malware
malicious software that is designed to infiltrate a computer system without the user’s knowledge
threat vector and attack vector
threat vector
specific method used by an attacker to infiltrate a victim’s machine
ex. unpatched software
attack vector
means by which the attacker gains access and infects the system
threat vs attack vector
plan to break into the system vs the plan and the execution to infect the system
types of malware
virus
worms
trojans
ransomware
zombies and botnets
rootkits
backdoors and logic bombs
virus
malicious code that attaches to clean files and spreads into a computer system
worms
malicious software that can replicate itself without any user interaction
trojans
malicious programs that appear to be legitimate software that allow unauthorized access to a victim’s system when executed
ransomware
encrypts a user’s data and holds it hostage until a ransom is paid to the attacker for decryption
zombies
compromised computers that are remotely controlled by attackers and used in coordination to form a botnet
botnet
network of zombies used for DDoS attacks, spam, or cryptocurrency mining
rootkits
malicious tools that hide their activities and operate at the OS level (admin level) to allow for ongoing privileged access
backdoors
malicious means of bypassing normal authentication processes to gain unauthorized access to a system
logic bomb
embedded code placed in legitimate programs that executes a malicious action when a specific condition/trigger occurs
keylogger
records a user’s keystrokes and is used to capture passwords or other sensitive info
spyware
secretly monitors and gathers user info or activities and sends data to third parties
bloatware
unnecessary or preinstalled software that consumes system resources and space without offering any value to the user
types of virus
boot sector
macro
program
multipartite
encrypted
polymorphic
metamorphic
stealth
armored
hoax
boot sector virus
stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up
macro virus
a form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus executes
program virus
try to find executables or application files to infect with their malicious code
multipartite virus
combo of boot sector and program virus
virus places itself in the boot sector and is loaded every time the computer boots
encrypted virus
designed to hide itself by encrypting its malicious code or payload so that antivirus software cannot detect it
polymorphic virus
advanced version of an encrypted virus, but instead of just encrypting the content, it will change the virus’s code each time it is executed by altering the decryption module in order for it to evade detection
metamorphic virus
able to rewrite itself entirely before it attempts to infect a given file
stealth virus
technique used to prevent the virus from being detected by the anti-virus software
armored virus
has a layer of protection to confuse a program or person who’s trying to analyze it
virus hoax
make users think their device is infected in order to get them to install a virus
worm vs virus
can replicate itself vs needs user interaction
remote access trojan (RAT)
widely used by modern attackers because it provides the attacker with remote control of a victim machine
command and control node
computer responsible for managing and coordinating the activities of other nodes or devices within a network
rings of permission
ring 3
ring 0
ring 1
ring 3 permissions
outermost ring where user-level permissions are used
ring 0
innermost ring with the highest permission levels
kernel mode
operating in ring 0, which allows a system to control access to things like drivers, video display, etc.
the closer the code is to the kernel, the more permissions it will have and the more damage it can cause
ring 1 permissions
if you log in as the admin on a system, you will have root permission and operate at ring 1 in the OS
DLL injection
used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library (DLL)
dynamic-link library (DLL)
collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software
shim
software code that is placed between two components and intercepts the calls between those components to redirect them
vulnerabilities of easter eggs
they do not go through the same rigorous forms of security testing compared to the rest of the application, making them vulnerable
makes way for logic bombs
software vs hardware keylogger
malicious programs installed on a computer often bundled with other software vs physical devices plugged into a computer
fileless malware
used to create a process in the system memory without relying on the local file system of the infected host
harder to detect because fewer traces are left behind
2 stage malware deployment model
stage 1—dropper or downloader: user clicks on malicious link/file, malware is installed
stage 2—downloader: download and install a RAT to conduct command and control on the victimized system
dropper
initiates or runs other malware forms within a payload on an infected host
downloader
retrieves additional tools after the initial infection facilitated by a dropper
shellcode
encompasses lightweight code meant to execute an exploit on a given target
“actions on objectives” phase
threat actors will execute primary objectives
data exfiltration
file encryption
concealment
used to help the threat actor prolong unauthorized access to a system by hiding tracks, erasing log files, and hiding evidence of malicious activity
“living off the land”
threat actors try to exploit the standard tools to perform intrusions
strategy used by APTs and criminal orgs