzzy hash is easy to identify
• good collision rate

Question 10

What are Malware-Specific Detection Algorithms?

Answer 10

Custom malware detection logic for a single malware family or variant

Question 11

Name 5 techniques conventional malware detection uses to detect malware

Answer 11

• string scanning
• hash scanning
• malware-specific detection algorithms
• heuristics
• emulation

Question 12

What are Heuristics?

Answer 12

Properties that generalize beyond previously seen malware instances

Question 13

What is emulation?

Answer 13

Run a program within a virtual environment and monitor what it does

Question 14

How does NextGen Malware Detection work?

Answer 14

Use machine learning for classification

Question 15

What are some problems of NextGen Malware Detection?

Answer 15

• labelling of data inconsistent or nonexistent
• concept drift: malware evolves -> detection must continuously evolve
• adversarial ML