ethical.blue Magazine

// Cybersecurity clarified.

Learn About Over 20 Types of Malware

2022-01-03   Dawid Farbaniec
In today's connected world, malicious programs are far more dangerous than classic computer viruses. These evil apps can steal data, blackmail users and even control infected machines remotely.
Virus Definition (Microbiology)

A virus in the sense of microbiology is the smallest of all microbes. It is a very interesting phenomenon because it can only live when attached to another living cell. The most characteristic feature of viruses is their replication: they attach to the cells of living organisms and replicate. Living organisms infected with viruses are called hosts. A virus is made up of genetic material (DNA or RNA) surrounded by a protective shell.



Definition of Computer Virus

Although the subject of computer viruses is somewhat shrouded in mystery, there is no magic to it. The term computer virus is certainly loaded with negative emotions. It happens that computer viruses are credited with virtually everything from stealing funds from internet wallets to deleting files and even damaging hardware. In fact, a traditional computer virus, just like a virus in biology, exists to replicate itself. On the other hand, computer programs that destroy data, steal, blackmail or spy on us should be referred to as malware.

A traditional computer virus requires a host "organism" to replicate. Other programs serve as that host. A computer virus is code written by a programmer, which usually consists of a mechanism that searches for objects to infect (files) and a payload.

A sample scenario might look like this: we have run a program that is a computer virus. The application attached its code to files found on the disk. An unaware user copies the infected files, for example to a USB flash drive, or sends them to other unaware people. Subsequent users then run the infected programs, which spreads the virus code even further. Let us return to the concept of payload. The virus can carry code (a payload) that is launched after a certain condition is met, for example playing a tune from the speakers at a given time, or something more malicious, such as deleting user files.

How Does Antivirus Software Work?

The task of antivirus software is to detect threats and prevent the computer from being infected by viruses or malicious applications. In order to identify a threat, the antivirus program must hold the characteristics of malicious applications. The antivirus can trigger an alarm if, for example, it finds a piece of code in a program that is similar to the code of a known computer virus. There are also heuristic analysis techniques designed to recognize unknown threats. For this purpose, the antivirus program can, for example, perform a simulation that shows what changes the program would make to the system and, on this basis, mark the program as malicious or not. Some may have encountered false positives from antivirus software: a false detection of malware in a legitimate program.
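As an added illustration (not code from the article), here is a toy scanner showing the three detection paths the paragraph mentions: an exact hash match, a byte signature shared by a family, and a static heuristic for unknown samples. It also shows the false positive that the heuristic produces on a legitimate debugger. All samples, byte patterns and family names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Verdict:
    detection: str   # family name, or "" when clean
    method: str      # "hash", "signature", "heuristic" or "clean"


# Constructed signature database for this example; real products hold
# millions of entries, and these family names are hypothetical.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"known-bad-sample-body" * 4
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Trojan.Example.A",
}
BYTE_SIGNATURES = {
    # a byte sequence that one (constructed) malware family reuses across builds
    "Trojan.Example.A": b"PAYLOAD:\x00wipe",
}
# Heuristic: names of process-injection APIs. A file that references all three
# is suspicious, but debuggers and some installers legitimately need them too,
# which is exactly where false positives come from.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
HEURISTIC_THRESHOLD = 3


def scan(data: bytes) -> Verdict:
    """Return the first verdict: exact hash, then byte signature, then heuristic."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return Verdict(HASH_SIGNATURES[digest], "hash")
    for family, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return Verdict(family, "signature")
    score = sum(1 for api in INJECTION_APIS if api in data)
    if score >= HEURISTIC_THRESHOLD:
        return Verdict("Heur.Injector.Generic", "heuristic")
    return Verdict("", "clean")


# Constructed samples exercising each path, including the false positive.
VARIANT = b"MZ\x90\x00" + b"repacked body " + b"PAYLOAD:\x00wipe" + b"\x00" * 8
UNKNOWN_INJECTOR = b"MZ\x90\x00" + b"\x00".join(INJECTION_APIS)
LEGIT_DEBUGGER = b"MZ\x90\x00MyDebugger 1.0 " + b" ".join(INJECTION_APIS)
CLEAN_FILE = b"MZ\x90\x00hello world"

if __name__ == "__main__":
    for name, blob in [("known sample", KNOWN_BAD_SAMPLE), ("variant", VARIANT),
                       ("unknown injector", UNKNOWN_INJECTOR),
                       ("legit debugger", LEGIT_DEBUGGER), ("clean file", CLEAN_FILE)]:
        v = scan(blob)
        print(f"{name:17s} -> {v.method:9s} {v.detection}")
```

Note that appending a single byte to the known sample defeats the hash entry, which is why signatures and heuristics exist at all.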

Funny Jokes and Cyber-Crime

Many young people are fascinated by computer viruses. In my school years, my friends and I liked to test various hacking programs, such as virus generators or remote control tools. There was no intent to destroy anything or to make money illegally. We were just happy when a colleague could control my computer, which we had infected for testing purposes. Unfortunately, not everyone stays ethical. Many crimes are committed by people associated with computer viruses and malware.

Adware

Adware means advertising-supported software. This type of software contains ads, but often these ads are not subtle. Applications of this kind can often be categorized as PUA (Potentially Unwanted Application). Sometimes adware is combined with spyware to log user activities.


Adware shows disturbing ads and can also run malicious code

Backdoor

The attacker may leave a hidden entrance in the system, which will allow him to access the compromised system or application in the future. A backdoor can also be left by the author of the program, for example to spy on users.


A backdoor program gives the attacker remote access to the infected machine

Botnet

The term botnet can most simply be defined as a network of computers infected with malware that allows an evil hacker (there are good, ethical hackers too) to control the compromised machines. It is worth noting that if someone infects several computers, that is not yet a botnet. A small botnet begins when several hundred to several thousand machines are infected. History shows that zombie computer armies have grown to millions of bots; for example, the Bredolab botnet compromised around 30 million machines. From this it can be concluded that the intentions of an evil hacker differ when a Remote Access Trojan is used against a few computers and when a mass infection is carried out. If an evil hacker controls only a few machines, he can afford to browse files manually or perform other individual actions. The harmful effects change, however, when it comes to tens of thousands of machines or more. It is then possible to efficiently execute a distributed denial of service attack, for example causing a specific website to become unavailable. A sales platform is the easiest example to imagine: turning the site off equals stopping sales, which means no profit.


Centralized botnet structure

Crypter (Evader)

Crypters (or cryptors) are tools for evading detection by antivirus software. On black markets for non-ethical hackers, programs or services can be found which try to make the life of malware analysts harder. Programs of this type, once detected by the antivirus, require an immediate update. One thing is sure about crypters: they introduce at least a small delay in analysis.


Executable file crypters are used for malicious purposes

Cryptojacking (Miner)

Cryptocurrency is, in simple words, virtual money. Along with the growing popularity of cryptocurrency, malware has appeared whose purpose is to use the computing power of an infected machine to mine cryptocurrency. These malicious miners can appear as executable files or even as scripts on infected websites.


Malicious cryptocurrency miner

Downloader

The label downloader is attached to malicious software which fetches additional modules or payloads from the Internet. These applications are often used when the attacker needs, for example, a small executable file; the large malicious modules are downloaded later.


Downloader obtains malicious modules from the Internet

Dropper (Loader)

Imagine a dropper as a delivery man who carries a payload. After executing the dropper, malicious modules are installed in the system. Carried payloads are often encrypted or obfuscated to evade detection by antivirus software.

Two main types of droppers can be distinguished:
  • One stage – carries and executes the payload
  • Two stage – downloads the payload and then executes it


Dropper carries and executes payload

Exploit

Exploits are programs which break system or application security through a programming bug. There are many types of bugs made by programmers. Some allow execution of malicious code, others simply crash the vulnerable application. Attackers build exploit kits to target more vulnerabilities at once. For security, it is very important to install software and system updates promptly. It is worth noting the term zero day: a zero day is a vulnerability for which the software author has not yet created a fix (patch).

Exploits are powerful attack tools which can target operating systems, web browsers, document readers, etc. Machines can get infected, for example, by opening a malicious link in a web browser or opening a malicious document. So not only executable (*.exe) files are affected.


Example infection using exploit kit

Fileless Malware

Fileless malware can execute malicious code without touching the hard drive, which lets it evade security software. All malicious code execution is performed in operating memory. How is this achieved? Often by using legitimate programs, for example PowerShell. PowerShell in Windows operating systems was designed to help administrators with their tasks through scripting. For typical antivirus software it is less suspicious when the legitimate PowerShell (built into the system) is run than when an executable dropped on the hard disk is run.


Example fileless malware infection

Form Grabber

The method called form grabbing is used to get login credentials and other sensitive data from online forms. Collecting data by web code injection allows stealing form values before they are encrypted (HTTPS) and sent to the server.


Example of form grabbing

Hoax

Hoaxes are fake messages about new dangerous viruses or other emotionally charged situations. Hoaxes can be about politics, penalties, serious diseases, etc.


Fake message from hoax program

Computer Joke

Computer jokes are connected with the VX scene and computer science lessons in schools. Some jokes are harmless and really funny. Others can be destructive or very irritating.


Example of computer joke program

Keylogger

Programs called keyloggers are used for spying. There are software keyloggers (programs) and hardware keyloggers (devices). The basic functionality of these applications is to log keystrokes and create reports. This way the attacker can get the victim's private conversations, passwords and everything typed on the computer keyboard. Advanced keyloggers take screenshots, record audio, record the webcam, monitor the system clipboard, etc. What about hardware keyloggers? A hardware keylogger can be installed as an adapter between the keyboard and the computer, or even built into the keyboard itself!


Example hardware keylogger

Logic Bomb

Logic bombs can be imagined as triggers. The program has a condition and when it is met, the payload is executed. These triggers can be based on the system date and time, a specific key press, the existence of a specific file, etc.

Example logic bombs:
  • If operating system language is English, then play the defined tune.
  • If there are computer virus analysis tools on the system, then do not execute the malicious code.
  • If there is no internet connection, then do not send the message.
  • If the user has opened the antivirus software website, then close the browser process.

Conclusion: Logic bombs can be misleading and dangerous.


Example logic bomb based on system date

Potentially Unwanted Application (PUA)

Programs classified as PUA can install advertising software (adware) or even spying software (spyware). These applications can track visited websites, show disturbing advertisements and download other junk.


Unwanted applications during installation

Ransomware, Scareware, Doxware

A classic ransomware program locks important user files and forces the user to pay a ransom. Scareware tries to scare the user. Doxware threatens the user with publishing private data, for example photos. When ransomware uses symmetric encryption, the same key is used for encryption and decryption, so that key has to be present on the infected machine. Ransomware programs evolved to use asymmetric encryption, where the public key is used for encryption and the private key, held by the attacker, for decryption.


Example ransomware program

Remote Access Trojan

Tools called Remote Access Trojans, RATs for short, are a kind of backdoor, but more powerful and advanced.

Functionality of typical Remote Access Trojans:
  • Managing files, processes, editing the system registry
  • Screen preview, screenshots
  • Logging pressed keys (so-called keylogger)
  • Remote desktop (e.g. VNC)
  • Remote command execution (Command Prompt)
  • Upload and run any file (Upload & Execute)
  • Recovering passwords from popular programs
  • ... and others dependent on the developer ideas.


Example Remote Access Trojan attacker panel

Rootkit

Tools labeled rootkits are stealth mechanisms for malicious code. These programs can hide processes, files, registry entries and other objects in the infected system. There are user mode and kernel mode rootkits; kernel mode modules are more dangerous and more difficult to detect. Note that the Windows operating system architecture uses privilege levels called rings. Typical programs run in ring 3 (user mode). Device drivers run in ring 0 (kernel mode). Code in kernel mode is more privileged. Falsifying the results of system functions in kernel mode causes user mode programs to receive false results; for example, the task manager will not show all running processes.


Rootkits are stealth mechanisms

Spyware

Spyware applications are software that spies on the computer user. These programs can collect information about visited websites, collect information on what the user is interested in, and even steal confidential data such as e-mail addresses, passwords or bank credentials.


Example spyware programs

Stealer

We live in a digital world, and the more sensitive the data, the more valuable it is. Programs called information stealers get sensitive data from the infected computer and transfer it to the attacker. A typical browser stealer can simply dump passwords from the web browser and send this data to the attacker via various media like e-mail, a web panel, FTP, etc.


Example stealer programs

Worm

A traditional computer virus uses files (other programs) as a medium to replicate itself. An Internet worm, on the other hand, uses the network for replication and infection. It can scan devices for various vulnerabilities or try default passwords, hoping that the user has a weak password on the service.


Example network worm infection

Hack Tools

During my school years, I had an antivirus that saved me from committing a cyber-crime!

Yes, antivirus software can detect hacking tools as malicious programs. Even when running a hacking tool does not infect the local system, the antivirus program marks the hacking tool as harmful. Hack tools are also called riskware. In my opinion these warnings are a good idea.

Example hack tools:
  • Password dumpers,
  • Key generators,
  • Product key changers,
  • Cracks for commercial software,
  • Malware generators and panels etc.


Example hack tool (key generator)

Sample Infection Scenarios

This chapter presents sample infection scenarios that may well have occurred. Familiarizing ourselves with them will help us avoid these dangerous situations.

game_hack.exe

David is very fond of computer games. His friend Dominic persuaded him to look for a hacking program that would give him free extra points in a computer game.

On the website of an anonymous hacker, they found a program that allows cheating in computer games. The file game_hack.exe was executed on David's computer. The program did not respond. David thought the application was broken. He deleted the file and forgot about it.

After a few days, he wanted to open his e-mail inbox to check for new messages. The password he typed, which he was sure was correct, was not working.

What happened to David's computer?
Non-ethical hackers often backdoor their own hacking tools. This causes novice hackers to get infected. Sometimes the hacking program comes with instructions to turn off the antivirus, which makes the compromise easier.

Conclusion
Not every malicious program will be identified by antivirus software. Do not trust files downloaded from the Internet. When learning ethical hacking, use open source tools or execute suspicious programs in an isolated environment (virtual machine).

Not a Typical E-Mail

Eva is a nurse and a happy mother and wife. She is not an IT specialist. One day, she received an e-mail saying that she needed to change her Internet wallet password for security reasons. The e-mail contained a link through which the password could be changed. The entire password change procedure seemed correct. However, the next day her Internet wallet had been cleaned out of money.

What happened to Eva's computer?
The e-mail was phishing. The link led to a fake website which grabbed Eva's login and password. Additionally, Eva's account did not have two-factor authentication enabled.

Conclusion
Whenever possible, we should enable two-factor authentication. Then, when we try to log in, we will receive a special code through another medium, which protects against unauthorized login.

Malvertising

Dominic has just returned from school. He turned on the computer to play a computer game. However, all the games he had installed were boring to him. He started downloading a great car racing game. After a successful download, the game did not run: there was an anti-piracy protection. Dominic started looking for a crack (an illegal patch). After opening a site with cracks, a message was displayed on the computer screen. His files had been encrypted (locked). There was a message that he must pay a ransom to get his data back. He thought: How? I did not download any malicious program!

What happened to Dominic's computer?
There was an exploit on the illegal website which executed malicious code. This way his computer was infected.

Conclusion
Website advertisements which contain malicious scripts can infect our machines. These malicious ad campaigns are called malvertising.

Pendrive

John was an office worker. It was a day like any other. He came to the office, left his coat in the cloakroom and went to the kitchen to make a coffee.

The coffee is brewing.

John looks around and notices a flash drive on the floor. Probably one of the employees has lost it.
The coffee was already brewed.

John went to his office and plugged in the flash drive to check the data.

A few weeks later, customer data leaked from the corporate server.

What happened to John's computer?
John broke the security regulations and connected an unknown flash drive to a corporate computer. The flash drive had been intentionally dropped there to infect the corporate network.

Conclusion
Unknown devices can break our system security or spy on us.

Summary

These are only sample scenarios. Attackers can be very inventive. Professional attacks are surprising and well planned.

Do not get VXed 🦠 and stay secure! 🛡️

Bibliography

https://microbiologysociety.org/why-microbiology-matters/what-is-microbiology/viruses.html [access: 2022-01-03]
https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html [access: 2022-01-03]
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross, 2007 — Botnets: The Killer Web App, ISBN: 9781597491358
Robert Slade, Urs Gattiker, David Harley, 2002 — Viruses Revealed, ISBN: 9780072228182