Wähle die Ordner aus, zu welchen Du "Bangeter 04-malware_identification_v50.pdf" hinzufügen oder entfernen möchtest
Why is malware identification important?
How can malware identification help us in our analysis of the malware?
What is an IOC (Indicator of Compromise)?
An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks, malware samples / families.
IOCs can be used for detection and identification purposes.
Name some host based IOCs (Indicator of Compromise)
Host based IOCs
Name some network based IOCs.
Network based IOCs
What is Yara?
Yara is a language to check for IOCs
How difficult is it for an attacker to change the IOCs of following components:
What is an advantage of yarea rules and for what purposes can they be used?
In contrast to AV engine rules, Yara rules can be written and shared by anybody, which allows security teams to act independently of vendors.
Yara rules ca be used in different places of an organiyation's detection / security technologies:
Why does the manual malware analysis not scale well, what can be doen?
Malware analysis can be very time consuming and expensive. Shortage of skilled analysts and an abundant number of malware samples does not scale well
Solution: Analysis automation
AV vendors and threat intelligence companies automatically process and analyze feeds of 100'000s of malware samples per day to generate, better av signatures IOCs or threat intelligence.
What are malware sandboxes and what are they used for?
Malware sandboxes automate malware (binaries, documents, URLs) analysis, and typically allow to quickly:
Malsware sandboxes are dynamic analysis systems:
How can dynamic analysis techniques be defeated by malware (Anti analysis)
what is the differnce of PE files on disk vs. in memory, and what are the implications of that?
In general it is impossible to recontruct the original PE file from memory since some modifications cannot be undone:
Don't expect the recovered PE files to be runnable
Recovered PE files are sufficent for analysis with IDA Pro or to upload to Virustotal.
Malware sometimes modifies /destructs the PE header in memory to make reconstruction hard/impossible
PE files in memory contains more information than PE files on disk:
What is packing and why is it done by malware?
Packing is an ovfuscation technique used by malware, with two goals:
How can you unpack malware?
To unpack malware it is often sufficient to dump memory of the unpacked process, recieving memory injections.
What volatility commands can be used for memory extraction?
General limitation: Memory that is paged out cannot be dumped, which can result in corruption when dumping PE files
What can virustotal be used for?
we can upload dll and executables that we extracted with dlldump and procdump to malfind for automatic analysis.
Why is it important to extract and analyze strings from processes / binaries?
The dumped strings may contain:
In some cases, the strings may be sufficient to identify a sample, or at least to develop a first understanding of a samples capabilities.
How can strings be extracted from processes and binaries?
Simply run strings on dumped (and unpacked) process memory, DLLs ,etc..
Under linux two invocations of strings needs to be made for ASCII and unicode strings
strings -el memory.bin
Lernen bei den Erfolgreichsten
Das Angebot von PostFinance zum Umgang mit Geld
9. Schuljahr - 10. Schuljahr - Handelsschule/KV