Malware = Mal (malicious) + ware (software)
(Malware is an executable or a binary that is malicious in nature)
What is Malware?
Malware is malicious software that damages or disables computer systems and gives the malware creator limited or full control of the system for the purpose of theft or fraud.
This software is specifically designed to gain access to target machines, steal information and harm the system.
Some examples are: viruses, backdoors, worms, ransomware, spyware, etc.
Purpose of malware :-
1. Spying on the target = keep monitoring
2. Data exfiltration = unauthorized transfer of data
3. Data encryption and destruction = ransomware
Exercise cyber hygiene.
Malware is categorized based on its functionality, but what all of it has in common is that it is malicious in nature.
Types of Malware :-
1. Virus – A self-replicating program capable of producing multiple copies of itself by attaching to another program of any format. These viruses can be executed as soon as they are downloaded.
Characteristic of virus :-
a. Infecting other files.
2. Trojans – Malware hiding inside other legitimate files. Legitimate files and software are bundled with malware so that when the software is installed, the malware is also installed and executed.
Some types of Trojans :-
- Remote Access Trojans: Allow the hacker to take remote access of your system without your knowledge through covert channels.
- Data Sending Trojans: Steal data saved on your system and transmit it to the attacker.
- Destructive Trojans: Destroy other files and services.
- Security Software Disabler Trojans: Disable the system firewall and antivirus so that other malicious files can be downloaded and run without being detected.
Trojan infection process :-
- Create a trojan using a trojan construction kit.
- Create a dropper.
- Create a wrapper.
- Propagate the trojan.
- Execute the dropper.
3. Worm – Similar to a virus but does not require any human intervention to run and propagate across the network. Its primary function is to infect other computers while remaining active on already infected systems.
4. Ransomware – Encrypts the system completely and demands a ransom from the user to decrypt the data. There is no guarantee that the system will be decrypted even after the ransom has been paid.
The typical steps in a ransomware attack are:
1. Infection: After it has been delivered to the system via email attachment, phishing email, infected application or other method, the ransomware installs itself on the endpoint and any network devices it can access.
2. Secure Key Exchange: The ransomware contacts the command and control server operated by the cybercriminals behind the attack to generate the cryptographic keys to be used on the local system.
3. Encryption: The ransomware starts encrypting any files it can find on local machines and the network.
4. Extortion: With the encryption work done, the ransomware displays instructions for extortion and ransom payment, threatening destruction of data if payment is not made.
5. Unlocking: Organizations can either pay the ransom and hope the cybercriminals actually decrypt the affected files, or they can attempt recovery by removing infected files and systems from the network and restoring data from clean backups. Unfortunately, negotiating with cybercriminals is often a lost cause: a recent report found that 42% of organizations who paid a ransom did not get their files decrypted.
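The encryption step above is the one moment a defender can still interrupt the attack with host telemetry: one process suddenly rewriting many files with high-entropy (ciphertext-like) content in a short window is the signature of the encryption phase. The following is an added example, not part of the original notes; it runs a sliding-window detector over a constructed list of file-write events (timestamp, pid, process name, path, first bytes of the new content), and the window, threshold and entropy cutoff are assumed tuning values, not figures from the page.

```python
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted/random data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed sample content, not real files: every byte value once gives
# exactly 8.0 bits/byte (stands in for ciphertext); repeated prose stays low.
HIGH_ENTROPY = bytes(range(256))
TEXT = b"Quarterly report draft, see attached figures for details.\n" * 4

# Constructed file-write events: (t_seconds, pid, process, path, head_bytes).
# pid 5151 rewrites six documents as *.locked within two seconds, then drops a note.
SAMPLE_EVENTS = [
    (100.0, 4242, "winword.exe", r"C:\Users\a\report.docx", TEXT),
    (130.0, 5151, "svchost.exe", r"C:\Users\a\Documents\q1.xlsx.locked", HIGH_ENTROPY),
    (130.4, 5151, "svchost.exe", r"C:\Users\a\Documents\q2.xlsx.locked", HIGH_ENTROPY),
    (130.8, 5151, "svchost.exe", r"C:\Users\a\Documents\plan.docx.locked", HIGH_ENTROPY),
    (131.2, 5151, "svchost.exe", r"C:\Users\a\Documents\notes.txt.locked", HIGH_ENTROPY),
    (131.6, 5151, "svchost.exe", r"C:\Users\a\Pictures\cat.jpg.locked", HIGH_ENTROPY),
    (132.0, 5151, "svchost.exe", r"C:\Users\a\Pictures\dog.jpg.locked", HIGH_ENTROPY),
    (132.5, 5151, "svchost.exe", r"C:\Users\a\Documents\README_DECRYPT.txt", TEXT),
    # A single compressed backup is high-entropy too, but one write is not a burst.
    (200.0, 6060, "backup.exe", r"D:\backup\2024-01.bak", HIGH_ENTROPY),
]


def detect_encryption_bursts(events, window=10.0, threshold=5, entropy_cutoff=7.0):
    """Flag processes that write >= threshold high-entropy files within `window` seconds.

    Returns one alert dict per offending (pid, process) with the burst size and the
    set of file extensions seen in the burst (a new, uniform extension is typical).
    """
    per_process = defaultdict(list)
    for t, pid, proc, path, head in events:
        if shannon_entropy(head) >= entropy_cutoff:
            per_process[(pid, proc)].append((t, path))

    alerts = []
    for (pid, proc), writes in per_process.items():
        writes.sort()
        times = [t for t, _ in writes]
        j = 0  # left edge of the sliding window
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                exts = sorted({p.rsplit(".", 1)[-1].lower() for _, p in writes[j:i + 1]})
                alerts.append({"pid": pid, "process": proc,
                               "count": i - j + 1, "extensions": exts})
                break  # one alert per process is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['process']}: "
              f"{alert['count']} high-entropy writes, extensions={alert['extensions']}")
```

The entropy cutoff separates ciphertext from ordinary documents, and the burst threshold separates a ransomware run from a single legitimate archive or backup write; in production both numbers are tuned against the host's baseline, and an alert feeds the "Isolate the Infection" step rather than being acted on by the script itself.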
How to Defeat Ransomware
1. Isolate the Infection: Prevent the infection from spreading by separating all infected computers from each other, shared storage, and the network.
2. Identify the Infection: From messages, evidence on the computer, and identification tools, determine which malware strain you are dealing with.
3. Report: Report to the authorities to support and coordinate measures to counter attack.
4. Determine Your Options: You have a number of ways to deal with the infection. Determine which approach is best for you.
5. Restore and Refresh: Use safe backups and program and software sources to restore your computer or outfit a new platform.
6. Plan to Prevent Recurrence: Make an assessment of how the infection occurred and what you can do to put measures into place that will prevent it from happening again.
5. Rootkits – Malicious software that allows an unauthorized user to have privileged access to a computer and to restricted areas of its software. Extremely hard to detect and impossible to remove without formatting the system.
6. Adware – Generates unnecessary advertisements on your system and web pages.
7. Spyware – Sits on your system like a spy and monitors/records your activities.
8. Keyloggers – A keylogger is a tool that hackers use to monitor and record the keystrokes you make on your keyboard. Whether they are installed on your operating system or embedded into the hardware, some keyloggers can be very difficult to detect.
An anti-keylogger is a piece of software specifically designed to detect keyloggers on a computer, typically comparing all files in the computer against a database of keyloggers looking for similarities which might signal the presence of a hidden keylogger. As anti-keyloggers have been designed specifically to detect keyloggers, they have the potential to be more effective than conventional antivirus software; some antivirus software do not consider keyloggers to be malware, as under some circumstances a keylogger can be considered a legitimate piece of software.
How to detect whether your system or network is infected by malware of any kind? Check for yourself:
- An extremely slow and unresponsive PC?
- Random folders or shortcuts appearing inside folders?
- Unable to delete certain types of files?
- Issues shutting down because certain files/programs keep running?
- Automatic shutdown or reboot issues?
- Changes in the PC's default settings, e.g. the default search engine changes automatically without any notification?
- Unnecessary services/programs running and consuming the CPU's processing power?
- Similar malware alerts from the antivirus across the network?
- Unusual traffic patterns, or traffic to destinations you never targeted?
Malware analysis :-
It is the process of analyzing a malware sample/binary and extracting as much information from it as possible.
What are the objectives :-
- Understand the type of malware and its functionality.
- How the system was infected with this malware.
- How the malware communicates with the attacker.
- Extract useful indicators, such as registry keys and file names, for future detections.
Goals of malware analysis :-
- Diagnose the threat severity or level of the attack
- Diagnose the type of malware
- Determine the scope of the attack
- Build a defense
- Find the root cause
- Develop anti-malware
Types of Malware Analysis :-
1. Static Analysis :- The process of analyzing malware without executing or running it.
2. Dynamic Analysis :- The process of analyzing malware by executing it and monitoring its functionality.
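A first static pass over a sample, without running it, usually consists of hashing the file, pulling out printable strings and sorting those strings into the indicators the objectives above ask for (URLs, IP addresses, registry keys, file names, notable imported API names). The following is an added example that is not part of the original notes; the "binary" is a constructed byte string that stands in for a sample, and the indicator patterns and the list of APIs worth flagging are the author's assumptions for the example, not a definitive reference.

```python
import hashlib
import re

# Constructed stand-in for a suspicious binary (not real malware): a fake PE
# header, a few opaque bytes, and the kinds of strings a static pass looks for.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    b"\x01\x02\x03"
    b"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"updater.exe\x00http://example.invalid/beacon.php\x00"
    b"\x00\x00\x00\x7f"
    b"10.0.0.23:4444\x00"
)

# APIs that commonly appear in process-injection or download-and-run code.
# Their presence is a triage hint, not proof of maliciousness (assumed list).
NOTABLE_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "SetWindowsHookExW", "URLDownloadToFileA",
    "WinExec", "ShellExecuteA",
}

URL_RE = re.compile(r"https?://[^\s\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
REGKEY_RE = re.compile(r"(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\\S+")
FILENAME_RE = re.compile(r"\b[\w\-]+\.(?:exe|dll|bat|ps1|vbs|js|sys|scr)\b", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample, the identifiers shared in detections and reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_indicators(strings: list) -> dict:
    """Sort extracted strings into indicator classes useful for future detection."""
    ind = {"urls": set(), "ipv4": set(), "registry_keys": set(),
           "filenames": set(), "notable_apis": set()}
    for s in strings:
        ind["urls"].update(URL_RE.findall(s))
        ind["registry_keys"].update(REGKEY_RE.findall(s))
        ind["filenames"].update(f.lower() for f in FILENAME_RE.findall(s))
        # Do not report the host part of a URL a second time as a bare IP.
        if not URL_RE.search(s):
            ind["ipv4"].update(IPV4_RE.findall(s))
        if s in NOTABLE_APIS:
            ind["notable_apis"].add(s)
    return {k: sorted(v) for k, v in ind.items()}


def triage(data: bytes) -> dict:
    """Complete static first pass: hashes, size, strings and classified indicators."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "size": len(data),
            "strings": strings, "indicators": extract_indicators(strings)}


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    print("sha256:", report["hashes"]["sha256"])
    for kind, values in report["indicators"].items():
        print(f"{kind}: {values}")
```

Real samples need more than this (PE headers, imports table, packer detection), but the output already gives the file hash for blocklists, the URL and IP for network detections, and the Run key and dropped file name for host detections, which is exactly the "useful indicators" objective.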
What is a shell?
A shell is software that acts as an intermediary between the user and the kernel. It provides access to the services of the kernel. It is also what is used to gain command execution on any device.
We have two types of shell :-
A reverse shell is a shell initiated from the target host back to the attack box, which is in a listening state to pick up the shell.
A bind shell is set up on the target host and binds to a specific port to listen for an incoming connection from the attack box.
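Both shell types leave a distinctive trace in process and socket telemetry, which ties this section back to the "traffic to destinations you never targeted" symptom in the detection checklist: a reverse shell is a shell interpreter holding an outbound connection, and a bind shell is a shell interpreter holding a listening socket. The following is an added example, not part of the original notes; it applies those two rules plus an allowlist check to a constructed list of connection records (the shape of the records, the allowlisted networks and the process names are assumptions for the example).

```python
import ipaddress

# Interpreters that should essentially never own a network socket themselves.
SHELL_PROCESSES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}

# Constructed allowlist of destination networks the organisation expects to talk to.
KNOWN_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal
    ipaddress.ip_network("203.0.113.0/24"),    # documentation range used as "our SaaS"
]

# Constructed connection records, IPv4 only (not real telemetry). "laddr"/"raddr"
# are "ip:port"; listening sockets have an empty "raddr".
SAMPLE_CONNECTIONS = [
    {"pid": 1200, "process": "chrome.exe", "parent": "explorer.exe",
     "state": "established", "laddr": "10.0.5.7:51000", "raddr": "203.0.113.10:443"},
    {"pid": 3100, "process": "bash", "parent": "python3",
     "state": "established", "laddr": "10.0.5.7:51020", "raddr": "198.51.100.77:4444"},
    {"pid": 3300, "process": "sh", "parent": "update_helper",
     "state": "listen", "laddr": "0.0.0.0:31337", "raddr": ""},
    {"pid": 4400, "process": "svchost.exe", "parent": "services.exe",
     "state": "established", "laddr": "10.0.5.7:51030", "raddr": "192.0.2.45:8080"},
    {"pid": 5500, "process": "sshd", "parent": "systemd",
     "state": "listen", "laddr": "0.0.0.0:22", "raddr": ""},
]


def remote_ip(record: dict):
    """Parse the IPv4 part of an 'ip:port' remote address; None for listeners."""
    if not record["raddr"]:
        return None
    host, _port = record["raddr"].rsplit(":", 1)
    return ipaddress.ip_address(host)


def is_known_destination(ip) -> bool:
    return any(ip in net for net in KNOWN_DESTINATIONS)


def detect_shell_activity(connections) -> list:
    """Return (pid, rule, detail) findings for reverse-shell, bind-shell and
    unknown-destination patterns in a list of connection records."""
    findings = []
    for rec in connections:
        is_shell = rec["process"].lower() in SHELL_PROCESSES
        if is_shell and rec["state"] == "established":
            findings.append((rec["pid"], "reverse-shell-pattern",
                             f"{rec['process']} (parent {rec['parent']}) connected to {rec['raddr']}"))
        if is_shell and rec["state"] == "listen":
            findings.append((rec["pid"], "bind-shell-pattern",
                             f"{rec['process']} (parent {rec['parent']}) listening on {rec['laddr']}"))
        ip = remote_ip(rec)
        if ip is not None and not is_known_destination(ip):
            findings.append((rec["pid"], "unknown-destination",
                             f"{rec['process']} -> {rec['raddr']} not in allowlist"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect_shell_activity(SAMPLE_CONNECTIONS):
        print(f"pid={pid} {rule}: {detail}")
```

Note that the bash process (pid 3100) trips two rules at once, which is the usual picture for a reverse shell: the interpreter itself owns the socket, and the far end is not somewhere the host normally talks to. The parent process field is carried in the detail so an analyst can see what spawned the shell; it is not used for a rule here.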
Countermeasures :-
- Anti-virus software on user machines. Update anti-virus definition files as soon as they are released. Most anti-virus software automatically checks for updated definition files each time the system starts; update checks should be made daily. Anti-virus software is the least effective protection against zero-day malicious code, as the AV product is unlikely to be able to detect the new malicious code. Only after the signature or pattern of the malicious code is added to its database can an AV product reliably protect against it.
- Install a different anti-virus software on e-mail servers.
- User awareness training in identifying suspicious e-mail.
- Disable scripts when previewing or viewing e-mail.
- Prevent download of software from the Internet.
- Strict software installation policies.
- Remove removable drives to prevent unauthorized software entering a system.
- Anti-virus scanners on e-mail gateways are the only effective security measure against e-mail viruses.
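The "only after the signature is in its database" point above, and the anti-keylogger described earlier that compares files against a database of known keyloggers, both rest on the same mechanism: a scanner can only recognise what its database already describes. The following is an added example (not the page's own, and not any real AV product's logic) of a minimal signature scanner with two signature kinds, an exact file hash and a byte pattern, run over constructed samples: one the database knows, one rebuilt variant of the same family that only the pattern still catches, one entirely new family that nothing catches, and one benign file.

```python
import hashlib

# Constructed sample files (not real malware). The "variant" is the same family
# rebuilt with a different label, so its hash differs but its C2 string does not.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-A:" + bytes(range(32)) + b"beacon=http://example.invalid/cc"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"SAMPLE-A", b"SAMPLE-B")
UNKNOWN_SAMPLE = b"CONSTRUCTED-NEW-FAMILY:" + bytes(range(64, 96))   # the "zero-day"
BENIGN_FILE = b"#!/bin/sh\necho hello\n"

# The definition database an AV vendor would ship: exact hashes of seen samples
# plus byte patterns shared by a family. Both are assumed, constructed entries.
SIGNATURE_DB = {
    "hashes": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.Family.A"},
    "patterns": {b"beacon=http://example.invalid/cc": "Example.Family (C2 string)"},
}


def scan(data: bytes, db: dict = SIGNATURE_DB):
    """Return (match_kind, signature_name); (None, None) when nothing in the DB matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["hashes"]:
        return ("hash", db["hashes"][digest])
    for pattern, name in db["patterns"].items():
        if pattern in data:
            return ("pattern", name)
    return (None, None)


def update_definitions(db: dict, new_sample: bytes, name: str, pattern: bytes = None) -> dict:
    """What a definition update does: add the new sample's hash (and optionally a
    family pattern) so the scanner can recognise it from now on."""
    db["hashes"][hashlib.sha256(new_sample).hexdigest()] = name
    if pattern:
        db["patterns"][pattern] = name
    return db


def scan_all(samples: dict, db: dict = SIGNATURE_DB) -> dict:
    return {label: scan(data, db) for label, data in samples.items()}


if __name__ == "__main__":
    samples = {"known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE,
               "unknown": UNKNOWN_SAMPLE, "benign": BENIGN_FILE}
    for label, (kind, name) in scan_all(samples).items():
        print(f"{label:8s}: {'DETECTED via ' + kind + ' -> ' + name if kind else 'clean (as far as the DB knows)'}")
    # After the vendor ships a definition for the new family, it is caught.
    update_definitions(SIGNATURE_DB, UNKNOWN_SAMPLE, "Example.NewFamily")
    print("unknown after update:", scan(UNKNOWN_SAMPLE))
```

The pattern signature is more robust than the hash because it survives a rebuild of the same family, which is why vendors maintain both; but neither says anything about a sample the database has never seen, which is the zero-day gap the notes describe and the reason the other countermeasures in the list are needed alongside AV.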