Analysis of Malware

  • Steffens T
Abstract

Many APT groups are best known for their professionally developed malware. Sure enough, backdoors and trojans play a central role in attacks. But they also contain a wealth of information that is useful for attribution. Therefore, this chapter looks at how malware is developed and employed, and how analysts find clues about the perpetrators. The first section discusses the attackers' perspective in terms of their working environments and the trade-offs they have to make. Which type of malware do attackers need for what purposes, and how can they acquire it? What is the advantage of investing the effort to develop their own framework when they could also use publicly available tools? The other sections of the chapter cover the work of the analysts. Their data sources are explained and discussed, such as public databases like VirusTotal, telemetry data, and on-site incident response. How does the source of malware samples affect or limit attribution? What kind of evidence comes from the development environment and from functional aspects? How are language resources, timestamps, debug information, crypto implementations, and code similarities used for attribution? Throughout the chapter it becomes clear that information from malware is essential in all phases of attribution, from clustering to country attribution and attribution to organizations and persons.
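Two of the development-environment clues the abstract lists, compile timestamps and debug information, can be pulled straight out of a PE header. The following is an added example, not code from the chapter or from any analysis tool it describes: a minimal PE parser that reads the COFF TimeDateStamp and the CodeView (RSDS) debug record, which carries the PDB path, GUID and age that the linker left behind. Because it must run offline, it also constructs its own sample PE in memory; the PDB path, GUID, age and timestamp in that sample are invented for illustration and correspond to no real binary. The local_hour helper shows how a timestamp is shifted through a candidate UTC offset when building a working-hours profile of a developer.

```python
import struct
from datetime import datetime, timezone

IMAGE_DEBUG_TYPE_CODEVIEW = 2   # debug directory entry type for PDB references
DEBUG_DIRECTORY_INDEX = 6       # index of the debug entry in the data directories

# --- constructed sample input (hypothetical values, not from any real sample) ---
SAMPLE_TS = int(datetime(2019, 3, 14, 9, 32, 17, tzinfo=timezone.utc).timestamp())
SAMPLE_PDB = b"C:\\Users\\dev\\projects\\loader\\x64\\Release\\loader.pdb"
SAMPLE_GUID = struct.pack("<IHH8s", 0x1F2E3D4C, 0x5B6A, 0x7988, bytes.fromhex("a1b2c3d4e5f60718"))
SAMPLE_AGE = 3


def build_sample_pe(ts: int, pdb_path: bytes, guid: bytes, age: int) -> bytes:
    """Assemble a minimal PE32+ image with one section holding a CodeView debug record."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 240, 0x22)   # x64, 1 section, timestamp
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                      # magic PE32+
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    cv = b"RSDS" + guid + struct.pack("<I", age) + pdb_path + b"\0"
    struct.pack_into("<II", opt, 112 + 8 * DEBUG_DIRECTORY_INDEX, 0x1000, 28)  # debug dir RVA/size
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    dbg = struct.pack("<IIHHIIII", 0, ts, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                      len(cv), 0x1000 + 28, 0x200 + 28)        # entry points at the RSDS blob
    return headers + (dbg + cv).ljust(0x200, b"\0")


def rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def parse_build_clues(data: bytes) -> dict:
    """Extract compile timestamp and CodeView/PDB details from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs_off = {0x10B: 96, 0x20B: 112}[magic]                  # data directories start (PE32 / PE32+)
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):
        _name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append((va, raw_size, raw_ptr))
    dbg_rva, dbg_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * DEBUG_DIRECTORY_INDEX)
    clues = {"machine": machine,
             "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
             "pdb_path": None, "pdb_guid": None, "pdb_age": None}
    if dbg_size:
        base = rva_to_offset(sections, dbg_rva)
        for off in range(base, base + dbg_size, 28):
            _c, _t, _maj, _min, dtype, dsize, _addr, ptr = struct.unpack_from("<IIHHIIII", data, off)
            if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
                continue
            cv = data[ptr:ptr + dsize]
            if cv[:4] != b"RSDS":                              # only the PDB 7.0 format is handled here
                continue
            d1, d2, d3 = struct.unpack_from("<IHH", cv, 4)
            d4 = cv[12:20]
            clues["pdb_guid"] = (f"{d1:08X}-{d2:04X}-{d3:04X}-"
                                 f"{d4[:2].hex().upper()}-{d4[2:].hex().upper()}")
            clues["pdb_age"] = struct.unpack_from("<I", cv, 20)[0]
            clues["pdb_path"] = cv[24:].split(b"\0", 1)[0].decode("latin-1")
    return clues


def local_hour(dt: datetime, utc_offset_hours: int) -> int:
    """Hour of day the build happened in a candidate time zone (for working-hours profiling)."""
    return (dt.hour + utc_offset_hours) % 24


def demo() -> dict:
    return parse_build_clues(build_sample_pe(SAMPLE_TS, SAMPLE_PDB, SAMPLE_GUID, SAMPLE_AGE))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that a TimeDateStamp is a claim, not a fact: linkers accept arbitrary values, reproducible builds zero it, and some actors deliberately forge it, so the figure should be checked against other evidence (file-system metadata from incident response, first-seen dates in VirusTotal telemetry, timestamps in the debug directory itself) before it carries weight in attribution. The PDB path is likewise user-controlled, which is exactly why the user names, project names and language-specific directory names it leaks are worth recording when it has not been stripped.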

Citation

Steffens, T. (2020). Analysis of Malware. In Attribution of Advanced Persistent Threats (pp. 53–69). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-662-61313-9_3
