CEH - Part 3B Malware

Worm

- Exploits and replicates.
- Infects a system by exploiting a vulnerability in an OS or application and replicating itself.
- Spreads through the infected network and can install backdoors.
EX: Monero, Bondat, Beapy

The phases in Fileless malware attack

1. Point of Entry
2. Code Execution
3. Persistence
4. Achieving Objectives

The Virus Lifecycle

6 stages from origin to elimination:
1. Design: Development of virus code using programming languages or construction kits.
2. Replication: The virus replicates for a period within the target system and then spreads itself.
3. Launch: The virus is activated when the user performs specific actions such as running an infected program.
4. Detection: The virus is identified as a threat infecting the target system.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine: Users install antivirus updates and eliminate the virus threats.

.text

: Contains instructions and program code that the CPU executes.

-e

: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

-o

: Displays active TCP connections and includes the process ID (PID) for each connection.

-n

: Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.

-a

: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

Point of Entry

: In this stage, the fileless malware takes advantage of memory exploits, malicious websites, phishing mail, and malicious documents.

Netstat

: It displays Active TCP connections and ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). When used without parameters, netstat displays only active TCP connections.

Dropper

: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute the malware on a target system without being detected by antivirus scanners.

Sandbox

: To perform dynamic analysis manually.

Cerber

: Uses RC4 and RSA algorithms for encryption

Persistence

: In this stage of a fileless malware attack, since the malware is memory-based, restarting the system would remove the malicious code from memory and stop the infection. However, depending on the goal of the attacker, malicious scripts can be stored in various Windows built-in tools and utilities such as the Windows registry, WMI, and Windows Task Scheduler, and be set to run even after a system reboot.

Sheep Dip

A computer installed with port monitoring, file monitoring, network monitoring, and antivirus software and connected to a network only under strictly controlled conditions is known as:
- Sheep Dip
- Droidsheep
- Malwarebytes
- Sandbox

Rainbow Table Attack

An optimized, technological resource for "cracking" cryptographic hash functions and discovering plaintext passwords in an authentication database.
- This tool uses a specific algorithmic matching function to essentially look up the information needed to crack password hashes.
- This tool will not work with salted hashes, as the salt adds additional random values to the original hash.

DDoS

Attack comes from multiple computers, called botnets.
Attack types:
- Volumetric
- Fragmentation
- Application Layer

Legitimate applications

Attackers exploit legitimate system packages installed in the system, such as Word and JavaScript, to run the malware.

In-Memory Exploits

Attackers inject a malicious payload into the RAM that targets the legitimate process without leaving any footprints.

Social Engineered Click-jacking

Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.

Windows services monitoring

By conducting which of the following monitoring techniques can a security professional identify the presence of any malware that manipulates HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide its processes?
- Startup programs monitoring
- Windows services monitoring
- Process monitoring
- Registry monitoring

Kernel32.dll

Core functionality, such as access and manipulation of memory, files, and hardware

Port 20/22/80/443

Emotet

Dharma

Encrypts files using the AES-256 algorithm. The AES key is also encrypted with RSA-1024.

Polymorphic virus

Encrypts itself using a variable Encryption Key so that each copy of the virus appears different.

WannaCry

Exploits SMB. Uses a combination of the RSA and AES algorithms to encrypt files.

Script-based Injection

Fileless attacks are also performed using scripts in which binaries and shellcode are embedded, obfuscated, and compiled to avoid file creation on disk. Scripts allow attackers to communicate with and infect applications or operating systems without being traced.

Port 31/456

Hackers Paradise

The OS performs a One-way Hash of the passwords

How does the Security Account Manager (SAM) database in Windows operating system store the user accounts and passwords?

Mirai

Identify the Botnet Trojan that exhibits the following characteristics:
- Login attempts with 60 different factory default username and password pairs
- Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola)
- Connects to CnC to allow the attacker to specify an attack vector
- Increases bandwidth usage for infected bots
- Identifies and removes competing malware
1. Mirai 2. PlugBot 3. Ramnit 4. Windigo

Process monitor

Identify the monitoring tool that exhibits the following features:
- Reliable capture of process details, including image path, command line, user and session ID.
- Configurable and moveable columns for any event property.
- Filters can be set for any data field, including fields not configured as columns.
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data.
- Process tree tool shows the relationship of all processes referenced in a trace.
- Native log format preserves all data for loading in a different Process Monitor instance.
1. Process monitor 2. IDA pro 3. Netstat 4. TCP view

Code Execution

In this stage, the fileless malware performs code injection, running malicious code directly in memory, or uses script-based execution with legitimate tools such as PowerShell, cscript, and VBScript to load scripts.

