Malware Detection

Dr. Greg Bernstein

March 16th, 2021

Malware Detection


Indicators of Compromise (IOC) 1

Wikipedia: Indicator of Compromise

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Indicators of Compromise (IOC) 2

Wikipedia: Indicator of Compromise

Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IoCs have been identified via a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

IOC Example 1

From AlienVault: Ad blocker with miner included, IOCs – File Hashes and domains

IOCs from AlienVault Pulse

Cyber Observable Objects 1

Summarized from STIX Version 2.1

  • 6.1 Artifact Object: permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.

  • 6.2 Autonomous System (AS) Object

  • 6.3 Directory Object

  • 6.4 Domain Name Object

  • 6.5 Email Address Object

Cyber Observable Objects 2

Summarized from STIX Version 2.1

  • 6.6 Email Message Object
  • 6.7 File Object
  • 6.8 IPv4 Address
  • 6.9 IPv6 Address Object
  • 6.10 MAC Address Object

Cyber Observable Objects 3

Summarized from STIX Version 2.1

  • 6.11 Mutex Object

  • 6.12 Network Traffic Object: represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.

  • 6.13 Process Object

  • 6.14 Software Object

Cyber Observable Objects 4

Summarized from STIX Version 2.1

  • 6.15 URL Object
  • 6.16 User Account Object
  • 6.17 Windows™ Registry Key Object
  • 6.18 X.509 Certificate Object

IOC Example 2

From AlienVault: All That for a Coinminer?, IOCs – File Hashes, IP, and YARA rules

IOCs from AlienVault Pulse

Cyber Threat Intelligence (CTI)

From What is Cyber Threat Intelligence?

(Cyber) Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.

Uses for Cyber Threat Information

From STIX version 1 Whitepaper

Standardizing CTI: STIX

From Cyber Threat Intelligence

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX Architecture

From the STIX 1.0 white paper


Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner.

TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.

Example STIX Indicators

From AlienVault: Ad blocker with miner included, IOCs – File Hashes and domains

    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--9b3c4ff1-726d-4657-92b5-a7a2a3d147ff",
    "created": "2021-03-11T16:08:58.000Z",
    "modified": "2021-03-11T16:08:58.000Z",
    "name": "stack_string",
    "description": "SHA1 of 9e989ef2a8d4bc5ba1421143aad59a47\nSHA1 of 9e989ef2a8d4bc5ba1421143aad59a47",
    "pattern": "[file:hashes.'SHA-1' = '30e655842366700f7387e1dc2e7d9c2fbfda7fe0']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2021-03-11T16:08:58Z",
    "labels": [
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--285e6318-8fe3-422d-822c-bd5d11a93182",
    "created": "2021-03-11T16:08:58.000Z",
    "modified": "2021-03-11T16:08:58.000Z",
    "name": "",
    "description": "",
    "pattern": "[domain_name:value = '']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2021-03-11T16:08:58Z",
    "labels": [

Anti-Virus Software

Definition: Anti-Virus Software

From Wikipedia: Antivirus Software

Antivirus software, or anti-virus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats.

Signature Based Virus Detection

From Wikipedia:Signature Based Virus Detection

Traditional antivirus software relies heavily upon signatures to identify malware.

When malware arrives in the hands of an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems. Then, once it is determined to be a malware, a proper signature of the file is extracted and added to the signatures database of the antivirus software.

Open Source AV


“ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.”

ClamAV Features 1

From ClamAV Features

  • Command-line scanner
  • Milter interface for sendmail
  • Advanced database updater with support for scripted updates and digital signatures
  • Virus database updated multiple times per day
  • Built-in support for all standard mail file formats

ClamAV Features 2

From ClamAV Features

  • Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
  • Built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
  • Built-in support for popular document formats including MS Office and MacOffice files, HTML, Flash, RTF and PDF

Example Scan

greg@greg-desktop:~/Downloads$ sudo clamscan -v .
Scanning /home/greg/Downloads/
/home/greg/Downloads/ Win.Test.EICAR_HDB-1 FOUND
Scanning /home/greg/Downloads/gpg
/home/greg/Downloads/gpg: OK
Scanning /home/greg/Downloads/en_windows_7_professional_with_sp1_vl_build_x64_dvd_u_677791.iso
/home/greg/Downloads/en_windows_7_professional_with_sp1_vl_build_x64_dvd_u_677791.iso: OK
Scanning /home/greg/Downloads/digikam.pdf
/home/greg/Downloads/digikam.pdf: OK
Scanning /home/greg/Downloads/ubuntu-20.04-desktop-amd64.iso
/home/greg/Downloads/ubuntu-20.04-desktop-amd64.iso: OK
Scanning /home/greg/Downloads/kali-linux-2020.4-vbox-amd64.ova
/home/greg/Downloads/kali-linux-2020.4-vbox-amd64.ova: OK
Scanning /home/greg/Downloads/rsync.deb
/home/greg/Downloads/rsync.deb: OK
Scanning /home/greg/Downloads/digikam-5.3.0-01-x86-64.appimage
/home/greg/Downloads/digikam-5.3.0-01-x86-64.appimage: OK
Scanning /home/greg/Downloads/
/home/greg/Downloads/ Win.Trojan.Mimikatz-6466236-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8508298
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 13
Infected files: 2
Data scanned: 40.23 MB
Data read: 9524.38 MB (ratio 0.00:1)
Time: 21.028 sec (0 m 21 s)

