Malware Classification
This is my study note, mainly about the introduction of ten types of malware.
All the content is from the following source:
source: 12 Types of Malware + Examples That You Should Know (crowdstrike.com)
1. Ransomware
Definition
Ransomware is a type of malware that encrypts a victim’s data, after which the attackers demand a “ransom”, or payment, in order to restore access to the files or network. Typically, the victim receives a decryption key once payment is made. If the ransom is not paid, the threat actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.
How does ransomware work?
Step 1: Infection
Ransomware operators often use phishing emails and social engineering techniques to infect their victim’s computer. In most cases, the victim ends up clicking a malicious link in the email, introducing the ransomware variant on their device.
Step 2: Encryption
After a device or system has been infected, ransomware then searches for and encrypts valuable files. Depending on the variant, the malicious software may find opportunities to spread to other devices and systems across the organization.
Step 3: Ransom Demand
Once the data has been encrypted, a decryption key is required to unlock the files. In order to get the decryption key, the victim must follow the instructions left on a ransom note that outline how to pay the attacker – usually in Bitcoin.
Types of Ransomware
There are some common types of ransomware:
- Encrypting Ransomware: In this instance the ransomware systematically encrypts files on the system’s hard drive, which are difficult to decrypt without paying the ransom for the decryption key. Payment is asked for using BitCoin, MoneyPak, PaySafeCard, Ukash or a prepaid (debit) card.
- Screen Lockers: Lockers completely lock you out of your computer or system, so your files and applications are inaccessible. A lock screen displays the ransom demand, possibly with a countdown clock to increase urgency and drive victims to act.
- Scareware: Scareware is a tactic that uses popups to convince victims they have a virus and directs them to download fake software to fix the issue.
2. Fileless Malware
Definition
Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack. Unlike traditional malware, fileless malware does not require attackers to install any code on a target’s system, making it hard to detect.
This fileless technique of using native tools to conduct a malicious attack is sometimes referred to as living off the land or LOLbins.
I think fileless malware may obtain the system’s authorization for its attacks.
Common Fileless Malware Techniques
While attackers don’t have to install code to launch a fileless malware attack, they still need to get access to the environment so they can modify its native tools to serve their purposes. Access and attacks can be accomplished in several ways, such as through the use of:
- Exploit kits
- Hijacked native tools
- Registry resident malware
- Memory-only malware
- Fileless ransomware
- Stolen credentials
How does Fileless Malware work?
Stage #1: Gain Access
Technique: Remotely exploit a vulnerability and use web scripting for remote access (e.g. China Chopper)
The attacker gains remote access to the victim’s system, to establish a beachhead for his attack.
Stage #2: Steal Credentials
Technique: Remotely exploit a vulnerability and use web scripting for remote access (e.g. Mimikatz)
Using the access gained in the previous step, the attacker now tries to obtain credentials for the environment he has compromised, allowing him to easily move to other systems in that environment.
Stage #3: Maintain Persistence
Technique: Modify the registry to create a backdoor (e.g. Sticky Keys Bypass)
Now, the attacker sets up a backdoor that will allow him to return to this environment at will, without having to repeat the initial steps of the attack.
Stage #4: Exfiltrate Data
Technique: Uses the file system and built-in compression utility to gather data, then uses FTP to upload the data
In the final step, the attacker gathers the data he wants and prepares it for exfiltration, copying it in one location and then compressing it using readily available system tools such as Compact. The attacker then removes the data from the victim’s environment by uploading it via FTP.
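An added defender-side check for the Stage #3 technique (written for this note, not part of the CrowdStrike article): one common implementation of the Sticky Keys backdoor is an Image File Execution Options (IFEO) Debugger value that redirects an accessibility binary, so this Python script parses a .reg export and reports any IFEO subkey carrying such a value. The .reg text, the list of accessibility binaries and the severity labels are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Accessibility helpers reachable from the Windows logon screen; a backdoor that
# redirects one of them runs before anyone authenticates. The set is an assumption
# for this example (well-documented targets), not content from the page.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_MARKER = "\\image file execution options\\"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    Handles only the subset needed here: [key] headers and "name"=value lines.
    Hex continuation lines and the @= default value are ignored.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unescape_reg_string(raw: str) -> str:
    """Strip the quotes of a REG_SZ literal and collapse its doubled backslashes."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\").replace('\\"', '"')


def find_ifeo_debuggers(reg_text: str) -> List[dict]:
    """Report every IFEO subkey that carries a Debugger value.

    Severity "high": an accessibility binary is redirected (Sticky Keys style backdoor).
    Severity "review": some other program has a Debugger set; legitimate on developer
    machines, but worth confirming.
    """
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if IFEO_MARKER not in key.lower():
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        findings.append({
            "target": target,
            "debugger": unescape_reg_string(debugger),
            "severity": "high" if target in ACCESSIBILITY_BINARIES else "review",
        })
    return findings


# Constructed .reg export (not from a real system): one backdoored accessibility
# binary, one benign GlobalFlag entry, and one developer-style debugger hook.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\tools\\mydebugger.exe -p"
'''


if __name__ == "__main__":
    for finding in find_ifeo_debuggers(SAMPLE_REG):
        print(f"[{finding['severity']}] {finding['target']} -> {finding['debugger']}")
```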
3. Spyware
Definition
Spyware is a type of malware that covertly infects a computer or mobile device and collects sensitive information like passwords, personal identification numbers (PINs), and payment information. The information is then sent to advertisers, data collection firms, or malicious third parties for a profit.
Spyware is one of the most common threats on the internet. It was more commonly installed in Windows desktop browsers, but has evolved to operate on Apple computers and mobile phones as well. Mobile spyware attacks have become much more common and advanced as people rely on their phones to conduct banking activities and access other sensitive information. However, not all software that tracks online activity is malicious. For example, some website tracking cookies can serve as a legitimate function to customize a user’s website experience by remembering login information.
All in all, the final goal of spyware is to steal personal information.
Types of Spyware
There are several types of spyware. While all spyware programs share the common goal of stealing personal information, each uses unique tactics to do so.
1. Adware
Adware tracks a user’s web surfing history and activity to optimize advertising efforts. Although adware is technically a form of spyware, it does not install software on a user’s computer or capture keystrokes. Thus, the danger in adware is the erosion of a user’s privacy since the data captured by adware is accumulated with data captured about the user’s activity elsewhere on the internet. This information is then used to create a profile that can be shared or sold to advertisers without the user’s consent.
2. Trojan
A trojan is a digital attack that disguises itself as desirable code or software. Trojans may hide in games, apps or even software patches. They may also be embedded in attachments in phishing emails. Once downloaded by users, trojans can take control of victims’ systems for malicious purposes such as deleting files, encrypting files or sharing sensitive information with other parties.
3. Keylogger
A keylogger is a type of spyware that monitors user activity. When installed, keyloggers can steal passwords, user IDs, banking details and other sensitive information. Keyloggers can be inserted into a system through phishing, social engineering or malicious downloads.
4. System Monitor
A system monitor captures virtually everything the user does on the infected computer or device. System monitors can be programmed to record all keystrokes, the user’s browser activity and history, as well as any form of communication, such as emails, webchats or social media activity.
5. RedShell
RedShell is a type of spyware that installs itself on a device whenever specific PC games are downloaded to track online activity. Developers use this information as feedback to better understand their users, and improve their games and marketing campaigns.
6. RootKits
Rootkits allow attackers to easily infiltrate a system, as they are almost always undetectable. To infiltrate a system, they either exploit security vulnerabilities or log in as an administrator.
7. Tracking Cookies
Websites, both legitimate and illegitimate, drop cookies into your device to track users’ online activity.
What Does Spyware Do?
This three-step process provides a general overview of how an author launches their spyware attack:
- Infiltrate: Spyware may infiltrate any device upon visiting a malicious website, installing a malicious app, or even opening a file attachment in an email.
- Monitor and capture: Once the spyware is installed, it begins to collect data, which could range from web activity and history to keystrokes.
- Send or sell: The spyware creator collects the data where they can either use it directly or sell it to third parties.
The presence of spyware will generally slow down the computer or device, degrading its usability and functionality over time. Due to decreased functionality, the system may also be more vulnerable to other types of malware.
4. Adware
Definition
Adware — or advertising-supported software — is automated, unwanted software designed to monitor online user behavior and bombard them with targeted advertisements, banners and pop-ups.
Problems with adware mostly happen within computers, but it’s not uncommon for adware programs to make their way onto mobile devices.
How Does Adware Get Onto Your Device?
Adware typically infects devices via downloadable content – like any shareware or freeware – that opens the door to malicious third-party programs. These can covertly install ad software onto your device without your knowledge.
Program developers can make money each time an ad is displayed or clicked on, meaning even legitimate companies can be tempted to include adware in their software.
Types of Adware
Despite its often-unwanted nature, not all adware is illegal – and if anything, it’s far more common than you might expect.
1. Traditional Legal Adware
Traditional legal adware is a profitable business model. Pay-per-click, pay-per-view and pay-per-install adware models are even used by reputable firms to market products and promote free software. However, the legality lies in consent – users must know what they’re downloading. Without consent, adware becomes problematic.
2. Potentially Unwanted Programs (PUPs)
PUPs are types of adware that reside in your device without your knowledge or desire, even if you’ve given consent for their download. While they may not necessarily be malicious, PUPs can provide a platform for further malware to make its way onto your device – making it a notoriously gray area in terms of legality.
3. Malicious Adware
Malicious Adware PUPs are the most damaging. Distributors aim to cause as much damage as possible to their targets, with their adware campaigns usually involving embedding harmful ransomware or trojans inside the adware.
This adware may target your browser and clog up your screens with toolbars and advertisements. These toolbars may even contain trojans that redirect your searches away from legitimate sites, towards fraudulent replicas designed to look like carbon copies of the original – so, take extra care when browsing and always double-check URLs when entering new sites.
5. Trojan Horse
A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code or software. Once inside the network, attackers are able to carry out any action that a legitimate user could perform, such as exporting files, modifying data, deleting files or otherwise altering the contents of the device. Trojans may be packaged in downloads for games, tools, apps or even software patches. Many Trojan attacks also leverage social engineering tactics, as well as spoofing and phishing, to prompt the desired action in the user.
TIPs: Trojan: Virus or Malware?
A Trojan is sometimes called a Trojan virus or Trojan horse virus, but those terms are technically incorrect. Unlike a virus or worm, Trojan malware cannot replicate itself or self-execute. It requires specific and deliberate action from the user.
Trojans are malware, and like most forms of malware, Trojans are designed to damage files, redirect internet traffic, monitor the user’s activity, steal sensitive data or set up backdoor access points to the system. Trojans may delete, block, modify, leak or copy data, which can then be sold back to the user for ransom or on the dark web.
A Trojan is malware, not a virus or worm!!! It requires specific and deliberate action from the user to trigger.
10 Types of Trojan Malware
Trojans are a very common and versatile attack vehicle for cybercriminals. Here we explore 10 examples of Trojans and how they work:
- Exploit Trojan: As the name implies, these Trojans identify and exploit vulnerabilities within software applications in order to gain access to the system.
- Downloader Trojan: This type of malware typically targets infected devices and installs a new version of a malicious program onto the device.
- Ransom Trojan: Like general ransomware, this Trojan malware extorts users in order to restore an infected device and its contents.
- Backdoor Trojan: The attacker uses the malware to set up access points to the network.
- Distributed Denial of Service (DDoS) attack Trojan: Backdoor Trojans can be deployed to multiple devices in order to create a botnet, or zombie network, that can then be used to carry out a DDoS attack. In this type of attack, infected devices can access wireless routers, which can then be used to redirect traffic or flood a network.
- Fake AV Trojan: Disguised as antivirus software, this Trojan is actually ransomware that requires users to pay fees to detect or remove threats. Like the software itself, the issues this program claims to have found are usually fake.
- Rootkit Trojan: This program attempts to hide or obscure an object on the infected computer or device in order to extend the amount of time the program can run undetected on an infected system.
- SMS Trojan: A mobile device attack, this Trojan malware can send and intercept text messages. It can also be used to generate revenue by sending SMS messages to premium-rate numbers.
- Banking Trojan or Trojan Banker: This type of Trojan specifically targets financial accounts. It is designed to steal data related to bank accounts, credit or debit cards or other electronic payment platforms.
- Trojan GameThief: This program specifically targets online gamers and attempts to access their gaming account credentials.
6. Worms
Definition
A computer worm is a type of malware that can automatically propagate or self-replicate without human interaction, enabling its spread to other computers across a network. A worm often uses the victim organization’s internet or local area network (LAN) connection to spread itself.
TIPs: Worms vs. Virus vs. Trojan Horse
One misconception is that worms are the same as viruses or trojan horses, but they differ in the way they propagate themselves.
- Worm: Propagates itself independently and spreads to other computers across the network. Its biggest danger is that it can copy itself hundreds or thousands of times, causing widespread infection.
- Virus: It cannot spread without human action. It is almost always attached to an executable file and remains dormant until the victim activates it.
- Trojan Horse: It generally disguises itself as legitimate code. A trojan horse generally does not inject itself into other files or otherwise propagate itself.
Why are worms dangerous?
A computer worm is harmful because it may perform a broad range of attacks, including crashing systems through self-replication, downloading malicious applications, and providing hackers with backdoor access to equipment.
Worms can also be hard to remediate. Because they spread automatically and quickly, it can take a lot of time and effort to eradicate a worm outbreak from the environment and fully recover. When a worm spreads inside a data storage environment, for example, it can take months to completely clean it up. Even when a worm doesn’t have a malicious payload that does damage, it poses a serious nuisance for IT managers who have to dedicate valuable resources to navigate the incident response process.
Types of computer worms
There are several types of malicious computer worms, including:
| Type | Description |
|---|---|
| Email Worms | As the name suggests, an email worm spreads via email. Also known as a mass-mailer worm, an email worm distributes a copy of itself as an email attachment or as a link to an infected file on a compromised or hacker-owned website. |
| File-Sharing Worms | File-sharing worms embed and disguise themselves as innocent media files. When an unsuspecting user downloads the file, the worm infects their device. Once the worm has compromised the device, it can capture confidential information that the adversary can use to their advantage or sell to other attackers. |
| IM Worms | IM worms masquerade as attachments and links on social media platforms, and they frequently include content that baits the victim to click on the URL. Once it’s executed, the IM worm can spread through an instant messaging network. |
| Cryptoworms | A cryptoworm is a worm attack that encrypts data on the victim’s system and then demands a ransom payment to regain access to the data. |
| IRC Worms | An IRC worm is a malicious program designed to exploit IRC channels to infect chat rooms and message forums by sending infected messages. |
| P2P Worms | P2P worms use the mechanisms of P2P networks to distribute copies to unsuspecting P2P users. |
7. Rootkit
Definition
A rootkit is a set of software that gives malware actors control of a computer or network. Once activated, the malicious program sets up a backdoor exploit and may deliver additional malware, such as ransomware, bots, keyloggers or trojans. Rootkits may remain in place for years because they are hard to detect, due in part to their ability to block some antivirus software and malware scanner software.
Types of rootkits
Firmware rootkits
A firmware rootkit targets the software that runs particular hardware components by storing itself in the software that runs during the boot process, before the operating system starts up. Firmware rootkits are especially stealthy because they can persist through reinstallation of the operating system.
The use of firmware rootkits has grown as technology has moved away from hard-coded BIOS software and toward BIOS software that can be updated remotely. Cloud computing systems that place multiple virtual machines on a single physical system are also vulnerable.
Examples of firmware rootkits include:
- UEFI rootkit
- Cloaker
- VGA rootkit
Kernel mode rootkits
A kernel mode rootkit is a sophisticated piece of malware that can add new code to the operating system or delete and edit operating system code. They are complicated to create, and if a kernel rootkit is buggy, it will heavily impact the target computer’s performance. On the bright side, a buggy kernel rootkit will leave a trail of breadcrumbs that antivirus solutions will detect.
Examples of kernel mode rootkits include:
- Spicy Hot Pot
- FU
- Knark
Bootloader rootkits
Bootloader rootkits boot up concurrently with the operating system and target the Master Boot Record (MBR), which is the first code executed when starting up a computer, or the Volume Boot Record (VBR), which contains the code needed to initiate the boot process or the code for loading an operating system or application. By attaching itself to one of these types of records, a bootloader rootkit will not appear in a standard file system view and will be difficult for an antivirus or rootkit remover to detect.
Examples of bootloader rootkits include:
- Stoned Bootkit
- Olmasco
- Rovnix
Virtualized rootkits
Unlike kernel mode rootkits, which boot up at the same time the targeted system boots up, a virtualized rootkit boots up before the operating system boots up. Virtualized rootkits take hold deep in the computer and are extremely difficult – or even impossible – to remove.
User Mode rootkits
User mode rootkits modify the behavior of application programming interfaces. They can display false information to administrators, intercept system calls, filter process output and take other actions to hide their presence. However, because user mode rootkits target applications rather than operating systems or other critical processes, they do leave breadcrumbs that trigger antivirus and rootkit remover alerts and they are not as hard to remove as some other types of rootkit malware.
Examples of user mode rootkits include:
- Vanquish
- Hacker Defender
- Aphex
Memory rootkits
Memory rootkits load into the RAM, so they persist only until the RAM is cleared when the system is restarted. While active, their malicious activities consume the targeted system’s resources and thus reduce the performance of its RAM memory.
8. Keyloggers
Definition
Keyloggers are tools that can record every keystroke that you type into a computer or mobile keyboard. Because you interact with a device primarily through the keyboard, keyloggers can record a lot of information about your activity. For example, keyloggers can track credit card information that you enter, websites you visit and passwords you use.
Keyloggers aren’t always used for illegal purposes. Consider the following examples of legal uses for keylogging software:
- Parents might use a keylogger to monitor a child’s screen time.
- Companies often use keylogger software as part of employee monitoring software to help track employee productivity.
- Information technology departments can use keylogger software to troubleshoot issues on a device.
All in all, it is malware that collects every keystroke of the victim in order to steal sensitive information from the victim’s device.
Types of Keyloggers and How They Work
There are two types of keyloggers: hardware keyloggers and software keyloggers. The two types of keyloggers differ by the way that they log a keystroke. Both types of keyloggers can be used for malicious purposes, including credential theft and identity theft.
Types of Keyloggers
Hardware keyloggers are physical devices that record every keystroke. Cybercriminals can disguise them in the computer cabling or in a USB adapter, making it hard for the victim to detect. However, because you need physical access to the device to install a hardware keylogger, it isn’t as commonly used in cyberattacks.
Software keyloggers don’t require physical access to a device. Instead, users download software keyloggers onto the device. A user might download a software keylogger intentionally or inadvertently along with malware.
There are many different varieties of software keyloggers, including the following types:
- Form-grabbing keyloggers record data entered into a field. This type of keylogging software is typically deployed on a website rather than downloaded on a victim’s computer. A hacker might use form grabbing keyloggers on a malicious website that prompts victims to enter their credentials.
- JavaScript keyloggers are written in JavaScript code and injected into websites. This type of keylogging software can run scripts to record every keystroke entered by website visitors.
- API keyloggers use application programming interfaces running inside of applications to record every keystroke. This type of keylogging software can record an event whenever you press a key within the application.
How Keyloggers Work
Keyloggers are spread in different ways, but all have the same purpose. They all record information entered on a device and report the information to a recipient. Let’s take a look at a few examples showing how keyloggers can spread by being installed on devices:
- Web page scripts. Hackers can insert malicious code on a web page. When you click an infected link or visit a malicious website, the keylogger automatically downloads on your device.
- Phishing. Hackers can use phishing emails, which are fraudulent messages designed to look legitimate. When you click an infected link or open a malicious attachment, the keylogger downloads on your device.
- Social engineering. Phishing is a type of social engineering, which is a strategy designed to trick victims into divulging confidential information. Cybercriminals might pretend to be a trusted contact to convince the recipient to open an attachment and download malware.
- Unidentified software downloaded from the internet. Malicious users can embed keyloggers in software downloaded from the internet. Along with the software you want to download, you unknowingly download keylogging software.
9. Botnet
Definition
A botnet is a set of hundreds or even thousands of infected computers in the same network, controlled by the bot herder.
A botnet is a network of computers infected with malware that are controlled by a bot herder. The bot herder is the person who operates the botnet infrastructure and uses the compromised computers to launch attacks designed to crash a target’s network, inject malware, harvest credentials or execute CPU-intensive tasks. Each individual device within the botnet network is called a bot.
TIPs: How are botnets controlled?
Bot herders control their botnets through one of two structures: a centralized model with direct communication between the bot herder and each computer, and a decentralized system with multiple links between all the infected botnet devices.
Centralized, Client-Server Model
The first generation of botnets operated on a client-server architecture, where one command-and-control (C&C) server operates the entire botnet. Due to its simplicity, the disadvantage of using a centralized model over a P2P model is that it is susceptible to a single point of failure.
The two most common C&C communication channels are IRC and HTTP:
IRC (Internet Relay Chat) botnet
IRC botnets are among the earliest types of botnet and are controlled remotely with a pre-configured IRC server and channel. The bots connect to the IRC server and await the bot herder’s commands.
HTTP botnet
An HTTP botnet is a web-based botnet through which the bot herder uses the HTTP protocol to send commands. Bots will periodically visit the server to get updates and new commands. Using HTTP protocol allows the herder to mask their activities as normal web traffic.
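Because an HTTP bot polls its server on a schedule, the regularity of that polling is what a defender can look for even when each request looks like ordinary web traffic. The added Python example below (not from the CrowdStrike article or this note) groups constructed proxy log lines by source and destination and flags pairs whose inter-request timing is nearly constant; the log format, hosts, thresholds and timings are all assumptions made up for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed proxy log format for this example:
#   "<ISO-8601 UTC> src=<ip> dst=<host> status=<code>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) status=(\d+)$")


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Extract (timestamp, source IP, destination host) from one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def find_beacons(lines: List[str], min_events: int = 6, max_cv: float = 0.1) -> List[dict]:
    """Flag (src, dst) pairs whose request timing is too regular to be a person.

    For each pair the gaps between consecutive requests are computed; a low
    coefficient of variation (stdev / mean) means near-constant spacing, which is
    the polling pattern of a bot checking in for commands. Thresholds are
    assumptions chosen for this example.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def _make_lines(src: str, dst: str, offsets_s: List[int], start: datetime) -> List[str]:
    """Build constructed log lines at the given second offsets from start."""
    return [f"{(start + timedelta(seconds=o)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
            f"src={src} dst={dst} status=200" for o in offsets_s]


_T0 = datetime(2024, 5, 1, 10, 0, 0)
# A compromised host polls its server every ~60 s with a second or two of jitter...
BEACON_OFFSETS = [0, 60, 119, 180, 240, 300, 361, 420]
# ...while a person reading a news site produces bursts and long idle gaps.
HUMAN_OFFSETS = [0, 13, 17, 95, 100, 240, 241, 400]

# Constructed sample log, interleaved in time order as a proxy would write it.
SAMPLE_LOG = sorted(_make_lines("10.0.0.12", "sync.example.net", BEACON_OFFSETS, _T0)
                    + _make_lines("10.0.0.15", "news.example.com", HUMAN_OFFSETS, _T0))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every {hit['mean_interval_s']} s (cv={hit['cv']}, n={hit['events']})")
```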
Decentralized, Peer-to-Peer Model
The new generation of botnets are peer-to-peer, where bots share commands and information with each other and are not in direct contact with the C&C server.
P2P botnets are harder to implement than IRC or HTTP botnets, but are also more resilient because they do not rely on one centralized server. Instead, each bot works independently as both a client and a server, updating and sharing information in a coordinated manner between devices in the botnet.
A great design! It solves the problem that if a single point fails, the whole Botnet fails.
How Does a Botnet Work?
The stages of creating a botnet can be simplified into these steps:
- Expose
- Infect and Grow
- Activate
In stage 1, the hacker will find a vulnerability in either a website, application, or user behavior in order to expose users to malware. A bot herder intends for users to remain unaware of their exposure and eventual malware infection. They may exploit security issues in software or websites so that they can deliver malware through emails, drive-by downloads, or trojan horse downloads.
In stage 2, victims’ devices are infected with malware that can take control of their devices. The initial malware infection allows hackers to create zombie devices using techniques like web downloads, exploit kits, popup ads, and email attachments. If it’s a centralized botnet, the herder will direct the infected device to a C&C server. If it’s a P2P botnet, peer propagation begins and the zombie devices seek to connect with other infected devices.
In stage 3, when the bot herder has infected a sufficient number of bots, they can then mobilize their attacks. The zombie devices then download the latest update from the C&C channel to receive their orders. The bot then proceeds with its orders and engages in malicious activities. The bot herder can continue to remotely manage and grow their botnet to carry out various malicious activities. Botnets do not target specific individuals since the bot herder’s goal is to infect as many devices as possible so they can carry out malicious attacks.
Types of Botnet Attacks
Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be used to conduct many types of attacks, including:
1. Phishing
Botnets can be used to distribute malware via phishing emails. Because botnets are automated and consist of many bots, shutting down a phishing campaign is like playing a game of Whack-A-Mole.
2. Distributed Denial-of-Service (DDoS) attack
During a DDoS attack, the botnet sends an overwhelming number of requests to a targeted server or application, causing it to crash. Network layer DDoS attacks use SYN floods, UDP floods, DNS amplification, and other techniques designed to eat up the target’s bandwidth and prevent legitimate requests from being served. Application-layer DDoS attacks use HTTP floods, Slowloris or RUDY attacks, zero-day attacks and other attacks that target vulnerabilities in an operating system, application or protocol in order to crash a particular application.
Many will remember the massive Mirai botnet DDoS attack. Mirai is an IoT botnet made up of hundreds of thousands of compromised IoT devices, which in 2016, took down services like OVH, DYN, and Krebs on Security.
3. Spambots
Spambots harvest emails from websites, forums, guestbooks, chat rooms and anyplace else users enter their email addresses. Once acquired, the emails are used to create accounts and send spam messages. Over 80 percent of spam is thought to come from botnets.
I think I can almost do everything with a Botnet.
10. Mobile Malware
Definition
Mobile malware is malicious software specifically designed to target mobile devices, such as smartphones and tablets, with the goal of gaining access to private data.
Although mobile malware is not currently as pervasive as malware that attacks traditional workstations, it’s a growing threat because many companies now allow employees to access corporate networks using their personal devices, potentially bringing unknown threats into the environment.
Recent years have seen many Android mobile security issues, but Apple isn’t immune to mobile data security malware either.
Types of Mobile Malware
Cybercriminals use various tactics to infect mobile devices. If you’re focused on improving your mobile malware protection, it’s important to understand the different types of mobile malware threats. Here are some of the most common types:
- Remote Access Tools (RATs) offer extensive access to data from infected victim devices and are often used for intelligence collection. RATs can typically access information such as installed applications, call history, address books, web browsing history, and SMS data. RATs may also be used to send SMS messages, enable device cameras, and log GPS data.
- Bank trojans are often disguised as legitimate applications and seek to compromise users who conduct their banking business — including money transfers and bill payments — from their mobile devices. This type of trojan aims to steal financial login and password details.
- Ransomware is a type of malware used to lock out a user from their device and demand a “ransom” payment — usually in untraceable Bitcoin. Once the victim pays the ransom, access codes are provided to allow them to unlock their mobile device.
- Cryptomining Malware enables attackers to covertly execute calculations on a victim’s device – allowing them to generate cryptocurrency. Cryptomining is often conducted through Trojan code that is hidden in legitimate-looking apps.
- Advertising Click Fraud is a type of malware that allows an attacker to hijack a device to generate income through fake ad clicks.