Malware Analysis Plan - Research Paper Example

Table of Content: Introduction Keywords…………………………………………………………………….: Spy wares and antivirus applications…………………………………………: Analysis based assessment…………………………………………………….: Malware type…………………………………………………………………: Creating an understanding…………………………………………………….: Creating a virtualization software…………………………………………….: Laboratory System Procedure………………………………………………..: Behavioral Analysis Based tools and techniques…………………………….: Other techniques………………………………………………………………….: Coding based techniques…………………………………………………………: Online malicious content detectors………………………………………..: No Obfuscation enabled techniques…………………………………………….: Reverse Engineering Technique…………………………………………………: Model checking techniques………………………………………………………….: Other commercial checking techniques…………………………………………………: PE View………………………………………………………………………….: Policies and procedures……………………………………………………………..: Patch Option……………………………………………………………: Conclusion……………………………………………………….: References………………………………………………………….: Introduction: Malware constitute all those malicious content that harms the overall network, or back end system across the digital medium of internet or computer. The malware is a designated computer program in its own created for the sole purpose of negatively impacting the program, network, system, firewall, or other security encrypted sources. As a result of the attacks of malware, large amount of losses are incurred every year. In order to overcome the challenge and threat of malware various techniques, tools, programs, applications, security based measures and other knowledge based techniques are used that enable overcoming the challenges of malware. This paper looks into the possible methods, techniques, skills, and knowledge through which the malware are handled and computing experiences are made safe. Keywords: Malware, program, domain based attacks, tools and techniques, policies, analysis. Spy wares and antivirus applications: Malware handling comes in a set of procedures, methods and techniques. The following are few of the commonly engaged methods, steps and procedures through which the malware menace is handled. Virus detecting software and malware scanners are few of the commonly used applications. However they have been found to be relatively ineffective with regard to overcome the large scaled threats and problems that may be faced by the operating systems and domains at large in the global e governance and business environments. For this purpose, various tools and techniques are used that allow for a more comprehensive approach towards overcoming the menace of malware and making the global digital operations more effective and less insecure. Analysis based assessment: As a general rule, before undertaking the challenge of overcoming the malware, it is important to know the nature and the particular area and domain in which the malware may have damaged the operating system, program or any particular part of the system. This enables knowing how to go about afterwards with the desired step. Malware types: Malwares may show up in various forms. Ranging from internal bug that repeatedly shows on the computing desktop screen to the invisible ones that only slow down the computers to the others that would simply restart the computers to the serious ones in the form of Trojan horses, spam, bots, logic bomb, back door to root kit to many more similar applications based program. Creating an understanding: Before operating along any given set of lines, it is highly necessary to understand the nature and the operational function of a given task. This is done so through the inducting and appointment of the right people at the right place within the organization in general. The personnel employed must be aware of the nature of work they pull off and they should have the basic understanding of the types of threats and challenges that come about in the form of malware in the digital domain. While understanding creation is a continuous process, the overall process of malware handling can be divided into the following sections: Pre incident phase based activity Incident phase based activity Post incident phase based activity Establishing the intelligence, developing internal tools, techniques and software that may generate alarm, and working and establishing a Research and Development based department within the organization serves as few of the basic elementary steps that are necessary to be taken into account while handling the overall scenario of malware in the modern digital world. Building upon functions such as assembler, virtualization based applications, de bugging applications and encrypted tools along with other concepts and practical methods execution makes up for the overall concepts and necessary steps that need to be taken with regard to the malware handling and malware threat mitigation. Creating a virtualization software: This process serves as a laboratory test. In this particular method the potential damaged file along with the extension files and extra content are shifted over to investigate against their nature and determine their actual capacity. Commercially available virtual software can solve this problem and enable reaching to the core purpose of identifying the malware that infects the system. The commonly available and largely used virtual software for this purpose include VM Ware V Sphere hyper Visor and Virtual Box. Each allows for a virtual operating system like atmosphere creation within the physical operating system and makes it easy identifying the malignant content from the original data on the operating system. Laboratory system procedure: The laboratory specified for the purpose of virtualization and malware detection need to have a specific environment along with the individuals and experts who have the ability to separate