Characteristics of Malware+
Awareness is Key
Hello again, all. This post will discuss everything you need to know about malware, including its types, behaviors, and mannerisms. It’s important to know what to look for in malware (its patterns). It could either save your ass one day, or help you with that SOC analyst job.
As a bonus, the majority of what will be discussed is a part of the malware section of the Security+ certification curriculum. See below:
Password attacks and Physical attacks can/will be discussed in a later post.
Overview of Malware
Let’s start with the basics. Malware stands for “malicious software”. It is a program on a computer/machine that performs some sort of malicious action. These actions range from displaying ads on your screen to taking complete control of your machine.
How do you get malware?
Malware, as mentioned before, is a software program. It has to come from somewhere. You aren’t going to open your laptop one day and go “oh shit” then have to reimage your machine minus a few extremely rare cases such as the recent Log4j Remote Code Execution (RCE) and this one, obvious, and hilarious instance. These extremely rare cases are called “zero-days”, meaning that there is an exploit within currently written programs that should be fixed right now i.e. today, hence the name “zero-day”.
Zero-day exploits are not only extremely rare, but often exist as points of entry/escalation on machines that are open to the internet (which is to say, not the laptop you’re reading this on right now). I linked EternalBlue above as that was a rare instance where there was literally nothing that you could do to protect your personal machine from infection (minus turning it off) (LINK).
Zero-day exploits are usually patched quickly (most of the patches come from Microsoft). 99% of malware is written for Windows machines since it is the most common OS. Only the absolute champion malware authors write Unix-based malware which are built to take on company networks.
90% of people use Windows for day-to-day internet surfing. Some companies run on Windows servers, yet many run Linux for their main server machines.
After a patch is released, you are prompted to update your machine. If you don’t consistently update your machines, you are missing out on key security protections. Also, if you’re still running Windows 7 in 2022, you’re NGMI.
Malware is often called a “virus”. Viruses are a subset of malware that can replicate itself to infect more machines (just like a real virus infects more hosts). Nowadays, the use of the terms virus and malware are often interchangeable.
Malware is usually captured through the use of phishing campaigns, which are a form of social engineering where a victim is convinced to either give up their personal information (PII or PHI) to an attacker who is posing as an authority figure or to install malicious software on their machine which an attacker instructs them to do. I could do an entire post on just the forms of phishing, but what you should know about it for the time being is that someone (attacker) is convincing someone else (victim) to do something that the attacker wants for his or her benefit.
AVs
You can be protected from malware at the last second through the use of anti-virus software (AV). AVs scan programs as you run/download them and detect if they contain malware through the use of signatures and predetermined hash calculations. If you want to learn more about AVs, BowTiedCyber has an excellent post regarding them.
Personally, I am “anti-anti-virus”. Unless you are torrenting programs often, you don’t need an antivirus. VirusTotal does a decent job if you’re suspicious about something. I usually turn off Windows AV since I perform malware analysis and write basic malware to test myself with. This is my opinion, so please DYOR, anon.
Malware Types
Malware usually falls under multiple classifications. These types are determined by the behavior and actions of the malware sample.
Trojans
One form of malware infection is through the use of what are called Trojans. Trojan viruses are an obvious reflection on the infamous Trojan Horse. They accomplish what you would they think would. They pose as a legitimate program, but once run, they perform their predetermined malicious actions. These actions are called a payload. These “legitimate” programs are usually something silly like free Steam cards or free Robux. One popular ransomware virus whose name I’ve forgotten posed as a tax return calculator.
Some Trojans execute their desired task normally (or spew some kind of bogus error, frustrating the user). This can trick the user into thinking that nothing is wrong with the program while the malicious action is working in the background.
Note that simply having the Trojan on your machine will not prompt it to execute aka detonate. You can only infect your machine with malware if you execute a malicious program. The only exception to this is an attack through an exploitable vector e.g. zero-day.
