CS671 Fall 2021 Homework 9

Malware

Dr. Greg M. Bernstein

Due Wednesday, November 3rd, 2021 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are to get familiar with Malware, Malware Analysis, and Malware Detection.

Create and Use a new Branch hw9

We will create a new git branch called hw9 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 8. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw9. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.

Questions

Question 1. (10 pts) Malware

(a) CyBOK Malware Dimensions

Read section 1 of Malware & Attack Technologies. What are the “six dimensions” of Malware that they discuss?

(b) Malware Analysis Techniques

What are the two main categories of malware analysis? Which is potential more dangerous?

(c) Malware Analysis

Review Malware Analysis 101 and answer the following questions:

  1. What is an obfuscated program?
  2. What is a packed program?
  3. What is the PE file format used for?
  4. Why do we care about “linked libraries” that malware uses?

Question 2. (15 pts) Malware Case Study

Read the A Deep Dive into Lokibot Infection Chain from January 2021 and answer the following questions.

(a) What is the malicious goal of Lokibot?

(b) What is the prime attack vector, i.e., how does it first get into a system?

(c) What language do the current targets speak?

(d) What techniques does the Malware use to hide itself?

(e) What is a dropper?

(f) What is UAC and why is Lokibot trying to bypass it?

Question 3 (10 pts) Testing AntiVirus Software

Go to the Anti Malware Testing Standards Organization (AMTSO) security features check and run the following tests and report how your system did.

(a) Detects Manually Downloaded Malware

(b) Detects drive-by downloads of malware

(c) Detects compressed malware

(d) Enhanced Security

If your system did not automatically detect all these threats what safeguards could you take to enhance your security?

Question 4. (15 pts)

In this question we are going to get hands on with YARA. You will need to install the simple YARA command on your system per the instructions. Note: you do not need to build it. The YARA Zip with executables for Windows was around 2MB, i.e., pretty small.

We are going to use YARA to detect some file formats from their contents and not their file extension. See the page File signatures for information on many file types.

(a) Detect JPEG files

Write a YARA rule to detect JPEG files. Show that rule here.

(b) Detect PNG files

Write a YARA rule to detect PNG files. Show that rule here.

(c) Detect Zip files

Many email systems prevent the sending of Zip files so users give the file a different extension. Write a YARA rule to detect Zip files. Show that rule here.