Malware and Cybercrime

Malware

• Malware is a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system.
• Types of malware:
  • Virus: a piece of software that infects programs, modifies them to include a copy of the virus, and replicates itself.
  • Worm: a computer program that can run independently and propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities.
  • Trojan: a program that appears to be legitimate but is actually malicious, allowing unauthorized access to a system or data.
  • Bot: a malware that allows remote control of a compromised system.

Virus

• Components:
  • Infection mechanism: means by which a virus spreads or propagates.
  • Trigger: event or condition that determines when the payload is activated or delivered.
  • Payload: what the virus does (besides spreading).
• Phases:
  • Dormant phase: virus is idle and will eventually be activated by some event.
  • Triggering phase: virus is activated to perform the function for which it was intended.
  • Propagation phase: virus places a copy of itself into other programs or into certain system areas on the disk.
  • Execution phase: function is performed.

Worm

• Exploits software vulnerabilities in client or server programs to spread from system to system.
• Can use network connections to spread from system to system.
• Can spread through shared media (USB drives, CD, DVD data disks).
• Types of worms:
  • E-mail worms: spread through email attachments or instant messaging.
  • Instant messaging worms: spread through instant messaging services.

Malware Propagation

• Mechanisms:
  • Infection of existing content by viruses.
  • Exploit of software vulnerabilities by worms.
  • Social engineering attacks.
• Target discovery:
  • Scanning: searching for other systems to infect.
  • Hit-list: using a list of potential vulnerable machines.
  • Topological: using information contained on an infected victim machine to find more hosts to scan.

Advanced Persistent Threats (APTs)

• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets.
• Typically attributed to state-sponsored organizations and criminal enterprises.
• Characteristics:
  • Advanced: using a wide variety of intrusion technologies and malware.
  • Persistent: determined application of the attacks over an extended period.
  • Targeted: careful target selection and stealthy intrusion efforts.

Malware Countermeasures

• Approaches:
  • Prevention: policy, awareness, vulnerability mitigation, and threat mitigation.
  • Detection: identifying malware through various techniques (e.g., signature-based, behavior-based).
  • Removal: removing malware from a system.
  • Sandbox analysis: running potentially malicious code in an emulated sandbox or on a virtual machine.
  • Host-based behavior-blocking software: integrates with the operating system and monitors program behavior in real-time for malicious action.### Types of Malware
• Exploits: Code specific to a single vulnerability or set of vulnerabilities
• Flooders (DoS client): Used to generate a large volume of data to attack networked computer systems, carrying out a denial-of-service (DoS) attack
• Keyloggers: Capture keystrokes on a compromised system
• Logic bomb: Code inserted into malware by an intruder, lying dormant until a predefined condition is met, triggering an unauthorized act
• Macro Virus: A type of virus that uses macro or scripting code, typically embedded in a document, triggered when the document is viewed or edited, to run and replicate itself into other documents

Malware Categories

• Mobile Code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
• Rootkit: Set of hacker tools used after attacker has broken into a computer system and gained root-level access
• Spammer: Programs used to send large volumes of unwanted e-mail
• Spyware: Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information

Malware Behavior

• Zombie, bot: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms
• Worms: Penetrate systems in various ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media
• Worm propagation: Optimize rate of spread to maximize likelihood of locating vulnerable machines in a short time period
• Worm evasion: Use virus polymorphic technique to evade detection, skip past filters, and foil real-time analysis
• Metamorphic worms: Have a repertoire of behavior patterns that are unleashed at different stages of propagation

Worm Technologies

• Transport vehicles: Worms can rapidly compromise a large number of systems, making them ideal for spreading malicious payloads
• Zero-day exploit: Exploit an unknown vulnerability, achieving maximum surprise and distribution, with 54 zero-day exploits discovered and exploited in 2015