March 11th, 2021
Ori Or-Meir, Nir Nissim, Yuval Elovici, and Lior Rokach. 2019. Dynamic Malware Analysis in the Modern Era—A State of the Art Survey. ACM Comput. Surv. 52, 5, Article 88 (October 2019), 48 pages. “Survey”: Read sections 1-4 (pages 1-18) open access
Wenke Lee Georgia Institute of Technology, Malware and Attack Technologies Knowledge Area, Issue 1.0, October 2019 PDF
Amir Afianian, Salman Niksefat, Babak Sadeghiyan, and David Baptiste. 2019. Malware Dynamic Analysis Evasion Techniques: A Survey. ACM Comput. Surv. 52, 6, Article 126 (January 2020), 28 pages.
Hamidreza Alimardani and Mohammed Nazeh. 2018. A Taxonomy on Recent Mobile Malware: Features, Analysis Methods, and Detection Techniques. In Proceedings of the 2018 International Conference on E-business and Mobile Commerce (ICEMC ’18). Association for Computing Machinery, New York, NY, USA, 44–49.
Alexei Bulazel and Bülent Yener. 2017. A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web. In Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium (ROOTS). Association for Computing Machinery, New York, NY, USA, Article 2, 1–21.
From Wikipedia: Malware
Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network (by contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug).
Malware is code running on a computerized system whose presence or behavior the system administrators are unaware of; were the system administrators aware of the code and its behavior, they would not permit it to run.
Malware compromises the confidentiality, integrity or the availability of the system by exploiting existing vulnerabilities in a system or by creating new ones.
These are common designations of malware with links to Wikipedia:
A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be “infected” with a computer virus. Computer viruses generally require a host program. The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage.
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue.
Infection mechanism (also called ‘infection vector’): This is how the virus spreads or propagates. A virus typically has a search routine, which locates new files or new disks for infection.
Trigger: Also known as a logic bomb, this determines the event or condition for the malicious “payload” to be activated or delivered
Payload : The “payload” is the actual body or data which carries out the malicious purpose of the virus.
Dormant phase: The virus program is idle during this stage. The virus program has managed to access the target user’s computer or software, but during this stage, the virus does not take any action.
Propagation phase: The virus starts propagating, which is multiplying and replicating itself. The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often “morph” or change to evade detection by IT professionals and anti-virus software.
Triggering phase: A dormant virus moves into this phase when it is activated, and will now perform the function for which it was intended.
Execution phase: This is the actual work of the virus, where the “payload” will be released.
From Trojan horse
In computing, a Trojan horse is any malware which misleads users of its true intent. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.
From Trojan horse
Trojans may allow an attacker to access users’ personal information such as banking information, passwords, or personal identity. It can also delete a user’s files or infect other devices connected to the network. Ransomwares attacks are often carried out using a trojan.
Unlike computer viruses, worms, and rogue security software, trojanss generally do not attempt to inject themselves into other files or otherwise propagate themselves.
From Wikipedia: Dropper
A dropper is a kind of Trojan that has been designed to “install” some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage).
See also Malware spotlight: Droppers
From Wikipedia: Backdoors
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), etc. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information.
From Meterpreter backdoor
A remote access trojan (RAT, sometimes called creepware) is a type of malware that controls a system through a remote network connection. While desktop sharing and remote administration have many legal uses, “RAT” connotes criminal or malicious activity.
Spy Functions: Webcam Capture, Sound Capture, Remote Desktop, Keylogger
Network Functions: Active Ports, Network Shares, Server Socks5, LAN Computers, Net Gateway, IP Scanner, Url Download, Browse Page, Redirect IP/Port, WiFi Access Points
Computer Power: Poweroff, Shutdown, Restart, Logoff
Server Actions: Lock Computer, Restart Server, Close Server, Uninstall Server, Upload and Execute, Remote Edit Service
PoetRAT: Malware targeting public and private sector in Azerbaijan evolves, October 2020, “leverages malicious Microsoft Word documents alleged to be from the Azerbaijan government”
CRAT wants to plunder your endpoints, November 2020, “The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion. The attack also employs a multitude of anti-infection checks to evade sandbox based detection systems.”
ObliqueRAT returns with new campaign using hijacked websites, March 2021, “utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT”
Spyware describes software with malicious behavior that aims to gather information about a person or organization and send such information to another entity in a way that harms the user; for example by violating their privacy or endangering their device’s security. This behavior may be present in malware as well as in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected
TALOS: Masslogger, February, 2021, “designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers”
From Wikipedia: Rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound of “root” (the traditional name of the privileged account on Unix-like operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.
From Wikipedia: Adware
Adware is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a “pay-per-click” basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling.
Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. Recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
See also Cryptovirology
Ransomware Statistics, Trends and Facts for 2020 and BeyondUpdated November 2020
Ransomware 2020: Attack Trends Affecting Organizations Worldwide Updated October 2020
Ransomware Facts, Trends & Statistics for 2021 February 2021
From Wikipedia: Scareware
Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for software to remove it. Usually the virus isn’t real and the software is non-functional or malware itself.
