Malware: Malicious Software

Every malware has two components:
● A propagation mechanism
● A payload

Propagation mechanism: the way a malware object spreads. Mechanisms vary.
Payload: the malicious action that the malware performs.

Types of Malware
● Virus: takes its name from biological viruses. Spreads from system to system based on human interaction; viruses don't spread unless someone lends them a hand.
● Worm: spreads from system to system without user assistance. Once a worm has infected a system, it uses that location as a base for spreading to other parts of the LAN or the broader internet. Defend against worms by upgrading to the latest system patches.
● Trojan Horse: pretends to be legitimate software. When run, a malicious payload performs unwanted actions behind the scenes.

Four different types of malware payloads
1. Adware: displays online ads to generate revenue for the adware creator. Redirects search queries.
2. Spyware: malware that gathers information without the user's consent, for ID theft, access to financial accounts, espionage, etc.
   a. Uses many different techniques, such as keystroke loggers.
   b. Monitoring web browsing.
   c. Searching hard drives and cloud storage services for sensitive information, for example social security numbers for ID theft.
   d. Adware and spyware often come bundled with software that users want to download. Malware that fits this profile is known as Potentially Unwanted Programs (PUPs).
3. Ransomware: blocks users' use of computers or data until a ransom is paid.
   Cryptomalware takes over the computing capacity of a computer and uses that capacity to mine cryptocurrency such as bitcoin.
   Tip: Don't confuse ransomware with cryptomalware. Ransomware uses cryptography to encrypt files and demand a ransom from the user. With cryptomalware, the attacker's goal is to mine cryptocurrency.
4. Backdoors: a programmer creates a means to grant themselves or others future access to a system.
   Backdoor mechanisms include:
   ● Hardcoded accounts
   ● Default passwords
   ● Unknown access channels

Logic Bombs: malware that executes a triggered payload when certain conditions are met, such as a particular date or time, a change to certain files or documents, or the result of an API call test.

Root Account: a special user account that provides unrestricted access to system resources.
Rootkits: escalate user privileges. Rootkits deliver a variety of payloads:
● Backdoors
● Botnet agents
● Adware
● Anti-theft mechanisms for copyrighted content

Fileless viruses: seek to avoid detection by antivirus software by not writing themselves or any data to disk.
Botnets: a network of infected computers used for malicious purposes.

Scripts: a sequence of instructions written in a programming language to automate work.
● Bash is a scripting language used on Linux and Mac systems.
● PowerShell allows Windows administrators to automate routine Windows tasks.
● Macros are scripts that run within an application environment, allowing automation of tasks within that application.
● The Python programming language allows users to write code to perform any task.

Understanding Attackers
● Script kiddies: unskilled attackers who simply reuse hacking tools developed by others.
● Hacktivists: use hacking tools to advance political and social agendas.
● Criminal syndicates: use ransomware for financial gain.
● Corporate espionage
● Nation states

● White Hats: operate with permission and good intent.
● Grey Hats: operate without permission but with good intent.
● Black Hats: operate illegally with malicious intent.

Privilege Escalation Attacks: take normal users' credentials and transform them into powerful user accounts.
Shadow IT: exposes the organization to threats from the use of unapproved technology services.
Attack Vectors: provide an attack path. Examples: email (phishing messages to users), social media (to spread malware or as an influence campaign).
Zero-Day Vulnerability: a vulnerability in a product that has been discovered by a researcher but has not yet been patched by the vendor.
Window of Vulnerability: the time between the discovery of a zero-day vulnerability and the release of a security update.
Advanced Persistent Threats (APTs): well-funded, typically government-sponsored attackers. They have access to zero days and other sophisticated weapons.

Threat Intelligence
Threat intelligence is the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape and adapt its security controls based upon that information.
Open Source Intelligence (OSINT): uses public information from sources such as security websites, general news media, social media, the dark web, and file repositories.

Frameworks to help share information on security threats
1. Cyber Observable Expression (CybOX): provides a standardized schema for categorizing security observations. Helps us understand what properties we can use to describe intrusion attempts, malicious software, and other observable security events when explaining them to other people.
2. Structured Threat Information Expression (STIX): a standardized language to communicate security information between systems and organizations. STIX takes the properties of the CybOX framework and gives us a language we can use to describe those properties in a structured manner.
3. Trusted Automated Exchange of Indicator Information (TAXII): a set of services that share security information between systems and organizations. Provides a technical framework for exchanging messages written in the STIX language.
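As an added example (not from these notes or from the OASIS STIX/TAXII projects), the Python below builds the kind of STIX message a TAXII service would carry: an Indicator (a file hash pattern) linked by an "indicates" relationship to a Malware object, plus a check for the properties STIX 2.1 requires. It assumes the STIX 2.1 JSON format, in which the CybOX observables described above were folded into STIX itself; the hash value is a constructed placeholder, not a real indicator.

```python
import json
import uuid
from datetime import datetime, timezone

# Properties every STIX 2.1 object must carry, plus the type-specific ones used here.
COMMON_REQUIRED = {"type", "spec_version", "id", "created", "modified"}
TYPE_REQUIRED = {
    "indicator": {"pattern", "pattern_type", "valid_from"},
    "malware": {"is_family"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}

def _now() -> str:
    # STIX timestamps are UTC, ISO 8601, with a trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def new_object(obj_type: str, **props) -> dict:
    """Create a STIX 2.1 object with the common properties filled in."""
    ts = _now()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj

def missing_properties(obj: dict) -> set:
    """Return the required STIX properties absent from obj (empty set = OK)."""
    required = COMMON_REQUIRED | TYPE_REQUIRED.get(obj.get("type"), set())
    return {p for p in required if p not in obj}

def build_bundle(sha256: str, malware_name: str) -> dict:
    """Describe a malware sighting as a STIX bundle: indicator -> indicates -> malware."""
    malware = new_object("malware", name=malware_name, is_family=False,
                         malware_types=["ransomware"])
    indicator = new_object(
        "indicator", name=f"{malware_name} dropper hash",
        pattern=f"[file:hashes.'SHA-256' = '{sha256}']",
        pattern_type="stix", valid_from=_now())
    rel = new_object("relationship", relationship_type="indicates",
                     source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, malware, rel]}

# Constructed sample hash (not a real indicator) to exercise the builder.
SAMPLE_SHA256 = "a" * 64

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_SHA256, "ExampleLocker")
    assert all(not missing_properties(o) for o in bundle["objects"])
    print(json.dumps(bundle, indent=2))  # this JSON is what a TAXII server would serve
```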