Skip to content

07.md

Latest commit

 

History

History
218 lines (215 loc) · 7.8 KB

07.md

File metadata and controls

218 lines (215 loc) · 7.8 KB

module 7 - malware threats

concepts

  • major types of malware (worms, rootkits, spyware, trojan, virus, ransomware, keyloggers)
  • way to enter a system
  • malware distribution techniques
    • Social Engineered Click-jacking - Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user
    • Malvertising - involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting users
    • Black hat Search Engine Optimization (SEO) - unethical SEO uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages
    • Compromised Legitimate Websites - Often, attackers use compromised websites to infect systems with malware
  • components of malware
    • crypter
    • downloader
    • dropper
    • exploit
    • injector
    • obfuscator
    • packer
    • payload
    • malicious code
  • APT (Advanced Persistent Threat)
    • lifecycle
      1. preparation
      2. initial intrusion
      3. expansion
      4. persistence
      5. search and exfiltration
      6. cleanup
  • trojans:
    • major trojans port numbers (exam)
    • types
      1. RAT - Remote Access Trojans (njRat)
      2. Backdoor Trojans (PoisonIvy)
      3. Botnet Trojans (Necurs)
      4. Rootkit Trojans (EquationDrug Rootkit)
      5. E-Banking Trojans (Dreambot)
        • TAN grabber
        • HTML injection
        • Form grabber
        • covert credential grabber
      6. POS - Point-of-Sale Trojans (GlitchPOS)
      7. Defacement Trojans (Restorator)
      8. Service Protocol Trojans (HTTP RAT)
        • VNC
        • HTTP/HTTPS
        • SHTTPD
        • ICMP
      9. Mobile Trojans (BasBanke)
      10. IoT Trojans: Mirai - it works as botnet infecting IoT devices with default credentials (port 48101)
      11. Security Software Disabler Trojans (CertLock, GhostHook, Trojan.Disabler)
      12. Destructive Trojans
      13. DDoS Attack Trojans
      14. Command Shell Trojans
    • how to build a trojan
      • Trojan horse construction kits
      • DarkHorse Trojan Virus Maker
      • bitcrypter
    • signature base detection
    • bind vs reverse connection
    • cover channels
  • exploit kits
    • RIG exploit tool
  • viruses
    • infection phase
      • method of infection
      • method of spreading
        • infected files
        • file-sharing services
        • DVDs and other storage media
        • malicious attachments and downloads
    • attack phase
    • how does a Computer Get Infected
      • downloads
      • email attachments
      • pirated software
      • failing to install security software
      • updating software
      • browser
      • firewall
      • pop-ups
      • removable media
      • network access
      • backup and restore
      • malicious online ads
    • types
      • system or boot sector
      • file
      • multipartite
      • macro
      • cluster
      • stealth/tunneling
      • encryption
      • sparse infector
      • polymorphic
      • metamorphic
      • overwriting file or cavity
      • companion or camufage
      • shell
      • file extension
      • FAT
      • logic bomb - is a malicious program that has been inserted into the victims’ computer network, operating system, or software application. Unlike other malware attacks, logic bombs can remain dormant in a victims’ computer unless the programmed condition that will trigger it is met.
      • web scripting
      • email
      • armored
      • add-on
      • intrusive
      • direct action or transient
      • terminate and stay residient (TSR)
    • ransomware - is a form of malware that restricts the user from accessing their infected computer system or files and then asks for a ransom payment to regain user access. The main goal of a ransomware attack is to extort money from its victims. It restricts the user from using the system
      • examples
        • Dharma
        • eCh0raix
        • SamSam
    • infect a system
      • creating virus
        • using virus maker tools (DELmE’s Batch Virus Maker, JPS Virus Maker)
      • propagating and deploying virus
        • virus hoaxes
        • fake antivirus
  • computer worms (subtype of viruses)
    • makers
      • Internet Worm Maker Thing
  • fileless malware (also called non-malware) - type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove
    • reasons:
      • stealth
      • LOL (Living-off-the-hand)
      • trustworthy
    • techniques:
      • phising emails
      • legitimate applications
      • native applications
      • infection through lateral movement
      • malicious websites
      • registry manipulation
      • memory code injection
      • script-based injection
    • taxonomy
      • type 1 (No file activity performed)
      • type 2 (Indirect file activity)
      • type 3 (Required files to operate)
    • classification
      • exploits
      • hardware
      • execution and injection
    • fileless malware
      • divergent
    • obfuscation techniques to bypass antivirus
      • inserting characters
      • inserting parentheses
      • inserting caret symbol
      • inserting double quotes
      • using custom environment variables
      • using pre-assignment environment variables
  • malware analysis
    • sheep dip computer
    • types:
      • static
        • file fingerprinting
          • HashMyFiles
          • mimikatz
        • local and online malware scanning
          • virustotal
        • performing string search
          • bintext
        • Identifying Packing/Obfuscation Methods
          • PEiD
        • finding the portable executable (PE) information
        • identifying file dependencies
          • dependency walker
        • malware disassembly
          • IDA
      • dynamic
        • system baselining
        • host integrity monitor
        • port monitoring (netstat, TCPview)
        • process monitoring (Process monitor)
        • registry monitoring (jv16 PowerTools)
        • windows service monitoring (SrvMan)
        • startup program monitoring
        • event log monitoring/analysis
        • installation monitoring (Mirekusoft Install Monitor)
        • files and folders monitoring (PA File Sight)
        • device drivers monitoring (DriverView)
        • network traffic monitoring/analysis (SolarWinds NetFlow Traffic Analyzer)
        • DNS monitoring/resolution (DNSQuerySniffer)
        • API calls monitoring (API Monitor)
  • virus detection method
    • scanning
    • integrity checking
    • interception
    • code emulation
    • heuristic analysis
  • trojan analysis
    • emotet

tools

  • beast (windows, create trojans)
  • DELmE virus maker
  • internet worm maker thing
  • virustotal
  • bitext (for malware analysis)
  • PEid (windows, identify signatures of malware)
  • PE Explorer (Portable Executable information)
  • Dependency walker
  • IDA (disassembly tool for win, linux and mac)
  • procmon
  • netcat: set up a listener and send all to bash (or cmd) :
    • nc -L -p 79 -d -e cmd.exe
  • process explorer (virus total integration)
  • jv16 PowerTools
  • splunk
  • PA file sight
  • solarwinds netflow
  • tcpview
  • DNSQuerySniffer

Back to index | Go to next module