Section F0 Introduction to Malware Analysis Flashcards
1
Q
Goals of malware analysis
A
1. determine if the file is malicious
2. extract indicators of compromise
3. create host-based signatures
4. create network signatures
5. determine the capabilities of the malicious code
6. update existing signatures if required
2
Q
Indicators of compromise
A
File hashes (e.g. MD5) • Fuzzy hashes (e.g. SSDeep) • Filenames and folder locations • Registry keys • Strings • IP addresses • Domains and URLs • Network traffic patterns
3
Q
Systems that can use the IOC data
A
Antivirus (AV) signatures • Intrusion Detection System (IDS) signatures (e.g. Snort and Suricata) • File hash databases • Fuzzy hash databases • YARA signatures • Host Intrusion Detection System (HIDS) signatures • Security Information and Event Management (SIEM) signatures • Network firewalls • Network IDS/IPS • Antivirus • Host IDS • Web proxies • Email filters • SIEM logs • Forensic tools
4
Q
OPSEC is a five-step iterative process
A
Identification of critical information • Analysis of threats • Analysis of vulnerabilities • Assessment of risk • Application of appropriate OPSEC measures
5
Q
OPSEC don’ts
A
do not allow malware to connect back to the attacker
do not attempt to manually connect to attacker infrastructure
do not perform port or vulnerability scans on attacker infrastructure
do not use discovered credentials (e.g. FTP usernames/passwords) to access services
6
Q
OPSEC do’s
A
- neuter bad file extensions (e.g. rename bad.exe to bad.exe_)
- password-protect zip files containing malware with the password ‘infected’
- label portable media containing malicious code