Module 7: Malware Threats
Get an introduction to the different types of malware, such as Trojans, viruses, and worms, as well as system auditing for malware attacks, malware analysis, and countermeasures.
Hands-On Lab Exercises: Over 20 hands-on exercises with real-life simulated targets to build skills on how to:
> Gain control over a victim machine using a Trojan
> Infect the target system using a virus
> Perform static and dynamic malware analysis
Key topics covered:
> Malware, Components of Malware
> APT
> Trojan
> Types of Trojans
> Exploit Kits
> Virus
> Virus Lifecycle
> Types of Viruses
> Ransomware
> Computer Worms
> Fileless Malware
> Malware Analysis
> Static Malware Analysis
> Dynamic Malware Analysis
> Virus Detection Methods
> Trojan Analysis
> Virus Analysis
> Fileless Malware Analysis
> Anti-Trojan Software
> Antivirus Software
> Fileless Malware Detection Tools
Section 01: Malware Concepts
Malware
Malware:
Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.
Virus:
A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code.
Polymorphic Virus:
A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or "morph," making it difficult to detect with antimalware programs.
Metamorphic Virus:
Metamorphic code is code that when run outputs a logically equivalent version of its own code under some interpretation. This is similar to a quine, except that a quine's source code is exactly equivalent to its own output. Metamorphic code also usually outputs machine code and not its own source code.
Macro Virus:
In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications).
Boot Sector Virus:
A boot sector virus is a type of malware that infects a system's boot partition or the Master Boot Record (MBR) of a hard disk. During startup and before security software can be executed, the virus executes malicious code.
Worm:
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it.
Trojan horse:
In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Rootkit:
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Backdoor:
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment (e.g. part of a cryptosystem, algorithm, chipset, or even a "homunculus computer", a tiny computer-within-a-computer such as that found in Intel's AMT technology).
Botnet:
A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.
Ransomware:
Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid.
Keylogger / Keystroke logger:
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard,[1][2] typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.
Potentially unwanted application (PUA):
A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products.
Adware:
Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process.
Section 02: APT Concepts
Advanced Persistent Threats (APT):
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Section 03: Trojan Concepts
Trojan horse:
In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Remote access trojan (RAT):
A RAT (remote access Trojan) is malware an attacker uses to gain full administrative privileges and remote control of a target computer.
Section 04: Virus and Worms Concepts
Viruses and Worms
Virus:
A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code.
Logic bomb:
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.
Virus Hoax:
A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up window.
Worm:
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it.
Section 05: Fileless Malware Concepts
Fileless Malware:
Fileless malware is a variant of computer-related malicious software that exists exclusively as a memory-based artifact, i.e., in RAM. It does not write any part of its activity to the computer's hard drive, which increases its ability to evade antivirus software that relies on file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and leaves very little evidence that digital forensic investigators could use to identify illegitimate activity.
Living off the land:
Living off the land refers to the malicious use of dual-use tools: admin, forensic or system tools that are either already installed in the victim's environment or are legitimate utilities turned to malicious ends.
Section 06: Malware Analysis
Sheep dip:
In data security, a sheep-dip is the process of using a dedicated computer to test files on removable media for viruses before they are allowed to be used with other computers.
Malware Analysis:
Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.
Static malware analysis
Static malware analysis: Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA or Ghidra.
Dynamic malware analysis
Dynamic malware analysis: Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete.
Section 07: Malware Countermeasures
Countermeasures
Trojan countermeasures
Avoid opening email from unknown senders.
Install patches and updates.
Run antivirus and intrusion detection systems.
Check the TLS certificate of any website you are interacting with.
Backdoor countermeasures
Many antivirus products can scan for backdoors.
Run monitoring tools that detect malicious registry entries.
Delete malicious files related to the trojan.
Virus and worms countermeasures
Install patches and updates.
Perform regular backups.
Only execute signed code.
Fileless malware countermeasures
Run periodic antivirus scans.
Remove all administrative tools from the server.
Scan for indicators of compromise.
Indicator of compromise:
Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IoCs have been identified via a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
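As an added example (not part of the module or its lab material), the static-analysis step from Section 06 and the IoC matching described above, carried out in Python on a constructed byte blob: hash the sample without executing it, pull printable strings, extract URL/domain/IP indicators, and compare them against a small constructed IoC set. SAMPLE, the IoC values and every function name are assumptions for illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed sample: a fake "executable" (MZ magic plus padding and a few
# embedded strings). It is not real malware; it only exercises the triage logic.
SAMPLE = (b"MZ" + b"\x00" * 14
          + b"This program cannot be run in DOS mode.\x00"
          + b"http://c2.example-bad.test/gate.php\x00"
          + b"10.0.0.45\x00CreateRemoteThread\x00" + b"\x90" * 8)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the bytes: the hash IoCs a threat feed would carry."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_indicators(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Pull URLs, their host names and IPv4 literals out of extracted strings."""
    urls, domains, ips = [], [], []
    for s in strings:
        for u in URL_RE.findall(s):
            urls.append(u)
            host = urlparse(u).hostname
            if host and host not in domains:
                domains.append(host)
        for ip in IPV4_RE.findall(s):
            if ip not in ips:
                ips.append(ip)
    return {"urls": urls, "domains": domains, "ips": ips}


def triage(data: bytes, ioc_hashes: set, ioc_domains: set) -> Dict:
    """Static triage (no execution), then match the findings against known IoCs."""
    hashes = file_hashes(data)
    indicators = extract_indicators(ascii_strings(data))
    return {
        "is_pe": data[:2] == b"MZ",  # DOS/PE magic only; headers are not parsed
        "hashes": hashes,
        "indicators": indicators,
        "hash_match": bool(set(hashes.values()) & ioc_hashes),
        "domain_matches": sorted(set(indicators["domains"]) & ioc_domains),
    }
```

A hash match identifies a known sample exactly; the domain and IP indicators are the values worth feeding to an IDS or proxy blocklist, as the definition above describes.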
Antivirus software:
Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware.