CS 373

Defense Against the Dark Arts

Basics of Malware

Nathan Shepherd

02 Jul 2018

Topics

  • Threat Modeling
  • Malware Types
  • Virtual Machines
  • Analysis Techniques

Lecture

In the lectures this week I learned about basic malware classifications and analysis techniques. The first lecture was mainly a review for me, from the Intro to Security course, but over the week I still learned quite a bit and solidified some other topics.

I learned about varying degrees of malware, from viruses and worms to PUPs, or Potentially Unwanted Programs. Viruses can be parasitic or polymorphic, or take the form of worms. I didn’t know about trojans, which are programs that present themselves as other, legitimate programs. This makes it more likely that victims will download and install them. There are also PUPs, which are often bundled with other programs and installed unless a pre-checked box is cleared. They are mostly harmless, but are specifically aimed at mining data. The majority of malware is copied and altered, or combined with other malware, to attack different systems. People writing malware are often after a large group rather than a single individual or company, so the most widely used malware is cobbled together on the cheap, it would seem. High-powered malware is custom-built and directed at specific exploits and targets. This sort of attack is rare because writing custom malware, which can be far more complex, takes a lot of work. Another reason most malware is cobbled together is that the biggest infection vector is still the user, and high-powered malware isn’t needed to take out a large crowd.

Malware Vocabulary:

  • White: A clean, harmless program
  • Black: Dangerous and unwanted
  • Gray: Unknown; not yet classified as white or black
  • Sample: A collected piece of malware
  • Goat: Sacrificial system, to be infected and corrupted during analysis
  • Honeypot: A deliberately exposed system left sitting to collect malware
  • Replication:
  • Hash: A cryptographic hash (such as MD5) used to identify and refer to malware samples

Along with the vocabulary, I learned that malware can be VM aware, detecting a virtual machine by looking at different system features. I’m guessing that this is one of the reasons that we also need goats, as a goat would just be sacrificed. In the anti-malware business, I learned that false positives are absolutely to be avoided. This came as a surprise, because I would have wrongly assumed it was okay to catch a few benign programs in the net, so long as all of the dangerous ones were caught. The issue comes from halting a program that is executing innocently. This can cause great trouble, especially in critical systems.
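The lecture’s point that malware can be VM aware by looking at system features, shown as an added example (this is not code from the lecture or the lab). It scores already-collected host artifacts against well-known hypervisor indicators: vendor MAC prefixes, DMI/SMBIOS product strings, and guest-tools process names. The indicator tables and the two host profiles are constructed for the example; a real sample would read these values from the OS (registry, WMI, /sys) instead of from a dict.

```python
"""Score host artifacts against hypervisor indicators (added example)."""
from dataclasses import dataclass, field

# IEEE OUI prefixes registered to hypervisor vendors (lower-case, first 3 octets).
VM_MAC_PREFIXES = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Substrings that appear in DMI/SMBIOS product or vendor strings of common guests.
VM_DMI_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "virtual machine": "Hyper-V",
    "kvm": "KVM",
    "qemu": "QEMU",
}

# Guest-tools processes that only exist inside a VM (lower-case image names).
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware", "vmwaretray.exe": "VMware",
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
}


@dataclass
class VmVerdict:
    """Every matched indicator, so the analyst knows what to disguise on the goat."""
    hits: list = field(default_factory=list)

    @property
    def is_vm(self) -> bool:
        return len(self.hits) > 0


def score_host(artifacts: dict) -> VmVerdict:
    """artifacts keys: 'macs' (list[str]), 'dmi_product' (str), 'processes' (list[str])."""
    verdict = VmVerdict()
    for mac in artifacts.get("macs", []):
        prefix = mac.lower()[:8]
        if prefix in VM_MAC_PREFIXES:
            verdict.hits.append(f"mac {mac} -> {VM_MAC_PREFIXES[prefix]}")
    product = artifacts.get("dmi_product", "")
    for marker, vendor in VM_DMI_MARKERS.items():
        if marker in product.lower():
            verdict.hits.append(f"dmi '{product}' -> {vendor}")
    for proc in artifacts.get("processes", []):
        vendor = VM_PROCESSES.get(proc.lower())
        if vendor:
            verdict.hits.append(f"process {proc} -> {vendor}")
    return verdict


# Constructed host profiles: an undisguised VirtualBox goat and a bare-metal laptop.
GOAT_VM = {
    "macs": ["08:00:27:4e:66:a1"],
    "dmi_product": "VirtualBox",
    "processes": ["explorer.exe", "VBoxService.exe"],
}
BARE_METAL = {
    "macs": ["3c:52:82:1a:bb:09"],
    "dmi_product": "ThinkPad T480",
    "processes": ["explorer.exe"],
}

if __name__ == "__main__":
    for label, host in (("goat", GOAT_VM), ("bare metal", BARE_METAL)):
        v = score_host(host)
        print(f"{label}: is_vm={v.is_vm}", *v.hits, sep="\n  ")
```

Each hit is one feature an analyst would change on the goat (spoof the MAC, edit the DMI strings, rename or drop the guest tools) before expecting a VM-aware sample to detonate.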

Naming Conventions

In the lectures I also learned about the naming conventions of malware.

  Type     Platform   Family    Variant   MD5 segment
  Trojan:  Win32/     Revaton   .T        !Ink

Put together, the full name reads Trojan:Win32/Revaton.T!Ink.

This is not, however, universal, so there is some variation between vendors. Knowing the MD5 you can also look up the sample in databases such as VirusTotal.
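A parser for the Type:Platform/Family.Variant!Suffix layout shown above, as an added example (not code from the lecture). It accepts the lecture’s sample name, treats the variant and suffix parts as optional, and rejects anything else rather than guessing, since other vendors lay their names out differently. The second detection name used below is constructed for the example.

```python
"""Parse detection names of the form Type:Platform/Family.Variant!Suffix (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Variant and suffix are optional; unknown layouts fail loudly instead of being mis-split.
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"
    r"(?P<platform>[A-Za-z0-9_]+)/"
    r"(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<suffix>[A-Za-z0-9_.]+))?$"
)


@dataclass(frozen=True)
class MalwareName:
    type: str
    platform: str
    family: str
    variant: Optional[str]
    suffix: Optional[str]


def parse_name(name: str) -> MalwareName:
    """Split a detection name into its fields, or raise ValueError for other layouts."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not in Type:Platform/Family.Variant!Suffix form: {name!r}")
    return MalwareName(**m.groupdict())


def same_family(a: str, b: str) -> bool:
    """True when two detection names refer to the same family on the same platform."""
    pa, pb = parse_name(a), parse_name(b)
    return (pa.type, pa.platform, pa.family) == (pb.type, pb.platform, pb.family)


if __name__ == "__main__":
    print(parse_name("Trojan:Win32/Revaton.T!Ink"))
    # Constructed name: a PUP with no variant or suffix.
    print(parse_name("PUA:Win32/ExampleFamily"))
    print(same_family("Trojan:Win32/Revaton.T!Ink", "Trojan:Win32/Revaton.A"))
```

The `same_family` helper is the practical use: two samples with different variant letters and different hashes are still the same family, which is what you want to group on when triaging a pile of detections.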

I also learned about transporting malware. In transit, a sample is zipped with the password “infected”, which stops anti-malware scanners along the way from quarantining the archive before it reaches the analyst. An additional protection is to change the extension, so that the sample cannot be accidentally executed by a double-click.

Many different tools are used in the analysis of malware. Hex editors and debuggers are necessary, but a VM is also very helpful. Virtual machines can take snapshots, which can be reverted to and compared against. This makes it possible to run devastating malware on your computer multiple times. Sometimes, however, just running the program isn’t enough. Another definition I learned was Advanced Persistent Threat. This describes an organized, determined and targeted cyber attack with specific actors, motives, and goals. The attackers are often company competitors, malicious insiders or enemy nations. Motives are often revenge or money. The goals can be anything from planting targeted competitive ads to destroying nuclear enrichment facilities. Threat modeling was also covered, but I learned most of that in my intro to security course.
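The snapshot-and-compare idea above, carried out at the file-system level as an added example (not code from the lecture or the lab). It hashes every file under a directory before and after a run and reports what was added, removed, or modified. Comparing content hashes rather than timestamps means a sample that resets file times is still caught. The goat directory contents and the simulated changes (a hosts-file entry pointing a bank hostname at a TEST-NET address, a dropped binary, a deleted file) are constructed for the example and are not a description of the lab’s malware.

```python
"""Snapshot a directory tree and diff two snapshots (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return manifest


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as added, removed, or modified between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: a goat directory before and after a simulated payload runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("clean\n")
        before = snapshot(root)

        # Simulated infection (constructed): hosts hijack, dropped binary, deleted file.
        # 203.0.113.10 is a documentation-only TEST-NET address.
        (root / "system32" / "hosts").write_text(
            "127.0.0.1 localhost\n203.0.113.10 bank.example\n"
        )
        (root / "system32" / "dropper.exe").write_bytes(b"MZ\x90\x00")
        (root / "readme.txt").unlink()
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you run `snapshot` against the goat’s mounted disk image from the clean VM snapshot and again after detonation; the `modified` list is where persistence edits (hosts file, startup entries) show up, and `added` is where dropped payloads land.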

Lab

For the lab this week we analyzed a specific Windows malware. This malware was used in Korea, against banks. It rerouted user traffic from bank websites to an unencrypted server, so that the attacker could steal bank information. The specifics are in my lab writeup, but here I will talk about what I learned. From this lab I was initially taken aback at how incapable I am on the Windows system. I use my Mac for school work, but, having a Windows computer at home, I assumed I knew at least a little as far as the OS goes. Apparently I was wrong. After fumbling around in the command prompt I reverted to using the supplied tools, which made it possible to track the files and alterations.

With some difficulty I was able to find the methods responsible, and started to understand the attack. Without the hints provided, though, I’m sure it would have taken much longer. At one point I spent an hour scrolling through a list of processes. At the end, although tired, I felt accomplished. It has been a little while since I got into the internals of a computer, and it was fun. I later found that I could filter. Of course.