2015-11-27

Kinda ironic: I like to ask candidates during a job interview, “What is malware?” and what is it an amalgamation of?

I get responses like “It is a type of virus that gets on your computer” or “It is a backdoor that a hacker installs”.

Even funnier is that about half of these educated and certification-heavy professionals don’t know that malware is the combination of “Malicious” and “Software”.

The interview for them is just about over at this point…

Anyway, here is a brief rundown of how malware finds its way onto hosts, some malware families, and specific brands and variants within those families.

Malware vs Exploit Kits

This is something that should not have to be explained to a cyber security professional, yet I keep having to do it.

Exploit kits are not malware! You cannot get infected with an exploit kit! Maybe 5% of the professionals I interview understand that concept – keep in mind these are people with years of “experience” expecting six-figure jobs.

A web-based exploit kit is hosted on a web server, either on malicious infrastructure or on a hacked website. A common way to deploy exploit kit redirects is to hack a forum or a WordPress/Joomla site with out-of-date plugins, which lets the attacker inject code via XSS or SQLi and insert a malicious iframe redirect.

The initial redirect is made up of simple HTML, JavaScript, PHP, etc. and is known as a landing page; think of visiting your favorite site blah.com, which is really blah.com/index.html or blah.com/index.php, but you get the point.

There are many different exploit kits in the wild; the most prevalent for 2016 are Angler Exploit Kit, Nuclear Exploit Kit, RIG and Neutrino, with some other stragglers out there. Their methodology is the same; the differences are in how the exploit kit processes a victim and what the exploit kit is packing. Some exploit kits pack exploits for various Java, Flash, PDF, Silverlight and Internet Explorer vulnerabilities. Some exploit kits will make a GET request for each of those plugins to determine which version of the software is on your machine; if it runs through all of its checks and has no exploit for the plugin versions it found, the exploit kit will quit and not even attempt exploitation, to keep security analysts from analyzing the kit. Other exploit kits target one type of vulnerability; for instance, Angler Exploit Kit for most of 2015 targeted just the latest Flash vulnerabilities.

Exploit kits are sneaky: typically a valid Referer is required in the HTTP header for the exploit kit to begin its process, once again to prevent security analysts from getting a free look at the payload from the comfort and safety of a virtual machine. Once a vulnerable plugin is detected, the exploit kit sends one or more obfuscated exploits to the victim via a GET request; if the exploit is successful, the exploit kit will typically make the victim download a malicious payload (the malware). If the exploit kit is not successful it will typically give up and the process is over. HOWEVER, there is the off chance that the exploit kit will rely on social engineering and prompt the potential victim with a download request in the form of a simple pop-up window, which, if downloaded and run, has the same effect, and the potential victim is now a victim. Social engineering from the exploit kit is rarely seen; I have observed it several times when an exploit kit was trying to exploit a patched plugin with no chance of successfully exploiting it, but, having already redirected a user to the kit, decided in a last-ditch effort to feed them a drive-by download, if you will.
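The chain just described (redirect from a hacked site to a landing page, plugin probing, an obfuscated exploit file, then the payload download, all from the kit's host within seconds) is something a defender can hunt for in proxy logs. The following is an added example, not code from the original post; the log format, host names and paths are constructed for illustration.

```python
"""Flag exploit-kit style HTTP chains in a proxy log (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: time client method host path status content-type referer
SAMPLE_LOG = """\
2015-11-20T10:01:00 10.0.0.5 GET blog.example.net /index.php 200 text/html -
2015-11-20T10:01:01 10.0.0.5 GET ads-cdn.example.org /land/x.html 200 text/html http://blog.example.net/index.php
2015-11-20T10:01:02 10.0.0.5 GET ads-cdn.example.org /chk/plugins.js 200 application/javascript http://ads-cdn.example.org/land/x.html
2015-11-20T10:01:03 10.0.0.5 GET ads-cdn.example.org /ex/a.swf 200 application/x-shockwave-flash http://ads-cdn.example.org/land/x.html
2015-11-20T10:01:05 10.0.0.5 GET ads-cdn.example.org /dl/p.exe 200 application/x-msdownload http://ads-cdn.example.org/land/x.html
2015-11-20T10:05:00 10.0.0.7 GET news.example.com /story.html 200 text/html -
2015-11-20T10:05:02 10.0.0.7 GET static.example.com /player.swf 200 application/x-shockwave-flash http://news.example.com/story.html
"""

# Content types the post lists as exploit carriers (Flash, Java, PDF, Silverlight)
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/pdf", "application/x-silverlight-app"}
# Content types typical of the dropped payload (the malware itself)
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse(log):
    """Turn the constructed log text into a list of request dicts."""
    reqs = []
    for line in log.splitlines():
        ts, client, _method, host, path, _status, ctype, ref = line.split()
        reqs.append({"t": datetime.fromisoformat(ts), "client": client, "host": host,
                     "path": path, "ctype": ctype.split(";")[0], "ref": ref})
    return reqs


def ref_host(ref):
    """Host part of a Referer URL, or '' when there is no referer."""
    return ref.split("/")[2] if ref.startswith("http") else ""


def find_chains(reqs, window=timedelta(seconds=60)):
    """Return one finding per landing page -> exploit -> payload chain per client."""
    by_client = defaultdict(list)
    for r in reqs:
        by_client[r["client"]].append(r)
    hits = []
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r["t"])
        for i, land in enumerate(rs):
            # Stage 1: an HTML page reached via a redirect from a *different* site.
            if land["ctype"] != "text/html" or ref_host(land["ref"]) in ("", land["host"]):
                continue
            stages, seen_exploit = [land["path"]], False
            for r in rs[i + 1:]:
                if r["t"] - land["t"] > window:
                    break                      # chains are fast; stop at the window
                if r["host"] != land["host"]:
                    continue                   # stages stay on the kit's host
                if r["ctype"] in EXPLOIT_TYPES:
                    seen_exploit = True        # Stage 2: plugin exploit file
                    stages.append(r["path"])
                elif seen_exploit and r["ctype"] in PAYLOAD_TYPES:
                    stages.append(r["path"])   # Stage 3: the dropped payload
                    hits.append({"client": client, "kit_host": land["host"],
                                 "via": ref_host(land["ref"]), "stages": stages})
                    break
    return hits
```

A lone SWF fetched from a normal site (the 10.0.0.7 client above) is not flagged; only the full redirect, exploit and payload sequence from one host is.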

Brief Overview of Malware Families

Malware families are specific types of malware that share a method of behavior once they infect a host.

Ransomware Family – you may have heard of this type of malware in the news lately; the Angler Exploit Kit has delivered several different types of ransomware to its victims over the last year. Ransomware is a type of malware that, once on a host, will typically encrypt the contents of the user’s hard drive (some offspring only bluff at this) and hold the user’s data literally for ransom. Ransomware became prevalent in 2012; one of the first variants was known as Reveton, which fraudulently claimed that the user must pay a fine to the Metropolitan Police Service.

Since Reveton there have been loads of variants popping up with evolved encryption techniques and various means for accepting payment to release the victim’s data. Some popular flavors of ransomware include TeslaCrypt, AlphaCrypt, CryptoWall and CryptoLocker.

Click Fraud & Click Hijacking Family – For most of 2015 the Click Fraud family has been the most prevalent and successful, while Click Jacking has diminished a bit. Click Jacking is the process of letting a victim type a search query into the search bar of their favorite search engine, stealing the keywords used for the search, and redirecting the victim to a custom search page that the hostile actors have an account with, so that they get paid when the victim clicks links from the search. Most click fraud malware will hijack the victim’s browser start page to one that pays them when a user clicks links within it, and will also open pop-up windows, pop-under windows and customized search pages. Click Jacking mainly targeted Google AdSense in its infancy; it would use the victim’s search query as a crafted referrer to automatically click links after the search. Google is very smart and soon caught on to this scheme and behavior, but not before millions of dollars were collected by hostile crimeware families.

A few examples of popular malware botnets performing these actions are Zero Access (one of its plugins), TDSS and Bedep.

Pay-Per-Install / Pay-Per-Action / Adware Families – Some types of malware are very hard to isolate and separate from typical adware and toolbars that are usually more of a nuisance than anything else.

Two popular types of this malware are Mevade and Asprox/Kuluoz. Mevade has very little communication with its command and control server; once installed on a victim host it acts more as adware than malware. Mevade downloads and installs shady PC optimizer software and other software, for which it earns anywhere from $1 to $5 per install. Mevade sprang up in early 2014 and hit with fury, infecting several hundred thousand hosts through spam e-mail campaigns, and within a few months its operators vanished with their small and quick fortune, estimated to be just under one million dollars.

Another popular one is Kuluoz/Asprox, which issues commands that instruct compromised computers to download and execute additional payloads provided by a pay-per-install (PPI) affiliate, from which the botnet operators earn revenue. Unlike Mevade, the crimeware bosses behind it were very greedy; they delivered their malware through spam e-mails, typically using subject lines like “Your Fedex tracking information” or “UPS Shipment Information”, which surprisingly had a very high infection rate. Kuluoz had a very nice run: they started in 2013 and kept on pushing their malware until early 2015, when the FBI finally got its claws on them with assistance from international agencies. The group has been reported to have made in excess of $100,000 over its duration.

Bitcoin/Crypto-currency Mining – With Bitcoin, miners use special software to solve math problems and are issued a certain number of bitcoins in exchange. This provides a smart way to issue the currency and also creates an incentive for more people to mine. Mining is the process of adding transaction records to Bitcoin’s public ledger of past transactions. This ledger of past transactions is called the block chain, as it is a chain of blocks. The block chain serves to confirm transactions to the rest of the network as having taken place. Bitcoin nodes use the block chain to distinguish legitimate Bitcoin transactions from attempts to re-spend coins that have already been spent elsewhere.

Malware writers realized that it was easier to create a botnet of compromised hosts and use their GPUs to perform bitcoin mining than to invest money in infrastructure to do it themselves. In the early years of bitcoin mining it was a lot easier to earn coins, but the market became saturated and more and more resources were required to generate substantial revenue.

One of the most prevalent and successful malware families to employ bitcoin mining as its primary source of income was the Zero Access / Sirefef botnet, which used a peer-to-peer network seeded from a hardcoded list of 128 IPs of other infected systems, with a master node hidden within the list that fed to a supernode, making it very hard to track down the criminals behind this enterprise. After a few years of tremendous success, law enforcement was able to shut down the botnet and make several arrests. All told, the Zero Access masterminds reportedly generated over $100,000,000 in revenue!

Banking Trojans – Banking trojans are timeless, and we may never truly put an end to them as they are big money and hard to trace. Once a victim is infected, the banking trojan installs a keylogger that sits and waits for the victim to browse to one of the banks on a prepopulated list the malware tracks. An unsuspecting user will log in to their bank account over port 443 using SSL, thinking that their login and password are secured by encryption. They are correct in assuming that nobody will be able to sniff their password crossing the wire; however, keyloggers are not concerned with defeating encryption. The keylogger or keystroke logger captures every key the user presses on the keyboard, which includes the victim typing in the web address of their bank followed by their login name and password. Basically, it is game over for the victim; their only chance is to immediately remove the malware and change their passwords. The crimeware group will use the banking information to log in to the victim’s bank account and use bank-to-bank transfers, Western Union, cashier’s checks and other means to initially withdraw sums of cash from the victim’s bank account. After they have pulled the money into a shell account they typically spread it around and launder it, so that when the crimeware group goes to withdraw it the money has passed through so many intermediaries it is essentially untraceable.

Banking trojans are known to be region specific, meaning that they might only target victims that live in Mexico, where they know they can easily withdraw the money because they have people on the ground there acting as mules. Banking trojans have also been observed transferring money into bitcoins, making them virtually untraceable as well.

There have been so many variants. ZeuS/Zbot/Gameover ZeuS was one of the first big-time banking trojans to hit the world; it hit the world hard, and over time some have considered it the most successful and profitable malware campaign of all time, raking in a reported $500,000,000 between the various variants. The source code for this malware was leaked, and a multitude of ZeuS variants have sporadically popped up all over the world. Other big-time banking trojans include Oddjob, SpyEye, Geodo ebanking Trojan, Dyreza, Dridex, Dyre and Emotet.

Currently, the most active threats are VawTrak, Dridex and Dyre; they use specially crafted self-signed SSL certificates, making their communication difficult to decipher. Dridex uses a different self-signed certificate in each campaign, making it virtually impossible to write Snort rules for.

Trojan Downloaders – This should be axiomatic looking at the name: trojan downloaders are small pieces of malware that hostile actors like to install once they have compromised a victim, because they can be easily re-written to avoid detection, and since their size is small and their requirements for installation are virtually none, they sneak onto systems at a higher rate than the average malware. The purpose of trojan downloaders is to load other malware and malicious software. One of the most prolific ones is the Pony Trojan Downloader; its detection ratio is always very low as the writers are always tweaking the code, and this one has survived for years.

FakeAV – Once the most common form of malware, and it may hold the lead for revenue generated as a family, as this type of threat has been around since the 2000s and continues to this day. FakeAV is extremely hard to remove from an infected system as it embeds itself virtually everywhere it can; once again we recommend that you re-image any machine with FakeAV installed on it. After infection a victim may see what looks like legitimate Windows Defender pop-ups from the task bar, and virtually any webpage the victim tries to visit is redirected to a flashing page warning the user that they have been infected with a very serious virus and need to remove it immediately before it’s too late. I have heard it compared to ransomware, and they do have some similarities: FakeAV wants you to purchase its anti-virus solution to remove the malware that it in fact installed on your system. If you pay for the software it may remove the threat; realistically it depends on the flavor of FakeAV you have been infected with.

Internet Relay Chat (IRC) Botnets – This type of malware has become more of a thing of the past, with the exception of hacked *nix and MacOS systems. An infected machine connects to an IRC server preloaded in the malware and joins a specific channel that usually hosts the botnet controller’s group of compromised victims. The connection to IRC happens in the background, all without the victim knowing they are in a chat room. Typically the IRC channel that the bot joins requires a password to get in, or the bot master has created his own IRC server to host the botnet, from which he can ACL out anyone who isn’t a bot or him. Once the victim is in the channel just about anything is possible: the botmaster can issue commands to download tools, malware or whatever is desired. The botmaster can use the bots in DDoS attacks or load them up with bitcoin mining software; it is really at their disposal.

SDBot has been around since the mid-1990s and still exists today as the most common IRC backdoor trojan; the code is very simple and can be easily modified to bypass anti-virus solutions. Typically IRC botnets are reserved for the most prized possessions of a botnet, which are Linux/Solaris/BSD and other *nix-based servers, and are usually used to DDoS members on IRC that the group has made enemies with, or for sport.

DDoS Botnets – The name says it all: these are malware botnets just like the rest of the ones discussed, with the difference being that the primary focus of these botnets is Distributed Denial of Service (DDoS) attacks. Just like most of the monetary mechanisms used by botnet owners above, DDoS has actually become big business on the underground as well. You can visit a site like hackforums.net and there will be hundreds of ads posted for “stressers” and DDoS botnet leasing services. For as little as $5 you can take down a corporate network for an hour. The DDoS malware typically contains a UDP flooder, a TCP reset flooder (stream), ICMP attacks, IGMP and various other protocols; they can also initiate Distributed Reflection Denial of Service (DrDoS) attacks to mask the botnet owner’s identity.

There have been countless DDoS botnets since 1995, the originals being Tribal Flood Network, Stacheldraht, MStream and Trinoo. These botnets were not automated like the ones of today; in the old days you would hack a *nix server, install the client side of the DDoS software on the host and control it with a master server. These were some of the most powerful botnets ever built: hacker groups would pool their shells and roots into one big collection and load them up for attack. These were not Windows boxes on slow cable modems but instead high-performance computing at places like HUT.FI and TUT.FI, bringing the fastest connections and uplinks in the world together to knock any site, company or even country offline with OC248 power versus a T3 if you were lucky.

DDoS botnets that are still active are Dorkbot, YZF and Ferret, and currently the most dangerous is the XOR Linux botnet, capable of delivering over 200+ GB/s of bandwidth.

Remote Access Trojans (RAT) – When used for administration of legitimate services it is usually referred to as a Remote Administration Tool; when used by hostile actors this type of malware is usually associated with APT threats and state-sponsored activity. A RAT gives the hostile actor a means to access the compromised host or server even if it is protected by layers of security and defense in depth. Originally they used what is known as a bindshell, which is when a command line shell is bound to a specific port; for instance, I edit /etc/services and /etc/inetd.conf, make a root shell on port 4444 and call it “test server” in inetd and services, and once I restart inetd I can remote into the machine by telnetting to port 4444, or SSH in later iterations. Rarely were there firewalls in place to block this type of incoming traffic; the firewalls that did exist were usually host based, and you could simply modify ipchains/iptables to open the port of your choosing, allowing access.

Modern RATs use what is known as a reverse shell to spawn a connection; this means that the initial SYN packet comes from the compromised host within the protected network and would not typically be blocked. The hostile actor runs software such as netcat to listen for the incoming connection and spawn a shell on connect. RATs do not all work the same way: some use ICMP or IGMP knock-back packets, which look harmless but trigger the reverse shell connection; others create subdomains within the network if they can compromise the domain controllers; other types use the RAT software itself to interact with the compromised host. I have even seen RAT software install other remote administration tools such as TeamViewer, which gives the hostile actors GUI access to a compromised Windows machine.

Some examples of RATs include Ramnit, GhostNet and Palevo.

FTP botnets – Formerly a popular choice for malware writers, but they have since lost a lot of traction, mainly because FTP is usually a more restricted protocol these days. FTP malware would search an infected host for password files, financial information, text documents, tax information, banking information, stored credit cards and other personally identifiable information or data of value for the hostile actors to resell on the black market or use for profit.

Some recent examples of these botnets are the Reedum Point of Sale infostealer, USteal and Ghost RAT variants.

Spam Botnets – These botnets usually do not stand on their own; typically they are rolled into one of the above malware families as an extension or module. Spam botnets work by extracting all e-mail addresses on a compromised host from Outlook databases and other e-mail clients’ user lists. The malware uses the infected server’s or host’s ability to send mail and starts spamming the contact lists with links to the same malware or other malware, as well as links that generate revenue from ad clicking. They take advantage of people’s trust in others, who open e-mail from friends in their contact list, which makes them very successful.

A few spam-centric botnets active today are Chanitor and Sanny Daws.

Potentially Unwanted Programs (PUPs) / Riskware – Basically everything discussed thus far falls into the category of “Malware”, but there is another type of software that is commonly referred to as a “PUP”, which basically means there is not enough information at this time to classify the software as malicious or innocuous. Usually more research and reverse engineering of the software is needed to determine its intentions. PUPs can go either way: they may turn out to be malware, legitimate software or adware, or even something else mistakenly classified here. Detection of a PUP usually relies on anomaly-based detection. APT malware would be a good candidate to show up as a PUP, as the purpose of an APT is to stay as low key as possible; therefore anti-virus would never have seen it before, but might be able to question the software’s intent, depending on the quality of the vendor.
