Malware (Sec 6)

Malicious software designed to infiltrate computer systems and potentially damage them without
user consent.

● Categories:
○ Viruses
○ Worms
○ Trojans
○ Ransomware
○ Spyware
○ Rootkits
○ Spam

Threat Vector vs. Attack Vector

● Threat Vector: Method used to infiltrate a victim's machine. Examples include
unpatched software, USB drive installation, and phishing campaigns.
● Attack Vector: Means by which the attacker gains access and infects the system.
Combines both infiltration method and infection process.

Types of Malware Attacks

● Viruses: Attach to clean files, spread, and corrupt host files.
● Worms: Standalone programs replicating and spreading to other computers.
● Trojans: Disguise as legitimate software, grant unauthorized access.
● Ransomware: Encrypts user data, demands ransom for decryption.
● Zombies and Botnets: Compromised computers remotely controlled in a network for
malicious purposes.
● Rootkits: Hide presence and activities on a computer, operate at the OS level.
● Backdoors and Logic Bombs: Backdoors allow unauthorized access, logic bombs
execute malicious actions.
● Keyloggers: Record keystrokes, capture passwords or sensitive information.
● Spyware and Bloatware: Spyware monitors and gathers user/system information,
bloatware consumes resources without value.
● Malware Techniques and Infection Vectors: Evolving from file-based tactics to
modern fileless techniques. Multi-stage deployment, leveraging system tools, and
obfuscation techniques.

Indications of Malware Attack

Recognizing signs like the following:

● Account lockouts
● Concurrent session utilization
● Blocked content
● Impossible travel
● Resource consumption
 ● Inaccessibility
● Out-of-cycle logging
● Missing logs
● Documented attacks

Viruses
Computer Virus: Made up of malicious code that's run on a machine without the user's
knowledge, infecting the computer whenever it's run.

10 Different Types of Viruses

● Boot Sector: Stored in the first sector of a hard drive, loaded into memory during boot.
● Macro: Embedded inside another document to execute when opened by the user.
● Program: Infect executables or application files with malicious code.
● Multipartite: Combination of a boot sector virus and a program virus.
● Encrypted: Hides itself by encrypting its code.
● Polymorphic: Changes its code to evade detection.
● Metamorphic: Rewrites itself entirely before infecting a file.
● Stealth: Prevents detection by antivirus software.
● Armored: Has protection layers to confuse analysis.
● Hoax: Attempts to scare users into undesirable actions.

Worms
Worm: Malicious software that can replicate itself without user interaction, spreading throughout
a network.

● Worms are dangerous as they:

○ Infect workstations and other computing assets.
○ Disrupt normal network traffic by constantly replicating and spreading.

Trojans
Trojan: Disguised as harmless software, it performs malicious activities when executed.

● Remote Access Trojan (RAT): Provides remote control of victim machines, commonly
used for data exfiltration and maintaining persistence.

Ransomware
Ransomware: Blocks access to computer systems or data by encrypting it until a ransom is
paid.

Protection Measures
● Regular backups
 ● Software updates
● Security awareness training
● Multi-Factor Authentication (MFA)

Actions if Affected
● Never pay the ransom.
● Disconnect infected machines from the network.
● Notify authorities.
● Restore data and systems from known good backups.

Zombies and Botnets

● Botnet: Network of compromised computers or devices controlled remotely by malicious
actors.
● Zombie: Name of a compromised computer or device that is part of a botnet, used to
perform tasks using remote commands from the attacker without the user's knowledge.
● Command and Control Node: Computer responsible for managing and coordinating the
activities of other nodes or devices within a network.
● Botnets are used:
○ As pivot points.
○ To disguise the real attacker.
○ To host illegal activities.
○ To spam others by sending out phishing campaigns and other malware.
● Most common use for a botnet is to conduct a DDoS (Distributed Denial-of-Service)
attack.
○ Distributed Denial-of-Service (DDoS) Attack: Occurs when many machines target
a single victim and attack them at the exact same time.
○ Botnets are used by attackers to combine processing power to break through
different types of encryption schemes.
○ Attackers usually only use about 20-25% of any zombie’s power.

Rootkits
Rootkit: Designed to gain administrative-level control over a given computer system without
being detected.