System compromise

In which of the following phases of an Emotet malware attack does Emotet communicate with a malicious C&C Server to receive a malicious payload and upgrade itself to exploit the system?

Godzilla

It is a downloader that can be used for deploying malware on the target machine

Emotet

It is a dropper/downloader for well-known banking Trojans such as Zeus Panda Banker, TrickBot, and IcedID, used to infect victims globally.

Obfuscator

It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.

Crypter

It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms.

N32dll.dll

It is a type of DLL file associated with third-party application developed by Windows Software Developer for the Windows Operating System.

Point-of-Sale Trojans

It is a type of financial fraud malware that targets payment equipment such as credit card/debit card readers. Attackers compromise such payment equipment and grab sensitive information regarding credit cards, such as the credit card number, holder name, and CVV number.

IExpress Wizard

It is a wrapper tool that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc.

Dynamic Malware Analysis:

It is also known as behavioral analysis. It involves Executing the malware code to know how it interacts with the host system and its impact on the system after infection. EX: to execute the suspicious malicious file in a sandbox environment where the malware cannot affect other machines in the network

Exploit

It is the part of the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system's security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, these are categorized into local and remote.

Payload

It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security.

Block with the antivirus anything that presents the same hash of the malware

John works as a security analyst for a small company. He has heard about a new threat; a new malware that the antivirus does not detect yet. John has the hash for the new virus. What can he do to proactively protect his company?

Ghidra

Malware disassembly tool. Ghidra is a software reverse engineering (SRE) framework that helps an attacker perform malware disassembly. It was created and is maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.

Registry/configuration tools

Malware infects the Windows registry and other configuration variables. These tools help to identify the last saved settings.

WSock32.dll and Ws2_32.dll

Networking DLLs that help to connect to a network or perform network-related tasks

Infection through lateral movement

Once the fileless malware infects the target system, attackers use this system to move laterally in the network and infect other systems connected to the network.

Native applications

Operating systems such as Windows include pre-installed tools such as PowerShell and Windows Management Instrumentation (WMI). Attackers exploit these tools to install and run malicious code.

Advapi32.dll

Provides access to Advanced core Windows components such as the Service Manager and Registry

Cerber

Delivered via the RIG exploit kit. Which of the following ransomware is delivered when an attacker uses the RIG exploit kit by taking advantage of outdated versions of applications such as Flash, Java, Silverlight, and Internet Explorer?

Dynamic malware analysis

Ramon is a security professional for xsecurity. During an analysis process, he has identified a suspicious .exe file. Ramon executed the suspicious malicious file in a sandbox environment where the malware cannot affect other machines in the network. What type of analysis does Ramon conduct?
- Dynamic malware analysis
- Sheep dipping
- Preparing testbed
- Static malware analysis

SamSam

Ransomware that uses the RSA-2048 asymmetric encryption technique.

Payload

Ransomware encrypts the files and locks systems, thereby leaving the system in an unusable state. The compromised user has to pay a ransom to the attacker to unlock the system and get the files decrypted. Petya delivers malicious code that can even destroy the data with no scope of recovery. What is this malicious code called?

Metamorphic Virus

Rewrites its own code so that each copy of the virus appears different, without using a variable encryption key.
- Self-replicating
- Reprograms/rewrites itself
- Cannot be detected by antivirus
- Changes the malicious code with each infection
- Inserts dead code
- Reorders instructions
- Reshapes the expressions
- Modifies program control structure

DoS Attacks

Single computer source. Uses tools like Low Orbit Ion Cannon.
Attack types:
- Buffer Overflow
- Ping of Death
- Teardrop

Cavity Virus

Some programs have empty spaces in them. These viruses, also known as space-fillers, overwrite a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. These viruses are rarely found because suitable hosts are scarce and such code is complex to write.

