3a. Define indicators of compromise and determine the type of malware - Virus/Malware


What is a Virus?

A computer program that is usually hidden within another seemingly innocuous program, produces copies of itself and inserts them into other programs, and usually performs a malicious action (such as destroying data). It requires a particular action to work and can have different goals.

A virus is a type of malware, or malicious software, that seeks to infect a host application and then waits until the user executes a program, which subsequently activates it and delivers the payload. A payload is the malicious content that the hacker wishes to place on the host device. If external devices such as a USB drive or tablet are connected, they too may become infected. Though there are a multitude of viruses out there, they all need the user to run the executable (a program) so it can embed itself into other programs on the computer, file system, USB drive or even network.

• Designed to self-replicate as a virus would do in the human body
• The virus NEEDS the user to run an executable (a program) in order to transfer itself to other programs on your computer, file systems, USB drive or even network
• Viruses can be very difficult to detect, as some may simply record the interactions of the user while others can lock the user out of their files or delete them altogether
• Very common on Windows OS, so it is essential to update antivirus signatures daily
• Thousands of new viruses are discovered weekly, which is why it's critical to update your signature file

Boot Sector Virus

Action: Powering your computer on.

• The boot sector refers to the first code on the disk and thus starts the boot sequence
• Older type of virus that doesn't need an operating system
• Attacks the boot sector code and overwrites it
• Sits in the boot sector of your hard drive, and when the machine starts up it becomes infected
• Difficult to remove; if the user is in the operating system they may not have direct access to the boot sector, in which case a special disk/program must be used when booting up to find and remove it

Macro Virus

Action: Push buttons for a macro. A macro virus will replace an action with a virus, such as keyboard functions like Ctrl+C or Ctrl+V.

• Malware that is encoded as a macro embedded in a document
• A macro runs within a program such as Word or Excel, and the virus gains access to the OS when the program is running. Many are Visual BASIC scripts that exploit commonly used MS apps
• Macro viruses are application specific rather than OS specific and propagate very rapidly via e-mail

Program Virus

Action: Run a .exe file. If you run a virus that looks like a .exe file that you have run before, your computer becomes infected when you click it to run the file.

• Very common; part of the application / embedded into the application
• Could be attached to the program itself, activating when the application starts

Script Virus

Action: Run a script. Occurs when you run a script: it looks like an ordinary script, and when you manually run it you accidentally infect your computer.

• Not very common; part of the operating system
• Could be scripting in a browser, i.e. JavaScript
• JavaScript is a common language and easily accessed, therefore attackers can easily gain access to your operating system

Common Viruses/terms

Antivirus software - designed to detect and destroy many types of computer malware
Armored - a virus that is coded specifically to avoid detection/decryption
Boot Sector - virus that infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks
Macro - a virus written in a macro language to specifically target software applications such as Microsoft Office products
Malware - software intended to damage or disable computers and computer systems
Multipartite - AKA a hybrid virus that has dual characteristics and attacks both program files and system sectors
Parasitic - attaches itself to programs/executables so that when they are run, the virus is launched first and infects as much as possible
Payload - data that is transmitted; the actual data that is encapsulated in a packet and transmitted on a network
Polymorphic - virus that mutates each time it is run, but its semantics (the function of the code) do not change
Retrovirus - actively attacks antivirus programs in an effort to prevent detection
Stealth - uses various mechanisms to avoid detection by antivirus software (can hide the size of the file or temporarily relocate itself)

What is Malware?

Malicious software. Includes viruses, but is not limited to viruses. It can include the collection or destruction of software. In general, it is designed to do something bad.

Armored Viruses

• Makes itself difficult to detect or analyze
• Contains protective code that stops debuggers or disassemblers from examining the code

Polymorphic Viruses

• Polymorphic means genetic variations
• The virus is very successful because it changes its code with variations every time it is run, but the actual function of the virus remains the same

Parasitic (File Infector Virus)

• Copies itself into other programs
• When an infected file is executed, the virus is loaded into memory and tries to infect other executables

Retrovirus

• Designed to avoid detection by actively attacking the antivirus programs attempting to detect it

Stealth Virus

• Hides itself by intercepting disk access requests
• When an antivirus program tries to read the files or boot sectors to find the virus, the stealth virus feeds the antivirus program a clean image of the file or boot sector

Multipartite Virus (Multi-Part Virus)

• Viruses that are able to use both boot sector and file infector methods (i.e. DOS executables) working together to either embed themselves into the system or copy themselves somewhere else
• Needs both a program virus and a macro virus running at the same time, working together to embed, copy and go somewhere else
• Every part needs to be removed to prevent re-infection
• When the virus attaches to the boot sector, it will affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector

