Malware is an abbreviated term meaning “malicious software.” This is software that is specifically designed to gain access or damage a computer without the knowledge of the owner. There are various types of malware including spyware, keyloggers, true viruses, worms, or any type of malicious code that infiltrates a computer. Generally, software is considered malware based on the intent of the creator rather than its actual features. Malware creation is on the rise due to the sheer volume of new types created daily and the lure of money that can be made through organized internet crime. Malware was originally created as experiments and pranks, but eventually led to vandalism and destruction of targeted machines. Today, much of malware is created for profit through forced advertising (adware), stealing sensitive information (spyware), spreading email spam or child pornography (zombie computers), or to extort money (ransomware).
Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, as for example Regin, or it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker). ‘Malware’ is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. As of 2011 the majority of active malware threats were worms or trojans rather than viruses.
Many early infectious programs, including the first Internet Worm, were written as experiments or pranks. Today, malware is used by both black hat hackers and governments, to steal personal, financial, or business information.
Malware is sometimes used broadly against government or corporate websites to gather guarded information, or to disrupt their operation in general. However, malware is often used against individuals to gain information such as personal identification numbers or details, bank or credit card numbers, and passwords. Left unguarded, personal and networked computers can be at considerable risk against these threats. (These are most frequently defended against by various types of firewall, anti-virus software, and network hardware).
Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. Since 2003, the majority of widespread viruses and worms have been designed to take control of users’ computers for illicit purposes. Infected “zombie computers” are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Programs designed to monitor users’ web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues are called spyware. Spyware programs do not spread like viruses; instead they are generally installed by exploiting security holes. They can also be packaged together with user-installed software, such as peer-to-peer applications.
Ransomware affects an infected computer in some way, and demands payment to reverse the damage. For example, programs such as CryptoLocker encrypt files securely, and only decrypt them on payment of a substantial sum of money.
Some malware is used to generate money by click fraud, making it appear that the computer user has clicked an advertising link on a site, generating a payment from the advertiser. It was estimated in 2012 that about 60 to 70% of all active malware used some kind of click fraud, and 22% of all ad-clicks were fraudulent.
Malware is usually used for criminal purposes, but can be used for sabotage, often without direct benefit to the perpetrators. One example of sabotage was Stuxnet, used to destroy very specific industrial equipment. There have been politically motivated attacks that have spread over and shut down large computer networks, including massive deletion of files and corruption of master boot records, described as “computer killing”. Such attacks were made on Sony Pictures Entertainment (25 November 2014, using malware known as Shamoon or W32.Disttrack) and Saudi Aramco (August 2012).
Viruses and Worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any specific types of behavior. The term computer virus is used for a program that embeds itself in some other executable software (including the operating system itself) on the target system without the user’s consent and when that is run causes the virus to spread to other executables. On the other hand, a worm is a stand-alone malware program that actively transmits itself over a network to infect other computers. These definitions lead to the observation that a virus requires the user to run an infected program or operating system for the virus to spread, whereas a worm spreads itself.
Concealed Malware
These categories are not mutually exclusive, so malware may use multiple techniques. This section only applies to malware designed to operate undetected, not sabotage and ransomware.
Viruses – A computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files, and that usually performs a malicious action (such as destroying data).
Virus is essentially a piece of software that is capable of infecting other programs by self-replicating and modifying the OS or the application’s portable executable (PE) files. This modification includes a copy of the virus program, which propagates to infect other programs in other hosts or devices. In a manner similar to that employed in biological viruses, a computer virus carries within its instruction code, the recipe for replicating itself. Once a virus is executed, it can perform any function, e.g., download files and execute programs.
The virus may progress from dormancy, where it lies in wait of a triggering event, to either propagation where it uses exploits for replication to other hosts, or to an event that causes it to execute a payload that may include information stealing.
Trojan Horses – For a malicious program to accomplish its goals, it must be able to run without being detected, shut down, or deleted. When a malicious program is disguised as something normal or desirable, users may unwittingly install it. This is the technique of the Trojan horse or trojan. In broad terms, a Trojan horse is any program that invites the user to run it, concealing harmful or malicious executable code of any description. The code may take effect immediately and can lead to many undesirable effects, such as encrypting the user’s files or downloading and implementing further malicious functionality.
