Malware Types

  • Malware

    • is software designed to harm or secretly access a computer system without the owner's informed consent

    • based on the intent of the creator rather than specific features

  • Overt channels - legitimate communication channels used by programs across a system or a network

  • Covert channels - used to transport data in unintended ways

  • Wrappers

    • programs that allow you to bind an executable of your choice to another executable

    • They have their own signatures and can show up on AV scans

  • Crypters - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products

  • Packers - use compression to pack the malware executable into a smaller size

  • Exploit Kits - platforms from which you can deliver exploits and payloads

    • Examples:

      • Infinity

      • Bleeding Life

      • Crimepack

      • Blackhole Exploit Kit

Trojans

  • Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system

    • a method to gain and maintain access to a target machine

    • they are the means of delivery and the backdoor provides the open access

  • Types

    • Defacement Trojan

    • Proxy server Trojan - allows an attacker to use the target system as a proxy

    • Botnet Trojan - (Chewbacca and Skynet)

    • Remote Access Trojan (RAT) - (MoSucker, Optix Pro and Blackhole)

      • Covert Channel Tunneling Trojan (CCTT) - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams

        • provides an external shell from within an internal environment

    • e-banking Trojan - (Zeus and SpyEye)

    • Command shell Trojan

      • provides a backdoor to the system that you connect to via the command line (CLI)

    • Common Trojan Ports

Monitoring Tools

  • Fport - reports all open TCP/IP and UDP ports and maps them to the owning applications

  • What'sRunning

  • TCPView

  • IceSword

  • Process Explorer

  • SysAnalyzer

  • Tiny Watcher

  • Active Registry Monitor

  • Regshot

  • Tripwire

  • SIGVERIF
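Fport's port-to-process mapping and the snapshot-and-compare approach of Regshot and Tripwire combine naturally into a baseline check for unexpected listeners (the kind of thing the "Common Trojan Ports" heading above is about). The script below is an added example, not part of the original notes and not code from any of the listed tools: it parses constructed lines laid out like Fport's "Pid Process -> Port Proto Path" output (the sample listings, PIDs and paths are made up), keeps the first listing as a baseline, and flags listeners that are new or whose owning executable path has changed.

```python
"""Baseline comparison of listening ports, in the spirit of Fport + Regshot.

Added example: the parser and the sample listings below are constructed to
resemble Fport's "Pid Process -> Port Proto Path" layout; none of it is real
tool output or a real infection.
"""
import re
from dataclasses import dataclass

# Matches lines such as: "392   svchost  ->  135   TCP   C:\WINNT\system32\svchost.exe"
# The path column is optional because kernel-owned sockets ("System") have none.
FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(\S*)\s*$")


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when the tool reports no owning image


def parse_fport(text):
    """Parse Fport-style output; header and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            found.append(Listener(int(m[1]), m[2], int(m[3]), m[4], m[5]))
    return found


def compare(baseline, current):
    """Return (new listeners, listeners whose owning executable changed).

    Keying on protocol+port alone is not enough: a process can reuse a
    familiar name, so the path of the owning image is compared as well.
    """
    known = {(l.proto, l.port): l for l in baseline}
    new_listeners, changed_owners = [], []
    for lst in current:
        base = known.get((lst.proto, lst.port))
        if base is None:
            new_listeners.append(lst)
        elif base.path.lower() != lst.path.lower():
            changed_owners.append((base, lst))
    return new_listeners, changed_owners


def report(baseline_text, current_text):
    """Human-readable findings, one line per new or changed listener."""
    new, changed = compare(parse_fport(baseline_text), parse_fport(current_text))
    lines = [f"NEW     {l.proto}/{l.port} pid={l.pid} {l.process} {l.path or '<no path>'}"
             for l in new]
    lines += [f"CHANGED {c.proto}/{c.port} was {b.path or '<no path>'} now {c.path}"
              for b, c in changed]
    return lines


# Constructed baseline listing (clean system) in Fport's layout.
BASELINE_FPORT = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
1240  svchost        ->  123   UDP   C:\WINNT\system32\svchost.exe
"""

# Constructed later listing: port 123 is now served from a different image,
# and two listeners appeared that were not in the baseline.
CURRENT_FPORT = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
1240  svchost        ->  123   UDP   C:\Temp\svchost.exe
2041  svchost        ->  8080  TCP   C:\Users\Public\svchost.exe
2044  notepad        ->  6667  TCP   C:\Temp\notepad.exe
"""

if __name__ == "__main__":
    for line in report(BASELINE_FPORT, CURRENT_FPORT):
        print(line)
```

In practice the baseline listing would be saved right after a clean build (the same way a Regshot or Tripwire snapshot is) and the comparison run on a schedule; a familiar process name on a familiar port is not reassuring on its own, which is why the owning image path is part of the comparison.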

Viruses and Worms

  • Viruses

    • programs that create copies of themselves in other programs and activate on some sort of trigger event

    • they usually get installed on a system via file attachments, user clicks on links embedded in e-mails, or the installation of pirated software

    • a virus hoax or fake antivirus tells a target that a terrible virus is running on their system and offers them an "antivirus" program to protect themselves with

  • Ransomware

    • Type of malicious software designed to deny access to a computer system or data until a ransom is paid

    • Typically spreads through phishing emails or visiting infected websites

    • Examples

      • WannaCry

      • EternalBlue

      • Cryptobit

      • CryptoLocker

      • CryptoDefense

      • police-themed

      • Locky

      • Petya

  • Worms

    • A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention

    • resides in active memory and duplicates itself, eating resources and wreaking havoc along the way

    • Often used in the creation of botnets

    • Examples

      • Conficker

        • disabled services

        • denied access to administrator shared drives

        • locked users out of directories

        • restricted access to security-related sites

      • Ghost Eye Worm - tool that uses random messaging on Facebook and other sites to perform a host of malicious actions

      • Code Red

        • exploited indexing software on IIS servers in 2001

        • used a buffer overflow and defaced hundreds of thousands of servers

      • Darlloz

        • Linux-based worm that targets devices running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)

      • Slammer

        • Also known as SQL Slammer, Sapphire, SQL_HEL and Helkern

        • A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services

        • Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)

      • Nimda

        • File-infecting virus that modified and touched nearly all web content on a machine

        • Spreads through e-mail, open network shares, and websites

        • Takes advantage of backdoors left on machines infected by the Code Red Worm

      • Bug Bear

        • Propagates over open network shares and e-mail

        • Often sets up a backdoor for later use and has keylogging capabilities

      • Pretty Park

        • Spreads via e-mail

        • Takes advantage of IRC to propagate stolen passwords