Ransomware
Ransomware is “ransom software”. Upon detonation, ransomware encrypts certain files and demands a ransom for you to pay in Bitcoin or some other cryptocurrency. Upon paying the ransom, you (hopefully) retrieve the key to decrypt your files.
If you ever find yourself infected with ransomware, it is recommended to pay the ransom. Odds are, you’ll get your files back as the APT/Hacktivist group behind the ransomware doesn’t want to ruin their reputation and have fewer victims pay their ransom. They just want the cash. Personally, you should weigh your options and decide if you are better off paying, or if your lost files are worth less than the ransom.
BowTiedCyber once again has an excellent post concerning ransomware.
Worms
Think of worms as… worms. Worms burrow through the earth in search of nutrients. Malware worms burrow through networks in search of exploitable machines. An infamous worm+ransomware virus was WannaCry. When it infected a machine, it duplicated itself and attempted to search through the local network for more machines to infect. It is said that WannaCry infected over 230,000 machines in 150 countries in a single day. My high school was hit with a worm my senior year (everyone thought it was me). Our IT guy (basketball coach) said that it got through the AC units… he’s NGMI.
I joke about the AC unit thing, but it is absolutely possible for malware to infect industrial control systems (ICSs). There is an entire job market just for blue-team ICS analysts. If you’re curious about this, see SCADA.
Potentially Unwanted Programs (PUPs)
PUPs are programs, usually bundled with software installations, that perform actions that most people would think to be “unwanted”. This includes displaying advertisements, logging user data (and possibly sending it elsewhere), and browser hijacking. Many PUPs can possibly lower the security level of a machine, and malicious authors can use them to escalate further within a system/network.
Fileless Virus
Fileless viruses are dynamically loaded programs that do not live on a hard disk/drive. These programs reside strictly in memory (RAM) and will disappear after either restarting your machine or by ending the process. However, usually by the time they are removed, their malicious actions have already taken place (data scraping, password dumping, etc.).
Fileless viruses are usually bundled into Trojans. Upon executing, a new program (the virus) is forked and run. The Trojan may perform the action desired by the user or display some bogus error. Fileless viruses can also be used through the use of loaders (discussed below). The key feature of fileless viruses is that they will not usually be found by a virus scan.
Fileless viruses are not completely hidden from the disk. They have to come from an executed process that was downloaded to your machine. Even if the executable deletes itself, it will leave remnants that can be tracked down via forensic analysis.
Command & Control (C&C)
C&C viruses are responsible for opening up parts of a machine for remote access, commonly through the use of socket connections. These parts are usually ports opened in a system’s firewall which allow a malicious actor to send commands to the malware which is living on the system.
Firewalls are a piece of software that monitors the inbound/outbound connections sent to/from a machine. Programs (multiplayer games for example) can create openings in the firewall (called rules) which allow communication with outside sources. Your average personal computer has a very locked-down firewall, allowing very few outside connections. This is contrary to a company’s network which may host publicly facing services such as a website.
C&C viruses are usually used as a payload with Trojans, yet they can also be used with exploitation. The Metasploit pentesting framework is heavily reliant on C&C functionality. Once a C&C virus is up and running, there is almost nothing that the attacker can’t do with your computer. Here are some examples.
Bots
Bots are a proto-AI system that attacks machines with simple, brainless exploitation techniques. Bots can’t do much on their own, but a collectivized system of bots (called a botnet) can wreak havoc on a machine or network with attacks such as distributed denial of service (DDOS). Imagine fending off a 10 year-old. Seems easy enough. Now try to fend off 100 10 year-olds, at once. Not so easy now, is it?
Cryptomalware
Cryptomalware is a form of malware that involves the unauthorized mining of cryptocurrencies. These are commonly called “crypto miners” or “Bitcoin miners”. These types of malware infect a machine, and then use its computing resources to mine a cryptocurrency. This action is called “cryptojacking”.
