Malware

Basics

  • Types
    • Virus
      • Can copy itself to infect a computer
      • Infects files on USBs, CDs, network drives, etc. to spread
    • Worm
      • Primarily replicate on networks
      • Typically do not require any user interaction
    • Trojan
      • Embedded in other applications
      • Not self-replicating
      • Requires a user to execute infected program
    • User-mode Rootkit
      • Unix: Modified executables or wrapper scripts are used to hide malicious activity from the output of certain commands, such as netstat
      • Windows: Intercept a user’s system calls and modify the information returned
    • Kernel-mode Rootkit
      • Often a driver or kernel library
      • Can hide processes, files, directories, and network connections
    • Backdoor
      • Allow for remote access to infected system
      • 2 types
        • Listening
        • Beacon (reverse connection)
    • Dropper
      • Install malware on a target
      • Typically self-delete upon completion
      • 2 types
        • Single-stage: Contains the malware to be installed in the same package as the dropper
        • Stager: The dropper downloads the malware from somewhere else
    • Keylogger
      • Captures all typed input
    • Flooders (DDoS)
      • Generates massive amounts of network traffic to cause a DoS
      • Distributed Reflective Denial of Service (DRDoS)
        • SYN packets are sent with a spoofed source IP to legitimate servers
    • Logic Bomb
      • Performs malicious function after certain conditions are met
      • Non-malicious versions are “Easter Eggs”
    • Network Sniffer
      • Allow capturing and examination of network traffic
    • Spyware
      • Collects information about a user and transmits it somewhere on the Internet
    • Adware
      • Popup ads
    • Scareware
      • Attempts to get a user to perform some action by convincing them their computer is infected
    • Browser Malware
      • Installed as plugins or extensions, aka Browser Helper Objects
      • May be installed by surfing to an infected website or included with a 3rd-party program installation
    • Spam
      • Unsolicited email
  • Phishing
    • The process of attempting to fraudulently obtain sensitive user information
    • Typically use legitimate looking emails to get a user to click a malicious link
  • Botnets
    • Collection of bots (zombies)
    • Spread with worm functionality
    • Communication
      • IRC
        • Bots contact a central chat server to receive commands
      • HTTP
        • Bots check specific web pages for embedded commands
        • May also use FB, Twitter, etc.
      • P2P
        • Decentralized
  • Windows Malware Analysis
    • Research (Internet)
    • Look into suspicious file names
    • Use a sandbox environment
    • Download executables
    • Find DLLs
    • Inspect open file handles
    • Check common registry locations
    • Find ports listening for network communications
    • Inspect suspicious timestamps
    • Check for unsigned files
    • Verify file hashes
    • Check for promiscuous mode
    • Use a hex editor
    • Dump the memory
    • Report your findings

Analyzing

Useful commands

strings
handle
hexeditor <output_file>

Unpack an exe

upx -d <executable> -o <output_file>

Find trojanized UNIX commands

while IFS=: read -d: -r path; do echo "$path"; ls -lAtrc --time-style=long-iso "$path" | uniq -c -f 5 -w 17; done <<< "${PATH:+"${PATH}:"}"
(groups each PATH directory's entries by ctime; after skipping 5 fields, -w 17 covers the date and time columns, so files whose ctime stands apart from the bulk of the directory show up as small groups)

Find ctime anomalies

for path in /etc/init.d /etc/rc*; do echo "$path"; ls -lHAtrc --time-style=long-iso "$path" | uniq -c -f 5 -w 11; done
find / -name '*.service' | (while read -r path; do ls -lHAtrcd --time-style=long-iso "$path"; done) | uniq -c -f 5 -w 16
(-w 11 groups by date only, -w 16 by date and hour plus the first digit of the minute; note that uniq only collapses adjacent lines, so unsorted find output groups poorly)

Service files

find / -name '*.service' | (while read -r path; do ls -lHAtrcd --time-style=long-iso "$path"; done) | sort -k 6 | uniq -c -f 5 -w 16
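The three ctime one-liners above (PATH directories, init scripts, service files) all rely on a human scanning uniq -c counts for the odd file out. As an added example that is not part of the original notes, the script below turns that into a reusable check: it groups files by the minute of their ctime and reports the ones whose minute is shared by fewer than MIN_GROUP files. It assumes GNU find (for the %C format directives) and awk; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: a reusable version of the
# "ls ... | uniq -c -f 5 -w 17" idea. ctime is the column worth grouping on
# because `touch -r` can forge mtime and atime but cannot set ctime.

# collect_ctimes DIR...  -> one "YYYY-MM-DD HH:MM path" line per regular file.
# Assumes GNU find (%C directives), as the notes' GNU ls --time-style does.
collect_ctimes() {
    find "$@" -maxdepth 1 -type f -printf '%CY-%Cm-%Cd %CH:%CM %p\n' 2>/dev/null
}

# flag_ctime_outliers MIN_GROUP  (reads collect_ctimes lines on stdin)
# Prints "<group size> <date> <minute> <path>" for every file whose ctime
# minute occurs fewer than MIN_GROUP times. Paths may contain spaces.
flag_ctime_outliers() {
    awk -v min="${1:-3}" '
        NF < 3 { next }
        {
            key  = $1 " " $2                     # date and minute
            path = substr($0, length(key) + 2)   # everything after them
            count[key]++
            paths[key] = paths[key] "\n" path
        }
        END {
            for (k in count) {
                if (count[k] >= min) continue
                n = split(substr(paths[k], 2), p, "\n")
                for (i = 1; i <= n; i++) print count[k], k, p[i]
            }
        }' | sort
}

# check_path_dirs: every existing directory on PATH, like the one-liner above.
check_path_dirs() {
    printf '%s\n' "$PATH" | tr ':' '\n' | while read -r dir; do
        if [ -d "$dir" ]; then collect_ctimes "$dir"; fi
    done
}

# Run a live scan only when asked; sourcing the file just defines the functions.
if [ "${1-}" = "--scan" ]; then
    check_path_dirs | flag_ctime_outliers "${2:-3}"
fi
```

A lone ctime is a lead, not a verdict: a routine package upgrade also produces one, so confirm a flagged binary against the package manager (`rpm -V` or `debsums`) before calling it trojanized.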

Hash a file in Windows

certutil -hashfile <file>