● The account with the highest level of permissions is called the Administrator account.
○ Allows the person to install programs, delete programs, open ports, shut ports,
and do whatever they want on that system.
● A computer system has several different rings of permissions throughout the system.
○ Ring 3 (Outermost Ring): Where user level permissions are used.
○ Ring 0 (Innermost or Highest Permission Levels): Operating in Ring 0 is called
“kernel mode”, allows control over device drivers, sound card, video display, etc.
● When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 to hide
from other functions of the operating system to avoid detection.
● One technique used by rootkits to gain deeper access is DLL injection.
○ DLL Injection: Technique used to run arbitrary code within the address space of
another process by forcing it to load a dynamic-link library.
 ○ Dynamic Link Library (DLL): Collection of code and data used by multiple
programs simultaneously for code reuse and modularization.
● Shim: A piece of software code placed between two components to intercept and
redirect calls between them.
○ Rootkits are powerful and difficult to detect because the operating system is
essentially blinded to them.
○ To detect them, boot from an external device and scan the internal hard drive
using a good anti-malware scanning solution from a live boot Linux distribution.

Backdoors and Logic Bombs

Backdoor
Originally placed in computer programs to bypass normal security and authentication functions,
often by designers and programmers.

● Remote Access Trojan (RAT): Acts like a backdoor in modern networks, placed by threat
actors to maintain persistent access to a system.
● Easter egg: Hidden feature or novelty within a program, often inserted by developers as
an inside joke, but may contain significant vulnerabilities.

Logic Bombs
Malicious code inserted into a program, which executes only when certain conditions are met.

Keylogger
Keylogger: Software or hardware that records every keystroke made on a computer or mobile
device.

● Can be software-based or hardware-based.

○ Software Keyloggers: Malicious programs installed on a victim's computer, often
bundled with other software or delivered through social engineering attacks.
○ Hardware Keyloggers: Physical devices plugged into a computer, resembling a
USB drive or embedded within a keyboard cable.

Protection Measures
● Regular updates and patches.
● Quality antivirus and antimalware solutions.
● Phishing awareness training.
● Multi-factor authentication.
● Encryption of keystrokes.
● Physical checks of desktops, laptops, and servers.

Spyware and Bloatware

Spyware
Malicious software designed to gather and send information about a user or organization
without their knowledge.

● Installed through various methods such as bundling with other software or deceptive
pop-up ads.
● Protection: Use reputable antivirus and anti-spyware tools regularly updated.

Bloatware
Pre-installed software on new computers or smartphones that users did not request or need.

● Can waste storage space, slow down performance, and introduce security
vulnerabilities.
● Removal methods: Manual removal, bloatware removal tools, or clean OS installation.

Malware Attack Techniques

Malware Exploitation Technique: Method by which malware penetrates and infects a system.

● Some malware focuses on infecting system memory to leverage remote procedure calls
over the network.
● Modern malware often uses fileless techniques to avoid detection.
○ Stage 1 Dropper or Downloader: Lightweight shellcode executed on a system to
retrieve additional portions of malware code.
■ Dropper: Initiates or runs other malware forms within a payload.
■ Downloader: Retrieves additional tools post-initial infection.
■ Shellcode: Lightweight code meant to execute an exploit on a target.
● Stage 2: Downloader: Installs remote access Trojan for command and control on the
victimized system.
● Actions on Objectives: Execute primary objectives like data exfiltration or file encryption.
● Concealment: Helps threat actors prolong unauthorized access by hiding tracks and
erasing log files.
● “Living off the Land”: Exploits standard tools for intrusions.

9 Common Indicators of Malware Attacks

● Account Lockouts
○ Malware, especially those designed for credential theft or brute force attacks, can
trigger multiple failed login attempts that would result in a user’s account being
locked out.
● Concurrent Session Utilization
○ If you notice that a single user account has multiple simultaneous or concurrent
sessions open, especially from various geographic locations.
● Blocked Content
○ If there is a sudden increase in the amount of blocked content alerts you are
seeing from your security tools.
● Impossible Travel
 ○ Refers to a scenario where a user's account is accessed from two or more
geographically separated locations in an impossibly short period of time.
● Resource Consumption
○ If you are observing any unusual spikes in CPU, memory, or network bandwidth
utilization that cannot be linked back to a legitimate task.
● Resource Inaccessibility
○ Ransomware
■ Form of malware that encrypts user files to make them inaccessible to the
user.
■ If a large number of files or critical systems suddenly become
inaccessible or if users receive messages demanding payment to decrypt
their data.
● Out-of-Cycle Logging
○ If you are noticing that your logs are being generated at odd hours or during
times when no legitimate activities should be taking place (such as in the middle
of the night when no employees are actively working).
● Missing Logs
○ If you are conducting a log review as a cybersecurity analyst and you see that
there are gaps in your logs or if the logs have been cleared without any
authorized reason.
● Published or Documented Attacks
○ If a cybersecurity research or reporter published a report that shows that your
organization’s network has been infected as part of a botnet or other malware-
based attack.