Hillary Sanders - Malware Data Science

All data and code for this book are available for download at http://www.malwaredatascience.com/. Be warned: there is Windows malware in the data. If you unzip the data on a machine with an antivirus engine running on it, many of the malware examples will likely get deleted or quarantined.

NOTE

We have modified a few bytes in each malware executable so as to disable it from executing. That being said, you cant be too careful about where you store it. We recommend storing it on a non-Windows machine thats isolated from your home or business network.

Ideally, you should only experiment with the code and data within an isolated virtual machine. For convenience, weve provided a VirtualBox Ubuntu instance at http://www.malwaredatascience.com/ that has the data and code preloaded onto it, along with all the necessary open source libraries.

Now lets walk through the datasets that accompany each chapter of this book.

Recall that in we walk through basic static analysis of a malware binary called ircbot.exe. This malware is an implant, meaning it hides on users systems and waits for commands from an attacker, allowing the attacker to collect private data from a victims computer or achieve malicious ends like erasing the victims hard drive. This binary is available in the data accompanying this book at ch1/ircbot.exe.

We also use an example of fakepdfmalware.exe in this chapter (located at ch1/fakepdfmalware.exe). This is a malware program that has an Adobe Acrobat/PDF desktop icon to trick users into thinking theyre opening a PDF document when theyre actually running the malicious program and infecting their systems.

In this chapter we explore a deeper topic in malware reverse engineering: analyzing x86 disassembly. We reuse the ircbot.exe example from in this chapter.

For our discussion of dynamic malware analysis in s malware database for examples of ransomware.

introduces the application of network analysis and visualization to malware. To demonstrate these techniques, we use a set of high-quality malware samples used in high-profile attacks, focusing our analysis on a set of malware samples likely produced by a group within the Chinese military known to the security community as Advanced Persistent Threat 1 (or APT1 for short).

These samples and the APT1 group that generated them were discovered and made public by cybersecurity firm Mandiant. In its report (excerpted here) titled APT1: Exposing One of Chinas Cyber Espionage Units (https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), Mandiant found the following:

• Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
• APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
• Once APT1 has established access, they periodically revisit the victims network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations leadership.
• APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email: GETMAIL and MAPIGET.
• APT1 maintained access to victim networks for an average of 356 days.
• The longest time period APT1 maintained access to a victims network was 1,764 days, or four years and ten months.
• Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5TB of compressed data from a single organization over a ten-month time period.
• In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.

As this excerpt of the report shows, the APT1 samples were used for high-stakes, nation statelevel espionage. These samples are available in the data accompanying this book at