
    Investigation of Malware and Forensic Tools on Internet

    Malware is an application that is harmful to your forensic information. Basically, malware analysis is the process of analysing the behaviours of malicious code and then creating signatures to detect and defend against it. Malware, such as Trojan horses, worms and spyware, severely threatens forensic security. This research observed that although malware and its variants may vary a lot in content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of the malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.

    Challenges faced when forcing malware execution down hidden paths

    Dynamic Malware Analysis involves the observation of a malware sample at runtime, usually inside a sandbox, whereby probes are used to detect the different actions performed by the malware in order to categorize its behaviour. However, Dynamic Analysis is limited in that it can only observe a single run of the malware at a time, and there is no way of telling whether that run demonstrated the complete set of behaviours contained in the malware. Malware authors increasingly exploit this drawback, as hidden and trigger-based behaviours have become more widespread. peer-reviewe

    Analysis of Remote Access Trojan Malware Detection Using Behaviour-Based Dynamic Malware Analysis Detection Tools

    As technology develops, the opportunity for cybercrime through malware attacks grows as well. Malicious software (malware) is harmful software deliberately designed to run a foreign payload that harms or damages a victim's system without their knowledge. With the many categories of malware in circulation, every system is vulnerable to malware attacks. One of the most dangerous categories of malware is the Remote Access Trojan (RAT), which can take complete control of a system to steal personal information, delete files, modify files, disrupt the user's work, and install malware or backdoors on the system. This is evidenced by the 557 RAT malware attacks that occurred or were detected between 1 September 2017 and 31 August 2018 at several organisations or individuals in the United Kingdom. Therefore, behaviour-based malware analysis is needed to identify and analyse the unique malware behaviour of RAT malware, in the form of the Windows API and Registry it uses. This research uses 3 of the 10 RAT malware samples obtained, namely DarkComet-RAT, njRAT and QuasarRAT, to test and analyse their malware behaviour. The malware behaviour analysed consists of the Windows API and Windows Registry activity when the RAT malware is initiated and when it executes Keylogger, File Transfer and Remote Desktop, observed using behaviour-based dynamic malware analysis detection tools. This research also compares the initiation behaviour of remote access software, namely AeroAdmin, with that of RAT malware to identify the differences in the Windows API and Windows Registry used.
The malware behaviour results obtained show that RAT malware uses Windows API and Registry entries related to RPC and OLE to establish a connection with the targeted system, and then uses Windows API and Windows Registry entries related to Keyboard Input, Data Access and Storage, and Graphics and Gaming when several features are executed. RAT malware does not validate any of the activities it performs, and every RAT malware feature can be run manually by its attacker. Keywords: malware, malware rat, malware analysis, dynamic malware analysis, malware behaviour

    Mobile Malware Behaviour through Opcode Analysis

    As the popularity of mobile devices is on the rise, millions of users are now exposed to mobile malware threats. Malware is known for its ability to cause damage to mobile devices. Attackers often use it as a way to use the resources available and for other cybercriminal benefits such as stealing users' data, credentials and credit card numbers. Various detection techniques have been introduced to mitigate mobile malware, yet malware authors have their own methods to overcome the detection method. This paper presents mobile malware analysis approaches through opcode analysis. Opcode analysis on mobile malware reveals the behaviour of a malicious application at the binary level. The comparison made between the numbers of opcode occurrences in a malicious application and a benign one shows significant traits. These differences can be used in classifying malicious and benign mobile applications.

    ANANAS - A Framework For Analyzing Android Applications

    Android is an open software platform for mobile devices with a large market share in the smartphone sector. The openness of the system as well as its wide adoption leads to an increasing amount of malware developed for this platform. ANANAS is an expandable and modular framework for analyzing Android applications. It takes care of common needs for dynamic malware analysis and provides an interface for the development of plugins. Adaptability and expandability have been the main design goals during the development process. An abstraction layer for simple user interaction and phone event simulation is also part of the framework. It allows an analyst to script the required user simulation or phone events on demand or to adjust the simulation to their needs. Six plugins have been developed for ANANAS. They represent well-known techniques for malware analysis, such as system call hooking and network traffic analysis. The focus clearly lies on dynamic analysis, as five of the six plugins are dynamic analysis methods. Comment: Paper accepted at First Int. Workshop on Emerging Cyberthreats and Countermeasures ECTCM 201

    Deep learning guided Android malware and anomaly detection

    In the past decade, cyber-crime related to mobile devices has increased. Mobile devices, especially the ones running the Android operating system, are particularly interesting to malware creators, as users often keep the largest amount of personal information on their mobile devices, such as their contacts, social media profiles, emails, and bank accounts. Both dynamic and static malware analysis are necessary to prevent and detect malware, as both techniques have their benefits and shortcomings. In this paper, we propose a deep learning technique that relies on LSTM and encoder-decoder neural network architectures for dynamic malware analysis based on CPU, memory and battery usage. The proposed system is able to detect and notify users about anomalies in the system that are a likely consequence of malware behaviour. The method was implemented as a part of the OWASP Seraphimdroid anti-malware mechanism and notifies users about anomalies on their devices. The method proved to perform with an F1-score of 79.2%. Comment: First (draft) version of the pape