- Software such as TrueCrypt uses algorithms and techniques to encrypt a file to protect privacy, but, at the same time, ransomware uses the same algorithms to encrypt files to extort the user.
- Similarly, Firefox uses the HTTP protocol to browse the web, while malware uses the HTTP protocol to post its stolen data to its command and control (C&C) server.
In this article we will focus on the different types of malware. They can be categorized into different types based on the damage they cause to the system. A piece of malware does not necessarily use a single method to cause damage; it can employ several. We will look into some known malware types:
- Virus or file infector
- Remote Access Tool (RAT)
- Keylogger and password stealer
- Banking malware
- POS malware
- Exploit and exploit kits
To be clear, malware can act as a backdoor as well as a password stealer, or can be a combination of any of these. Some of the definitions are simple enough to understand in one line, while others need some detailed explanation.
This article is an excerpt taken from the book ‘Preventing Ransomware’, written by Abhijit Mohanta, Mounir Hahad, and Kumaraguru Velmurugan.
A backdoor can be a simple piece of functionality in malware. It opens a port on the victim machine so that the hacker can log in without the victim’s knowledge and carry out their work. A piece of backdoor malware can create a new process of itself, or inject malicious code that opens a port into legitimate code executing on the system. Backdoor functionality is usually part of a larger piece of malware. Most RAT tools have a backdoor module that opens a port on the victim machine for the hacker to get in.
A downloader is a piece of malicious software that downloads other malware. It has a URL for the malware that needs to be downloaded. Hence, when executed, it downloads other malware. Bedep was mostly known to download CryptoLockers. Upatre was another popular downloader.
Virus or file infector
File infection malware piggybacks its code onto clean software. It alters an executable file on disk in such a way that the malware code is executed before or after the clean code in the file. A file infector is often termed a virus in the security industry, and a lot of antivirus products tag it as a virus.
In the context of PE executables of Windows, a file infector can work in the following manner:
- Malware adds malicious code at the end of a clean executable file.
- It changes the entry point of the file to point to the malicious code located at the end. When the exe is double-clicked, the malware code is executed first.
- The malicious code keeps the address of the clean code, which was earlier the entry point. After completing the malicious activity, the malware code transfers control to the clean code.
A virus can infect a file in several ways. It can place its code at different places in the infected file. File infection is a way to spread within the system.
Many of these file infectors infect every system file on Windows, so the malware code executes regardless of whether you start Internet Explorer or the calculator program. Some very famous PE file infectors are Virut, Sality, XPAJ, and Xpiro.
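As an added, defender-side example (not code from the book), here is a C checker that walks a PE header, finds the section holding the entry point, and flags the layout the infection steps above leave behind: an entry point in the last section, or in a section that is both writable and executable. The section names, addresses and the 312-byte fixed header size produced by build_headers are a fixture constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SCN_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_WRITE   0x80000000u   /* IMAGE_SCN_MEM_WRITE */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Find the section holding AddressOfEntryPoint. Returns -1 for a malformed image, 0 when
   the entry point looks normal, else a bitmask: 1 = inside no section, 2 = in the last of
   several sections (where appended code lands), 4 = that section is writable+executable. */
int check_entry_point(const uint8_t *pe, size_t len)
{
    if (len < 0x40 || memcmp(pe, "MZ", 2) != 0) return -1;
    uint32_t pe_off = rd32(pe + 0x3C);                   /* e_lfanew */
    if (pe_off > len - 24 || memcmp(pe + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = pe + pe_off + 4, *opt = coff + 20;
    uint32_t nsec = rd32(coff + 2) & 0xFFFF, opt_size = rd32(coff + 16) & 0xFFFF;
    const uint8_t *sec = opt + opt_size;                 /* section table follows the optional header */
    if (opt_size < 20 || (size_t)(sec - pe) + 40 * nsec > len) return -1;
    uint32_t entry = rd32(opt + 16);                     /* same offset in PE32 and PE32+ */
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *s = sec + 40 * i;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12), chars = rd32(s + 36);
        if (entry < va || entry - va >= vsize) continue;
        int f = (nsec > 1 && i == nsec - 1) ? 2 : 0;
        if ((chars & SCN_WRITE) && (chars & SCN_EXECUTE)) f |= 4;
        return f;
    }
    return 1;
}

/* Constructed test fixture: writes a minimal PE32 header (no code bytes) into out, which
   must hold 312 + 40 * nsec bytes, and returns its length. Section order is preserved. */
struct section { const char *name; uint32_t va, vsize, chars; };
size_t build_headers(uint8_t *out, uint32_t entry, int nsec, const struct section *secs)
{
    size_t len = 312 + 40 * (size_t)nsec;
    memset(out, 0, len);
    memcpy(out, "MZ", 2); wr32(out + 0x3C, 64); memcpy(out + 64, "PE\0\0", 4);
    uint8_t *coff = out + 68, *opt = coff + 20;
    coff[2] = (uint8_t)nsec; coff[16] = 224;               /* NumberOfSections, SizeOfOptionalHeader */
    opt[0] = 0x0B; opt[1] = 0x01; wr32(opt + 16, entry);   /* PE32 magic, AddressOfEntryPoint */
    for (int i = 0; i < nsec; i++) {
        uint8_t *s = opt + 224 + 40 * i;
        memcpy(s, secs[i].name, strlen(secs[i].name) > 8 ? 8 : strlen(secs[i].name));
        wr32(s + 8, secs[i].vsize); wr32(s + 12, secs[i].va); wr32(s + 36, secs[i].chars);
    }
    return len;
}
```

A hit is a triage signal to pull the file for closer analysis, not proof of infection; some packers and linkers produce the same layout.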
A worm spreads in a system by various mechanisms. File infection can also be considered a worm-like behavior.
A worm can spread in several ways:
- To other computers on the network by brute forcing default usernames and passwords of network shares or other machines.
- By exploiting vulnerabilities in network protocols.
- Using pen drives. When an autorun worm is executed, it looks for a pen drive attached to the system. The worm creates a copy of itself on the pen drive and also adds an autorun.inf file to it. When the infected pen drive is inserted into a new machine, autorun.inf is executed by Windows, which in turn executes the copied .exe. The copied exe can now copy itself to different locations on the new machine.
A botnet is a piece of malware that is based on the client-server model. The victim machine that is infected with the malware is called a bot. The hacker controls the bots by using a C&C server; this hacker is also called a bot herder. A C&C server can issue commands to the bots. If a large number of computers are infected with bots, they can be used to direct a lot of traffic toward any server. If the server is not secure enough and is incapable of handling huge traffic, it can shut down. This is usually called a denial of service (DoS) attack. A bot can use standard internet protocols or custom protocols to communicate with its C&C server.
ZeroAccess and GameOver are famous botnets of the recent past.
Keylogger and password stealer
Keyloggers have been well known for a long time. They can monitor keystrokes and log them to a file. The log file can be transferred to the hacker later on.
A password stealer is similar. It can steal usernames and passwords from the following locations:
- Browsers, which store passwords for social networking sites, movie sites, song sites, email, and gaming sites.
- FTP clients such as FileZilla and SmartFTP, which are used by companies or individuals to save data on FTP servers.
- Email clients such as Thunderbird and Outlook, which are used to access emails easily.
- Database clients, used mostly by engineers and students.
- Banking applications.
- Password managers, where users store passwords so that they don’t have to remember them. Malware can steal passwords from these applications. LastPass and KeePass are password manager applications.
Hackers can use these credentials to steal more data or access the private information of somebody or to try to access military installations. They can target executives using this kind of malware to steal their confidential information.
Zeus and Citadel are famous password stealers.
Banking malware
Banking malware is financial malware. It can include the functionality of keylogging and password stealing from the browser.
Banks have come up with virtual keyboards, which is a major blow to keyloggers. Now, most banking malware uses a man-in-the-middle (MITM) attack. In this kind of attack, the malware is able to intercept the conversation between the victim and the banking site.
There are two popular MITM mechanisms used by banking malware these days: form grabbing and browser injects.
In form grabbing, the malware hooks the browser APIs and sends the intercepted data to its C&C server. Simultaneously, it can send the same data to the bank website too.
Web inject works in the following manner:
- The malware performs API hooking in the browser to intercept the web page that was requested by the victim’s browser.
- The original web page is a form into which the victim needs to enter various things, such as the amount to transfer and their credentials. The malware modifies this intercepted page to add extra fields, such as the CVV number, PIN, and OTP, which are used for additional authentication. These additional fields are injected as an HTML form, which varies from bank to bank. The malware keeps a configuration file that tells it which form needs to be injected into the page of which banking site.
- After modifying the web page, the malware sends it on to the victim’s browser. So the victim sees the page with the extra fields added by the malware.
- Hence, the malware is able to steal the additional parameters needed for authentication.
Tibna, Shifu, Carberp, and Zeus are some famous pieces of banking malware.
POS malware
The method of money transfer is changing, and so are cash transactions in shops. POS devices are installed in a lot of shops these days, and Microsoft provides a POS edition of Windows for these kinds of devices. The POS software on these devices reads the credit card information when a card is swiped through the device.
If malware infects a POS device, it scans the memory of the POS software for credit card patterns. Credit card numbers are 16 digits long, so the malware scans for 16-digit patterns in memory to identify and then steal credit card numbers.
BlackPOS, Dexter, JackPOS, and BackOff are famous pieces of POS malware.
Hacktools are often used to retrieve passwords from browsers, operating systems, or other applications. They can work by brute forcing or by identifying patterns. Cain and Abel, John the Ripper, and Rainbow Crack were old hacktools. Mimikatz is one of the latest hacktools, associated with some top ransomware such as WannaCry and NotPetya, which used it to decode and steal the credentials of the victim.
Remote Access Tool (RAT)
A RAT acts as a remote control, as the name suggests. It can be used for both good and bad intentions. RATs can be used by system administrators to solve their clients’ issues by accessing the client’s machine remotely. But since RATs usually give full access to the person sitting remotely, they can be misused by hackers. RATs have been used in sophisticated hacks many times.
They can be misused for multiple purposes, such as the following:
- Monitoring keystrokes using keyloggers
- Stealing credentials and data from the victim machine
- Wiping out all data from a remote machine
- Creating a backdoor so that a hacker can log in
Gh0st Rat, Poison Ivy, Back Orifice, Prorat, and NjRat are well-known RATs.
Exploit and exploit kits
Software is written by humans and, obviously, there will be bugs. Hackers take advantage of some of these bugs to compromise a system in an unauthorized manner. We call such bugs vulnerabilities. Vulnerabilities occur for various reasons, but mostly due to imperfect programming. If programmers have not considered certain scenarios while writing the software, this can lead to a vulnerability in it.
Consider a simple C program that uses the function strcpy() to copy a string from a source buffer to a destination buffer.
The programmer has failed to notice that the destination is 10 bytes while the source is 23 bytes: in the program, the source is allocated 23 bytes of memory while the destination is assigned 11 bytes. When strcpy() copies the source into the destination, the copied string goes beyond the memory allocated to the destination.
The memory beyond that assigned to the destination can hold important things related to the program, which are then overwritten. This kind of vulnerability is called a buffer overflow. Stack overflows and heap overflows are the commonly known kinds of buffer overflow vulnerability. There are other vulnerabilities, such as use-after-free, where an object is used after it has been freed (we don’t want to go into this in depth, as it requires an understanding of C++ programming concepts and assembly language).
A program that takes advantage of these vulnerabilities for a malicious purpose is called an exploit.
To explain an exploit, we will talk about a stack overflow case. Readers are encouraged to read about C programming to follow this. Exploit writing is a more complex process that requires knowledge of assembly language, debuggers, and computer architecture. We will try to explain the concept as simply as possible.
The book shows a screenshot of a C program at this point. Note that it is not a complete program and is only meant to illustrate the concept.
The main() function takes input from the user (argv) and passes it on to the vulnerable function, vulnerable_function. Since main calls the vulnerable function, the CPU should come back to main (that is, line 15) after executing it. This is the order in which the CPU should execute the program: line 14 | line 4 | line 5 | line 6 | line 15.
Now, when the CPU is at line 6, how does it know that it has to return to line 15? The secret lies in the stack. Before jumping from line 14 to line 4, the CPU saves the address of line 15 on the stack; we call this the return address. The stack also stores local variables; in this case, buffer is a local variable of vulnerable_function. Consider what the stack looks like for the preceding program at this point.
This is the state of the stack while the CPU is executing the vulnerable_function code: the return address (the address of line 15) is placed on the stack along with the local buffer. Now, the size of the buffer is only 16 bytes (see the program). When the user provides an input (argv) larger than 16 bytes, the extra length of the input overwrites the return address when strcpy() is executed. This is a classic example of stack overflow.
To exploit a similar program, the exploit overwrites the RETURN ADDRESS. As a result, after executing line 6, the CPU goes to whatever address has overwritten the return address. So the user can create a specially crafted input (argv) with a length greater than 16 bytes. The input contains three parts – the address of the buffer, NOPs, and shellcode. The address of the buffer is the virtual memory address of the variable buffer. NOP stands for the no-operation instruction; as the name implies, it does nothing when executed.
Shellcode is nothing but an extremely small piece of code that can fit in a very small space. Shellcode is capable of doing the following:
- Opening a backdoor port in the vulnerable software
- Downloading another piece of malware
- Spawning a command prompt to the remote hacker, who can access the system of the victim
- Elevating the privileges of the victim process so the hacker has access to more areas and functions in the system.
The book’s next image shows the same stack after the specially crafted input is provided to the program. There, the return address is overwritten with the address of the buffer, so instead of line 15 the CPU goes to the address of the buffer. After the NOPs, the shellcode is executed.
The conclusion is that, by providing a crafted input to the vulnerable program, the exploit is able to execute shellcode, which can open up a backdoor or download malware.
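As an added example (not the book’s program), here is the pattern from the strcpy() discussion and the vulnerable_function walkthrough above, written in C beside a hardened version: the 16-byte buffer is kept, but the copy is bounded and over-long input is rejected instead of being written over the return address. bounded_copy and safe_function are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The shape the article describes: a 16-byte stack buffer filled by strcpy() from
   untrusted input. strcpy() stops only at the terminating NUL, so an input longer than
   15 bytes runs past buffer and over whatever sits beyond it, including the saved return
   address. Shown for contrast only; nothing here calls it. */
void vulnerable_function(const char *input)
{
    char buffer[16];
    strcpy(buffer, input);                        /* no length check: the bug */
    puts(buffer);
}

/* Hardened replacement. Copies src into dst only when src and its terminator fit in
   dst_size bytes. Returns 0 on success and -1 on rejection; on rejection dst becomes
   the empty string so a caller can never read stale stack bytes. Rejecting rather than
   truncating keeps the data intact or refuses it, never silently alters it. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* scan no further than could fit */
    if (n == dst_size) {                          /* no NUL within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                      /* n bytes plus the terminator */
    return 0;
}

/* Same 16-byte local buffer as above, now guarded. Returns bounded_copy's result. */
int safe_function(const char *input)
{
    char buffer[16];
    int rc = bounded_copy(buffer, sizeof buffer, input);
    if (rc != 0)
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof buffer - 1);
    else
        puts(buffer);
    return rc;
}
```

Compiler stack protectors and position-independent executables add defence in depth, but the length check at the copy is what removes the bug itself.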
The inputs can be as follows:
- An HTTP request is an input for a web server
- An HTML page is an input for a web browser
- A PDF is an input to Adobe Reader
And so on – the list is infinite.
We often see vulnerabilities mentioned in blogs. Usually, a CVE number is given for a vulnerability. One can find the list of vulnerabilities at http://www.cvedetails.com/. The WannaCry ransomware used CVE-2017-0144. 2017 is the year when the vulnerability was discovered. 0144 denotes that this was the 144th vulnerability discovered in 2017. Microsoft also issues advisories for vulnerabilities in Microsoft software. https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144 gives the details of the vulnerability.
The vulnerability description tells us that the bug lies in the SMBv1 server software installed in some versions of Microsoft operating systems. The URL also references some of the exploits.
Now that you know what types of malware exist, do check out the book, Preventing Ransomware, to learn more about the techniques to prevent malware and perform effective malware analysis.