Malware
Malware
The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network may not want to occur.
Malware Types
Ransomware
Ransomware is malware that takes over a computer and then demands a ransom. There are many types of ransomware, including crypto malware, which encrypts files and then holds them hostage until a ransom is paid. Other ransomware techniques include threatening to report the user to law enforcement due to pirated software or pornography, or threatening to expose sensitive information or pictures from the victim's hard drive or device. Creating an exact backup of the system files in case attackers encrypt the data and hold is hostage. Anti-ransom tools also mitigate damages. Trojans
Trojans, or Trojan horses, are a type of malware that is typically disguised as legitimate software. They are called Trojan horses because they rely on unsuspecting individuals running them, thus providing attackers with a path into a system or device. Remote access Trojans (RATs) provide attackers with remote access to systems. Some legitimate remote access tools are used as RATs, which can make identifying whether a tool is a legitimate remote support tool or a tool being used for remote access by an attacker difficult. RATs provide remote access and monitoring of a system for attackers. Security practitioners often combat Trojans and RATs using a combination of security awareness—to encourage users to not download untrusted software—and antimalware tools that detect Trojan and RAT-like behavior and known malicious files. Worms
Unlike Trojans that require user interaction, worms spread themselves with out user assistance or intervention. Although worms are often associated with spreading via attacks on vulnerable services, any type of spread through automated means is possible, meaning that worms can spread via email attachments, network file shares, or other methods as well. Worms also self-install, rather than requiring users to click on them, making them quite dangerous. Often credited as the most dangerous malware type. RootKits
Rootkits are malware that is specifically designed to allow attackers to access a system through a backdoor or BIOS. RootKits can be concealed from detection using a few methods: Leveraging filesystem drivers to ensure that users cannot see the rootkit files Infecting startup code in the master boot record (MBR) of a disk, thus allowing attacks against full-disk encryption systems. The best way to detect a rootkit is to test the suspected system from a trusted system or device. Secure Boot also protects against Rootkit installations. Rootkit detection tools look for behaviors and signatures that are typical of rootkits. Techniques like integrity checking and data validation against expected responses can also be useful for rootkit detection Anti-rootkit tools often use a combination of these techniques to detect complex rootkits. Full system restoration is the best viable option Patching, using secure configurations, and ensuring that privilege management is used. Backdoors
Backdoors are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications. Backdoors can be hardware or software based. Trojans and rootkits often include a backdoor so that attackers can access the systems that they have infected. Manufacturer-installed backdoors are a concern since they may not be disclosed, and if they are discovered by attackers, they can provide access that you may not be aware of. Detecting backdoors can sometimes be done by checking for unexpected open ports and services, but more complex backdoor tools may leverage existing services. Some backdoors that conceal their traffic by tunneling out to a remote control host using encrypted or obfuscated channels. Bots
Bots are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions, ranging from additional compromises and infection, to denial-of-service attacks or acting as spam relays. Large botnets may have hundreds of thousands of bots involved in them, and some have had millions of bots in total. Botnet Command and Control (C&C) These systems operate in a client-server mode; they will contact central control systems, which provide commands and updates, and track how many systems are in the botnet Modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored and analyzed by defenders. Command and control (C&C) servers are the core of a botnet. They allow attackers to manage the botnet, and advanced C&C tools have a broad range of capabilities that can help attackers steal data, conduct distributed denial-of-service attacks on a massive scale, deploy and update additional malware capabilities, and respond to attempts by defenders to protect their networks. Peer-to-Peer Botnet Control Peer-to-peer networks connect bots to each other, making it harder to take down a single central server or a handful of known C&C IP addresses or domains. Fast Flux mean that the many systems in the network of control hosts register and de-register their addresses, often every few minutes on an ongoing basis. Using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based denylisting and takedown efforts difficult. Techniques like that can be defeated in controlled networks by forcing DNS requests to organizationally controlled DNS servers rather than allowing outbound DNS requests. Logging all DNS requests can also provide useful information when malware hunting, because machine-generated DNS entries can frequently be easily spotted in logs Taking down the domain name is the best way to defeat a fast flux DNS–based botnet or malware. Antimalware tools, IDS, IPS, endpoint detection, and response tools help mitigate the chances of botnet takeover. Keyloggers
Keyloggers are programs that capture keystrokes from keyboards, although keylogger applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices. Keyloggers can capture data from the kernel, to APIs or scripts, or even directly from memory. Patching and system management can help prevent software-based keylogging from occurring. Multifactor Authentication (MFA) can help limit the impact of a keylogger, even if it cannot defeat the keylogger itself. Using a bootable USB drives can prevent use of a potentially compromised underlying operating system. Logic Bombs
