Malware: a Crash Course

What is malware

  • Any malicious software
  • Worms, viruses, trojans, etc

Who makes malware

  • Russians
  • teenagers from US, CA, UK, and AU

Overview of terms

  • Terms are not mutually exclusive
  • malware can leverage different features and be labeled different ways


  • Malware hidden in legitimate software
  • Usually done by binding or backdooring legitimate software
  • Usually found in torrents


  • Malware that automatically spreads without user interaction
  • Usually exploits network vulnerabilities
  • Not common anymore, although Wannacry was an exception


  • Spyware is malware that is often legitimate in some respect
  • but will steal and siphon data away


  • Self replicating malware
  • The term is not often used outside of pop culture as it’s ill defined

Major types of malware


  • Complicated methods of hiding aspects of malware
  • Usually hiding files, registry keys, and network connections from the system
  • Usually Ring3 (userland) based
  • Sometimes Ring0 (kernal) based
  • Very occasionally a bootkit (bios rootkit)


  • Rings are the level of access
  • there’s usually two major ones
    • Ring 3 - The userland where most applications will run
    • Ring 0 - The kernel where most drivers and the operating system will run
  • Having a lower ring means you can hook System calls first

System calls

  • System calls are what applications use to communicate with the OS and hardware
  • there are system calls for reading files, making network connections, etc
  • All abstracted to be non-hardware specific


  • Rootkits work by hooking system calls and intercepting the data between the OS and the application
  • There are a LOT of ways to do this
  • They often go down the chain, where the first hook will be called first
  • Thus getting the first hook is crucial in correctly intercepting data
  • Anti-viruses will also hook system calls to check for rootkits and suspicious behavior


  • Malware specifically designed to provide strong persistence on a compromised system
  • It’s job is to make sure no Anti-Virus or User can remove it
  • It often utilizes rootkits to achieve it’s goal
  • It only exists to provide baseline persistence and load more specialized malware onto a system
  • a Prominent example is Smoke Loader


  • Remote Administration Trojans
  • Truely the most prolific malware type
  • Used by teenagers to dip their toe into cybercrime
  • They provide intimate access to a compromised computer as opposed to more sophisticated malware such as botnets
  • Allowing remote desktop, access to the webcam, keylogger, chats, and even functions to troll the user (ejecting CD drive)
  • Relatively cheap $20 a license with the ability to generate new payloads at will
  • Most prominent RATs are:
    • Blackshades
    • DarkComet
    • jRAT


  • Botnet is an umbrella term for malware that is designed to collect a large amount of compromised hosts and create a network of bots
  • They’re often another type of malware in conjunction with this
  • They’re designed for controlling thousands if not millions of compromised hosts
  • Very expensive, $100s of dollars for a payload to be generated by the author
  • This is in stark contrast to RATs
  • Prominent examples are:
    • Betabot
    • Andromeda

Banking Trojans

  • Banking trojans are unique and powerful
  • They’re specifically designed to defeat all verifications banks put in their web pages
  • They can defeat encryption by hooking browser networking functions
  • intercept HTTP(S) POST requests skimming data (logins, credit card numbers, etc)
  • intercept incoming HTTP(S) traffic and inject malicious javascript
  • They can then automatically siphon money from the account and hide the transactions
  • All generally cloned from zeus’s leaked source code
  • Absurdly expensive, usually upwards of $1000 for a single payload generated by sellers
  • Prominent examples:
    • Zeus
    • SpyEye
    • Citadel
    • Kronus

POS malware

  • Attacks Point of sales machines
  • Constantly scans memory for credit card numbers
  • Where most credit cards are stolen from


  • Also known as Cryptolockers
  • Restrict access to the system and demand a payment
  • Usually this is done by encrypting files
  • Very common these days

Design choices

OS Choice

  • Malware is often only made for windows as it represents the largest market share
  • This is not to say there isn’t malware for Linux/MacOS/BSD, they are just much less common

Language choice

  • Malware is often written in C, C++, Delphi, and VB6
  • This is to avoid depending on libraries having being installed on the system (.NET or Java)

Compactness and modularity

  • Malware is often designed to be compact and small to allow it to be downloaded remotely over slow connections
  • This leads to modularization, lots of complicated malware will segment it’s capabilities into modules that will be loaded when needed

Side note: Crypters

  • Crypters encrypt payloads to avoid anti-virus detection
  • Relatively cheap
  • When no Anti-virus detects it it’s called FUD
  • Protection only lasts a few weeks, so older files are safer.

Infection Vectors

  • There are a lot of ways people look to infect victims with a malicious payload
  • Each type of malware usually has a specific method of infection designed to target specific demographics

Pirated software

  • Pirated software is commonly infected, usually a malicious payload is binded to existing torrents, crypted to avoid detection, and uploaded.
  • Sites like the pirate bay are pretty good at taking down infected uploads
  • KAT is not so great
  • This is mainly used by owners of RAT networks, as it’s easy and low cost.

Drive bys

  • A common method botnet owners use to gain a large number of infected hosts
  • Has 3 major components
    • Exploit kit
    • Compromised sites
    • Payload
  • Often used to target 3rd world countries

Exploit Kit

  • An exploit kit is a piece of software designed to select an exploit that will be effective against an unpatched piece of software (IE 8, old flash, etc)
  • They are usually rented on a daily basis for $300+/day
  • RIG Exploit Kit is the most common used

Legitimate Compromised site

  • You need to get traffic to an exploit kit
  • This is usually done through exploiting legit sites and placing iframes to the exploit kit
  • Sometimes done through malicious advertisements as well

The payload

  • Often the space to run code after an exploit is small
  • Often just enough to download and execute an additional stage

Malicious mail attachments

  • Saw a dip in popularity during the early 2000s
  • On the rise with cryptolockers
  • Usually abuse Word macros to execute payloads
  • Often targeting business specifically