# Malware Overview Chapter 1 PDF

## Document Details
Uploaded by WellEstablishedAgate5783
Universiti Teknikal Malaysia Melaka
2024
Mohd Zaki Mas'ud
## Summary
This document is a chapter on malware overview, discussing various aspects of malware, including different types, attacks, definitions, history, examples and more. It provides an introduction to various aspects of malware for students or those looking to learn about cybersecurity.
## Full Transcript
## Chapter 1: Malware Overview

Mohd Zaki Mas'ud, Oct 2024 (course BITS2413, MZM2015)

### Topics

- General classification of computer attacks
- Malware definition
- Malware evolution
- Types of malware
- Targets
- How malware embeds itself in a program

## DEFINITION

### Classification of Computer Attacks

Most of the time a hacker does it manually (information gathering, exploitation, launching a malicious application, covering the attack). Eventually the entire activity can be done automatically using MALWARE: a kind of automated attack.

### Attack Methodology

(Figure.)

### Recognizing External Threats

- Denial-of-Service attacks
- Distributed Denial-of-Service attacks
- Viruses, worms, and Trojan horses
- Botnets
- Software vulnerabilities
- Nontechnical attacks

### Motivation of Network Attack

(Figure.)

### Malware Definition

- Any code that "performs evil things".
- Software such as a virus on a computer or computer network that the user does not know about or want. (Oxford dictionary)
- Any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. (Wikipedia)
- Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

### General Definition

Malicious software, or malware, is used by cybercriminals, hacktivists and nation states to disrupt computer operations, steal personal or professional data, bypass access controls and otherwise cause harm to the host system. Appearing in the form of executable code, scripts, active content or other software variants, there are many different classes of malware which possess varying means of infecting machines and propagating themselves.

### Effect & Evaluation

- https://threatmap.checkpoint.com/
- https://cybermap.kaspersky.com/

## Malware Evolution

Almost 30 years of malware.

### Some well-known malware

#### 1980s

1. Elk Cloner (1982) – One of the first known viruses, spread via floppy disks on Apple II computers.
2. Brain (1986) – The first PC virus, originating from Pakistan, which infected the boot sector of MS-DOS systems.
3. Jerusalem (1987) – A DOS virus that infected .exe and .com files, triggering every Friday the 13th.
4. Morris Worm (1988) – Although from the late '80s, this is often mentioned as the first major internet-based worm.

#### 1990s

5. Michelangelo Virus (1992) – Boot sector virus that activated on March 6, damaging computers' data.
6. AIDS Trojan (1990) – One of the first ransomware attacks, which encrypted filenames and demanded payment to restore access.
7. Tequila (1994) – One of the early polymorphic viruses, making it harder to detect.
8. CIH (Chernobyl) (1998) – A highly destructive virus that overwrote BIOS, rendering machines unusable.
9. Melissa (1999) – A mass-mailing macro virus that caused significant disruptions by spreading through email systems.

#### 2000s

10. ILOVEYOU (2000) – A highly destructive email worm that caused over $10 billion in damages by spreading through email attachments.
11. Code Red (2001) – Targeted Microsoft IIS web servers, infecting hundreds of thousands of machines.
12. Nimda (2001) – A fast-spreading worm using multiple attack vectors, including email and network shares.
13. Klez (2001) – A worm that infected Windows machines and spread through email, known for spoofing email addresses.
14. SQL Slammer (2003) – A worm that spread across the internet in minutes, causing widespread service disruptions.
15. Blaster (2003) – Exploited a Windows vulnerability to spread, causing infected computers to repeatedly reboot.
16. Sobig (2003) – A fast-spreading email worm that caused widespread email traffic issues.
17. Mydoom (2004) – The fastest-spreading email worm at the time, disrupting internet services globally.
18. Zeus (2007) – A Trojan targeting banking credentials, becoming one of the most notorious forms of financial malware.
19. Conficker (2008) – Spread through network vulnerabilities and weak passwords, creating a massive botnet.

#### 2010s

20. Stuxnet (2010) – A sophisticated worm targeting Iran's nuclear program, designed to sabotage industrial control systems.
21. Duqu (2011) – Similar to Stuxnet but used for espionage, focusing on gathering intelligence from industrial systems.
22. Flame (2012) – Cyber-espionage malware designed for large-scale data collection, believed to be state-sponsored.
23. CryptoLocker (2013) – One of the first major ransomware threats, encrypting user files and demanding Bitcoin ransom payments.
24. GameOver Zeus (2014) – An advanced version of the Zeus Trojan, used to steal banking credentials and form a botnet.
25. Emotet (2014-2019) – A powerful banking Trojan that evolved into a botnet, known for spreading through phishing emails.
26. WannaCry (2017) – A ransomware worm that caused global chaos by exploiting a vulnerability in Windows systems, affecting over 200,000 computers in 150 countries.
27. NotPetya (2017) – Initially thought to be ransomware, it was later discovered to be a destructive malware that wiped data rather than encrypting it.
28. Mirai (2016) – A botnet that targeted IoT devices, launching massive DDoS attacks.

#### 2020s

29. Ryuk (2020) – A highly profitable ransomware targeting large organizations, demanding significant ransom payments.
30. SolarWinds (2020) – A sophisticated supply chain attack that affected numerous government agencies and private companies.
31. Hafnium (2021) – A group associated with cyber-espionage, exploiting Microsoft Exchange vulnerabilities to steal data.
32. Pegasus (2021) – Spyware developed by NSO Group, used for surveillance on mobile phones, targeting journalists, activists, and political leaders.
33. Log4Shell (2021) – A critical vulnerability in the Log4j library that allowed remote code execution, affecting millions of systems worldwide.
34. BlackCat (2022) – A new strain of ransomware targeting enterprises, using sophisticated encryption techniques.
35. LockBit (2023) – An advanced ransomware operation responsible for numerous high-profile attacks on organizations globally.

These malware attacks demonstrate how threats evolved from simple viruses on floppy disks to sophisticated ransomware and state-sponsored cyber-attacks targeting critical infrastructure, financial institutions, and individuals.

### New trend

Some trends for 2024 could include:

- Ransomware continuing to evolve, with groups adopting more sophisticated techniques, such as data exfiltration and double-extortion models.
- Supply chain attacks, similar to SolarWinds, increasing in frequency as cybercriminals target third-party software and service providers to reach their victims.
- AI-powered malware leveraging advancements in artificial intelligence to improve stealth and persistence in infected systems.
- Zero-day exploits becoming a bigger threat as state-sponsored and criminal organizations continue to target vulnerabilities in widely used software.

### Well-known Mobile Malware

#### 2000s

1. Cabir (2004) – The first known mobile worm, targeting Symbian OS on Nokia devices. It spread via Bluetooth, displaying "Caribe" on infected phones' screens.
2. CommWarrior (2005) – One of the first worms to spread via both MMS and Bluetooth on Symbian devices.
3. Skulls (2004) – A Trojan horse that replaced icons on Symbian phones with skull images, rendering apps unusable.
4. Duts (2004) – The first known virus to infect Windows Mobile operating systems.
5. RedBrowser (2006) – A Java-based Trojan that tricked users into sending premium-rate SMS messages.

#### 2010s

6. DroidDream (2010) – One of the first widespread Android malware, found in apps on the official Google Play Store, capable of stealing personal data and installing more malicious apps.
7. Geinimi (2010) – A sophisticated Android Trojan that repackaged legitimate apps and sent sensitive data to remote servers.
8. Zitmo (2011) – An extension of the Zeus banking Trojan, targeting Android and BlackBerry devices to intercept SMS messages and defeat two-factor authentication for online banking.
9. Ikee (2011) – The first iPhone worm, which targeted jailbroken devices, replacing the home screen with an image of Rick Astley (from the "Rickrolling" meme).
10. Android.Pjapps (2011) – A Trojan that enabled attackers to control Android devices remotely, sending SMS messages and accessing data.
11. NotCompatible (2012) – A sophisticated Android Trojan that used infected devices as proxies for malicious web traffic.
12. MasterKey (2013) – An Android vulnerability that allowed attackers to modify legitimate apps without invalidating the app's signature, effectively bypassing security checks.
13. HummingBad (2016) – An ad fraud malware that infected millions of Android devices, generating fraudulent ad revenue for its creators.
14. XcodeGhost (2015) – A malware strain that infected iOS apps by targeting developers using a compromised version of Apple's Xcode IDE.
15. Pegasus (2016) – A highly sophisticated iOS and Android spyware, capable of fully taking over a phone and used in targeted surveillance operations against journalists, activists, and government officials.
16. Triada (2016) – A modular Android Trojan with root privileges, capable of installing additional malware and conducting financial fraud.
17. Judy (2017) – A massive malware campaign that infected 36 million Android devices, using apps to fraudulently generate ad clicks and revenue.
18. Agent Smith (2019) – Malware that infected Android devices by disguising itself as a Google-related app, replacing legitimate apps with malicious versions.

#### 2020s

19. EventBot (2020) – A mobile banking Trojan targeting Android devices, stealing financial data and intercepting SMS messages for two-factor authentication.
20. BlackRock (2020) – An Android Trojan that targeted 337 different apps, including social media, financial apps, and dating platforms, to steal credentials.
21. FluBot (2021) – A rapidly spreading Android spyware that used SMS to trick users into downloading a fake app, which then stole sensitive information.
22. TangleBot (2021) – An Android malware that spread via SMS messages, allowing attackers to take full control of infected devices, including microphone and camera access.
23. TeaBot (2021) – A mobile banking Trojan designed to steal login credentials and SMS messages, with a focus on banking apps.
24. Mozi (2021) – A botnet malware capable of infecting Android devices and turning them into part of a larger botnet to launch DDoS attacks or facilitate network breaches.
25. BRATA (2022) – A banking Trojan for Android, capable of performing keylogging, screen recording, and even performing factory resets to erase traces of its activity.
26. Octo (2022) – A sophisticated Android banking malware that can record device screens and perform actions in real time without the user knowing.
27. Hermit (2022) – A spyware used for targeted surveillance of mobile users, capable of eavesdropping on communications, intercepting SMS, and accessing media files.
28. Predator (2022) – Advanced mobile spyware similar to Pegasus, targeting Android and iOS users for espionage purposes.
29. Godfather (2023) – An Android banking Trojan targeting financial apps worldwide, designed to steal login credentials and intercept SMS-based two-factor authentication.

This list shows the progression of mobile malware as smartphones became essential in everyday life. Initially, mobile threats were relatively simple, but as the platform matured, so did the malware, which has evolved into highly sophisticated spyware, banking Trojans, and ransomware campaigns.

Malware remains a dangerous and consistent threat, and its success has spawned a host of improved detection and prevention technologies.
The resulting arms race means that the technologies of attackers continue to evolve in order to remain ahead of security vendors. This has resulted in the constant invention of new fraud mechanics to evade existing security solutions, and in commoditization, in which cutting-edge, limited-circulation techniques are turned into mainstream capabilities.

### What it does

- Steal personal information
- Delete files
- Click fraud
- Steal software serial numbers
- Use your computer as a relay

### The Symptoms

- Blue screen
- Increased CPU usage
- Slow computer or web browser speeds
- Problems connecting to networks
- Freezing or crashing
- Modified or deleted files
- Appearance of strange files, programs, or desktop icons
- Programs running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs)
- Strange computer behaviour
- Emails/messages being sent automatically and without the user's knowledge (a friend receives a strange email from you that you did not send)

### Mobile symptoms

While these types of mobile malware differ greatly in how they spread and infect devices, they all can produce similar symptoms. Signs of a malware infection can include unwanted behaviours and degradation of device performance. Stability issues such as frozen apps, failure to reboot and difficulty connecting to the network are also common. Mobile malware can eat up battery or processing power, hijack the browser, send unauthorized SMS messages, or freeze or brick the device entirely.
## TYPE OF MALWARE

### Taxonomy of Malware

- Needs a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
- Independent: Bacteria, Worms

### The Malware Types

Virus, Backdoor/Rootkit, Bot/Zombie, Trojan horse, Scareware, Adware, Worm, Ransomware.

(Figure slides: MALWARE = Vector + Infection; MALWARE = Vector + Infection + Payload.)

### Virus

- A tiny program that is able to exploit and negatively alter the way a computer works.
- It has the ability to automatically replicate itself.
- This is done without user knowledge or intervention, but it still needs to be activated initially by the user, either time-based or activity-based.
- Viruses often spread to other computers by attaching themselves to various programs and executing code when a
- Viruses can also spread through script files, documents, and cross-site scripting vulnerabilities in web apps.
- Viruses can be used to steal information, harm host computers and networks, create botnets, steal money, render advertisements, and more.
- "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself." (Fred Cohen, 1983)

### Types of Virus

- Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer).
- Metamorphic: changes after each infection.

### Rootkit/Backdoor

A rootkit is a type of malicious software designed to remotely access or control a computer without being detected by users or security programs. Once a rootkit has been installed, it is possible for the malicious party behind the rootkit to remotely execute files, access or steal information, modify system configurations, alter software (especially any security software that could detect the rootkit), install concealed malware, or control the computer as part of a botnet.

Rootkit prevention, detection, and removal can be difficult due to their stealthy operation. Because a rootkit continually hides its presence, typical security products are not effective in detecting and removing rootkits. As a result, rootkit detection relies on manual methods such as monitoring computer behaviour for irregular activity, signature scanning, and storage dump analysis. Organizations and users can protect themselves from rootkits by regularly patching vulnerabilities in software, applications, and operating systems, updating virus definitions, avoiding suspicious downloads, and performing static analysis scans.

### Trojan Horse

A Trojan horse is a type of malware that disguises itself as a normal file or program to trick users into downloading and installing malware. It gives a malicious party remote access to an infected computer. Once an attacker has access to an infected computer, it is possible for the attacker to steal data (logins, financial data, even electronic money), install more malware, modify files, monitor user activity (screen watching, keylogging, etc.), use the computer in botnets, and anonymize the attacker's internet activity.

Where the name comes from: like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

### Types of Trojans

- Erasing or overwriting data on a computer
- Corrupting files in a subtle way
- Spreading other malware, such as viruses; in this case the Trojan horse is called a 'dropper'
- Setting up networks of zombie computers in order to launch DDoS attacks or send spam
- Logging keystrokes to steal information such as passwords and credit card numbers (known as a keylogger)
- Phishing for bank or other account details, which can be used for criminal activities
- Installing a backdoor on a computer system

### How can you be infected

- Websites: you can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
- Instant message: many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
- E-mail: attachments on e-mail messages may contain Trojans (Trojan horses via SMTP).

### Sample Delivery

The attacker will attach the Trojan to an e-mail with an enticing header. The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.

### Where They Live

- Autostart folder: located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
- Win.ini: Windows system file, using load=Trojan.exe and run=Trojan.exe to execute the Trojan.
- System.ini: using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe.
- Wininit.ini: setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart.
- Winstart.bat: acting as a normal .bat file, the Trojan is added as @trojan.exe to hide its execution from the user.
- Autoexec.bat: a DOS auto-starting file, used as an auto-starting method like this: c:\Trojan.exe
- Config.sys: could also be used as an auto-starting method for Trojans.
- Explorer startup: an auto-starting method for Windows 95, 98, ME and XP; if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

### What does the attacker want?

- Credit card information (often used for domain registration, shopping with your credit card)
- Any account data (e-mail passwords, dial-up passwords, web service passwords, etc.)
- E-mail addresses (might be used for spamming, as explained above)
- Work projects (steal your presentations and work-related papers)
- Children's names, pictures and ages (paedophile attacker?!)
- School work (steal your papers and publish them with his/her name on them)

### Well-known Trojans

- The Secup Trojan displays fake security-related messages. When the user clicks on such a message, the Trojan opens a malicious web site that quietly installs potentially harmful software. Secup also serves undesirable commercial advertisements.
- Dmsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing confidential user information. Using its keystroke-logging technique, Dmsys easily steals user passwords and captures private conversations. This information is written into a log file, which is then sent to the hacker.
- VNC: a freely distributed remote desktop program. The server executable is attached to an e-mail and unknowingly installed on your system; the attacker can then use the client to use your system as if he were sitting at the terminal.

### Bot/Zombie

Bots are software programs created to automatically perform specific operations. While some bots are created for relatively harmless purposes (video gaming, internet auctions, online contests, etc.), it is becoming increasingly common to see bots being used maliciously. Bots can be used in botnets (collections of computers controlled by third parties) for DDoS attacks, as spambots that render advertisements on websites, as web spiders that scrape server data, and for distributing malware disguised as popular search items on download sites. Websites can guard against bots with CAPTCHA tests that verify users as human.

### The Estonian case

In April 2007, Estonia, one of the Baltic States, became a victim of such an attack: the communication and online activities of the country were brought to a standstill, and economic losses were incurred as online-based transactions were disrupted.

What caused it?
The attack was caused by a massive distributed denial-of-service (DDoS) attack that originated from around the world. The attack origins were thousands of computers remotely controlled by a perpetrator who could be located anywhere across the globe. These compromised computers are called a BOTNET, or zombies.

### What does a botnet do?

It is malware that exploits and recruits computers to become an army for cyber attack. It can be used for:

- DDoS attacks
- Distributing malware
- Spamming
- Phishing
- Stealing credential information
- Proxies
- Click-through fraud

### In Malaysia

Incidents reported by CyberSecurity Malaysia show an increase in botnet drones from 2009 to 2010. (MyCERT Incident Report figures: Botnet Drones 2009; Botnet Drones 2023.)

### Worms

Computer worms are among the most common types of malware. They spread over computer networks by exploiting operating system vulnerabilities. Worms typically cause harm to their host networks by consuming bandwidth and overloading web servers. Computer worms can also contain "payloads" that damage host computers. Payloads are pieces of code written to perform actions on affected computers beyond simply spreading the worm. Payloads are commonly designed to steal data, delete files, or create botnets.

Computer worms can be classified as a type of computer virus, but there are several characteristics that distinguish computer worms from regular viruses. A major difference is that computer worms have the ability to self-replicate and spread independently, while viruses rely on human activity to spread (running a program, opening a file, etc.). Worms often spread by sending mass emails with infected attachments to users' contacts.

### Worm

- A worm is self-replicating software designed to spread through the network.
- Typically exploits security flaws in widely used services.
- Can cause enormous damage: launch DDoS attacks, install bot networks, access sensitive information, cause confusion by corrupting the sensitive information.

### Worm vs Virus vs Trojan horse

- A virus is code embedded in a file or program.
- Viruses and Trojan horses rely on human intervention.
- Worms are self-contained and may spread autonomously.

### Cost of worm attacks

- Morris worm, 1988: infected approximately 6,000 machines, 10% of computers connected to the Internet; cost ~$10 million in downtime and cleanup.
- Code Red worm, July 16, 2001: direct descendant of Morris' worm; infected more than 500,000 servers; programmed to go into infinite sleep mode on July 28; caused ~$2.6 billion in damages.
- Love Bug worm: $8.75 billion.
- Statistics: Computer Economics Inc., Carlsbad, California.

### Internet Worm (first major attack)

- Released November 1988.
- Program spread through Digital and Sun workstations.
- Exploited Unix security vulnerabilities: VAX computers and SUN-3 workstations running versions 4.2 and 4.3 of Berkeley UNIX code.
- Consequences: no immediate damage from the program itself; replication and threat of damage; load on network and systems used in the attack; many systems shut down to prevent further attack.

### Some historical worms of note

| Worm | Date | Distinction |
|---|---|---|
| Morris | 11/88 | Used multiple vulnerabilities, propagate to "nearby" systems |
| ADM | 5/98 | Random scanning of IP address space |
| Ramen | 1/01 | Exploited three vulnerabilities |
| Lion | 3/01 | Stealthy, rootkit worm |
| Cheese | 6/01 | Vigilante worm that secured vulnerable systems |
| Code Red | 7/01 | First significant Windows worm; completely memory resident |
| Walk | 8/01 | Recompiled source code locally |
| Nimda | 9/01 | Windows worm: client-to-server, c-to-c, s-to-s, … |
| Scalper | 6/02 | 11 days after announcement of vulnerability; peer-to-peer network of compromised systems |
| Slammer | 1/03 | Used a single UDP packet for explosive growth |

Source: Kienzle and Elder.

### Increasing propagation speed

Code Red, July 2001:

- Affects Microsoft Index Server 2.0, the Windows 2000 Indexing service on Windows NT 4.0, and Windows 2000 systems that run IIS 4.0 and 5.0 web servers.
- Exploits a known buffer overflow in Idq.dll.
- Vulnerable population (360,000 servers) infected in 14 hours.

SQL Slammer, January 2003:

- Affects Microsoft SQL 2000.
- Exploits a known buffer overflow vulnerability in the Server Resolution service; vulnerability reported June 2002, patch released in July 2002 (Bulletin MS02-39).
- Vulnerable population infected in less than 10 minutes.

### Spyware/Adware

Spyware is a type of malware that functions by spying on user activity without their knowledge. These spying capabilities can include activity monitoring, collecting keystrokes, data harvesting (account information, logins, financial data), and more. Spyware often has additional capabilities as well, ranging from modifying security settings of software or browsers to interfering with network connections. Spyware spreads by exploiting software vulnerabilities, bundling itself with legitimate software, or in Trojans.

Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements. Common examples of adware include pop-up ads on websites and advertisements that are displayed by software. Often, software and applications offer "free" versions that come bundled with adware. Most adware is sponsored or authored by advertisers and serves as a revenue-generating tool. While some adware is solely designed to deliver advertisements, it is not uncommon for adware to come bundled with spyware (see above) that is capable of tracking user activity and stealing information. Due to the added capabilities of spyware, adware/spyware bundles are significantly more dangerous than adware on its own.

(Figure slides: adware browser toolbars.)

### Ransomware

Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom.
The malware restricts user access to the computer either by encrypting files on the hard drive or by locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove it. Ransomware typically spreads like a normal computer worm (see above), ending up on a computer via a downloaded file or through some other vulnerability in a network service.

Example: Trj/SMSlock.A, Russian ransomware, April 2009 (from the PandaLabs blog). Its lock screen read:

> To unlock you need to send an SMS with the text 4121800286 to the number 3649. Enter the resulting code: ... Any attempt to reinstall the system may lead to loss of important information and computer damage.

Although ransomware that locks files until victims pay to restore them has existed for many years, it became more prevalent after the Gameover Zeus botnet operators introduced the once widespread but now-defunct CryptoLocker malware in early February 2015. An early TeslaCrypt sample was uploaded to the VirusTotal analysis service on November 11, 2014, but TeslaCrypt was not widely distributed until early March 2015. The TeslaCrypt operators mimicked CryptoLocker in the warning screen.

### SPAM

Spam is the electronic sending of mass unsolicited messages. The most common medium for spam is email, but it is not uncommon for spammers to use instant messages, texting, blogs, web forums, search engines, and social media. While spam is not actually a type of malware, it is very common for malware to spread through spamming. This happens when computers that are infected with viruses, worms, or other malware are used to distribute spam messages containing more malware. Users can avoid getting spammed by avoiding unfamiliar emails and keeping their email addresses as private as possible.

### Fileless Malware

Fileless malware doesn't install traditional files on the system, making it difficult for antivirus programs to detect. It operates directly in memory (RAM) or leverages legitimate system tools like PowerShell or Windows Management Instrumentation (WMI). It leaves minimal to no traces on the hard drive, allowing it to evade file-based scanning.

Attack methods:

- Often delivered via phishing emails, exploit kits, drive-by downloads, or malvertising.
- Uses legitimate system tools to execute malicious payloads, avoiding the need for executable files.
- Exploits software vulnerabilities to inject malicious code directly into memory.

Common techniques:

- Memory-only operation: malware runs in RAM, disappearing after a reboot.
- Registry modification: malware stores code in the registry for persistence.
- Reflective DLL injection: injects malicious code into legitimate processes.

Impacts:

- Can steal data, execute unauthorized commands, or mine cryptocurrency.
- Difficult to detect, with a low system footprint, allowing attackers to avoid traditional security measures.

### Mobile spyware & adware

Spyware secretly gathers confidential information about the mobile user and then relays this data to a third party. In some cases these may be advertisers or marketing data firms, which is why spyware is sometimes referred to as "adware". It is typically installed without user consent by disguising itself as a legitimate app (say, a simple game) or by injecting its payload into a legitimate app. Spyware uses the victim's mobile connection to relay personal information such as contacts, location, messaging habits, browser history and user preferences or downloads. Spyware that gathers device information such as OS version, product ID, International Mobile Equipment Identity (IMEI) number, and International Mobile Subscriber Identity (IMSI) number can be used for future attacks.

### Mobile Trojan

Mobile Trojans infect user devices by attaching themselves to seemingly harmless or legitimate programs; they are installed with the app and then carry out malicious actions. Such programs have been known to hijack the browser, cause the device to automatically send unauthorized premium-rate texts, or capture user login information from other apps such as mobile banking. Trojans are closely related to mobile viruses, which can become installed on the device in any number of ways and cause effects that range from simply annoying to highly destructive and irreparable. Malicious parties can potentially use mobile viruses to root the device and gain access to files and flash memory.

### Mobile phishing

Mobile browsing of the internet is growing with smartphone and tablet penetration. Just as with desktop computing, fraudsters are creating mobile phishing sites that may look like a legitimate service but may steal user credentials or worse. The smaller screen of mobile devices makes malicious phishing techniques easier to hide from users who are less sophisticated on mobile devices than on PCs. Some phishing schemes use rogue mobile apps, programs which can be considered "trojanized", disguising their true intent as a system update, marketing offer or game. Others infect legitimate apps with malicious code that is only discovered by the user after installing.

### Mobile bot

Mobile malware is getting more sophisticated, with programs that can operate in the background on the user's device, concealing themselves and lying in wait for certain behaviours, like an online banking session, to strike. Hidden processes can execute completely invisibly to the user, run executables or contact botmasters for new instructions. The next wave is expected to be even more advanced, with botnet tendencies to actually hijack and control infected devices.
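The Fileless Malware slide above lists the traits a defender can look for: legitimate tools such as PowerShell launched by WMI, scripts passed in encoded form so that no file touches disk, and hidden windows. The following check is an added example, not part of the original slides or any product; it runs those heuristics over constructed Sysmon-style process-creation events, and the indicator names (`wmi-spawned-lolbin` and so on) are my own.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record (parent image, image, command line), Sysmon Event ID 1 style."""
    parent_image: str
    image: str
    command_line: str


# Legitimate system tools the slide names as being abused (plus common relatives),
# and the WMI provider host that fileless chains often use as the parent process.
LIVING_OFF_THE_LAND = {"powershell.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WMI_PROVIDER_HOSTS = {"wmiprvse.exe"}

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
IN_MEMORY_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: ProcessEvent) -> List[str]:
    """Return the fileless-execution indicators that fire on one event (empty list = clean)."""
    reasons = []
    if basename(event.parent_image) in WMI_PROVIDER_HOSTS and basename(event.image) in LIVING_OFF_THE_LAND:
        reasons.append("wmi-spawned-lolbin")
    script = decode_encoded_command(event.command_line)
    if script is not None:
        reasons.append("encoded-command")
        if IN_MEMORY_EXEC.search(script):      # script evaluates code in memory rather than from a file
            reasons.append("in-memory-execution")
    if HIDDEN_WINDOW.search(event.command_line):
        reasons.append("hidden-window")
    return reasons


def flagged_events(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that raised at least one indicator."""
    return [i for i, event in enumerate(events) if score_event(event)]


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: a routine scheduled script, and a WMI-launched, hidden,
# encoded PowerShell whose decoded body is harmless (it only echoes a string).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                 + encode_powershell("Invoke-Expression 'Write-Host constructed-sample'")),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(basename(event.parent_image), "->", basename(event.image), score_event(event) or "clean")
```

Real telemetry needs the same checks applied to the decoded script as to the command line, since the encoded form is exactly what keeps the script off disk.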
MALWARE TARGET

What is Malware Targeting
– Executable
– Interpreted file
– Kernel
– Service
– MBR
– Hypervisor

HOW MALWARE HIDES IN CODE

[Figure: embedding layouts. Each panel shows a malware image combined with a targeted executable to produce an infected host executable.]
– Overwriting malware: the malware overwrites the targeted executable.
– Prepending malware: the malware is placed before the host code in the infected executable.
– Appending malware: the malware is placed after the host code in the infected executable.
– Cavity malware: the malware is placed in an unused region (cavity) inside the host executable.
– Multi-cavity malware: the malware is split across several cavities in the host executable.
– Packers: the payload is wrapped by a packer inside the infected host executable.

Packer functionalities
– Compress
– Encrypt
– Randomize (polymorphism)
– Anti-debug technique (int / fake jmp)
– Add junk
– Anti-VM
– Virtualization

Auto start
– Folder auto-start: C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
– Win.ini: "run=[backdoor]" or "load=[backdoor]"
– System.ini: shell="myexplorer.exe"
– Wininit
– Config.sys

Auto start cont.
– Assign a known extension (.doc) to the malware
– Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Add a task in the task scheduler
– Run as a service

Unix autostart
– init.d
– /etc/rc.local
– .login
– .xsession
– crontab: crontab -e, /etc/crontab

Macro virus
– Uses the built-in script engine
– Example of callbacks used (Word): AutoExec(), AutoClose(), AutoOpen(), AutoNew()

Document based malware
– MS Office
– Open Office
– Acrobat

Userland rootkit
– Login binaries: sshd, passwd
– Binaries replaced to hide activity: ps, netstat, ls, find, du

Subverting the Kernel
– Kernel tasks: process management, file access, memory management, network management
– What to hide: processes, files, network traffic

[Figure: kernel rootkit. User processes P1, P2, P3 and PS sit above the kernel; the rootkit sits inside the kernel, between the processes and the hardware (HD, keyboard, mouse, NIC, GPU).]

Subverting techniques
– Kernel patch
– Loadable Kernel Module
– Kernel memory patching (/dev/kmem)

Windows Kernel

[Figure: Windows architecture. User mode: Csrss.exe and processes P1 ... Pn; Win32 subsystem DLLs (User32.dll, Gdi32.dll and Kernel32.dll) and other subsystems (OS/2, POSIX); Ntdll.dll. Kernel mode: Executive (ntoskrnl.exe), underlying kernel, kernel device drivers, Hardware Abstraction Layer (HAL.dll); Hardware.]
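The Compress and Encrypt functions of a packer raise the byte entropy of the packed region, which gives analysts one of the simplest static checks for a packed executable. The following is an added example (my code, not from the lecture): it computes per-window Shannon entropy over a constructed buffer; the window size, the 7.0 bits/byte threshold and the sample contents are assumptions.

```python
"""Added example, not from the lecture: Shannon-entropy heuristic for
spotting packed or encrypted regions (the 'compress' and 'encrypt'
packer functions raise the entropy of the packed payload)."""
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Walk the buffer in fixed windows and return (offset, entropy) for
    every window at or above the threshold.  Window size and threshold
    are assumed tuning values: compressed or encrypted payloads usually
    score above ~7 bits/byte, while code and text score well below."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample "file": 256 bytes of low-entropy text, then 512 bytes
# in which every byte value occurs equally often (a stand-in for a packed
# payload), then 256 bytes of zero padding.
TEXT_REGION = (b"This program cannot be run in DOS mode.\r\n" * 7)[:256]
PACKED_REGION = bytes(range(256)) * 2
PAD_REGION = b"\x00" * 256
SAMPLE_FILE = TEXT_REGION + PACKED_REGION + PAD_REGION


def classify_sample() -> dict:
    """Verdict for the constructed sample: which windows look packed."""
    hits = high_entropy_windows(SAMPLE_FILE)
    return {"size": len(SAMPLE_FILE), "packed_windows": hits,
            "likely_packed": bool(hits)}


if __name__ == "__main__":
    print(classify_sample())
```

High entropy alone is only a hint: legitimate compressed resources and embedded certificates also score high, so the result is a triage signal rather than a verdict.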
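The Word callbacks listed under Macro virus (AutoExec, AutoOpen, AutoClose, AutoNew) run without any user action, so a document analyst first looks for those procedure names and then for what they call. The scanner below is an added example (my code, not from the lecture): the trigger list, the suspicious-call list and the VBA sample are my assumptions and constructions.

```python
"""Added example, not from the lecture: static triage of extracted VBA
source.  It flags the Word auto-execute callbacks from the slide (plus the
event-handler equivalents) and lists the suspicious calls in their bodies."""
import re
from typing import Dict, List

# Procedures Office runs without user interaction.  The first four are the
# Word callbacks named on the slide; the rest are the event-handler forms
# used in newer Word and Excel documents (assumed additions).
AUTO_EXEC_TRIGGERS = ("AutoExec", "AutoOpen", "AutoClose", "AutoNew",
                      "Document_Open", "Document_Close", "Workbook_Open")

# Calls that commonly indicate a dropper rather than document automation
# when reachable from an auto-exec procedure (assumed, not exhaustive).
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "WScript.Shell",
                    "URLDownloadToFile", "Environ", "Kill")

_PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)",
                      re.IGNORECASE | re.MULTILINE)


def split_procedures(vba_source: str) -> Dict[str, str]:
    """Map each Sub/Function name to its source text."""
    procs = {}
    matches = list(_PROC_RE.finditer(vba_source))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(vba_source)
        procs[m.group(1)] = vba_source[m.start():end]
    return procs


def scan_vba(vba_source: str) -> Dict[str, List[str]]:
    """Return {trigger_name: [suspicious calls found in its body]} for every
    auto-exec procedure present; an empty list means the trigger exists but
    none of the listed calls appear in it."""
    triggers = {t.lower() for t in AUTO_EXEC_TRIGGERS}
    findings = {}
    for name, body in split_procedures(vba_source).items():
        if name.lower() in triggers:
            # Whole-token match, so "Shell" is not counted inside "WScript.Shell".
            findings[name] = [c for c in SUSPICIOUS_CALLS
                              if re.search(r"(?<![\w.])" + re.escape(c) + r"(?!\w)",
                                           body, re.IGNORECASE)]
    return findings


# Constructed VBA sample: one benign helper and one auto-exec procedure that
# builds a WScript.Shell object, which is the pattern the scanner should flag.
SAMPLE_VBA = """Sub FormatTable()
    Selection.Font.Bold = True
End Sub

Sub AutoOpen()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "notepad.exe", 0
End Sub
"""

if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA))
```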
[Figure: system call path and hooking. A process calls through the Win32 subsystem DLLs and Ntdll.dll and traps via an interrupt into the system service dispatcher in ntoskrnl.exe; the system service dispatch table (entries A, B, C) selects the kernel function; a hook replaces one entry with a new pointer into a rootkit driver.]
– Driver overwriting functions
– Driver replacing functions

MBR/Bootkit

Bootkits can be used to avoid all protections of an OS, because the OS assumes that the system was in a trusted state at the moment the OS boot loader took control.

[Figure: Windows boot chain: BIOS, MBR, VBS, NT Boot Sector, BOOTMGR.EXE, WINLOAD.EXE, Windows 7 kernel and HAL.DLL.]

Vboot
– Works on every Windows (Vista, 7)
– 3 KB in size
– Bypasses checks by letting them run and then doing in-flight patching
– Communicates via ping

Hypervisor rootkit

[Figure: before infection, the apps run on the target OS directly on the hardware; after infection, the target OS runs under a virtual machine monitor on a host OS, next to a rogue app, on the same hardware.]

Summary
– Malware stands for Malicious Software, a program that is purposely written for the destruction of the target.
– The evolution of malware is rapid; nowadays it is more complex and sophisticated.
– Virus, Trojan, Rootkit, Botnet, Adware, Ransomware, Spam and worm are types of malware.
– Malware can embed itself into a program in several ways.
