Dec 18, 2020

Week 12

Forum-based learning: malware in network analysis

Malware is short for malicious software: software written to damage a computer system or server, or to steal valuable information from it.

There are several ways to identify malware using network forensics methodology. One is a SIEM (security information and event management) system, which combines two earlier approaches, security information management (SIM, the long-term collection, storage and analysis of logs) and security event management (SEM, real-time monitoring, correlation and alerting), into a single security management platform. For malware hunting this matters because a SIEM correlates firewall, proxy, DNS and flow logs from many devices, so behaviour that looks harmless on a single host (one outbound connection, one failed login) becomes visible as a pattern across the whole network.

Examples of malware :

First example: worms. A worm is self-replicating malware: it carries its own code for spreading and does not need to attach itself to another program. Worms typically spread from host to host over the network, often by exploiting a vulnerability in a listening service, so they can infect an organisation very quickly; some also spread by email, where one user opening an infected attachment is enough to seed the infection. In network traffic a worm stands out as one host suddenly opening connections to many other hosts on the same port. Defences include patching the exploited service, segmenting the network so an infected host cannot reach every other host, filtering traffic at the firewall, and antivirus tools to remove the worm from infected machines.

Second example: viruses. A computer virus attaches itself to a host file (an executable or document), modifying the file so that the virus code runs whenever the file is executed. Because the malicious code is embedded in otherwise legitimate files, a virus is harder to remove cleanly than a stand-alone program. Antivirus products may have trouble detecting heavily modified or obfuscated viruses; when they do detect one, they typically block the file from executing, attempt to disinfect it, or quarantine or delete the infected file.
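The worm behaviour described above, one host fanning out to many neighbours on the same port, is exactly the kind of pattern a SIEM correlation rule catches across device logs. The following is an added example, not code from the original post: a hand-written version of such a rule run over a constructed connection log. The log format (timestamp, source, destination, destination port) and the thresholds (five distinct targets within sixty seconds) are assumptions for this example.

```python
"""Worm-style lateral spread detection over connection logs.

Added example, not from the original post. Implements a SIEM-style
correlation rule ("one host contacts many internal hosts on one port in
a short window") by hand so the logic is visible. The log layout
(timestamp src dst dst_port) and the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Record = Tuple[datetime, str, str, int]  # (ts, src_ip, dst_ip, dst_port)

# Constructed sample log: 10.0.0.5 hits SMB (445) on nine neighbours within
# ten seconds (worm-like); 10.0.0.7 makes ordinary web requests.
SAMPLE_LOG = "\n".join(
    [f"2020-12-18T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(9)]
    + [
        "2020-12-18T10:00:03 10.0.0.7 10.0.0.50 80",
        "2020-12-18T10:00:04 10.0.0.7 10.0.0.50 80",
        "2020-12-18T10:05:00 10.0.0.7 10.0.0.51 443",
    ]
)


def parse_log(text: str) -> List[Record]:
    """Parse 'ISO-timestamp src dst port' lines into records sorted by time."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    records.sort(key=lambda r: r[0])
    return records


def find_spreaders(
    records: List[Record], window_seconds: int = 60, min_targets: int = 5
) -> Dict[Tuple[str, int], Set[str]]:
    """Return {(src_ip, dst_port): targets} for every source that contacted at
    least `min_targets` distinct destinations on one port inside some
    `window_seconds` sliding window."""
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port in records:  # records are already time-ordered
        by_key[(src, port)].append((ts, dst))

    flagged: Dict[Tuple[str, int], Set[str]] = {}
    window = timedelta(seconds=window_seconds)
    for key, events in by_key.items():
        in_window: Counter = Counter()  # dst -> number of events in the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets:
                flagged.setdefault(key, set()).update(in_window)
    return flagged


if __name__ == "__main__":
    for (src, port), targets in find_spreaders(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {len(targets)} hosts on port {port}: {sorted(targets)}")
```

Run against the constructed log it flags only 10.0.0.5 on port 445. The same rule over real flow or firewall logs needs the thresholds tuned per network, since vulnerability scanners and monitoring systems legitimately fan out in the same way.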

Written by kks101 in: Network Forensics
Dec 11, 2020

Week 11

A web proxy acts as a gateway between users and the internet. It provides a degree of anonymity, because the destination site sees the proxy's address rather than the client's; the proxy operator itself, however, sees every request, which is what makes proxy logs so valuable in a forensic investigation. Web proxies are also used for content filtering and caching.

There are three main types of web proxy: tunneling, forward, and reverse.

Tunneling proxy: passes traffic through unmodified, typically via an SSH tunnel, an HTTPS CONNECT tunnel, or a VPN, so the data inside the tunnel is encrypted end to end. Attackers use tunnels to evade outbound filtering and to cover up their activity; for the investigator the payload is opaque, so the evidence is in the metadata: which client connected to which host and port, when, for how long, and how much data moved.

Forward proxy: handles all outbound web requests from internal clients on their behalf. It supports content inspection, filtering and caching, and its access log records every request (client, method, URL, bytes, time), which is often the best record of what internal hosts fetched from the internet.

Reverse proxy: the opposite of a forward proxy. It sits in front of one or more web servers and hides their identities from clients. It is used to cache static content, compress content, and load balance, that is, to distribute requests across the servers behind it.
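The forward proxy's access log is where tunneling shows up: an HTTPS CONNECT tunnel to an unusual port, to a bare IP address, or one that stays open for hours looks nothing like a browser fetching a page. The following is an added example, not code from the original post, that hunts for such tunnels in constructed log lines. It assumes the Squid native access-log layout (timestamp, elapsed milliseconds, client, result code, bytes, method, URL) and IPv4 hosts; the thresholds and the 198.51.100.0/24 and 203.0.113.0/24 addresses (documentation ranges) are also assumptions for the example.

```python
"""Covert-tunnel hunting in forward-proxy access logs.

Added example, not from the original post. Assumes the Squid native
access-log layout (time elapsed_ms client result/status bytes method url ...)
and IPv4 CONNECT targets; the thresholds are assumptions for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed log lines: one normal HTTPS session, two suspicious tunnels
# from 10.0.0.9, and one plain GET that is not a tunnel at all.
SAMPLE_LOG = """\
1607700000.123 210 10.0.0.5 TCP_TUNNEL/200 58320 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1607700010.456 3600000 10.0.0.9 TCP_TUNNEL/200 734003200 CONNECT relay.example.net:22 - HIER_DIRECT/203.0.113.7 -
1607700020.789 900000 10.0.0.9 TCP_TUNNEL/200 120000000 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1607700030.000 150 10.0.0.5 TCP_MISS/200 4102 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""

Tunnel = Tuple[str, str, int, int, int]  # (client, host, port, elapsed_ms, bytes)


def parse_connect(line: str) -> Optional[Tunnel]:
    """Return the CONNECT tunnel described by a Squid log line, or None for
    plain (non-CONNECT) requests and unparsable lines."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    host, _, port = fields[6].rpartition(":")  # CONNECT target is host:port
    if not host or not port.isdigit():
        return None
    return fields[2], host, int(port), int(fields[1]), int(fields[4])


def suspicious_tunnels(
    log: str, max_minutes: int = 10, allowed_ports=(443,)
) -> Dict[Tuple[str, str], List[str]]:
    """Map (client, host:port) -> reasons for CONNECT tunnels that look like
    covert channels rather than ordinary HTTPS browsing."""
    findings: Dict[Tuple[str, str], List[str]] = {}
    for line in log.splitlines():
        tunnel = parse_connect(line)
        if tunnel is None:
            continue
        client, host, port, elapsed_ms, _ = tunnel
        reasons: List[str] = []
        if port not in allowed_ports:
            reasons.append("non-443 port")  # e.g. SSH or a VPN over CONNECT
        try:
            ipaddress.ip_address(host)
            reasons.append("IP-literal host")  # no DNS name: no reputation lookup
        except ValueError:
            pass  # a hostname, as browsers normally use
        if elapsed_ms > max_minutes * 60_000:
            reasons.append("long-lived tunnel")  # browsers rarely hold one this long
        if reasons:
            findings[(client, f"{host}:{port}")] = reasons
    return findings


if __name__ == "__main__":
    for (client, target), reasons in suspicious_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {target}: {', '.join(reasons)}")
```

Only the metadata is available here, as the tunneling-proxy paragraph says: the bytes and duration of the session are recorded, but nothing of what went through it. That is still enough to single out 10.0.0.9, which is the host to pull full packet capture or endpoint evidence for next.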

Written by kks101 in: Network Forensics
Dec 04, 2020

Week 10

  • Some examples of storage media found in network devices include ROM, DRAM, hard drives and NVRAM. They differ in volatility: DRAM contents (running configuration, CAM and ARP tables, in-memory logs) are lost on reboot, whereas NVRAM, ROM and disk persist, so the volatile evidence must be collected first.
  • Switches map MAC addresses to switch ports, so they can tell you the physical location (the port) of a given MAC address. A switch keeps a CAM table and an ARP table.
  • CAM table: stores the MAC addresses seen on each physical port, mapping every MAC address to the port it was learned on. It helps locate the port an attacker is attached to, and an attacker who floods the table with bogus MAC addresses to force the switch to broadcast traffic so it can be sniffed leaves an obvious trace: one port with an abnormal number of addresses. The table lives in memory and its entries age out, so it is volatile and must be captured live.
  • ARP table: maps each IP address the switch has resolved to its MAC address. Combined with the CAM table, it links an IP address to a MAC address and then to a switch port.
  • Router: forwards network packets, based on their destination address, to other devices or networks.
  • Firewall: a network security device that monitors traffic entering and leaving the network it protects and filters it according to a set of security rules. Firewall logs contain important evidence such as connection attempts (allowed and denied), the applications or ports involved, and source and destination addresses.
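The CAM and ARP bullets above describe a two-hop lookup (IP address to MAC address to port) and a tell-tale for sniffing (a port carrying far too many MAC addresses). The following is an added example, not code from the original post, that performs both over constructed table dumps. The layouts are modelled on Cisco IOS "show mac address-table" and "show ip arp" output, and the threshold of eight MAC addresses per access port is an assumption for this example.

```python
"""Locating a host and spotting CAM flooding from switch tables.

Added example, not from the original post. Table layouts are modelled on
Cisco IOS 'show mac address-table' and 'show ip arp' output; both dumps
and the flooding threshold are constructed assumptions for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
CAM_ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)\s*$")
ARP_ROW = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC})\s+ARPA\s+(\S+)")

# Constructed CAM table: two normal access ports plus Gi1/0/7, where a
# MAC-flooding tool has announced 24 bogus addresses.
CAM_TABLE = "\n".join(
    [
        "          Mac Address Table",
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        "  10    0001.6c12.aa01    DYNAMIC     Gi1/0/1",
        "  10    0001.6c12.aa02    DYNAMIC     Gi1/0/2",
    ]
    + [f"  10    00aa.bb00.{i:04x}    DYNAMIC     Gi1/0/7" for i in range(24)]
)

# Constructed ARP table for the same VLAN (10.0.10.1 is the switch's own SVI).
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.1               -   0001.6c12.ff00  ARPA   Vlan10
Internet  10.0.10.5               3   0001.6c12.aa01  ARPA   Vlan10
Internet  10.0.10.6               1   0001.6c12.aa02  ARPA   Vlan10
"""


def parse_cam(text: str) -> Dict[str, str]:
    """Map MAC address -> switch port from 'show mac address-table' output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = CAM_ROW.match(line)
        if m:
            table[m.group(2)] = m.group(3)
    return table


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP address -> MAC address from 'show ip arp' output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def locate_ip(ip: str, arp: Dict[str, str], cam: Dict[str, str]) -> Optional[str]:
    """IP -> MAC (ARP table) -> port (CAM table). None if either hop is missing,
    e.g. because the entry aged out before the volatile tables were captured."""
    mac = arp.get(ip)
    return cam.get(mac) if mac else None


def flooded_ports(cam: Dict[str, str], max_macs_per_port: int = 8) -> List[str]:
    """Ports carrying more MAC addresses than an access port plausibly should."""
    per_port = Counter(cam.values())
    return sorted(port for port, n in per_port.items() if n > max_macs_per_port)


if __name__ == "__main__":
    cam, arp = parse_cam(CAM_TABLE), parse_arp(ARP_TABLE)
    print("10.0.10.5 is on port", locate_ip("10.0.10.5", arp, cam))
    print("possible CAM flooding on", flooded_ports(cam))
```

Because both tables are volatile, capture them (and note the time) before anything is rebooted or unplugged; the None returned for an IP whose MAC has already aged out of the CAM table is what a late capture looks like in practice.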

Written by kks101 in: Network Forensics
