Malware Types

Malware
- is software designed to harm or secretly access a computer system without the owner's informed consent
- based on the intent of the creator rather than specific features
Overt channels - legitimate communication channels used by programs across a system or a network
Cover channels - used to transport data in unintended ways
Wrappers
- programs that allow you to bind an executable of your choice
- They have their own signatures and can show up on AV scans
Crypters - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products
Packers - use compression to pack the malware executable into a smaller size
Exploit Kits - platforms from which you can deliver exploits and payloads
- Examples:
  - Infinity
  - Bleeding Life
  - Crimepack
  - Blackhole Exploit Kit

Trojans

Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system
- a method to gain and maintain access to a target machine
- they are the means of delivery and the backdoor provides the open access
Types
- Defacement Trojan
- Proxy server Trojan - allows an attacker to use the target system as a proxy
- Botnet Trojan - (Chewbacca and Skynet)
- Remote Access Trojan - (RAT, MoSucker, Optix Pro and Blackhole)
  - Covert Channel Tunneling Trojan (CCTT) - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams
    provides an external shell from within an internal environment
    e-banking Trojan (Zeus and Spyeye)
- Command shell Trojan
  - provide a backdoor to the system that you connect via cli
- Common Trojan Ports

Monitoring Tools

Fport - reports all open TCP/IP and UDP ports and maps them to the owning applications
What'sRunning
- TCPView
- IceSword
- Process Explorer
- SysAnalyzer
- Tiny Watcher
- Active Registry Monitor
- Regshot
- Tripwire
- SIGVERIF

Viruses and Worms

Viruses
- program that creates copies of themselves in other programs and activate on some sort of trigger event
- they usually get installed on a system via file attachments, user clicks on embedded e-mails, or the installation of pirated software
- virus hoax or fake antivirus lets a target know about a terrible virus running and provides them an antivirus program to protect themselves with.
Ransomware
- Type of malicious software designed to deny access to a computer system or data until a ransom is paid
- Typically spreads through phishing emails or visiting infected websites
- Examples
  - WannaCry
  - Eternal Blue
  - Cryptobit
  - CryptoLocker
  - CryptoDefense
  - police-themed
    Locky
    Petya
Worms
- A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention
- resides in active memory and duplicates itself, eating resources and wreaking havoc along the way
- Often used in the creation of botnets
- Examples
  - Conficker
    disabled services
    denied access to administrator shared drives
    locked users out of directories
    restricted access to security-related sites
  - Ghost Eye Worm - tool that uses random messaging on Facebook and other sites to perform a host of malicious effort.
  - Code Red
    exploited indexing software on IIS servers in 2001
    used a buffer overflow and defaced hundreds of thousands of servers
  - Darlloz
    Linux based worm that targets running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)
  - Slammer
    Also known as SQL Slammer, Sapphire, SQL_HEL and Helkern
    A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services
    Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)
  - Nimda
    File infection virus that modified and touched nearly all web content on a machine
    Spreads through e-mail, open network shares, and websites
    Takes advantage of backdoors left on machines infected by the Code Red Worm
  - Bug Bear
    Propagates over open network shares and e-mail
    Often sets up a backdoor for later use and has keylogging capabilities
  - Pretty Park
    Spreads via e-mail
    Takes advantage of IRC to propagate stolen passwords

Malware Analysis
Denial of Service

PreviousMalware Analysis Primer NextRootkits

Last updated 1 year ago

Malware Types

Malware
- is software designed to harm or secretly access a computer system without the owner's informed consent
- based on the intent of the creator rather than specific features
Overt channels - legitimate communication channels used by programs across a system or a network
Cover channels - used to transport data in unintended ways
Wrappers
- programs that allow you to bind an executable of your choice
- They have their own signatures and can show up on AV scans
Crypters - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products
Packers - use compression to pack the malware executable into a smaller size
Exploit Kits - platforms from which you can deliver exploits and payloads
- Examples:
  - Infinity
  - Bleeding Life
  - Crimepack
  - Blackhole Exploit Kit

Trojans

Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system
- a method to gain and maintain access to a target machine
- they are the means of delivery and the backdoor provides the open access
Types
- Defacement Trojan
- Proxy server Trojan - allows an attacker to use the target system as a proxy
- Botnet Trojan - (Chewbacca and Skynet)
- Remote Access Trojan - (RAT, MoSucker, Optix Pro and Blackhole)
  - Covert Channel Tunneling Trojan (CCTT) - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams
    provides an external shell from within an internal environment
    e-banking Trojan (Zeus and Spyeye)
- Command shell Trojan
  - provide a backdoor to the system that you connect via cli
- Common Trojan Ports

Monitoring Tools

Fport - reports all open TCP/IP and UDP ports and maps them to the owning applications
What'sRunning
- TCPView
- IceSword
- Process Explorer
- SysAnalyzer
- Tiny Watcher
- Active Registry Monitor
- Regshot
- Tripwire
- SIGVERIF

Viruses and Worms

Viruses
- program that creates copies of themselves in other programs and activate on some sort of trigger event
- they usually get installed on a system via file attachments, user clicks on embedded e-mails, or the installation of pirated software
- virus hoax or fake antivirus lets a target know about a terrible virus running and provides them an antivirus program to protect themselves with.
Ransomware
- Type of malicious software designed to deny access to a computer system or data until a ransom is paid
- Typically spreads through phishing emails or visiting infected websites
- Examples
  - WannaCry
  - Eternal Blue
  - Cryptobit
  - CryptoLocker
  - CryptoDefense
  - police-themed
    Locky
    Petya
Worms
- A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention
- resides in active memory and duplicates itself, eating resources and wreaking havoc along the way
- Often used in the creation of botnets
- Examples
  - Conficker
    disabled services
    denied access to administrator shared drives
    locked users out of directories
    restricted access to security-related sites
  - Ghost Eye Worm - tool that uses random messaging on Facebook and other sites to perform a host of malicious effort.
  - Code Red
    exploited indexing software on IIS servers in 2001
    used a buffer overflow and defaced hundreds of thousands of servers
  - Darlloz
    Linux based worm that targets running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)
  - Slammer
    Also known as SQL Slammer, Sapphire, SQL_HEL and Helkern
    A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services
    Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)
  - Nimda
    File infection virus that modified and touched nearly all web content on a machine
    Spreads through e-mail, open network shares, and websites
    Takes advantage of backdoors left on machines infected by the Code Red Worm
  - Bug Bear
    Propagates over open network shares and e-mail
    Often sets up a backdoor for later use and has keylogging capabilities
  - Pretty Park
    Spreads via e-mail
    Takes advantage of IRC to propagate stolen passwords

Malware Analysis
Denial of Service

PreviousMalware Analysis Primer NextRootkits

Last updated 1 year ago

Trojans

Monitoring Tools

Viruses and Worms

Related Notes

Trojans

Monitoring Tools

Viruses and Worms

Related Notes