Based on Dion Training Study Guide
Virus
Malicious code that infects systems when executed and requires user action to spread
Virus (Propagation Method)
Typically spreads through infected files or applications, such as opening a malicious attachment or installing compromised software
Boot Sector Virus
Resides in the first sector of a hard drive and loads during system boot-up
Macro Virus
Embedded in document files like Word or Excel and executes when the document is opened
Program Virus
Infects executable programs or applications, spreading when they are launched
Multipartite Virus
Combines both boot sector and program infection methods to enhance persistence
Encrypted Virus
Uses encryption to hide its code, making it harder for antivirus tools to detect
Polymorphic Virus
Changes its code slightly each time it runs to evade detection mechanisms
Metamorphic Virus
Rewrites its own code entirely, making each instance unique and harder to trace
Stealth Virus
Hides its activity using various evasion tactics, often combining encryption and code mutation
Armored Virus
Obfuscates itself to resist analysis by security tools or researchers
Hoax Virus
A social engineering trick that scares users into installing real malware disguised as a fake warning
Worm
A self-replicating piece of malware that spreads automatically without user interaction
Worm (Infection Method)
Exploits system or network vulnerabilities to spread across devices
Worm Example (Nimda 2001)
Spread worldwide in 22 minutes using multiple attack vectors
Worm Example (Conficker 2009)
Infected millions of machines through unpatched Windows systems
Trojan (Trojan Horse)
Malware that pretends to be legitimate software but performs hidden malicious actions
Trojan (Operation)
Delivers the expected functionality while secretly compromising the system
Remote Access Trojan (RAT)
A type of Trojan that gives attackers full remote control over an infected system
Virus Summary
Requires user action to execute and spread between systems
Worm Summary
Spreads on its own through networks by exploiting vulnerabilities
Trojan Summary
Relies on deception, tricking users into installing what appears to be safe software
Malware Defense Summary
Keeping systems updated, applying patches, and running regular malware scans are critical for protection
Traditional Malware Techniques
Modify executable files or embed malicious macros into documents to activate malware when files are opened or executed
Traditional Malware (Example)
Worms that exploit system memory and spread via remote procedure calls
Fileless Malware
Malicious code that runs directly in system memory without relying on stored files, making it difficult to detect
Fileless Malware (Detection Evasion)
Bypasses traditional signature-based antivirus systems and erases traces after execution
Two-Stage Deployment Model
A layered approach where malware is deployed in phases to avoid detection and increase control
Stage One (Dropper)
Executes embedded malware immediately after being activated by user interaction
Stage One (Downloader)
Connects to external sources to retrieve additional malicious tools
Shellcode
Lightweight, low-level code that initiates the exploit and sets up the next stage
Stage Two
Installs advanced malware such as Remote Access Trojans and enables command and control of the infected system
Stage Two (Targets)
Focuses on infiltrating high-value assets like domain controllers or enterprise servers
Action on Objectives Phase
The attacker’s goals after system compromise, including data theft, ransomware deployment, and lateral movement
Action on Objectives (Examples)
Exfiltration of sensitive data, encryption of files for ransom, or spreading malware across the network
Concealment Techniques
Methods used to hide malicious activity and maintain access without detection
Concealment Methods
Includes deleting logs, modifying file timestamps, and hiding executable traces
Code Injection
Technique that inserts malicious code into legitimate processes to blend in with normal operations
Masquerading
Malware pretends to be trusted software to deceive users and security systems
DLL Injection
Malicious code inserted into dynamic link library files to execute within legitimate programs
DLL Sideloading
Loads a malicious DLL instead of a legitimate one to hijack software execution
Process Hollowing
Replaces the memory of a legitimate running process with malicious code while keeping its appearance intact
Anti-Forensic Techniques
Strategies used to avoid detection and make analysis more difficult
Anti-Forensics (Encryption)
Encrypts malware to hide its contents from security tools
Anti-Forensics (Compression)
Stores malware in compressed formats to reduce visibility
Anti-Forensics (Obfuscation)
Alters code appearance and structure to confuse static analysis
Living off the Land (LotL) Techniques
Uses legitimate system tools (like PowerShell) to carry out attacks without installing new malware
LotL (Example)
PowerShell used to download, execute, or exfiltrate data without triggering antivirus alerts
Modern Malware Awareness
Staying informed on advanced techniques is crucial to effective cyber defense
Malware Monitoring Strategy
Watch for unusual use of legitimate tools like PowerShell or WMI to detect threats
Malware Mitigation Summary
Apply regular security updates, train employees, and monitor system behavior for early detection and prevention