Port 421

TCP Wrappers Trojan

HTML Injection

The Trojan creates fake Form fields on E-banking pages, thereby enabling the attacker to collect the target's account details, credit card number, date of birth, etc. The attacker can use this information to impersonate the target and compromise his/her account.

Log analyzers

The devices under attack record the activities of the malware and generate log files. These tools are used to extract the log files.

Preparation

The first phase of the APT lifecycle, where an adversary defines the target, performs extensive research on the target, organizes a team, builds or attains tools, and performs tests for detection.

System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during system booting. This is a crucial point of attack for viruses.

Initial Intrusion

The next phase involves attempting to enter the target network. Common techniques are sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. In this phase, malicious code or malware is deployed into the target system to initiate an outbound connection.

Launch

The virus is activated when the user performs specific actions such as running an infected program.

Detection

The virus is identified as a threat infecting the target system.

Replication

The virus replicates for a period within the target system and then spreads itself.

Tunneling Viruses

These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs.

Stealth virus

These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, this virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Senna Spy Trojan Generator

This is a Trojan that comes hidden in malicious programs. Once the source (carrier) program is installed, this Trojan attempts to gain "root" access (administrator-level access) to your computer without your knowledge.

Divergent

This malware automatically disables various components of Windows Defender and Windows Update; it exploits NodeJS.

Fileless Malware

This malware is written directly to RAM (random access memory), so it does not leave behind the traditional traces of its existence, and its operation ends when the system reboots. Malicious code can be injected into already-installed, trusted applications, which can then be hijacked and executed.
- Phishing emails, malicious downloads, and legitimate-looking links as points of entry.
- Applications you've already installed, like Microsoft Word or JavaScript.
- Native and highly trusted applications like Windows Management Instrumentation (WMI) and MS PowerShell.
- Legitimate-looking websites that are actually malicious.

Persistence

This phase involves maintaining access to the target system, starting from evading endpoint security devices such as IDS and firewalls, entering into the network, and establishing access to the system, until there is no further use of the data and assets.

Injector

This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.

Packer

This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.

Malvertising

This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting users.

Covert Credential Grabber

This type of malware remains dormant until the user performs an online financial transaction. It works covertly to replicate itself on the computer and edits the registry entries each time the computer is started. The Trojan also searches the cookie files that had been stored on the computer while browsing financial websites. Once the user attempts to make an online transaction, the Trojan covertly steals the login credentials and transmits them to the hacker.

Polymorphic virus

This type of virus infects a file with an encrypted copy of a polymorphic code already decoded by a decryption module. These viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation.

Data Analysis

To perform static analysis of potential malware files

File/data analysis

To perform static analysis of potential malware files.

Covert Channel

Transfers information within a computer system or over a network in a way that is outside the security policy.

Execution of the damage routine

Users install antivirus updates and eliminate the virus threats

Port 445

WannaCry, Petya, Dragonfly 2.0

CVE-2018-8174

What is the CVE number of the Windows VBScript engine remote code execution vulnerability?

Compromised Legitimate Websites

When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities.

XtremeRAT

Which of the following Trojans uses port number 1863 to perform attacks?
- Millennium
- Devil
- XtremeRAT
- Priority

Static Malware Analysis

Which of the following analysis techniques involves going through the executable binary code without actually executing it to have a better understanding of the malware and its purpose?
- Static malware analysis
- System baselining
- Spectrum analysis
- Dynamic malware analysis

Backdoor Trojans

Which of the following is a program that is installed without the user's knowledge and can bypass the standard system authentication or conventional system mechanism like IDS, firewalls, etc. without being detected?
- Backdoor Trojans
- Covert Channel Trojans
- Remote Access Trojans
- Proxy Server Trojans

Wingbird

Which of the following is not a remote access Trojan?
- Theef
- Netwire
- Kedi RAT
- Wingbird

SamSam

Which of the following malware is used by an attacker to restrict access to a computer system's files and folders and demand an online ransom payment to remove the restrictions? It employs brute-force tactics against weak Remote Desktop Protocol (RDP) passwords.

