A -very- detailed Guide about Web Malware

What is Malware?

Malware stands for “Malicious Software”, and it refers to a category of computer software that is written for malicious purposes causing harm to computer systems or networks.

History of Malware

The first PC virus ever made, dubbed “Brain”, was made by two Pakistani software engineers in 1986. It is an example of the Boot Sector Virus. Authors of “Brain” designed it to be a copyright protection software and didn’t intend for it to be used for malicious purposes, but it was an eye-opener for security researchers and major software vendors.

How Does Malware Spread?


Similar to human diseases, malware can spread and infect other target systems in many ways and methods. It’s a choice that is up to the malware author and it heavily depends on the reason of developing this particular malware. Some malware authors choose to make their malware as hidden as possible – just like in targeted attacks -, and some choose to cause as much noise as possible.

Some of the methods used by malware authors to further spread their malware are listed below:

1. Removable Media (USB Sticks and Hard Drives)

Some types of malware monitor the activity of USB ports and copy themselves to any USB drive that gets plugged into the computer. Next, when the same USB drive is plugged into another device, either it runs by itself with what is known as “autorun”, or an unsuspected user runs it intentionally or by mistake.

2. Network

Whether the network is wired or wireless, some malware types scan the local network and attempt to copy themselves into devices that allow unauthorized people to upload files e.g. FTP and NFS.

3. Email

Phishing emails have become increasingly threatening, and malware authors have taken notice of that. Unsuspecting victims could easily fall for an email with infected attachment files, leading to the infection of their systems.

4. Documents

Some malware types such as Macro Viruses hide and spread by embedding themselves in Word and Excel spreadsheet files. A historical example of this type of viruses is the Melissa Virus, which was first introduced in 1999. Whenever a user opens an infected Word document, the malicious macro infects the machine and sends itself to the first 50 contacts in the victim’s address book.

5. Websites

In order to infect the largest possible number of people, the most efficient way is to infiltrate a legitimate website and by abusing the website’s trust, an attacker uploads malicious code there and let people download and execute it. However, this method is extremely difficult and requires having access to the website.

Why Does Malware Exist?


Because malware authors come from different backgrounds and they have different agendas and causes, every malware acts in a different way and was made for a different purpose.

1. Destruction

A malware could be written just to cause irreparable harm to a target computer system.

2. Espionage

Spyware could be used by both good and bad guys, but they’re mostly used to monitor systems and steal valuable information from target systems. Not only used by individuals, but malware could also be developed by larger entities to take out the competition for example.

2. Monetization

a. Blackmail

A perfect example is a ransomware, where the victim’s files get encrypted and the user has to pay a certain amount of money for his files to be decrypted. Attackers mostly request cryptocurrency not cash to avoid getting tracked by authorities.

b. Mining

Crypto miners utilize the system’s resources to perform complex mathematical operations on a target machine, joining the attacker’s mining network as a worker in without the victim’s knowledge.

c. Ads

Adware forcefully instructs the target system to view and perhaps click on ads for the attacker’s benefit. Depending on the advertisement agency, each view or click equates to money, and it’s all for the benefit of the attackers.

d. Theft

Trojans such a Zeus, Ramnit and Neverquest are examples of Banking trojans that specifically target stealing banking information from a target computer system.

4. State-Sponsored malware

This type of malware is usually very sophisticated and is used in cyber wars between different nations and cyber armies. Some are designed to be merely a surveillance tool, some cause destruction and some actually steal data using covert channels. A good example is the 2010 Stuxnet malware that affected the Natanz nuclear plant in Iran.
Another example is the TRITON malware that was used in the Industrial Control System (ICS) based attacks. TRITON targets safety controllers in ICS systems, disabling them. This could lead to sabotaging these systems and potential loss of lives.

How Does Malware get Detected?


Malware can be detected using several techniques, and most anti-malware software use one or more of these techniques.

1. Malware Signature/Pattern

Every malware was ever discovered has a “signature”, which is a unique sequence of bytes (characters or numbers) to identify the malware. Think of it as the malware’s fingerprint. Every anti-malware vendor has its own signature database that is updated frequently.
YARA is a pattern-matching tool for malware analysis. It has a set of rules such as specific strings, file size and hashes to correlate with the target file. With the community’s support, there are thousands of YARA rules that can be viewed and imported to the engine.

2. Heuristic or Behavioral Analysis

In this technique, the anti-malware software analyzes the behaviour of the suspicious code or file, detecting some unusual activities such as writing to certain registry keys or altering specific system files. It is aimed towards detecting new variants of previously known malware.

