Malware Types and Countermeasures

Overview of Malware

  • Definition (NIST05): A program inserted covertly into a system with intent to compromise confidentiality, integrity, or availability (CIA) of data or applications.

  • Advanced Persistent Threat (APT): Sophisticated, multi-stage attacks directed at business or political targets, often state-sponsored.

  • Common Terminology:

    • Adware: Integrated advertising (pop-ups/redirections).

    • Logic Bomb: Dormant code triggered by specific conditions.

    • Rootkit: Tools providing root-level access after a breach.

    • Spyware: Collects system info, keystrokes, and network traffic.

    • Zombie/Bot: Infected machine used to launch attacks on others.

Viruses and Trojans

  • Virus: Self-replicating software that modifies other programs to include a copy of itself. A virus is specific to a particular operating system and hardware platform.

    • Components: Infection mechanism (spread), Trigger (activation event), and Payload (action/damage).

    • Phases: Dormant, Propagation, Triggering, and Execution.

  • Virus Classifications:

    • By Target: Boot sector infector (e.g., Michelangelo, Stoned), File infector (e.g., Jerusalem, Cascade), and Macro virus (e.g., W97M.Melissa).

    • By Concealment: Stealth (hides from scanners), Polymorphic (mutates signature), and Metamorphic (mutates behavior and code).

  • Trojan Horse: A program appearing useful but containing hidden malicious functions; it does not self-replicate.

Worms

  • Mechanism: Independent programs that propagate across networks by exploiting software vulnerabilities.

  • State of Worm Technology:

    • Multiplatform and Multiexploit: Attacks various OS (e.g., UNIX) and network-based applications.

    • Ultrafast Spreading: Uses pre-scanned Internet addresses.

    • Zero-day Exploit: Targets unknown vulnerabilities for maximum impact.

Ransomware and Advanced Persistent Threats

  • Ransomware Types:

    • Scareware: Frightens the user with fake threats or impersonated authority.

    • Locker ransomware: Locks the computer.

    • Crypto-ransomware: Encrypts files; most dangerous as damage is often irreversible without a key.

  • Advanced Persistent Threat (APT): Highly sophisticated attacks by criminal syndicates or nation-states using custom tools for long-term data theft or damage.

Malware Countermeasures

  • Antivirus (AV) Approaches: Detection, Identification, and Removal.

  • AV Generations:

    • 1st Gen: Signature-based scanners.

    • 2nd Gen: Heuristic scanners (look for general signs of malicious code rather than exact signatures).

    • 3rd Gen: Activity traps (real-time behavior monitoring).

    • 4th Gen: Full-featured (combined techniques).

  • Advanced Techniques:

    • Generic Decryption (GD): Uses a CPU emulator to safely run polymorphic code; once the virus's own decryption routine has revealed the body, a conventional signature scan is applied to it.

    • Digital Immune System: Automated virus analysis and prescription delivery.

    • Behavior-blocking: Real-time OS integration to block malicious actions like unauthorized disk formatting.

  • Quarantine: Encrypted, protected storage where suspected files are isolated to prevent further infection.
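Added illustration (not from the original notes) of how the 1st- and 2nd-generation scanners and Generic Decryption listed above behave against a polymorphic sample. The "XORSTUB:" container, the single-byte XOR "decryptor", and the signature bytes are constructed assumptions for the demo, not a real malware format.

```python
"""Toy scanners for three of the AV approaches in the outline, run against
constructed samples. Nothing here is real malware: the 'body' is plain text."""

SIGNATURE = b"BAD_PAYLOAD_MARKER"   # constructed signature of a "known" sample
STUB = b"XORSTUB:"                  # stands in for a self-decrypting loop

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_variant(body: bytes, key: int) -> bytes:
    """Build a constructed test sample: same body, different single-byte key,
    so the on-disk bytes differ between 'infections' (the polymorphic idea)."""
    return STUB + bytes([key]) + xor(body, key)

def signature_scan(sample: bytes) -> bool:
    """1st generation: exact byte-pattern match against the raw file."""
    return SIGNATURE in sample

def heuristic_scan(sample: bytes) -> bool:
    """2nd generation: general signs of malicious code instead of exact bytes;
    here, a decryptor stub followed by a body that is not plain text."""
    if not sample.startswith(STUB):
        return False
    body = sample[len(STUB) + 1:]
    printable = sum(0x20 <= b < 0x7F for b in body)
    return len(body) > 0 and printable / len(body) < 0.5

def generic_decryption(sample: bytes) -> bool:
    """GD: run the sample's own decryptor under emulation (here: interpret
    the toy stub format), then signature-scan the revealed body."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + 2:
        return signature_scan(sample)
    key = sample[len(STUB)]
    return signature_scan(xor(sample[len(STUB) + 1:], key))

def scan_all(sample: bytes) -> dict:
    return {"signature": signature_scan(sample),
            "heuristic": heuristic_scan(sample),
            "generic_decryption": generic_decryption(sample)}

# Constructed inputs: a known-bad body, two polymorphic variants of it (keys with
# the high bit set, so every encoded byte is non-printable), and a packed benign file.
KNOWN_BAD = b"constructed sample body containing " + SIGNATURE + b" as payload"
VARIANT_A = make_variant(KNOWN_BAD, 0xA5)
VARIANT_B = make_variant(KNOWN_BAD, 0xC3)
PACKED_BENIGN = make_variant(b"an ordinary packed program with no marker", 0xA5)

if __name__ == "__main__":
    for name, s in [("known_bad", KNOWN_BAD), ("variant_a", VARIANT_A),
                    ("variant_b", VARIANT_B), ("packed_benign", PACKED_BENIGN)]:
        print(name, scan_all(s))
```

The signature scanner misses both variants, the heuristic catches them but also flags the benign packed file, and generic decryption gets all four right at the cost of emulating the decryptor first.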