Week 1 - Introduction to Malware
This week we were introduced to the basics of malware. Commercial anti-virus products of the early 1990s distributed their signature updates monthly on floppy disks. An important component of current and future anti-malware is collaboration between vendors: a company that stays siloed in its own telemetry can miss behavior that a different company sees from the same piece of malware. The primary infection vector is users themselves (opening attachments, running downloads). Next is USB drives.
Some basic definitions that were covered are:
DGA - domain generation algorithm: code inside the malware that deterministically produces a large number of candidate domain names (often seeded by the current date) to serve as rendezvous points for command and control servers. The operator registers only a few of the names, so taking down any one domain does not cut the botnet off.
Malware - shorthand for malicious software.
Virus - a type of malware that is parasitic: it attaches its code to a host file or boot sector and spreads when that host is executed or copied. Many viruses are also polymorphic, rewriting their own code on each infection to defeat signature matching.
Worm - self-replicating malware that is not parasitic; it needs no host file and spreads on its own, usually over the network. Its main purpose is to spread as quickly as possible.
Trojan - malware disguised as something legitimate. The backdoor and downloader categories mean that the attacker is controlling the host machine remotely or using it to fetch further payloads. Trojans can also be parasitic.
PUP - potentially unwanted program, such as spyware, adware, or a key generator.
Sample - a term used to refer to a specific piece of malware (or any file under analysis).
White - a "clean" sample.
Black - a "dirty" sample.
Gray - an unknown sample, not yet classified as clean or dirty.
Goat - a sacrificial machine (physical or virtual) on which malware is deliberately run. This is not the same as a honeypot: a honeypot is a trap placed on an exposed network that is trying to attract and catch attacks and malware.
Replication - reproducing the infection in the lab to find out what exactly the malware does. The behavior must be replicated in a controlled environment before it can be understood.
Hash - a fixed-length value calculated over every byte of a file. If any part of the file is changed, the hash changes. A hash is akin to a fingerprint, meaning that two samples with different file names but the same hash are really the same file: a name can be modified to be anything, while the hash (for a sound algorithm such as SHA-256) cannot be faked. Note that "hash collision" means the opposite of this: two different files that share a hash, which is a weakness of the hash function (practical for MD5) rather than a confirmation of identity.
Exploit kit - a toolkit, usually served from a web page, that probes a visitor's browser and plugins for known vulnerabilities and uses one of them to get the developed malware onto the system.
RAT - remote access trojan: malware that gives the attacker interactive remote control of the infected machine.
Ransomware - malware that encrypts the victim's files and demands payment for the key. If the cryptography is implemented correctly, the data is uncrackable without that key.
POS malware (often mislabelled POS ransomware) - malware on point-of-sale terminals that captures credit card data by scraping the memory of the payment process at the moment the card is swiped.
Patient zero - the first infected machine when an attack is carried out and then spreads across a network.
Packer - a tool that compresses and/or encrypts an executable and wraps it in a small stub that unpacks it in memory at runtime. It is used to get past signature-based anti-virus and to hinder static analysis, since the original code and strings are not visible on disk.
APT - stands for advanced persistent threat. The three words describe three aspects of the attacker: profile, intent, and structure. Advanced means the attacker is highly skilled in intrusion methods and techniques, is an adept coder, and can write custom exploits and tools. Persistent means there is a specific mission or objective the attacker is trying to achieve and will keep working toward over time. Threat means the attacker belongs to an organization with the funds to carry out an attack that is planned and organized.
There are four characteristics of an APT: actors, motives, targets, and goals. Actors can be governments, terrorists, competitors, organized crime, or malicious employees and ex-employees.
Motives are usually money, excitement, revenge, or ideology. Targets could be anyone, but often they are corporations, defense contractors, governments, and universities. Goals are often to create backdoors to gain access, to be stealthy while carrying out the attack, and to leave without being noticed.
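As an added example of the hash definition above (my own illustration, not code from the course or the lab), the block below hashes three constructed "files": two that are byte-for-byte identical under different names, and one that differs by a single byte. It groups samples by SHA-256 so that renamed copies collapse into one entry, and shows that a one-byte change produces an entirely different digest. The file names and contents are made up for the example.

```python
import hashlib

# Constructed sample contents (not real malware): two "files" with identical
# bytes under different names, and a third that differs by a single byte.
SAMPLES = {
    "invoice.exe": b"MZ\x90\x00" + b"payload-v1" * 16,
    "update.scr": b"MZ\x90\x00" + b"payload-v1" * 16,
    "invoice_patched.exe": b"MZ\x90\x00" + b"payload-v1" * 15 + b"payload-v2",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hashes(data: bytes) -> dict:
    """The digests analysts commonly exchange for a sample. Key on SHA-256;
    MD5 and SHA-1 are included only because older reports still quote them,
    and real collisions (different files, same digest) are known for both."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": sha256_hex(data),
    }


def same_sample(a: bytes, b: bytes) -> bool:
    """Identity test: same SHA-256 means same bytes, whatever the file is called."""
    return sha256_hex(a) == sha256_hex(b)


def dedupe_samples(samples: dict) -> dict:
    """Group file names by SHA-256 so renamed copies collapse into one entry."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(sha256_hex(data), []).append(name)
    return groups


if __name__ == "__main__":
    for digest, names in dedupe_samples(SAMPLES).items():
        print(digest[:16], names)
    print(file_hashes(SAMPLES["invoice.exe"]))
```

When exchanging indicators with another team, send the SHA-256 rather than the file name: the name tells you nothing, and an MD5 alone can be matched by a deliberately crafted second file.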
APT kill chain is a term (from Lockheed Martin's Cyber Kill Chain model) for the general workflow of an advanced persistent threat. The chain looks like this:
reconnaissance -> weaponization -> delivery -> exploitation -> installation -> command and control -> actions on objectives
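To make the DGA definition and the command and control stage concrete, here is an added example of my own (not code from the course, and not modelled on any real family): a toy date-seeded domain generation algorithm. Both the implant and the operator run the same function, so the operator can register one of the day's names in advance while the implant tries them in order; a defender who recovers the seed and algorithm from a sample can precompute the same names and block or sinkhole them. The seed value, label length and TLD list are assumptions for the illustration.

```python
import datetime
import hashlib

# Constructed example: a secret the malware author embeds in the binary and
# that the C2 operator also holds. The seed, the label length and the TLD
# list are all assumptions for this illustration, not taken from any real family.
SEED = b"example-campaign-seed"
TLDS = ["com", "net", "org", "info"]
LABEL_LEN = 12


def generate_domains(day: str, count: int = 10, seed: bytes = SEED) -> list:
    """Derive `count` candidate rendezvous domains for one calendar day
    ("YYYY-MM-DD"). Implant and operator both run this; the operator
    registers one or two of the day's names, the implant tries them in order."""
    date = datetime.date.fromisoformat(day)   # rejects malformed dates
    domains = []
    for i in range(count):
        material = seed + date.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        # map the first LABEL_LEN digest bytes to lowercase letters
        # (b % 26 is slightly biased, which is fine for an illustration)
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start: str, days: int, count: int = 10) -> set:
    """Defender side: once the algorithm and seed are recovered from a sample,
    enumerate every name the implant could use over the next `days` days so
    they can be sinkholed or blocked in advance."""
    first = datetime.date.fromisoformat(start)
    names = set()
    for offset in range(days):
        day = (first + datetime.timedelta(days=offset)).isoformat()
        names.update(generate_domains(day, count))
    return names


if __name__ == "__main__":
    for d in generate_domains("2024-01-15", 5):
        print(d)
    print(len(precompute_blocklist("2024-01-15", 7)), "names for the next week")
```

The defender's advantage here is that the list is fully determined by the seed and the date, which is why reversing a sample's DGA is worth the effort: one piece of static analysis yields every rendezvous point the botnet will use.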
Malware detection names follow a naming convention. Microsoft's format is Type:Platform/Family.Variant!Suffix, and the breakdown is as follows:
1st part - the type: what kind of malware it is (trojan, worm, backdoor, ransom, and so on)
2nd part - the platform it runs on (for example Win32)
3rd part - the family the malware belongs to; families are determined by common characteristics or shared authorship
4th part - the variant, a sequential letter code (A, B, ... Z, AA, AB, ...) indicating the order in which detections for the family were created
5th part - informational suffix carrying additional detail about the detection, such as how it was made or, in some schemes, a fragment of the file's hash
Additional resource for malware naming conventions: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/malware-naming
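As an added example (my own, not taken from the course or from Microsoft's documentation), the block below parses names in the Type:Platform/Family.Variant!Suffix shape described above into their five parts, converts the sequential variant letters into an ordinal so variants can be compared, and checks whether two detections belong to the same family. The family "Example" and every detection name in the block are constructed for the illustration; the parser only handles letter-only variants.

```python
import re

# Shape of Microsoft's naming scheme: Type:Platform/Family.Variant!Suffix.
# The family "Example" and the names used below are constructed for this
# illustration, not real detections.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"              # 1st part: malware type
    r"(?P<platform>[A-Za-z0-9_]+)/"       # 2nd part: platform
    r"(?P<family>[A-Za-z0-9_]+)"          # 3rd part: family
    r"(?:\.(?P<variant>[A-Z]+))?"         # 4th part: sequential variant letters
    r"(?:!(?P<suffix>[A-Za-z0-9_.]+))?$"  # 5th part: informational suffix
)


def variant_to_number(variant: str) -> int:
    """Turn the sequential variant letters into their ordinal:
    A..Z -> 1..26, AA -> 27, AB -> 28, ... so variants can be ordered."""
    n = 0
    for ch in variant:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def parse_malware_name(name: str) -> dict:
    """Split a detection name into its five parts; raise on anything else."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Type:Platform/Family.Variant!Suffix name: {name!r}")
    parts = m.groupdict()
    parts["variant_number"] = variant_to_number(parts["variant"]) if parts["variant"] else None
    return parts


def is_valid_name(name: str) -> bool:
    return NAME_RE.match(name) is not None


def same_family(a: str, b: str) -> bool:
    """Two detections are the same family when platform and family match,
    regardless of type, variant or suffix (one family can carry both a
    Trojan and a Backdoor detection name)."""
    pa, pb = parse_malware_name(a), parse_malware_name(b)
    return (pa["platform"].lower(), pa["family"].lower()) == (pb["platform"].lower(), pb["family"].lower())


if __name__ == "__main__":
    print(parse_malware_name("Trojan:Win32/Example.AB!lnk"))
```

The ordinal conversion is what lets you say that variant .AF was created after .AE, or that .AA is newer than .Z, without trusting a plain string comparison (which would sort "AA" before "Z").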
Tools that were introduced this week include:
Cuckoo - an open-source automated sandbox: the malware is run in an isolated virtual machine and its file, registry, process and network activity is recorded
Process Monitor - Sysinternals tool that logs file system, registry, process and thread activity in real time, so you can see everything a running sample touches
Process Explorer - Sysinternals tool that shows the process tree and, for each process, its handles, loaded DLLs and threads
FakeNet - simulates network services (DNS, HTTP and so on) on the analysis machine so the malware believes it is online, letting you capture its traffic without ever reaching the real command and control server
AntiSpy - an anti-rootkit and system inspection tool used to track down malware hiding on a live system
FlyPaper - freezes processes to prevent them from exiting and releasing their memory, so unpacked code and injected threads remain available to be studied
Static analysis is a term for studying malware without executing it; instead the code and/or structure of the file is studied. Dynamic analysis is the opposite of static analysis: what the malware does is studied as it is running, typically on a goat machine with the tools above. There are a few levels of static analysis: string analysis (extracting readable text such as URLs, file paths, mutex names and registry keys), binary analysis (disassembling the executable), and source analysis (when source code is available).
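The following added example (mine, not from the course or the lab) ties the packer definition to string analysis. It runs a small `strings`-style extractor over a constructed fake binary that embeds the kind of indicators an analyst hopes to find (a C2 URL, a mutex name, a Run key), then over a copy wrapped by a toy packer (zlib compression followed by a single-byte XOR, a deliberate stand-in for a real packer). The indicators vanish from the packed copy and reappear only after unpacking, which is exactly why packed samples have to be unpacked (or run) before string analysis says anything useful. The payload bytes, URL, mutex and XOR key are all made up for the example.

```python
import re
import zlib


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of a binary, the way `strings` does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def toy_pack(payload: bytes, key: int) -> bytes:
    """Compress then XOR every byte with `key`: a deliberately simple stand-in
    for a real packer. A real one would also prepend an unpacking stub."""
    packed = bytes(b ^ key for b in zlib.compress(payload))
    return b"TOYPK" + bytes([key]) + packed


def toy_unpack(blob: bytes) -> bytes:
    """What the packer's stub does at runtime: restore the original code in memory."""
    if not blob.startswith(b"TOYPK"):
        raise ValueError("not a toy-packed blob")
    key = blob[5]
    return zlib.decompress(bytes(b ^ key for b in blob[6:]))


def strings_hidden_by_packing(payload: bytes, key: int) -> set:
    """Strings visible in the clear binary but absent from its packed form."""
    return set(extract_strings(payload)) - set(extract_strings(toy_pack(payload, key)))


# Constructed "binary": a fake header plus the kind of strings an analyst hopes
# to find (C2 URL, mutex, Run key). None of these are real indicators.
PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"http://c2.example.invalid/gate.php\x00"
    + b"Global\\ExampleMutex\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    packed = toy_pack(PAYLOAD, 0x5A)
    print("clear :", extract_strings(PAYLOAD))
    print("packed:", extract_strings(packed))
    print("unpacked matches original:", toy_unpack(packed) == PAYLOAD)
```

In the lab the equivalent step is dumping the process from memory after the real stub has run (Process Explorer and FlyPaper help keep that memory around) and running strings on the dump rather than on the file from disk.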
Forensic analysis
Lab:
I found this week's lab to be challenging but fun. I encountered many program freezes, which slowed me down. I had to revert to base frequently to get back to a functioning state. That said, it was fun to hunt around the VM and try various tools to see what data could be extracted about the malware. There were a few pieces of information that I wasn't able to get, but it was still fun to try.