Virus Signatures

  • Proprietary AV signature formats

  • Clam AV multiple types of signatures: Body-based Signature Content Format, Bytecode Signatures, Signatures based on container metadata, Extended signature format, File hash signatures, Logical signatures, PhishSigs

  • YARA rules: open source “The pattern matching swiss knife for malware researchers”


From YARA’s Documentation

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.

YARA Example 1 PE file

// Detect a Portable Executable file
rule is_PE_File
        $a = "MZ"
        $a and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550

Portable Executable Files

From Wikipedia: Portable Executable

The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), MUI and other file types.

PE File Layout

From Wikipedia: Portable Executable

PE file layout

YARA Example 2 Mimikatz

// Obtained from
import "pe"
rule mimikatz_1014 {   
   description = "exe - file mimikatz.exe"   
   author = "The DFIR Report"   
   reference = ""   
   date = "2021-01-18"   
   hash1 = "99d8d56435e780352a8362dd5cb3857949c6ff5585e81b287527cd6e52a092c1"   
   $x1 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide   
   $x2 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx user (%s)" fullword wide   
   $x3 = "ERROR kuhl_m_lsadump_lsa ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)" fullword wide   
   $x4 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO" fullword wide   
   $x5 = "ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_drsr_ProcessGetNCChangesReply" fullword wide   
   $x6 = "ERROR kuhl_m_lsadump_trust ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)" fullword wide   
   $x7 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO" fullword wide   
   $x8 = "ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)" fullword wide   
   $x9 = "ERROR kuhl_m_lsadump_netsync ; I_NetServerTrustPasswordsGet (0x%08x)" fullword wide   
   $x10 = "ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Da" wide   
   $x11 = "ERROR kuhl_m_kernel_processProtect ; Argument /process:program.exe or /pid:processid needed" fullword wide   
   $x12 = "ERROR kuhl_m_lsadump_getHash ; Unknow SAM_HASH revision (%hu)" fullword wide   
   $x13 = "ERROR kuhl_m_lsadump_sam ; kull_m_registry_RegOpenKeyEx (SAM) (0x%08x)" fullword wide   
   $x14 = "ERROR kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt ; Checksums don't match (C:0x%08x - R:0x%08x)" fullword wide   
   $x15 = "ERROR kuhl_m_lsadump_enumdomains_users ; /user or /rid is needed" fullword wide   
   $x16 = "ERROR kuhl_m_lsadump_changentlm ; Argument /oldpassword: or /oldntlm: is needed" fullword wide   
   $x17 = "livessp.dll" fullword wide /* reversed goodware string 'lld.pssevil' */   
   $x18 = "ERROR kuhl_m_lsadump_enumdomains_users ; SamLookupNamesInDomain: %08x" fullword wide   
   $x19 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide   
   $x20 = "ERROR kuhl_m_lsadump_getKeyFromGUID ; kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x" fullword wide   
   uint16(0) == 0x5a4d and filesize < 3000KB and   
   ( pe.imphash() == "a0444dc502edb626311492eb9abac8ec" or 1 of ($x*) )   

Testing AV Software 1

  • AMTSO is the Anti-Malware Testing Standards Organization "We create objective standards and best practices for testing of anti-malware and related products.

  • AV-Test “The AV-TEST GmbH is the independent research institute for IT security from Germany.”, “… the AV-TEST Institute regularly makes its latest tests and current research findings available to the public free of charge on its website.”

Principle 1: (AV) Testing must not endanger the public

From AMTSO: The Fundamental Principles of Testing

The public has the right to expect that the development and sale of anti‐malware products, the review of such products and publication of those reviews are all done, fundamentally, to protect them. Thus, the foremost principle of testing anti‐malware products is that neither the products nor the related testing should endanger the public.

Principle 1: (AV) Testing must not endanger the public (cont)

From AMTSO: The Fundamental Principles of Testing

In furtherance of this principle, testers must follow appropriate procedures to avoid accidental release of samples at all times. In addition, new malware must not be created for testing purposes.
// reveal.js plugins