Logic Bombs are functions or code that are placed inside other programs that will activate when a set of conditions are met. Some malware uses this type of code to activate when a specific date or set of conditions is met. Virus
Viruses are malicious programs that self-copy and self-replicate. Viruses require one or more infection mechanisms that they use to spread themselves, typically paired with some form of search capability to find new places to spread to. Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs. Viruses come in many varieties Memory-resident viruses, which remain in memory while the system of device is running Non-memory-resident viruses, which execute, spread, and then shut down Boot sector viruses, which reside inside the boot sector of a drive or storage media Macro viruses, which use macros or code inside word processing software or other tools to spread Email viruses, which spread via email either as attachments or as part of the email itself using flaws within email clients They spread via methods like spam email and malicious websites, and they exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system by the same process at reboot through a registry entry or other technique Fileless Viruses require the following: They require a vulnerability to succeed Ensuring that browsers, plug-ins, and other software are up to date and protected can prevent most attacks. Using antimalware tools that can detect unexpected behavior from scripting tools like PowerShell can also help stop fileless viruses. Network-level defenses like IPSs, as well as reputation-based protection systems, can prevent potentially vulnerable systems from browsing known malicious sites. Spyware
Spyware is malware that is designed to obtain information about an individual, organization, or system Many spyware packages track users' browsing habits, installed software, or similar information and report it back to central servers. Stalkerware, a type of spyware used to illicitly monitor partners in relationships. Potentially Unwanted Programs (PUPs)
Potentially Unwanted Programs (PUPs) are programs that may not be wanted by the user but are not as dangerous as other types of malware. PUPs are typically installed without the user's awareness or as part of a software bundle or other installation. PUPs include adware, browser toolbars, web browser–tracking programs, and others. Many PUPs are not technically malicious—they're annoying, they can be privacy risks, and they can slow a system down or otherwise cause problems—but they aren't actually malware. Adversarial AI
Adversarial artificial intelligence is a developing field where artificial intelligence (AI) is used by attackers for malicious purposes. The focus of adversarial AI attacks currently tends to deal with data poisoning: providing security and analytic AI and ML algorithms with adversarial (incorrect) input that serves the attacker's purposes, or attacks against privacy. Security of machine learning algorithms themselves will be increasingly important Tainted Training Data for Machine Learning A few subtle tweaks in the training regime can poison this “reinforcement learning,” so that the resulting algorithm responds—like a sleeper agent—to a specified trigger by misbehaving in strange or harmful ways. Security of Machine Learning Algorithms As ML algorithms become more commonly used & complex, securing these algorithms will become more of a main priority. Tainting the AI during the learning phase can ‘brainwash’ it into committing sinister activities. Securing Security Methods Make sure there’s high-quality source data Working environment remains secure
Password Attacks
Manually cycle through passwords until you find one that works. Can be more complex than just using a list of passwords and often involve word lists that use common passwords Brute Force in the end is simply a process that involves trying different variations until it succeeds. Offline-Linux Brute Force Attacks An offline brute-force attack on a Linux system typically targets the system's password hashes. These hashes are stored in the /etc/shadow file on Linux systems. If an attacker gains access to this file, they can attempt to crack the hashes by trying numerous password combinations until they find a match. Password Spraying Attacks A form of brute-force attack that attempts to use a single password or small set of passwords against many accounts. Basically a ‘shotgun blast’ of password attempts across different accounts. Effective if you know that a target uses a specific default password or a set of passwords. Another form of brute-force attack that uses a list of words for their attempts. Commonly available brute-force dictionaries exist, and tools like John the Ripper, a popular open source password cracking tool, have word lists (dictionaries) built in. A Rainbow Table Attack is a password cracking method that uses a special pre-computated table (a “rainbow table”) to crack the password hashes in a database. Ex: An attacker spots a web application with outdated password hashing techniques and poor overall security. The attacker steals the password hashes and, using a rainbow table, the attacker is able to decrypt the passwords of every user of the application. Birthday Attacks is an attack on cryptographic hashes, based on something called the birthday theorem. Birthday Theorem: “How many people would you need to have in a room to have a strong likelihood that two would have the same birthday (month and day, but not year)?” An attackers goal is to get a collision. A collision is when two inputs produce the same output. (Bingo!). The math works out to about 1.7 √ n to get a collision. For an MD5 hash, you might think that you need 2^128 +1 different inputs to get a collision—and for a guaranteed collision you do. That is an exceedingly large number: 3.4028236692093846346337460743177e+38 But thanks to the Birthday Theorem, There’s a 51% chance of there being a collision with a hash you only need 1.7 √ n (n being 2^128) inputs. That number is still very large: 31,359,464,925,306,237,747.2. But it is much smaller than the brute-force approach of trying every possible input. It would take a high-end PC about 8 months to crack the password with a 99% chance.
Downgrade Attack
A Downgrade Attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.
1.2 Given a scenario, analyze potential indicators to determine the type of attack.