Cryptominers use any available computing power of the victim to mine cryptocurrencies for the attacker. The victims bear the brunt of the increased electricity costs and performance deterioration, while the attacker makes all the profit. This is a fairly new attack that has been on the rise since 2017; reportedly, almost 90% of recent malware attacks are cryptominers. This trend is explained by the fact that mining cryptocurrencies yields great profits to attackers while requiring minimal effort.
Lemon Duck brings cryptocurrency miners back into the spotlight, October 2020, “has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits”
Since there seem to be so many “types” of malware with new varieties emerging relatively frequently we need alternative ways to look at the problem. This way we can come up with more general methods for detection, prevention and removal.
The most common malicious activity is information theft, whether it’s banking information, classified information, passwords, or access credentials. Such information can be used to access other systems or accounts, steal money or other goods, or damage a company financially, and when it comes to hospitals and governmental agencies, it can even risk lives. In terms of the CIA triad, information theft compromises the confidentiality of data and is mostly associated with RATs and spyware.
Stealing Credentials: Passwords, as well as other credential types, such as biometric information and authentication certificates.
Keylogging: keylogger malware records every keystroke entered by the user and sends it to its C&C. Keyloggers are primarily used to extract passwords and other types of sensitive information.
Spying: Spyware collects information about the infected host, users, or the organization. Such information may include proprietary information, data about clients, or personal documents.
Sniffing attack: Sniffer malware steal information as it travels from one machine to another. This is usually done by monitoring the network traffic and extracting data from it.
Infecting a host with malware is done by exploiting a vulnerability. However, malware sometimes create new vulnerabilities by removing anti-viruses, installing backdoors, changing passwords, changing firewall settings, adding a new privileged user, downgrading software to an older version, and more. These new vulnerabilities can later be used by the attacker to gain access to the victim, even if the original malware was detected and removed. This behavior compromises the integrity of the system and associated with RATs and bots.
DDoS attacks: DDoS attacks use botnets to generate simultaneous requests from all over the globe.
Access denial attacks: Worms can spread and cause a denial-of-service attack against the network’s infrastructure. Ransomware encrypts files causing a DoS attack against the user’s file system.
Damaging the hardware: Although not common, it is real. Since electronic circuits often contain firmware, it is possible to overwrite it with garbage code and render the device unusable. Such an attack against the BIOS was demonstrated by Win9x.CIH, which prevents the computer from booting after overwriting the BIOS with buggy firmware code.
Executing commands from a command and control (C&C) server: Sometimes malware authors wish to have full control over the infected endpoint. For that purpose, they incorporate a command execution mechanism in the malware that executes commands it receives from the C&C. This behavior compromises the integrity of the system and is mostly associated with bots and RATs.
Malicious parties can use deception to gain access to restricted subsystems and/or manipulate data for their benefit. This type of behavior is common among financial malware performing phishing attacks to gain access to banking accounts. This behavior compromises the integrity and confidentiality of the system and associated with RATs and scareware. Common deception behaviors include the following: disguising as a benign software, phishing attacks, pretending to be a legitimate user, scaring the user, and man in- the-middle (MITM) attacks.
Malware might annoy the user by showing ads to the user (adware), changing the user’s homepage or default search engine, or defacing Web pages. This type of malware behavior might not be malicious per se, but it still falls within the definition in that it is unwanted by the user, and if the system administrators knew about its existence, they would not allow it to execute. Although this behavior does not compromise any component of the CIA triad it is unwanted by the user and disturbs normal workflow.
Cryptominers leverage their victims’ computer resources, causing the infected machines to run abnormally slow, for the sole purpose of generating revenue by selling the mined cryptocurrency. For the most part, cryptominers allow the system to run as normal and don’t interact with the system’s information, apart from performing the computations required to mine cryptocurrencies.
We will look into the behaviors associated with analysis evasion and detection avoidance in a separate slide set that discusses detection. Now we will look at some key supporting operations.
Communicating with the C&C
Malware needs to find a way to load itself after each reboot. The Windows registry can be used for this purpose, but other techniques are also used, including: shortcut modifications, DLL search order hijacking, subverting the boot process and loading a malicious kernel (such malware is called a bootkit), hardware infection, and others. One method malware use to gain persistency is by adding itself to an Auto-Start Extendibility Point (ASEP), such as the registry startup key inWindows. For example, adding a malicious command to the Run or RunOnce registry keys will cause the computer to execute that command when the system has finished the booting process.
Communication with the C&C includes getting commands from a handler, receiving updates, and sending extracted data. Malware communication is usually covert, enabling malware to bypass detection tools and firewalls.
Malware collect data from various sources, including: volatile memory (e.g., passwords, credentials, and cryptographic keys), the file system (e.g., documents), the operating system (e.g., registry values, active processes, system configuration, open windows), user activities (e.g., websites visited, open documents, keystrokes), and the network (e.g., connected printers, open ports on other hosts).
Spreading methods include sending infecting emails (via attachments or malicious scripts); exploiting vulnerabilities to allow remote execution; file sharing (e.g., P2P file sharing, torrent clients, shared folders); and the use of Bluetooth, USB, and other portable devices.