Hacking, Malware

Some notes on malware – Part 1

The Motivation Behind Malware these days
This is rather a long list but it can be narrowed down to the following:

  • Steal sensitive data (identity theft, illegal immigration, terrorism, drug trafficking, blackmail, etc).
  • Banking fraud (credit card fraud, etc).
  • Spamming.
  • Espionage.
  • Advertisements/Click fraud.
  • Medical insurance fraud.
  • Money.

Propagation Techniques

  • Social Engineering (emails, spam, phishing, Office documents, PDFs, ZIP archives, etc.).
  • P2P file sharing (games, documents, etc.).
  • Exploit kits.
  • USBs.
  • Embedded exploits.
  • Infected websites (watering hole attacks, etc.).
  • Client side exploits.

Peer-To-Peer (P2P) Botnets

  • Built for survivability.
  • Ability to survive attacks against its command-and-control infrastructure.
  • No single point of centralized control.
  • No one machine has a full list of the entire botnet.

Metamorphism

  • Metamorphic malware changes as it reproduces or propagates.
  • Changes its code and signature patterns with each iteration.
  • Hard to identify with signature-based antivirus.

Polymorphism

  • Evades pattern-matching detection.
  • A form of camouflage.
  • Defeats simple string searches.
  • Encryption.
  • Generating numerous exceptions.

Obfuscation

  • Packing code via compression or encryption.
  • Host obfuscation.
  • Network obfuscation.
  • Portable Executable (PE) packers.
  • Network encoding.
  • Encryptors (code is encrypted and compressed).
  • Packers (an encryption module used to obfuscate the actual main body of code).
  • Junk instructions and Loops.
  • Assembly instructions that don't change the program's functionality.
  • Calls to null (empty) functions.
  • Using a packer, the actual malware never hits the hard disk.
  • Everything runs in memory, in-process.
  • Private, newly written packers.
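Packed or encrypted code is dense and close to random, so one cheap defensive check is the Shannon entropy of the bytes: plain compiled code and string data sit well below 8 bits per byte, while compressed or encrypted regions approach it, and a packed image also exposes almost no readable strings. The following script is an added example, not code from the original post; the two "images" it scans are constructed inline (a fake MZ header plus repeating code-like bytes and strings versus the same data zlib-compressed and followed by a pseudo-random blob standing in for an encrypted payload), and the window size, entropy threshold and string-density threshold are illustrative assumptions rather than fixed rules.

```python
"""Entropy/string-density heuristic for spotting packed or encrypted code.

Added example (not part of the original post). No real binary is needed:
the sample buffers below are constructed to mimic an unpacked and a packed
image. Thresholds are assumptions chosen for illustration.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Yield (offset, entropy) for every fixed-size window at or above threshold."""
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:      # ignore a tiny trailing fragment
            break
        ent = shannon_entropy(chunk)
        if ent >= threshold:
            yield off, ent


def printable_strings(data: bytes, min_len: int = 8) -> int:
    """Count runs of printable ASCII of at least min_len bytes."""
    count = run = 0
    for b in data:
        if 0x20 <= b < 0x7F:
            run += 1
        else:
            count += run >= min_len
            run = 0
    return count + (run >= min_len)


def string_density(data: bytes, min_len: int = 8) -> float:
    """Readable strings per KiB; packed images expose very few."""
    return printable_strings(data, min_len) / max(1.0, len(data) / 1024)


def looks_packed(data: bytes, window: int = 1024, threshold: float = 7.0,
                 max_strings_per_kib: float = 1.0) -> bool:
    """Heuristic: most windows are high-entropy AND readable strings are scarce."""
    windows = max(1, len(data) // window)
    hot = sum(1 for _ in high_entropy_regions(data, window, threshold))
    return hot * 2 > windows and string_density(data) < max_strings_per_kib


# --- constructed samples (not real executables, not malware) ---
_rng = random.Random(1337)                     # seeded so results are repeatable
# "Plain" image: fake MZ header, a repeating function-prologue byte pattern, strings.
PLAIN_IMAGE = (
    b"MZ" + bytes(62)
    + b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 300
    + (b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
       b"This program cannot be run in DOS mode\x00") * 10
)
# "Packed" image: same header, the plain image compressed, then a pseudo-random
# blob that plays the role of an encrypted payload.
PACKED_IMAGE = (
    b"MZ" + bytes(62)
    + zlib.compress(PLAIN_IMAGE, 9)
    + bytes(_rng.getrandbits(8) for _ in range(8192))
)


if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        print(f"{name:6s} entropy={shannon_entropy(img):.2f} "
              f"strings/KiB={string_density(img):.2f} packed={looks_packed(img)}")
        for off, ent in high_entropy_regions(img):
            print(f"   high-entropy window at 0x{off:06x}: {ent:.2f} bits/byte")
```

Entropy alone is not proof of packing: legitimate installers embed compressed resources and some binaries carry encrypted blobs, so triage tools combine this signal with the section table, import count and known packer signatures before deciding anything.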

Network encoding

  • Encrypted data over HTTPS, etc.
  • Symmetric Encryption
  • Asymmetric Encryption

Network

  • Dynamic Domain Name Services (DDNS)
  • Fast Flux
  • Single Flux
  • Double Flux
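Fast flux hides the real hosting behind a name whose A records are rotated through a pool of compromised hosts with very short TTLs (single flux); double flux rotates the authoritative name servers as well. From the defender's side the signal is churn across repeated lookups rather than any single answer. The script below is an added example, not code from the original post: it scores a sequence of DNS observations for one name using four assumed thresholds (TTL at or below 300 s, at least 5 distinct IPs spread over at least 3 /16 networks, and the A set changing in at least half of consecutive lookups). The lookups are constructed from RFC 5737 documentation addresses, and the second sample deliberately mimics a CDN, which also uses low TTLs but returns a stable address set.

```python
"""Fast-flux heuristic over repeated DNS lookups of a single name.

Added example, not from the original post. Each lookup is modelled as the
time it was taken, the TTL returned, the set of A records and (optionally)
the authoritative NS names. All observations below are constructed and the
thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Lookup:
    t: int                            # seconds since the first observation
    ttl: int                          # TTL of the A records returned
    a_records: frozenset              # IPv4 addresses returned
    ns_names: frozenset = frozenset() # authoritative NS names, if captured


@dataclass
class FluxReport:
    distinct_ips: int
    distinct_slash16: int
    distinct_ns: int
    min_ttl: int
    churn: float          # fraction of consecutive lookups whose A set changed
    single_flux: bool
    double_flux: bool


def _slash16(ip: str) -> str:
    """Collapse an address to its /16 as a crude proxy for 'different network'."""
    return str(ip_network(f"{ip}/16", strict=False))


def analyse(lookups, ttl_limit=300, ip_limit=5, net_limit=3, churn_limit=0.5):
    """Score the lookups; raises if there are too few to measure churn."""
    lookups = sorted(lookups, key=lambda lk: lk.t)
    if len(lookups) < 2:
        raise ValueError("need at least two lookups to measure churn")
    changes = sum(cur.a_records != prev.a_records
                  for prev, cur in zip(lookups, lookups[1:]))
    churn = changes / (len(lookups) - 1)
    ips = set().union(*(lk.a_records for lk in lookups))
    nets = {_slash16(ip) for ip in ips}
    ns = set().union(*(lk.ns_names for lk in lookups))
    min_ttl = min(lk.ttl for lk in lookups)
    single = (min_ttl <= ttl_limit and len(ips) >= ip_limit
              and len(nets) >= net_limit and churn >= churn_limit)
    double = single and len(ns) >= 3       # NS pool rotating too
    return FluxReport(len(ips), len(nets), len(ns), min_ttl, churn, single, double)


# --- constructed observations (RFC 5737 documentation addresses) ---
FLUX_LOOKUPS = [
    Lookup(0,    180, frozenset({"192.0.2.10", "198.51.100.20", "203.0.113.30"}),
           frozenset({"ns1.flux.example", "ns2.flux.example"})),
    Lookup(300,  180, frozenset({"192.0.2.11", "198.51.100.21", "203.0.113.30"}),
           frozenset({"ns1.flux.example", "ns2.flux.example"})),
    Lookup(600,  150, frozenset({"192.0.2.12", "198.51.100.20", "203.0.113.31"}),
           frozenset({"ns3.flux.example", "ns2.flux.example"})),
    Lookup(900,  180, frozenset({"192.0.2.10", "198.51.100.22", "203.0.113.32"}),
           frozenset({"ns3.flux.example", "ns4.flux.example"})),
    Lookup(1200, 180, frozenset({"192.0.2.13", "198.51.100.23", "203.0.113.33"}),
           frozenset({"ns3.flux.example", "ns4.flux.example"})),
]
# A CDN-like name: equally short TTL, but the same two addresses every time.
CDN_LOOKUPS = [
    Lookup(t, 60, frozenset({"192.0.2.50", "192.0.2.51"}),
           frozenset({"ns1.cdn.example", "ns2.cdn.example"}))
    for t in range(0, 1500, 300)
]


if __name__ == "__main__":
    for name, obs in (("flux-like", FLUX_LOOKUPS), ("cdn-like", CDN_LOOKUPS)):
        print(name, analyse(obs))
```

The churn requirement is what keeps the CDN sample from scoring as flux; in practice analysts also weigh the ASN diversity of the returned addresses and whether they sit in residential broadband ranges, which a /16 comparison only approximates.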

Personally Identifiable Information (PII)
How identity theft is conducted:

  • Stealing letters.
  • Dumpster diving.
  • Government registers.
  • Internet search engines.
  • Public records search engines.
  • Corporate computer databases.
  • Advertising fake phone job offers.
  • Social engineering and malware.
  • Exploiting social networks.
  • Voice phishing (vishing).
  • Changing the registered email address on various online accounts.