What is malware?
Program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victims data, applications or operating system or otherwise annoying or disrupting the victim
Motivation to write Malware
Fame, Fighting authority, Pen-testing, Financial gain (Sell data, sell attack kits), Cyber-war, Corporate espionage
What is a Trojan horse?
Program with overt purpose (known to user) and a covert purpose (unknown to user).
What are covert purposes of trojan?
Keylogger, System backdoor, DDOS engine, Web clicker
What is the Thompson compiler hack?
Using a modified compiler to compile a trojan and publishing the original source code with the modified executable. Proves that open source code does not solve the trust issue
What is a virus?
A software fragment that attaches itself to some existing executable. The virus can replicate itself and pass on malicious code to other non-malicious executable by modifying them
How do trojans spread?
Usually the user installs them e.g.: Hacker tools, Website widgets that make your website prettier, Thumbnails of adult videos
How do viruses propagate?
By users exchanging infected executables or files e.g. by E-Mail, file-sharing or USB Sticks
What are the parts of a virus?
- Infection mechanism/ vector: The means by which a virus spreads or propagates, enabling it to replicate
- Trigger: The event or condition that determines when the payload is activated or delivered
- Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
Whats the typical lifetime phases of a virus?
- Dormant phase: Sleep
- Propagation phase: Place a copy of itself (or mutation) into other programs
- Triggering phase: Virus is activated (e.g. by Timer)
- Execution phase: Malicious payload is executed
Virus classification by source
- Boot sector infector: Infects a boot record and spreads when a system is booted from the disk containing the virus
- File infector / Executable infector: Infects files that the operating system or shell consider as executable
- Macro virus: Infects files with macro or scripting code that is interpreted by an application
- Multipartite virus: Infects files in multiples ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all the
possible sites of infection
Virus classification by concealment
- Polymorphic virus: Encrypts its own code
- Metamorphic virus: Able to edit, rewrite and translate its own code
How are viruses detected?
- Signature detection: Scan for known virus signatures
- Emulation: Emulate CPU execution for a couple hundred instructions and check for known signatures after decryption
What are obfuscation and anti-debugging techniques?
-Obfuscation: Insert garbage opcodes and change control structure. Different signature on each instance makes it difficult to detect
-Anti-Debugging: Detect virtual machines and debuggers. Terminate process
What is a worm?
A program which actively seeks to infect other machines by exploiting software vulnerabilities
How do worms typically spread?
- Shared Media (CDs)
- Network connection (e.g. E-Mail attachments, direct messaging)
What are the lifetime phases of a worm?
Same as virus:
1. Dormant phase: Sleep
2. Propagation phase: Search for appropriate access mechanisms to other systems to infect (Host tables, removable media, buddy lists)
3. Triggering phase: Worm is activated (e.g. by Timer)
4. Execution phase: Malicious payload is executed
What are the target identification strategies of a worm?
- Random: Pick random IP addresses. Easy to detect due to high volume
- Hit-list: Compile list of possible targets. Try to infect targets and pass part of the list to infected targets
- Topological: Use information on other hosts present in infected machine
- Local subnet: Host behind a firewall tries to infect hosts on same subnet
What is ransomware? How does it work? Takedown example?
-Ransomware: A program which encrypts user data and demands money for decryption key:
-How it works: E.g. spread via worm. Encrypt all files using AES key and encrypt key with RSA keypair and send private key to C&C server. When money is transferred, send the key for decryption
-Takedown: WannaCry: Primes to generate RSA were still in memory. Thus private key could be computed
Malware classification by payload
-Non-Destructive: E.g. displaying funny messages, flashing an
image on the screen
-Destructive: Corrupt files, delete files, damage software,… with no reason other then to harm the victim
-Commercial or criminal intent: Stealing information such as
credentials, corporate plans, personal data, gain remote
control of the victim’s machine to distribute spam or conduct
distributed denial of service attacks
Examples for System corruption, Information theft, Stealthing, Bots
-System corruption: Data Destruction, Ransomware, Physical-World Damage, Logic Bomb
-Information theft: Keyloggers and spyware, Phishing and identity theft, Espionage and data exfiltration
-Stealthing: Backdoors and rootkits
-Bots: DDOS
