Objective 2.4: Given a scenario, analyze indicators of malicious activity
- Malware
- Viruses
- Worms
- Trojans
- Ransomware
- Zombies and Botnets
- Rootkits
- Backdoors and Logic Bombs
- Keylogger
- Spyware and Bloatware
- Malware Attack Techniques
- 9 Common Indicators of Malware Attacks
Malware: Malicious software designed to infiltrate computer systems and potentially damage them without user consent.
- Categories:
- Viruses
- Worms
- Trojans
- Ransomware
- Spyware
- Rootkits
- Spam
- Threat Vector: Method used to infiltrate a victim's machine. Examples include unpatched software, USB drive installation, and phishing campaigns.
- Attack Vector: Means by which the attacker gains access and infects the system. Combines both infiltration method and infection process.
- Viruses: Attach to clean files, spread, and corrupt host files.
- Worms: Standalone programs replicating and spreading to other computers.
- Trojans: Disguise as legitimate software, grant unauthorized access.
- Ransomware: Encrypts user data, demands ransom for decryption.
- Zombies and Botnets: Compromised computers remotely controlled in a network for malicious purposes.
- Rootkits: Hide presence and activities on a computer, operate at the OS level.
- Backdoors and Logic Bombs: Backdoors allow unauthorized access, logic bombs execute malicious actions.
- Keyloggers: Record keystrokes, capture passwords or sensitive information.
- Spyware and Bloatware: Spyware monitors and gathers user/system information, bloatware consumes resources without value.
- Malware Techniques and Infection Vectors: Evolving from file-based tactics to modern fileless techniques. Multi-stage deployment, leveraging system tools, and obfuscation techniques.
Common Indicators of Malware Attacks:
- Account lockouts
- Concurrent session utilization
- Blocked content
- Impossible travel
- Resource consumption
- Inaccessibility
- Out-of-cycle logging
- Missing logs
- Documented attacks
Computer Virus: Made up of malicious code that's run on a machine without the user's knowledge, infecting the computer whenever it's run.
- Boot Sector: Stored in the first sector of a hard drive, loaded into memory during boot.
- Macro: Embedded inside another document to execute when opened by the user.
- Program: Infect executables or application files with malicious code.
- Multipartite: Combination of a boot sector virus and a program virus.
- Encrypted: Hides itself by encrypting its code.
- Polymorphic: Changes its code to evade detection.
- Metamorphic: Rewrites itself entirely before infecting a file.
- Stealth: Prevents detection by antivirus software.
- Armored: Has protection layers to confuse analysis.
- Hoax: Attempts to scare users into undesirable actions.
Worm: Malicious software that can replicate itself without user interaction, spreading throughout a network.
- Worms are dangerous as they:
- Infect workstations and other computing assets.
- Disrupt normal network traffic by constantly replicating and spreading.
Trojan: Disguised as harmless software, it performs malicious activities when executed.
- Remote Access Trojan (RAT): Provides remote control of victim machines, commonly used for data exfiltration and maintaining persistence.
Ransomware: Blocks access to computer systems or data by encrypting it until a ransom is paid.
- Prevention:
- Regular backups
- Software updates
- Security awareness training
- Multi-Factor Authentication (MFA)
- Response:
- Never pay the ransom.
- Disconnect infected machines from the network.
- Notify authorities.
- Restore data and systems from known good backups.
- Botnet: Network of compromised computers or devices controlled remotely by malicious actors.
- Zombie: Name of a compromised computer or device that is part of a botnet, used to perform tasks using remote commands from the attacker without the user's knowledge.
- Command and Control Node: Computer responsible for managing and coordinating the activities of other nodes or devices within a network.
- Botnets are used:
- As pivot points.
- To disguise the real attacker.
- To host illegal activities.
- To spam others by sending out phishing campaigns and other malware.
- Most common use for a botnet is to conduct a DDoS (Distributed Denial-of-Service) attack.
- Distributed Denial-of-Service (DDoS) Attack: Occurs when many machines target a single victim and attack them at the exact same time.
- Botnets are used by attackers to combine processing power to break through different types of encryption schemes.
- Attackers usually only use about 20-25% of any zombie’s power.
Rootkit: Designed to gain administrative-level control over a given computer system without being detected.
- The account with the highest level of permissions is called the Administrator account.
- Allows the person to install programs, delete programs, open ports, shut ports, and do whatever they want on that system.
- A computer system has several different rings of permissions throughout the system.
- Ring 3 (Outermost Ring): Where user level permissions are used.
- Ring 0 (Innermost or Highest Permission Levels): Operating in Ring 0 is called “kernel mode”, allows control over device drivers, sound card, video display, etc.
- When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 to hide from other functions of the operating system to avoid detection.
- One technique used by rootkits to gain deeper access is DLL injection.
- DLL Injection: Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library.
- Dynamic Link Library (DLL): Collection of code and data used by multiple programs simultaneously for code reuse and modularization.
- Shim: A piece of software code placed between two components to intercept and redirect calls between them.
- Rootkits are powerful and difficult to detect because the operating system is essentially blinded to them.
- To detect them, boot from an external device and scan the internal hard drive using a good anti-malware scanning solution from a live boot Linux distribution.
Backdoor: Originally placed in computer programs to bypass normal security and authentication functions, often by designers and programmers.
- Remote Access Trojan (RAT): Acts like a backdoor in modern networks, placed by threat actors to maintain persistent access to a system.
- Easter egg: Hidden feature or novelty within a program, often inserted by developers as an inside joke, but may contain significant vulnerabilities.
Logic Bomb: Malicious code inserted into a program, which executes only when certain conditions are met.
Keylogger: Software or hardware that records every keystroke made on a computer or mobile device.
- Can be software-based or hardware-based.
- Software Keyloggers: Malicious programs installed on a victim's computer, often bundled with other software or delivered through social engineering attacks.
- Hardware Keyloggers: Physical devices plugged into a computer, resembling a USB drive or embedded within a keyboard cable.
- Protection:
- Regular updates and patches.
- Quality antivirus and antimalware solutions.
- Phishing awareness training.
- Multi-factor authentication.
- Encryption of keystrokes.
- Physical checks of desktops, laptops, and servers.
Spyware: Malicious software designed to gather and send information about a user or organization without their knowledge.
- Installed through various methods such as bundling with other software or deceptive pop-up ads.
- Protection: Use reputable antivirus and anti-spyware tools regularly updated.
Bloatware: Pre-installed software on new computers or smartphones that users did not request or need.
- Can waste storage space, slow down performance, and introduce security vulnerabilities.
- Removal methods: Manual removal, bloatware removal tools, or clean OS installation.
Malware Exploitation Technique: Method by which malware penetrates and infects a system.
- Some malware focuses on infecting system memory to leverage remote procedure calls over the network.
- Modern malware often uses fileless techniques to avoid detection.
- Stage 1 Dropper or Downloader: Lightweight shellcode executed on a system to retrieve additional portions of malware code.
- Dropper: Initiates or runs other malware forms within a payload.
- Downloader: Retrieves additional tools post-initial infection.
- Shellcode: Lightweight code meant to execute an exploit on a target.
- Stage 2 Downloader: Installs a remote access Trojan for command and control on the victimized system.
- Actions on Objectives: Execute primary objectives like data exfiltration or file encryption.
- Concealment: Helps threat actors prolong unauthorized access by hiding tracks and erasing log files.
- “Living off the Land”: Uses the standard tools already present on the system to carry out the intrusion instead of dropping new malware.
- Account Lockouts: Malware, especially malware designed for credential theft or brute-force attacks, can trigger multiple failed login attempts that result in a user's account being locked out.
- Concurrent Session Utilization: If you notice that a single user account has multiple simultaneous sessions open, especially from different geographic locations, the account may have been compromised.
- Blocked Content: If there is a sudden increase in the number of blocked-content alerts from your security tools, this can indicate malware activity.
- Impossible Travel: Refers to a scenario where a user's account is accessed from two or more geographically separated locations in an impossibly short period of time.
- Resource Consumption: If you observe unusual spikes in CPU, memory, or network bandwidth utilization that cannot be linked back to a legitimate task, malware may be running on the system.
- Resource Inaccessibility: Ransomware
- Form of malware that encrypts user files to make them inaccessible to the user.
- If a large number of files or critical systems suddenly become inaccessible, or if users receive messages demanding payment to decrypt their data, this is a strong indicator of a ransomware infection.
- Out-of-Cycle Logging: If you notice that logs are being generated at odd hours or during times when no legitimate activity should be taking place (such as in the middle of the night when no employees are working), this can indicate unauthorized activity.
- Missing Logs: If you are conducting a log review as a cybersecurity analyst and you see gaps in your logs, or logs that have been cleared without an authorized reason, an attacker may be hiding their tracks.
- Published or Documented Attacks: If a cybersecurity researcher or reporter publishes a report showing that your organization’s network has been infected as part of a botnet or other malware-based attack, treat it as an indicator and investigate.
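Several of the indicators above can be checked mechanically against authentication logs. The following is an added example written for these notes, not code from the original page: it scans a constructed sample log for account lockouts (repeated failures), concurrent sessions from different locations, and impossible travel. The log lines, city coordinates and the thresholds FAIL_THRESHOLD and MAX_SPEED_KMH are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample auth log, one event per line: "timestamp user event city"
LOG = """\
2024-03-01T02:10:00 alice FAIL London
2024-03-01T02:10:05 alice FAIL London
2024-03-01T02:10:09 alice FAIL London
2024-03-01T02:10:12 alice FAIL London
2024-03-01T02:10:15 alice FAIL London
2024-03-01T08:00:00 dave SUCCESS London
2024-03-01T09:00:00 bob SUCCESS London
2024-03-01T09:20:00 bob SUCCESS Sydney
2024-03-01T14:00:00 dave SUCCESS Paris
"""
# Constructed (lat, lon) pairs for the cities used in the sample log
CITIES = {"London": (51.5, -0.1), "Sydney": (-33.9, 151.2), "Paris": (48.9, 2.4)}
FAIL_THRESHOLD = 5     # assumed: failed logins before the account would be locked out
MAX_SPEED_KMH = 1000   # assumed: a faster apparent speed between logins is "impossible travel"

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def analyze(log):
    """Return (indicator, user) findings for lockouts, concurrent sessions and impossible travel."""
    findings = []
    fails = defaultdict(int)        # user -> consecutive failed logins
    sessions = defaultdict(dict)    # user -> {city: login time} for sessions still open
    for line in log.splitlines():
        ts, user, event, city = line.split()
        t = datetime.fromisoformat(ts)
        if event == "FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:
                findings.append(("account_lockout", user))
        elif event == "LOGOUT":
            sessions[user].pop(city, None)
        else:  # SUCCESS: compare against every session the user still has open elsewhere
            fails[user] = 0
            for other_city, t0 in sessions[user].items():
                if other_city == city:
                    continue
                hours = (t - t0).total_seconds() / 3600
                speed = distance_km(CITIES[other_city], CITIES[city]) / hours if hours else float("inf")
                findings.append(("impossible_travel" if speed > MAX_SPEED_KMH else "concurrent_sessions", user))
            sessions[user][city] = t
    return findings
```

A session that ends with a LOGOUT event is dropped from the open-session table, so a later login from another city is only flagged when the earlier session is still open.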