Complex Malware Attacks

Apr 01, 2020

After completing this video, you will be able to recognize additional, more complex malware attack types like fileless viruses, command and control bots, and crypto malware.

In this lesson, we're going to step it up a bit and look at some more advanced or complex types of malware. Some of these we've already mentioned, and some of them are quite common, but we're going to group them in this category. Most malware attacks we see today are more complex. They're multi-phased: they work through a kill chain on a system in several steps. They're stealthy: they can evade different types of anti-virus systems, even the ones that use heuristics, because they can change their nature. They're polymorphic, they can encrypt certain files, and they can run in memory only. We'll be looking at those fileless viruses here.

So this is the list: rootkits; backdoors; fileless or memory-only viruses; botnets, which are the most common source of distributed denial of service attacks; crypto malware, which includes ransomware; logic bombs, which I mentioned in the previous lesson; stegomalware; polymorphic packers; multipartite viruses; and some emerging variants that you might want to stay aware of through sites like sans.org and its @RISK newsletter, or through other vendors' updates delivered by e-mail, text message or other bulletins.

A rootkit is a category of malicious software whose goal is to gain and keep administrative or root-level control over a system. Rootkits are modules placed in unauthorized areas to do things like access data, monitor actions, escalate or elevate privileges, modify programs or code, or modify the registry in Windows or configuration files in Linux, and then conduct further exploits.

The term rootkit, by the way, is a combination of root, which represents the root user on a Unix or Linux system (Administrator on a Windows system), and kit, a software toolkit. These can be difficult to detect because they are often started before the operating system is fully loaded into memory or fully booted, so they can target the BIOS or UEFI firmware, the bootloader and system files. They can install hidden files and hidden processes, run beneath the surface of the system, and even install hidden user accounts. And because rootkits can be installed in firmware, they have the ability to intercept data from network connections, keyboard input and output, and other peripherals.

Next, we have backdoors. You can see in the diagram here: you get access through a backdoor, create a session and then compromise the machine. Backdoors are considered Trojan programs, and they are most often masqueraded as some real program like a game, a device driver or a patch. That's one reason it's so important to digitally sign all of your code, so that a tampered installer fails verification. A backdoor is closely related to botnets, because a backdoored host is typically enrolled as one more bot and used to attack other systems.

Typically, it generates a covert channel back to a command and control server, a C2 server, or to another member of a botnet. Once the machine is compromised, the remote attacker can control the system. These are also becoming more common on mobile devices. Some backdoor capabilities include collecting system and personal data from the host and even from attached storage devices like FireWire drives, and performing denial of service attacks on other systems.

That's part of a distributed denial of service attack and a botnet. They can run and terminate tasks and processes, typically in the background without the user's knowledge. They can connect to other servers or other members of the botnet and download additional files for a multi-phased attack.

Often those files are encrypted and are decrypted by the backdoor code itself. They can upload files and other content. They have the ability to audit the system's status and gather information, and the information gathered can be used to elevate or escalate privileges, or as part of the kill chain of a more advanced persistent threat coming later. They can open remote command-line shells on Windows and Linux systems, modify computer settings like the registry or configuration files, and even shut down or restart systems.

One of the emerging types of viruses are viruses that run only resident in memory. These are called fileless viruses. They operate in memory without being stored in a file or installed directly on the machine. Fileless or memory-only viruses go directly into memory addresses in RAM, and the malicious content never reaches the hard drive. This is an evolutionary strain of malicious software, and it is one of the key categories that anti-virus and anti-malware vendors are dealing with right now.

That's why they're using more advanced systems like machine learning and AI to discover these fileless viruses. They tend to target high-value systems like banks and brokerage firms, telecommunications companies and government agencies. A couple of early, DOS-era examples of memory-resident viruses would be Frodo and Dark Avenger. We've mentioned bots and botnets quite a few times already, but let's officially learn what they are.

Botnets are the most common source of distributed denial of service attacks today. The robot network, or botnet, consists of zombie computers, ones that have been infected, and a master command and control (C&C or C2) server used to remotely control the victims. Many victims are unaware that they're actually part of a botnet or have been infected with the bot malware.

The communication historically occurred over Internet Relay Chat (IRC), but more often now we see malware create encrypted channels for covert activity with other bots on the network, use bot-centric peer-to-peer networks, and even use social media like Twitter as a channel for botnet commands.

Bots can exfiltrate trade data, and they can do keystroke logging. They can scan your memory for intellectual property or personally identifiable information for identity theft. They can even force a system to participate in mining cryptocurrency, and more. A botnet typically operates this way. The botnet operator infects computers by delivering the malicious bot malware. Again, that can be a Trojan, drive-by malware from a web site, or a phishing attack; there are lots of different attack vectors.

The malicious bot is self-propagating malware like a worm: it infects hosts and then connects back to the command and control server, much like a remote access Trojan. In addition to its worm-like ability to self-propagate, it can also log keystrokes and do the other things we just mentioned. Once the bot infects the host, it connects back to the C2 server and waits for commands. Once the command and control server has that channel, maybe over IRC or through a web site, it sends instructions to each bot in the botnet to execute actions.
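That check-in behaviour is also what gives a bot away on the network: a bot that sleeps and then connects back to the same C2 address produces connections at a much more regular interval than any person browsing. The script below is an added example, not part of the lesson. It parses constructed connection-log lines (the one-line "timestamp source destination:port" layout is an assumption for this example, not any vendor's format), groups them per source and destination, and flags pairs whose inter-connection gaps have very little variation.

```python
"""Added example (not from the lesson): flag hosts whose outbound connections to one
destination recur at a near-constant interval, the pattern of a bot checking in
with its C2 server. The log lines are constructed for this example; the field
layout (timestamp src dst:port) is an assumption, not a real product's format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons to 203.0.113.7 every 60 s; the other
# flows are irregular, human-looking traffic to 198.51.100.20.
SAMPLE_LOG = """\
2020-04-01T10:00:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:00:03 10.0.0.5 198.51.100.20:443
2020-04-01T10:01:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:01:41 10.0.0.9 198.51.100.20:443
2020-04-01T10:02:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:02:17 10.0.0.5 198.51.100.20:443
2020-04-01T10:03:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:03:55 10.0.0.9 198.51.100.20:443
2020-04-01T10:04:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:04:02 10.0.0.9 198.51.100.20:443
2020-04-01T10:05:00 10.0.0.5 203.0.113.7:443
2020-04-01T10:07:30 10.0.0.9 198.51.100.20:443
2020-04-01T10:09:10 10.0.0.9 198.51.100.20:443
"""


def parse(log_text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(log_text, min_connections=5, max_jitter=0.15):
    """Return {(src, dst): (mean_gap_seconds, jitter)} for periodic flows.

    jitter is the standard deviation of the gaps divided by their mean: a
    sleep(60) loop in a bot gives a value near 0, a person browsing gives a
    large one. Pairs with too few connections to judge are skipped."""
    beacons = {}
    for pair, times in parse(log_text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: connects every {gap}s (jitter {jitter})")
```

Real bots often add random sleep to blur this pattern, so in practice the jitter threshold is tuned per environment and combined with other signals (destination reputation, request size, off-hours activity) rather than used alone.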

When the infected hosts, known as zombies, receive the instructions, they begin their nefarious activities: for example, exfiltrating data and sending it back to the C2 server, where it can be sold on the dark web.

We've already talked about crypto malware, because ransomware is a common form of it. Technically, it's an advanced and evolving form of ransomware that encrypts a user's files and demands a ransom.

Sophisticated crypto malware uses strong encryption so that the files can't be decrypted without a unique key held by the attacker. What we're looking at here is a CryptoLocker infection chain. [Video description begins] On the screen there is a linear diagram of the steps that a crypto malware follows to encrypt a user's files. [Video description ends]

The user receives spam with a malicious attachment, or it arrives as part of a phishing, spear-phishing, whaling or watering hole attack. The malicious attachment, typically a downloader component, retrieves another variant. In this example, the ZBOT variant exhibits several routines, including downloading a CRILOCK variant. The CRILOCK variant encrypts the files to force users to purchase the private key needed to decrypt them.
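One property of that last step is useful for detection: a properly encrypted file is indistinguishable from random bytes, so its Shannon entropy sits close to the 8 bits per byte maximum, while documents, text and most executables sit well below. The script below is an added example, not from the lesson or from any vendor. It scores constructed in-memory files (a memo, a PNG-like image, and a memo replaced by random bytes standing in for ciphertext) and flags high-entropy files that are not a known compressed format; the threshold of 7.5 bits and the magic-byte list are this example's own choices.

```python
"""Added example (not from the lesson): spot files that have been replaced by
ciphertext. Encrypted data has Shannon entropy near 8 bits per byte; text,
office documents and executables are well below that. The sample files are
constructed in memory so the script runs offline."""
import math
import os
from collections import Counter

# Formats that are legitimately dense because they are already compressed, so a
# high entropy reading on them is not evidence of encryption.
COMPRESSED_MAGIC = {
    b"\x50\x4b\x03\x04": "zip/docx/xlsx",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_compressed(data: bytes) -> bool:
    """True when the file starts with the magic bytes of a compressed format."""
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)


def classify(data: bytes, threshold: float = 7.5) -> str:
    """'suspect' when the content is high-entropy and not a known compressed
    format, which is what a document looks like after ransomware encrypts it."""
    if shannon_entropy(data) >= threshold and not looks_compressed(data):
        return "suspect"
    return "normal"


def scan(files: dict) -> dict:
    """Map file name -> verdict for a {name: bytes} collection."""
    return {name: classify(data) for name, data in files.items()}


# Constructed samples. os.urandom is not a cipher; it stands in for ciphertext,
# which has the same statistical profile.
SAMPLE_FILES = {
    "budget.txt": b"Q1 budget: travel 12000, training 8000, software 15000\n" * 20,
    "logo.png": b"\x89PNG\r\n\x1a\n" + os.urandom(2000),
    "budget.txt.locked": os.urandom(2048),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        h = shannon_entropy(SAMPLE_FILES[name])
        print(f"{name:20} entropy={h:.2f} {verdict}")
```

Entropy alone produces false positives on archives, media and already-encrypted containers, so the magic-byte exemption matters, and a real detector pairs this check with write-rate and mass-rename telemetry from the endpoint.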

What makes sophisticated crypto malware different from run-of-the-mill ransomware is its use of polymorphic variants that change their form and behavior during the lifecycle of the kill chain.

A logic bomb triggers the exploit or malware when a certain event occurs.

For example, when a mouse moves, when a file is accessed or when a program is run. A logic bomb could detonate at a certain date or timestamp, when a particular program is executed, or after the code has run a certain number of times. A logic bomb can wait to go off during a major event like the World Cup or the Super Bowl, or on a holiday. Even if you identify the logic bomb after it detonates, it's often too late to salvage the corrupted data or undo the damage done.

So it's a good idea to keep good backups of all your valuable data and to maintain updated anti-virus and anti-malware protection, not just on the endpoints but across your network enterprise. Stegomalware is based on steganography. Steganography can be broadly defined as anything a cracker does to hide data in an unexpected channel. Even though it can involve an encryption key, it's technically not encrypting the data; it's hiding it inside other files. So, for example, a JPEG picture of a dog playing with bubbles might actually contain destructive malware.
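To make that concrete, here is the simplest steganographic technique, least-significant-bit embedding, as an added example rather than anything from the lesson or from the tools it names. The "image" is a constructed raw RGB byte buffer so no image library is needed; a 4-byte length header and a harmless text payload are this example's own conventions. Each cover byte changes by at most one unit, which is why the picture still looks like the picture.

```python
"""Added example (not from the lesson): hide bytes in the least-significant bit
of image samples and recover them. The cover is a constructed raw RGB buffer
(one byte per channel) standing in for a decoded image; the length header and
payload are this example's own."""

HEADER_BYTES = 4  # big-endian payload length stored before the payload


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes with length + payload bits."""
    message = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(_bits(message)):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reverse of embed: read the length header, then that many payload bytes."""

    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, HEADER_BYTES), "big")
    return read_bytes(HEADER_BYTES * 8, length)


def max_channel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 RGB cover: a smooth gradient, the kind of region where a
# one-unit change per channel is invisible to the eye.
WIDTH = HEIGHT = 64
COVER = bytes((x + y) // 2 for y in range(HEIGHT) for x in range(WIDTH) for _ in range(3))

if __name__ == "__main__":
    secret = b"config: c2=example.invalid; sleep=60"  # harmless placeholder text
    stego = embed(COVER, secret)
    print("recovered:", extract(stego))
    print("largest change to any channel:", max_channel_change(COVER, stego))
```

Because the payload is merely hidden and not encrypted, anyone who knows the layout can pull it out, which is exactly what a scanner that understands the common embedding schemes does; real stego tools add a passphrase-derived permutation or encryption on top, which is why the same tool and passphrase are needed to reverse the process.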

Recently, a dangerous banking remote access Trojan hid its settings in the icon file of a web site. That's an example of stegomalware. And many stegomalware hosting sites are buried deep in the Tor (The Onion Router) network. Common tools are Steghide, rSteg and Crypture. Keep in mind, if you use a tool like Steghide to hide the files and create the stego object, you need to use the same tool, with the same passphrase, to reverse the process. Polymorphic packers are the tools that let a malware variant change its form from one build to the next and unpack itself in stages.

For example, a sample can stay compressed and encrypted on disk, perhaps tucked into an archive deep in the file system, and only unpack itself into RAM once a trigger event occurs. Polymorphism is used in email attacks and drive-by exploits. It's also used in advanced persistent threats once the cracker has a foothold through a remote access Trojan or a rootkit. A polymorphic packer bundles one or more pieces of malware into a single compressed and encrypted package with a small unpacking stub; because the packing key and stub change with every build, each copy has a different signature even though it carries the same payload. The package can be loaded into an email attachment or served as drive-by malware from a web site.
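The effect on signature-based detection is easy to demonstrate. The script below is an added example, not the lesson's material and not any real packer: it compresses a payload, encrypts it under a fresh random key on every build, and prepends a header that the "stub" reads to unpack it in memory. Keyed XOR stands in for a real packer's cipher, and the header layout and marker bytes are inventions of this example. The five builds produce five different hashes, while the unpacked payload hashes to a single value.

```python
"""Added example (not from the lesson): a toy polymorphic packer. Every build
compresses the same payload, encrypts it with a random key and prepends a small
header for the unpacker. Keyed XOR stands in for a real packer's cipher; the
header format and MAGIC marker are this example's own."""
import hashlib
import os
import zlib

KEY_LEN = 16
MAGIC = b"PKX1"  # constructed marker for this example, not a real packer's


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes) -> bytes:
    """Compress, encrypt under a fresh per-build key, emit header + body.

    Header layout: MAGIC | key | 4-byte big-endian body length."""
    key = os.urandom(KEY_LEN)
    body = _xor(zlib.compress(payload), key)
    return MAGIC + key + len(body).to_bytes(4, "big") + body


def unpack(blob: bytes) -> bytes:
    """The 'stub': recover the plaintext payload in memory at run time."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed blob")
    off = len(MAGIC)
    key = blob[off:off + KEY_LEN]
    off += KEY_LEN
    n = int.from_bytes(blob[off:off + 4], "big")
    off += 4
    return zlib.decompress(_xor(blob[off:off + n], key))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_samples(payload: bytes, count: int) -> list:
    """Run the packer count times on one payload, as a malware author would
    when generating a new sample per campaign or per victim."""
    return [pack(payload) for _ in range(count)]


def distinct_static_hashes(samples) -> int:
    """What a hash blocklist sees: a different entry for every sample."""
    return len({sha256(s) for s in samples})


def distinct_unpacked_hashes(samples) -> int:
    """What a scanner that unpacks first, or a memory scan at run time, sees."""
    return len({sha256(unpack(s)) for s in samples})


# Constructed stand-in for a malicious payload; plain text so nothing runs.
PAYLOAD = b"echo 'demo payload: same code, new wrapper every build'\n" * 8

if __name__ == "__main__":
    samples = build_samples(PAYLOAD, 5)
    print("distinct hashes of packed samples:", distinct_static_hashes(samples))
    print("distinct hashes after unpacking:", distinct_unpacked_hashes(samples))
```

Note that the key travels inside the sample, as it must for the stub to run; that is why emulating or breakpointing the unpacker and hashing or scanning what lands in memory defeats the packer, whereas hashing the file on disk does not.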

Finally, we have multipartite viruses, also known as multipart viruses or multipart malware. A multipartite virus is a combination of a file infector and a boot or system infector. A file infector virus attacks executable files with the .exe and .com extensions, so when you execute an infected file, the virus attaches itself to other program files. A boot sector or system infector plants itself in the system's boot sector and infects the master boot record, and is activated when you boot the system. So multipartite means simultaneously attacking the boot sector and executable files, or other areas of the system or application.
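Because the master boot record has a fixed, well-documented layout (446 bytes of bootstrap code, four 16-byte partition entries, and the 0x55AA signature in the last two bytes of the 512-byte sector), a boot-sector infection is something you can check for directly. The script below is an added example, not part of the lesson: it parses the partition table, verifies the signature, and compares the bootstrap code against a known-good hash, which is the check a boot-record integrity tool performs. The sector bytes, the baseline hash and the simulated infection are all constructed for this example.

```python
"""Added example (not from the lesson): parse a 512-byte master boot record and
check it for the tampering a boot-sector infector performs. The layout used is
the standard MBR layout; the sector contents and the baseline hash are
constructed for this example."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xAA"


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts; unused slots have type 0."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area, recorded while the system is clean."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_boot_hash: str) -> list:
    """Findings an integrity check would raise; an empty list means clean."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != known_good_boot_hash:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append("partition claims to start at LBA 0 (overlaps the MBR)")
    return findings


def build_clean_mbr() -> bytes:
    """Constructed sector: a do-nothing bootstrap (cli; hlt; nops) and one
    bootable partition of type 0x07 starting at LBA 2048."""
    boot = bytes([0xFA, 0xF4]) + b"\x90" * (BOOT_CODE_LEN - 2)
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    return boot + part1 + b"\x00" * 48 + SIGNATURE


def infect_boot_code(mbr: bytes) -> bytes:
    """Constructed tampering: overwrite the first bootstrap bytes, as an MBR
    infector does so its code runs first, while leaving the partition table
    and signature intact. 'jmp $' stands in for the infector's own code."""
    return b"\xEB\xFE" + mbr[2:]


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = boot_code_hash(clean)
    print("clean sector:", check_mbr(clean, baseline) or "no findings")
    print("infected sector:", check_mbr(infect_boot_code(clean), baseline))
```

On a live system the sector would be read from the raw disk device with administrative rights, and the baseline hash should be stored off the host, since a rootkit that controls the running kernel can also lie about what the disk contains.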