Malware (OBJ 2.4)

Introduction to Malware

  • Malware Defined
    • Malware is short for malicious software.
    • It is designed to infiltrate and potentially damage a computer system without the user’s knowledge or consent.
    • Represents a broad category of harmful software including:
    • Viruses
    • Worms
    • Trojans
    • Ransomware
    • Spyware
    • Rootkits
    • Spam (unsolicited bulk messages; not malware in itself, but a common delivery channel for it)
  • Key Terminology
    • Threat Vector: A specific method used by an attacker to infiltrate a victim's system.
    • Examples of Threat Vectors:
    • Unpatched software
    • Code installation through USB drives
    • Phishing campaigns
    • Other vulnerabilities and exploits
    • Attack Vector: The means by which an attacker gains access to a computer to infect it with malware.
    • Distinction between Threat Vector and Attack Vector:
    • Threat Vector focuses on how the attacker plans to breach a system (the weakness or path they intend to use).
    • Attack Vector refers to the way the attacker actually gains access and infects the system (the steps carried out).

Illustrative Example of Malware Infection

  • Scenario:
    • Comparison of a house to a computer and a cupcake to malware.
    • As the attacker, the goal is to get the cupcake (malware) into your house (computer).
  • Threat Vector:
    • Example: An unguarded neighborhood represents an easy target for attackers.
  • Attack Vector:
    • Example Sequence:
    • Walk to the front door
    • Pick the lock to gain entry
    • Place the cupcake on the kitchen table (infecting the computer)
    • This sequence illustrates the actions involved in an attack vector.

Malware and Vulnerabilities

  • Example of Vulnerability Exploitation:
    • A computer running unpatched Windows 10, missing critical security updates (e.g., MS17-010, which fixed the SMBv1 flaw exploited by EternalBlue).
  • The state of being unpatched represents a threat vector.
  • Attackers scan for unpatched systems to exploit them.
  • Exploit Process:
    • Identify vulnerable machines online.
    • Execute known exploits against vulnerabilities to gain access and install malware.
    • This process is referred to as the attack vector and was utilized in the WannaCry ransomware incident.

WannaCry Ransomware Case Study

  • Attack Methodology of WannaCry:
    • Worm-like automated scanning for Windows machines exposing SMB (TCP port 445) without the MS17-010 patch, on the local network and across the Internet.
    • Exploiting the unpatched SMBv1 flaw (EternalBlue) to execute code with SYSTEM-level privileges on the target, with no user interaction required.
    • Encrypting users’ files and demanding ransom (in Bitcoin) for decryption keys.

Malware Types and Attack Objectives

  • Course Objective Focus:
    • Focus on objective 2.4: Analyze indicators of malicious activity.
    • Types of malware to cover:
    • Viruses: Attach to clean files, spreading throughout systems, damaging host files.
    • Worms: Standalone malware that self-replicates, exploiting software vulnerabilities to spread.
    • Trojans: Malicious software disguised as legitimate, granting unauthorized access when executed.
    • Remote Access Trojans (RATs): Allow remote control over infected systems.
    • Ransomware: Encrypts user data, holding it hostage until ransom is paid.
    • Zombies: Compromised computers controlled by attackers, often forming a botnet.
      • Botnet Definition: A network of compromised computers used for attacks.
    • Rootkits: Malicious tools that conceal their presence, maintaining privileged access.
    • Backdoors: Means of bypassing authentication to access systems unauthorized.
    • Logic Bombs: Code embedded in legitimate programs executing malicious actions under specific conditions.
    • Keyloggers: Capture user keystrokes to gather sensitive information.
    • Spyware: Gathers user information in stealth, sending it to third parties.
    • Bloatware: Non-essential software consuming resources without value.

Malware Attack Techniques

  • Evolving Malware Techniques:
    • From file-based tactics to fileless techniques that run in memory or through legitimate tools and leave minimal traces on disk.
    • Use of multi-stage deployments leveraging built-in system tools and obfuscation techniques.
  • Indicators of Successful Malware Attacks:
    • Common signs of malware presence include:
    • Account lockouts (repeated failed logins from malware or an attacker guessing passwords trip the lockout policy)
    • Concurrent session usage (one account active from two places or devices at the same time)
    • Blocked content (web filters, mail gateways or EDR reporting blocked downloads, attachments or connections)
    • Impossible travel incidents (logins from locations too far apart for the time between them)
    • Resource consumption or inaccessibility (unexplained CPU, memory, disk or network use, or files and services that become unavailable, e.g., after ransomware encryption)
    • Out-of-cycle logging (events at times or in volumes outside the normal pattern)
    • Missing logs (gaps in logs or a log source going silent, often because malware cleared or disabled logging)
    • Published or documented attacks (a vendor advisory or threat report describing activity that matches what is observed)
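The indicators listed above are easier to understand as concrete checks. The following is an added example, not code from the original course notes: small detectors for impossible travel, concurrent sessions, lockout-level failure bursts, out-of-cycle logins and missing logs, run over a constructed authentication log. It assumes UTC ISO-8601 timestamps, a geolocation tuple already attached to each event by an upstream GeoIP lookup, and a 07:00-19:00 UTC working window; the log entries, hostnames and IP addresses are invented for the example.

```python
"""Added example: toy detectors for several OBJ 2.4 indicators of malicious activity."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not from a real system): (timestamp UTC, user, event, source IP, (lat, lon)).
AUTH_LOG = [
    ("2024-03-01T09:00:00", "alice", "login_ok",   "203.0.113.10", (40.71, -74.01)),  # New York
    ("2024-03-01T09:03:00", "alice", "logout",     "203.0.113.10", (40.71, -74.01)),
    ("2024-03-01T09:05:00", "alice", "login_ok",   "198.51.100.7", (51.51, -0.13)),   # London, 5 min later
    ("2024-03-01T09:10:00", "bob",   "login_ok",   "203.0.113.22", (40.71, -74.01)),
    ("2024-03-01T09:11:00", "bob",   "login_ok",   "192.0.2.44",   (40.73, -73.99)),  # 2nd session, no logout
    ("2024-03-01T09:30:00", "carol", "login_ok",   "203.0.113.50", (40.71, -74.01)),
    ("2024-03-01T10:00:00", "carol", "logout",     "203.0.113.50", (40.71, -74.01)),
    ("2024-03-01T10:05:00", "carol", "login_ok",   "203.0.113.51", (40.71, -74.01)),  # new session after logout
    ("2024-03-01T02:30:00", "dave",  "login_ok",   "203.0.113.60", (40.71, -74.01)),  # 02:30 UTC
] + [(f"2024-03-01T11:{m:02d}:00", "erin", "login_fail", "203.0.113.70", (40.71, -74.01)) for m in range(6)]

# Constructed heartbeat timestamps reported by each host's log forwarder (assumed 10-minute cadence).
HEARTBEATS = {
    "web01": ["2024-03-01T09:00:00", "2024-03-01T09:10:00", "2024-03-01T09:20:00", "2024-03-01T09:30:00"],
    "db01":  ["2024-03-01T09:00:00", "2024-03-01T09:10:00", "2024-03-01T12:40:00"],  # 3.5 h of silence
}


def parse(log):
    """Convert timestamps to datetime and sort events chronologically."""
    rows = ((datetime.fromisoformat(t), u, e, ip, geo) for t, u, e, ip, geo in log)
    return sorted(rows, key=lambda r: r[0])


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(log, max_kmh=1000.0, min_km=50.0):
    """Flag users whose consecutive successful logins imply travel faster than max_kmh.
    Short hops (below min_km) are ignored so GeoIP jitter inside one city does not alert."""
    last, flagged = {}, set()
    for ts, user, event, _ip, geo in parse(log):
        if event != "login_ok":
            continue
        if user in last:
            prev_ts, prev_geo = last[user]
            km = haversine_km(prev_geo, geo)
            hours = (ts - prev_ts).total_seconds() / 3600
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                flagged.add(user)
        last[user] = (ts, geo)
    return flagged


def concurrent_sessions(log):
    """Flag users who log in from a new IP while an earlier session is still open."""
    active, flagged = defaultdict(set), set()
    for _ts, user, event, ip, _geo in parse(log):
        if event == "login_ok":
            if active[user] and ip not in active[user]:
                flagged.add(user)
            active[user].add(ip)
        elif event == "logout":
            active[user].discard(ip)
    return flagged


def failed_login_bursts(log, threshold=5, window=timedelta(minutes=10)):
    """Flag users whose failed logins reach the lockout threshold inside the sliding window."""
    fails, flagged = defaultdict(list), set()
    for ts, user, event, _ip, _geo in parse(log):
        if event != "login_fail":
            continue
        fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(fails[user]) >= threshold:
            flagged.add(user)
    return flagged


def out_of_cycle_logins(log, start_hour=7, end_hour=19):
    """Flag successful logins outside the expected working window (UTC hours, an assumption)."""
    return {u for ts, u, e, _ip, _geo in parse(log) if e == "login_ok" and not start_hour <= ts.hour < end_hour}


def missing_log_gaps(heartbeats, expected=timedelta(minutes=10), tolerance=3):
    """Return {host: longest gap} for hosts whose log feed was silent longer than tolerance * expected."""
    flagged = {}
    for host, times in heartbeats.items():
        stamps = sorted(datetime.fromisoformat(t) for t in times)
        for a, b in zip(stamps, stamps[1:]):
            if b - a > expected * tolerance:
                flagged[host] = max(b - a, flagged.get(host, timedelta(0)))
    return flagged


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(AUTH_LOG))
    print("concurrent sessions:", concurrent_sessions(AUTH_LOG))
    print("lockout-level failure bursts:", failed_login_bursts(AUTH_LOG))
    print("out-of-cycle logins:", out_of_cycle_logins(AUTH_LOG))
    print("missing logs:", missing_log_gaps(HEARTBEATS))
```

Each detector returns the affected users or hosts rather than printing, so the same functions can be wired into a scheduled job over a SIEM export. The thresholds (1000 km/h, 5 failures in 10 minutes, three missed heartbeats) are starting points to tune against a baseline; note that Alice trips only impossible travel because she logged out before the London login, while Bob trips only the concurrent-session check because both of his logins are from the same city.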

Conclusion and Assessment

  • Short quiz to assess learning outcomes from the malware section.
  • Review each quiz question thoroughly to ensure comprehension of the material covered in this course section on malware.