Version: 1.0.2

Malware overview

  • Malicious program designed
    • to cause damage to systems
    • to give system access to its creators
  • Includes viruses, worms, trojans, ransomware, rootkits, spyware, adware, scareware, crapware, rogueware, crypters, keyloggers, botnets etc.

Malware sources

  • Instant messenger applications
    • E.g. WhatsApp, LinkedIn, Google Hangouts etc.
  • Portable hardware media / removable devices
    • E.g. flash drives, CDs/DVDs etc.
    • AutoRun (Autostart)
      • Windows feature that runs an executable automatically when a device is plugged in
      • Exploited by malware to run malicious code
      • 💡 Best practice is to disable it
  • Browser and email software bugs
    • Older software has known vulnerabilities, always use latest versions.
  • Insecure patch management
  • Rogue / decoy applications
    • By luring victim into downloading free software
    • 💡 Webmaster should do antivirus / anti-trojan scans of distributed files
  • Untrusted sites and freeware web applications/software
    • Many hack tools may include trojans
    • 💡 Users should scan the files before executing
  • Downloading files from Internet
    • Trojans can be distributed through e.g. music players, games, screensavers, Word/Excel macros, audio/video files, and video subtitles.
  • Email attachments
    • Most common way to transmit malware
    • E.g. invoice, job letter, loan approval letter etc.
    • 💡 Always confirm sender's email address
  • Network propagation
    • E.g. mistakenly allowing Internet traffic into private networks when replacing firewalls.
    • Blaster worm infects sequential IP addresses.
  • File sharing services
    • Open ports for file sharing or remote execution can be used by others to access systems
    • E.g. NetBIOS on port 139, FTP on port 21 and SMB on port 445
    • Turn off file and printer sharing
  • Installation by other malware
  • Bluetooth and wireless networks
    • Attackers set up open Bluetooth and Wi-Fi networks to attract users
    • Allows attackers to inspect network traffic and find e.g. usernames and passwords
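
The "File sharing services" item above names NetBIOS (139), FTP (21) and SMB (445) as ports that expose a system when left open. The following is an added example, not code from the original page: a small audit script that parses `ss -lntp`-style listener output and flags those ports when they are bound to a non-loopback address (the sample output embedded below is constructed, not captured from a real host).

```python
import re

# Ports the page names as common exposure points for file sharing / remote execution.
RISKY_PORTS = {21: "FTP", 139: "NetBIOS", 445: "SMB"}

# Addresses that mean "local machine only"; anything else is reachable from the network.
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample shaped like `ss -lntp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1201,fd=34))
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*          users:(("smbd",pid=1201,fd=35))
LISTEN  0       128     127.0.0.1:21         0.0.0.0:*          users:(("vsftpd",pid=880,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=702,fd=7))
LISTEN  0       511     [::]:80              [::]:*             users:(("nginx",pid=950,fd=6))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


def parse_listeners(ss_output):
    """Return a list of (bind_address, port, process) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket that is not listening
        listeners.append((m.group(1), int(m.group(2)), m.group(3) or "?"))
    return listeners


def exposed_sharing_ports(ss_output):
    """Flag risky ports bound to a non-loopback address, i.e. reachable by other hosts."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in RISKY_PORTS and addr not in LOOPBACK:
            findings.append(
                {"port": port, "service": RISKY_PORTS[port], "bind": addr, "process": proc}
            )
    return findings


if __name__ == "__main__":
    for f in exposed_sharing_ports(SAMPLE_SS_OUTPUT):
        print(f"{f['service']} ({f['port']}) exposed on {f['bind']} by {f['process']}")
```

In the constructed sample only SMB and NetBIOS are flagged: FTP is listening, but on 127.0.0.1, so it is not reachable from the network. To audit a real Linux host, replace `SAMPLE_SS_OUTPUT` with `sys.stdin.read()` and pipe `ss -lntp` into the script.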

Malware distribution techniques

  • Blackhat SEO
    • Also known as spamdexing, search engine spam, search engine poisoning, black-hat search engine optimization, search spam or web spam.
    • Methods to make malware websites rank higher in search engine results
  • Clickjacking
    • Tricking users into downloading malware with seemingly innocuous objects.
  • Spear phishing
    • Spear phishing is phishing directed at specific individuals or organizations.
    • E.g. can mimic government institutions
  • Malvertising
    • Injecting malicious advertisements into legitimate online advertising networks
  • Compromised websites
    • Distributing malware through a compromised website
  • Drive-by downloads
    • Downloads that happen without the user's knowledge or understanding of the consequences
    • Can be done e.g. by exploiting vulnerabilities in browsers, email clients.

Spam emails

  • 📝 Relaying
    • When email is accepted and then delivered to a non-local email address
  • 📝 Open relay
    • Allows anyone to send an e-mail without authentication
    • Allows e-mail spoofing (email messages with a forged sender address)
    • Was the default configuration in old internet but got abused by spammers/worms
    • Usually blacklisted
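
To make the relaying decision concrete, here is an added example (not code from the original page) that models the policy an SMTP server applies: final delivery for local domains is always accepted, while forwarding to a remote domain is allowed only for authenticated clients or trusted networks. Setting `open_relay=True` reproduces the historical default the notes describe. The domains, networks and sessions are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: set        # domains this server performs final delivery for
    trusted_networks: list    # CIDR networks allowed to relay without authenticating
    open_relay: bool = False  # True reproduces the historical "relay for anyone" default

    def decide(self, client_ip, authenticated, rcpt_domain):
        """Return 'accept' (final delivery), 'relay' (forward to a remote domain) or 'reject'."""
        if rcpt_domain.lower() in self.local_domains:
            return "accept"   # inbound mail for our own users is always fine
        if self.open_relay:
            return "relay"    # the abused configuration: anyone may send anywhere
        if authenticated:
            return "relay"    # e.g. a roaming user over SMTP AUTH
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(net) for net in self.trusted_networks):
            return "relay"    # a client on the office LAN
        return "reject"       # what a hardened server answers: "relay access denied"


# Constructed policies for a server that is responsible for example.com.
OPEN_POLICY = RelayPolicy({"example.com"}, [], open_relay=True)
HARDENED_POLICY = RelayPolicy({"example.com"}, ["192.0.2.0/24"])

# Constructed SMTP sessions: (client IP, authenticated?, recipient domain)
SESSIONS = [
    ("203.0.113.9", False, "victim.example.net"),   # stranger on the Internet, remote recipient
    ("203.0.113.9", False, "example.com"),          # stranger delivering mail to our users
    ("192.0.2.15", False, "partner.example.org"),   # unauthenticated client on the trusted LAN
    ("198.51.100.4", True, "partner.example.org"),  # authenticated user connecting from anywhere
]


def run_sessions(policy, sessions=SESSIONS):
    """Decision for each session under the given policy."""
    return [policy.decide(*s) for s in sessions]


def is_open_relay(policy):
    """The check an open-relay tester performs: can an unauthenticated stranger on the
    Internet send mail through us to a domain we are not responsible for?"""
    return policy.decide("203.0.113.9", False, "victim.example.net") == "relay"


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, run_sessions(policy), "open relay:", is_open_relay(policy))
```

The only session whose outcome differs between the two policies is the first one, a stranger sending to a remote domain; that single case is what turns a mail server into a spam source and gets it blacklisted.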

Malware components

  • Payload
    • Core component of malware, designed to execute its actual motive
  • Command and control (C&C)
    • Remote control center for the malware
  • Crypter
    • Software that makes malware harder to detect by security programs
    • It encrypts, obfuscates, and manipulates the malware
    • E.g. BitCrypter
  • Downloader
    • Downloads additional malware from a network resource on the Internet
  • Dropper
    • Has malware embedded and drops it to the system
  • Exploit
    • Takes advantage of a software vulnerability
    • May be used to deliver malware
  • Injector
    • Malware that injects itself (or other malware) into other processes or files
  • Malicious code
    • Code that gives malicious functionality to the malware
  • Protectors
    • Prevent tampering with and reverse engineering of programs
    • Usually includes packing and encrypting

Obfuscator

  • Usually a packer or protector for encrypting or compressing the malware
  • Goal is
    • to make reverse engineering difficult
    • to make malware undetectable from antivirus scans

Packer

  • Short for runtime packers which are also known as self-extracting archives.
  • Software that unpacks itself in memory when the "packed file" is executed
  • Smaller footprint on infected machine
  • Make reverse engineering more difficult
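
A packed executable carries its real code as a compressed or encrypted blob, which looks almost random. Two cheap indicators analysts use are byte entropy per section and the section names written by well-known packers. The following is an added example, not code from the original page: Shannon entropy over each section plus a name check, run on constructed byte buffers that stand in for the sections of an unpacked and a packed binary (no real executable is parsed; the `sections` dict is an assumed input shape).

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# A few section names written by well-known packers (UPX, ASPack, VMProtect).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1"}


def assess_sections(sections, threshold=7.0):
    """sections: {section_name: raw_bytes}. Returns per-section entropy and packing indicators.
    Compressed or encrypted code is close to random and scores near 8 bits/byte;
    ordinary machine code and data score well below the threshold."""
    report = {}
    for name, data in sections.items():
        ent = shannon_entropy(data)
        report[name] = {
            "entropy": round(ent, 2),
            "high_entropy": ent >= threshold,
            "packer_name": name in PACKER_SECTION_NAMES,
        }
    return report


def looks_packed(sections, threshold=7.0):
    """True if any section is near-random or carries a known packer section name."""
    return any(
        r["high_entropy"] or r["packer_name"]
        for r in assess_sections(sections, threshold).values()
    )


# Constructed stand-ins for section contents; not bytes from any real executable.
_rng = random.Random(1234)
UNPACKED_SAMPLE = {
    ".text": b"mov eax, [ebp+8]; call printf; ret; " * 120,   # repetitive, low entropy
    ".data": b"\x00" * 256 + b"Hello, world!\x00" * 20,
}
PACKED_SAMPLE = {
    "UPX0": b"\x00" * 512,                                      # empty region the stub unpacks into
    "UPX1": bytes(_rng.getrandbits(8) for _ in range(4096)),    # compressed payload, near-random bytes
}


if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, assess_sections(sample), "->", looks_packed(sample))
```

Entropy alone has false positives (a legitimate resource section holding a PNG or a signed certificate is also near-random), so in practice it is combined with other signals such as a tiny import table or an entry point outside `.text`.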

Exploit kit

  • Collection of pre-written exploits in a simple all-in-one tool for managing exploits together.
  • Automates 5 steps of hacking
    1. Reconnaissance: Gathers information on the victim machine
    2. Scanning: Finds vulnerabilities and determines the appropriate exploit
    3. Gaining access: Executes malware typically through silent drive-by download
    4. Maintaining Access: Run post-exploitation scripts to maintain further access
    5. Covering Tracks by e.g. erasing logs
  • E.g. RIG Exploit Kit
    • Has been used to deliver many types of malware
    • Monthly subscription fee, sold in cybercriminal circles
    • Spread via suspicious advertisements that have been inserted into legitimate websites

Malware types

Virus

  • Designed to replicate itself to other programs and documents on the infected machine.
  • Spread to other computers with the transfer of the infected files or programs.
  • Transmitted through file transfers, infected flash drives, and email attachments.
  • See also viruses

Worm

  • Replicates itself across network connections, e.g. bluetooth, wireless.
  • Exploits vulnerabilities on the victim machines
  • E.g. Broadpwn, where the worm could run code on Android and iOS devices that have Wi-Fi turned on.

Ransomware

  • Hackers restrict access to files and folders on the target system until a payment is made.
  • Victims are usually required to pay money to access their files.
  • Often encrypts the victim's files and sells the decryption key.
  • An indicator is that the CPU runs at higher frequencies, because encrypting many files is CPU-intensive.
  • 💡 Best practices
    • Do not pay as there's no guarantee that you'll get the key
    • Keep back-ups somewhere offsite e.g. in cloud
  • E.g.
    • Cryptobit
    • Cryptolocker
    • Cryptodefense
    • Cryptowall
    • police-themed ransomware
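
Beyond the CPU-load indicator above, ransomware is usually caught by its file-system behaviour: it rewrites and renames many files in a short time and does not distinguish decoy files from real ones. The following is an added example, not code from the original page: a detector that replays a constructed file-activity trace (a user saving a few documents, then an encryption burst) and raises alerts for a touched canary file, a known ransomware extension, and a burst of modifications. The extension list, canary path and event format are assumptions made for the example.

```python
from collections import deque
from pathlib import PurePosixPath

# Constructed watch-list; real families use many different extensions.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Decoy ("canary") files that no legitimate process should ever touch.
CANARY_FILES = {"/home/alice/Documents/~canary_do_not_touch.docx"}


def detect_ransomware_activity(events, window_s=10, max_files=20):
    """events: iterable of (timestamp_s, op, path, new_path_or_None) from a file-activity monitor.
    Three behavioural indicators are checked:
      - a canary file is written or renamed,
      - a rename gives a file a known ransomware extension,
      - at least `max_files` distinct files are modified within `window_s` seconds.
    Returns a list of (timestamp, reason, detail) alerts."""
    alerts = []
    recent = deque()  # (timestamp, path) of writes/renames inside the sliding window
    for ts, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if path in CANARY_FILES or new_path in CANARY_FILES:
            alerts.append((ts, "canary_touched", path))
        if op == "rename" and new_path and PurePosixPath(new_path).suffix.lower() in SUSPICIOUS_EXTENSIONS:
            alerts.append((ts, "suspicious_extension", new_path))
        if op in ("write", "rename"):
            recent.append((ts, path))
            while recent and ts - recent[0][0] > window_s:
                recent.popleft()  # drop activity older than the window
            distinct = {p for _, p in recent}
            if len(distinct) >= max_files:
                alerts.append((ts, "mass_modification", f"{len(distinct)} files in {window_s}s"))
                recent.clear()  # one alert per burst, not one per event
    return alerts


def constructed_events(include_attack=True):
    """Constructed file-activity trace: a user saving documents, then an encryption burst."""
    ev = []
    for i, t in enumerate((0, 20, 45)):
        ev.append((t, "write", f"/home/alice/Documents/report{i}.docx", None))
    if include_attack:
        for i in range(25):
            t = 100 + i * 0.2
            src = f"/home/alice/Pictures/img{i:03d}.jpg"
            ev.append((t, "write", src, None))                  # file overwritten with ciphertext
            ev.append((t + 0.05, "rename", src, src + ".locked"))
        ev.append((106, "rename", "/home/alice/Documents/~canary_do_not_touch.docx",
                   "/home/alice/Documents/~canary_do_not_touch.docx.locked"))
    return ev


if __name__ == "__main__":
    for alert in detect_ransomware_activity(constructed_events()):
        print(alert)
```

The benign part of the trace produces no alerts at all; the burst produces one `mass_modification` alert as soon as 20 distinct files have changed inside the 10-second window, one `suspicious_extension` alert per rename, and a `canary_touched` alert. Responding to the first `mass_modification` or canary alert (for example by suspending the offending process) is what limits how many files are lost before the offsite backup is needed.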

Backdoor

  • Also known as trapdoor, trap door, back door, back-door, trap-door.
  • 📝 Provides access to a computer program that bypasses security mechanisms
  • Sometimes installed by developers for e.g. troubleshooting purposes or just by mistake.
  • Often created by e.g. trojans and worms as a means of delivery