Introduction to Different Types of Malware and Viruses

Welcome to the exciting phase. This is the phase most people think of when the word “hacking” is mentioned - launching exploits, gaining access to computers and more!

Introduction

Since the discovery of the first PC virus in 1986 named Brain, there has been a continuous development of malicious software. One of the latest stats from AVTest shows that there are 390,000 thousand new malicious programs each day.

This makes it clear that the scale of the problem is enormous. Because of this, antivirus companies find it increasingly difficult to offer real safety to users against malware threats.

Malware refers to any software that is intentionally developed to perform an unauthorized, usually harmful action on a computer. The term is used generically to group software such as viruses, worms, trojans, exploits, ransomware and more.

Each term refers to a distinct piece of malicious code, each with its own characteristics and functionality. However, while each type of malware has its own characteristics, the current trend shows that many malware types now include a combination of different features within a single piece of code.

Therefore, at times, we can refer to malware as being hybrid, meaning that it includes characteristics from a variety of malware types.

Viruses

A virus is a concealed piece of malicious code designed to infect a system by typically making multiple copies of itself on the hard drive of the victim.

They accomplish this by placing malicious self-replicating code in executable files. When these apps execute, they replicate again and infect even more programs.

Because of this, a typical virus requires human activity to start the infection routine. Once they are started, viruses can deliver different forms of payloads with varying degrees of severity ranging from mischevious to destructive.

A virus can infect the following components of a system:

• MBR or Boot virus - infects disk boot sectors and records

• Files Infector virus - infects executables in OS file system

• Macro virus - infects init sequence of documents, spreadsheets, etc..., instructions interpreted before the app takes control

• Service Injection virus - inject themselves into trusted runtime processes of the OS (winlogin.exe, svhost.exe, etc..)

• Companion Files - creates a companion file for each executable file the virus infects (.com files run instead of the intended .exe file)

Viruses reveal their existence in numerous ways (an increase in file size, when appending/prepending viral code).

Stealth is a virus's attempt to evade detection by concealing their infection and presence from AV software. The longer it remains hidden, the further it can spread. Many technologies exist to evade detection:

• Stealth Viruses

• Multipartite Viruses

• Polymorphic Viruses

• Encrypted Viruses

Stealth Viruses

These hide themselves by tampering with the OS to fool the AV into thinking that everything is normal. Viruses can evade detection by intercepting the AV request to read a file and passing the request to the virus.

The virus can return an uninfected version of the file, so that it appears as if the file is clean. For instance, an MBR virus may save a copy of the MBR on disk and return this to an AV asking the OS for it.

Multipartite Viruses

This uses multiple propogation techniques in an attempt to fool AV software that is only capable of detecting one. For example, infecting .com and .exe files.

Polymorphic Viruses

These attempt to make itself unrecognizable by changing its signature at every infection. Polymorphic code mutates while keeping the original algorithm intact - confusing AV software searching for a byte sequence (signature).

Encrypted Viruses

These use cryptographic techniques to avoid detection. Similiar to polymorphic as they generate a new signature at every infection.

However, they do NOT change their code, but rather they alter the way that they are stored on the disk. Each infection generates a new decryption routine used to load and decrypt the main code.

Decryption routines have their own signature and could be susceptible to up to date AV.

Worms

Worms are malicious self-replicating and self-propogating programs designed to infect multiple remote targets in an attempt to deliver a destructive payload. Worms are standalone programs, meaning they do not need a host file to run or propogate.

Additionally, a worm does not require user interaction to execute its payload. This makes it very dangerous to network environments.

Worms can infect and corrupt files, degrade, overall system performance and security, steal sensitive user information or install other dangerous tools such as backdoors and Trojans.

Trojans

A trojan is a small malicious program disguised as something benign that runs hidden on an infected system and performs unwanted functions. Unlike computer viruses and worms, trojans are NOT able to self-replicate.

Therefore, they must be installed by a user or another program. Once installed, they can cause data theft and loss, system crashes or slowdowns, or launching points for other attacks.

Trojans rely on deception, by tricking a user into running them for their apparent usefulness, but their true purpose is to attack.

Trojans often work using a client-server network model. The server side is installed on the machine of the victim. The client part is on the attacker's system. Once the victim unknowingly runs the server, the attacker can connect to it and start using the malware.

Trojans generally run in stealth mode on a victim's computer, and can be configured for different functions. There are many types of trojans, each behaving differently and producing different results. Some examples include:

• Remote Access Trojans (RATs) - used to gain remote access

• Data-Sending Trojans - used to find and deliver data to an attacker

• Destructive Trojans - used to delete or corrupt files

• DDoS Trojans - used to launch a DDoS attack

• Proxy Trojans - used to tunnel traffic or launch hacking attacks via other systems

• FTP Trojans - used to create an FTP server to copy files

• Security Disabler Trojans - used to stop anti-virus software

• Trojan Banker - designed to steal data for online banking systems

• Trojan Ransom - used to modify data on your computer so that it does not run correctly or the user can no longer use specific data. The attacker can restore the data, after a ransom is paid.

