1.5 Malware
Last updated
Definition: A self-replicating computer program that spreads without permission or knowledge of the owner.
Sub-types:
Resident Type: Becomes memory resident, waits for triggers, infects other programs.
Non-Resident Type: Infects files and quits, repeating when infected program is run.
Boot-Sector Virus: Spreads via boot sectors, activated during boot-up.
Multi-Partite Type: Has multiple infection mechanisms.
Definition: Appears to perform a function but facilitates unauthorized access.
Definition: Malware designed to hide a compromise or perform a compromise at a deeper level.
Levels:
Application Level
Library Level
Kernel Level
Hypervisor Level
Firmware Level
Definition: Rootkit that grabs the OS during the boot process, violating OS security.
Definition: Software facilitating unauthorized access, bypassing authentication, often hidden.
Definition: Advertising-supported software displaying ads during use; may install other software without user consent.
Definition: Software spying on user activities, collecting information without consent.
Definition: Collective term for spyware and adware.
Definition: Software connecting to premium-rate numbers, generating revenue.
Definition: Malware logging keystrokes without user consent.
Types:
Software Keylogger
Hardware Keylogger (firmware-based, PS/2 and USB, Wireless, Acoustic, Optical)
Definition: Collection of compromised computers running commands autonomously under the control of a bot master.
Creation: Usually via drive-by-downloads.
Definition: Software encrypting files, demanding payment for decryption.
Definition: Steals sensitive data, encryption keys, credit card data, etc.
Definition: Software using network/system vulnerabilities to spread, often part of other malware.
Definition: Streams are a feature of the NTFS file system, also known as Alternate Data Streams (ADS); a stream is addressed as filename:streamname and is not shown by a normal directory listing.
Usage: Used to store file metadata or any other data. Can be used for hiding data.
Example:
This command hides data in an alternate data stream in the "sample.txt" file.
Definition: Hooking involves redirecting the execution of a function. The SSDT (System Service Descriptor Table) is the kernel's table of system service handler addresses; when a user-mode system call enters the kernel, the dispatcher looks up the handler in this table.
Purpose: Malware can replace actual functions with malicious ones.
Example:
Definition: IRP (I/O Request Packet) is used in the Windows kernel for communication between components.
Purpose: Malware can manipulate data transmission between drivers.
Methods: Filter drivers, attaching as a device, modifying function pointers.
Example:
This code hooks the IRP handler for power-related operations.
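Both SSDT hooking and IRP hooking replace a function pointer in a kernel table with one that points at the rootkit's own code. The defender's check is the same for both tables: every entry should point into the module that legitimately owns it. The following is an added example (not code from the original notes); all addresses and table contents are constructed sample values rather than data read from a live kernel, and a real scanner would read the tables and module ranges from kernel memory or a memory image before applying the same comparison.

```python
"""Check kernel dispatch tables (SSDT, driver IRP MajorFunction tables) for
entries that point outside the module that should own them.

Added example, not code from the original notes. All addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRange:
    """Where a loaded kernel module lives in virtual memory."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_hooked_entries(table: dict[str, int],
                        trusted: list[ImageRange]) -> list[tuple[str, int]]:
    """Return (entry name, target address) for every entry whose target lies
    outside all trusted images. A hooked SSDT or IRP entry points at the
    rootkit's code, which lives in none of them."""
    return [(name, addr) for name, addr in table.items()
            if not any(img.contains(addr) for img in trusted)]


# Constructed sample layout: ntoskrnl mapped at 0xFFFFF80000400000, 8 MiB.
NTOSKRNL = ImageRange("ntoskrnl.exe", 0xFFFFF80000400000, 0x800000)
# Constructed sample: a disk driver mapped at 0xFFFFF98000200000, 64 KiB.
DISK_DRIVER = ImageRange("disk.sys", 0xFFFFF98000200000, 0x10000)

# Constructed SSDT excerpt: service name -> handler address.
SSDT_SAMPLE = {
    "NtOpenProcess": 0xFFFFF800004A1230,
    "NtCreateFile": 0xFFFFF800004B7F10,
    "NtQuerySystemInformation": 0xFFFFF9800012A000,  # not inside ntoskrnl
}

# Constructed IRP MajorFunction excerpt for disk.sys. Entries that point into
# ntoskrnl are legitimate (the kernel's default handler for unsupported IRPs),
# so ntoskrnl is trusted alongside the driver itself.
IRP_TABLE_SAMPLE = {
    "IRP_MJ_CREATE": 0xFFFFF800004C0000,   # kernel default handler
    "IRP_MJ_READ": 0xFFFFF98000203400,
    "IRP_MJ_WRITE": 0xFFFFF98000203600,
    "IRP_MJ_POWER": 0xFFFFF9800012A400,    # redirected out of disk.sys
}


def scan_sample_tables() -> dict[str, list[tuple[str, int]]]:
    """Run the check over both constructed tables."""
    return {
        "SSDT": find_hooked_entries(SSDT_SAMPLE, [NTOSKRNL]),
        "disk.sys": find_hooked_entries(IRP_TABLE_SAMPLE, [DISK_DRIVER, NTOSKRNL]),
    }


if __name__ == "__main__":
    for table, hits in scan_sample_tables().items():
        for name, addr in hits:
            print(f"[{table}] {name} -> {addr:#x} points outside trusted images")
```

The trusted list matters: an IRP table entry that points into ntoskrnl is normal, so trusting only the driver's own image would produce false positives on every unsupported major function.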
Approach: Requires hooking NtOpenProcess and hiding the process from the EPROCESS list.
Techniques: Unlinking process structure from the list, modifying EPROCESS list entries.
Detection Evasion: Essential for avoiding detection by security tools.
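A process unlinked from the EPROCESS list still exists: its threads are scheduled and its handles are open. The standard detection response is a cross-view comparison, listing processes from the tampered list and from an independent source, then reporting the difference. The following is an added example, not code from the original notes; the process list and the "independent view" are constructed in memory (the hidden entry is simply never linked in), and a real tool would walk the live ActiveProcessLinks list and compare it against PIDs gathered from thread lists, handle tables or a PID scan.

```python
"""Cross-view detection of a process hidden from the EPROCESS list.

Added example, not code from the original notes. All entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Eprocess:
    """Minimal stand-in for the kernel's EPROCESS: a PID, a name, and list links."""
    pid: int
    name: str
    flink: "Optional[Eprocess]" = field(default=None, repr=False)
    blink: "Optional[Eprocess]" = field(default=None, repr=False)


def link_circular(procs: list[Eprocess]) -> Eprocess:
    """Thread the entries into a circular doubly linked list and return the head."""
    for cur, nxt in zip(procs, procs[1:] + procs[:1]):
        cur.flink, nxt.blink = nxt, cur
    return procs[0]


def walk_active_process_links(head: Eprocess) -> list[int]:
    """The list view: follow flink pointers until we return to the head."""
    pids, cur = [], head
    while True:
        pids.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return pids


def cross_view_diff(list_view: list[int], independent_view: list[int]) -> list[int]:
    """PIDs the independent source knows about that the list walk never reached."""
    return sorted(set(independent_view) - set(list_view))


# Constructed sample. The process with PID 4412 exists (its threads still run)
# but is not linked into the list, so the walk never visits it.
SYSTEM = Eprocess(4, "System")
LSASS = Eprocess(612, "lsass.exe")
EXPLORER = Eprocess(1980, "explorer.exe")
HIDDEN = Eprocess(4412, "sample_hidden.exe")         # constructed name
LIST_HEAD = link_circular([SYSTEM, LSASS, EXPLORER])  # HIDDEN deliberately absent

# Independent view: owning PID of every scheduled thread (constructed).
THREAD_OWNERS = [4, 4, 612, 1980, 1980, 4412, 4412]


def find_hidden_pids() -> list[int]:
    """Compare the two views and return PIDs present only in the independent one."""
    return cross_view_diff(walk_active_process_links(LIST_HEAD), THREAD_OWNERS)


if __name__ == "__main__":
    print("list view    :", walk_active_process_links(LIST_HEAD))
    print("hidden (diff):", find_hidden_pids())
```

The difference can also run the other way (a PID in the list but in no thread table), which usually means the process is exiting rather than hidden, so a real tool reports both directions separately.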
Definition: Intercepting an API function call and modifying its functionality.
Types: IAT Hooking, EAT Hooking, Inline Hooking.
Purpose: Used for modifying behavior, logging requests, or evading detection.
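An IAT hook swaps the pointer in the import table, and an inline hook overwrites the first bytes of the target function with a jump to the hook; both can be spotted from user mode by comparing what is in memory with what a clean copy of the DLL says should be there. The following is an added example, not code from the original notes: the prologue bytes and the import/export addresses are constructed, and a real checker would read the prologue from the live process and the export address from the DLL on disk.

```python
"""Spot the two most common user-mode API hook styles.

Added example, not code from the original notes. Bytes and addresses are constructed.
"""
import struct
from typing import Optional


def inline_hook_target(prologue: bytes, func_addr: int) -> Optional[int]:
    """If the function starts with an unconditional transfer, return where it goes.

    Inline hooks overwrite the first bytes of a function with a jump to the hook.
    Checked forms:
      E9 rel32            jmp rel32           -> resolved target
      FF 25 disp32        jmp [disp32]        -> address of the pointer slot (x86)
      68 imm32 C3         push imm32 ; ret    -> imm32
    Returns None for an ordinary prologue. A legitimate function can start with
    a jump too, so confirm against the clean on-disk copy before acting on it.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0xFF and prologue[1] == 0x25:
        return struct.unpack_from("<I", prologue, 2)[0]
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def iat_mismatches(iat: dict[str, int], clean_exports: dict[str, int]) -> list[str]:
    """IAT hooking swaps the imported function pointer. Compare each slot with
    the address the DLL actually exports under that name."""
    return [name for name, addr in iat.items()
            if name in clean_exports and clean_exports[name] != addr]


# Constructed sample prologues.
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")   # mov edi,edi ; push ebp ; mov ebp,esp
HOOKED_PROLOGUE = bytes.fromhex("e9fb0f0000")     # jmp +0x0ffb

# Constructed sample addresses.
CLEAN_EXPORTS = {"CreateFileW": 0x7FFE1234, "ReadFile": 0x7FFE2345}
PROCESS_IAT = {"CreateFileW": 0x7FFE1234, "ReadFile": 0x00401000}  # ReadFile redirected


if __name__ == "__main__":
    print("clean prologue  ->", inline_hook_target(HOTPATCH_PROLOGUE, 0x7FFE1234))
    print("hooked prologue ->", hex(inline_hook_target(HOOKED_PROLOGUE, 0x7FFE1234)))
    print("IAT mismatches  ->", iat_mismatches(PROCESS_IAT, CLEAN_EXPORTS))
```

The `mov edi,edi ; push ebp ; mov ebp,esp` prologue is the hot-patchable form used by many Windows system DLLs, which is exactly the spot an inline hook overwrites; EAT hooks are checked the same way as IAT hooks, against the export table of the clean file.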
Objective: Increase the time required for code analysis by security analysts.
Example: INT 2D trick to detect debugger presence.
Anti-Debugging Techniques: Employed to hinder debugging and analysis.
Objective: Detect whether the OS is running in a virtualized environment.
Method: Using abnormal behavior of the SIDT (Store Interrupt Descriptor Table) instruction: the IDT base it returns differs between a native system and a guest in a virtualized environment.
Detection Evasion: Designed to identify if the code is running in a real or virtualized system.
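From the analyst's side, the INT 2Dh and SIDT tricks above leave a recognizable footprint in the code bytes, so a static scan can flag samples that deserve a closer look before dynamic analysis. The following is an added example, not code from the original notes; the input bytes are constructed. A raw byte scan is not instruction-aligned, so a hit inside an immediate or a data area is a false positive; treat hits as triage hints to confirm in a disassembler.

```python
"""Static scan of a code blob for INT 2Dh and SIDT encodings.

Added example, not code from the original notes. Input bytes are constructed.
"""


def scan_anti_analysis_opcodes(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, mnemonic) for each suspicious encoding found.

    INT 2Dh : CD 2D
    SIDT m  : 0F 01 /1 -> second byte 0x01, ModRM.reg == 1, ModRM.mod != 3
              (mod == 3 with reg 1 encodes other instructions, e.g. MONITOR/MWAIT)
    """
    hits = []
    i = 0
    while i < len(code) - 1:
        if code[i] == 0xCD and code[i + 1] == 0x2D:
            hits.append((i, "int 2dh"))
            i += 2
            continue
        if code[i] == 0x0F and code[i + 1] == 0x01 and i + 2 < len(code):
            modrm = code[i + 2]
            if (modrm >> 3) & 7 == 1 and (modrm >> 6) != 3:
                hits.append((i, "sidt"))
                i += 3
                continue
        i += 1
    return hits


# Constructed sample: NOP ; INT 2Dh ; NOP ; SIDT [disp32] ; RET
SAMPLE_CODE = bytes.fromhex("90 cd2d 90 0f010d00000000 c3")
# Constructed benign sample: MONITOR (0F 01 C8) shares the 0F 01 prefix but must not hit.
BENIGN_CODE = bytes.fromhex("0f01c8 90 c3")


if __name__ == "__main__":
    for off, mnem in scan_anti_analysis_opcodes(SAMPLE_CODE):
        print(f"offset {off:#04x}: {mnem}")
```

The ModRM check is what keeps the scan from matching MONITOR/MWAIT, which share the `0F 01` opcode bytes with SIDT but use the register form (mod == 3).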
Purpose: Transforming code to make it more difficult to analyze while preserving functionality.
Usage: Both by malware and legal software for protection.
Drawback for Detectors: Existing malware detectors based on signature matching can be fooled.
Definition: Software that compresses executable files.
Purpose: Decrease file size and increase chances of going undetected.
Functionality: Compresses, encrypts, and adds a loader to decompress and execute the binary in memory.
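Because a packer compresses or encrypts the real code and leaves only a small loader in the clear, packed binaries have a tell-tale section layout: a code section whose bytes look random (entropy near 8 bits per byte) and often an executable section that is empty on disk because the loader fills it at run time. The following is an added example, not code from the original notes; the section contents are constructed (a seeded random blob stands in for compressed code, plain text for ordinary data) rather than read from a real PE, and the section names are made up.

```python
"""Entropy-based packer triage for PE sections.

Added example, not code from the original notes. Section contents are constructed.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    data: bytes            # raw bytes on disk
    virtual_size: int      # size once mapped
    characteristics: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections: list[Section], threshold: float = 7.0) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for s in sections:
        executable = bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s.characteristics & IMAGE_SCN_MEM_WRITE)
        ent = shannon_entropy(s.data)
        if ent >= threshold:
            findings.append(f"{s.name}: entropy {ent:.2f} >= {threshold}")
        if executable and s.virtual_size > 0 and len(s.data) == 0:
            findings.append(f"{s.name}: executable but empty on disk (unpack target)")
        if executable and writable:
            findings.append(f"{s.name}: writable and executable")
    return findings


# Constructed samples. Seeded random bytes stand in for compressed code.
_rng = random.Random(1)
PACKED = [
    Section("pack0", b"", 0x20000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    Section("pack1", bytes(_rng.randrange(256) for _ in range(4096)), 0x1000,
            IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
]
PLAIN = [
    Section(".text", bytes.fromhex("558bec83ec10535657") * 400, 0x1000, IMAGE_SCN_MEM_EXECUTE),
    Section(".rdata", b"This program cannot be run in DOS mode.\r\n" * 100, 0x1000, 0),
]


if __name__ == "__main__":
    for label, secs in (("packed", PACKED), ("plain", PLAIN)):
        print(label, "->", packer_indicators(secs) or "no indicators")
```

Entropy alone is not a verdict: resource sections holding compressed images or embedded certificates also score high, which is why the layout checks (empty executable section, W+X) are reported alongside it.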
Definition: Code that mutates and changes with each execution, making it difficult to detect.
Challenge for Antiviruses: Polymorphic viruses are still not detected 100% by most antivirus programs.
Implementation: The body is kept encrypted and paired with a variable decryptor, so each variant is encrypted differently and carries a different decryptor.
Definition: Polymorphism applied not only to the code but also to the decryptor/header.
Implementation: Garbage insertion, register exchange, permutation of code blocks, insertion of jump instructions, instruction substitution, code integration with the host.
Technique: Inserting garbage data or instructions into the code, such as NOP instructions.
Technique: Exchanging registers in instructions to obfuscate the code.
Technique: Randomly shuffling and fixing code blocks to maintain the same execution logic.
Technique: Inserting jumps after instructions to alter the code flow without changing the logic.
Technique: Replacing one set of instructions with functionally equivalent instructions.
Technique: Modifying the target executable by integrating code into its regions.
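The garbage-insertion and instruction-substitution techniques above are exactly what defeats a fixed byte signature, and the detection-side answer is to normalize the code before matching: strip known garbage and rewrite equivalent encodings to one canonical form. The following is an added example, not code from the original notes. ORIGINAL and VARIANT are constructed x86 byte strings (VARIANT is ORIGINAL with NOPs inserted and `sub eax,eax` substituted for `xor eax,eax`). The toy normalizer works on raw bytes, which is only safe because the sample contains no immediates or displacements that could contain 0x90; a real normalizer decodes instructions first.

```python
"""A fixed byte signature misses a mutated variant; normalizing first restores the match.

Added example, not code from the original notes. All byte strings are constructed.
"""

# Constructed original sequence: xor eax,eax ; inc eax ; ret
ORIGINAL = bytes.fromhex("31c0 40 c3")
# Constructed variant: sub eax,eax (same effect) ; nop ; inc eax ; nop ; nop ; ret
VARIANT = bytes.fromhex("29c0 90 40 90 90 c3")

# Signature an engine might extract from ORIGINAL.
SIGNATURE = bytes.fromhex("31c040c3")

# Equivalence classes: every encoding that zeroes EAX maps to the canonical xor.
CANONICAL = {
    bytes.fromhex("29c0"): bytes.fromhex("31c0"),   # sub eax,eax
    bytes.fromhex("2bc0"): bytes.fromhex("31c0"),   # sub eax,eax (alternate encoding)
    bytes.fromhex("33c0"): bytes.fromhex("31c0"),   # xor eax,eax (alternate encoding)
}
GARBAGE = {bytes.fromhex("90")}                      # nop


def normalize(code: bytes) -> bytes:
    """Drop garbage instructions and rewrite equivalent encodings to one canonical form."""
    out = bytearray()
    i = 0
    while i < len(code):
        two, one = code[i:i + 2], code[i:i + 1]
        if one in GARBAGE:
            i += 1
        elif two in CANONICAL:
            out += CANONICAL[two]
            i += 2
        else:
            out += one
            i += 1
    return bytes(out)


def signature_match(code: bytes, signature: bytes) -> bool:
    """Plain substring match, as a signature engine would do it."""
    return signature in code


if __name__ == "__main__":
    print("raw original:", signature_match(ORIGINAL, SIGNATURE))
    print("raw variant :", signature_match(VARIANT, SIGNATURE))
    print("normalized  :", signature_match(normalize(VARIANT), SIGNATURE))
```

Register exchange and block permutation need more than this (renaming registers consistently and re-ordering blocks by control flow), which is why production engines match on decoded, normalized instruction streams or on behaviour rather than on raw bytes.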
Anti-Analysis Methods: Methods like anti-debugging and anti-virtual machine to hinder analysis.
Obfuscation and Encryption: Use of various techniques to hide the true intent of the code.
Packing and Compression: Use of packers to compress and encrypt executable files.
Dynamic Behavior: Code that exhibits different behaviors based on the environment or conditions.
These techniques collectively make malware resilient, difficult to detect, and challenging to analyze.
Method: Changing file extensions (e.g., from .exe to .jpg) to deceive users.
Deception: Users might be tricked into thinking the file is an image, leading to inadvertent execution.
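The renaming trick works on the human, not on the operating system, so a defender checks what the file is rather than what it is called. The following is an added example, not code from the original notes; filenames and header bytes are constructed. It covers three related tricks: a bidirectional override character that makes the real extension display backwards, a double extension whose final part is executable, and a content/extension mismatch (a PE file starts with "MZ" whatever it is called).

```python
"""Flag filenames that present an executable as an image.

Added example, not code from the original notes. Names and headers are constructed.
"""

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "dll"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
# Unicode bidi controls that reverse how the tail of a name is displayed.
BIDI_CONTROLS = {"\u202e", "\u202d", "\u202a", "\u202b", "\u2066", "\u2067", "\u2068"}


def filename_findings(name: str, header: bytes = b"") -> list[str]:
    """Return findings for a filename plus (optionally) its first bytes; empty means clean."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi override character in filename")
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in IMAGE_EXTS:
        findings.append(f"double extension .{parts[1]}.{parts[2]}")
    if header.startswith(b"MZ") and parts[-1] in IMAGE_EXTS:
        findings.append("content is a PE (MZ header) but extension claims an image")
    return findings


# Constructed samples.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),            # real JPEG
    ("holiday.jpg", b"MZ\x90\x00"),                  # .exe renamed to .jpg
    ("holiday.jpg.exe", b"MZ\x90\x00"),              # double extension
    ("invoice\u202egpj.exe", b"MZ\x90\x00"),         # displays as "invoiceexe.jpg"
    ("archive.tar.gz", b"\x1f\x8b"),                 # benign double extension
]


if __name__ == "__main__":
    for name, header in SAMPLES:
        print(repr(name), "->", filename_findings(name, header) or "ok")
```

Checking the header is the check that survives every renaming trick; the name-based checks are cheap filters that work even when the bytes are not yet available (for example on a mail gateway that only sees the attachment name).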
Scenario: After being infected, a virus may have spread to numerous files, making removal challenging.
Persistence: Re-infecting viruses can activate again when an infected file is accessed or executed.
Statistics: Around 30%-40% of files in file-sharing networks may be infected.
Risk: Clients may come pre-bundled with malware or contain hidden backdoors.
Attack Type: Drive-by-downloads exploit browsers to download the remaining part of the malware.
Trigger: Visiting a webpage containing malicious HTML can initiate the download.
Exploitation: Malware exploits vulnerabilities in networking stacks and network services (e.g., the RPC-DCOM vulnerability).
Prevention: Properly configured firewalls and timely application of patches can prevent such attacks.
Type: User mode CPU-intensive keylogger.
API Used: GetAsyncKeyState to obtain the state of keys asynchronously.
Implementation:
Features:
Open/Close CD-ROM
Display BMP/JPG image
Swap mouse buttons
Execute optional applications
Play music file
Control mouse
Shutdown Windows
Display messages to the user
Download/Upload/Delete files
Visit an optional URL
Send keystrokes and disable keys
Listen for and send keystrokes
Take a screen-dump
Removal:
Identify the NetBus server name (e.g., Patch.exe) from the registry key.
Search for the suspicious entry on the system.
Run: [NetBus server name].exe /remove.
Detection Method: Signature matching within a virus code database.
Spread Method:
Adds its code to PE files.
Changes the entry-point to the virus body.
Steps:
Get delta offset and save starting location.
Save registers for the host program.
Get the location of kernel32.dll in memory.
Use GetFunctionAddresses to get kernel32 API function addresses.
Find a valid PE file to infect.
Add code to host by updating headers.
Write updated PE Header to the host.
Add infected file to the registry.
Restore registers for the host program.
Tip: Modify the virus file and compile it to check the antivirus's ability to detect variations.
Example:
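The infection steps above leave a structural trace that does not depend on a virus-specific signature: the host gains a new last section and its AddressOfEntryPoint points into it instead of the original code section. The following is an added example, not code from the original notes; the PE images are built in memory by `build_minimal_pe()`, a constructed helper that emits only the headers the checker reads (no code bytes), and the `.vir` section name is made up.

```python
"""Parse a PE header and flag an entry point redirected into an appended section.

Added example, not code from the original notes. Images are constructed in memory.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_minimal_pe(entry_rva: int, sections: list[tuple[str, int, int, int]]) -> bytes:
    """Constructed PE32 image: DOS header, PE signature, COFF header, optional header
    (only Magic and AddressOfEntryPoint populated) and the section table.
    sections: (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0x400, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, *_rest, chars = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return entry, sections


def entry_point_findings(data: bytes) -> list[str]:
    """Heuristics for an entry point that was moved into appended code."""
    entry, sections = parse_pe(data)
    owner = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if owner is None:
        return ["entry point outside every section"]
    findings = []
    first_exec = next((s for s in sections if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if owner is sections[-1] and owner is not first_exec:
        findings.append(f"entry point in last section {owner[0]}, not the first code section")
    if owner[3] & IMAGE_SCN_MEM_WRITE and owner[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {owner[0]} is writable and executable")
    if not owner[3] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {owner[0]} is not marked as code")
    return findings


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed clean host: entry point inside .text.
CLEAN_PE = build_minimal_pe(0x1100, [(".text", 0x1000, 0x2000, CODE),
                                     (".data", 0x3000, 0x1000, DATA)])
# Constructed infected host: appended ".vir" section, entry point moved into it.
INFECTED_PE = build_minimal_pe(0x5010, [(".text", 0x1000, 0x2000, CODE),
                                        (".data", 0x3000, 0x1000, DATA),
                                        (".vir", 0x5000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)])


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, "->", entry_point_findings(image) or "no findings")
```

Packers and some linkers also put the entry point in a late section, so this heuristic is a triage aid to pair with the signature check rather than a replacement for it.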
These methods showcase the diverse ways malware spreads, emphasizing the importance of user awareness, updated security measures, and robust antivirus solutions.