Analyzing Malware Network Behavior

August 25, 2020 by Dimitar Kostadinov

Types of malware analysis

Malware analysis is the process of inspecting a sample to learn about its nature, functionality and purpose. One output of that work is a signature that can be added to a detection database to protect other users from the same sample. Purposes of malware analysis include:

Malware analysis can be "static" or "dynamic." Static analysis examines the sample without executing it (file headers, strings, imports, disassembly), while dynamic analysis runs it in a controlled environment and records what it does: opening network sockets, writing registry keys, dropping files to disk and so on. A debugger is often used during dynamic analysis to step through the sample and observe its API and function calls, which reveals its functionality.


Signature-based detection identifies malware that is already known. New versions or mutations of that malware are generally not recognized by signature-based methods.

That is a real problem: according to the Cisco 2017 Annual Cybersecurity Report, 95% of the malware files it analyzed had evolved within 24 hours or less. Advanced malware changes its signature to evade detection through transformation techniques such as code permutation, register renaming, expanding and shrinking code, and inserting garbage code; each transformation yields a new file hash and a new byte pattern while the behavior stays the same.

Behavior-based detection, on the other hand, analyzes the suspicious actions and activities associated with malware. Network behavior analysis solutions usually do not rely on signatures of known threats; instead, they watch for hosts that behave unusually. Examples of potentially harmful behavior are machine-to-machine scanning, the same credentials being used from multiple machines and locations, disabling antivirus, firewalls or other security controls, checking for a sandbox, installing rootkits and so on.

As one can see, network behavior can mean many things, but it almost always comes down to network activity that goes beyond what is normal for that host. Although this description is general, the behavior takes on more distinctive traits depending on the vulnerability exploited or the type of malware involved.

The good news is that this approach can cope with threats for which no signature exists yet, including zero-day attacks. Everything from spam and botnets to reconnaissance and zero-day exploitation can be brought to light, at the price of a learning period and a higher false-positive rate than signature matching.

Analyzing flow data or mirrored traffic from switches and routers lets you identify abnormal behavior of any kind. Behavior-based algorithms monitor, report on and identify threats by analyzing both host and application behavior.

How does this work in practice?

Network Behavior Anomaly Detection (NBAD), a component of many IDS suites, monitors an entire subnet at the network level. Before it can inspect traffic in real time, the NBAD must build a baseline of what is considered "normal" for each host. Once that norm exists, everything that deviates from it, whether unusual activities, events or trends, is an anomaly that should be treated with caution. One caveat: a baseline learned while a host is already compromised will include the attacker's traffic as "normal", so the learning window itself deserves a review.
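The baseline-then-deviate idea is easy to show in code. The following is an added example written for this article, not code from any NBAD product or from the original page: it learns a per-host mean and standard deviation for a few flow features from a constructed training window, then scores fresh observations by z-score. The host addresses, byte counts, feature set and the 3-sigma threshold are all assumptions made for illustration.

```python
"""Toy Network Behavior Anomaly Detection (NBAD): learn a per-host baseline
from past flow summaries, then flag observations that deviate from it."""
from statistics import mean, pstdev

# Constructed hourly flow summaries: (host, bytes_out, distinct_dst_ips, distinct_dst_ports).
# Made-up numbers for illustration, not captured traffic.
BASELINE_WINDOW = [
    ("10.0.0.5", 1_200_000, 14, 6), ("10.0.0.5", 1_050_000, 12, 5),
    ("10.0.0.5", 1_400_000, 15, 6), ("10.0.0.5", 980_000, 11, 5),
    ("10.0.0.5", 1_300_000, 13, 7), ("10.0.0.5", 1_100_000, 12, 6),
    ("10.0.0.9", 300_000, 4, 3), ("10.0.0.9", 280_000, 5, 3),
    ("10.0.0.9", 350_000, 4, 4), ("10.0.0.9", 310_000, 5, 3),
    ("10.0.0.9", 290_000, 4, 3), ("10.0.0.9", 330_000, 6, 4),
]

# Fresh observations: 10.0.0.5 behaves as usual, 10.0.0.9 suddenly touches
# hundreds of hosts and ports (worm-like scanning), 10.0.0.7 was never baselined.
NEW_OBSERVATIONS = [
    ("10.0.0.5", 1_250_000, 13, 6),
    ("10.0.0.9", 320_000, 250, 1_100),
    ("10.0.0.7", 50_000, 3, 2),
]

FEATURES = ("bytes_out", "distinct_dst_ips", "distinct_dst_ports")


def build_baseline(window):
    """Per-host (mean, population std-dev) for each feature over the training window."""
    per_host = {}
    for host, *values in window:
        per_host.setdefault(host, []).append(values)
    baseline = {}
    for host, rows in per_host.items():
        cols = list(zip(*rows))
        baseline[host] = {name: (mean(col), pstdev(col)) for name, col in zip(FEATURES, cols)}
    return baseline


def score(observation, baseline, threshold=3.0):
    """Return (verdict, per-feature z-scores). A host with no baseline is reported
    as 'unknown-host' rather than silently treated as normal."""
    host, *values = observation
    if host not in baseline:
        return "unknown-host", {}
    zs = {}
    for name, value in zip(FEATURES, values):
        mu, sigma = baseline[host][name]
        # Floor sigma so a perfectly flat baseline cannot divide by zero and
        # turn every tiny change into an alert (5% of the mean, or 1 unit).
        sigma = max(sigma, 0.05 * mu, 1.0)
        zs[name] = (value - mu) / sigma
    verdict = "anomaly" if any(abs(z) > threshold for z in zs.values()) else "normal"
    return verdict, zs


def run(window=BASELINE_WINDOW, observations=NEW_OBSERVATIONS):
    """Score every new observation against the learned baseline; returns host -> verdict."""
    baseline = build_baseline(window)
    return {obs[0]: score(obs, baseline)[0] for obs in observations}


if __name__ == "__main__":
    for host, verdict in run().items():
        print(f"{host}: {verdict}")
```

The scanning host is flagged on the distinct-destination features alone even though its byte volume is unremarkable, which is why NBAD baselines should cover more than bandwidth. The "unknown-host" verdict is deliberate: a device that was not present during baselining is itself something to investigate.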

Beacon-based analysis

Some security experts recommend beacon analysis as an indispensable technique for hunting malware on the network. In information security, "beaconing" means calling home at regular intervals. Most malware has one thing in common: sooner or later it needs to communicate with its operator.

Intermediary servers known as command-and-control (C&C) servers play that supporting role, giving attackers a communication path to the infected machine. The connection typically tries to blend in with normal traffic by using HTTP, HTTPS or DNS.

A compromised system periodically checks in with the C&C server for orders to execute. Most of the time there is nothing to do, so the check-in and the empty reply are the same size on every round. That regularity is revealing even when the content is encrypted or obfuscated, because ordinary interactive traffic produces sessions of widely varying size and timing, while a beacon produces near-identical sessions at near-identical intervals.

As a side note, Network Time Protocol (NTP) is the most common false positive, since a host syncing its clock looks exactly like a beacon. Such false positives can be managed: configure hosts to use a fixed set of known NTP servers, then put those servers (address and port) on an allow-list so that their regular traffic is suppressed while every other detected beacon is still reported. Keep the allow-list narrow; allowing all of UDP port 123 would let an implant hide by beaconing over that port.
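The following is an added example of the beacon-analysis logic described above, written for this article and not taken from any vendor tool or from the original page. It builds a constructed connection log (an implant polling its C&C every ~60 s with a fixed request size, the same host's irregular web browsing, and NTP sync to an internal server), then scores each (source, destination, port) pair on interval regularity and payload-size consistency, with an allow-list for the known time server. All addresses, sizes, seeds and thresholds are assumptions for illustration.

```python
"""Toy beacon analysis over a connection log: find (src, dst, port) pairs that call
out at regular intervals with near-constant sizes, and suppress known time servers
through an explicit allow-list."""
from collections import Counter
from statistics import mean, pstdev
import random


def _build_sample_log():
    """Constructed log, not a real capture. Records: (epoch_s, src, dst, dst_port, bytes_sent)."""
    rng = random.Random(7)  # fixed seed so the example is reproducible
    log = []
    t = 1_600_000_000.0
    # Implant on 10.0.0.23 polling its C2 every ~60 s (+/- 3 s jitter); the server
    # answers "nothing to do" each time, so the request size never changes.
    for _ in range(40):
        t += 60 + rng.uniform(-3, 3)
        log.append((t, "10.0.0.23", "203.0.113.10", 443, 312))
    # Same host's ordinary web browsing: irregular timing and sizes.
    t = 1_600_000_000.0
    for _ in range(40):
        t += rng.uniform(5, 600)
        log.append((t, "10.0.0.23", "198.51.100.80", 443, rng.randint(200, 60_000)))
    # Clock sync: NTP to an internal server every 64 s, 48-byte packets.
    t = 1_600_000_000.0
    for _ in range(40):
        t += 64
        log.append((t, "10.0.0.23", "10.0.0.123", 123, 48))
    return sorted(log)


SAMPLE_LOG = _build_sample_log()
NTP_ALLOWLIST = {("10.0.0.123", 123)}  # assumed: the organization's own time server


def pair_metrics(log):
    """Per (src, dst, port): connection count, coefficient of variation of the
    inter-connection intervals, and the share of connections carrying the modal size."""
    by_pair = {}
    for ts, src, dst, port, nbytes in log:
        by_pair.setdefault((src, dst, port), []).append((ts, nbytes))
    metrics = {}
    for pair, conns in by_pair.items():
        conns.sort()
        stamps = [c[0] for c in conns]
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        sizes = [c[1] for c in conns]
        if len(intervals) < 2:
            continue  # too few connections to say anything about regularity
        cv = pstdev(intervals) / mean(intervals)
        modal_share = Counter(sizes).most_common(1)[0][1] / len(sizes)
        metrics[pair] = {"count": len(conns), "interval_cv": cv, "modal_size_share": modal_share}
    return metrics


def classify(log, allowlist=frozenset(), min_count=10, max_cv=0.15, min_share=0.8):
    """Label each pair 'beacon', 'allowlisted' (regular, but a known-good server) or 'normal'."""
    verdicts = {}
    for (src, dst, port), m in pair_metrics(log).items():
        regular = (m["count"] >= min_count and m["interval_cv"] <= max_cv
                   and m["modal_size_share"] >= min_share)
        if not regular:
            verdicts[(src, dst, port)] = "normal"
        elif (dst, port) in allowlist:
            verdicts[(src, dst, port)] = "allowlisted"
        else:
            verdicts[(src, dst, port)] = "beacon"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE_LOG, NTP_ALLOWLIST).items():
        print(pair, verdict)
```

Without the allow-list the NTP pair scores as a beacon, which is exactly the false positive the text warns about; with it, only the C&C pair is reported. Real implants add jitter and padding to defeat this, so production tooling scores on a sliding scale rather than hard thresholds, but the two signals used here (timing regularity and size consistency) remain the basis of beacon analysis.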

Examples of malware network behavior traits

Behavior-based detection has the edge because it can discover previously unknown threats in real time. It also supports in-depth analysis of the malware, and specifically of its modus operandi.

Every type of malware has behavior that is typical of its kind:

  • Worms (e.g., Wipper)
      • A lot of scanning
      • Noisy traffic
      • Attempts to move laterally through local ports
  • Cryptominers
      • Remain hidden so they can keep using computational resources
      • On first execution, the miner sends join requests to a "mining pool"
      • Network signature: HTTP or Stratum (JSON-RPC over TCP) traffic, mostly to mining-pool domains that are often on blocklists
      • A marked increase in the use of computational resources
  • Ransomware
      • The encryption activity is visible in the memory fingerprint of affected devices
      • In terms of propagation, its network signature is subtle
      • Obfuscated C&C architecture to protect it from takedowns by law enforcement
  • Remote Access Trojans
      • Maintain an effective C&C infrastructure for regular communication and command execution
      • A distinctive network trace: continued communication between the infected system and a number of IP addresses
      • Bulletproof hosting (occasionally)

Conclusion

It is confirmed: drinking bleach will not save you from any viruses, at least not computer ones.

Unless you only ever encounter completely asymptomatic strains, which would be an astonishing event in cybersecurity, every organization that handles sensitive data or critical operations is well advised to deploy technologies that analyze the behavior of malware rather than relying on signatures alone.

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.