Spyware

Spyware is a non-technical term used to define computer software that secretly gathers information about a user. This info can then be passed back to a spy through an internet connection.

Spyware could be hidden among other programs (Trojan-Spy) or can be unwittingly downloaded when certain websites are visited - known as drive-by downloading.

Once the spyware is installed, it remains invisible to the user and secretly monitors the user's activities. Spyware could include keylogging features to steal passwords, watching your searching habits and/or changing your browser home and search pages.

IMPORTANT: Spyware also exists in the form of commercial software. One example is a software package called SpectorSoft, which can be used to monitor employees.

Backdoors

A backdoor is a program that is installed on a system to allow access to it at a later time. A backdoor enables an attacker to retain access to a compromised device, to perform malicious activities remotely.

A RAT can be considered an example of backdoor software.

Rootkits

The term rootkit is used to describe a set of software tools used to mask the presence of malicious software. This is achieved in a variety of ways, but the overall idea is to modify the host OS to hide the presence of malware.

Rootkits are often used by an attacker to maintain access to a system as its use can prevent malicious processes from being visible in the system's list of processes, or keep them safe from being read by antivirus.

A rootkit is a program used to hide files and utilities on a compromised system. They also have the ability to hide themselves and cover up traces of activities. When a rootkit is installed, it replaces certain OS calls and utilities with its own modified version of these routines.

Most rootkits come with accessories like packet sniffers, log file editors and time stamp utilities. Rootkits may include so called backdoors to help an attacker subsequently access the system more easily.

There are several types of rootkits including the following:

• Kernel-level rootkit - add code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module - especially dangerous because they can be difficult to detect without appropriate software.

• Library-level rootkit - commonly patch, hook or replace system calls with versions that hide information that might allow the hacker to be identified

• Application-level rootkits - they may replace regular application binaries with Trojanized fakes or they may modify the behaviour or existing applications using hooks, patches, injection code or other means.

All rootkits require admin access, so password security is critical. If a rootkit is detected, it is recommended that critical data is backed up and OS and apps are re-installed from a trusted source.

The admin should keep a well-documented automated installation procedure and trusted restoration media.

Another countermeasure is to use the MD5 checksum utility - this makes sure that a file has not changed. It can be useful in checking file integrity if a rootkit has been found on a system.

Botnets

The term botnet refers to a network of compromised computers, remotely accessible and used for malicious activity. A botnet uses some form of malware to infect thousands of computers, which lies dormant until told otherwise by the attacker.

The malware enables communication amongst bots and the bot-herder to ensure the delivery of commands to coordinate an attack.

The bot-herder is the controlling device and must ensure that bots can be contacted. If the communication channel is shut down, then the botnet can be disabled.

The bot-herder is often referred to as the C&C center. Three types of C&C are generally found:

• Centralized - single device used to communiate with bots. If taken down, the whole botnet ceases to exist

• Decentralized - each bot can act as both client or server, reducing the chances of the bot being compromised

• Hybrid - bit of both. For example, it can rely on a decentralized C&C, but if something goes wrong, then it resorts to a centralized C&C.

Botnets can be used by an attacker to perform a variety of tasks. Some examples are:

• DDoS attacks - taking a target system offline

• Information harvesting - used to steal information such as usernames, passwords, and banking information

• Click fraud - used to generate income

Ransomware

Ransomware is used by an attacker to encrypt documents or the target hard drive and demand money for the decryption key. Ransomware can spread in a variety of ways including email attachments, infected programs and compromised websites.

Examples include Reverton, CryptoLocker, CryptoWall and WannaCry.

Exploits

Exploits are software tools normally used to gain remote access to a system. An exploit is created to take advantage of a vulnerability in a software system or app. Exploiting this vulnerability offers the chance for an attacker to inject code into a system and obtain remote access.

Other malware could make use of exploits to install in a vulnerable system. The worm named Conficker used a popular vulnerability to run an exploit against Microsoft Windows systems.

Construction Kits

Construction kits are tools designed to provide the capability to those with limited programming knowledge, to write their own malware. They provide a user interface which allows users to choose from a list of features that they want their malware to have.

Construction kits can also be referred to as Crimeware kits. An example is the malware called ZBot, used to create many samples of the Zeus Trojan, which resulted in one of the largest botnets ever discovered.

Fortunately, many of these kits create malware which can be easily detected by antivirus software as their signature remains the same for all code they produce.