Ransomware
Malware that prevents access to a victim's system or files until a ransom is paid
Ransomware (Mechanism)
Encrypts files, locks users out of systems, or changes login credentials to block access
Ransomware (Example)
A screen displays "Your computer has been locked. Pay $200 via Bitcoin to regain access"
Ransomware (Risks)
Paying the ransom does not guarantee recovery of data and often results in financial loss
Ransomware (Additional Risk)
Victims may be targeted again or face data leaks even after payment
Ransomware Prevention (Backups)
Maintain regular, secure backups that are disconnected from the network
Ransomware Prevention (Updates)
Keep all software and operating systems patched to reduce exploitable vulnerabilities
Ransomware Real-World Example
In 2018, the City of Atlanta was attacked by SamSam ransomware
SamSam Attack (Cost)
Caused $17 million in total recovery costs, including $6 million in emergency services and $11 million in system upgrades
SamSam Attack (Recovery Decision)
The city chose not to pay the ransom and instead rebuilt its systems from scratch
Ransomware Summary
Malware that holds systems or files hostage in exchange for payment, often through encryption
Ransomware Risk Summary
Even if the ransom is paid, recovery is not guaranteed and further damage may occur
Ransomware Defense Summary
Regular offline backups and timely software updates are the most effective preventative measures
Spyware
Malicious software that secretly monitors user activity and gathers data without the user's knowledge or consent
Spyware (Access Points)
Can be installed through compromised websites, malicious downloads, or bundled third-party software
Spyware (Targets)
Monitors files, emails, browsing history, calendar events, and other private data
Keylogger
A type of spyware that records every keystroke made by a user
Keylogger (Data Captured)
Captures sensitive information such as usernames, passwords, and credit card numbers
Keylogger (Extra Capabilities)
May take screenshots and transmit stolen data to remote attackers
Stalkerware
Spyware intentionally installed by someone with physical or remote access to a device to track or control another person
Stalkerware (Capabilities)
Tracks location, reads texts and emails, monitors calls, and accesses the camera or microphone
Stalkerware (Common Uses)
Often used in abusive relationships for harassment or surveillance without the victim’s knowledge
Stalkerware Protection
Use strong passwords, keep devices updated, and monitor for suspicious or unfamiliar apps
Adware
Software that tracks online behavior to serve targeted advertisements
Adware (Impact)
Interrupts user experience with pop-ups or banner ads, slows device performance, and may expose users to further threats
Potentially Unwanted Programs (PUPs)
Unwanted software often bundled with legitimate installations, usually installed without clear user consent
PUPs (Behaviors)
Modify browser settings, show persistent ads, add toolbars, and degrade system performance
PUP Prevention
Always choose custom or advanced options during software installation and carefully review each step
Spyware Summary
Malicious surveillance software that invades privacy by secretly collecting sensitive information
Keylogger Summary
Records all keystrokes to steal credentials and other personal data
Stalkerware Summary
Spyware used for personal tracking, often involving abuse or harassment
Adware Summary
Tracks activity for targeted advertising and may degrade performance or open security gaps
PUP Summary
Bundled programs that often come with free software and negatively affect system functionality
Spyware Defense Summary
Use secure passwords, keep systems updated, and monitor for unfamiliar apps or system changes
Rootkit
Software designed to gain and maintain unauthorized administrative (root) control over a system while remaining undetected
Rootkit (Privilege Levels)
Targets high-level privileges such as Administrator on Windows or Root on Linux/Unix/macOS
Rootkit (System Permissions)
Granted full control to install or remove programs, open/close network ports, and modify critical configurations
Permission Rings
A hierarchy of privilege levels used by operating systems to separate user and system processes
Ring 3
Standard user access with limited permissions
Ring 1
Elevated access, typically administrative or root level
Ring 0 (Kernel Mode)
Full system-level control with access to core hardware and OS functions
Rootkit Placement
Often installed at Ring 0 or Ring 1 to gain deep access and evade detection from the OS or security software
Rootkit (Stealth Function)
Operates without the awareness of users, administrators, or even the operating system itself
DLL Injection
A technique where malicious code is inserted into running processes using dynamic link libraries during runtime
DLL Injection (Purpose)
Allows persistent control while blending in with legitimate system processes
Driver Manipulation
Involves modifying or exploiting system drivers that operate in kernel mode
Driver Manipulation (Effect)
Enables rootkits to perform malicious actions with full system access
Shim Use
Places a software layer between system components to intercept and alter system calls
Shim Use (Purpose)
Facilitates DLL injection and driver manipulation while making detection more difficult