This document provides an overview of malware topics that will be covered in a 4-week lecture series. It defines malware and describes common types including viruses, worms, trojans, ransomware, bots/botnets, adware, spyware, rootkits, and fileless malware. It explains how malware spreads and signs of infection. Methods of malware analysis, detection techniques, and creating a safe analysis environment are outlined. Potential malware sources and 5 cyber threat trends for 2022 are also summarized. The document concludes with 5 case studies examining real-world incidents involving supply chain attacks, account takeovers, out-of-hours attacks, lower barriers to entry for criminals, and new ransomware approaches.
2. Lecture : 24 & 31 March, 7 & 14 April
• Session 4 : Thursday, 24 March 2022 : Malware
• Session 5 : Thursday, 31 March 2022 : Mobile Device Security
• Session 6 : Thursday, 07 April 2022 : Access Control Fundamentals
• Session 7 : Thursday, 14 April 2022 : Basic Cryptography
3. CONTENTS
• Malware Definition
• Types of Malware
• How Malware Spreads
• Signs of Malware Infection
• Prevent Malware Infection
• Malware Analysis
• Malware Detection Techniques
• Safe Lab Environment for Malware Analysis
• Malware Sources
• Case Study
4. MALWARE DEFINITION
• Short for malicious software.
• Software used or created to:
  • disrupt computer operation
  • gather sensitive information (bank / credit card numbers, etc.)
  • gain access to private computer systems.
5. TYPES OF MALWARE
• Viruses
  • Program/piece of code loaded onto the victim's computer without their knowledge & run against their wishes.
  • Can replicate themselves
• Worms
  • Self-replicating computer program
  • Does not need to attach itself to a software program in order to cause damage.
6. TYPES OF MALWARE
• Trojans
  • A type of malware that downloads onto a computer disguised as a legitimate program.
  • Often used to capture your logins & passwords.
• Ransomware
  • Malware that employs encryption to hold a victim's information at ransom
  • Often spread through phishing emails that contain malicious attachments or through drive-by downloading
• Bots or Botnets
  • The term “botnet” is formed from the words “robot” & “network”
  • Botnets are networks of hijacked computer devices used to carry out various scams & cyberattacks.
• Adware
  • Short for advertising-supported software
  • A type of malware that automatically delivers advertisements
7. TYPES OF MALWARE
• Spyware
  • Defined as malicious software designed to enter your computer device, gather data, & forward it to a third party without your consent.
• Rootkit
  • A set of programs that allow a hacker to maintain access to a computer after cracking it & that prevent the hacker from being detected.
• Fileless malware
  • A type of malicious software that uses legitimate programs to infect a computer.
  • It does not rely on files & leaves no footprint, making it challenging to detect & remove.
• Malvertising
  • Malicious advertising
  • Criminally controlled advertisements within Internet-connected programs, usually web browsers, that intentionally harm people & businesses with assorted malware, potentially unwanted programs & assorted scams.
10. PREVENT MALWARE INFECTION
Protect vulnerabilities
• 01 Update your operating system, browsers, & plugins
• 02 Enable click-to-play plugins
• 03 Remove software you don’t use (especially legacy programs)
Social engineering
• 04 Read emails with an eagle eye.
• 05 Do not call fake tech support numbers
• 06 Do not believe the cold callers
Practice safe browsing
• 07 Use strong passwords &/or password managers
• 08 Make sure you’re on a secure connection
• 09 Log out of websites after you’re done
Layer security
• 10 Use firewall, anti-malware, anti-ransomware, & anti-exploit technology.
11. MALWARE ANALYSIS
• The study of malware's behavior
• To understand the working of malware, how to detect & eliminate it
• Involves analyzing the suspect binary in a safe environment to identify its characteristics & functionalities
12. WHY MALWARE ANALYSIS?
1. To determine the nature & purpose of the malware.
2. To gain an understanding of how the system was compromised & its impact
3. To identify the network indicators associated with the malware
4. To extract host-based indicators such as filenames, registry keys, etc.
5. To determine the attacker's intention & motive
13. MALWARE DETECTION TECHNIQUES
| Factors | Static Analysis | Dynamic Analysis | Hybrid Analysis |
|---|---|---|---|
| Time required | Less | More | More |
| Input | Binary files, scripting language file, etc. | Memory snapshots, runtime API data | Data obtained from both analyses |
| Code obfuscation | Yes | No | No |
| Resource consumption (power & memory) | Less | More | More |
| Effectiveness & accuracy | Lower than dynamic analysis | Medium | High, more accurate (combining both analyses) |
| Target code execution | Not possible | Possible | Possible |
| Advantages | Low cost & requires less time for analysis | Provides deep analysis & higher detection rate | Extracts features of both static & dynamic analysis, provides more accurate results |
| Limitations | Limited signature database | More time & power consumption | High cost |
14. SCANNING THE SUSPECT BINARY WITH VIRUSTOTAL
• Popular web-based malware scanning service.
• It allows users to upload a file, which is scanned with various anti-virus scanners, & the results are presented in real time on the web page.
• The VirusTotal web interface provides the ability to search their database using a hash, URL, domain, or IP address.
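An added example (not from the lecture and not VirusTotal's own code) of the static-analysis half of the table above: hashing a suspect file so it can be looked up by hash instead of uploaded, pulling host-based and network indicators out of its printable strings, and applying an assumed triage rule to the engine counters a VirusTotal v3 file report returns. The sample bytes, the API watch-list and the verdict threshold are all constructed for the illustration.

```python
import hashlib
import re

# Constructed stand-in for a suspect binary: header bytes, padding and a few
# embedded strings of the kind a static pass surfaces. All values are made up;
# 192.0.2.10 and example.invalid are reserved documentation names.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"http://example.invalid/update.bin\x00"
    + b"192.0.2.10\x00CreateRemoteThread\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"\xff" * 8
)

URL_RE = re.compile(r"https?://[^\s\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed, deliberately small watch-list of APIs common in process injection.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}


def file_hashes(data: bytes) -> dict:
    """Hashes used to search VirusTotal's database instead of uploading the file."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len bytes, the same idea as the `strings` tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_indicators(data: bytes) -> dict:
    """Host-based and network indicators recoverable without executing the sample."""
    found = printable_strings(data)
    blob = "\n".join(found)
    return {
        "urls": URL_RE.findall(blob),
        "ips": IPV4_RE.findall(blob),
        "apis": sorted(SUSPICIOUS_APIS.intersection(found)),
        "registry_keys": [s for s in found if s.startswith(("HKLM\\", "HKCU\\", "Software\\"))],
    }


def vt_report_url(sha256: str) -> str:
    """VirusTotal v3 file-report endpoint for a hash lookup (GET with an x-apikey header)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def triage_verdict(last_analysis_stats: dict, threshold: int = 5) -> str:
    """Assumed triage rule over data.attributes.last_analysis_stats from a VT report:
    consensus-clean, clearly malicious, or a grey zone for the dynamic-analysis steps."""
    flagged = last_analysis_stats.get("malicious", 0) + last_analysis_stats.get("suspicious", 0)
    if flagged == 0:
        return "clean-by-consensus"
    return "malicious" if flagged >= threshold else "needs-dynamic-analysis"
```

Obfuscated or packed samples defeat the string pass (the "Code obfuscation: Yes" row), which is exactly the case the grey-zone verdict hands over to dynamic analysis.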
15. DYNAMIC ANALYSIS STEPS
1. Reverting to the clean snapshot
2. Running the monitoring/dynamic analysis tools
3. Executing the malware specimen
4. Stopping the monitoring tools
5. Analyzing the results
16. SAFE LAB ENVIRONMENT FOR MALWARE ANALYSIS
• Keep your virtualization software up to date.
• Install a fresh copy of the operating system inside the virtual machine (VM).
• Do not keep any sensitive information in the virtual machine.
• Consider using host-only network configuration mode to restrict the malware from reaching the Internet.
• Do not connect any removable media that might later be used on the physical machines.
• It is recommended to choose a base operating system such as Linux or macOS for the host machine instead of Windows.
19. CASE STUDY 1: Technology Supply Chain Attacks
• Attackers can embed malicious software throughout supply chains through proprietary source code, developer repositories or open-source libraries, & traditional security tools struggle to identify them.
• An effective response to supply chain attacks requires technology that can identify subtle deviations in activity that point to an emerging compromise, without relying on pre-defined rules & binary ‘block’ or ‘allow’ response mechanisms.
Real-World Case Study: Log4Shell attack stopped by Autonomous Response
• December 2021: an Internet-facing server was discovered that had been compromised via the Log4Shell vulnerability.
• The server connected to an anomalous external IP for C2 & malware delivery, using HTTP over port 88 – which was highly unusual for that device, its peer group, & the organization as a whole.
• This targeted response meant that the server could continue functioning as normal – but all the highly anomalous actions were interrupted in real time.
Figure 1: Antigena responds, blocking connections to the malicious IP address
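An added illustration (not from the lecture and not Darktrace's product logic) of the three-scope check the case describes: a connection pattern is judged against what the device itself, its peer group, and the organization as a whole have used before, and only the unprecedented connection is interrupted so the server keeps serving. The flow history, the scope names and the allow/alert/block thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow history: (device, peer_group, destination, port, external?).
# Addresses are reserved documentation ranges, not real infrastructure.
HISTORY = [
    ("web-01", "web", "203.0.113.5", 443, True),
    ("web-01", "web", "10.0.0.20", 5432, False),
    ("web-02", "web", "203.0.113.5", 443, True),
    ("web-02", "web", "203.0.113.9", 80, True),
    ("ws-07", "workstations", "198.51.100.3", 443, True),
    ("ws-07", "workstations", "10.0.0.5", 88, False),  # Kerberos to an internal DC
]


def build_baselines(history):
    """Learn which (port, external?) pairs each device, each peer group and the
    whole organization have used; no signatures or pre-defined rules involved."""
    per_device, per_group, org = defaultdict(set), defaultdict(set), set()
    for device, group, _dst, port, external in history:
        key = (port, external)
        per_device[device].add(key)
        per_group[group].add(key)
        org.add(key)
    return per_device, per_group, org


def unseen_scopes(event, baselines):
    """Names of the scopes for which this connection pattern is unprecedented."""
    device, group, _dst, port, external = event
    per_device, per_group, org = baselines
    key = (port, external)
    scopes = (("device", per_device[device]), ("peer group", per_group[group]), ("organization", org))
    return [name for name, seen in scopes if key not in seen]


def respond(event, baselines):
    """Targeted action: only the anomalous connection is interrupted, the host keeps
    serving. The thresholds are an assumption, not a vendor's policy."""
    unseen = unseen_scopes(event, baselines)
    if len(unseen) == 3:
        return "block-connection"  # unusual for device, peer group and org alike
    if unseen:
        return "alert"
    return "allow"


# Constructed event mirroring the case: port 88 to an external host from a web server.
print(respond(("web-01", "web", "198.51.100.77", 88, True), build_baselines(HISTORY)))  # block-connection
```

Port 88 is ordinary for the workstation talking Kerberos to an internal controller, which is why the baseline keys on the external flag as well as the port.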
20. CASE STUDY 2: Account Takeovers
• Attackers continue to capitalize on organizations’ widespread adoption of cloud applications such as Microsoft Teams, SharePoint & Zoom.
• Account credentials can be obtained via brute-forcing methods, phishing attacks, exchanges on the Dark Web, or by exploiting password reuse between personal & corporate accounts.
Real-World Case Study: Business Email Compromise leads to fraudulent payment request
• The attacker then logged into their account & sent out over 30 emails to the employee’s colleagues, repeating the approach & hoping to gain new victims.
• They also sent a request to the accounts department to pay an overdue invoice for $78,000 – copying a legitimate invoice but changing the bank details.
Figure 2: Antigena Email detects anomalous emails from the compromised account. The red hold icon indicates that these were held back from the recipient.
21. CASE STUDY 3: Out-of-Hours Attacks
• Increase in attacks striking at nights, weekends & holidays, with 76% of ransomware attacks conducted outside of normal business hours.
Real-World Case Study: Autonomous Response stops an REvil July 4th Attack
• In 2021, as the US prepared for the July 4th holiday weekend, the ransomware group REvil leveraged a vulnerability in Kaseya software to attack over 1,500 companies.
Figure 3: Darktrace detects encryption from the infected device & takes action with Autonomous Response.
22. CASE STUDY 4: Lower Barrier to Entry for Cyber Criminals
• The barrier to entry for cyber-crime is at an all-time low. There are now numerous tutorials, affiliate schemes, & Ransomware as a Service (RaaS) models that allow unskilled attackers to access & deploy sophisticated tools & methods.
Real-World Case Study: AI neutralizes Hafnium copycat attacks
• In 2021, the advanced cyber espionage group Hafnium used a ProxyLogon vulnerability to target Microsoft Exchange Servers.
• After being publicly disclosed, however, the vulnerability was rapidly exploited by numerous other threat actors.
• This new wave of attacks came from amateur attackers for whom Threat Intelligence did not yet exist, & so these ‘copycat’ intrusions regularly circumvented rule- & signature-based security solutions.
Figure 4: Autonomous Response takes action in one of Darktrace’s customer environments, neutralizing a Hafnium copycat attack
23. CASE STUDY 5: New Approaches to Ransomware
• Ransomware attacks expand beyond encryption
• Smaller businesses make easier targets
• Fighting Ransomware with Autonomous Response
Real-World Case Study: Autonomous Response Stops Advanced Ransomware
• Darktrace was deployed in a pre-infected public sector organization, where it soon detected malicious lateral movement indicative of a Trickbot attack.
• The malware spread to 280 devices, 160 of which began to download disguised executable files likely containing Ryuk ransomware.
• Autonomous Response was initially being trialed in active mode, but at this stage, the organization switched it to autonomous mode to help contain the attack.
Figure 5: Cyber AI Analyst identifies a device attempting to spread a malicious payload using SMBv1