In the case of some spyware, adware, etc. the supplier may require the user to acknowledge or accept its installation, describing its behavior in loose terms that may easily be misunderstood or ignored, with the intention of deceiving the user into installing it without the supplier technically in breach of the law.
Rootkits – Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection. Software packages known as rootkits allow this concealment, by modifying the host’s operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system’s list of processes, or keep its files from being read.
Some malicious programs contain routines to defend against removal, not merely to hide themselves. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing system:
Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently stopped program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
A rootkit typically includes a sniffer to record user passwords. It creates a hidden directory, e.g., /dev/.lib./usr/src/.poop and the like, and often uses invisible characters in a directory name. Hacked binaries are installed for system programs such as netstat, ps, lsdu, and login, and the attacker’s processes, files or network connections avoid detection when standard UNIX commands are being run. Furthermore, the modified binaries have the same checksum as the original ones.
There are several types of Rootkits as
- User-mode Rootkits involve a system for hooking the user or application space in such a way that whenever an application makes a system call, the predetermined path of the system’s execution permits a Windows Rootkit to hijack the system call at many points along the path. One of the most common user mode techniques is the in-memory modification of the system Dynamic Link Libraries (DLLs).
- Kernel-mode Rootkits involve system hooking or modification in kernel memory space in order to avoid detection. For example, one can view the active processes in an OS to detect a malicious process. A rootkit wants to avoid detection using methods that can produce false information. As a system call’s execution path leaves user mode and enters kernel mode, it must pass through a gate that prevents the user mode code from accessing kernel mode space. Only the super-user or equivalent process can access the kernel.
- The Master Boot Record (MBR) Rootkit, as the name implies, infects the computer’s master boot record. The Rootkit installs itself on the first sector of the user’s disk and then modifies other sectors. The code runs before a PC boots up using Windows XP/7/Vista or any OS and fully controls the boot process. Since a MBR rootkit, such as Mebroot, loads prior to anything else and is nearly invisible to security software, once the machine is infected, the hacker controlling the Rootkit has complete control of the victim’s machine.
Backdoors – A backdoor is a method of bypassing normal authentication procedures, usually over a connection to a network such as the Internet. Once a system has been compromised, one or more backdoors may be installed in order to allow access in the future, invisibly to the user.
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. It was reported in 2014 that US government agencies had been diverting computers purchased by those considered “targets” to secret workshops where software or hardware permitting remote access by the agency was installed, considered to be among the most productive operations to obtain access to networks around the world. Backdoors may be installed by Trojan horses, worms, implants, or other methods.
Evasion
Since the beginning of 2015, a sizable portion of malware utilizes a combination of many techniques designed to avoid detection and analysis.
The most common evasion technique is when the malware evades analysis and detection by fingerprinting the environment when executed.
The second most common evasion technique is confusing automated tools’ detection methods. This allows malware to avoid detection by technologies such as signature-based antivirus software by changing the server used by the malware.
The third most common evasion technique is timing-based evasion. This is when malware runs at certain times or following certain actions taken by the user, so it executes during certain vulnerable periods, such as during the boot process, while remaining dormant the rest of the time.
The fourth most common evasion technique is done by obfuscating internal data so that automated tools do not detect the malware.
Malware, including viruses, mutate in a disguised mechanism in an effort to evade detection. The obfuscation techniques of polymorphism and metamorphism are used to change the form of each instance of software in order to evade pattern matching, i.e., signature detection. Malware may change itself every time it replicates. Obfuscation techniques, including entry point obfuscation (EPO), polymorphism and metamorphism, are used by malware to avoid detection and analysis. Polymorphism relies on changing the encryption/decryption routine. The malware employs a very large pool of encryption/decryption routines and thus is much harder to detect using signatures. This high number of encryption/decryption routines is delivered using a mutation engine. Metamorphism changes the virus body while performing the same task using equivalent functions (or code). This technique includes such things as changing the sequence of codes, and inserting unneeded functions (or code).
