    Introduction to Malware Analysis


    Understanding Malware Behaviour

    Analyzing Malware Network Communication Patterns

    Software that is intentionally hostile, intrusive, or damaging to a computer or network.

    Introduction

    Network analysis is a critical part of malware analysis. It studies how a malware-infected system communicates with hosts outside it: what it connects to, how often, and what it sends and receives. This unit covers the network protocols malware commonly abuses, the tools used to capture and inspect traffic, and the patterns that distinguish malware communication from legitimate traffic.

    Understanding Network Protocols Commonly Abused by Malware

    Malware rarely invents its own protocols. It rides on standard ones so that its traffic blends in and passes firewalls and proxies, whether it is talking to command and control (C2) servers, exfiltrating data, or propagating to other systems. The most commonly abused protocols are HTTP and HTTPS (C2 check-ins and payload downloads, because outbound web traffic is allowed almost everywhere), DNS (resolving C2 domains, including algorithmically generated ones, and tunnelling data in long query names or TXT records), and SMTP (sending spam or exfiltrating data as mail). The protocol also shapes what you can observe: TLS hides the payload, so HTTPS C2 is analysed through connection metadata (destination, timing, SNI, certificate details) unless you intercept it in the lab, whereas DNS and plain HTTP expose the full request. Understanding these protocols and how malware bends them is crucial for effective network analysis.

    Tools for Network Analysis

    Several tools can aid in the analysis of network traffic. Here are a few:

    • Wireshark: a widely used network protocol analyzer. It captures traffic and lets you browse it interactively, with per-protocol dissectors and display filters (for example dns or http.request) to isolate the streams you care about.

    • NetworkMiner: a network forensic analysis tool for Windows (it also runs on Linux under Mono) that parses a capture passively and lists the hosts, protocols, ports, and sessions it contains, and carves transferred files and credentials out of the traffic.

    • Tcpdump: a command-line packet capture and display tool built on libpcap. It is typically used to record traffic to a pcap file (tcpdump -i eth0 -w capture.pcap) for later analysis in Wireshark, and on a headless sandbox it is often the only capture option available.

    Identifying Malware Network Communication Patterns

    Malware often exhibits unique network communication patterns. These can include:

    • Beaconing: regular, automated check-ins from the infected host to the C2 server, used to keep the session alive and poll for commands. The interval is often fixed with a small random jitter, so it shows up as a near-constant inter-arrival time between connections from one host to one destination.

    • Data Exfiltration: the unauthorized transfer of data from the infected host to attacker-controlled infrastructure (the C2 server or a separate drop site). It can occur at any time and may be a single large upload or many small chunks spread over hours, sometimes hidden in DNS queries or HTTPS POST bodies; outbound volume that is unusual for that host is the tell.

    • Fast Flux: a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing set of compromised hosts acting as proxies. The domain resolves to many different IP addresses with very short TTLs.

    • Domain Generation Algorithms (DGAs): the malware and its operator both run the same algorithm (usually seeded with the current date) to generate a large number of candidate domain names. The operator registers only a few of them, so the infected host produces a burst of lookups for random-looking names, most of which fail to resolve (NXDOMAIN), before one succeeds and points at the C2 server.
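    Two of the patterns above, beaconing and DGA lookups, can be surfaced from ordinary connection and DNS logs. The following is an added example, not code from the course or from any particular tool: the connection log, the DNS query list, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed assumptions. Beaconing is detected by measuring how regular the inter-arrival times are for each source/destination pair; DGA-style names are flagged by the length, Shannon entropy and vowel ratio of the label left of the TLD.

```python
import math
import statistics
from collections import defaultdict

# --- Constructed sample data (not a real capture) ----------------------------
# Addresses come from the RFC 5737 documentation ranges; .example is reserved.

def _series(start, gaps):
    """Expand a start time plus inter-arrival gaps (seconds) into timestamps."""
    times = [start]
    for gap in gaps:
        times.append(times[-1] + gap)
    return times

T0 = 1_700_000_000
# Connection log rows: (epoch seconds, source IP, destination IP, destination port)
CONN_LOG = (
    # Implant checking in about every 60 s with a few seconds of jitter.
    [(t, "192.0.2.10", "203.0.113.10", 443)
     for t in _series(T0, [60, 61, 59, 60, 62, 58, 60, 61, 59])]
    # A user browsing a site at irregular, human-driven intervals.
    + [(t, "192.0.2.10", "198.51.100.5", 443)
       for t in _series(T0 + 7, [5, 130, 2, 900, 40, 3, 2000])]
    # Too few connections to judge either way.
    + [(t, "192.0.2.10", "198.51.100.9", 80) for t in _series(T0, [60, 60])]
)

# DNS query names observed from the same host (constructed list).
DNS_QUERIES = [
    "update.microsoft.com",
    "login.microsoftonline.com",
    "stackoverflow.com",
    "wvkjrhqsdgfplmtx.example",
    "x9qzv3ptwmlr7kdj.example",
]


def beacon_candidates(log, min_samples=6, max_cv=0.2):
    """Return {(src, dst, port): (mean_gap, cv)} for pairs whose connection
    inter-arrival times are nearly constant.  cv is the coefficient of
    variation (stdev / mean); a small value means a machine-regular cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in log:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_samples:
            continue  # not enough evidence; revisit after a longer capture
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[pair] = (round(mean, 1), round(cv, 3))
    return hits


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character."""
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_like(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy, vowel-poor registrable label.
    The thresholds are assumptions to tune against your own DNS baseline."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]  # label left of the TLD
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def suspicious_domains(queries):
    """Sorted, de-duplicated query names that look algorithmically generated."""
    return sorted({q for q in queries if dga_like(q)})


if __name__ == "__main__":
    for pair, (mean_gap, cv) in beacon_candidates(CONN_LOG).items():
        print(f"beacon? {pair}: every {mean_gap}s, cv={cv}")
    print("DGA-like:", suspicious_domains(DNS_QUERIES))
```

    On the constructed log only the 203.0.113.10:443 pair is reported (mean gap 60 s, cv about 0.02); the browsing pair has a cv well above 0.2 and the third pair has too few samples. The DGA heuristic needs all three conditions: a long brand name such as "stackoverflow" clears the entropy bar but has too many vowels, and "microsoftonline" is long but low in entropy, so neither is flagged. Real DGAs vary (some use dictionary words), so treat this as a triage filter, not a verdict, and confirm with the NXDOMAIN burst described above.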

    Extracting Network-based Indicators of Compromise (IoCs)

    Network-based IoCs are artifacts observed on a network that indicate a potential security incident: IP addresses, domain names and URLs, but also less obvious values such as a distinctive User-Agent string, a URI pattern or a TLS certificate. Tools like Wireshark and NetworkMiner can extract them from a capture. Before sharing an IoC, check that it is specific to the malware: a CDN or cloud IP address, a public DNS resolver or a shared hosting domain also appears in legitimate traffic and will produce false positives if blocked or alerted on.
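    Extraction at its simplest means walking the packet layers and pulling out the fields that identify where the malware talked and what it asked for. The following is an added example, not code from the course or from Wireshark or NetworkMiner: a minimal Ethernet/IPv4 parser that takes DNS query names from UDP/53 packets and hosts, destination IPs and URLs from plain-text HTTP requests. The frames are constructed in memory (documentation addresses from RFC 5737, the reserved .example TLD, a hypothetical /gate.php path) so the script runs offline; a real capture would be read from a pcap file with the same per-frame logic.

```python
import socket
import struct

# Constructed frames (not a real capture). Addresses are from the RFC 5737
# documentation ranges and .example is a reserved TLD.
ETH_HDR = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4


def _ipv4_frame(proto, src, dst, payload):
    """Ethernet + minimal IPv4 header (checksum left at 0) around a L4 payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ETH_HDR + ip_hdr + payload


def _dns_query_frame(src, resolver, name):
    """UDP/53 A-record query for `name` (standard query, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 51234, 53, 8 + len(dns), 0) + dns
    return _ipv4_frame(17, src, resolver, udp)


def _http_frame(src, dst, host, path):
    """TCP/80 segment (PSH,ACK, 20-byte header) carrying a plain HTTP GET."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + request
    return _ipv4_frame(6, src, dst, tcp)


SAMPLE_FRAMES = [
    _dns_query_frame("192.0.2.10", "192.0.2.1", "cdn-update.example"),
    _http_frame("192.0.2.10", "203.0.113.10", "cdn-update.example", "/gate.php?id=7f3a"),
    _dns_query_frame("192.0.2.10", "192.0.2.1", "wvkjrhqsdgfplmtx.example"),
]


def parse_ip(frame):
    """Return (protocol, src, dst, layer-4 bytes) for an IPv4 frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, honours IP options
    return ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[ihl:]


def dns_qname(dns):
    """Decode the first question name of a DNS message (queries use no compression)."""
    pos, labels = 12, []  # skip the 12-byte header
    while pos < len(dns):
        n = dns[pos]
        if n == 0 or n & 0xC0:  # end of name, or a compression pointer
            break
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def extract_iocs(frames):
    """Collect contacted IPs, queried/contacted domains and full URLs."""
    iocs = {"ips": set(), "domains": set(), "urls": set()}
    for frame in frames:
        parsed = parse_ip(frame)
        if parsed is None:
            continue  # ARP, IPv6 etc. are not handled here
        proto, _src, dst, l4 = parsed
        if proto == 17 and struct.unpack("!H", l4[2:4])[0] == 53:
            # The resolver's address is infrastructure, not an IoC; the name is.
            iocs["domains"].add(dns_qname(l4[8:]))
        elif proto == 6:
            data = l4[(l4[12] >> 4) * 4:]  # skip the TCP header (data offset)
            if data.startswith((b"GET ", b"POST ")):
                request_line, *headers = data.split(b"\r\n")
                path = request_line.split(b" ")[1].decode()
                host = next((h.split(b":", 1)[1].strip().decode()
                             for h in headers if h.lower().startswith(b"host:")), dst)
                iocs["ips"].add(dst)
                iocs["domains"].add(host)
                iocs["urls"].add(f"http://{host}{path}")
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_FRAMES).items():
        print(kind, sorted(values))
```

    The parser deliberately does not record the DNS resolver's IP, only the queried name: the resolver is shared infrastructure and would be a false positive. For HTTPS the same walk stops at the TLS ClientHello, where the SNI field and the server certificate are the only name-level IoCs available without interception.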

    Analyzing Malware Command and Control (C2) Traffic

    C2 traffic is the communication between the infected host and the C2 server. Analysing it reveals what the malware reports back (host fingerprint, installed software, user privileges), which commands and modules it can receive, and therefore its objectives. The infrastructure and protocol details can support attribution when combined with other evidence, but on their own they rarely identify a threat actor. In the lab, run the sample in an isolated network with a fake DNS resolver and HTTP responder so that the C2 exchange is captured without the sample ever reaching the real server.

    In conclusion, network analysis is a vital part of malware analysis. It provides insights into the malware's communication patterns, which can help in its identification and mitigation. By understanding these patterns and using the right tools, you can effectively analyze network traffic and contribute to the fight against malicious software.
