Threats 101
Jonathan Crowe
Dec 2015

The 6th Day of Breach-mas: 6 Types of Malware


We're halfway through our 12 Days of Breach-mas, and so far the tips and tactics we’ve been delivering have focused on developing a better understanding of your top security priorities and needs. But to really know what kinds of protection you should have in place you also need to understand what it is you’re up against, and that's where today's post comes in.

Below we'll introduce you to six classes of malware. The more you know about how these malicious pieces of software operate — what makes them dangerous, how they get around anti-virus and other traditional endpoint protection, and what they were created to accomplish at your expense — the better you can prepare your defense.


Before we dive into each malware class description, let’s take a closer look at the different elements involved in any cyber attack:

Elements of a cyber attack

  • Endpoint: The target of the attack. The purpose of the attack is to control, corrupt, or disable the endpoint.
  • Vulnerability: The weakness that permits the endpoint to be penetrated. Vulnerabilities include software flaws, system design weaknesses, insecure configurations, and even human errors.
  • Malware: Malicious software. There are many different types of malware, and attacks often involve more than one. As you’ll see in the following pages, one way to classify them is by their purpose or intended effect.
  • The delivery vehicle: Malware is delivered to victim machines through a variety of techniques from social engineering (phishing, etc.) to USB sticks.
  • Method of execution (MoE): The means through which attackers get the resources necessary (access, processing time, data, etc.) to execute an attack.

In order for security protection to successfully stop a cyber attack, it needs to thwart the malware from achieving its purpose or desired effect.


6 Classes of Malware

1) Depositors

Malware whose primary purpose is to land and expand.

  • Why they were created: To conceal the introduction of malware by separating the exploit of the system from the execution and installation of the malicious program.
  • Two basic types:
    • Downloader: A type of trojan program that, once running, fetches and installs the malware executables.
    • Dropper: A type of trojan executable that combines both the installation functionality and the actual malware program within the same object. As a result, a dropper does not necessarily require a permissive network connection.
  • Why they're dangerous: Depositors allow attackers to sneak malware past anti-virus and other traditional security before transforming it into its executable form.
  • Example in action: Cryptowall 2.0 utilized a sophisticated dropper that embedded multiple potential exploits to infiltrate target systems. It performed anti-VM and anti-emulation checks prior to decrypting and executing the malware, decreasing the likelihood of identification and detection, and had the capability of executing 64-bit code from a 32-bit dropper.

2) Ransomware

Malware that threatens to destroy or permanently remove access to data unless a victim makes payment.

  • Why they were created: To extort money from victims.
  • Two different types:
    • Encrypting Ransomware: Takes an inventory of system files, and then encrypts either all or part of the critical assets. Victims are shown a screen with instructions on how to pay an untraceable ransom to decrypt the files.
    • Destructive Ransomware: Demonstrates its presence on the system, disabling administrator access, and demands payment to avoid the automatic destruction of data or system operation.
  • Why they're dangerous: Ransomware provides attackers with an easy and lucrative way to monetize their exploits on systems. Inexpensive and extensible ransomware packages are common and freely available. Like depositors, ransomware can lie dormant for long periods of time, avoiding detection and making it difficult to trace.
  • Example in action: The most notorious examples of ransomware are Cryptowall and Cryptolocker, which have reportedly cost over $48 million in payments.


3) Backdoors

Malware that provides at-will unauthorized remote access or command and control.

  • Why they were created: To give attackers repeated and unfettered access to exploited systems for reconnaissance, or to leverage systems for botnets or future attacks against others.
  • What they do: Backdoors find ways to make their existence persistent and undetected across reboots, providing attackers the ability to tap back into the system and reconnect. Botnets are the most common type of backdoor.
  • Why they're dangerous: Any good attack will take the time to leave a machine open to future visits via a backdoor, and backdoors spread rapidly. In 2014, it was reported that 18 systems were infected with botnets every second.


4) Credential Stealers

Malware used to steal user IDs, passwords, or session authorization.

  • Why they were created: For most attackers, getting onto one machine is just a start. Once there, they want to see and steal the IDs and passwords that give access to a much larger number of systems, services, and accounts.
  • What they do: Credential stealers can operate in any number of ways. The easiest way is to install a keystroke logger that will record every key that is struck, showing all your IDs and passwords. For other systems, they can wait until you establish an authorized connection and steal the active credential information of the session in which you're operating.
  • Why they're dangerous: By leveraging just one user’s system, attackers can gain access to a host of local machines, hosted services, and critical servers, which, in addition to providing assets to steal, will be used to expand the attacker’s reach.


5) Virus/Worm

Self-replicating, self-perpetuating malware.

  • Why they were created: Viruses and worms infect host systems and then spread to infect others autonomously.
  • What they do: Once on a system, viruses and worms insert copies of themselves into programs, files, and drives. Worms can then execute actions to spread onto other computers via their network. Worms and viruses can also carry additional “payloads” designed to perform harmful or disruptive activity on their infected hosts.
  • Why they're dangerous: This class of malware creates damage that rapidly becomes widespread. Worms can enable attackers to create a network of hijacked machines (a botnet) for use as spam hubs or distributed denial-of-service (DDoS) attack centers, while viruses are often shared by unaware users who go on to infect others.


6) Vandalizers

Malware that is purely destructive in nature.

  • Why they were created: To damage and/or deface websites, systems, and machines.
  • What they do: Once a vandalizer has access to a vulnerable site it can replace site content, redirect users to other locations, or bring the system down completely.
  • Why they're dangerous: Vandalizer attacks can strike without warning and be very public. Unlike ransomware, they don’t give victims the opportunity to pay up to avoid the attack. A successful vandalizer can make systems inoperable, permanently destroy data and configurations, and create protracted downtime.
  • Example in action: The Syrian Electronic Army has prominently used vandalizers to hit such high-profile media companies as the Associated Press, the New York Times, and the Washington Post. In the latter case, visitors to the Post’s mobile site received pop-up alerts with propaganda messages.


Note: Malware can and almost always does team up.

It’s important to recognize that these classes of malware rarely operate in isolation. Good cyber attacks will involve multiple classes of malware to increase effectiveness, enable rapid propagation, or obfuscate underlying operations.

As an example, attackers could use a downloader to establish a command and control infrastructure for ransomware, then they might use a worm to propagate a vandalizer against monitoring systems, and steal access credentials to a hosted email account to spread the ransomware further.


Editor’s note: This is the sixth post in our “12 Days of Breach-mas” series — every day we’re sharing new tips and insights to help keep you more secure. For a recap of what you may have missed, see our summary post here.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
