Week 9 - Malware

malware

Uploaded by

Raghad Samer

EXAM FOCUS

• Explain botnets, how they are created and their purpose
• Explain the architecture of a typical botnet and how one could take down a botnet
• Explain techniques used by bots to locate their command and control architecture
• Explain signature-based and behaviour-based malware detection
• Explain polymorphic and metamorphic malware
• Explain what commoditisation of malware means
• Classify different types of malware based on distribution and dependency on host
• Explain static and dynamic analysis of malware
• Explain what exploit kits are and how they work
HOW TO UNDERSTAND MALWARE

- Collect samples:
  - infected machines
  - honeypots (bait)
  - other means
- Analyse samples (static):
  - study the program without executing it
  - reverse engineering made harder by obfuscation (making the code hard to recognise) and encryption
- Analyse samples (dynamic):
  - study program properties by executing it
  - limited by the environment in which it runs (e.g. sandbox)

TRADITIONAL MALWARE

- assembler / C / macro code
- spread via infection (virus), network (worm) or removable media
- detection is very easy: payload is neither protected nor obfuscated
- signature-based detection is sufficient
  - compare hash of inspected code against a malware signature database (antivirus)
- heuristics used to detect unknown malware, e.g.:
  - code execution starts in the last section
  - incorrect header size
  - suspicious section names
  - patched table of imported functions
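The two mechanisms above, exact-hash signature matching followed by header heuristics when no signature matches, as an added example that is not part of the lecture notes. It constructs two minimal PE32 images in memory (a plain one and a packer-style one with a misreported header size, an entry point in the last section and non-standard section names), so nothing here is a real sample; the signature database is likewise constructed at runtime and the "patched import table" heuristic from the notes is not implemented.

```python
import hashlib
import struct

# Section names a linker normally emits; anything else is treated as suspicious
# (heuristic only, real scanners also see .textbss, UPX0, .aspack, ... in the wild).
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                  ".edata", ".bss", ".tls", ".pdata"}


def build_pe(sections, entry_rva, size_of_headers=None):
    """Construct a minimal PE32 image: DOS header, PE signature, COFF header,
    optional header and section table. Only the fields the heuristics read are filled.
    `sections` is a list of (name, virtual_address, size)."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    if size_of_headers is None:
        size_of_headers = headers_end                 # honest value for a benign file
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # offset of the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, 0x60000020)
        for name, rva, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Read entry point, declared header size and section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_off = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, rva = struct.unpack_from("<8sII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return {"entry_rva": entry_rva, "size_of_headers": size_of_headers,
            "headers_end": sec_off + 40 * num_sections, "sections": sections}


def heuristic_flags(pe):
    """The three header heuristics from the notes; each returns a reason string."""
    flags = []
    if pe["sections"]:
        _, last_rva, last_size = pe["sections"][-1]
        if last_rva <= pe["entry_rva"] < last_rva + last_size:
            flags.append("entry point in last section")    # typical of packed code
    if pe["size_of_headers"] < pe["headers_end"]:
        flags.append("incorrect header size")              # declared size too small
    odd = [n for n, _, _ in pe["sections"] if n not in KNOWN_SECTIONS]
    if odd:
        flags.append("suspicious section names: " + ", ".join(odd))
    return flags


def scan(data, signature_db):
    """Signature lookup first (exact SHA-256), heuristics only when nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in signature_db:
        return "signature match: " + signature_db[digest]
    flags = heuristic_flags(parse_pe(data))
    return ("heuristic: " + "; ".join(flags)) if flags else "clean"


# Constructed samples (toy images, not real files).
BENIGN = build_pe([(".text", 0x1000, 0x1000), (".data", 0x2000, 0x1000)], entry_rva=0x1100)
SUSPECT = build_pe([("UPX0", 0x1000, 0x5000), ("UPX1", 0x6000, 0x2000)],
                   entry_rva=0x6500, size_of_headers=0x80)
# Constructed signature database keyed by SHA-256 of the whole file.
SIGNATURE_DB = {hashlib.sha256(SUSPECT).hexdigest(): "Constructed.Packed.Sample"}

if __name__ == "__main__":
    print(scan(BENIGN, SIGNATURE_DB))   # clean
    print(scan(SUSPECT, SIGNATURE_DB))  # signature match
    print(scan(SUSPECT, {}))            # heuristics kick in when the hash is unknown
```

The point the notes make is visible in the last call: a whole-file hash only catches the exact bytes it was computed over, so the moment the sample changes the database entry is useless and the header heuristics are all that is left.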

POLYMORPHIC MALWARE

- uses a different encryption key for the payload each time it infects
- file-based signatures practically impossible (as the signature always changes), but memory-based detection still possible
- makes heuristic approaches based on files practically impossible
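Why a file hash stops working but a memory scan does not, as an added example (not from the notes). The "payload" is a constructed byte string, not code, and the decryptor stub is modelled as a fixed marker plus the key rather than as instructions; the memory scanner is emulated by applying the stub's decryption and hashing the result, which is what an in-memory or unpacking scanner effectively sees.

```python
import hashlib
import os

# Constructed stand-in for the malicious body (plain text, not executable code).
PAYLOAD = b"CONSTRUCTED-PAYLOAD: stands in for the decrypted malicious body"
# Signature a memory scanner would hold: hash of the body as it exists after decryption.
PAYLOAD_SIGNATURE = hashlib.sha256(PAYLOAD).hexdigest()


def xor(data, key):
    """Repeating-key XOR, the classic toy polymorphic 'encryption' layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_polymorphic_sample(payload):
    """Model one infection: fresh random key, payload encrypted under it, and a
    fixed stub that carries the key so the body can be restored at run time."""
    key = os.urandom(8)
    return b"STUB" + key + xor(payload, key)


def file_scan(sample, file_signatures):
    """Traditional AV: hash the file on disk and look it up."""
    return hashlib.sha256(sample).hexdigest() in file_signatures


def memory_scan(sample, payload_signatures):
    """Memory-based detection: run (here: emulate) the stub until the body is
    decrypted, then hash what would be sitting in memory."""
    key = sample[4:12]
    decrypted = xor(sample[12:], key)
    return hashlib.sha256(decrypted).hexdigest() in payload_signatures


def compare_detection(n=5):
    """Build a file signature from the first sample seen, then test n fresh
    infections with both scanners. Returns (file_hits, memory_hits)."""
    first = make_polymorphic_sample(PAYLOAD)
    file_sigs = {hashlib.sha256(first).hexdigest()}
    samples = [make_polymorphic_sample(PAYLOAD) for _ in range(n)]
    file_hits = sum(file_scan(s, file_sigs) for s in samples)
    memory_hits = sum(memory_scan(s, {PAYLOAD_SIGNATURE}) for s in samples)
    return file_hits, memory_hits


if __name__ == "__main__":
    print(compare_detection())  # (0, 5): every file hash differs, every decrypted body matches
```

Every generation carries the same decryption stub, which is why real products also fingerprint the stub itself and why the metamorphic variants described next go after the stub too.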

METAMORPHIC MALWARE

- rewrites its own code with each infection, so the payload of each sample differs from all the others
- simple techniques: varying the number of NOPs, permuting the CPU registers used, adding useless instructions
- advanced techniques: function reordering, program flow modification, data structure modification

BEHAVIOUR BASED DETECTION

- does not focus on what the code looks like but on what it does
- monitor events, derive behaviour, detect malicious behaviour
- execute potential malware in a sandbox [but much malware detects the sandbox, i.e. whether it is executed in a VM]
- Kaspersky behaviour-based protection [uses ML to detect]
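A small behaviour-based detector over a constructed sandbox event trace, as an added example that is not part of the notes or of any vendor's product. The events (process starts, file writes, a Run-key write, an outbound connection) are invented for two processes, and the three rules and their weights are assumptions chosen to illustrate scoring what the code does rather than what it looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sandbox trace: (pid, event_type, detail). Paths and addresses are invented;
# 203.0.113.0/24 is a documentation range.
EVENTS = [
    ("1001", "process_start", r"C:\Users\victim\Downloads\invoice.pdf.exe"),
    ("1001", "file_write", r"C:\Users\victim\Documents\report.docx.locked"),
    ("1001", "file_write", r"C:\Users\victim\Documents\budget.xlsx.locked"),
    ("1001", "file_write", r"C:\Users\victim\Pictures\holiday.jpg.locked"),
    ("1001", "file_write", r"C:\Users\victim\Desktop\README_RESTORE.txt"),
    ("1001", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("1001", "network_connect", "203.0.113.7:8443"),
    ("2002", "process_start", r"C:\Program Files\Editor\editor.exe"),
    ("2002", "file_write", r"C:\Users\victim\Documents\notes.txt"),
    ("2002", "network_connect", "updates.example.org:443"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def summarise(events):
    """Fold the raw event stream into per-process behaviour features."""
    per_pid = defaultdict(lambda: {"image": None, "file_writes": 0, "locked_ext": 0,
                                   "run_key": False, "raw_ip": False})
    for pid, kind, detail in events:
        s = per_pid[pid]
        if kind == "process_start":
            s["image"] = detail
        elif kind == "file_write":
            s["file_writes"] += 1
            if detail.lower().endswith(".locked"):     # user files gaining a new extension
                s["locked_ext"] += 1
        elif kind == "registry_set" and RUN_KEY.search(detail):
            s["run_key"] = True                         # persistence via autorun key
        elif kind == "network_connect":
            host = detail.rsplit(":", 1)[0]
            try:
                ipaddress.ip_address(host)              # bare IP, no DNS name
                s["raw_ip"] = True
            except ValueError:
                pass
    return per_pid


def detect(events, threshold=4):
    """Score each process against weighted behaviour rules (weights are assumptions)."""
    verdicts = {}
    for pid, s in summarise(events).items():
        hits = []
        if s["locked_ext"] >= 3:
            hits.append(("mass file modification with new extension", 3))
        if s["run_key"]:
            hits.append(("Run-key persistence", 2))
        if s["raw_ip"]:
            hits.append(("outbound connection to bare IP address", 2))
        score = sum(w for _, w in hits)
        verdicts[pid] = {"image": s["image"], "score": score,
                         "reasons": [r for r, _ in hits], "malicious": score >= threshold}
    return verdicts


if __name__ == "__main__":
    for pid, v in detect(EVENTS).items():
        print(pid, v["image"], v["score"], "MALICIOUS" if v["malicious"] else "ok", v["reasons"])
```

No single event here is conclusive (editors write files, updaters touch Run keys), which is why the rules are combined into a score; the caveat in the notes still applies, since a sample that recognises the sandbox simply produces no events worth scoring.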

EXPLOIT KITS

- prepackaged attacks designed to exploit prewritten exploits for known or unknown vulnerabilities
- Example: Angler (an active exploit kit)
  - changing patterns and payloads to hide its presence
  - two levels of redirection before the landing page
  - compromised web servers hosting the landing page can only be visited once from a given IP
  - detects virtual machines and security products
  - uses garbage and junk calls to make reverse engineering difficult
  - fileless infection (direct to memory)
  - downloads the payload onto the victim machine

MALWARE ECONOMY / MALWARE AS A SERVICE

- launching malware attacks on behalf of users
- pay per install (PPI):
  - clients have their malware installed on other machines
  - roles: clients, providers and affiliates (who perform the install)
  - Example: PrivateLoader
- avoiding detection:
  - stealthy executable
  - clients are on their own
  - affiliates rely upon the provider to supply them with a stealthy downloader
  - stealthy = relying on packers
  - providers tell affiliates and clients not to test programs on free malware scanners (those services often share submitted samples with AV vendors)

BOTNETS

- system for carrying out criminal acts
- victims turned into bots
- botmasters outsource infections to PPI providers
- financially motivated
- host infected by:
  - network worm
  - email attachment
  - Trojans (like that Photoshop Keygen)
  - drive-by downloads
  - existing backdoor
  - cloud service: exploit as a service
  - specialised services: pay-per-install (PPI)

Communications

- push vs pull
  - push means the C&C sends commands to the bot
  - pull means the bot requests commands from the C&C
  - depends on protocol (e.g. HTTP is usually pull)
- centralised control
  - Internet Relay Chat: commands published in IRC channels
  - HTTP: commands published on a web server
  - SMB: commands published via file sharing
  - Neoteric: home-grown protocol based on UDP, TCP or even ICMP
- distributed control
  - P2P network and protocols: existing peer-to-peer protocols

Communication hiding

- encryption (in various forms)
- compression
- multiple protocols (also good for robustness)
- covert channels: channels not intended to be used for communication
- steganography: similar to covert channels but hides the communication in content, e.g. images
- stepping stones

Locating the C&C by the bot

- hard-coded IP address
- fast flux / IP flux: one fully qualified domain name, many IP addresses
  - hard-coded
  - dynamically generated
- domain flux: set of many FQDNs, one IP address
  - hard-coded
  - dynamically generated
- search keys in the P2P network
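The two DNS-based C&C locating schemes above leave opposite footprints in resolver logs, and the defender's view of that is shown here as an added example (not from the notes). The passive-DNS observations are constructed (all names and addresses are from the documentation ranges and example domains); fast flux shows up as one FQDN cycling through many addresses with short TTLs, domain flux as many throw-away FQDNs resolving to one address. The `looks_generated` label check is a deliberately crude assumption standing in for a real DGA classifier.

```python
from collections import defaultdict

# Constructed passive-DNS records: (seconds_since_start, fqdn, resolved_ip, ttl).
OBSERVATIONS = [
    (0,   "cdn.example.org",          "198.51.100.10", 3600),   # ordinary site, stable answer
    (900, "cdn.example.org",          "198.51.100.10", 3600),
    (0,   "update-svc.example.net",   "203.0.113.5",   60),     # one name, many IPs, low TTL
    (60,  "update-svc.example.net",   "203.0.113.77",  60),
    (120, "update-svc.example.net",   "203.0.113.130", 60),
    (180, "update-svc.example.net",   "203.0.113.201", 60),
    (240, "update-svc.example.net",   "203.0.113.9",   60),
    (0,   "xk3jd9qwe.example.com",    "192.0.2.44",    300),    # many names, one IP
    (0,   "p0w8zzq1t.example.com",    "192.0.2.44",    300),
    (0,   "mm2vq7hhd.example.com",    "192.0.2.44",    300),
    (0,   "bq9wtr4lz.example.com",    "192.0.2.44",    300),
]


def looks_generated(fqdn):
    """Crude DGA heuristic on the leftmost label: long, and either containing digits
    or almost vowel-free. An assumption for this toy data; real detectors use n-gram
    or character-distribution models trained on benign traffic."""
    label = fqdn.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 8 and (any(c.isdigit() for c in label) or vowels / len(label) < 0.3)


def fast_flux_candidates(observations, min_ips=4, max_ttl=300):
    """FQDNs that resolved to at least `min_ips` distinct addresses, all with short TTLs.
    CDNs also fan out like this, so in practice the hits are triaged against address
    diversity (many unrelated networks) and a known-CDN allow-list."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _, fqdn, ip, ttl in observations:
        ips[fqdn].add(ip)
        ttls[fqdn].append(ttl)
    return {f for f in ips if len(ips[f]) >= min_ips and max(ttls[f]) <= max_ttl}


def domain_flux_candidates(observations, min_fqdns=3):
    """IPs answering for at least `min_fqdns` distinct FQDNs where most labels look
    machine-generated (the label check suppresses ordinary shared hosting)."""
    names = defaultdict(set)
    for _, fqdn, ip, _ in observations:
        names[ip].add(fqdn)
    return {ip for ip, fqdns in names.items()
            if len(fqdns) >= min_fqdns and 2 * sum(map(looks_generated, fqdns)) >= len(fqdns)}


if __name__ == "__main__":
    print("fast flux:", sorted(fast_flux_candidates(OBSERVATIONS)))
    print("domain flux:", sorted(domain_flux_candidates(OBSERVATIONS)))
```

The same records answer the takedown question from the exam focus: a fast-flux name can be sinkholed at the registrar in one step because the bots depend on that single FQDN, whereas domain flux forces the defender to predict or register the generated names ahead of the botmaster.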
