
Attacks Using Malware

Malware is any software designed to damage or disrupt a computer system without the owner’s knowledge or permission. It gets in using a “threat vector” (like an email attachment or infected website) and then unleashes its payload – the actual harmful action.

Attacks Using Malware (Mutation)

Some malware is designed to change its code, making it harder to detect. We have three types:

  • Oligomorphic: Changes to a set of pre-defined variations. Think of it like having a few different costumes.
  • Polymorphic: Completely transforms its code each time it runs. A shapeshifter.
  • Metamorphic: Rewrites its own code entirely, looking completely different every time. A master of disguise.

Attacks Using Malware (Classification)

We can also classify malware based on its key characteristics:

  • Circulation: How quickly it spreads.
  • Infection: How it infiltrates a system.
  • Concealment: How well it hides itself.
  • Payload Capabilities: What harmful actions it performs.

Viruses

Viruses are malicious code that replicates itself on the same computer. They need a host file (program or document) to attach to. Infection methods include:

  • Appender: Attaches itself to the end of a file. Relatively easy to detect.
  • Swiss Cheese: Injects itself into the executable code. More difficult to detect due to code scrambling.
  • Split: Splits itself into multiple parts, scattered throughout the host. Harder to find.

Viruses primarily do two things:

  • Unleash their payload (the damage).
  • Reproduce themselves.

They don’t spread automatically to other computers; they rely on user actions (like opening an infected file).

Worms

Worms replicate themselves across networks, spreading independently without needing a host file like viruses. They actively seek out new victims on the network and can consume resources or deliver payloads.


Trojans

Trojans disguise themselves as legitimate software. You download something that seems harmless, but it secretly contains malicious code. They don’t replicate themselves like viruses or worms.


Rootkits

Rootkits are tools used to hide malware’s presence. They can manipulate system files and logs to conceal their activity, making it very difficult to detect. Essentially, they take control and mask what’s happening on the system.

Payload Capabilities

Malware payloads aim to: collect data, delete data, modify system security settings, or launch further attacks.

Collect Data

  • Spyware: Secretly collects information without your consent. Keyloggers are a type of spyware that records keystrokes (passwords, credit card numbers, etc.).
  • Adware: Displays unwanted ads and often tracks your online activity to sell this data to advertisers.
  • Ransomware: Encrypts your data and demands a ransom for its release. We’ll discuss recent examples.

Delete Data – Logic Bombs

Logic bombs are dormant code that activates when a specific condition is met (e.g., a date, a certain file being accessed). They’re hard to detect until they trigger.

Modify System Security – Backdoors

Backdoors provide attackers with secret access, bypassing normal security measures. They allow persistent access even after the initial attack.

Botnets

Zombies are infected computers under an attacker’s remote control. A botnet is a network of these zombies, controlled by a “bot herder,” used to launch large-scale attacks. Command and control (C&C) structures use protocols like HTTP to communicate instructions.

Social Engineering Attacks

Social engineering exploits human psychology to trick individuals into revealing information or taking actions that compromise security.

  • Psychological Approaches: Building trust and using subtle manipulation techniques.
  • Impersonation: Pretending to be someone else (IT support, a manager, etc.).
  • Phishing: Deceptive emails or websites designed to steal credentials. Variations include: Pharming (redirecting to fake websites), spear phishing (targeting specific individuals), whaling (targeting high-profile individuals), and vishing (voice phishing).
  • Spam: Unsolicited emails, often carrying malware. Image spam uses images to evade filters.
  • Hoaxes: False warnings, often manipulating victims into making system changes that compromise security.
  • Typo Squatting: Registering domain names similar to legitimate sites to capture traffic from typos.
  • Watering Hole Attacks: Targeting a specific group of users who visit the same website.
  • Physical Procedures: Dumpster diving, tailgating, shoulder surfing.
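Typo squatting can be screened for on the defender's side by comparing newly observed domain names against a brand's domain with an edit distance that also counts swapped letters, after folding common lookalike substitutions. This is an added example written for these notes, not course code; the brand, candidate domains and the simple "second label is the brand" rule are assumptions for the example.

```python
# Constructed inputs: a brand domain and newly seen domains to screen.
BRAND_DOMAIN = "example.com"
CANDIDATES = ["example.com", "exampel.com", "examp1e.com",
              "exarnple.com", "examples.com", "unrelated.com"]

# Lookalike substitutions to fold before comparing (heuristic, can over-match).
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def normalize(label):
    """Fold homoglyph-style substitutions so 'examp1e' compares as 'example'."""
    label = label.lower()
    for fake, real in LOOKALIKES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or
    transpose adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def second_level(domain):
    """Assumed rule: the registrable label is the second-to-last one
    ('example' for 'www.example.com'); public-suffix lists are not consulted."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_typosquats(brand_domain, candidates, max_distance=1):
    """Return candidates whose label is within max_distance of the brand."""
    brand = normalize(second_level(brand_domain))
    hits = []
    for domain in candidates:
        label = second_level(domain)
        if label == second_level(brand_domain):
            continue  # the brand's own domain is not a squat
        if edit_distance(normalize(label), brand) <= max_distance:
            hits.append(domain)
    return hits
```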

Submissions

Submit your work through the ‘Assessment 1 Practical Lab Work’ before you leave the class.


Malware Types: Characteristics and Behaviors Summary

Each entry lists what the malware does, how it spreads, its key features/behaviors, and its detection difficulty.

Virus
  • What it does: Attaches to host files, replicates on the same computer, unleashes a payload.
  • How it spreads: Through infected files (e.g., email attachments, infected media). User action required to execute the infected file.
  • Key features/behaviors: Appender, Swiss Cheese, Split variations. Does not spread across networks independently.
  • Detection difficulty: Relatively easy to detect (appenders), more difficult with code scrambling (Swiss Cheese, Split).

Worm
  • What it does: Replicates across networks independently, consuming resources and delivering payloads.
  • How it spreads: Exploits network vulnerabilities to spread autonomously. Doesn’t require user interaction after initial infection.
  • Key features/behaviors: Actively searches for new targets. Can cause network congestion and denial of service.
  • Detection difficulty: Can be more challenging to detect due to rapid spread and network-based propagation.

Trojan
  • What it does: Disguises itself as legitimate software, delivering malicious payloads.
  • How it spreads: Often downloaded through deceptive methods (e.g., fake software updates, malicious ads). Requires user interaction to install.
  • Key features/behaviors: Doesn’t replicate itself like viruses or worms. Payload varies widely.
  • Detection difficulty: Difficult to detect if disguised effectively; relies on user vigilance.

Rootkit
  • What it does: Hides malware’s presence by manipulating system files and logs.
  • How it spreads: Often installed alongside other malware or through exploits. Can be pre-installed on devices.
  • Key features/behaviors: Provides persistent access. Makes detection and removal very challenging.
  • Detection difficulty: Very difficult to detect; requires specialized tools and techniques.

Spyware
  • What it does: Secretly collects information (keystrokes, browsing history, etc.) without user consent.
  • How it spreads: Bundled with other software, through malicious websites, or drive-by downloads.
  • Key features/behaviors: Keyloggers are a common type. Data is often sent to a remote server.
  • Detection difficulty: Can be difficult to detect; often requires monitoring system activity and network traffic.

Adware
  • What it does: Displays unwanted ads and tracks online activity for targeted advertising.
  • How it spreads: Similar to spyware – bundled software, malicious websites, etc.
  • Key features/behaviors: Can significantly slow down system performance. Privacy concerns due to data tracking.
  • Detection difficulty: Relatively easy to detect, but often difficult to completely remove.

Ransomware
  • What it does: Encrypts data and demands a ransom for its release.
  • How it spreads: Phishing emails, malicious websites, exploit kits, etc.
  • Key features/behaviors: Varies widely in encryption methods and ransom demands.
  • Detection difficulty: Detection depends on identifying suspicious encryption activity or ransom notes.

Logic Bomb
  • What it does: Dormant code that activates when a specific condition is met.
  • How it spreads: Pre-installed or delivered via other malware.
  • Key features/behaviors: Difficult to detect until triggered. Payload can vary widely.
  • Detection difficulty: Extremely difficult to detect proactively; often discovered only after activation.

Backdoor
  • What it does: Provides attackers with persistent, secret access to a system.
  • How it spreads: Often installed by other malware or through exploits.
  • Key features/behaviors: Bypasses normal authentication and authorization mechanisms.
  • Detection difficulty: Requires specialized tools and network monitoring to detect.

Botnet (Zombie)
  • What it does: Infected computer controlled remotely by an attacker.
  • How it spreads: Often infected through malware (Trojans, worms).
  • Key features/behaviors: Part of a larger network of compromised machines (botnet). Used for DDoS attacks, spam, etc.
  • Detection difficulty: Difficult to detect individual zombies; detecting the entire botnet requires advanced techniques.

Note: This table provides a general overview. The specific characteristics and behaviors of malware can vary significantly depending on the specific type and implementation. Furthermore, malware often combines multiple characteristics (e.g., a Trojan that also includes a rootkit component).