Malware is software written to harm a computer or its user. Malicious programs cause problems such as loss of files and theft of confidential information, including bank account details and account credentials. Malware also threatens the integrity of data. Even though many anti-malware technologies are available, many people still suffer from malware infections.
In this assignment we are given the scenario of a company that has been attacked by malware. One of the colleagues was able to detect the malware and succeeded in isolating it in a virtual machine, where it cannot harm the rest of the company network. Our task is to study the malware and find a suitable technique for removing it; the technique should be simple and easily replicable on a larger scale.
In this assignment we study the different types of malware, the techniques available for analysing and removing malware, and a simple technique for removing the malware from the given system.
Malware is the term used to cover all forms of malicious software or code placed fraudulently onto a PC. It is 'malevolent' software, and the term covers viruses, trojans, worms, rootkits, dialers, keyloggers, spyware and adware. Malware can get onto a PC by exploiting security vulnerabilities in the operating system and the software in use, but more usually it is installed by the user, who has been tricked into running it.
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term covering a variety of hostile, intrusive or annoying software or program code. Simply put, malware is software designed to make a computer do something an attacker wants it to do. It is not always designed to destroy a computer; it may, for example, just sit on a machine consuming processor cycles, for instance to crack the encryption of a particular file.
1.1 Malware Problem:
Nowadays malware has become so prevalent that many people no longer take it seriously. Most users are infected at least once, yet they continue to use the infected machine for confidential transactions such as online banking or shopping. Once on a system, malware can do anything from stealing passwords, credit card details and identity information to using the PC to send spam, act as a server for illegal files, and attack other PCs and networks for corporate espionage or denial-of-service attacks.
Malware poses a serious threat to an enterprise and can do anything the attacker can envision. It can use system resources such as CPU cycles or bandwidth, or it can send official and confidential corporate data offsite to the attacker. Most corporations have antivirus systems in place, and some even have antispyware capabilities.
1.2 Malware Types:
Different types of malware exist. The main types are as follows:
1. Worm: Prevalent in networked environments such as the Internet, a worm is defined by Spafford as "a program that can run independently and can propagate a fully working version of itself to other machines." This reproduction is the characteristic behaviour of a worm. The Morris Worm [Spafford 1989] is the first publicly known instance of a program exhibiting worm-like behaviour on the Internet. More recently, in July 2001, the Code Red worm infected about 359,000 hosts on the Internet during the first day after its release [Moore et al. 2002]. Today the Storm worm and others are used to create botnets that are rented out by the bot masters to send spam emails or perform distributed denial of service (DDoS) attacks [Kanich et al. 2008], in which many worm-infected computers try to exhaust the system resources or the available network bandwidth of a target in a coordinated manner.
2. Virus: "A virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently - it requires that its "host" program be run to activate it." [Spafford 1989] As with worms, viruses usually propagate themselves by infecting every vulnerable host they can find. By infecting not only local files but also files on a shared file server, viruses can spread to other computers as well.
3. Trojan Horse: Software that pretends to be useful, but performs malicious actions in the background, is called a Trojan horse. While a Trojan horse can disguise itself as any legitimate program, frequently, they pretend to be useful screen-savers, browser plug-ins, or downloadable games. Once installed, their malicious part might download additional malware, modify system settings, or infect other files on the system.
5. Spyware: Software that retrieves sensitive information from a victim's system and transfers it to the attacker is called spyware. Information of interest to the attacker includes accounts for computer systems or bank account credentials, the history of visited web pages, and the contents of documents and emails.
5. Bot: A bot is a piece of malware that allows its author (i.e., the bot master) to remotely control the infected system. The set of bots collectively controlled by one bot master is denoted a botnet. Bots are commonly instructed to send spam emails or perform spyware activities.
6. Rootkit: The main characteristic of a rootkit is its ability to hide certain information (i.e., its presence) from a user of a computer system. Rootkit techniques can be applied at different system levels, for example, by instrumenting API calls in user-mode or tampering with operating system structures if implemented as a kernel module or device driver. Manipulating the respective information allows a rootkit to hide processes, files, or network connections on an infected system. Moreover, virtual machine based rootkits [King et al. 2006; Rutkowska 2006; Zovi 2006] conceal their presence by migrating an infected operating system into a virtual machine. The hiding techniques of rootkits are not bad per se, but the fact that many malware samples apply rootkit techniques to hide their presence in the system, justifies mentioning them here.
1.3 Malware Removal Techniques:
Today, signatures for anti-virus toolkits are created manually. Before writing a signature, an analyst must know whether an unknown sample poses a threat to users. Different analysis techniques help the analyst to understand quickly and in detail the risk and intention of a given sample. This insight allows the analyst to react to new trends in malware development and to refine existing detection techniques. The opposing intentions of the analyst and the creator of the malware give rise to an arms race: as analysts come up with more refined detection and removal techniques, attackers come up with new evasion techniques. The analysis techniques used by analysts can be categorised into two types, static analysis and dynamic analysis. Analysing a program while it executes is called dynamic analysis, while static analysis refers to all techniques that analyse a program by inspecting it without running it.
1.3.1 Static Analysis:
Static analysis is conducted without running the malware. It consists of inspecting the malware's code, typically by reverse engineering it, and is therefore also called code analysis. Static analysis is comparatively safer than dynamic analysis: because the program is never executed, the risk of files being deleted or information being stolen during the analysis is very low. It remains safe only as long as the sample is not run accidentally, for example by double-clicking the file. The analysis itself consists of learning the logic of the malware program by reading its code and looking for its possible effects on the system. Accidental activation can be avoided by performing the analysis on a different operating system from the one the malware targets.
1.3.2 Dynamic Analysis:
Whereas static analysis does not run the malware, dynamic analysis requires executing it. Dynamic analysis studies the behaviour of the malware when it is installed and run, hence it is also called behaviour analysis. Many automated tools are available for studying the behaviour of malware. These tools record the security-relevant behaviour of the sample and produce a readable report for further analysis. Because the sample really runs, dynamic analysis must be performed on an isolated machine, such as the virtual machine used in this assignment.
1.4 Tools used for Malware Analysis:
1.4.1 Tools for Dynamic Analysis:
Process Explorer and similar process managers are used to gain insight into the processes currently running on a Windows XP machine. TCPView and Wireshark are used to find what effect the malware has on the network. Regshot is used to take a baseline snapshot of the registry and file system before the malware runs, for comparison afterwards. Autoruns lists the autostart entries (Run keys, services, drivers) that malware commonly uses to persist across reboots. Snort is used to inspect network traffic on the Linux platform.
1.4.2 Tools for Static Analysis:
IDA Pro and a hex editor such as HxD are tools for static analysis on Windows, as is BinText, which extracts the readable strings from a binary. OllyDbg is also a Windows tool, but it is a user-mode debugger: although it is often used alongside static analysis when reverse engineering a sample, it runs the sample and therefore belongs to dynamic analysis and must only be used inside the isolated machine.
Procedure and Results
A malware sample has been found in the company network and isolated by one of the colleagues on a separate virtual machine. Our task is to run the malware on this machine to check its effect on the virtual machine, and our goal is to develop a procedure to remove it. The procedure implemented for detecting and removing the malware is given below:
2.1 Process Monitoring:
Process Explorer is used for process monitoring. We first ran Process Explorer before installing the malware to acquire an image of the processes running before the infection. Process Explorer can be downloaded from http://technet.microsoft.com/en-us/sysinternals/bb896653. The acquired image is as follows:
Figure 2.1: Process image before installation of malware.
After double-clicking the malware file we observed some new processes appearing during the installation of the malware. These are circled in the following screenshot. Full.exe and the processes shown in green appeared while the malware was being installed on the system.
Figure 2.2: Process image while installing the malware.
After the installation the process image was acquired again. Certain new processes, Audio.exe, Vmsvc.exe and Tskmamgr.exe, appeared in Process Explorer after the malware was installed. The screenshot showing this is given below.
Figure 2.3: Process image after installation of Malware.
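The before/after comparison of the process list made above by eye can be automated, which is what makes the procedure replicable across many machines. The following Python script is an added example and not part of the original procedure: it parses two snapshots in the shape of `tasklist /FO CSV /NH` output, one taken before and one after running the sample, and reports processes that are new by PID as well as image names that did not exist at all in the baseline. The CSV rows are constructed for the example (the image names match those observed above; the PIDs, session and memory figures are invented). A second svchost.exe instance is reported as a new PID but not as a new name, which is exactly the case a comparison of names alone would miss.

```python
import csv
import io

# Constructed sample rows in the shape of `tasklist /FO CSV /NH` output
# (Image Name, PID, Session Name, Session#, Mem Usage). The names Full.exe,
# Audio.exe, Vmsvc.exe and Tskmamgr.exe are those observed in the essay;
# PIDs and memory figures are invented for the example.
BASELINE_CSV = '''"System","4","Console","0","236 K"
"smss.exe","540","Console","0","388 K"
"csrss.exe","604","Console","0","3,852 K"
"winlogon.exe","628","Console","0","4,120 K"
"services.exe","672","Console","0","3,960 K"
"lsass.exe","684","Console","0","1,312 K"
"svchost.exe","848","Console","0","4,812 K"
"explorer.exe","1532","Console","0","18,204 K"
"procexp.exe","1788","Console","0","9,640 K"
'''

AFTER_CSV = '''"System","4","Console","0","236 K"
"smss.exe","540","Console","0","388 K"
"csrss.exe","604","Console","0","3,852 K"
"winlogon.exe","628","Console","0","4,120 K"
"services.exe","672","Console","0","3,960 K"
"lsass.exe","684","Console","0","1,312 K"
"svchost.exe","848","Console","0","4,812 K"
"svchost.exe","1924","Console","0","2,104 K"
"explorer.exe","1532","Console","0","18,204 K"
"procexp.exe","1788","Console","0","9,640 K"
"Full.exe","1896","Console","0","6,412 K"
"Audio.exe","1960","Console","0","2,980 K"
"Vmsvc.exe","2012","Console","0","3,116 K"
"Tskmamgr.exe","2044","Console","0","2,760 K"
'''


def parse_tasklist(csv_text):
    """Return {pid: image_name} from header-less tasklist CSV rows."""
    procs = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue                      # blank trailing line
        procs[int(row[1])] = row[0]
    return procs


def diff_processes(before, after):
    """Compare two snapshots.

    Returns (new_pids, gone_pids, new_names):
      new_pids  - {pid: name} present after but not before
      gone_pids - {pid: name} present before but not after
      new_names - image names with no instance at all in the baseline
    A new PID with a familiar name (a second svchost.exe) appears in
    new_pids only; that is the case a name-only comparison would miss.
    """
    new_pids = {pid: name for pid, name in after.items() if pid not in before}
    gone_pids = {pid: name for pid, name in before.items() if pid not in after}
    baseline_names = {name.lower() for name in before.values()}
    new_names = sorted({name for name in new_pids.values()
                        if name.lower() not in baseline_names})
    return new_pids, gone_pids, new_names


def report(before_csv=BASELINE_CSV, after_csv=AFTER_CSV):
    """Human-readable summary of the differences between two snapshots."""
    before, after = parse_tasklist(before_csv), parse_tasklist(after_csv)
    new_pids, gone_pids, new_names = diff_processes(before, after)
    baseline_names = {name.lower() for name in before.values()}
    lines = ["New image names: " + ", ".join(new_names)]
    for pid in sorted(new_pids):
        note = "  (familiar name, new instance)" if new_pids[pid].lower() in baseline_names else ""
        lines.append(f"  new PID {pid:5d}  {new_pids[pid]}{note}")
    for pid in sorted(gone_pids):
        lines.append(f"  gone PID {pid:5d}  {gone_pids[pid]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Windows reuses PIDs, so a PID that disappears and reappears between the two snapshots can belong to an unrelated process; the PID view and the name view therefore have to be read together, and a familiar name with a new instance (here the extra svchost.exe) deserves the same scrutiny as an unfamiliar name.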
2.2 Registry Monitoring:
To monitor the changes that the malware makes to the registry we used Regshot. The software can be downloaded from http://sourceforge.net/projects/regshot. First we took an image of the registry before installing the malware by clicking the "1st shot" button. The screenshot is given below.
Figure 2.4: First shot using Regshot.
Then the malware was installed, and a second image of the registry was taken with Regshot by clicking the "2nd shot" button. This second shot is shown below:
Figure 2.5: Second shot using Regshot.
Both shots are then compared to find the changes in the registry caused by the installation of the malware. The two images are compared by clicking the "cOmpare" button, as shown in figure 2.6. The result of the comparison is saved as a text file at the path given in the Output path field. It lists the changed registry keys and values, the paths of the files that changed, and the total number of changes.
Figure 2.6: Comparison between two images of registry.
The changes to the registry and file system can be summarised as follows (the eight counts add up to the total):
Keys added: 57
Values added: 202
Values modified: 12
Files added: 52
Files deleted: 1
Files [attr] modified: 17
Folders added: 2
Total changes: 343
Figure 2.7: Output file of comparison of registry images.
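A Regshot report of this size (343 changes) is mostly noise from normal Windows activity, and the entries that matter for removal are the ones that make the malware start again after a reboot. The Python below is an added example, not the essay's own report or tool: it parses a report in the shape of Regshot's text output (the sample report is constructed; the section headings follow Regshot's `Keys added:N` layout, and the assumption that a modified value is listed as an old line followed by a new one is ours), checks that the section counts add up to the total as they do above, flags every entry under the well-known autostart locations (Run/RunOnce, Winlogon Shell/Userinit, Services, Image File Execution Options, Browser Helper Objects), and extracts the executable paths those entries point to. The paths are what a removal procedure has to delete; the autostart entries are what it has to revert.

```python
import re

# Constructed report in the shape of Regshot 1.8.x text output. The real
# report from the assignment is not reproduced; the entries below are
# invented, and we assume a modified value is printed as old line, new line.
SAMPLE_REPORT = r"""Regshot 1.8.2
Comments:
Datetime:2010/3/15 10:20:15  ,  2010/3/15 10:25:40
Computer:WINXP , WINXP
Username:analyst , analyst

----------------------------------
Keys added:2
----------------------------------
HKLM\SOFTWARE\Audio
HKLM\SYSTEM\CurrentControlSet\Services\Vmsvc

----------------------------------
Values added:3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio: "C:\WINDOWS\system32\Audio.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Vmsvc\ImagePath: "C:\WINDOWS\Vmsvc.exe"
HKLM\SOFTWARE\Audio\Installed: 0x00000001

----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe Tskmamgr.exe"

----------------------------------
Files added:1
----------------------------------
C:\WINDOWS\system32\Audio.exe

----------------------------------
Total changes:7
----------------------------------
"""

# Section heading: "Keys added:2", "Files [attr] modified:17", ...
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z \[\]]*):\s*(\d+)\s*$")

# Registry locations Windows consults to start code automatically. A change
# here is what a removal procedure must revert, or the malware comes back.
AUTOSTART_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?(\\|$)",
    r"\\Winlogon\\(Shell|Userinit)\b",
    r"\\CurrentControlSet\\Services\\",
    r"\\Image File Execution Options\\",
    r"\\Explorer\\Browser Helper Objects\\",
)]

# A drive-letter path to an executable, with or without surrounding quotes.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:exe|dll|sys|bat|scr))', re.IGNORECASE)


def parse_regshot(text):
    """Split a Regshot text report into {section: [entries]} plus the
    per-section counts that Regshot prints in each heading."""
    sections, counts, current = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("----"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            counts[current] = int(m.group(2))
            sections[current] = []
        elif current is not None:         # skips the preamble lines
            sections[current].append(line)
    return sections, counts


def total_is_consistent(counts):
    """Regshot's 'Total changes' should equal the sum of the section counts."""
    parts = sum(n for name, n in counts.items() if name != "Total changes")
    return parts == counts.get("Total changes")


def persistence_changes(sections):
    """(section, entry) pairs that touch an autostart location."""
    hits = []
    for name, entries in sections.items():
        if not name.startswith(("Keys", "Values")):
            continue
        for entry in entries:
            if any(p.search(entry) for p in AUTOSTART_PATTERNS):
                hits.append((name, entry))
    return hits


def referenced_files(hits):
    """Executable paths named by the autostart entries: the files to delete."""
    return sorted({m.group(1) for _, entry in hits for m in PATH_RE.finditer(entry)})


if __name__ == "__main__":
    sections, counts = parse_regshot(SAMPLE_REPORT)
    print("counts consistent:", total_is_consistent(counts))
    hits = persistence_changes(sections)
    for name, entry in hits:
        print(f"[{name}] {entry}")
    print("files to remove:", referenced_files(hits))
```

Run against a real report, the output is the removal checklist: each flagged value has to be deleted or restored to its original contents (for the Winlogon Shell value that is `Explorer.exe` alone), each flagged service key removed, and each referenced file deleted, after which a fresh Regshot comparison after a reboot should show none of these entries reappearing.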
2.3 Code Analysis:
The tool we used for code analysis is the HxD hex editor. It lets us look at the bytes inside Malware.exe, and from the readable strings embedded in them we can see which files the malware might drop or affect. Code analysis is static analysis, so the malware need not be installed for it. The screenshots showing Full.exe and the .dll files referenced by the malware are as follows.
Figure 2.8: Code analysis showing Full.exe & .dll files.
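Scrolling through a hex editor looking for file names is slow and easy to get wrong; what the analyst is really doing is reading the printable strings out of the binary. The Python below is an added example, not the essay's tool and not the content of Malware.exe: it extracts both ASCII and UTF-16LE strings from a constructed byte blob (the file names echo those seen in section 2.1; the address is from the TEST-NET-2 documentation range) and sorts them into file names, URLs, registry paths and Windows API names, the same information the HxD screenshots were used to find. The minimum string length and the classification rules are assumptions made for the example. UTF-16 is included because Windows programs often store registry paths and URLs that way, and an ASCII-only pass through a hex editor shows them only as letters separated by zero bytes.

```python
import re

# Constructed byte blob standing in for part of a dropper's image. It is not
# the content of the essay's Malware.exe; file names echo those observed in
# section 2.1 and the IP address is from the TEST-NET-2 documentation range.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"PE\x00\x00L\x01\x03\x00"
    + b"kernel32.dll\x00CreateProcessA\x00WriteFile\x00"
    + b"\x01\x02\x03\x04"
    + b"C:\\WINDOWS\\system32\\Audio.exe\x00"
    + b"Full.exe\x00wininet.dll\x00InternetOpenUrlA\x00"
    + b"\xde\xad\xbe\xef"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + "http://198.51.100.23/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                          # below the minimum length, not reported
)

# Order matters: the first matching rule labels the string.
INDICATOR_RULES = [
    ("url",      re.compile(r"^https?://\S+$", re.IGNORECASE)),
    ("registry", re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+|Software)\\", re.IGNORECASE)),
    ("file",     re.compile(r"\b[\w.-]+\.(exe|dll|sys|bat|scr)\b", re.IGNORECASE)),
    ("api",      re.compile(r"^[A-Z][A-Za-z0-9]+$")),
]


def extract_strings(data, min_len=5):
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters,
    returned as (offset, encoding, text) in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def classify(text):
    """Label one string with the first indicator rule it satisfies."""
    for label, rule in INDICATOR_RULES:
        if rule.search(text):
            return label
    return "other"


def indicators(data, min_len=5):
    """Group the strings by what they reveal: files the sample may drop or
    load, network endpoints, registry keys, and imported API names."""
    groups = {}
    for _, _, text in extract_strings(data, min_len):
        groups.setdefault(classify(text), []).append(text)
    return {label: sorted(set(items)) for label, items in groups.items()}


if __name__ == "__main__":
    for label, items in indicators(SAMPLE_BINARY).items():
        print(label)
        for item in items:
            print("   ", item)
```

The file group is the list to look for on disk and in the process list after the sample runs, the registry group tells the analyst where to look in the Regshot output, and the API group (here process creation, file writing and HTTP access) gives an early idea of the behaviour to expect before the sample is ever executed. Packed or encrypted samples defeat this: if a binary yields almost no strings, the strings only appear in memory after unpacking, which is one reason dynamic analysis is still needed.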
2.4 Malware Removal:
We used the automated tool ComboFix for removing the malware from the machine. ComboFix can be downloaded from http://www.combofix.org/download.php and is freeware. It is very easy to use: we just have to run the tool and it removes the malware from the machine. The main reason we chose ComboFix is that it generates a complete report of all its operations after removing the malware. The following screenshots show how ComboFix works once the process has been started.
Figure 2.9: Operation of Combofix.
After completing all the steps shown in the screenshots above, ComboFix generates a log report that lists all the files it fixed during the removal of the malware. This log should be checked against the processes and registry changes observed in sections 2.1 and 2.2 to confirm that every dropped file and autostart entry has actually been removed.
Figure 2.10: Log report generated by Combofix.
Malware is harmful to computers and poses a serious threat to an enterprise; it can do anything the attacker can envision. It can consume system resources such as CPU cycles or bandwidth, or it can send official and confidential corporate data offsite to the attacker. Most corporations have antivirus systems in place, and some even have antispyware capabilities.
Different malware removal techniques are available. The one we used in this assignment is one of the simplest. It is easy to replicate, as most of the tools used are freeware and readily available for download. With more time it would be possible to go deeper into the code analysis and trace the program logic of the sample using tools other than those used here. Manual removal of the malware would also be possible if a significant amount of time were spent on the task instead of relying on an automated tool.