the potentially affected file or component of the operating system. Using a firewall is taken for a safe step in the initial phases which enables separating the overall traffic and data from the potentially damaged component of the operating system. Usage of removable data is another option in this regard which can be done so through a U.S. B flash drive or a portable hard disk. Behavioral Analysis Based tools and techniques: The behavior analysis consists of observing number of steps that are part of the routine activity of an operating system. These may come in the form of network monitoring and data analysis techniques. The network analysis enables indentifying the various methods and patterns such as the overall traffic of the network, the requests being sent, the potential spamming threat, and the I.P addresses identification. It also looks into the D.N.S requests and traffic monitoring as a whole. Commercially available network analysis based tools include Wire shark which allows monitoring the network traffic and allowing to show an alarm if incase any uneven activity is detected, it enables notifying the user against any such activity (Yin & Song, 2012,p. 27). Process monitoring is another behavior observation based method to detect the malware. Commonly there were built in applications in the operating systems that were used for this purpose with aims of overcoming the malware, but due to the fast changing nature of the malware and the advancements as a whole, new customized process monitoring applications are available. These include Process hacker to name one. Other techniques: Code Analysis based techniques: The code analysis based technique is commonly used in the situations where the behavioral analysis based techniques may not be as useful as need be. It enables dealing with the source code which in turn enables overcoming the malware format patterned programs. Commercially available code analysis based applications are commonly used for this purpose. Few of these are OllyDbg and Pro freeware software based applications to name a few. These applications work along with the patterns that may be collected from the lab in the initial phases of malware detection and tools assessment techniques. This particular method finds its applications in scenarios where the run time testing and potential detection of malware is checked on the remote memory files on the operating system (Swimmer, 2005,p. 86). Online malicious content detectors: Apart from the domestic users or the end users, the online websites can fall victim to the malware. There are number of techniques through which the websites can protected and checked for any potential presence of any malware. This comes along in the form of various websites specially created for detecting any particular website or database that may serve to damage other online applications. They detect and verify the URLs in order to assess if there is any malicious content present in the given website or any other part of the website may have been damaged by the infiltration of the malware. The common websites that are present in this regard include the likes of threatexpert.com. It is given with the option of entering the URL which checks it for potential presence of any malware. No Obfuscation enabled techniques: This is another commonly applied method towards resolving the overall menace of malware. This includes set of steps and procedures which are driven along the lines of going against the conventional techniques and they do not target through a distorted program file creation. The sole purpose of such a virus and malware is to remain under the radar against the commonly used methods and techniques. These techniques may include the sample test, the behavioral analysis, the encryption techniques and various other commonly used methods. Tunneling is another method through which the malware is aimed at staying under the radar and avoiding any detection against potential anti malware application installed. They may even code the malware in a method that is not easily detectable and would go unnoticed unless decoded. Oligomorphism and Polymorphism are two other commonly based methods of malware attack in which the particular malware and virus create a specific patterned signature through the incorporation of designated routines. Similarly the polymorphism based virus techniques include the methods of alias and changing the nature and appearance of the malicious content (Moser & Kruegel, 2007). This enables overcoming the obstacle against the possible database identification based system which may obstruct the virus based on the previous entry identification. Source: Threatexpert.com Reverse engineering technique: other commercially advisable and practiced methods of detecting and doing away with the malware includes the reverse engineering method. In this particular method, the reverse steps are taken with regard to assessing the particular point where the malware may have entered the network and may have damaged the file, network or the operating system. This consists of the number of steps that are aforementioned by these steps are taken in a proper manner starting from the basic. The following are few of the methods and steps undertaken in this regard which enable overcoming the malware within the system. These include: Laboratory establishment Isolation of the particular drive, domain, file, or program that is suspected for presence of any kind of malware Undergoing the behavioral method Further, assessing the drives and target areas through the coding techniques Undergoing the static code analysis determination Recurring processes in a cycle in order to assess the performance and ensure that no area is left unchecked in the entire process of detecting the malware. Model checking techniques: Model checking