Continuing our interview questions series, here we present the next part of our interview questions.
Let's begin:
Q1. Name some malware identification tools.
Some of the most widely used tools for identifying malware are:
- CrowdStrike Falcon Insight: This EDR analyzes malware on two levels and also identifies intruder activity. The system is cloud-based with endpoint modules for Windows, macOS, and Linux.
- Cuckoo Sandbox: Provides a balance between automated and manual malware analysis tools, complete with multiple sandbox environments.
- IDA Pro: A highly technical tool designed with forensic and cybersecurity pros in mind.
- it: Simple web-based tool, ideal for researchers looking to perform malware searches.
- Limon: Developed to detect Linux-based malware.
- VirusTotal: A massive repository of malware signatures available online for both end-users and researchers alike.
- Wireshark: Provides deep packet inspection to uncover malware communicating across a network.
- PeStudio: Designed to streamline the analysis process for malware researchers.
- Fiddler: Identifies malicious activity by monitoring HTTP/S traffic via proxy.
- Process Monitor: Uncovers the relationship between executables and procedures to help identify malware and its behavior.
Q2. How do you analyze a malware sample?
A sandbox is used: a secure virtual environment, segmented from the network, built specifically to test and analyze malware samples. Sandboxes are a flexible and customizable way to see how malware reacts to different antivirus programs, operating systems, and countermeasures. Using a sandbox protects your entire network and operating system from infection while you study the impact of the malware. Many malware analysis tools come with a sandbox environment or support sandbox environments. A good sandbox environment is indistinguishable from a real operating system, so intelligent malware won’t act differently when observed.
Q3. What is an Indicator Of Compromise?
An IOC is the digital equivalent of a trail of breadcrumbs left behind by malware. IOCs help investigators identify a problem on the network or operating system and aid in tracking down malware for analysis and remediation. By proactively monitoring IOCs, organizations can detect attacks in progress and shut them down swiftly with malware detection tools.
Malware analysis tools look for IOCs while a suspicious file is being executed and after it has run. By measuring changes made during the file execution and examining the context of those changes, researchers can better understand how malware works and develop better prevention techniques.
Q4. Explain the manual process of identifying a trojan horse.
Here are effective ways to find a trojan horse on your computer.
Step 1. Safe Mode
Many cybersecurity experts recommend safe mode for detecting malware on the computer because in safe mode, Windows only loads the minimum programs necessary to operate. If there’s a trojan horse, you can easily spot it. So, here’s how to find trojans in safe mode:
- Click on “Start.”
- Type in “MSCONFIG.”
- In the System Configuration box, click on the “Boot” tab.
- Tick “Safe Mode.”
- Click “Apply,” then “OK.”
*Windows will then restart in safe mode.
- Re-open the System Configuration box.
- Click on the “Startup” tab.
- Check for any suspicious files in the list.
- Search for information about the file on the internet if necessary.
- Once a file is confirmed as a virus, disable it.
- Click “Apply,” then “OK.”
- Exit without restarting the computer.
That’s how to find trojans on your computer in safe mode. We are now ready to uninstall the trojan horse from your computer.
Step 2. Programs and Features
In this step, you will remove the program that you found in safe mode. A trojan virus may reinstall itself if the program is still installed on the computer. So, here’s how to find trojans on your computer in Programs and Features:
- Click on “Start.”
- Go to Control Panel.
- Click on “Programs and Features.”
- Look for the same application.
- Right-click on it and uninstall it.
- Once the program is uninstalled, exit without restarting the computer.
Step 3. Temp Folder
Even though the malicious software is already uninstalled, its residuals might still be in the TEMP folder, which may cause a trojan infection again.
You may not necessarily spot the malicious file in the TEMP folder because there are likely numerous files stored in there. To make it easier, just delete all the temporary files. This will get rid of the malware immediately.
- To access the temp folder, type “%temp%” in the Windows search bar.
- Once the temp folder opens, delete all the files stored in there.
That should have eliminated the trojan horse from the computer.
Step 4. Task Manager
Now that we have eliminated the trojan horse virus from the computer, it is important to ensure that the computer is completely virus free. You can check in Task Manager. If any malicious software is active, you will see it there.
- Press Ctrl+Alt+Del.
- When the Task Manager is open, click on the “Processes” tab.
- Check for any suspicious process, in particular applications without a verified publisher.
- Click on it and end its process.
That’s how to find trojans on your computer in task manager.
Q4. Describe signature-based identification of malware.
Signature-based detection, in the context of cybersecurity, is the use of footprints to identify malware. All programs, apps, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are typically unique to the respective program. With signature-based detection, antivirus products are able to scan a computer for the footprints of known malware.
Q5. How are malware signatures created?
In order to create a signature for a particular malware file or family of files, a security analyst needs one or more (the more the better) samples of the file to work from. Such samples may be gathered ‘in the wild’ from infected computers, sourced from the darknet and other places malware authors trade their work, or from shared malware repositories where security researchers (and in some cases the public) can share known malware files. Some popular malware repositories available to security professionals include VirusTotal, Malpedia and MalShare.
Once a vendor has a set or ‘corpus’ of files to work with, they begin to examine the files for common characteristics. These characteristics can involve factors such as file size, imported or exported functions, data bytes at certain positions (‘offsets’), sectional or whole-file hashes, printable strings and more.
The process of generating signatures can be automated, but it is often initially done manually by specialist malware analysts and reverse engineers, particularly when an entirely new family of malware is found.
While there are many different formats for creating signatures, one of the most popular formats widely in use today is YARA, which allows malware analysts to create signatures based on textual and binary patterns. For example, the following image shows a slice of code from a well-known malware family distributed by APT threat actor OceanLotus on the left, and a YARA signature to detect it on the right.
Note the signature condition, which states that the file must be of type ‘Macho’ (Mach-O), and have a file size of less than 200KB, while also containing all the strings defined in the rule.
In the YARA format, the strings may occur as regular human-readable characters set between quotation marks, or, as in the example above, as hexadecimal-encoded bytes set between curly brackets. Some signature writers exclusively use the latter, even when the string to be matched is a string of human-readable characters. Thus, ‘hello, world’ might be encoded in the signature as { 68 65 6c 6c 6f 2c 20 77 6f 72 6c 64 }.
There are various programs available that allow you to easily translate back and forth between human readable strings and hexadecimal. On Mac and most Linux machines, the command line utility xxd is one such program.
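As an added illustration (not code from the original post or from any YARA tool), the following Python mimics the rule condition described above: a Mach-O magic check, a file size limit, and YARA-style hex strings with `??` single-byte wildcards. It also shows why such a pattern still matches a variant that differs by one byte, where a whole-file hash does not. The Mach-O magic value, the constructed samples and the helper names are assumptions made for this demo.

```python
import hashlib
import re

# Simplified stand-in for YARA's "Macho" check: a 64-bit Mach-O file begins
# with the magic 0xFEEDFACF, stored little-endian on disk (demo assumption).
MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"

def text_to_yara_hex(text: str) -> str:
    """Encode a readable string the way a hex-only signature writer would."""
    return "{ " + " ".join(f"{b:02x}" for b in text.encode()) + " }"

def yara_hex_to_regex(hex_string: str) -> bytes:
    """Turn a YARA hex string such as '{ 68 65 ?? 6c }' into a byte regex.
    '??' is YARA's single-byte wildcard; every other token is a literal byte."""
    parts = []
    for token in hex_string.strip().strip("{}").split():
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return b"".join(parts)

def matches_rule(data: bytes, hex_strings, max_size: int = 200 * 1024) -> bool:
    """Mimic the rule condition from the text: Mach-O magic, filesize < 200KB,
    and every string of the rule present somewhere in the file."""
    if len(data) >= max_size or data[:4] != MACHO_MAGIC_64:
        return False
    return all(re.search(yara_hex_to_regex(h), data, re.DOTALL) for h in hex_strings)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples, not real malware: same payload strings, one padding byte
# and one path character changed, as a polymorphic variant would differ.
RULE_STRINGS = [text_to_yara_hex("hello, world"),
                "{ 2f 74 6d 70 2f ?? 2e 73 68 }"]  # "/tmp/?.sh"
SAMPLE_A = MACHO_MAGIC_64 + b"\x00" * 16 + b"hello, world\x00/tmp/x.sh\x00"
SAMPLE_B = MACHO_MAGIC_64 + b"\x00" * 15 + b"\x41" + b"hello, world\x00/tmp/y.sh\x00"

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, sha256(sample)[:16], "rule match:", matches_rule(sample, RULE_STRINGS))
```

The two samples hash differently, so a hash list covering A misses B, while the single rule matches both.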
Q6. What are the advantages of signature based detection?
Signature-based detection offers a number of advantages over simple file hash matching. First, by means of a signature that matches commonalities among samples, malware analysts can target whole families of malware rather than just a single sample.
Second, signatures are very versatile and can be used to detect many kinds of file-based malware. Signatures can easily include or exclude different file types, whether those be shell scripts, Python files, Windows PE files, Linux ELF files or macOS Mach-O files. The same malware database, and even the same rule where appropriate, could potentially scan and match a signature across almost any file type.
Third, signature formats like YARA are very powerful and offer malware analysts both a wide variety of logic by which to define malicious behavior as well as a relatively simple format that is easy to write and test. Moreover, as signatures are text-based, a single database can contain many thousands, even millions, of signatures without itself being excessively large.
A common signature format like YARA is also easy to share among researchers and threat intelligence data feeds, ensuring that known malware is widely detected and that as many computer users as possible are protected against known threats.
Q7. What Are the Disadvantages of Signature-Based Detection?
Signature-based detection has been the standard for most security products for many years and continues to play an important role in fighting known, file-based malware, but today an advanced solution cannot rely solely or even primarily on file signatures for detection. Some of the reasons for this are due to the way threat actors have adapted to evade signature detection and some are related to drawbacks inherent to the method of scanning a file for specific attributes.
The first major drawback of using signatures to detect malware is that signatures can only be written after a malware sample has already been seen. This means that any solution that relies solely on signatures is always going to be one step behind the latest attacks.
The second major problem resides in the fact that today unique malware samples are created at such a rapid rate that writing enough effective signatures is not a realistic goal. This is part of the reason why so many signature-based solutions fail to catch known malware.
Q8. What are the limitations of signature-based detection?
Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. In the case of a virus scanner, it may be a unique pattern of code that attaches to a file, or it may be as simple as the hash of a known bad file. If that specific pattern, or signature, is discovered again, the file can be flagged as being infected.
As malware became more sophisticated, malware authors began using new techniques, like polymorphism, to change the pattern each time the object spread from one system to the next. As such, a simple pattern match wouldn’t be useful beyond a small handful of discovered devices.
In network detection systems like IDS, signatures are defined to look for characteristics within network traffic. One of the more common definition methods is “Snort rules”. A Snort rule defines characteristics in one or a series of network packets to identify malicious behavior.
For example, a Snort rule can be written to identify command-and-control (C2) traffic between an infected device and the adversary, regardless of where the adversary’s servers are kept. While it is more difficult for adversaries to obfuscate network packets to evade the signature, it is relatively easy to encrypt the traffic, complicating the detection process.
One of the biggest limiting factors behind signatures is that these are always reactive in nature: You always have to start with an instance of a virus or an understanding of a network attack in order to write a signature to detect them. This means signatures can’t identify unknown and emerging threats. Signatures only identify threats that are already known.
Q9. What is a behavior-based IDS?
A behavior- or anomaly-based IDS solution goes beyond identifying particular attack signatures to detect and analyze malicious or unusual patterns of behavior. This type of system applies statistical, AI and machine learning techniques to analyze huge amounts of data and network traffic and pinpoint anomalies.
Instead of searching for patterns linked to specific types of attacks, behavior-based IDS solutions monitor behaviors that may be linked to attacks, increasing the likelihood of identifying and mitigating a malicious action before the network is compromised.
By intelligently analyzing data using AI and machine learning, behavior-based IDS solutions offer the best line of defense against network breaches. They provide holistic views of today’s complex, sprawling networks from the premises to the data center and cloud. That means malicious and anomalous traffic will be detected across the entire physical and virtual network attack surfaces.
Q10. What is an anomaly-based intrusion detection system?
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.
In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of most anomaly detection systems are the training phase (where a profile of normal behavior is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar-based methods, and artificial immune systems.
Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer end points. They allow for fine-tuned, granular protection of end points at the application level.
Anomaly-based intrusion detection at both the network and host levels has a few shortcomings, namely a high false-positive rate and the ability to be fooled by a carefully delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.
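As an added example (not part of the original post), this Python sketches the two phases described above on constructed per-minute traffic features for one host: a training phase that builds a profile of normal behavior, and a testing phase that scores new observations, in both a statistical (z-score) form and the strict range-based form. The feature choice, the threshold and the sample data are assumptions, and the last two cases show the false-positive and evasion shortcomings just mentioned.

```python
import statistics

# Constructed training data (not real traffic): per-minute (connections,
# distinct destination ports) for one host during normal operation.
TRAINING = [(12, 3), (15, 4), (11, 3), (14, 3), (13, 4), (16, 5), (12, 3), (14, 4)]

def build_profile(samples):
    """Training phase: mean and standard deviation of each feature."""
    return [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*samples)]

def anomaly_score(profile, observation):
    """Testing phase: largest z-score of the observation against the profile."""
    scores = []
    for (mean, std), value in zip(profile, observation):
        if std == 0:
            scores.append(0.0 if value == mean else float("inf"))
        else:
            scores.append(abs(value - mean) / std)
    return max(scores)

def classify(profile, observation, threshold=3.0):
    """Statistical variant: anything more than `threshold` deviations away is flagged."""
    return "anomalous" if anomaly_score(profile, observation) > threshold else "normal"

def strict_bounds(samples):
    """Strict anomaly detection: 'normal' is exactly the range seen in training."""
    return [(min(col), max(col)) for col in zip(*samples)]

def strict_classify(bounds, observation):
    """Any feature outside its training range is flagged as an attack."""
    out_of_range = any(v < lo or v > hi for (lo, hi), v in zip(bounds, observation))
    return "anomalous" if out_of_range else "normal"

if __name__ == "__main__":
    profile, bounds = build_profile(TRAINING), strict_bounds(TRAINING)
    cases = [("typical minute", (14, 4)), ("port scan", (13, 60)),
             ("slow beacon kept in range", (17, 5)), ("legitimate backup burst", (25, 3))]
    for label, obs in cases:
        print(f"{label:26} z-score: {classify(profile, obs):9} strict: {strict_classify(bounds, obs)}")
```

The "backup burst" is flagged by both models although it is benign (a false positive), while the activity kept just inside the training range slips past the statistical model and is caught only by the strict one.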
With these questions we conclude part-3 here, but stay tuned for the next part (part-4) in our interview series. Till then, stay connected with cybervie.