Malware Types

Malware Types #

Understand what differentiates them

Ransomware - Takes over a computer and demands a ransom #

  • Crypto ransomware - Encrypts files and holds them hostage until payment is made
  • Other variants threaten to expose or report the user unless paid, without encrypting anything
  • Delivery Methods - Often via phishing, exposed Remote Desktop Protocol (RDP), etc.
  • Indicators Of Compromise (IoCs)
    • Command & Control (C&C) traffic to known malicious IP addresses
    • Use of legitimate tools in abnormal ways to retain control of the compromised system
    • Lateral movement that probes or attacks other systems in the same trust boundary
    • Mass encryption of files (rewrites with new extensions and high-entropy content)
    • Data exfiltration behaviors (data is often stolen before it is encrypted)
    • Notices to the end user about the encryption, with demands for ransom
  • Defense - Effective backup system in another location (offline or otherwise isolated from the production network, with restores tested regularly)
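The "encryption of files" indicator above can be turned into a simple behavioral check: ransomware typically keeps the original file name, appends a new extension, and rewrites the content as ciphertext, which scores close to 8 bits of entropy per byte. The Python below is an added example, not code from the original notes; the thresholds, the benign-archive allowlist and the file-rewrite events are constructed assumptions for the demonstration.

```python
import math
import os
from collections import Counter

# Assumptions (not from the original notes): thresholds and the allowlist are
# illustrative and must be tuned to the environment being monitored.
ENTROPY_THRESHOLD = 7.5       # bits/byte; ciphertext sits close to 8.0
BURST_THRESHOLD = 5           # suspicious rewrites before raising an alert
BENIGN_ARCHIVE_EXTS = {".gz", ".zip", ".7z", ".bz2", ".xz"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text and most documents score well below 7;
    ciphertext and compressed data score close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_rewrite(old_path: str, new_path: str, new_content: bytes) -> bool:
    """Flag the pattern crypto-ransomware leaves behind: the original name kept
    with a new extension appended (report.docx -> report.docx.locked) and the
    rewritten content indistinguishable from random bytes."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    if not new_path.startswith(old_path) or new_ext == old_ext:
        return False                      # ordinary save/edit, not a rename
    if new_ext in BENIGN_ARCHIVE_EXTS:
        return False                      # compression also yields high entropy
    return shannon_entropy(new_content) >= ENTROPY_THRESHOLD


def scan_events(events):
    """events: iterable of (old_path, new_path, new_content). Returns the list
    of flagged paths and whether they amount to a burst worth alerting on."""
    flagged = [new for old, new, data in events if is_suspicious_rewrite(old, new, data)]
    return flagged, len(flagged) >= BURST_THRESHOLD


def sample_events():
    """Constructed file-rewrite events for the demo, not real telemetry."""
    doc = b"Quarterly report: revenue up 4%, headcount flat. " * 40
    events = [("notes.txt", "notes.txt.gz", os.urandom(4096)),   # benign archive
              ("report.docx", "report.docx", doc)]               # ordinary edit
    for i in range(6):                                           # encryption wave
        src = f"finance/sheet{i}.xlsx"
        events.append((src, src + ".locked", os.urandom(4096)))
    return events


if __name__ == "__main__":
    flagged, alert = scan_events(sample_events())
    print(f"{len(flagged)} suspicious rewrites, alert={alert}")
    for path in flagged:
        print("  ", path)
```

The allowlist exists because compression produces the same high-entropy signature as encryption; without it, a user zipping a folder looks like an outbreak. In practice the event stream would come from an EDR agent or file-system audit log, and the burst threshold would be scoped per host and per user within a time window.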

Trojans - Malicious code disguised as legitimate software; requires user action #

  • Rely on unsuspecting victims to run them
  • Sometimes further content is downloaded to extend the malicious code
  • Often connects to a command and control server and waits for instructions, which can include running commands locally on the victim
  • Example: Triada, distributed inside a modified ("enhanced") third-party build of WhatsApp
  • RAT: Remote Access Trojans - give attackers remote access to systems
  • Indicators Of Compromise (IoCs)
    • Signatures for specific applications and downloadable files
    • Command and control system hostnames and IP addresses
    • Folders or files created on target devices
    • Frequent connections to changing, unknown remote hosts
  • Defense
    • Awareness training
    • Control which software can be installed (application allowlisting)
    • Verify hashes/signatures of downloads against the publisher's published values
    • Anti-malware
    • Endpoint Detection and Response (EDR)

Worms - Spread themselves #

  • Spread via vulnerable services, email attachments, network file shares, IoT devices, phones, …
  • They self-install and self-propagate without user action
  • Example: Stuxnet
  • Indicators Of Compromise (IoCs)
    • Known malicious files
    • Download of additional components from remote systems
    • Command and control contact to remote systems
    • Malicious behaviors using system commands for injection and other activities
    • Hands-on-keyboard attacker activity
  • Defense
    • Pre-infection
      • Network-level controls
      • Firewalls
      • Network segmentation (limits how far a worm can spread)
    • Post-infection
      • Antimalware
      • EDR
      • Reset/rebuild the affected system

Spyware - designed to obtain information about individual/organization/system #

  • Tracks installed software, browsing behavior, webcams, … and reports back to a central server
  • Stalkerware -> used to monitor partners in a relationship
  • It looks like much other malicious code, so the key differentiator is the INTENT behind its use
  • Indicators Of Compromise (IoCs)
    • Remote-access and remote-control-related indicators
    • Known software file fingerprints
    • Malicious processes, often disguised as system processes
    • Injection attacks against browsers
  • Defense
    • Antimalware
    • User awareness
    • Control which software can be installed

Bloatware - Preinstalled applications (that you don’t want), just unwanted #

  • Usually not intentionally malicious
  • May call home with information about your system and expose a vulnerability that can be exploited
  • Defense
    • Uninstall
    • Clean OS image
  • No IoCs as such; treat it as extra attack surface rather than an active compromise

Viruses - self-copy and self-replicate, but don’t spread via vulnerable services and networks (unlike worms) #

  • Require user action to spread; only run when the infected file is run
  • Usually have a trigger that decides when the virus executes and a payload (what it does)
  • Fileless virus - shellcode or a script run through the command line/scripting engine that loads malicious code directly into memory rather than onto disk; it re-establishes itself after reboot through a persistence mechanism, but while running it lives in memory
  • Indicators Of Compromise (IoCs)
    • See threat feeds (file hashes and signatures)
  • Defense
    • Network controls
    • Intrusion Prevention Systems (IPS)
    • User awareness
    • Antimalware
    • Best: wipe it and restart from a clean image or safe backup

Keyloggers - Capture keystrokes from the keyboard (and mouse, card swipes, and any other input) #

  • Goal is for the attacker to analyze these inputs (e.g. to harvest credentials)
  • Exist as software and hardware (hardware keyloggers are invisible to software defenses; physical inspection is needed)
  • Defenses
    • User awareness
    • Antimalware
    • Patching and updates
  • Indicators Of Compromise (IoCs)
    • File hashes and signatures
    • Exfiltration activity to command and control systems
    • Process names
    • Known reference URLs

Logic Bombs - Functions or code placed inside other programs that activate when set conditions are met #

  • Planted either by an insider or via an open-source (OSS) supply-chain compromise
  • Once the trigger condition is met, the payload executes and its actions take place
  • No IoCs as such, since the malicious logic sits inside otherwise legitimate code
  • Doesn't replicate
  • Defenses
    • Code reviews & integrity checks
    • File integrity monitoring
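Both the "verify hashes" defense for Trojans and the integrity checks listed here for logic bombs reduce to the same mechanism: hash a file while it is known-good and compare later. The Python below is an added example, not code from the original notes; the directory layout, file contents, the tampered script and the "published" hash are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Added example; paths, contents and the expected hash are constructed, not
# taken from any real publisher or system.


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: Path, expected_hex: str) -> bool:
    """Trojan defense: compare a downloaded file against the publisher's
    published SHA-256 before installing it. compare_digest avoids leaking
    how many leading characters matched."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.lower())


def build_baseline(root: Path) -> dict:
    """Logic-bomb / rootkit defense: record a hash of every file under root
    while the system is known-good. Store the result off-host or read-only;
    a baseline the attacker can rewrite proves nothing."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what was added, removed or modified."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a script with
    a date-triggered branch inserted, a dropped library and a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payroll").write_bytes(b"#!/bin/sh\necho run payroll\n")
        (root / "etc.conf").write_bytes(b"mode=normal\n")
        (root / "README").write_bytes(b"known good tree\n")
        baseline = build_baseline(root)

        # The value a vendor would publish next to the download (constructed).
        published = hashlib.sha256(b"mode=normal\n").hexdigest()
        download_ok = verify_download(root / "etc.conf", published)
        download_tampered = verify_download(root / "etc.conf", "00" * 32)

        # Tampering: logic bomb added to an otherwise legitimate script,
        # a new file dropped, and one file removed.
        (root / "bin" / "payroll").write_bytes(
            b'#!/bin/sh\n[ "$(date +%m%d)" = 0401 ] && echo triggered\necho run payroll\n')
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF dropped")
        (root / "README").unlink()

        report = compare_baseline(root, baseline)
        report["download_ok"] = download_ok
        report["download_tampered"] = download_tampered
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only detects change, not intent: a modified script still needs a human or a code review to decide whether the new branch is a bug fix or a bomb. That is why the notes pair integrity monitoring with code review rather than relying on either alone.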

Rootkits - specifically designed to give attackers a backdoor with root-level access to a system #

  • Many have capabilities to hide; they hook various layers of the system to make themselves "not appear to be there"
  • Persistent, stealthy access is the goal
  • Defenses
    • Clean rebuild or trustworthy backup
    • Good security practices, patching, …
    • Secure Boot
    • Remove the HDD and connect it to another system without booting from that HDD; the rootkit's code never runs, so the disk can be inspected offline
  • Indicators Of Compromise (IoCs)
    • File hashes and signatures
    • Command and control domains, IP addresses and systems
    • Behavior-based identification such as creation of services, executables, configuration changes, file access and command invocation
    • Opening ports or creation of reverse proxy tunnels
  • Notes
    • Different vendors might name the same malware differently, which makes correlation difficult
    • Remote access is usually via a backdoor or rootkit