technique is another effective and most commonly used technique for the purpose of overcoming the malware. Android operating systems, both in the desktop utility function and the handheld devices find the usage of model checking technique with regard to overcoming the threat of malware (Song & Touili, 2006). Within the model checking concept, the Push Down system phenomena is a more comprehensive method. This method has been incorporated commercially at large scale owing to the global threats that are faced in the routine environments. The Push down System looks through the stack and investigates the elements and variables within enabling a more comprehensive study and assessment of the system. The incorporation of different technical methods such as the Finite State graph is another method used within this model checking technique. The Push Down system feature enables the system to be on guard and return any query if made against any notification or alarm that may go off against the potential detection of malware within the system. Over the period of time numbers of advancements and developments have been made within the model checking techniques. One of these include the SCTPL which checks against any uneven or unnoticed activity which may come about to identify any malware within the system (Song & Touili, 2006). Other various commercially available applications: PE view: PE View is a commercial success with regard to the malware detection. They work along one particular line by detecting and aiming to identify the Portable and Executable Files ( also expressed as P.E in short). This particular executable file gives information about the address table, the name pointer, export directory and various other important parts of a file and directory within the network which allows protecting and possibly resolving the threat of any malware that may be operational within the network as a whole. Policies and procedures: The policies and procedures would constitute set of actions and activities through which the overall assessment and understanding of the scenario and malware attacks can be comprehended. The policies include strict measures such as zero tolerance towards malware handling and ensuring that it is eradicated straight away. This also includes the fact that the employees and individuals who operate the machines and grant access must have the common understanding and must not ignore the messages, lessons, training and guidelines provided to them with regard to the safe operations handling. The following steps may be taken in this regard. Preparation in form of ever readiness Identification of the case at hand and potential malware threat Containing the area which is also explained above in the form of analysis and isolating the particular file, domain name, part of operating system that is suspected of any potential malware presence. Once the malware is contained, the next step would include the elimination of the contaminated file or part of system that is vulnerable to the external threats. Source: ( Hardikar, 2008) Identification process: Apart from the various tools and techniques usage, the identification process is an integral part to the overall process of malware handling. The identification comes along in the form of Classification and identification based on memory Classification and identification based on the address Policy statement should be made part of the overall organizational objectives. The information technology and web applications based department should have these points on their finger prints in order to ensure that the overall processes are performed smoothly without any negligence as such. Broad line policy based measures include the following steps and procedures: Defining the rules and regulations with regard to how to address and assess the policies relevant to the interaction with the outside world and trusting their content. Ensuring that the .exe files, the executable files do not get sent via email or must be ensured that they are not downloaded from any source without proper authentication at first. Ensure that the administrative usage is limited to the restricted members and that the administrator users accounts are sufficiently protected against any kind of security breach. Firewalls should be updated and advanced enough at the same time to allow for detecting the kind of viruses and malwares that may come in a disguised form and some of the disguised methods are defined above in the literature part of the paper as well. Finally, a general awareness creating campaign, informing the employees about the benefits of the safe operations and how the insecure and causal activities lead to damaging the overall systems and machines as a whole. The general awareness can be imparted through formal and informal means of engagement within the organizational operational routines. Patch options: Many operating systems come along with the various patches of same operating systems. These versions enable overcoming the possible loopholes that may have been left in the previous versions, thereby making the newer ones more secure. Conclusion: Malware handling constitutes set of hardcore steps as well the basic understanding of computing technology and prevention based measures. All these if applied in set of pattern would enable making the global world of digital communications far more secure than it is today. References: Hardikar, A. (2008). Malware 101 - Viruses. SANS INstitute Moser, A., & Kruegel, C. (2007). Limits of Static Analysis for Malware Detection. IEEE Song, F., & Touili, T. (2006). LTL Model-Checking for Malware Detection. Univ. Paris Swimmer, M. G. (2005). Malware Intrusion Detection. Lulu.com Yin, H., & Song, D. (2012). Automatic Malware Analysis: An Emulator Based Approach. Springer Science & Business Media Read More