The index of this series of articles can be found here.
The term malware is a contraction of malicious software. Put simply, malware is any piece of software that was written with the intent of damaging devices, stealing data, and generally causing a mess.
Malware is often created by teams of hackers: usually, they’re just looking to make money, either by spreading the malware themselves or selling it to the highest bidder on the Dark Web. However, there can be other reasons for creating malware too — it can be used as a tool for protest, a way to test security, or even as weapons of war between governments. But no matter why or how malware comes to be, it is always bad news when it winds up on your PC.
Malware is the collective name for several malicious software variants, including viruses, ransomware and spyware. Malware is typically delivered in the form of a link or file over email and requires the user to click on the link or open the file to execute the malware.
Each type of malware has its own unique way of causing havoc, and, as it has been said before, most rely on user action of some kind. Some strains are delivered over email via a link or executable file. Others are delivered via instant messaging or social media. Even mobile phones are vulnerable to attack. It is essential that organizations are aware of all vulnerabilities so they can lay down an effective line of defence.
Some of the methods that are popularly used for the propagation of malware are:
- Free Software: The term free software refers to all the licensed software that can be found for free usually cracked or with some extra files to crack it. Usually, it is going to contain malicious software or, sometimes, it just contains the malware.
- File-Sharing Services: Torrent server or Peer-to-peer file-sharing services are flooding with malware, legitimate files can be infected and re-uploaded trying to capture innocent people and their systems.
- Removable Media: Malware can also propagate through removable media like USBs. Any media device can contain hidden malware, especially is its origin is unknown.
- Email Communication: Nowadays, emails are one of the most popular ways of communication, especially in organisations. Malware can be sent via email in the form of an attachment or a link.
- Not Using a Firewall or Anti-virus: Not exactly ways to deliver malware but, systems that can prevent known malware to be downloaded or installed in the target’s machines.
Types of Malware
Malware is a very broad category, and what malware does or how malware works changes from file to file. The following is a list of common types of malware, but it is hardly exhaustive:
This kind of malware disguises itself as legitimate software or is hidden in legitimate software that has been tampered with. It tends to act discreetly and create backdoors in your security to let other malware in. But there some other uses for trojans:
- Gaining unauthorised access
- Steal information
- Infect connected devices
- Ransomware attacks
- Using victim for spamming
- Using victim as botnet
- Download other malicious software
- Disabling firewalls
The infection process using trojans is comprised of some steps. This combination of steps is taken by attackers to infect target systems.
- Creation of a trojan using some kind of construction kit: A construction kit allows attackers to create customised trojans tailored to the target. Besides, construction kits help to avoid detection from protection tools. Some of these kits use crypters to encrypt, obfuscate and manipulate the malware making more difficult the detection.
- Create a dropper: A dropper is a software or program that is specially designed to deliver a payload on the target machine. Its main objective is to install malware code on to the victim’s machine without alerting or been detected.
- Create a wrapper: A wrapper is a non-malicious file that binds the malicious file to propagate the trojan and try to avoid detection. Usually, executable files like games, music or video files.
- Propagate the trojan: Attackers just need to upload their trojans to servers where they will be downloaded when the victims click in a link.
- Execute the dropper: Once the trojan has been downloaded, it will install itself and execute any procedure for what it has been prepared.
Types of Trojans
There a multiple types of trojans, some of them are:
- Command Shell Trojans: They provide a remote shell on the target’s computer. Netcat is a very well know in this category.
- Defacement Trojans: This type of trojan changes the appearance of the existing software, usually text and images, to leave their mark. The most well-known cases are web defacements.
- HTTP/HTTPS Trojans: This kind of trojan bypasses the firewall and open a tunnel to communicate with the attacker.
- Botnet Trojans: These are trojans designed to create a large-scale group of infected machines that can work together to achieve future objectives. In this category falls the DoS/DDoS Trojans. These trojans run attacks that bring networks to their knees by flooding them with useless traffic. Many Do/DDoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
- Proxy Trojans: This kind of trojan is designed to use the victim’s computer as a proxy server. This lets the attacker do anything from your computer, including credit card fraud and other illegal activities and even use your system to launch malicious attacks against other networks.
- Remote Access Trojans: Abbreviated as RATs. This type of trojan is designed to provide attackers with complete control of the victim’s system. Attackers usually hide them in games and other small programs that unsuspecting users then execute on their systems.
- Data Sending Trojans: This type of trojan is designed to provide the attacker with sensitive data such as passwords, credit card information, log files, e-mail address or IM contact lists. These Trojans can look for specific pre-defined data (e.g., just credit card information or passwords), or they install a keylogger and send all recorded keystrokes back to the attacker.
And, much more.
