M7: Malware - C.7 Flashcards
To cement key concepts about Malware
Definition of Malware
Software purposefully designed to have effects that are not in the users best interest. P. 184
Definition of Harmful software
Software that causes some damage, either deliberately (Malware) or inadvertently due to poor design/implementation etc. P. 184
Malware vs Harmful software
Harmful software includes software, which inadvertently causes harm, while Malware only includes software that intentionally causes it. Thus Malware is a subcatagory of Harmful software P. 184
What makes Malware hard to detect? Big picture
It is often less about what it does and more about what the intent is. Such as a remote desktop connection. It also depends on ones definition of Malware, are adds Malicious or gathering data. P. 185
Definition of Virus
A program that can infect other programs or files by modifying them to include a copy of themselves. P. 186
How does a virus work
They inject themselves into other programs or files, in such a way that they are executed when the host program is executed. They can coexist or coopt the host depending on design. P. 186
Life cycle of a Virus
1) Dormant - waiting for host execution
2) Propagation - when host is executed virus attempts to propagate to other hosts (programs, devices etc)
3) Trigger condition - determines if the conditions are right for payload deployment
4) Payload - The malicious payload is executed. P. 187
Life cycle of a Worm
1) Propagation - automatic and continued propagation
3) Trigger condition - determines if the conditions are right for payload deployment
4) Payload - The malicious payload is executed. P. 187
Worm vs Virus
Worms propagate automatically - Viruses rely on user interaction
Worms propagate directly over the network - Viruses propagate on and through hosts
Worms exploit software vulnerabilities - Viruses abuse software features or rely on social engineering P. 187
Email-Based Malware
Spreads through the email attachments and email infrastructure. Often referred to as Email Virus, Email Worms or Mass-Mailing Worm-Virus. It spread rapidly often using the victims email and contact lists to find new targets. P. 187
Virus infected programs.
Viruses either:
1) Prepend virus before code. Retains program. Increasing file size
2) Append virus after code. Retains program. Increasing file size
3) Overwrite from top. Destroys program. Retains file size
4) Overwrite center. Destroys program. Retains file size
5) Other variants exists
P. 187-188
Virus infected Datafiles
Modern text files requires special processing to display and are thus vulnerable to virus and/or malware.
Can all viruses be detected by a single program?
No. A virus could simply not deploy if it detects an antivirus program.
Virus detection strategies
1) Malware signatures - Deny listing
2) Integrity checking - Allow listing
3) Behavioral Signatures
4) Sandboxing
Virus detection - Malware signatures
Short byte sequences that identify a program as a known malware. Candidates are compared to known Malware lists.
Virus detection - Integrity Checking
Program hash is compared against known valid hash of program.
Virus detection - Behavioral Signatures
Malware is detected by certain sequences of actions such as massive file deletion or use of system calls etc.
Virus detection - Sandboxing
Emulating a program usually briefly to detect suspicious behavior
Virus Anti-Detection - Code hiding/Obfuscation
1) Encryption
2) Polymorphism
3) Metamorphism
Virus Anti-Detection - Hiding tracks
Techniques aim to hide
1) Changes to filesystem attributes (length, timestamp etc)
2) Location of existing code
3) Processes
4) Resources used
Virus Anti-Detection - Encryption
Virus source code is encrypted to hide details from manual and automatic inspection. Virus must first decrypt itself before it can be executed.
Virus Anti-Detection - Polymorphism
Virus is encrypted and each new instance of the virus makes changes to its decryption portion using a mutation engine.
Virus Anti-Detection - Metamorphism
Virus is unencrypted. Each new instance makes extensive changes to itself using a mutation engine. Including body, payload and the mutation engine itself.
Malware - Auto-Rooters
Malicious program that scans networks looking for vulnerable targets, on which it can obtain a reverse shell and/or install a rootkit. Many are point and click and require no special skills to use.
Worms - Context aware spreading
Worms spread over networks. If a vulnerable machine exists in one part of a network, then computer topographically close to it are more likely to also exhibit the same vulnerabilities.
Worms - Optimized spreading
1) Hit-list scanning - list of high likelihood targets
2) Permutation scanning - methods to avoid contacting already contacted servers by other infected servers.
3) Internet-scale hit-lists - pre-scan of internet to detect devices potentially vulnerable
What is keylogger?
A malware that logs activity on the keyboard
Types of malware/Virus
- Virus
- Malware
- Trojan
- Backdoor
- Rootkit Bootkit
- Keylogger
- Wiper
- Ransomware
- RAT
- CrimeWare
- C2 Scripts
What is Crimeware?
Common description for maleware used by cyber criminals. Does not say what the malware does.
What layers can malware be found Malware in?
- OS - application
- Kernel
- Assembler
- Firmware
- Hardware
What are the advantages/disadvantages of malware in lower levels?
The lower the lever, the more limited tools, but easier to hide.
