Malware can combine different capabilities and be labeled in several different ways
Trojans
Malware disguised as, or hidden inside, legitimate software
Usually done by binding the payload to, or backdooring, a legitimate program
Usually found in torrents and other pirated downloads
Worms
Malware that spreads automatically without user interaction
Usually exploits network-facing vulnerabilities
Not common anymore, although WannaCry was a notable exception
Spyware
Software that is often legitimate in some respect (or poses as legitimate)
but quietly collects and siphons data away from the machine
Viruses
Self-replicating malware, strictly one that spreads by inserting itself into other files
The term is rarely used outside of pop culture as it has become ill-defined
Major types of malware
Rootkits
Sophisticated methods of hiding aspects of malware from the system and its tools
Usually hiding files, registry keys, and network connections from the system
Usually Ring 3 (userland) based
Sometimes Ring 0 (kernel) based
Very occasionally a bootkit (hijacks the boot process, e.g. the MBR or
bootloader, so it loads before the OS and any security software)
Rings
Rings are the CPU privilege levels that code runs at
Only two matter in practice:
Ring 3 - Userland, where most applications run
Ring 0 - The kernel, where the operating system and most drivers run
Code in a lower ring sits closer to the hardware, so it can intercept system
calls before anything in a higher ring sees them, and can hide from it
System calls
System calls are how applications ask the OS (and, through it, the hardware)
to do things on their behalf
There are system calls for reading files, making network connections, etc.
All abstracted so applications don't need to be hardware specific
Hooking
Rootkits work by hooking system calls (or the library functions that wrap
them) and intercepting the data flowing between the OS and the application
There are a LOT of ways to do this
Multiple hooks on the same call form a chain: each hook passes the call down
to the next and can alter what comes back up, so the hook closest to the real
function decides what every hook above it sees
Getting that position is crucial for correctly intercepting (or hiding) data
Anti-viruses also hook system calls, to check for rootkits and suspicious
behavior, which puts the two in a race for the same hooks
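A simulation of the hook chain described above, added here as an example; it is not code from the original notes, and it models hooking with a plain function-pointer chain rather than real inline or kernel patching. The "list directory" call, the rk_driver.sys filename and the other file names it returns are constructed sample data. A rootkit hook filters rk_* entries out of results on their way back up; an anti-virus hook records what passes through it. Installing a hook puts it in front of the existing ones, as overwriting a function prologue does, so whichever side hooked first sits closest to the real call and controls what the other one sees:

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define MAX_HOOKS 4

/* The data a "list directory" system call hands back. */
typedef struct {
    int count;
    const char *names[MAX_ENTRIES];
} listing_t;

/* Every hook has this shape. `depth` is its position in the chain, so it
 * can forward the call to whatever sits beneath it. */
typedef void (*hook_fn)(int depth, const char *path, listing_t *out);

static hook_fn chain[MAX_HOOKS];
static int chain_len = 0;

static void dispatch(int depth, const char *path, listing_t *out);

/* The "real" system call. Constructed sample data stands in for the kernel's
 * answer; rk_driver.sys is the file the rootkit wants to hide. */
static void real_listdir(const char *path, listing_t *out) {
    static const char *disk[] = { "notes.txt", "rk_driver.sys", "svchost.dll" };
    (void)path;
    out->count = 3;
    for (int i = 0; i < out->count; i++) out->names[i] = disk[i];
}

/* Forward to the next hook down, or to the real call when the chain ends. */
static void dispatch(int depth, const char *path, listing_t *out) {
    if (depth < chain_len) chain[depth](depth, path, out);
    else real_listdir(path, out);
}

/* Installing a hook puts it in front of everything already installed, like
 * overwriting a function's prologue with a jump and keeping the old bytes
 * as your trampoline: the newest hook runs first and calls the older one. */
static void install_hook(hook_fn h) {
    if (chain_len == MAX_HOOKS) return;
    for (int i = chain_len; i > 0; i--) chain[i] = chain[i - 1];
    chain[0] = h;
    chain_len++;
}

/* Rootkit hook: let the call through, then strip rk_* entries from what
 * came back, so nothing above it ever learns they exist. */
static void rootkit_hook(int depth, const char *path, listing_t *out) {
    int kept = 0;
    dispatch(depth + 1, path, out);
    for (int i = 0; i < out->count; i++)
        if (strncmp(out->names[i], "rk_", 3) != 0) out->names[kept++] = out->names[i];
    out->count = kept;
}

/* Anti-virus hook: let the call through and note whether the suspicious
 * file was in the data that passed through it (all it could ever scan). */
static int av_saw_hidden_file;
static void av_hook(int depth, const char *path, listing_t *out) {
    dispatch(depth + 1, path, out);
    for (int i = 0; i < out->count; i++)
        if (strcmp(out->names[i], "rk_driver.sys") == 0) av_saw_hidden_file = 1;
}

/* Build the chain in the given order and issue one call as an application
 * would. The listing the application receives is written to app_view. */
static void run_scenario(int rootkit_hooks_first, listing_t *app_view) {
    chain_len = 0;
    av_saw_hidden_file = 0;
    if (rootkit_hooks_first) { install_hook(rootkit_hook); install_hook(av_hook); }
    else                     { install_hook(av_hook);      install_hook(rootkit_hook); }
    dispatch(0, "C:\\Windows\\System32\\drivers", app_view);
}

/* 1 if the AV's hook ever saw rk_driver.sys, 0 if the rootkit hid it. */
int av_sees_hidden_file(int rootkit_hooks_first) {
    listing_t view;
    run_scenario(rootkit_hooks_first, &view);
    return av_saw_hidden_file;
}

/* Number of entries the application is shown. The rootkit always filters on
 * the way back up, so the user never sees the file in either order. */
int entries_shown_to_application(int rootkit_hooks_first) {
    listing_t view;
    run_scenario(rootkit_hooks_first, &view);
    return view.count;
}

int main(void) {
    printf("rootkit hooked first -> AV sees rk_driver.sys: %d, app sees %d entries\n",
           av_sees_hidden_file(1), entries_shown_to_application(1));
    printf("AV hooked first      -> AV sees rk_driver.sys: %d, app sees %d entries\n",
           av_sees_hidden_file(0), entries_shown_to_application(0));
    return 0;
}
```

With the rootkit installed first, the AV hook sits above it and never sees rk_driver.sys; with the AV installed first, the rootkit's filtering happens above the AV, which therefore sees the full listing. The user sees two entries either way. The same logic is why a Ring 0 hook beats a Ring 3 one: it is simply lower in the chain.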
Loaders
Malware specifically designed to provide strong persistence on a compromised system
Its job is to make sure no anti-virus or user can remove it
It often utilizes rootkits to achieve this
It only exists to provide baseline persistence and to load more specialized
malware onto the system
A prominent example is Smoke Loader
RATs
Remote Administration (or Remote Access) Trojans
Truly the most prolific malware type
Used by teenagers to dip their toe into cybercrime
They provide hands-on, interactive access to a single compromised computer, as
opposed to the bulk, automated control of more sophisticated malware such as botnets
Allowing remote desktop, access to the webcam, keylogging, chats, and even
functions to troll the user (ejecting the CD drive)
Relatively cheap, around $20 a license, with the ability to generate new payloads at will
Most prominent RATs are:
Blackshades
DarkComet
jRAT
Botnets
Botnet is an umbrella term for malware designed to collect a large number of
compromised hosts and organize them into a network of bots under one controller
Bot functionality is often combined with another type of malware
They're designed for controlling thousands if not millions of compromised hosts
Expensive, hundreds of dollars for a payload generated by the author
This is in stark contrast to RATs
Prominent examples are:
Betabot
Andromeda
Banking Trojans
Banking trojans are unique and powerful
They're specifically designed to defeat the verification steps banks put in
their web pages
They don't break TLS, they sidestep it: by hooking the browser's own networking
functions they see the data in the clear, before it is encrypted and after it
is decrypted (man-in-the-browser)
intercept outgoing HTTP(S) POST requests, skimming data (logins, credit
card numbers, etc.)
intercept incoming HTTP(S) responses and inject malicious JavaScript (web injects)
They can then automatically siphon money from the account and hide the
transactions from the victim's view of the balance
Most are descended from Zeus's leaked source code
Absurdly expensive, usually upwards of $1000 for a single payload generated by sellers
Prominent examples:
Zeus
SpyEye
Citadel
Kronos
POS malware
Attacks point-of-sale (POS) terminals
Constantly scrapes process memory for card numbers, which sit unencrypted in
the terminal's memory while a transaction is being processed
Where most stolen credit card numbers come from
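The form grabbing of the banking trojans above and the memory scraping of POS malware come down to the same primitive: scan a blob of bytes for digit runs that look like card numbers, using the Luhn check digit to throw away dates, phone numbers and order IDs before anything is exfiltrated. The following is an added example of that scan; it is not code from the original notes or from any of the families named. The sample buffer, the field names and the two industry-standard test card numbers in it are constructed input, and the record after the "=" is only shaped like a track-2 field:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_HITS 8
#define MAX_DIGITS 23          /* longest digit run worth collecting */
#define MIN_PAN 13             /* PANs (card numbers) are 13 to 19 digits */
#define MAX_PAN 19

/* Luhn check: every real PAN passes it, so a scraper can discard most random
 * digit runs (dates, phone numbers, counters) cheaply. */
int luhn_valid(const char *digits, int len) {
    int sum = 0, dbl = 0;
    if (len < MIN_PAN || len > MAX_PAN) return 0;
    for (int i = len - 1; i >= 0; i--) {
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Scan an arbitrary byte buffer (a process memory dump, a plaintext POST body
 * pulled from a hooked browser function) for PAN-length digit runs that pass
 * Luhn. Single spaces or dashes between digit groups are tolerated because
 * web forms often submit "4111 1111 1111 1111". Returns the number of hits. */
int scan_for_pans(const unsigned char *buf, size_t len,
                  char hits[][MAX_DIGITS + 1], int max_hits) {
    int n = 0;
    size_t i = 0;
    while (i < len && n < max_hits) {
        if (!isdigit(buf[i])) { i++; continue; }
        char run[MAX_DIGITS + 1];
        int rl = 0, too_long = 0;
        size_t j = i;
        while (j < len) {
            if (isdigit(buf[j])) {
                if (rl == MAX_DIGITS) { too_long = 1; break; }
                run[rl++] = (char)buf[j];
            } else if ((buf[j] == ' ' || buf[j] == '-') &&
                       j + 1 < len && isdigit(buf[j + 1])) {
                /* formatting separator inside a digit group: skip it */
            } else {
                break;
            }
            j++;
        }
        /* a run longer than any PAN is not a card number: skip the rest of it */
        while (too_long && j < len && isdigit(buf[j])) j++;
        run[rl] = '\0';
        if (!too_long && luhn_valid(run, rl)) memcpy(hits[n++], run, (size_t)rl + 1);
        i = j;
    }
    return n;
}

/* Constructed sample "memory": binary noise, a captured checkout POST body,
 * a phone number, a non-Luhn 16-digit order number and a track-2-shaped
 * record. Only the Visa and Mastercard test PANs should be reported. */
static const unsigned char SAMPLE[] =
    "\xde\xad\xbe\xef" "\x00" "\x7f"
    "POST /checkout HTTP/1.1\r\n\r\n"
    "user=alice&password=hunter2&cardnumber=4111 1111 1111 1111&exp=1227"
    "&phone=555-0100-2345&order=1234567890123456\r\n"
    "\x00\x00" ";5555555555554444=27121010000012345678?" "\x00";

static char sample_hits[MAX_HITS][MAX_DIGITS + 1];

/* Runs the scan over SAMPLE and returns the number of PANs found. */
int count_pans_in_sample(void) {
    return scan_for_pans(SAMPLE, sizeof(SAMPLE) - 1, sample_hits, MAX_HITS);
}

/* The i-th PAN found by count_pans_in_sample(), for inspection. */
const char *sample_hit(int i) { return sample_hits[i]; }

int main(void) {
    int n = count_pans_in_sample();
    printf("%d candidate card number(s) in %zu bytes\n", n, sizeof(SAMPLE) - 1);
    for (int i = 0; i < n; i++) printf("  %s\n", sample_hit(i));
    return 0;
}
```

The same scan run by a defender over a terminal's process dump or a proxy log is also a useful detection: card numbers in the clear where they should not be are exactly what this malware is looking for.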
Ransomware
Often called cryptolockers, after the CryptoLocker family
Restricts access to the system and demands a payment
Usually done by encrypting the victim's files
Very common these days
Design choices
OS Choice
Malware is often made only for Windows, as it represents the largest market share
This is not to say there isn't malware for Linux/macOS/BSD, it is just much
less common
Language choice
Malware is often written in C, C++, Delphi, and VB6
This avoids depending on a runtime having been installed on the system
(.NET or Java)
Compactness and modularity
Malware is often designed to be compact and small so it can be downloaded
remotely over slow connections
This leads to modularization: a lot of complicated malware segments its
capabilities into modules that are loaded only when needed
Side note: Crypters
Crypters encrypt payloads (wrapping them in a small decryption stub) to avoid
anti-virus detection
Relatively cheap
When no anti-virus detects the result it's called FUD (fully undetectable)
Protection only lasts a few weeks before signatures catch up, so older crypted
files are far more likely to be detected
Infection Vectors
There are a lot of ways people look to infect victims with a malicious payload
Each type of malware usually has a specific method of infection designed to
target a specific demographic
Pirated software
Pirated software is commonly infected: a malicious payload is bound to an
existing torrent's contents, crypted to avoid detection, and re-uploaded
Sites like The Pirate Bay are pretty good at taking down infected uploads
KAT (KickassTorrents) is not so great
This is mainly used by owners of RAT networks, as it's easy and low cost
Drive-bys
A common method botnet owners use to gain a large number of infected hosts
Has 3 major components:
Exploit kit
Compromised sites
Payload
Often used to target developing countries
Exploit Kit
An exploit kit is a piece of software that fingerprints the visitor's browser
and plugins, then selects an exploit that will be effective against an
unpatched piece of software (IE 8, old Flash, etc.)
They are usually rented on a daily basis for $300+/day
RIG Exploit Kit is the most commonly used
Legitimate compromised site
You need to get traffic to the exploit kit
This is usually done by compromising legitimate sites and injecting (usually
hidden) iframes that point to the exploit kit's landing page
Sometimes done through malicious advertisements (malvertising) as well
The payload
Often the space to run code after an exploit is small
Often just enough to download and execute an additional stage, which then
fetches the real malware
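A check for the compromised-site component: scan a page for iframes that are zero-sized, hidden with CSS, or pushed off-screen, which is how injected exploit-kit redirects usually look. This is an added example, not from the original notes; the sample page, the example.invalid hostnames and the marker list are constructed, and the matching is a deliberately simple substring heuristic rather than an HTML parser:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_TAG 512

/* Case-insensitive compare of n bytes (strncasecmp is POSIX, not ISO C). */
static int eq_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Case-insensitive substring search. */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++)
        if (eq_ci(hay + i, needle, n)) return hay + i;
    return NULL;
}

/* Normalize one tag for matching: lower-case it and drop whitespace, so
 * width = "0", WIDTH="0" and style="display: none" all compare the same. */
static void normalize_tag(char *dst, const char *tag, size_t tag_len) {
    size_t o = 0;
    for (size_t i = 0; i < tag_len && o < MAX_TAG - 1; i++)
        if (!isspace((unsigned char)tag[i]))
            dst[o++] = (char)tolower((unsigned char)tag[i]);
    dst[o] = '\0';
}

/* Markers of an iframe nobody is meant to see: zero size as an attribute or
 * in CSS, hidden via CSS, or positioned off-screen. Heuristic by design;
 * legitimate tracking pixels trip it too, so treat hits as leads. */
static const char *HIDDEN_MARKERS[] = {
    "width=\"0\"", "width='0'", "width=0",
    "height=\"0\"", "height='0'", "height=0",
    "width:0", "height:0",
    "display:none", "visibility:hidden",
    "left:-", "top:-",
};

static int tag_looks_hidden(const char *tag_norm) {
    for (size_t k = 0; k < sizeof(HIDDEN_MARKERS) / sizeof(*HIDDEN_MARKERS); k++)
        if (strstr(tag_norm, HIDDEN_MARKERS[k])) return 1;
    return 0;
}

/* Walk every <iframe ...> opening tag in the document and count the ones
 * that match a hidden marker. Flagged tags are printed for triage. */
int count_hidden_iframes(const char *html) {
    int hidden = 0;
    const char *p = html;
    char norm[MAX_TAG];
    while ((p = find_ci(p, "<iframe")) != NULL) {
        const char *end = strchr(p, '>');
        size_t tag_len = end ? (size_t)(end - p + 1) : strlen(p);
        normalize_tag(norm, p, tag_len);
        if (tag_looks_hidden(norm)) {
            hidden++;
            printf("hidden iframe: %.*s\n", (int)tag_len, p);
        }
        p += tag_len;
    }
    return hidden;
}

/* Constructed sample page: one visible embed and three injected redirects,
 * each hidden a different way. */
static const char SAMPLE_PAGE[] =
    "<html><body>\n"
    "<h1>Welcome</h1>\n"
    "<iframe src=\"https://www.example.com/embed/abc\" width=\"560\" height=\"315\"></iframe>\n"
    "<IFRAME SRC=\"http://cdn.example.invalid/gate.php\" WIDTH=\"0\" HEIGHT=\"0\" frameborder=\"0\"></IFRAME>\n"
    "<iframe src='http://stats.example.invalid/ek/' style=\"display: none\"></iframe>\n"
    "<iframe src=\"http://img.example.invalid/x\" style=\"position:absolute; left:-9999px; top:-9999px\"></iframe>\n"
    "</body></html>\n";

int hidden_iframes_in_sample(void) { return count_hidden_iframes(SAMPLE_PAGE); }

int main(void) {
    printf("%d hidden iframe(s) found\n", hidden_iframes_in_sample());
    return 0;
}
```

Run it over HTML fetched from a site you suspect has been compromised (or over a web proxy's saved responses); a hit is a lead to pull the iframe's target and see what it serves.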