Malware overview
- Malicious program designed
- to cause damage to systems, or
- to give its creators unauthorized access to, or control over, the system
- Includes viruses, worms, trojans, ransomware, rootkits, spyware, adware, scareware, crapware, rogueware, crypters, keyloggers, botnets etc.
Malware sources
- Instant messenger applications
- E.g. WhatsApp, LinkedIn messaging, Google Hangouts etc.
- Portable hardware media / removable devices
- E.g. flash drives, CDs/DVDs etc.
- AutoRun (Autostart)
- Windows feature that runs the executable named in a device's autorun.inf as soon as the device is plugged in
- Exploited by malware on e.g. USB sticks to run malicious code without any user action
- 💡 Best practice is to disable it, e.g. via the NoDriveTypeAutoRun policy registry value (0xFF disables it for all drive types); current Windows versions already ignore autorun.inf on non-optical removable drives
- Browser and email software bugs
- Older versions have known, publicly documented vulnerabilities; always use the latest version.
- Insecure patch management
- Unpatched software carries known vulnerabilities; common targets are e.g. MS Word, Excel and Adobe Acrobat Reader
- Rogue / decoy applications
- Lure the victim into downloading seemingly legitimate free software that carries the malware
- 💡 Webmasters should run antivirus / anti-trojan scans on the files they distribute
- Untrusted sites and freeware web applications/software
- Many "hack tools" are themselves trojanized
- 💡 Users should scan files before executing them
- Downloading files from the Internet
- Trojans can be distributed through e.g. music players, games, screensavers, Word/Excel macros, audio/video files, and video subtitles.
- Email attachments
- Most common way to deliver malware
- E.g. fake invoices, job offer letters, loan approval letters etc.
- 💡 Always verify the sender's actual email address (not just the display name) and distrust executable or macro-enabled attachments
- Network propagation
- E.g. mistakenly allowing Internet traffic into private networks while replacing firewalls.
- The Blaster worm, e.g., scanned sequential IP addresses for hosts with the unpatched RPC DCOM vulnerability (MS03-026) and infected them over the network.
- File sharing services
- Ports opened for file sharing or remote execution and exposed to untrusted networks can be used by attackers to access systems
- E.g. NetBIOS on port 139, FTP on port 21 and SMB on port 445
- 💡 Turn off file and printer sharing when not needed and block these ports at the network edge
- Installation by other malware
- Bluetooth and wireless networks
- Attackers set up open (rogue) Wi-Fi access points and Bluetooth devices to attract users
- Lets the attacker inspect the traffic and capture e.g. usernames and passwords
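A small triage check along the lines of the email-attachment tips above (verify the real sender address, not the display name; distrust executable attachments), added here as an example and not code from the original notes. The two messages are constructed for this example: the domains are under the reserved .example TLD, and the attachment is only a 16-byte MZ header, not a program. The RISKY_EXTENSIONS set is an assumption, not an exhaustive list.

```python
import re
from email import message_from_bytes, policy
from pathlib import PurePosixPath

# Attachment types that commonly carry droppers or macros. This set is an
# assumption for the example, not an exhaustive or authoritative list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm", ".hta", ".lnk", ".iso"}

# Constructed sample message (not a real email). The display name is itself an
# address at a different domain than the real sender, Reply-To goes elsewhere,
# and the attachment is a double-extension file whose content starts with an
# "MZ" header (base64 of 16 bytes, not a real program).
SAMPLE_EMAIL = b"""From: "billing@contoso.example" <ap-notice@mail-contoso.example>
Reply-To: collections@totally-different.example
To: victim@example.org
Subject: Invoice #4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached invoice.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

# Constructed benign message used to show the checks produce no findings.
CLEAN_EMAIL = b"""From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch

See you at noon.
"""


def _first_mailbox(msg, header):
    """First parsed mailbox (email.headerregistry.Address) in a header, or None."""
    addresses = getattr(msg.get(header), "addresses", ())
    return addresses[0] if addresses else None


def triage(raw: bytes) -> dict:
    """Return the real sender address, attachment names and a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = _first_mailbox(msg, "From")
    reply_to = _first_mailbox(msg, "Reply-To")
    findings, attachments = [], []

    if sender is None:
        findings.append("no parseable From address")
        sender_domain = ""
    else:
        sender_domain = sender.domain.lower()
        # Display name that itself looks like an address ("billing@contoso.example")
        # while the real addr-spec lives at another domain: a common lookalike trick.
        m = re.search(r"[\w.+-]+@([\w.-]+)", sender.display_name)
        if m and m.group(1).lower() != sender_domain:
            findings.append(f"display name shows {m.group(0)} but real sender is {sender.addr_spec}")

    if reply_to is not None and reply_to.domain.lower() != sender_domain:
        findings.append(f"Reply-To {reply_to.addr_spec} points to a different domain than the sender")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append(name)
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable/macro attachment type {suffixes[-1]}")
        if len(suffixes) > 1:
            findings.append(f"{name}: double extension, likely a disguised file type")
        # Look past the name: a Windows executable starts with the MZ header.
        content = part.get_content()
        if isinstance(content, bytes) and content[:2] == b"MZ":
            findings.append(f"{name}: starts with MZ header, i.e. a Windows executable")

    return {
        "sender": sender.addr_spec if sender else "",
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = triage(raw)
        print(label, result["sender"], result["attachments"])
        for finding in result["findings"]:
            print("  -", finding)
```

The MZ check matters because the extension is under the sender's control; a mail gateway that only filters on names misses `invoice.pdf.exe` renamed to `invoice.pdf` when the client still hands the bytes to a handler that sniffs content.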
Malware distribution techniques
- Blackhat SEO
- Also known as spamdexing, search engine spam, search engine poisoning, black-hat search engine optimization, search spam or web spam.
- Techniques to make malware-hosting websites rank higher in search engine results
- Clickjacking
- Tricking users into clicking something other than what they see, e.g. an invisible frame or button layered over a seemingly innocuous page element, so that the click downloads or installs malware.
- Spear phishing
- Spear phishing is phishing directed at specific individuals or organizations.
- E.g. emails that mimic government institutions
- Malvertising
- Injecting malicious advertisements into legitimate online advertising networks
- Compromised websites
- Distributing malware through a compromised website
- Drive-by downloads
- Downloads that happen without the user's knowledge or understanding of the consequences
- Done e.g. by exploiting vulnerabilities in browsers, browser plugins or email clients when a page is merely visited.
Spam emails
- 📝 Relaying
- When email is accepted and then delivered to a non-local email address
- 📝 Open relay
- Allows anyone to send e-mail through it without authentication
- Allows e-mail spoofing (messages with a forged sender address)
- Was the default configuration in the early Internet but was abused by spammers and worms
- Open relays are usually blacklisted (e.g. by DNS-based blocklists), so mail from them is rejected by most receivers
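The classic open-relay probe, added here as a worked example (not code from the original notes): connect, EHLO, MAIL FROM an outside address, RCPT TO another outside address, and see whether the server answers 250 (relay accepted) or 5xx (relay denied). DATA is never sent, so nothing is delivered. Because the example has to run offline, it includes a tiny constructed SMTP responder (ToySMTPServer) that plays the server in both configurations; LOCAL_DOMAIN and the probe addresses are assumptions.

```python
import socket
import threading

# Domain the toy server considers "local" (assumption for this example).
LOCAL_DOMAIN = "mail.example.org"


class ToySMTPServer:
    """Minimal constructed SMTP responder for one connection on 127.0.0.1.
    With open_relay=True it accepts RCPT TO for any domain (an open relay);
    otherwise it rejects recipients outside LOCAL_DOMAIN with 554."""

    def __init__(self, open_relay):
        self.open_relay = open_relay
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(f"220 {LOCAL_DOMAIN} ESMTP ready\r\n".encode())
            for raw in rf:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(f"250 {LOCAL_DOMAIN}\r\n".encode())
                elif verb == "MAIL":
                    conn.sendall(b"250 2.1.0 Ok\r\n")
                elif verb == "RCPT":
                    rcpt = arg.split(":", 1)[-1].strip("<> ")
                    if self.open_relay or rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                        conn.sendall(b"250 2.1.5 Ok\r\n")
                    else:
                        conn.sendall(b"554 5.7.1 Relay access denied\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        self.sock.close()


def _reply(rf):
    """Read one SMTP reply (skipping 250- continuation lines) and return its code."""
    while True:
        line = rf.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("connection closed by server")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])


def is_open_relay(host, port, mail_from="probe@attacker.example",
                  rcpt_to="victim@external.example", timeout=5):
    """True if the server accepts a recipient outside its own domain without
    authentication. Both addresses are foreign to the server, which is the
    relay case; the transaction is abandoned before DATA."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        if _reply(rf) != 220:
            raise RuntimeError("no SMTP greeting")
        s.sendall(b"EHLO probe.example\r\n")
        _reply(rf)
        s.sendall(f"MAIL FROM:<{mail_from}>\r\n".encode())
        _reply(rf)
        s.sendall(f"RCPT TO:<{rcpt_to}>\r\n".encode())
        code = _reply(rf)          # 250 = relay accepted, 5xx = relay denied
        s.sendall(b"QUIT\r\n")
        _reply(rf)
        return code == 250


if __name__ == "__main__":
    for relaying in (True, False):
        srv = ToySMTPServer(open_relay=relaying)
        print(f"server configured open_relay={relaying}: "
              f"probe says open relay = {is_open_relay('127.0.0.1', srv.port)}")
```

Real servers may answer the RCPT with 250 and only refuse at DATA time, or accept everything and silently discard, so a 250 here is a strong indicator rather than proof; the same probe run against a production server should use your own domains as sender and recipient so that a misconfigured relay does not deliver mail to a third party.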
Malware components
- Payload
- Core component of the malware; carries out its actual purpose
- Command and control (C&C)
- Remote control center for the malware
- Crypter
- Software that makes malware harder for security programs to detect
- Encrypts, obfuscates and otherwise manipulates the malware so that signature-based scanners no longer recognize it
- E.g. BitCrypter
- Downloader
- Fetches additional malware from the Internet; needs network access to work
- Dropper
- Carries the malware embedded in itself and writes ("drops") it onto the system; needs no network access
- Exploit
- Takes advantage of a software vulnerability
- May be used to deliver malware
- Injector
- Malware that injects itself (or other malware) into other processes or files
- Malicious code
- Code that gives malicious functionality to the malware
- Protectors
- Prevent tampering with and reverse engineering of programs.
- Usually combine packing and encryption
Obfuscator
- Usually a packer or protector that encrypts or compresses the malware
- Goal is
- to make reverse engineering difficult
- to make the malware undetectable by antivirus scans
Packer
- Short for runtime packer; works like a self-extracting archive.
- Software that unpacks itself in memory when the "packed file" is executed
- Smaller footprint on the infected machine
- Makes reverse engineering and signature-based detection more difficult
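A toy packer, added here as an example to serve the crypter, obfuscator and packer items above (it is not code from the original notes, and not how BitCrypter or any real packer is built). It shows what these components do to a file and why that defeats naive signature matching. PAYLOAD and SIGNATURE are constructed stand-ins: a harmless text blob plus a marker string that plays the role of the byte pattern an antivirus signature would look for. The block also computes byte entropy, the check defenders use in practice: packed or encrypted data sits close to 8 bits per byte, well above ordinary code or text.

```python
import math
import os
import zlib
from collections import Counter

# Constructed, benign stand-in for a malware body: repetitive text plus a
# marker that represents the byte pattern a signature scanner would match on.
SIGNATURE = b"SIGNATURE:EVIL_MARKER_1234"
PAYLOAD = "".join(
    f"task {i}: copy file{i}.dat to //fileserver/share/{i:03d}\n" for i in range(200)
).encode() + b"\n" + SIGNATURE + b"\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8. Compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, which is why the stub can reuse it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key=None) -> bytes:
    """Toy packer: compress, then XOR with a random key.
    Output layout: [1-byte key length][key][xor(zlib(payload))].
    The key travels with the packed file, just as a real packer's stub must
    carry everything needed to restore the original in memory."""
    key = key or os.urandom(16)
    body = xor(zlib.compress(payload, 9), key)
    return bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    """The 'stub': restores the payload in memory; nothing is written to disk."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return zlib.decompress(xor(body, key))


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive static signature match, standing in for a pattern-based AV scan."""
    return signature in data


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic a scanner applies when it has no signature match.
    The threshold is an assumption; real tools tune it per section/file type."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    blob = pack(PAYLOAD)
    print(f"original : {len(PAYLOAD)} bytes, entropy {shannon_entropy(PAYLOAD):.2f}, "
          f"signature found = {signature_scan(PAYLOAD)}, looks packed = {looks_packed(PAYLOAD)}")
    print(f"packed   : {len(blob)} bytes, entropy {shannon_entropy(blob):.2f}, "
          f"signature found = {signature_scan(blob)}, looks packed = {looks_packed(blob)}")
    print("unpacked matches original:", unpack(blob) == PAYLOAD)
```

unpack() runs entirely in memory, which is the point: on disk only the high-entropy blob exists, so a file-based scanner sees neither the plain payload nor the signature, while a memory scan after unpacking, or an emulator that runs the stub first, does. That is also why the entropy heuristic exists: it flags the packing itself when the signature can no longer be seen.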
Exploit kit
- Collection of pre-written exploits in a simple all-in-one tool for managing and delivering them together.
- Automates the 5 steps of hacking
- Reconnaissance: Gathers information on the victim machine (browser, plugins, OS)
- Scanning: Finds vulnerabilities and selects the matching exploit
- Gaining access: Executes malware, typically through a silent drive-by download
- Maintaining access: Runs post-exploitation scripts to keep access
- Covering tracks: e.g. erasing logs
- E.g. RIG Exploit Kit
- Has been used to deliver many types of malware
- Monthly subscription fee, sold in cybercriminal circles
- Spread via malicious advertisements (malvertising) inserted into legitimate websites
Malware types
Virus
- Designed to replicate itself to other programs and documents on the infected machine.
- Spread to other computers with the transfer of the infected files or programs.
- Transmitted through file transfers, infected flash drives, and email attachments.
- See also viruses
Worm
- Replicates itself across network connections, e.g. Bluetooth, wireless, without needing a host file or user action.
- Exploits vulnerabilities on the victim machines to spread
- E.g. Broadpwn (CVE-2017-9417), a bug in Broadcom Wi-Fi chipsets that allowed a worm to run code on Android and iOS devices that merely had Wi-Fi turned on.
Ransomware
- Attackers restrict access to files and folders on the target system until a payment is made.
- Victims are required to pay (usually in cryptocurrency) to regain access to their files.
- Usually encrypts the victim's files and sells the decryption key.
- A possible indicator during infection is sustained high CPU usage while files are being encrypted.
- 💡 Best practices
- Do not pay, as there is no guarantee that you will get the key
- Keep backups offline or offsite (e.g. in the cloud), disconnected from the infected network so they cannot be encrypted as well
- E.g. CryptoBit, CryptoLocker, CryptoDefense, CryptoWall, police-themed ransomware
Backdoor
- Also known as trapdoor, trap door, back door, back-door, trap-door.
- 📝 Provides access to a computer program that bypasses security mechanisms
- Sometimes left in by developers, e.g. for troubleshooting purposes, or simply by mistake.
- Often installed by trojans and worms once they have compromised a system, giving the attacker persistent access