Riskware, Adware and Pornware

Riskware is not malware in the conventional sense, but is included as it is a commonly used term. Riskware is in fact legitimate software which is exploitable by hackers so as to modify or disrupt a computer's operation.

Examples of Riskware include FTP, Telnet and IRC clients.

Adware and Pornware reprsent types of programs that are unwanted, rather than malware per se.

Adware can be used to display advertisements on your computer, redirect Internet searches to advertizing websites and collect marketing data which can be used to create bespoke adverts.

Pornware displays porn material and includes programs that have been installed without the user's permission or knowledge.

Newer Malware Trends

Recently, the whole thinking behind malware development has changed. Formerly, a vulnerability might be identified and an exploit used to take advantage of the same vulnerability.

In comparison, modern malware is targeted. The target is decided, a weakness is found and an attack designed based on the identified weakness.

This technique can also be referred to as Advanced Persistent Threat. It implies the attacker continously monitors and studies a target organization and in most cases, develops some form of malware that can be used exclusively against that organization.

An example of this is Stuxnet.

Additionally, as their development is costly and time-consuming, production of this type of malware requires the support of nation-states or large organizations.

Another current trend in malware is to target mobile devices. Due to its openness and popularity, Android seems to be the primary OS being affected. An example of malware for Android is the Svpeng Trojan, which combines the functionality of a banking Trojan with ransomware capabilities.

Cyberweapons

The term cyberweapons indicates a highly-sophisticated type of malware normally used for targeted attacks on specific production facilities. These tools are being developed by well-funded and well organized groups - often nation states - that are using malware as a means to cause disruption and for espionage.

The most famous example is Stuxnet which started the beginning of a cyberwar, where nations have the ability to fight each other within cyberspace.

Several other examples of this type of malware already exists such as Duqu, Gauss and Flame. It is clear that this is becoming a common trend and we can expect more countries to develop cyberweapons for various purposes.

There is also the chance that these malware types could be copied and modified by non-nation states to perform cyber attacks targeted at critical infrastructure.

Fileless Malware

This is a type of malware that does NOT rely on files and leaves no footprint, making it challenging to detect and remove:

How Does Malware Spread?

90% of unknown malware is delivered via web-browsing - be careful of malvertizing! Additionally, it also spreads via social media by posting links on Facebook and Twitter. Another popular option is via social engineering such as phishing emails and external devices (e.g. USBs).

Naming Convention

While an official naming standard for malware does not exist, most anti-malware vendors use names which contain some common features. Often, malware is given a name similiar to the one below:

Trojan-Spy.Win32.Zbot.abcd

Each section is used to indicate a category or subcategory of malware. Here is the explanation:

• Trojan - malware category

• Spy - sub category

• Win32 - platform affected

• Zbot - name of the particular malware family

• Abcd - the suffix that denotes the variant

A methodology used by some malware researchers to standardize names of malware is The Computer Antivirus Researcher's Organization (CARO)

Detection and Mitigation

The basic symptoms of an infected system are:

• Machine running slow

• Unexpected messages or apps starting automatically

• Hard disk running continuously

• Browser freezing and/or visiting unwanted web pages

Antivirus

The primary method used to prevent the propogation of malicious code is AV software. This generally comes in the form of an app that gets installed in a computer to protect it from many malware threats.

AV software exists for all sorts of devices, from network infrastructure and servers, to hosts and mobile devices. Many of these tools analyze network traffic and files for common malware characteristics by comparing them to a predefined database.

Therefore, the maintenance of this database is vital for these tools to work correctly. This an over simplification. In reality, many types of virus detection exist.

Detection Mechanisms

There are two main detection mechanism methods:

• Signature based

• Heuristic based

Signature-Based

This is the most common method, which implies the use of database. The idea is to check for a specific set of bytes (signature) on the files scanned, compare it to known malware code and alert the user if a match is found.

In order for this to work efficiently, it is essential for the database to be updated regularly.

Heuristic-Based

Heuristic detection is a more complex mechanism that can offer detection for known and unknown malware types. Several types of heuristic detection exist. One of the most commonly used works by monitoring the malware code behaviour in real time to see how the malware interacts with the machine.

To make this work, known malware is previously analyze in a simulated environment like a VM or sandbox. Once the malware behaviour is recorded, it can then be checked against live malware.

The advantage of this is that it is capable of discovering both known and unknown malware. However, this analysis technique is more time consuming and results in many false positives.

User Education

Without a doubt one of the most important defense methods against malware is user education. To install or propogate, most malware relies on a user unwittingly completing a task.

Clicking a link, visiting a web page or opening an attachment are a few examples. This is why users get bombarded with spam emails asking us to click on a link or to open an attached document.

It is essential, especially in a business environment, that the user is made aware of these threats and is capable of recognizing them.