Reference no: EM132828689, Length: 10 pages
Malware Analysis
TASKS:
For the purpose of this project you are expected to carry out an investigation into a botnet. Mainly, the investigation should be done by carrying out a literature review of research papers, industry reports and any other resources you may find related to that botnet. In addition, you may identify, download and analyse pcap file(s) and/or dataset(s) associated with that botnet.
Please note that you are NOT required to download and analyse the malware bot component of the botnet. If you decide to download it for further analysis, you should only do this once you have comprehensively researched and have a very good understanding of its behaviour and possible consequences. You are responsible for any damage you may cause as a result of your actions.
The final task will be to document potential defences to protect against future attacks by this botnet on organisations/individuals. Students will have to submit a report documenting their work.
The report should be concise, with the main part of the report (excluding references and appendix) limited to 10 pages in a typical 1-column format with a paragraph font size of 12 pt.
REPORT STRUCTURE:
1. Executive Summary: Description of the objectives and key findings of the investigation.
2. Methodology: Details and justifications (with references) of the botnet investigation methods that were used, which can include but may not be limited to:
• Detail your strategy to search for and select the academic papers, industry reports, and other references.
• Detail the pcap files and/or dataset that you identified and analysed (if any).
• If you decide to download and analyse the bots, provide details and justifications (with references) of the malware analysis methods that were used (e.g., static analysis, dynamic analysis, Internet investigation, etc.).
• Provide a description of the test environment setup (e.g., OS version, configuration, precaution and sandboxing measures, etc.), a description of the software tools and online tools used for the analysis of the pcap files / datasets / bots, and justification of their choice (i.e., vis-à-vis alternative tools).
3. Botnet Investigation & Findings: Detailed description of the botnet, interpretation and critical analysis of the findings. This section must be broken down into multiple subsections with meaningful headings for each aspect considered, which can include but may not be limited to:
• Bots Identification: Description of the bot sample, such as: type of the file, its name, size, hashes, current anti-virus detection capabilities, etc.
• Botnet Size and Damage: Provide estimates (with references) of the botnet size, as well as details about reported damage caused by the botnet (e.g., monetary cost for institutions, number of affected users / systems, etc.).
• Target Devices: Details about the target devices (e.g., PCs, mobile devices, IoT devices, etc.).
• Botnet Architecture: Details and diagram of the architecture/topology used by the botnet, number and type of C&C server(s), etc.
• Botnet Behaviour: Detail the behaviour of the botnet (e.g., interaction with registry, files, network, etc.), its main purpose / use cases (e.g., steal credit card information, carry out DDoS attacks), etc.
• Botnet Resilience: Detail if the botnet uses any C&C protection and resilience techniques (e.g., bulletproof hosting, DGAs, fast-flux, etc.), detail if the bots use any hiding techniques, persistence mechanisms (e.g., surviving reboots), etc.
• Botnet Takedown: Detail any efforts by law enforcement and/or other organisations / individuals to identify who created and/or operated the botnet (if known), any efforts to deactivate the botnet and how successful these were, etc.
• Botnet Evolution: Details on how the botnet evolved, new variants of the botnet showing up, etc.
4. Recommendations: Provide recommendations on how organisations/individuals can protect themselves against future attacks by this botnet (e.g., best practices, firewall rules, IDS, anti-virus, etc.).
5. Conclusions: Include an overall discussion of the main findings, limitations and implications, detail next steps (i.e., what else would you do if you had more time).
6. References: Include references to all the resources you consulted when preparing this CA (e.g., research papers, industry reports, web resources, etc.).
7. Appendix: Include screenshots and any additional details required to evidence how you conducted the practical tasks (the use of screenshots should be kept to a minimum in the main part of the document).
TASKS:
For the purpose of this CA you are expected to set up a malware analysis lab (please note that you are not allowed to just download an existing sandbox, but you can include a critical analysis discussing how looking at such sandboxes taught you good practices for creating your lab). In addition, you should carry out a research-based investigation into a piece of malware. The students will have to document the work carried out in the form of a report and include clear evidence (descriptions and screenshots).
REPORT STRUCTURE:
1. Malware Lab
a) VM Setup: Description and justifications of the VM setup (i.e., guest Windows OS version and configuration details, VM settings, etc.).
b) Software Tools: Description of the software tools installed and justifications of their selection (i.e., vis-à-vis alternative tools).
c) Gateway: Description of the virtual gateway setup and/or other network components (if any).
d) Lab Testing: Description and justification of the testing activities carried out to ensure that the lab is properly configured and isolated from the production environment (i.e., host, net
2. Research-based Malware Analysis
a) Executive Summary: Brief description of the objective and key findings of the analysis.
b) Identification: Description of the malware sample, and any information available in the public domain or that can be obtained using an online tool: e.g., type of the file, its name, size, hashes, malware names (if known), current anti-virus detection capabilities, etc.
c) Analysis: Detailed descriptions of the malware capabilities, behaviour, etc. This analysis should be conducted without downloading the malware, using only online resources such as research papers (i.e., check Google Scholar), malware analysis reports previously done by companies / bloggers, online tools and sandboxes (e.g., VirusTotal, ThreatMiner, Joe Sandbox), etc.
Attachment: VM Lab Setup.rar