4.5 Malware

7 - Malware

Types of Malware

Virus

  • Definition: A self-replicating computer program that spreads without permission or knowledge of the owner.

  • Sub-types:

    • Resident Type: Becomes memory resident, waits for triggers, infects other programs.

    • Non-Resident Type: Infects files and exits; the cycle repeats each time an infected program is run.

    • Boot-Sector Virus: Spreads via boot sectors, activated during boot-up.

    • Multi-Partite Type: Has multiple infection mechanisms.

Trojan Horse

  • Definition: Appears to perform a function but facilitates unauthorized access.

Rootkit

  • Definition: Malware designed to hide a compromise or perform a compromise at a deeper level.

  • Levels:

    • Application Level

    • Library Level

    • Kernel Level

    • Hypervisor Level

    • Firmware Level

Bootkit

  • Definition: Rootkit that takes hold of the OS during the boot process, before the OS's own security controls are in place, and so subverts them.

Backdoor

  • Definition: Software facilitating unauthorized access, bypassing authentication, often hidden.

Adware

  • Definition: Advertising-supported software displaying ads during use; may install other software without user consent.

Spyware

  • Definition: Software spying on user activities, collecting information without consent.

Greyware

  • Definition: Collective term for spyware and adware.

Dialer

  • Definition: Software that silently dials premium-rate numbers, generating revenue for the attacker at the victim's expense.

Key-logger

  • Definition: Malware logging keystrokes without user consent.

  • Types:

    • Software Keylogger

    • Hardware Keylogger (firmware-based, PS/2 and USB, Wireless, Acoustic, Optical)

Botnet

  • Definition: Collection of compromised computers running commands autonomously under the control of a bot master.

  • Creation: Usually via drive-by-downloads.

Ransomware

  • Definition: Software encrypting files, demanding payment for decryption.

Data-stealing Malware

  • Definition: Steals sensitive data, encryption keys, credit card data, etc.

Worm

  • Definition: Software using network/system vulnerabilities to spread, often part of other malware.

Techniques Used by Malware

Streams

  • Definition: Streams are a feature of the NTFS file system, also known as Alternate Data Streams (ADS).

  • Usage: Used to store file metadata or any other data; can also be used to hide data, since a standard directory listing shows only the default stream of each file.

  • Example:

    This command hides data in an alternate data stream in the "sample.txt" file.
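The defender's counterpart, added here as an example (not code from the notes): a small triage helper that parses the output of `dir /r`, the built-in Windows listing that does show alternate data streams, and flags streams worth a closer look. The listing below is constructed for the example.

```python
import re

# Constructed sample of `dir /r` output (illustrative, not captured from a real host).
# Stream lines are the indented ones whose name has the form file:stream:$DATA.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\lab\\Desktop

03/01/2024  09:15 AM                17 sample.txt
                                    41 sample.txt:hidden.txt:$DATA
03/01/2024  09:20 AM           102,400 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/01/2024  09:22 AM            40,960 invoice.pdf
                                71,680 invoice.pdf:payload.exe:$DATA
               3 File(s)        143,377 bytes
"""

STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# Zone.Identifier is the mark-of-the-web stream browsers add on download: expected noise.
BENIGN_STREAMS = {"Zone.Identifier"}
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")

def parse_streams(listing):
    """Return (file, stream, size) for every named data stream in a `dir /r` listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            found.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found

def suspicious_streams(listing, min_size=1024):
    """Flag streams that are not known-benign; give reasons when the stream name looks
    executable or the stream is large enough to hold a real payload."""
    flagged = []
    for path, stream, size in parse_streams(listing):
        if stream in BENIGN_STREAMS:
            continue
        reasons = []
        if stream.lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable-looking stream name")
        if size >= min_size:
            reasons.append(f"{size} bytes")
        flagged.append((path, stream, reasons or ["unexpected named stream"]))
    return flagged
```

On a live system the same functions can be fed the captured output of `dir /r /s` for a whole directory tree.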

Hooking Native API/SSDT

  • Definition: Hooking redirects the execution of a function. The SSDT (System Service Descriptor Table) is the kernel's table of system-call handlers, the path through which user-mode requests reach kernel mode.

  • Purpose: Malware can replace actual functions with malicious ones.

  • Example:

Hooking IRP

  • Definition: IRP (I/O Request Packet) is used in the Windows kernel for communication between components.

  • Purpose: Malware can manipulate data transmission between drivers.

  • Methods: Filter drivers, attaching as a device, modifying function pointers.

  • Example:

    This code hooks the IRP handler for power-related operations.

Hiding a Process

  • Approach: Hook NtOpenProcess and remove the process from the EPROCESS list.

  • Techniques: Unlinking the process's EPROCESS structure from the kernel's linked list of active processes by rewriting the neighbouring list entries.

  • Detection Evasion: Essential for avoiding detection by security tools.

API Hooking

  • Definition: Intercepting an API function call and modifying its functionality.

  • Types: IAT (Import Address Table) Hooking, EAT (Export Address Table) Hooking, Inline Hooking.

  • Purpose: Used for modifying behavior, logging requests, or evading detection.
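A detection-side illustration added here (not code from the notes): inline hooks overwrite the first bytes of a function with a control-flow transfer, so a scanner can decode those bytes and ask where they lead. The module range, export addresses and byte patterns below are constructed, 32-bit examples.

```python
import struct

# Typical x86 prologue of an unhooked Windows API (mov edi,edi; push ebp; mov ebp,esp).
# The 2-byte mov edi,edi exists so that hot-patching can overwrite it with a short jump,
# which is also why inline hooks land at the very first bytes of a function.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

def decode_redirect(code, va):
    """If the bytes at virtual address `va` begin with a control-flow transfer of the
    kind inline hooks plant (32-bit encodings only), return its target, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # mov eax,imm32; jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    return None

def inspect_export(name, code, va, module_start, module_end):
    """Classify an export's first bytes. A redirect that leaves the module's own address
    range is the classic sign of an inline hook into injected code."""
    target = decode_redirect(code, va)
    if target is None:
        return {"function": name, "redirect": None, "suspicious": False}
    return {"function": name, "redirect": target,
            "suspicious": not (module_start <= target < module_end)}

def jmp_rel32(src_va, dst_va):
    """Encode a jmp rel32 from src_va to dst_va (only used to build the sample below)."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))

# Constructed sample: a hypothetical kernel32 mapped at 0x7C800000-0x7C8F6000 (illustrative
# addresses), with one clean export, one redirected into a foreign region at 0x10001000,
# and one whose jump stays inside the module (for instance a legitimate internal stub).
MODULE = (0x7C800000, 0x7C8F6000)
SAMPLES = {
    "CreateFileA": (0x7C801A28, CLEAN_PROLOGUE),
    "WriteFile":   (0x7C810E27, jmp_rel32(0x7C810E27, 0x10001000)),
    "CloseHandle": (0x7C809BD7, jmp_rel32(0x7C809BD7, 0x7C8A0000)),
}

def scan(samples=SAMPLES, module=MODULE):
    """Run inspect_export over every sampled export."""
    return [inspect_export(n, code, va, *module) for n, (va, code) in samples.items()]
```

A real scanner reads each export's bytes from process memory and compares them with the on-disk copy as well; the pattern check above catches the common hook encodings even without the disk copy.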

Anti-Debugging Methods

  • Objective: Increase the time required for code analysis by security analysts.

  • Example: INT 2D trick to detect debugger presence.

  • Anti-Debugging Techniques: Employed to hinder debugging and analysis.

Anti-Virtual Machine

  • Objective: Detect whether the OS is running in a virtualized environment.

  • Method: Using the abnormal result of the SIDT (Store Interrupt Descriptor Table) instruction, whose reported IDT base differs under some virtual machine monitors.

  • Detection Evasion: Lets the code tell whether it is running on a real system or in a virtualized analysis environment.

Obfuscation

  • Purpose: Transforming code to make it more difficult to analyze while preserving functionality.

  • Usage: Both by malware and legal software for protection.

  • Drawback for Detectors: Existing malware detectors based on signature matching can be fooled.

Packers

  • Definition: Software that compresses executable files.

  • Purpose: Decrease file size and increase chances of going undetected.

  • Functionality: Compresses, encrypts, and adds a loader to decompress and execute the binary in memory.

Polymorphism

  • Definition: Code that mutates and changes with each execution, making it difficult to detect.

  • Challenge for Antiviruses: Polymorphic viruses are still not detected 100% by most antivirus programs.

  • Implementation: The body stays constant but is stored under a different encoding (key) in each variant, with a decryptor that itself varies, so no fixed byte sequence is shared between variants.

Metamorphism

  • Definition: Polymorphism applied not only to the code but also to the decryptor/header.

  • Implementation: Garbage insertion, register exchange, permutation of code blocks, insertion of jump instructions, instruction substitution, code integration with the host.

Garbage Insertion

  • Technique: Inserting garbage data or instructions into the code, such as NOP instructions.

Register Exchange

  • Technique: Exchanging registers in instructions to obfuscate the code.

Permutation of Code Blocks

  • Technique: Randomly reordering code blocks and patching the jumps between them so that the execution logic stays the same.

Insertion of Jump Instructions

  • Technique: Inserting jumps after instructions to alter the code flow without changing the logic.

Instruction Substitution

  • Technique: Replacing one set of instructions with functionally equivalent instructions.

Code Integration with Host

  • Technique: Modifying the target executable by weaving the malicious code into its existing code regions rather than appending it as a separate block.

Other Techniques

  • Anti-Analysis Methods: Methods like anti-debugging and anti-virtual machine to hinder analysis.

  • Obfuscation and Encryption: Use of various techniques to hide the true intent of the code.

  • Packing and Compression: Use of packers to compress and encrypt executable files.

  • Dynamic Behavior: Code that exhibits different behaviors based on the environment or conditions.

These techniques collectively make malware resilient, difficult to detect, and challenging to analyze.

How Malware Spreads

Email Attachments

  • Method: Disguising executables with misleading extensions (e.g., an .exe presented as a .jpg) to deceive users.

  • Deception: Users might be tricked into thinking the file is an image, leading to inadvertent execution.

Already Infected Files

  • Scenario: After being infected, a virus may have spread to numerous files, making removal challenging.

  • Persistence: A virus that was only partly removed activates again when a still-infected file is accessed or executed.

Peer-2-Peer File Sharing

  • Statistics: Around 30%-40% of files in file-sharing networks may be infected.

  • Risk: Clients may come pre-bundled with malware or contain hidden backdoors.

Websites (Drive-by-Downloads)

  • Attack Type: Drive-by-downloads exploit browsers to download the remaining part of the malware.

  • Trigger: Visiting a webpage containing malicious HTML can initiate the download.

Internet Connection/Local Network

  • Exploitation: Malware exploits glitches in networking stacks (e.g., RPC-DCOM vulnerability).

  • Prevention: Properly configured firewalls and timely application of patches can prevent such attacks.

Malware Samples

Keyloggers

  • Type: User-mode keylogger that polls key state in a tight loop, hence CPU-intensive.

  • API Used: GetAsyncKeyState to obtain the state of keys asynchronously.

  • Implementation:

Trojan (NetBus Trojan ver 1.7)

  • Features:

    • Open/Close CD-ROM

    • Display BMP/JPG image

    • Swap mouse buttons

    • Execute optional applications

    • Play music file

    • Control mouse

    • Shutdown Windows

    • Display messages to the user

    • Download/Upload/Delete files

    • Visit an optional URL

    • Send keystrokes and disable keys

    • Listen for and send keystrokes

    • Take a screen-dump

  • Removal:

    • Identify NetBus-server name (e.g., Patch.exe) from registry key.

    • Search for the suspicious entry on the system.

    • Run: [Name of the NetBus server].exe /remove.

Virus (Win32.Dissolution)

  • Detection Method: Signature matching within a virus code database.

  • Spread Method:

    • Adds its code to PE files.

    • Changes the entry-point to the virus body.

  • Steps:

    • Get delta offset and save starting location.

    • Save registers for the host program.

    • Get the location of kernel32.dll in memory.

    • Use GetFunctionAddresses to get kernel32 API function addresses.

    • Find a valid PE file to infect.

    • Add code to host by updating headers.

    • Write updated PE Header to the host.

    • Add infected file to the registry.

    • Restore registers for the host program.
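An added example (not code from the notes or from the virus): a small PE32 triage in Python that parses the section table and flags the two traits described above, an entry point moved into an appended, writable and executable last section (the infection method of Win32.Dissolution) and sections with near-random content (the packers described earlier). build_pe only assembles constructed test images; on a real case the image would be read from disk.

```python
import math, struct
from collections import Counter
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, rva, data, characteristics) tuples; constructed test data only."""
    opt_size, nsec = 224, len(sections)
    raw_off = (0x80 + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # first section on a 512-byte boundary
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(opt_size, b"\0")
    table, body = b"", b""
    for name, rva, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data),
                             raw_off + len(body), 0, 0, 0, 0, chars)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return (dos + coff + opt + table).ljust(raw_off, b"\0") + body

def parse_pe(image):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE32 image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[pe:pe + 4] == b"PE\0\0", "not a PE image"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    entry = struct.unpack_from("<I", image, pe + 24 + 16)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", image, pe + 24 + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                     "data": image[f[4]:f[4] + f[3]], "chars": f[9]})
    return entry, secs

def entropy(data):
    # Shannon entropy in bits per byte; 8.0 means every byte value is equally frequent
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if (n := len(data)) else 0.0

def triage(image):
    """Flag an entry point moved into a trailing W+X section and near-random sections."""
    entry, secs = parse_pe(image)
    findings = []
    ep = next((s for s in secs if s["rva"] <= entry < s["rva"] + max(s["vsize"], len(s["data"]))), None)
    if ep is None:
        findings.append("entry point outside every section")
    elif ep is secs[-1] and len(secs) > 1:
        findings.append(f"entry point in last section {ep['name']}")
    if ep and ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {ep['name']} is writable and executable")
    for s in secs:
        h = entropy(s["data"])
        if h > 7.0:
            findings.append(f"section {s['name']} entropy {h:.2f} (packed or encrypted?)")
    return findings
```

These are heuristics, not signatures: a legitimately packed installer trips the entropy check too, so the findings are a reason to look closer, not a verdict.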

Testing Antivirus Strength

  • Tip: Modify the virus file and compile it to check the antivirus's ability to detect variations.

  • Example:

These methods showcase the diverse ways malware spreads, emphasizing the importance of user awareness, updated security measures, and robust antivirus solutions.