
    Creating a Malware Analysis Lab and Basic Malware Analysis

    In tying together information learned in the Information Assurance program at Iowa State, this paper goes over an introduction to malware, basic malware analysis, and setting up a manual malware analysis lab. Malware is malicious software that causes harm. The average malware will have 125 lines of code. Generally, malware consists of 3 components: a concealer, a replicator, and a bomb. Malware is classified based on its nature and functionality. The 3 most common we see are viruses, worms, and Trojans. Malware generally falls into two categories based on its target: mass malware and targeted malware. Four general stages of malware analysis are manual code reversing, interactive behavior analysis, static properties analysis, and automated analysis. The paper goes over basic static and basic dynamic analysis. It briefly touches on advanced static and advanced dynamic analysis to cover 3 of the stages above. Sandboxes are covered and Cuckoo is talked about to cover automated analysis. Setting up a malware analysis lab is talked about, as a physical lab or a virtual lab can be set up. Steps are given to use VMWare Workstation Pro to set up a manual malware analysis lab, getting a Microsoft Windows virtual machine, and installing Fireeye’s flare-vm on it. In closing, some work that can be expanded on and done in the future is discussed.

    A Quantum Algorithm To Locate Unknown Hashes For Known N-Grams Within A Large Malware Corpus

    Quantum computing has evolved quickly in recent years and is showing significant benefits in a variety of fields. Malware analysis is one of those fields that could also take advantage of quantum computing. The combination of software used to locate the most frequent hashes and $n$-grams between benign and malicious software (KiloGram) and a quantum search algorithm could be beneficial, by loading the table of hashes and $n$-grams into a quantum computer, and thereby speeding up the process of mapping $n$-grams to their hashes. The first phase will be to use KiloGram to find the top-$k$ hashes and $n$-grams for a large malware corpus. From here, the resulting hash table is then loaded into a quantum machine. A quantum search algorithm is then used to search among every permutation of the entangled key and value pairs to find the desired hash value. This prevents one from having to re-compute hashes for a set of $n$-grams, which can take on average $O(MN)$ time, whereas the quantum algorithm could take $O(\sqrt{N})$ in the number of table lookups to find the desired hash values.

    Comment: IEEE Quantum Week 2020 Conferenc

    Security source code analysis of applications in Android OS

    It is a known fact that Android mobile phones' security has room for improvement. Many malicious app developers have targeted Android mobile phones, mainly because Android as an open operating system provides great flexibility to developers and there are many Android phones which do not have the latest security updates. With the Marshmallow update in Android, applications request permission only during runtime, but not all users have this update. This is important because user permission is required to perform certain actions. The permissions may be irrelevant to the features provided by an application. The purpose of this research is to investigate the use and security risk of seemingly irrelevant permissions in applications available from the Google store. Two different applications which seem to ask for irrelevant permissions during installation were selected from the Google store. To test these applications, static analysis, dynamic analysis and reverse engineering tools were used. Findings show potentially malicious behavior, demonstrating that downloading apps from the Google Play store does not guarantee security.

    On the Reverse Engineering of the Citadel Botnet

    Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.

    Comment: 10 pages, 17 figures. This is an updated / edited version of a paper that appeared in FPS 201