2017 | OriginalPaper | Chapter

7. Malware Forensics

Author: Prof. Dr. rer. nat. Christian Hummert

Published in: Forensik in der digitalen Welt

Publisher: Springer Berlin Heidelberg

Abstract

Offences in the field of computer crime pose a growing challenge to our society, and malicious software plays a prominent role in them. This includes in particular phishing trojans aimed at online banking, but also digital extortion by so-called ransomware. The forensic examination of malware is central to investigating such offences. This chapter classifies the various forms of malicious programs and gives a practical introduction to malware analysis. It describes strategies for capturing the communication of malware as well as content analysis and code analysis. Anti-forensic strategies are discussed, and a guideline for conducting the examination is presented.
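The abstract mentions strategies for capturing the communication of malware without showing them, since the chapter body is not on this page. The following is an added example, not the chapter's own code, of one widely used approach: a fake DNS resolver in an isolated analysis network that answers every A query with the analyst's capture host, so that the sample's command-and-control traffic is redirected to a machine where it can be recorded. The sinkhole address `10.0.0.1`, the query name and the function names are assumptions for the illustration; the wire format follows RFC 1035.

```python
import socket
import struct

# Assumed: the analyst's capture host. Every name the sample resolves is pointed
# here, so its C2 traffic ends up at a machine under the analyst's control.
SINKHOLE_IP = "10.0.0.1"


def build_query(name, txid=0x1234):
    """Build a minimal single-question DNS A query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(packet, pos):
    """Decode a domain name at pos; returns (name, position after the name).
    Handles RFC 1035 compression pointers with a jump limit to stop pointer loops."""
    labels, jumped_end, jumps = [], None, 0
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        if (n & 0xC0) == 0xC0:  # compression pointer
            if pos + 2 > len(packet):
                raise ValueError("truncated pointer")
            jumps += 1
            if jumps > 5:
                raise ValueError("pointer loop")
            if jumped_end is None:
                jumped_end = pos + 2
            pos = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            break
        if pos + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels), (jumped_end if jumped_end is not None else pos)


def parse_query(packet):
    """Return (txid, qname, qtype, offset just past the question section)."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = _read_name(packet, 12)
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        raise ValueError("only class IN is supported")
    return txid, qname, qtype, pos + 4


def build_sinkhole_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer any A query with answer_ip; other record types get an empty NOERROR reply,
    so the sample falls back to IPv4 instead of seeing a hard failure."""
    txid, qname, qtype, qend = parse_query(query)
    answers = b""
    if qtype == 1:  # A record: name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)  # QR, RD, RA
    return header + query[12:qend] + answers


def answer_ips(response):
    """Extract every A-record address from a response (what the client will connect to)."""
    _, _, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(response, pos)
        pos += 4
    ips = []
    for _ in range(ancount):
        _, pos = _read_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return ips


def serve(bind="0.0.0.0", port=53):
    """Run the fake resolver; the analysis VM's DNS setting must point at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp = build_sinkhole_response(data)
            _, qname, qtype, _ = parse_query(data)
        except ValueError as exc:
            print(f"{peer[0]}: ignored malformed packet ({exc})")
            continue
        print(f"{peer[0]} asked for {qname} (type {qtype}) -> {SINKHOLE_IP}")  # indicator log
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Run it on the capture host inside the isolated lab network and set the sample VM's resolver to that host; every name the sample looks up then appears in the log as an indicator, and its subsequent connections arrive at the capture host where they can be recorded with a packet capture tool. The resolver must never be reachable from a production network, since it deliberately lies about every name.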
Metadata

Title: Malware Forensics
Author: Prof. Dr. rer. nat. Christian Hummert
Copyright Year: 2017
Publisher: Springer Berlin Heidelberg
DOI: https://doi.org/10.1007/978-3-662-53801-2_7