Notes from CPNT-250 course at SAIT.

Malware = Malicious Software

It is used to:

Malware types:

Logic Bombs

Special code that releases a payload whenever a trigger condition is fulfilled.

crash_computer if DateTime.now.friday?

Trojan Horses

Malware that appears to perform a desirable function but performs undisclosed malicious functions that ultimately may allow unauthorized access to the victim computer.

Backdoor

Mechanism to bypass security checks. Remote administration tool.

allow_login if username == "l33t.h4ck0r"

Viruses

Is a type of malware that tries to replicate into other executable programs.

Worms

A self-replicating computer program. It uses the network to send copies of itself to other nodes, without any user intervention, relying on security failures on the target computer to gain access. It does not need to attach itself to an existing program. Worms almost always cause harm to the network.

Rabbits/Bacteria

Name comes from the idea of quick multiplication. Program consumes all of some system resource. There is usually just one rabbit “hopping” around a network.

Spyware

Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data and/or network traffic, or by scanning files on the system for sensitive information. Aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent.

Keyloggers

Captures keystrokes on compromised systems.

Rootkits

Malicious code designed to hide the existence of other code. Usually paired with other malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect.

Adware

Advertising that is integrated into software. Automatically renders advertisements in order to generate revenue for its author.

Other

Zombies or bots are programs that can be activated on an infected machine, allowing the attacker to perform tasks without the user's knowledge, including attacks on other machines.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. It could be used to send spam email or participate in distributed denial-of-service attacks.

A downloader is malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system.

Information-stealing malware collects information from a victim's computer and usually sends it to the attacker.

Scareware is malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an antivirus or other security program.

Analysis

Two approaches to malware analysis.

VirusTotal

Allows you to upload a file for scanning by multiple antivirus engines. VirusTotal generates a report that provides the total number of engines that marked the file as malicious, the malware name, and additional information.

Using objdump

answer.c:

#include <stdio.h>

/* Small function whose return value (0x2a = 42) is easy to spot in a disassembly. */
int ultimate_question() {
  return 0x2a;
}

int main() {
  printf("The answer is %d\n", ultimate_question());
  return 0;
}

$ gcc answer.c
$ ./a.out
The answer is 42
$ objdump -d a.out > answer.dump
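The dump produced by the last command is plain text, and a first static-analysis pass usually means splitting it into functions, recovering which function calls which, and reading off constants. The script below is an added example (not part of the course notes) that does exactly that for the answer.c binary. It assumes the x86-64 AT&T syntax that GNU objdump prints by default; the embedded dump is a constructed sample modelled on `objdump -d a.out` for answer.c, with illustrative addresses and encodings, not output captured from the notes.

```python
"""Parse `objdump -d` output into functions, a call graph and immediates.

Added example, not from the CPNT-250 notes. Assumes GNU objdump output in
x86-64 AT&T syntax. SAMPLE_DUMP is a constructed snippet modelled on the
disassembly of answer.c; addresses and byte encodings are illustrative.
"""
import re
from collections import namedtuple

# Constructed sample of `objdump -d a.out` (spacing simplified; real objdump uses tabs).
SAMPLE_DUMP = """
a.out:     file format elf64-x86-64

Disassembly of section .plt.sec:

0000000000001060 <printf@plt>:
    1060:  f3 0f 1e fa             endbr64
    1064:  f2 ff 25 5d 2f 00 00    bnd jmp *0x2f5d(%rip)        # 3fc8 <printf@GLIBC_2.2.5>

Disassembly of section .text:

0000000000001139 <ultimate_question>:
    1139:  f3 0f 1e fa             endbr64
    113d:  55                      push   %rbp
    113e:  48 89 e5                mov    %rsp,%rbp
    1141:  b8 2a 00 00 00          mov    $0x2a,%eax
    1146:  5d                      pop    %rbp
    1147:  c3                      ret

0000000000001148 <main>:
    1148:  f3 0f 1e fa             endbr64
    114c:  55                      push   %rbp
    114d:  48 89 e5                mov    %rsp,%rbp
    1150:  b8 00 00 00 00          mov    $0x0,%eax
    1155:  e8 df ff ff ff          call   1139 <ultimate_question>
    115a:  89 c6                   mov    %eax,%esi
    115c:  48 8d 05 a1 0e 00 00    lea    0xea1(%rip),%rax        # 2004 <_IO_stdin_used+0x4>
    1163:  48 89 c7                mov    %rax,%rdi
    1166:  b8 00 00 00 00          mov    $0x0,%eax
    116b:  e8 f0 fe ff ff          call   1060 <printf@plt>
    1170:  b8 00 00 00 00          mov    $0x0,%eax
    1175:  5d                      pop    %rbp
    1176:  c3                      ret
"""

# "0000000000001139 <ultimate_question>:" starts a new function.
FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
# "    1141:  b8 2a 00 00 00   mov    $0x2a,%eax"  -> address, bytes, mnemonic, operands
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S+)\s*(.*?)\s*$")
# symbolic call target inside "<...>", dropping any "+0x.." offset
CALL_TARGET_RE = re.compile(r"<([^>+]+)")
# immediate source operand of a mov, e.g. "$0x2a,%eax"
IMM_RE = re.compile(r"^\$0x([0-9a-f]+),")

Instruction = namedtuple("Instruction", "addr mnemonic operands")


def parse_objdump(text):
    """Return {function_name: [Instruction, ...]} in the order the dump lists them."""
    functions = {}
    current = None
    for line in text.splitlines():
        header = FUNC_RE.match(line)
        if header:
            current = header.group(2)
            functions[current] = []
            continue
        insn = INSN_RE.match(line)
        if insn and current is not None:
            functions[current].append(
                Instruction(int(insn.group(1), 16), insn.group(3), insn.group(4)))
    return functions


def call_graph(functions):
    """Map each function to the symbolic targets of its direct `call` instructions."""
    graph = {}
    for name, insns in functions.items():
        targets = []
        for insn in insns:
            if insn.mnemonic == "call":
                target = CALL_TARGET_RE.search(insn.operands)
                targets.append(target.group(1) if target else insn.operands)
        graph[name] = targets
    return graph


def immediates(functions, name):
    """Constants loaded into registers with `mov $imm,reg` inside one function."""
    values = []
    for insn in functions[name]:
        if insn.mnemonic == "mov":
            imm = IMM_RE.match(insn.operands)
            if imm:
                values.append(int(imm.group(1), 16))
    return values


if __name__ == "__main__":
    funcs = parse_objdump(SAMPLE_DUMP)
    for name, callees in call_graph(funcs).items():
        print(f"{name}: {len(funcs[name])} instructions, calls {callees}")
    # The 0x2a returned by ultimate_question() shows up as the only immediate it loads.
    print("ultimate_question immediates:", immediates(funcs, "ultimate_question"))
```

To use it on a real dump, read answer.dump from disk and pass its contents to parse_objdump instead of SAMPLE_DUMP. The call graph is what tells you that main reaches printf through the PLT stub, and the immediates of a function are the fastest way to match source constants (here 0x2a) to their place in the binary.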