Malware Components Part 4: Malware Behaviors

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
3 hours 41 minutes
Difficulty
Advanced
CEU/CPE
5
Video Transcription
00:00
now where, as we know is defined. It's malicious software. And of course, we'd expect bad things to happen on our system. Once malware is running,
00:07
typically, malware does two basic things. It installs itself, and it does. It's evil work in this section. We're gonna learn about mall wears, components and behaviors.
00:20
Malware today is developed using similar stages of that of regular software.
00:25
To ensure malware authors always impact a large amount of people. They're now targeting various operating systems such as Windows Mac, Lennox, Android and they even developed malware for Skate A devices Pos Systems, A T M's thean er, net of things, satellite systems and more.
00:42
Now, although we've got different malware for different platforms, typically, malware has different components that can be segregated. Thes components can be divided into payloads. Persistence, packers, malware, self armoring propagation and communication
00:59
here will provide an overview of these components, and then we'll dive into them a bit more in later modules. A payload is a mandatory component of malware. While it's true that a malware infection can happen with the aid of multiple binaries which could be chained together, the term payload is reserved for the primary component of the malware.
01:18
This binary performs malware is primary functions, and it implements the true intent of the attacker.
01:23
Now payloads these fall into different classifications, such as passwords, dealers, adware, ransomware as well as droppers and downloaders. Generally, we classify them our based on the payload.
01:38
Now, sometimes we have an outer layer around the payload that compresses and obfuscates the payload. This is the Packer Packers have the ability to fool or go undetected by anti virus software. When we analyze Mauer or perform reverse engineering, we typically need to remove this outer layer to understand how the payload is functioning,
01:56
which is called the impacting process.
01:57
Now we're gonna talk about unpacking malware in an upcoming module
02:01
once we defeat a packer if we have one. Malware typically contains one or more of the additional components that we have listed here. Let's begin with communication. So usually malware wants to communicate with the attacker infrastructure. Maybe malware wants to receive command and control instructions.
02:20
Or maybe it wants to upload stolen data.
02:22
This is referred to as commanding control, or C two.
02:27
Now, where communication is typically enabled by any array of different techniques, it could be IRC http https, or even D. N s
02:37
where now we're communication in the past has been rather simple to intercept and decode. In recent years, with the advancements of encryption and network detection products,
02:46
malware has implemented MAWR complex communication mechanisms, which make it harder to detect and analyze in addition to communication. Typically, malware wants to hide itself on the system so that the user doesn't detect it's presence. This is called malware Stealth.
03:04
Today, it's even more important for malware to hide from anti malware, an anti virus software,
03:08
because typically we have these defense mechanisms installed on our systems. To defeat these defenses, malware can implement stealth mechanisms. Stealth mechanisms can range from simple techniques like altering file properties. Toe more complex implementations such as infecting clean programs on the system,
03:28
code injection
03:29
process, hollowing and installing root kits. If not being able to detect malware wasn't bad enough. Now, where authors typically don't like us to reverse engineer their malware, so they create obstacles which prevents us from doing so known as armoring. Now, armoring usually is meant to hinder analysis.
03:46
While evasion techniques are meant to thwart anti malware analysis tools,
03:53
some of These techniques include identifying the analysis environment, looking at the malware tools that are installed on our system, using and detecting if we're running malware in a virtual machine, looking at the processor, implementing anti debugging and anti analysis techniques.
04:11
Anti evasion techniques could include and a virus evasion network security and sandbox evasion. Detecting whether user interaction is automated. Detecting whether malware is running an unknown sandbox, using timing attacks and detecting sandbox agents
04:26
once malware is installed on the system. Typically, malware wants to always run in state resident by surviving system reboots. This is called persistence.
04:35
Most malware makes use of various OS features to remain resident and running, such as adding run keys to the registry, setting up scheduled tasks, adding itself to run folders and installing itself as a Windows service.
04:50
In addition to remaining resident in the system, Malware wants to typically propagate to his maize devices on the network as possible, an attempt to compromise additional targets. In these instances, malware would typically implement techniques to perform reconnaissance, steal credentials, exploit vulnerable systems by taking advantage of weak security controls
05:10
and compromise internal network protocols such as SMB
05:15
in general. Now we're needs to be distributed to infect victims
05:19
now, although creating malware is pretty difficult, sometimes distribution can be equally difficult to be successful in distributing malware, Attackers typically try to make sure they can't be traced back to a particular malware sample.
05:32
In addition, distributing the Mauer should be effective in infecting the target machine if it's part of a targeted campaign. Tha now, where should be able to disregard unintended victims, and the mechanisms should be able to bypass security products.
05:50
Generally, the delivery mechanisms
05:53
can be grouped into three broad categories. We've got physical delivery. This can take the form of a USB flash drive, and then the flash drives can be shared across machines. Also, we've got infected websites. This is where the victim is infected when they visit a website. Usually it can occur
06:14
in the background without the user's knowledge,
06:15
and probably the oldest and most effective technique is delivery over email. Emails, as we know, use a combination of techniques. For instance, emails could contain links to malicious websites. The email could have malicious office documents or PDFs attached, or lastly, the emails could contain downloaders,
06:35
which, upon execution,
06:38
retrieve second stage payloads
06:41
in most cases. Malware infections, no matter which mechanism is used, typically includes some type of social engineering.
06:50
All right, so now that we've looked at the components of Mauer and we've looked at the distribution channels,
06:55
let's close the module with a brief summary.
Up Next
Advanced Malware Analysis: Redux

In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab set up and put participants hands on with malware analysis.

Instructed By