IoC & Malware

Types of Malware

  • Viruses

  • Crypto-malware

  • Ransomware

  • Worm

  • Trojan

  • Rootkit

  • Keylogger

  • Adware

  • Spyware

  • Bots

  • RAT

  • Logic Bomb

  • Backdoor

Malware Attacks

  • Delivery - How it gets to the target.

  • Propagation - How malware spreads.

  • Payload - What malware does once it's delivered.

  • Indicators of Compromise (IoC) - An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Viruses

  • Definition: A program intended to damage a computer system.

  • Types:

    • Armored Virus: A virus that is protected in a way that makes disassembling it difficult. The difficulty makes it "armored" against antivirus programs that have trouble getting to and understanding its code.

    • Companion Virus: A virus that creates a new program that runs in the place of an expected program of the same name.

    • Macro Virus: A software exploitation virus that works by using the macro feature included in many applications such as Microsoft Office.

    • Multipartite/Multipart Virus: A virus that attacks a system in more than one way.

      • Can infect both executable files and the boot sectors of hard disk drives.

      • Resides in the memory and then infects boot sectors and executable files of the system.

    • Phage Virus: A virus that modifies and alters other programs and databases.

    • Polymorphic Virus: A virus that changes form or mutates in order to avoid detection.

    • Retrovirus: A virus that attacks or bypasses the antivirus software installed on a client.

    • Stealth Virus: A virus that attempts to avoid detection by antivirus software and the operating system by remaining in memory.

Crypto-Malware & Ransomware

  • Malware that uses cryptography as part of the attack.

  • Prevents users from accessing their system or personal files through encryption and demands ransom payment in order to regain access.

  • Ransomware authors demand that payment be sent via cryptocurrency, online payment systems, or credit card.

  • Examples: CryptoLocker, WannaCry, Locky, zCrypt, NotPetya.

Rootkit

  • A clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.

  • Software program that has the ability to obtain admin or root-level access and hide from the operating system.

  • Examples: NTRootkit, Zeus, Stuxnet, Knark, Adore.

Trojan Horse

  • A harmful piece of software that looks legit or is included with legit apps.

  • Any app that masquerades as one thing in order to get past scrutiny and then does something malicious.

    • One of the major differences between trojans and viruses is that trojans tend not to replicate themselves.

  • Examples: BackOrifice, Stuxnet, Zeus

Worms

  • Use the network to replicate copies of themselves to systems or devices automatically and without user intervention.

  • To spread, worms either exploit a vulnerability on the target system or use social engineering to trick users into executing them.

  • A worm takes advantage of the file-transport or information-transport features on the system, allowing it to travel unaided.

  • Examples: ILoveYou, MyDoom, StormWorm, Anna Kournikova, Slammer

Logic or Time Bomb

  • Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met.

  • For example:

    • A programmer could create a program that always makes sure her name appears on the payroll roster; if it doesn't, then key files begin to be erased.

    • A backdoor that is only opened during certain times.

Keylogger

  • Software programs or hardware devices that track activity from input devices.

    • Keys pressed on a keyboard.

    • Mouse clicks.

    • Screen recorders or scrapers.

  • Keyloggers are a form of spyware where users are unaware their actions are being tracked.

  • Keylogger software typically stores your keystrokes in a small file, which is either accessed later or automatically emailed to the person monitoring your actions.

Bots / Botnets

  • Bot: An automated software program (network robot) that collects info on the web. In its malicious form, a bot is a compromised computer being controlled remotely.

  • Bots are also known as "zombie computers" due to their ability to operate under remote direction without their owners' knowledge.

  • Botnet: A network of compromised computers under the control of a malicious actor.

  • The attackers that control botnets are referred to as "bot herders" or "bot masters".

Backdoor

  • An undocumented way of accessing a system, bypassing the normal authentication mechanisms.

  • An opening left in a program or app (usually by the developer) that allows additional access to systems or data. These should be closed when the system is moved to production.

RATs (Remote Access Trojans or Remote Administration Tools)

  • Software that remotely gives a person full control of a tech device.

  • Programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC.

  • Provide the capability for an attacker to gain unauthorized remote access to the victim machine via specifically configured communication protocols or backdoors created upon infection.

    • Often mimic the behavior of keylogger apps by allowing the automated collection of input data.

  • Examples: SubSeven, BackOrifice, ProRat, Turkojan, and Poison-Ivy.

Spyware / Adware

  • Applications that covertly monitor online behavior without the user's knowledge or permission.

  • Collected data is relayed to outside parties, often for use in advertising.

  • Otherwise, it does not harm the infected computer, user, or data.

  • There is a line between illegal spyware and legitimate data collection.

Advanced Persistent Threat (APT)

  • A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.

  • Usually targets either private organizations, states, or both for business or political motives.

  • APT processes require a high degree of covertness over a long period of time.

    • The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.

    • The "persistent" process suggests that an external command and control (CnC or C&C) system is continuously monitoring and extracting data from a specific target.

    • The "threat" process indicates human involvement in orchestrating the attack.