CHAPTER ONE
1.1 INTRODUCTION
Malware, short for malicious software, has become a worldwide epidemic in the information and communication technology world. Advances in technology have been misused by malicious actors to develop more dangerous and sophisticated malicious software; as a result, the number of computer systems attacked daily is increasing and the impact of malware grows worse by the day. There is a shift from conventional malware to advanced malware, and the rise of advanced malware is reshaping the threat landscape and compelling computer security experts and researchers to reassess their approaches. This has led to an ongoing arms race between malware developers and anti-malware developers.
An important task in cybersecurity today is protecting computer systems and resources against malware, whatever the computer system is used for, because a single attack can compromise data and cause substantial losses. These widespread attacks and substantial losses underline the core need for accurate and timely detection approaches. For malware to be detected, there must be comprehensive and extensive analysis of data, both from the internet and from other sources. This analysis classifies data into normal data and malicious data; the malicious data are called malware.
Computer security and cybersecurity experts face a greater challenge today than in earlier years because of the growth in internet and network use. Malware is developed for malicious purposes, either to destroy computer resources or to breach data integrity. Some malware is created not for destruction or breach but with a financial motive, that is, to make money; adware and ransomware are examples of this kind. There are three techniques for malware detection, namely signature-based, behaviour-based and heuristic. Traditionally, malware detection uses the signature-based technique, but not all malware can be detected with signature-based and behaviour-based techniques (Zahra et al., 2013; Saja and Omar, 2016; Allan, 2016). Advanced malware such as polymorphic and metamorphic malware is responsible for advanced persistent threats (APTs) and is good at bypassing signature-based and behaviour-based anti-malware programs. The shortcomings of the signature and behavioural detection techniques led researchers to develop a third technique, which uses either machine learning algorithms or data mining algorithms to detect malware. This technique is called heuristics. Heuristic malware detection overcomes the shortcomings of both signature-based and behaviour-based detection, but it comes with its own downside: a high rate of false positives.
The purpose of this paper is to compare these three malware detection techniques with a view to isolating their strengths and weaknesses, and to suggest a way forward for mitigating the prevalent threats in our cyberspace.
1.2 BACKGROUND OF THE STUDY
With the escalating growth of communication and information systems, a new term entered the digital world: malware. It is a general term that stands for malicious software and takes many shapes (code, scripts, active content and others). It is designed to achieve goals such as collecting sensitive data, accessing private computer systems and sometimes harming those systems. Malware can reach systems in different ways and through multiple media; the most common way is downloading from the internet. Once the malware finds its way onto a system, what happens next depends on its functions. In some cases the malware does not damage the system outright but degrades its performance and creates overload; in the case of spying, the malware hides itself in the system where anti-virus software cannot detect it, and this hidden malware sends critical information about the computer back to its source. Given these challenges, it is critical to carry out an in-depth analysis to understand malware for a better chance of detection and removal. This paper is organized as follows: Section two covers the recent state of malware security and threats through results obtained from different journals. Section three discusses the types of malware, and section four presents malware analysis techniques. Section five studies the propagation of malware in different applications and environments, and finally section six explains malware detection techniques.
Malware threats, as assessed by IT security organizations, are now growing by more than ten thousand every day. The Symantec Internet Security Threat Report (2011) reveals that the total number of unique malware variants in the world in 2011 was around 403 million, compared to 286 million variants in 2010. Malware that uses evasion techniques such as self-defending code, packing, anti-debugging and anti-virtualization has created problems on computer networks, in particular causing network bottlenecks and increasing the criminal threat to corporate and individual data. The greatest challenge for antivirus organizations and researchers is the threat that arises in computer applications because of an unknown vulnerability, known as a zero-day attack, which takes advantage of an application with a security vulnerability. This research therefore endeavours to discover the best solution by conducting malware analysis. Malware analysis can be conducted in many environments or platforms, such as a virtual machine environment (Virtual PC, VMware or QEMU), online analysis tools such as a sandbox, or the traditional way using a real machine in a secure environment. Choosing the right malware analysis environment is very important to make sure the analysis result gives accurate information about the malware threat.
The problem to be examined involves the high spreading rate of computer malware (viruses, worms, Trojan horses, rootkits, botnets, backdoors and other malicious software) and the failure of conventional signature-matching antivirus systems to detect polymorphic and new, previously unseen malicious executables. Malware is spreading all over the world through the Internet and is increasing day by day, thus becoming a serious threat. Manual heuristic inspection in static malware analysis is no longer considered effective or efficient against the high spreading rate of malware.
Nevertheless, researchers are trying to develop various alternative approaches to combating and detecting malware. One proposed approach (solution) is to use automatic dynamic (behaviour) malware analysis combined with data mining tasks, such as machine learning (classification) techniques, to achieve effectiveness and efficiency in detecting malware.
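To make the trade-offs concrete, the following added example (not code from the paper; all samples, byte strings and behaviour traces are constructed stand-ins, and the feature weights are an assumed toy model rather than a trained classifier) implements the three techniques described in the introduction and the dynamic-analysis-plus-classification approach above. A fixed byte signature catches only the known variant, an ordered behaviour rule also catches the polymorphic variant but misses a new family, and a weighted heuristic score catches all three at the cost of flagging a benign installer, which is the false-positive downside the text describes.

```python
"""Toy comparison of signature-based, behaviour-based and heuristic detection.
Every sample below is constructed for illustration: the byte strings are not
real executables and the behaviour lists are stand-ins for sandbox traces."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    code: bytes            # constructed stand-in for the executable's bytes
    behaviour: list        # constructed stand-in for actions seen in dynamic analysis
    is_malicious: bool     # ground truth, used only to score the detectors


# --- Signature-based: match a fixed byte pattern extracted from a known sample ---
SIGNATURES = {"constructed-family-A": b"\xde\xad\xbe\xef"}


def signature_detect(sample):
    return any(sig in sample.code for sig in SIGNATURES.values())


# --- Behaviour-based: match a known malicious action sequence, in order ---
BEHAVIOUR_RULES = [("write_autorun_key", "spawn_hidden_process", "connect_out")]


def behaviour_detect(sample):
    for rule in BEHAVIOUR_RULES:
        trace = iter(sample.behaviour)
        # `step in trace` consumes the iterator, so this checks an ordered subsequence
        if all(step in trace for step in rule):
            return True
    return False


# --- Heuristic: weighted feature score against a threshold (assumed toy weights) ---
FEATURE_WEIGHTS = {
    "high_entropy_code": 0.4,      # packed or encrypted body, typical of polymorphic samples
    "write_autorun_key": 0.3,
    "spawn_hidden_process": 0.3,
    "connect_out": 0.2,
    "delete_self": 0.3,
}
THRESHOLD = 0.6


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is the maximum for a byte stream."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_score(sample):
    features = set(sample.behaviour)
    if shannon_entropy(sample.code) > 6.0:
        features.add("high_entropy_code")
    return round(sum(FEATURE_WEIGHTS.get(f, 0.0) for f in features), 2)


def heuristic_detect(sample):
    return heuristic_score(sample) >= THRESHOLD


# Constructed corpus: bytes(range(256)) stands in for an encrypted, high-entropy body.
SAMPLES = [
    Sample("known variant", b"MZ" + b"\xde\xad\xbe\xef" + b"\x00" * 29,
           ["write_autorun_key", "spawn_hidden_process", "connect_out"], True),
    Sample("polymorphic variant", b"MZ" + bytes(range(256)),
           ["write_autorun_key", "spawn_hidden_process", "connect_out"], True),
    Sample("novel family", b"MZ" + bytes(range(256)),
           ["delete_self", "connect_out"], True),
    Sample("benign installer", b"MZ" + b"\x00" * 40 + b"setup",
           ["write_autorun_key", "spawn_hidden_process"], False),
]


def evaluate(detector, samples=SAMPLES):
    """Count true positives, false positives and misses for one detector."""
    result = {"true_positives": 0, "false_positives": 0, "missed": 0}
    for s in samples:
        flagged = detector(s)
        if flagged and s.is_malicious:
            result["true_positives"] += 1
        elif flagged:
            result["false_positives"] += 1
        elif s.is_malicious:
            result["missed"] += 1
    return result


if __name__ == "__main__":
    for det in (signature_detect, behaviour_detect, heuristic_detect):
        print(f"{det.__name__:18} {evaluate(det)}")
```

Running the script prints one result line per detector; the signature detector misses two of the three malicious samples, the behaviour detector misses the novel family, and the heuristic detector finds all three but also flags the benign installer, because adding a startup entry and spawning a hidden process together reach the threshold.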
1.2 OBJECTIVE OF THE STUDY
The main objective of carrying out malware analysis is to gain an understanding of the mode of operation of a given piece of malware, in order to come up with an appropriate defence to protect all vulnerable systems.
1.3 STATEMENT OF PROBLEM
Many studies, surveys, experiments, brainstorming sessions, statistical analyses and modeling methods have been carried out to gain deeper knowledge and valuable information about malware, because attackers are continually developing their abilities, attacking skills and techniques in order to make tracking and detection difficult and to pose new challenges to inspectors. Even so, all these studies and works are not sufficient to cover the rapid evolution of malware. To our understanding, Virus Bulletin (1988) was the first journal dedicated to the study of malware, whereas now there are many journals dedicated to security issues, especially malware issues. This paper is presented to gain an understanding of the various issues related to malware. We have used many resources, drawn from different papers and journals; the details of the resources used are given in the data collection part.
1.4 SIGNIFICANCE OF THE STUDY
There is a need to better understand malware by performing malware analysis. This work is primarily left to antivirus vendors. However, the details of how malware behaves are often hidden, primarily because exposing the details of the code can give others hints on how they could adopt and improve that code for future malware. This is, of course, already happening in the malware development community.
1.5 SCOPE OF THE STUDY
Malware has the capability to hide itself and even to manipulate the registry keys available in the system. In order to see those changes, a proper environment or lab is required, and creating a proper lab for analysing malware is very important for understanding its behaviour. We will use VMware Workstation or Oracle VirtualBox to create a lab that has a certain set of operating systems, basic forensic tools, a local network connection and snapshot availability. The ability to manipulate network settings so that our lab does not affect our actual networks is very important. Basic use of the Wireshark network monitoring packet sniffer will show how malware tries to infect other systems present in the network. In the end we will discuss countermeasures and certain steps to take while performing dynamic malware analysis. Incident response, basic forensics, malware discovery and basic reverse engineering will benefit from this research paper.
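As an added example of what the Wireshark step in the lab is looking for (this is not code from the paper; the capture lines are constructed in the shape of a Wireshark packet-list CSV export with the default columns No., Time, Source, Destination, Protocol, Length and Info, and the 10.0.0.0/24 addresses are an assumed isolated lab segment), the script below reads such an export and flags any lab host that sends TCP SYNs to several different hosts on the same port, which is the pattern of a sample trying to spread across the segment.

```python
"""Spot worm-like lateral movement in an isolated-lab capture.
CAPTURE_CSV is constructed to mimic a Wireshark packet-list CSV export; it is
not a real capture. Host 10.0.0.5 probes four neighbours on one port, while
the remaining rows are ordinary DNS and web traffic."""
import csv
import re
from collections import defaultdict

CAPTURE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","10.0.0.7","10.0.0.1","DNS","74","Standard query 0x1a2b A updates.example"
"2","0.012","10.0.0.8","10.0.0.1","TCP","74","49153 > 80 [SYN] Seq=0 Win=64240 Len=0"
"3","0.210","10.0.0.5","10.0.0.7","TCP","66","49160 > 445 [SYN] Seq=0 Win=8192 Len=0"
"4","0.211","10.0.0.5","10.0.0.8","TCP","66","49161 > 445 [SYN] Seq=0 Win=8192 Len=0"
"5","0.212","10.0.0.5","10.0.0.9","TCP","66","49162 > 445 [SYN] Seq=0 Win=8192 Len=0"
"6","0.213","10.0.0.5","10.0.0.10","TCP","66","49163 > 445 [SYN] Seq=0 Win=8192 Len=0"
"7","0.400","10.0.0.7","10.0.0.5","TCP","66","445 > 49160 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0"
'''

# Only a bare [SYN] is a connection attempt; [SYN, ACK] replies deliberately do not match.
PORTS_RE = re.compile(r"^(\d+)\s+>\s+(\d+)\s+\[SYN\]")


def parse_syn_probes(capture_csv):
    """Yield (source, destination, destination_port) for every TCP SYN in the export."""
    for row in csv.DictReader(capture_csv.splitlines()):
        if row["Protocol"] != "TCP":
            continue
        m = PORTS_RE.match(row["Info"])
        if m:
            yield row["Source"], row["Destination"], int(m.group(2))


def find_scanning_hosts(capture_csv, min_targets=3):
    """Return {source: {port: distinct_target_count}} for every source that
    contacted at least `min_targets` different hosts on the same port."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_syn_probes(capture_csv):
        targets[src][port].add(dst)
    flagged = {}
    for src, by_port in targets.items():
        hits = {port: len(dsts) for port, dsts in by_port.items() if len(dsts) >= min_targets}
        if hits:
            flagged[src] = hits
    return flagged


if __name__ == "__main__":
    for host, hits in find_scanning_hosts(CAPTURE_CSV).items():
        print(f"{host}: distinct hosts contacted per port {hits}")
```

The threshold of three distinct targets on one port is a starting point for a small lab segment; on a larger segment it should be raised, and the same counting can be applied to a real export by replacing CAPTURE_CSV with the contents of the file Wireshark writes.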
1.6 METHODOLOGY
The method we followed to collect data was based on reviewing and analysing journals. We then gathered similar topics and ideas and grouped them into a specific structure as required; for instance, we categorized all topics related to malware and its propagation in different networks and environments, such as LANs, Bluetooth and wireless networks, under one main category called malware propagation. Another category is malware detection techniques, where we gathered all techniques such as anomaly-based detection, specification-based detection and signature-based detection. We applied this method to the remaining topics covered in our resources, and categorized all topics that do not belong to any main category under a separate category named Other.
During the categorization process some topics fitted into more than one category, while other topics did not overlap. Some of the overlapping topics were placed in the category called Other. Virtualization, for example, was categorized once as a malware detection technique and once as an environment for malware propagation; the reason was that going deeply into the keywords and abstracts of the virtualization papers gave us a clear picture of how to categorize them correctly. So we simply took the keywords and abstract of each paper as the basis of the categorization process and, if it was still unclear, we examined the discussion and conclusion sections to differentiate the topics.
1.7 LIMITATIONS OF THE STUDY
The publications related to this paper are more common in university libraries than in the offices of chief security officers and of companies specialized in information security services, such as Norton and McAfee. Another point related to the publications in this study is that they are distributed across many topics related to malware, which does not help in digging deep enough for solutions and defence mechanisms against malware attacks. It may help to clarify the picture of malware issues, but it is not enough for enhancements and additional contributions. The authors looked at malware from different angles and viewpoints, which is valuable but may confuse readers. On the other hand, the statistics provided and the details analysed are also few, too few to adequately sustain very significant research value. Since most of the papers are very specific in their research field and purpose, it is difficult to generalize the specimens into statistical data with high accuracy. We also realized that most papers come from IEEE publications, and acknowledge this as a limitation on the availability of related research publications from other sources.
1.8 DEFINITION OF TERMS
1. Malware: Malware, or malicious software, is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses and spyware.
2. Cybersecurity: Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks. In a computing context, security comprises cybersecurity and physical security; both are used by enterprises to protect against unauthorized access to data centers and other computerized systems.
3. Hacking: Hacking is an attempt to exploit a computer system or a private network inside a computer. Simply put, it is unauthorised access to or control over computer network security systems for some illicit purpose. To better describe hacking, one first needs to understand hackers.
4. Heuristics: A heuristic technique, or a heuristic for short, is any approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect or rational, but which is nevertheless sufficient for reaching an immediate, short-term goal.
5. Software: Computer software, or simply software, is a collection of data or computer instructions that tell the computer how to work. This is in contrast to physical hardware, from which the system is built and which actually performs the work.