Skip to main content

Malware

Vectors

  • Vectors are the mechanism through which malware infects a machine
  • Usually the vector will be a software vulnerability
  • Or someone clicked something they shouldn't have!

Payloads

  • Actual malware deposited on the machine, or the harmful results
  • Range in severity

Viruses

  • Piece of self-replicating code
  • Propagates by attaching itself to a disk, file or document
  • When the file is run, the virus runs and attempts to proliferate
  • Installs without the users knowledge or consent

Notable

  • 1981: Elk Cloner, the first known “in the wild” outbreak affects Apple II computers
  • 1986: Brain, the first DOS computer virus
  • 1989: Ghostball, the first multipartite virus – affects both exes and the boot sector
  • 1995: First macro virus, Concept, affects MS Word documents
  • 1996: First linux virus, Staog, uses bugs in the Linux kernel

Worms

  • Viruses traditionally require a human to spread
  • Worms are self-replicating and stand-alone programs
  • Exploit know software vulnerabilities in order to spread

Notable

  • 1988: The Morris Worm, affects BSD unix machines. One of the first known buffer overruns
  • 2000: The ILOVEYOU worm, one of the most damaging worms ever, shows how powerful social engineering can be
  • Worms were everywhere between 2003-2004

MS Blaster

  • Windows XP, crashes RPC and reboots your machine
  • Spread between machines on an internal network easily - no port filtering
  • Used a buffer overflow in a windows Remote Procedure Call (RPC) service - spreads without user clicking
  • Compromised machines performed DDOS on windowsupdate.com

Sasser

  • From author of Netsky, attacks windows LSASS
  • Spread 17 days after a patch to the vulnerability was released by microsoft
  • Buffer overflow in the Local Security Authority Subsystem Service
  • Scans IP addresses and infects via port 445
  • Many exploits are reverse engineered from patches, or developed simultaneously to patches
  • One which that is previously unknown (Zero-Day Exploits) are by far the most dangerous

Stuxnet

Believed to be an American-Israeli cyber weapon

  1. Uses four zero-day flaws to infect Windows
  2. Seeks out any instance of Siemens Step7
  3. Finds programmable logic controllers (PLC)
  4. Detects attached centrifuges and spins them to destruction
  5. Reports that the centrifuge are fine

Trojans

  • Malicious program pretending to be a legitimate application
  • Often obtained in email attachments or at malicious websites
  • Don't replicate themselves - user error
  • Ransomware is the most common form of Trojan now

Notable

  • 1989: The AIDS Trojan, encrypts all filenames on the system and requests a ransom
  • 2002: Beast, affects windows machines from 95 – XP and provides the attacker with a remote admin tool (RAT) – there are a lot of these types
  • 2013: Cryptolocker, massive ransomware

Ransomware

  • Usually encrypt or block access to files and demand a random
  • A clever solution, because if an AV system removes it, is often too late
  • Usually distributed from malicious websites, or from already infected machines
  • File decryption keys are protected by encrypting using the public key of a C&C server

Variants

  • Most of the challenge is successfully using ransomware is tricking a user into running it, and bypassing AV and browser protections