Different Types of Malware and Other Attacks

SLIIT CS2
14 min read · Jun 6, 2021

In this article, I am going to talk about:
👉 Malware (viruses, Trojans, worms, adware, macro viruses, etc.)
👉 Password Attacks
👉 Physical Attacks
👉 Adversarial AI
👉 Supply Chain Attacks
👉 Cloud-Based vs On-Prem Attacks
👉 Cryptographic Attacks (Ransomware)
I hope this gives you a basic idea of each of these attacks.

Indicators of Compromise (IOC)

  • Artifacts observed that indicate, with a high degree of confidence, a computer intrusion.
  • Some potential indicators of compromise:
    👉 Unusual outbound network traffic
    👉 DNS request anomalies
    👉 Mismatched port-application traffic
    👉 Anomalies in privileged user account activity
  • Unusual outbound network traffic can mean data is being uploaded to, or removed from, our network.
  • DNS request anomalies occur when attackers use DNS (port 53) to initiate their attack or to further their exploits inside our network. These are a little more difficult to identify.
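As an added example (not from the original article), here is a small Python script that checks constructed connection and DNS records for three of the indicators listed above: unusual outbound volume, a port-application mismatch, and high-entropy DNS names. The log format, the thresholds and the expected port-to-protocol table are all assumptions made for the illustration.

```python
import math
from collections import defaultdict
# Constructed sample log (not from the article): one connection or DNS event per line
SAMPLE_LOG = """\
conn src=10.0.0.5 dst=203.0.113.9 dport=443 proto=tls bytes_out=1200
conn src=10.0.0.7 dst=198.51.100.4 dport=80 proto=ssh bytes_out=900
conn src=10.0.0.8 dst=192.0.2.77 dport=443 proto=tls bytes_out=950000000
dns src=10.0.0.9 qname=mail.example.com
dns src=10.0.0.9 qname=x7f3k9q2m1z8b4.example-evil.com
dns src=10.0.0.9 qname=a1b2c3d4e5f6g7h8i9.example-evil.com
"""

# Assumed baseline: which application protocol belongs on which destination port
EXPECTED_PROTO = {80: "http", 443: "tls", 22: "ssh", 53: "dns"}

def parse(log):
    """Turn 'kind key=value ...' lines into dicts keyed by field name."""
    events = []
    for line in log.strip().splitlines():
        kind, *fields = line.split()
        ev = {"kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than real words."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def find_iocs(log, volume_limit=100_000_000, entropy_limit=3.5):
    """Return (indicator, source host, detail) tuples for three of the IOCs above."""
    findings, outbound = [], defaultdict(int)
    for ev in parse(log):
        if ev["kind"] == "conn":
            port, proto = int(ev["dport"]), ev["proto"]
            outbound[ev["src"]] += int(ev["bytes_out"])
            # Application speaking on a port where a different protocol is expected
            if port in EXPECTED_PROTO and EXPECTED_PROTO[port] != proto:
                findings.append(("port-application mismatch", ev["src"], f"{proto} on {port}"))
        elif ev["kind"] == "dns":
            label = ev["qname"].split(".")[0]
            # Long, high-entropy leftmost labels are a classic DNS tunnelling/DGA sign
            if len(label) >= 12 and shannon_entropy(label) > entropy_limit:
                findings.append(("DNS anomaly", ev["src"], ev["qname"]))
    # Total outbound bytes per host well above the norm suggests exfiltration
    for src, total in outbound.items():
        if total > volume_limit:
            findings.append(("unusual outbound volume", src, f"{total} bytes"))
    return findings
```

Calling `find_iocs(SAMPLE_LOG)` on the constructed log flags one host for SSH on port 80, one for a huge outbound volume, and two random-looking DNS labels.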

Adware

  • Advertising bundled with some software; it shows up as pop-up ads or as the browser automatically loading commercial sites. (It usually arrives through unsafe torrents or untrusted software.)
  • In effect, it hijacks the web browser or the operating system.
    📌️ Hijack: adding extra code to the operating system or web browser so that it shows pop-up ads, automatically loads commercial sites, and so on.

Attack kit

  • Used to generate malware (a crimeware toolkit) from a variety of supplied propagation and payload mechanisms.
  • The kit offers a list of propagation and payload mechanisms, so malware can be assembled from them without much computer knowledge.

Downloaders

  • A tiny piece of code that, once inside the system, downloads the attacker's payload; this is what we call a downloader.
  • Attacking a system directly is difficult for the attacker, because the system has antivirus software, firewalls, and intrusion detection and prevention software, so a large piece of code cannot be delivered without being detected. The attacker therefore uses a downloader to fetch the payload.
  • In other words, the attacker first inserts the downloader, which then imports the larger malware package.

Drive-by-download

  • An attack that uses code on a compromised website to exploit a browser vulnerability and attack the client system when the site is viewed.

Exploits

  • A single piece of code or a sequence of commands that takes advantage of a vulnerability. Exploits are sometimes useful code, because they can be used to check the security strength of a system.

Virus

  • Malicious code that requires user interaction to install and replicate.

Top 7 viruses

1. Stuxnet (2009–2010)
2. Conficker (2009)
3. MyDoom (2004)
4. SoBigF (2003)
5. ILOVEYOU (2000)
6. CODERED (2001)
7. SLAMMER (2003)

Virus life cycle

πŸ“ŒοΈActually, the virus has four phases of the cycle.

  1. Dormant Phase
    πŸ‘‰ The virus is idle and doesn’t do anything.
    πŸ‘‰ The virus is hard to detect in this phase.
    πŸ‘‰ But every virus hasn’t this phase, then that kind of virus active all time.
  2. Propagation Phase
    πŸ‘‰ Put a copy into other programs by itself or from the attacker’s help.
    πŸ‘‰ When copying into another program, the virus changes its structure (pattern-based structure). And it helps to avoid direction. Because some detection mechanisms are based on pattern-based signatures.
  3. Triggering Phase
    πŸ‘‰ The virus is activated to perform its intended function.
  4. Execution Phase
    πŸ‘‰ Release the payload.

Cryptographic Malware (Ransomware)

  • Malicious applications that scare or scam users into taking some type of action.
  • In practice, it encrypts all of the user's files and demands payment to decrypt them (typically paying the creator to remove the ransomware and decrypt the files).
  • Ransomware is very harmful to individuals, but not as harmful to organizations as it is to individuals, because organizations restrict access to some data and always use encryption mechanisms.
  • An example of ransomware is the WannaCry attack (Wcrypt):
    👉 This specific piece of malware (ransomware) literally holds a user's PC and their data for ransom.
    👉 It quickly spread to over 150 countries and infected 200,000 computers within just a day.
    👉 It spread via the Microsoft "EternalBlue" vulnerability.
    👉 Patched with MS17-010.

Trojan Horse

  • A computer program that appears to have a useful function but also has a hidden, potentially malicious function that evades security mechanisms, sometimes by exploiting the legitimate authorizations of the system entity that invokes the Trojan horse program. The malicious component can be a RAT (Remote Access Tool).

Common Remote Access Tools (RAT)

πŸ“ŒοΈ Project BioNET
πŸ“ŒοΈ NetBUS
πŸ“ŒοΈ Sub7
πŸ“ŒοΈ Back orifice
πŸ“ŒοΈ BO2k (Back orifice 2k)
πŸ“ŒοΈ Beast
πŸ“ŒοΈ Lost Door

  • Basically, a RAT can upload and download files, watch the webcam, turn on the microphone, and work like a keylogger.

Macro Viruses

  • A type of virus that uses macro or scripting code, typically embedded in a document, and triggers when the document is viewed or edited, running and replicating itself into other such documents.
  • Ordinary viruses attach to .exe files and execute together with that file; this kind of virus attaches to a document instead.
  • Malicious developers gain more from developing a macro virus than a normal virus that attaches to .exe files, because .exe files are tied to the Windows platform, whereas a virus attached to a document can spread to more platforms easily and do the same damage.
  • Email providers do not allow .exe files to be sent, but they accept these documents, so this kind of virus can spread easily via email.
  • We don't deal with .exe files all the time, but we do deal with documents, so macro viruses can do harm whenever we view or edit an infected document. A document having read, write and execute privileges works to the virus's advantage.

Worms

  • Worms are self-replicating programs that are usually self-contained and can execute and spread without user interaction.
  • Worms have a range of propagation mechanisms; the best-known one is exploiting a vulnerability in the target.
  • Worms propagate rapidly. The fastest-spreading malware was Code Red. Some malware combines virus and worm properties.

Two main types of worms

  1. Network service worms
    👉 Exploit network service vulnerabilities to propagate and infect other hosts.
  2. Mass mailing worms
    👉 Exploit email systems to spread and infect other hosts.

Potentially unwanted program (PUP)

  • Applications that are typically downloaded as part of another program (adware, spyware).

Fileless Virus

  • Malware that operates entirely in memory.
    👉 Not stored in a file nor installed on the victim's machine.
    👉 Typically hooks into a Windows PC via PowerShell or WMI.
    👉 A 2017 Ponemon Institute study estimated that 77% of detected attacks were fileless.
    👉 Fileless viruses are hard to detect.

Common Fileless Virus / Malware tools

πŸ“ŒοΈ Fileless / Attack Framework Examples.
πŸ‘‰ Empire
πŸ‘‰ Power splot (Which is a PowerShell Exploit Framework)
πŸ‘‰ Metasploit
πŸ‘‰ CobalStrike

  • Enables Fileless Malware creation and PowerShell post-exploit framework.
    πŸ“ŒοΈ Post-exploit: meaning is once it’s attached to your system, that may allow backdoors, that may modify the registry, that might upload & download files, or might do any number of things to allow an attacker to gain persistence on your system and then pivot and start trying to work their way through your network.

Botnets

  • Malicious code that infects a large number of hosts for the purpose of launching large-scale attacks on a specific target.
  • The attacker can be located anywhere in the world.
  • A botnet is a large collection of bots controlled by the botmaster.
    📌️ Botmaster: the one who created the botnet program and uses a rootkit or other means to gain remote access to the malware-infected machines.
  • The bots are controlled through one or more command and control (C&C) servers.
  • C&C servers can direct thousands of bots (zombies) in massive DDoS attacks.

Flooders (DoS Client)

  • Used to generate a large quantity of data to attack networked computer systems with DoS attacks.
  • A simple DoS attack:
    👉 Install a DoS flooder.
    👉 Give it the target IP address as the destination.
    👉 Ask the flooder to generate a large number of packets of a certain type towards the target.
  • Flooders can also be used simply to generate network traffic.

Logic bomb

  • Malicious code that triggers after a period of time or on some date-specific event.
  • Potentially very hard to detect.
    👉 In some cases we back up our data, but if a logic bomb in its dormant phase is included in that backup, we cannot detect it.

Spyware

  • Software that collects information from a computer and transmits it to another system, by monitoring keystrokes, screen data, and network traffic, or by scanning files on the system for sensitive information.

Keylogger

  • A malicious application that, once installed on a host, can capture all keystrokes:
    👉 Usernames and passwords
    👉 Sensitive information
    👉 Emails / chats / instant messages
  • Captured log files can be uploaded to a remote location or stored locally for later retrieval.

📌️ Some online banking systems provide virtual keyboards to defeat keyloggers.

Rootkits

  • Malicious code used after an attacker has broken into a computer system and gained root-level access. A rootkit lets the attacker retain continuous remote access to kernel subsystems: once the system is compromised, the rootkit is installed to maintain that access. Rootkits are hard to detect from within the system.
  • Rootkits are very difficult to get rid of:
    👉 They load before the operating system.
    👉 They can disable antivirus and anti-malware software.

Backdoors (Trapdoor)

  • Backdoors give unauthorized access to a system without going through its authentication method (they bypass the authentication mechanisms).

Spraying

  • Feeding a large number of usernames into a program that loops through passwords.
  • A brute-force type of attack that can be combined with dictionary attacks or a database of compromised passwords.

Mitigation Method

πŸ“ŒοΈ Can be mitigated by using two-factor authentication (2FA).

Brute-force Attack

  • A systematic approach that tries every possible combination of passwords or passphrases.
    👉 Time-consuming
    👉 Resource-intensive

Mitigation Method

πŸ“ŒοΈ Most accounts will look out after some number of attempts to enter passwords.
πŸ“ŒοΈ The length of the password increases the time takes to crack the password.

Dictionary attacks

  • Using known words to try to break the cipher.
    👉 Uses the words in a dictionary, i.e. a predefined set of possible words.
    👉 Faster than brute force, in that only words that are likely to succeed are tried.

Common tools

πŸ“ŒοΈ Brutus
πŸ“ŒοΈ Cain and Abel
πŸ“ŒοΈ Crack
πŸ“ŒοΈ Aircrack-ng
πŸ“ŒοΈ John the Ripper
πŸ“ŒοΈ Airodump-ng
πŸ“ŒοΈ LOphtCrack
πŸ“ŒοΈ Metasploit Project
πŸ“ŒοΈ Ophcrack

Hybrid method

  • A hybrid attack is a brute-force attack that first combines a dictionary attack with variations of the words, and only then falls back to a plain brute-force attack.
    👉 Used before resorting to a plain brute-force attack.

Rainbow tables

  • A precomputed table for reversing cryptographic hashes.
    👉 Reduces the time needed to brute-force a password.
    👉 Increases the amount of storage needed to hold the rainbow tables.
    👉 A separate rainbow table is needed for each hash type (MD5, SHA-1, etc.).

Mitigation Method

πŸ“ŒοΈ Can be mitigated using the β€œpassword salting”
πŸ‘‰ Adding random data to the hashing algorithm. So that each user’s hash is unique even if both have the same password.
πŸ‘‰ A larger salt value increases more security.
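As an added example (not the article's own code), this Python snippet shows why a precomputed hash table works against plain SHA-256 and fails against salted hashes: two users with the same password get different stored values, and the table lookup misses. Using PBKDF2-HMAC-SHA256 as the slow salted hash and the four-word list are my assumptions; the article only calls for salting.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for the dictionary a rainbow table is built from
WORDLIST = ["password", "letmein", "qwerty", "summer2021"]

def unsalted_hash(password):
    """Plain SHA-256 of the password: exactly what a precomputed table can reverse."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(words):
    """Precompute hash -> word; a rainbow table is a compressed form of this idea."""
    return {unsalted_hash(w): w for w in words}

def lookup(table, digest):
    """Return the word for a digest, or None when the table has no entry for it."""
    return table.get(digest)

def salted_hash(password, salt=None, iterations=200_000):
    """Per-user random 16-byte salt plus a slow KDF; stored as 'salt$derived-key'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password, stored, iterations=200_000):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = stored.split("$")
    recomputed = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(recomputed, stored)

def demo():
    """Two users who chose the same weak password, with and without salting."""
    table = build_table(WORDLIST)
    alice_plain, bob_plain = unsalted_hash("letmein"), unsalted_hash("letmein")
    alice_salted, bob_salted = salted_hash("letmein"), salted_hash("letmein")
    return {
        "unsalted_identical": alice_plain == bob_plain,  # one table hit exposes both users
        "unsalted_cracked": lookup(table, alice_plain),  # the table returns "letmein"
        "salted_identical": alice_salted == bob_salted,  # salts differ, so hashes differ
        "salted_cracked": lookup(table, alice_salted.split("$")[1]),  # table misses
        "salted_verifies": verify_salted("letmein", alice_salted),
        "wrong_pw_rejected": verify_salted("qwerty", alice_salted),
    }
```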

Known Plaintext / Ciphertext

  • The attacker has access to both the plaintext and its encrypted output (ciphertext).
    👉 The attack can be used to reveal further information, such as the secret keys or codebooks used to encrypt subsequent messages.

📌️ The Advanced Encryption Standard (AES) cipher is not vulnerable to this type of attack.

Birthday attack

  • A brute-force attack that exploits the cryptographic phenomenon of hash collisions.
    👉 Given enough attempts, two independent inputs can yield the same hash value. (The rate of occurrence varies with the hash algorithm.)
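As an added illustration that is not part of the original article, the birthday bound shows why collisions turn up far sooner than a naive search suggests. For a hash with $N = 2^{b}$ possible outputs, after hashing $n$ random inputs the probability that at least two of them collide is approximately

$$P(\text{collision}) \approx 1 - e^{-n^{2}/(2N)},$$

so the number of hashes needed for a 50% chance of a collision is

$$n \approx \sqrt{2N \ln 2} \approx 1.18 \cdot 2^{b/2}.$$

For a 128-bit digest such as MD5 that is about $2^{64}$ hash computations, not the $2^{128}$ a search for one specific value would need, which is why a hash's collision resistance is only half its output length in bits.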

Downgrade attack

  • The attack forces a system to negotiate down to a lower-quality method of communication.
    👉 Allows an attacker to force a lower-grade, less secure method of communication.
    👉 Such downgrades are typically allowed in order to enable communication with legacy systems.
    👉 Often used together with Man-in-the-Middle (MiTM) attacks.

Physical attacks

Malicious universal attacks

  • It basically doesn't matter where the system resides; this part of the attack surface is universally applicable.
  • So things like gates, locks and doors are all things we should be aware of from a physical security standpoint.

Universal serial bus (USB)

  • USB is an attack vector, and there are a number of ways attackers and hackers gain access to a system via a USB drive, for example actual malicious flash drives.

Malicious flash drive

  • One of the easiest things to do is take a handful of infected USB sticks and drop them in a parking lot or in fairly conspicuous places around the company. Someone picks one up and plugs it into their computer. It may or may not look malicious: it could be an empty drive, or it could hold some files. But the point is that it launches a RAT behind the scenes. (RAT: Remote Access Trojan)

Card cloning

  • Where we can actually clone an RFID card, an NFC card, or even a credit card.

Skimming

  • Some skimming techniques:
    👉 A card reader used at the checkout counter that scans the magnetic stripe.
    👉 A duplicate card reader that slips over the ATM's card reader and copies the magnetic stripe information.

Adversarial Artificial Intelligence

Tainted Training Data for Machine Learning

  • A technique for fooling models by supplying deceptive input.

Security of Machine Learning Algorithms

πŸ“ŒοΈ Threat modeling
πŸ“ŒοΈ Attack simulations
πŸ“ŒοΈ Countermeasure simulations
πŸ“ŒοΈ Secular running algorithms

Supply Chain Attacks

  • An attack on an organization that targets less secure elements in its supply network (much like watering hole attacks).
    👉 Advanced persistent threats.
    👉 Target victims further down the supply chain network.

Examples:
📌️ POS (Point of Sale) malware / infected USB sticks
📌️ Malware (or hardware) installed on computer equipment or network gear before it reaches the target company.

Supply chain attack example

📌️ Consider an e-commerce company that uses a third-party ad company to serve pop-up ads. If an attacker compromises that third-party ad company and injects malware into its servers, the customers of the e-commerce websites are affected, along with their credit card details and order details.

Cloud-based vs On-Premises Attacks

  • The effectiveness of security depends on many factors:
    👉 Type of company / data centres
    👉 Industry (regulations, compliance)
  • Infrastructure refreshes
    👉 If we are in the cloud, we don't really have to worry about infrastructure refreshes.
  • Cloud provider security
    👉 Large security staff
    👉 Deep expertise across a wide range of industries
    👉 24 × 7 monitoring
    👉 Compliance and regulatory expertise

I think you now have an idea of the different types of malware and attacks. Below are other blogs written by me; if you are interested in these topics, you can read them via the hyperlinks.

✅ Comparing Different Types of Social Engineering Techniques
✅ COLDDBOX:EASY [Vulnhub] Walkthrough
✅ Basic Pentesting: 1 Walkthrough | Vulnhub

Written by Dinidhu Jayasinghe, 3rd Year 1st Semester Cyber Security Student, SLIIT
