The goals of this assignment are to get familiar with Malware, Malware Analysis, and Malware Detection.
Create and Use a new Branch
We will create a new git branch called hw9 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.
Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you made when you turned in homework 8. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw9. Review the section on submission for using push with a new branch.
README.md for Answers
You will modify the README.md file in your repo to contain the answers to this homework.
Question 1. (10 pts) Malware
(a) CyBOK Malware Dimensions
Read section 1 of Malware & Attack Technologies. What are the “six dimensions” of Malware that they discuss?
(b) Malware Analysis Techniques
What are the two main categories of malware analysis? Which is potentially more dangerous?
(c) Malware Analysis
Review Malware Analysis 101 and answer the following questions:
- What is an obfuscated program?
- What is a packed program?
- What is the PE file format used for?
- Why do we care about “linked libraries” that malware uses?
Question 2. (15 pts) Malware Case Study
Read the article A Deep Dive into Lokibot Infection Chain from January 2021 and answer the following questions.
(a) What is the malicious goal of Lokibot?
(b) What is the prime attack vector, i.e., how does it first get into a system?
(c) What language do the current targets speak?
(d) What techniques does the Malware use to hide itself?
(e) What is a dropper?
(f) What is UAC and why is Lokibot trying to bypass it?
Question 3. (10 pts) Testing AntiVirus Software
Go to the Anti Malware Testing Standards Organization (AMTSO) security features check and run the following tests and report how your system did.
(a) Detects Manually Downloaded Malware
(b) Detects drive-by downloads of malware
(c) Detects compressed malware
(d) Enhanced Security
If your system did not automatically detect all these threats what safeguards could you take to enhance your security?
Question 4. (15 pts)
In this question we are going to get hands-on with YARA. You will need to install the simple YARA command on your system per the instructions. Note: you do not need to build it. The YARA Zip with executables for Windows was around 2MB, i.e., pretty small.
We are going to use YARA to detect some file formats from their contents and not their file extension. See the page File signatures for information on many file types.
(a) Detect JPEG files
Write a YARA rule to detect JPEG files. Show that rule here.
(b) Detect PNG files
Write a YARA rule to detect PNG files. Show that rule here.
(c) Detect Zip files
Many email systems prevent the sending of Zip files so users give the file a different extension. Write a YARA rule to detect Zip files. Show that rule here.
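To show the shape of a content-based YARA rule before you write your own, here is an added example (not part of the assignment, and deliberately for two formats that are not asked for above: GIF and PDF). It matches on the file signature at offset 0 rather than on the file extension; the rule names and the meta fields are my own choices, and the signature bytes are the standard ones listed on the File signatures page.

```yara
// Added example rules: identify a file by its leading bytes ("magic"),
// ignoring whatever extension the file happens to carry.

rule GIF_Image
{
    meta:
        description = "GIF image detected by its file signature"
        reference   = "File signatures page: GIF87a / GIF89a"
    strings:
        // Both GIF variants, written as hex so the bytes are explicit.
        $gif87a = { 47 49 46 38 37 61 }   // "GIF87a"
        $gif89a = { 47 49 46 38 39 61 }   // "GIF89a"
    condition:
        // "at 0" anchors the match to the very start of the file;
        // without it the rule would also fire on a GIF embedded
        // somewhere inside another file.
        ($gif87a at 0) or ($gif89a at 0)
}

rule PDF_Document
{
    meta:
        description = "PDF document detected by its %PDF- header"
    strings:
        // Text signatures can be written as plain strings instead of hex.
        $pdf = "%PDF-"
    condition:
        $pdf at 0
}
```

Save the rules as, e.g., filetypes.yar and run yara -r filetypes.yar <directory> to scan a directory tree; each line of output is a rule name followed by the path of the file it matched. Adding -s also prints the matched string and its offset, which is a quick way to confirm the signature really sits at offset 0. The assignment's JPEG, PNG and Zip rules follow the same pattern with those formats' own signatures.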