Types of Malware

1. Virus

It’s the type of malware that was made for purposes of destruction with the ability to replicate. It usually inserts itself into a legitimate code or program, giving itself the ability to run concurrently with the legitimate program. In addition to the malicious effect, it attempts to spread further to other programs on the system.
When an anti-malware detects a virus, it attempts to disinfect the file and remove the malicious parts from the program’s code, restoring the original file.
There are many types of viruses, including, but not limited to:

a. Boot Sector Virus

It’s the type of virus that overwrites the MBR with malicious code, work on the BIOS level, and attempt to infect disks and storage media inserted into the system. They use DOS commands, and that’s why they’re rare to find and only present in extremely old legacy systems (Up to Windows 95).

b. File-infecting Virus

This type of virus infects program files, such as games, applications and utilities, focusing on the executable files rather than the non-executable files.

c. Stealth Virus

Stealth virus is designed to hide from the antivirus software. It spreads to a different file and replaces the old copy of the virus with a clean file, evading antivirus scanning techniques.
The problem with this type of virus is its prevalence, so if a stealth virus was detected, there is a good chance that it already has copied itself somewhere else in the system, and in this case, a full and deep system scan must be conducted by an antivirus.

d. Macro Virus

A macro virus is the type of viruses that abuses the macro functionalities in documents and spreadsheets. It gets embedded or inserted inside the macro code of word files and excel sheets. They have the ability to spread and infect other systems as well.
In addition to installing a suitable anti-malware software, a user shouldn’t open random files from strangers even if they were document files.

2. Trojan

Just like the Trojan War, where they used what is known as the Trojan Horse to hide soldiers inside this giant wooden horse in order to infiltrate the city, this type of malware behaves exactly like a trojan horse. It appears and gets falsely advertised as legitimate software, but it actually isn’t.
When an anti-malware software detects a trojan, there is no disinfection for it, as there is no legitimate software involved and the entire code or program is most likely malicious.

3. RAT

A RAT or a Remote Access Tool/Trojan is a tool developed for the purposes of implanting a backdoor on a target machine. They can be used for both legitimate and malicious purposes.
One of the most common RATs is the Darkcomet, which was developed by an independent programmer and was first observed in 2011 and is still considered one of the most popular RATs.

4. Web Shell

A web shell is a script that is uploaded into the target machine using a web server present on the same machine. It also uses the web server’s process to execute commands on the server, granting the attackers a backdoor to this system.
Similarly to RATs, a web shell could also be used by system administrators to perform administrative actions on their systems through a web interface.
In order to successfully run a web shell on a web server, attackers abuse functionalities such as Unrestricted File Upload, Remote File Inclusion or Local File Inclusion.
There are countless web shells available online for different web programming languages. Most of the shells were initially developed for PHP as it was the predominant web programming language. Some of the common web shells historically are R57, C99 and B374K.

5. Worm

A worm is like a virus in terms of replication and spreading, except that it doesn’t require human interaction to spread. It can replicate by itself. Worms are also similar to viruses when it comes to the damage done.
Their ability of self-replication is owed to various application and network vulnerabilities across different vendors. Code Red worm, for example, used a vulnerability in Microsoft IIS servers that allowed attackers to deface the websites and launch DDoS attacks against online networks, including one of the White House’s networks.

6. Rootkit

A rootkit is the type of malicious software that allows itself to perform functionalities that are not allowed for the regular user/program. It could also replace legitimate commands and functions with malicious ones. It could be using some privilege escalation techniques or exploits in the system that allows for gaining the highest access level possible.
It’s named after the highest level of user access on Unix systems, which is the Super User account “root”.
Its detection is difficult because having access to system-level functions allows you to manipulate detection programs and feed them false information. In addition, anti-rootkits require the same access level as a rootkit, so a malicious anti-rootkit program is able to do the same damage to a computer system as a rootkit.

7. Bootkit

It is similar to rootkits, but it has the possibility of writing itself to the MBR (Master Boot Record), allowing itself to persist on the victim machine even after a reboot. It is considered as the modern version of the Boot Sector Virus. In addition, it hides in the MBR to remain undetected, but Boot Sector Virus overwrites first bytes of the MBR with the virus code.

8. Exploit Kit

An exploit kit is the type of malware that scans the victim’s system for outdated software with known vulnerabilities and attempt to exploit them.
A user usually gets exploit kits from websites with malicious advertisements that redirect the user to a page that serves exploit kits.
In order to protect the system against exploit kits, all software installed on it must always be up-to-date.