There are actually two areas to consider where protection is concerned: protective tools and user vigilance. The first is often the easiest to implement, simply because some best-in-class protective software that manages and updates itself can often set and forget. Users, on the other hand, can be prone to temptation (“check out this cool website!“) or easily led by other emotions such as fear (“install this anti-virus software immediately“). Education is key to ensure users are aware of the risk of malware and what they can do to prevent an attack.
With good user policies in place and the right anti-malware solutions constantly monitoring the network, email, web requests and other activities that could put an organization at risk, malware stands less of a chance of delivering its payload.
Some specific actions can be:
- Avoid clicking on suspicious emails
- Block unused ports
- Monitor network traffic
- Avoid downloads from untrusted sources
- Install updated security software and anti-viruses
- Scan removable media before using it
- File integrity
- Enable auditing
- Configured host-based firewall
- Intrusion detection software
Possibly the most common type of malware, viruses attach their malicious code to clean code and wait for an unsuspecting user or an automated process to execute them. Like a biological virus, they can spread quickly and widely, causing damage to the core functionality of systems, corrupting files and locking users out of their computers. They are usually contained within an executable file.
Stages of a Virus Life
The process of developing a virus until its detection is divided into the next following six stages. These stages include the whole lifecycle of a virus:
- Design: In the design phase, the virus is created. This can be done completely from scratch or using one of the existing construction kits.
- Replication: In this phase, the virus is deployed and it starts replicating itself on the target systems for a certain period of time.
- Launch: In this stage, when a user non-intentionally runs the virus, this, performs the task for what it was built.
- Detection: In this phase, the behaviour of the virus is observed and identified as a potential threat to the system.
- Incorporation: After identification, the signature of the virus is added to anti-virus software to be able to detect it in the future. And some defensive code is created to be able to deal with it.
- Elimination: Once anti-virus software has been updated it can detect the virus and eliminate it.
Working with Viruses
Working with a virus has two differentiated phases:
- Infection phase: This is the phase were, once the virus has been planted in a system, starts to replicate itself. This replication or reproduction is done infecting legitimate files and programs on the target’s machines, waiting for users to execute them. During this reproduction they will try to spread as much as possible using whatever means necessary, emails, shared file systems, media devices, everything is fair play.
- Attack phase: This phase starts when an unprevented user executes the virus clicking in one of the infected files. Usually, a triggering action is necessary to execute them. Once they have been executed, they will carry on with any task they have been developed for.
- File virus: This type of virus infects the system by appending itself to the end of a file. It changes the start of a program so that the control jumps to its code. After the execution of its code, the control returns back to the main program. Its execution is not even noticed. It is also called Parasitic virus because it leaves no file intact but also leaves the host functional.
- Boot sector virus: It infects the boot sector of the system, executing every time system is booted and before an operating system is loaded. It infects other bootable media like floppy disks. These are also known as memory virus as they do not infect file systems.
- Macro virus: Unlike most virus which are written in a low-level language (like C or assembly language), these are written in a high-level language like Visual Basic. These viruses are triggered when a program capable of executing a macro is run. For example, a macro virus can be contained in spreadsheet files.
- Source code virus: It looks for source code and modifies it to include virus and to help spread it.
- Polymorphic virus: A virus signature is a pattern that can identify a virus (a series of bytes that make up virus code). So in order to avoid detection by anti-virus a polymorphic virus changes each time it is installed. The functionality of the virus remains the same but its signature is changed.
- Encrypted virus: In order to avoid detection by anti-virus, this type of virus exists in encrypted form. It carries a decryption algorithm along with it. So the virus first decrypts and then executes.
- Stealth virus: It is a very tricky virus as it changes the code that can be used to detect it. Hence, the detection of the virus becomes very difficult. For example, it can change the read system call such that whenever the user asks to read a code modified by the virus, the original form of code is shown rather than infected code.
- Tunneling virus: This virus attempts to bypass detection by anti-virus scanner by installing itself in the interrupt handler chain. Interception programs, which remain in the background of an operating system and catch viruses, become disabled during the course of a tunnelling virus. Similar viruses install themselves in device drivers.
- Multipartite virus: This type of virus is able to infect multiple parts of a system including boot sector, memory and files. This makes it difficult to detect and contain.
- Armored virus: An armoured virus is coded to make it difficult for antivirus to unravel and understand. It uses a variety of techniques to do so like fooling antivirus to believe that it lies somewhere else than its real location or using compression to complicate its code.
Obviously, there are more types of virus, this is just a short list of them.
Also known as scareware, ransomware comes with a heavy price. Able to lock down networks and lockout users until a ransom is paid, ransomware has targeted some of the biggest organizations in the world today — with expensive results.
