All About Malware - Overview

By Kunal Patil, Senior Threat Hunter
 
         
              Malware stands for malicious software, meaning software that can be used to cause harm to the host computer. Malware is a broad term that refers to a variety of malicious programs. The most common types of malware as below : 
  1. Virus
  2. Adware
  3. Bot
  4. Ransomware 
  5. Rootkit
  6. Spyware
  7. Trojan Horse
  8. Worm
  9. Spam
  10. Keylogger
  11. Backdoors
  12. Phishing
Lets discuss each one in detail :

Virus 

          A computer virus is malicious computer program that replicates by copying itself to another program or computer boot sector which changes the way computer works. A virus can be spread by opening an email attachment, clicking on an executable file, visiting an infected website, connecting removable storage device or viewing an infected website advertisement.

Adware

          Adware is unwanted software designed to throw advertisements up on your screen, redirect your search requests to advertising websites and collect marketing-type data about you. The ads are delivered through pop-up windows or bars that appear on the program's user interface. Adware is commonly created for computers, but may also be found on mobile devices.

 Bot

          A bot is an automated program that runs over the Internet. Some bots run automatically, while others only execute commands when they receive specific input. There are many different types of bots, but some common examples include web crawlers, chat room bots, and malicious bots. While most bots are used for productive purposes, some are considered malware, since they perform undesirable functions.

Ransomware

          Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. Today, ransomware authors order that payment be sent via crypto currency or credit card. Ransomware controls over your computer, threatens you with harm, usually by denying you access to your data.

Rootkit 

          The term rootkit is a connection of the two words "root" and "kit". A rootkit is one of the most difficult types of malware to find and remove. Once a rootkit installs itself on your computer, it will boot up at the same time as your PC. On top of that, by having administrator access, it can track everything you do on the device, scan your traffic, install programs without your consent, hijacker your computer’s resources or enslave it in a botnet.

Spyware

          Spyware is software that is installed on a computing device without the end user's knowledge. It’s actually a generic term for malicious software that infects your PC or mobile device and gathers information about you, your browsing and Internet usage habits, as well as other data. That includes capturing keystrokes, screen shots, authentication credentials, personal email addresses, web form data, Internet usage information, and other personal information, such as credit card numbers.

Trojan Horse

          Trojans contain malicious code that when triggered, cause loss, or even theft, of data. Trojans can be Appoint by hackers trying to gain access to users systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once Trojan is activated, it can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include Deleting data, Blocking data, Modifying data, Copying data, Disrupting the performance of computers or computer networks

Worm

          Worm is self-replicating malware that duplicates itself to spread to uninfected computers. It is a type of virus which does not alter any files on your machine instead worms can still cause havoc by multiplying so many times that they take up all your computer's available memory or hard disk space. If a worm consumes your memory, your computer will run very slowly and possibly even crash. If the worm affects your hard disk space, your computer will take a long time to access files and you will not be able to save or create new files until the worm has been eradicated.

Spam

          Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc. Fraudulent spam also comes in the form of phishing emails, which are emails disguised as official communication from banks, online payment processors or any other organizations a user may trust. Users should avoid opening spam emails and never respond to them or click on links in the messages. Spam email may also deliver other types of malware through file attachments or scripts, or contain links to websites hosting malware.

Keylogger

          Keyloggers are used as a spyware tool by hackers to steal personally information , login credentials and sensitive important data. Keylogger recorders may also be used by organisations to observe employees computer activities, parents to supervise their children's internet usage, users to track possible unauthorized activity on their devices or law enforcement agencies to analyze incidents involving computer use. 

Backdoors

          A backdoor is a malware type that bypassed security mechanism undetectably to access a computer or its data. As a result, remote access is granted to resources within an application, such as databases and file servers, giving permission to remotely issue system commands and update malware.

Phishing

          Phishing is a type of social engineering attack in which a targets are contacted by email, telephone or text message by someone posing as a legitimate source to ask to steal user data, including login credentials and credit card numbers. 

Malware Analysis

              Malware analysis is the art of Exploring malware to understand how it works, how to identify it, and how to defeat or eliminate it. The Goals of malware Analysis to respond to a network intrusion system like Exactly what happened,  Ensure you’ve located all infected machines and files,How to measure and contain the damage, Find signatures for intrusion detection systems.

Types of Malware Analysis


            There are two fundamental approaches to malware analysis: static and dynamic. Static analysis involves examining the malware without running it. Dynamic analysis involves running the malware. Both techniques are further categorized as basic or advanced.
Basic Static : Basic static analysis consists of examining the executable file without viewing the actual instructions.also confirms whether a file is malicious, provide information about its functionality.

 Advance Static: Advanced static analysis consists of reverse-engineering the malware’s internals by loading the executable into a disassembler and looking at the program instructions in order to discover what the program does.

 Basic Dynamic : Basic dynamic analysis techniques involve running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both.

Advance Dynamic : Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable. Advanced dynamic analysis techniques provide another way to extract detailed information from an executable.
Why Malware Analysis?
  • To understand the Potential of the malware
  • Determine how the malware works
  • Evaluate the intrusion damage
  • Identify indicators that will helps us determine other infected machine by the same malware and the level of infection in the network
  • Help us identify if the malware is exploiting any vulnerability or on how it is persisting on the system
  • Determine the nature & Motivation of the malware
  • To understand who is targeting & how good they are.
  • To understand what information did they steal.

 Malware Detection is Done by different means like Signature Based, Rule Based , Behavioral Blocking, Sand box and pattern matching. however, we can perform this using different tools and utilities. below are the few important utilities used for Malware Analysis :

 Few terminologies to be remember while performing Malware Analysis:
  1. Strings 
  2. Hash
  3. Packed and Obfuscated Malware
  4. PE file Format (Headers and Section)
  5. Linked Libraries and Functions
  6. Assembly Language
Tools for Static Analysis :
  • Dependancy Walker
  • Resource Hacker
  • PEview 
  • File Analyzer
  • Hashcalc
  • RegRipper
  • HxD
  • Virus Total
  • Regshot
  • PEiD 
Tools for Dynamic Analysis : 
  • ProcessExplorer
  • RegShot
  • ApateDNS
  • Netcat
  • Wireshark
  • INetSim
  • IDA Pro
  • Cuckoo Sandbox
  • OllyDbg
  • WinDbg
  • Muninn
  • DAMM
  • FindAES
  • Volatility
  • Procmon

Stay Tuned for Profound understanding of Malware Analysis in my next Blog.....

I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm...
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing tri...
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA ma...
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage....
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100...
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub...
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three T...
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Es...
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread throu...
Read more