- Executable packing/compression – It is also frequently used to deter reverse engineering or to obfuscate the contents of the executable. A software vendor wants to protect their code from reverse engineering, while hackers want to hide the presence of malware from anti-malware scanners through the use of proprietary packing methods and/or added encryption. There are free, open-source executable packers, such as UPX, that are widely used by hackers. UPX supports Windows Portable Executable (PE) file format, DOS executables, and the Executable and Linkable Format (ELF). ELF is widely used in UNIX, Linux and embedded systems, whereas the old UNIX format is a.out.
- Entry Point Obfuscation (EPO) – It is a type of malware randomly changes a location in the host code rather than changing the headers (PE headers in Windows) so that the entry point of the malware is hidden in a host program file. Embedding the call/jump to the malware code deep within a target executable prevents tracing the execution path of an EPO-infected file but provides no guarantee that the virus code itself will ever be called. It relies on call hooking or call inserting to transfer the execution to the malware code in a host code. The control is transferred back to the host program after the malware execution is complete. EPO disables the static detection method of malware, since it removes the ability of a scanner to trace within the virus code with any guarantee. In other words, the scanner is unable to detect its exact location in order to emulate it. It is also very difficult to clean up an infected host due to the modifications to the host programs that is performed by the malware.
- Polymorphic Malware – Common methods in polymorphism include encryption, and junk instruction insertions. By inserting various garbage loops and commands between normal program instructions, the modified program will always look different. Encrypted malwares contain a decryptor , followed by the encrypted malware body. These malwares are relatively easy to detect if the decryptor is constant. In order to accomplish obfuscation, polymorphism would randomly insert so-called “junk” instructions into its decryptor. Instructions such as clc, nop and unused register manipulations were all part of it. These low-level assembler mnemonics would change the size and appearance of the code, but not its overall function. The end result was an effective decryptor mutation in every generation of the malware that eschewed pattern recognition
- Metamorphic Malware – It is capable of automatically recoding itself each time it propagates to a new host. The basic idea of metamorphism is that each successive generation of a malware changes the syntax while leaving the semantics almost unchanged in order to foil signature-based detection systems. Software can be classified as good or bad metaphoric. “Good” metamorphic software can mitigate buffer overflow attacks, while “bad” metaphoric software is capable of avoiding malware signature detection. A malware is metaphoric in that each copy has a different signature, the same detection does not work on every replicated malware, and it is analogous to genetic diversity in biology. Metamorphism allows malware to extract the semantics of its own code in order to determine its behavior model. Next, the malware applies obfuscation transformations to this model in order to produce a code as different as possible from its parent code, while maintaining the same behavior.
Zeus Malware
The botnet created by the Zeus Trojan certainly lived up to its mythological name during 2009 by infecting nearly 4 million computers worldwide. The package contains a builder that can generate a bot executable and web server files, e.g., PHP, images and SQL templates, for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is stealing online credentials such as banking information and passwords. The Zeus (or Zbot) is a set of data-stealing Trojans that spreads through email phishing attacks as well as drive-by downloads, in which case the malware infects a user’s computer when visiting a webpage. The Zeus malware monitors for signs that a user is logging in to an account, such as a bank account or webmail, and then collects the necessary authentication credentials and passes them to the botmaster. Zeus has evolved over time and includes a full arsenal of information stealing capabilities. For example it steals
- Data submitted in HTTP forms
- Account credentials stored in the Windows Protected Storage
- Client-side X.509 public key infrastructure (PKI) certificates
- FTP and POP account credentials
- And it deletes HTTP and Flash cookies
Zeus modifies the HTML pages of target websites in order to steal information by utilizing HTML injection techniques. In particular, these threats inject additional HTML into legitimate pages that request the user to input credential information not actually required by the financial website, or HTML content in order to defeat client-side security techniques. Sample web injections are provided in the Zeus package and are defined in the configuration file. It can redirect victims from targeted web pages to attacker controlled areas. After successfully transferring money from an account, Zeus deletes crucial registry keys, rendering the computer unable to boot into Windows in order to slow down both the detection and fraud report by a suspicious user as well as the forensics collection process. Zeus is the first major botnet to exploit a PDF’s Launch feature which, although not a security vulnerability, is a function of an Adobe specification. A Zeus variant uses a malicious PDF file that embeds the attack code in the document. When users open the rogue PDF file, they are asked to save a PDF file, which is nothing more than a Windows executable that installs a Trojan.