Worms get their name from the way they infect systems. Starting from one infected machine, they weave their way through the network, connecting to consecutive machines in order to continue the spread of infection. This type of malware can infect entire networks of devices very quickly.
Spyware, as its name suggests, is designed to spy on what a user is doing. Hiding in the background on a computer, this type of malware will collect information without the user knowing, such as credit card details, passwords and other sensitive information.
Malware analysis is necessary to develop effective malware detection technique. It is the process of analyzing the purpose and functionality of malware, so the goal of malware analysis is to understand how a specific piece of malware works so that defence can be built to protect the organization’s network. There are three types of malware analysis which achieve the same goal of explaining, how malware works, their effects on the system but the tools, time and skills required to perform the analysis are very different.
It is also called as code analysis. It is the process of analyzing the program by examining it i.e. software code of the malware is observed to gain the knowledge of how malware’s functions work. In this technique, reverse engineering is performed by using a disassemble tool, decompile tool, debugger, source code analyzer tools such as IDA Pro and Ollydbg in order to understand the structure of malware. Before the program is executed, static information is found in the executable including header data and the sequence of bytes is used to determine whether it is malicious. Disassembly technique is one of the techniques of static analysis. With static analysis, an executable file is disassembled using disassemble tools like XXD, Hexdump, NetWide command, to get the assembly language program file. From this file, the opcode is extracted as a feature to statically analyze the application behaviour to detect the malware.
It is also called behavioural analysis. Analysis of infected file during its execution is known as dynamic analysis. Infected files are analyzed in a simulated environment like a virtual machine, simulator, emulator, sandbox etc. After that malware researchers use SysAnalyzer, Process Explorer, ProcMon, RegShot, and other tools to identify the general behaviour of file. In a dynamic analysis, the file is detected after executing it in a real environment, during the execution, its system interaction, its behaviour and effects on the machine are monitored. The advantage of dynamic analysis is that it accurately analyzes the known as well as unknown, new malware. It is easy to detect unknown malware also it can analyze the obfuscated, polymorphic malware by observing their behaviour but this analysis technique is more time-consuming. It requires as much time as to prepare the environment for malware analysis such as virtual machine environment or sandboxes.
This technique is proposed to overcome the limitations of static and dynamic analysis techniques. It firstly analyses the signature specification of any malware code & then combines it with the other behavioural parameters for enhancement of complete malware analysis. Due to this approach hybrid analysis overcomes the limitations of both static and dynamic analysis.
Malware detection techniques are used to detect the malware and prevent the computer system from being infected, protecting it from potential information loss and system compromise. They can be categorized into signature-based detection, behaviour-based detection and specification-based detection.
It is also called as Misuse detection. It maintains the database of signature and detects malware by comparing pattern against the database. The general flow of signature-based malware detection and analysis is explained in detail in. Most of the antivirus tools are based on signature-based detection techniques. These signatures are created by examining the disassembled code of malware binary. Disassembled code is analyzed and features are extracted. These features are used in constructing the signature of a particular malware family. A library of known code signatures is updated and refreshed constantly by the antivirus software vendor so this technique can detect the known instances of malware accurately. The main advantages of this technique are that it can detect known instances of malware accurately, less amount of resources are required to detect the malware and it mainly focuses on the signature of the attack. The major drawback is that it can’t detect the new, unknown instances of malware as no signature is available for such type of malware.
It is also called as behaviour or anomaly-based detection. The main purpose is to analyze the behaviour of known or unknown malware. The behavioural parameter includes various factors such as source or destination address of malware, types of attachments, and other countable statistical features. It usually occurs in two-phase: The training phase and detection phase. During the training phase, the behaviour of the system is observed in the absence of attack and machine learning technique is used to create a profile of such normal behaviour. In the detection phase, this profile is compared against the current behaviour and differences are flagged as potential attacks.
The advantage of this technique is that it can detect known as well as new, unknown instances of malware and it focuses on the behaviour of the system to detect unknown attacks. The disadvantage of this technique is that it needs to update the data describing the system behaviour and the statistics in normal profile but it tends to be large. It needs more resources like CPU time, memory and disk space and level of false positive is high.
It is derivative of behaviour-based detection that tries to overcome the typical high false alarm rate associated with it. Specification-based detection relies on program specifications that describe the intended behaviour of security-critical programs. It involves monitoring program executions and detecting deviation of their behaviour from the specification, rather than detecting the occurrence of specific attack patterns. This technique is similar to anomaly detection but the difference is that instead of relying on machine learning techniques, it will be based on manually developed specifications that capture legitimate system behaviour. The advantage of this technique is that it can detect known and unknown instances of malware and level of false positive is low but the level of false negative is high and not as effective as behaviour-based detection in detecting new attacks; especially in network probing and denial of service attacks. Development of detailed specification is time-consuming.