9. Ransomware

A ransomware is a malware made for the purposes of blackmailing victims for their money. It encrypts their files with a key that is only known to the attacker and demands ransom from victims so they can their data back. We all have heard of WannaCry, right? WannaCry or WannaCryptor is an example of ransomware which was designed to encrypt all of your files and in order to decrypt them, you need to pay a certain amount of money in cryptocurrency (Bitcoin) as a ransom.
In order to spread further, WannaCry used an exploit that was released by Shadow Brokers hacking group which leaked some of the private and top-secret NSA exploits on April 2017. This exploit, dubbed ETERNALBLUE leveraged a vulnerability in the SMB v1 protocol on Windows, allowing an attacker to gain complete and unobstructed administrative access on the target server.

10. Keylogger

A keylogger monitors your keyboard input, records them and sends them back to the attacker. A keylogger could be a software or a hardware keylogger. A hardware keylogger is a device that is installed between the keyboard’s socket in the motherboard and the keyboard cord.
One way to mitigate keyloggers is to use a keyboard with an encryption feature, where the input is encrypted or scrambled so that only a certain piece of software on the device could understand. This way, keyloggers will only read scrambled data that doesn’t make any sense.

11. Cryptominer

The term Cryptocurrency refers to a new type of unregulated virtual currency that is decentralized. A prime example of a cryptocurrency is the Bitcoin. In order to be awarded bitcoins, you have to use your system resources to solve complicated math problems in a process called Mining.
Miners or cryptominers are the type of malware that infects a target system and utilizes its resources to mine for cryptocurrency in favour of the attacker.
One way to manually detect cryptocurrency miners is by observing the system resources, especially the CPU. In most cases, a miner takes more than 80% of the total computing power of a target system.

12. Logic Bomb

A logic bomb is a piece of software inserted to a legitimate program without having any conditions to be met with the intentions of performing a series of operations such as mass deletion of files, or an infinite loop of spawning processes, leading to the erasure of data or crashing the system. Two examples are The Zip Bomb and The Fork Bomb.
There is also the Billion Laughs Attack, which targets XML parsers on target computers. This attack includes a specially crafted XML file that processes an exponentially increased number of variables leading to exhaustion of the system resources, and in particular the RAM.

13. Grayware

Grayware refers to a class of applications that behave in a disruptive or annoying manner, but they’re less serious than other malware categories. They’re often harmless, but could be a method to deliver malicious software to the target system.

a. Adware

Adware is the type of malware that was designed for monetization purposes. After it infects the victim, it injects advertisements into his system, browser or website. Adware is generally harmless, but a user could download a trojan or a virus from one of the advertisement links.

b. Spyware

Spyware allows the attacker to gain access to a target system, monitor the activities on that system and steal data from the hard disk using a covert channel, sometimes without the victim’s consent.
Luckily for malicious attackers, some spyware are permitted legally to be sold and distributed in some countries. However, some countries require that you must have a legal cause to monitor someone’s activity, such as parental controls and/or police wiretapping.

Malware Terminology

1. Signature

A file’s signature is its fingerprint. It is a sequence of characters or numbers that identifies that file among other files. It could also refer to the checksum of the file, where the file is hashed using certain algorithms and the result would be a unique hexadecimal string that can’t be the same for different files.

2. Master Boot Record

The Master Boot Record or “MBR” is the first boot sector written on the hard drive which contains the instructions required to load the Operating System.

3. Vulnerability

A vulnerability is a weakness or a flaw in a computer software or system that makes the system behaves differently than intended. If a vulnerability is exploited by attackers with malicious intents, it could lead to a partial or complete compromise of the system or data inside it.

4. Botnet

A botnet or “robot network” is a collection of victim systems that has malware secretly installed on them. These systems are called “zombies” and are under the attacker’s control whenever they access the network.
Usually, attackers used the IRC channels as Command and Control (C&C) centres. Victim computers would then connect to the IRC channel automatically and listen for the attacker’s commands, which are mostly used to perform DDoS attacks on other live systems online.

5. Exploit

An exploit is a piece of software that takes advantage of a vulnerability or a flaw in the system in order to be used to access the vulnerable system.

6. Threat

A threat is an action that is likely to take an advantage of a vulnerability and cause damage to a computer system.

7. Zero-day Vulnerability

A zero-day or a 0-day vulnerability is a vulnerability that has been discovered in a software by a security researcher but hasn’t been yet reported to the software vendor.

8. n-day Vulnerability

It is a vulnerability which has been already reported to the vendor but hasn’t been fixed yet, where “n” is the number of days since the vulnerability was reported.

9. Risk

Risk is the potential for loss or damage caused by a threat actor.

Leave a Reply

Your email address will not be published. Required fields are marked *