
Analysis of Malware

Chapter in: Attribution of Advanced Persistent Threats

Abstract

Many APT groups are best known for their professionally developed malware. Sure enough, backdoors and trojans play a central role in attacks. But they also contain a wealth of information that is useful for attribution. Therefore, this chapter looks at how malware is developed and employed, and how analysts find clues about the perpetrators. The first section discusses the attackers’ perspective in terms of their working environments and the trade-offs they have to make. Which type of malware do attackers need for which purposes, and how can they acquire it? What is the advantage of investing the effort to develop their own framework when they could also use publicly available tools? The other sections of the chapter cover the work of the analysts. Their data sources are explained and discussed, such as public databases like VirusTotal, telemetry data, and on-site incident response. How does the source of malware samples affect or limit attribution? What kind of evidence comes from the development environment and from functional aspects? How are language resources, timestamps, debug information, crypto implementations, and code similarities used for attribution? Throughout the chapter it becomes clear that information from malware is essential in all phases of attribution—from clustering to country attribution and attribution to organizations and persons.



Author information

Corresponding author: Timo Steffens.


Copyright information

© 2020 Springer-Verlag GmbH Germany, part of Springer Nature

About this chapter


Cite this chapter

Steffens, T. (2020). Analysis of Malware. In: Attribution of Advanced Persistent Threats. Springer Vieweg, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-61313-9_3


  • DOI: https://doi.org/10.1007/978-3-662-61313-9_3
  • Publisher Name: Springer Vieweg, Berlin, Heidelberg
  • Print ISBN: 978-3-662-61312-2
  • Online ISBN: 978-3-662-61313-9
  • eBook Packages: Computer Science (R0)
