Malware Types
Malware
is software designed to harm or secretly access a computer system without the owner's informed consent
based on the intent of the creator rather than specific features
Overt channels - legitimate communication channels used by programs across a system or a network
Covert channels - used to transport data in unintended ways
Wrappers
programs that let you bind an executable of your choice to another program
They have their own signatures and can show up on AV scans
Crypters - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products
Packers - use compression to pack the malware executable into a smaller size
Exploit Kits - platforms from which you can deliver exploits and payloads
Examples:
Infinity
Bleeding Life
Crimepack
Blackhole Exploit Kit
Trojans
Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system
a method to gain and maintain access to a target machine
they are the means of delivery and the backdoor provides the open access
Types
Defacement Trojan
Proxy server Trojan - allows an attacker to use the target system as a proxy
Botnet Trojan - (Chewbacca and Skynet)
Remote Access Trojan - (RAT, MoSucker, Optix Pro and Blackhole)
Covert Channel Tunneling Trojan (CCTT) - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams
provides an external shell from within an internal environment
e-banking Trojan (Zeus and Spyeye)
Command shell Trojan
provides a backdoor to the system that you connect to via the command line (CLI)
Common Trojan Ports
Monitoring Tools
Fport - reports all open TCP/IP and UDP ports and maps them to the owning applications
What'sRunning
TCPView
IceSword
Process Explorer
SysAnalyzer
Tiny Watcher
Active Registry Monitor
Regshot
Tripwire
SIGVERIF
Viruses and Worms
Viruses
programs that create copies of themselves inside other programs and activate on some sort of trigger event
they usually get installed on a system via file attachments, user clicks on links embedded in e-mails, or the installation of pirated software
a virus hoax or fake antivirus tells the target that a terrible virus is running on their system and offers them an "antivirus" program to protect themselves with.
Ransomware
Type of malicious software designed to deny access to a computer system or data until a ransom is paid
Typically spreads through phishing emails or visiting infected websites
Examples
WannaCry
Eternal Blue
Cryptobit
CryptoLocker
CryptoDefense
police-themed
Locky
Petya
Worms
A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention
resides in active memory and duplicates itself, eating resources and wreaking havoc along the way
Often used in the creation of botnets
Examples
Conficker
disabled services
denied access to administrator shared drives
locked users out of directories
restricted access to security-related sites
Ghost Eye Worm - tool that uses random messaging on Facebook and other sites to carry out a host of malicious activities.
Code Red
exploited indexing software on IIS servers in 2001
used a buffer overflow and defaced hundreds of thousands of servers
Darlloz
Linux-based worm that targets devices running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)
Slammer
Also known as SQL Slammer, Sapphire, SQL_HEL and Helkern
A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services
Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)
Nimda
File infection virus that modified and touched nearly all web content on a machine
Spreads through e-mail, open network shares, and websites
Takes advantage of backdoors left on machines infected by the Code Red Worm
Bug Bear
Propagates over open network shares and e-mail
Often sets up a backdoor for later use and has keylogging capabilities
Pretty Park
Spreads via e-mail
Takes advantage of IRC to propagate stolen passwords
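The Slammer entry above makes a detection point worth showing concretely: a worm that fits in a single UDP datagram cannot be caught by reassembling a session, so the signal is the datagram itself (an unusually large request to the SQL Server Resolution Service on 1434/udp, where legitimate requests are only a few bytes) and the fan-out of one source spraying many destinations. The following is an added example, not code from the page, that runs both checks over constructed packet records. The record schema, the 200-byte size threshold, the 50-destination fan-out threshold and the sample traffic are assumptions built for the demonstration; the port number is the well-known SSRS port.

```python
from collections import defaultdict
from dataclasses import dataclass

SSRS_PORT = 1434            # SQL Server Resolution Service (the port Slammer hit)
PAYLOAD_ALERT_BYTES = 200   # assumed: legitimate SSRS requests are a few bytes long
FANOUT_ALERT = 50           # assumed: distinct destinations per source within one window


@dataclass(frozen=True)
class PacketRecord:
    """Minimal flow-record shape assumed for this example."""
    ts: float
    src: str
    dst: str
    proto: str
    dst_port: int
    payload_len: int


def is_oversized_ssrs(pkt: PacketRecord) -> bool:
    """Single-packet rule: a UDP datagram to 1434 carrying far more than a probe should."""
    return (pkt.proto == "udp" and pkt.dst_port == SSRS_PORT
            and pkt.payload_len >= PAYLOAD_ALERT_BYTES)


def scan_sources(records, window_s: float = 1.0, fanout: int = FANOUT_ALERT) -> set:
    """Behavioural rule: sources that touch >= `fanout` distinct hosts on 1434/udp
    within any sliding window of `window_s` seconds."""
    by_src = defaultdict(list)
    for p in records:
        if p.proto == "udp" and p.dst_port == SSRS_PORT:
            by_src[p.src].append((p.ts, p.dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            if len({d for _, d in hits[start:end + 1]}) >= fanout:
                flagged.add(src)
                break
    return flagged


def detect(records) -> dict:
    """Apply both rules and return the hits."""
    return {
        "oversized_ssrs": [p for p in records if is_oversized_ssrs(p)],
        "scanning_sources": scan_sources(records),
    }


def build_sample() -> list:
    """Constructed traffic: one normal SSRS probe, one TCP SQL connection that the
    rules must ignore, and one host spraying a 376-byte datagram at 60 addresses."""
    records = [
        PacketRecord(99.0, "10.0.0.5", "10.0.0.20", "udp", SSRS_PORT, 1),
        PacketRecord(99.5, "10.0.0.5", "10.0.0.20", "tcp", 1433, 512),
    ]
    for i in range(60):
        records.append(PacketRecord(100.0 + i * 0.005, "10.0.0.9",
                                    f"192.0.2.{i + 1}", "udp", SSRS_PORT, 376))
    return records


if __name__ == "__main__":
    result = detect(build_sample())
    print(f"oversized SSRS datagrams: {len(result['oversized_ssrs'])}")
    print(f"scanning sources: {sorted(result['scanning_sources'])}")
```

The two rules are complementary: the size rule fires on the very first datagram and needs no state, while the fan-out rule catches a source even if the payload length is later changed, at the cost of keeping per-source state for the window. Egress filtering of 1434/udp, which many networks adopted after Slammer, removes the spread path regardless of either rule.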
Related Notes
Malware Analysis
Denial of Service