Logic Bombs
Logic bombs are malicious payloads injected into programs which only detonate when certain conditions are met. For example, let’s say you have a cronjob that executes a program every Tuesday evening. A hacker could replace that program with a malicious one that he or she has written, and come Tuesday evening, your NAS is encrypted. Logic bombs are used when a hacker wants to cover his/her tracks and confuse incident responders as to how the malware was activated and when/how it entered into the system.
Spyware
Spyware is simply malware that captures data on the machine. Spyware actively monitors machine data (GPS location, websites visited, and in some cases, what you’re saying!).
Recently, one of the most sophisticated examples of spyware, Pegasus, was decompiled and leaked (LINK).
Keylogger
Keyloggers actively monitor keystrokes sent on a victim computer. These monitor every keystroke, meaning that your login credentials to websites are susceptible to being captured and sent elsewhere.
It’s fortunately easy to classify keyloggers since they import Windows API functions that capture keys (GetAsyncKeyState for example). Not very many programs use these functions, so an analysis tool like PEStudio should yell at you.
Remote Access Trojan (RAT)
RATs are Trojan viruses that insert a backdoor for remote access. Backdoors are what they sound like, another way into a machine. C&C viruses supersede RATs as RATs are limited to strictly to Trojan viruses that open up a backdoor for remote access whereas C&C gives an attacker a remote pathway to execute malicious commands.
Rootkit
Rootkits are viruses that allow attackers access parts of a machine that they are not authorized to. This is known as privilege escalation. The keyword of rootkit is “root”, which is the highest position of authority on a machine (Windows calls it “SYSTEM” but “systemkit” doesn’t sound cool).
Do not misunderstand rootkits as they do not actively escalate the user to a higher position. They are usually installed as root/administrator through the use of social engineering or by exploiting a vulnerability. Afterwards, they are used as a channel for outside attackers to gain root access. Rootkits can embed themselves nearly anywhere on a machine/network, in files, the registry, even in firmware. Rootkits are not necessarily the “virus”. The payload that goes through them is regarded as the virus.
LoJax is an example of a rootkit which embeds itself into Unified Extensible Firmware Interface (UEFI) firmware. UEFI is dubbed as the successor of the Basic Input/Output System (BIOS) and also regarded as more secure, but alas.
Backdoor
Backdoor was already mentioned above. They can vary from opening ports on a machine to injecting executables to allow outside access. RATs and C&C viruses use backdoors for outside attacker access to a victim machine.
Other Types of Malware
Scareware
Scareware is malware that “scares” you into downloading actual malware. Scareware is harmless, but the loud noises and flashing screen effects will scare unknowing victims into either downloading malware or paying their hard earned cash to whom they think is an authority figure. Scareware is a form of social engineering.
Adware
Adware is also harmless, but can reduce the security of a system. Adware is a form of PUP that often hijacks browsers into displaying advertisements (for Viagra or something ridiculous) so that the adware author receives ad revenue.
Bloatware
Bloatware is also, also harmless. Bloatware programs are unnecessary programs that do nothing but take up space. Many laptops or prebuilt machines come with bloatware that you should probably delete to save that sweet, sweet hard drive space.
Loaders
Loaders are stealthy, lightweight forms of malware than sneak past network IDS/IPSs (either through social engineering or vulnerability exploitation) and then manually download the actual malware payload into the system.
How Do I Protect Myself?
Firstly, you should know that malware has to get onto a machine somehow. Social engineering is an evergreen method of convincing people to download malware. Once again, I could do an entire post on phishing. Essentially, what you need to know is that nothing is free. Anything that is too good to be true, is too good to be true. No, you didn’t win a free iPad, nor did you win that 6-day cruise to the Bahamas. If you didn’t order a package, you didn’t order a package. Don’t click that link.
Secondly, always keep your machines updated. Yes, it usually prompts you at a bad time. You’ll have to just suck it up.
Don’t ever root/jailbreak your phone. Those devices are locked down for a reason. Should you be infected with malware on a rooted device, then all of your data on your phone could be exposed to an attacker.
This concludes this free post. Thanks for reading!