1001

Which of the following port numbers is used by Trojans such as Silencer and WebEx?
- 1170
- 1177
- 1001
- 1011

Port 8080

Which of the following port numbers is used by the Trojans Zeus, OceanSalt, and Shamoon?
- Port 80
- Port 443
- Port 8080
- Port 11000

Dynamic malware analysis

Which of the following techniques is also called behavioral analysis and involves executing malware code to determine how it interacts with a host system as well as its impact on the system after infection?

File fingerprinting

Which of the following techniques is used to compute the hash value for a given binary code to uniquely identify malware or periodically verify changes made to the binary code during analysis?

IExpress Wizard

Which of the following tools is used by an attacker to employ a wrapper that can bind a Trojan executable with genuine-looking .EXE applications, such as games or office applications?
- IExpress Wizard
- BitCrypter
- Godzilla
- Emotet

Tunneling viruses

Which of the following types of viruses hides itself from antivirus programs by actively altering and corrupting service call interrupts while running?
- Tunneling viruses
- File viruses
- Macro viruses
- System or boot sector viruses

Metamorphic virus

Which virus has the following characteristics:
1. Inserts dead code
2. Reorders instructions
3. Reshapes the expressions
4. Modifies program control structure

E-banking Trojans

are extremely dangerous and have emerged as a significant threat to online banking. They intercept the victim's account information before the system can encrypt it and send it to the attacker's command-and-control center.

Covert channels

are methods attackers can use to hide data in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to transmit over another. Any process or bit of data can be hidden. This makes it an attractive mode of transmission for a Trojan, because an attacker can use this channel to install a backdoor on the target machine.

BitCrypter

can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. A Trojan or malicious software piece can be encrypted into legitimate software to bypass firewalls and antivirus software. It supports a wide range of OS, from Windows XP to the latest Windows 10.

Monit

can monitor and manage distributed computer systems, conduct automatic maintenance and repair, and execute meaningful causal actions in error situations.

source code security analyzer

examines source code to detect and report weaknesses that can lead to security vulnerabilities.

WannaCry Ransomware

exploits SMB; spreads through malicious e-mail attachments and also spreads across the same LAN by using a Windows SMB (Server Message Block) vulnerability via port 445 (Microsoft Security Bulletin MS17-010). It uses the RSA and AES encryption algorithms to encrypt contents on infected systems and changes the desktop wallpaper to demand payment in bitcoins.

Macro Viruses

infect Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. These viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files.

AlienVault® USM Anywhere™

is a Fileless malware detection tool that provides a unified platform for threat detection, incident response, and compliance management. It centralizes security monitoring of networks and devices in the cloud, on premises, and at remote locations, thereby helping you to detect threats virtually anywhere.

ClamWin

is a Free Antivirus program for Microsoft Windows 10 / 8 / 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2012, 2008 and 2003.

GrayFish Rootkit

is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism for hidden storage and malicious command execution while remaining invisible. It injects its malicious code into the boot record, which handles the launching of Windows at each step. It implements its own Virtual File System (VFS) to store the stolen data and its own auxiliary information.

EquationDrug Rootkit

is a dangerous computer rootkit that attacks the Windows platform. It performs targeted attacks against various organizations and arrives on the infected system by being downloaded and executed by the Trickler dubbed "DoubleFantasy", covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a remote attacker to execute shell commands on the infected system.

Dharma

is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions. It has been regularly updated with sophisticated mechanisms in recent years.

Trojan.Gen

is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

SamSam Ransomware

is a notorious ransomware that infected millions of unpatched servers in 2018. It was first discovered in 2016; however, it was considered a grave ransomware after the WannaCry attack due to its vast victim base in 2018.

File Fingerprinting

is a process of computing the Hash value for a given binary code to identify and track data across a network.

Transaction Authentication Number (TAN) Grabber

is a single-use password for authenticating online banking transactions. Banking Trojans intercept valid TANs entered by users and replace them with random numbers. The bank will reject such invalid random numbers. Subsequently, the attacker misuses the intercepted TAN with the target's login details.

BinText

is a small, fast and powerful text extractor that will be of particular interest to programmers. It can find ASCII, Unicode and Resource strings in a file and can extract text.

Ntdll.dll

Interface to the Windows kernel

Win32.Trojan.BAT

is a system-destructive Trojan program. It will crash the system by deleting files.

Form Grabber

is a type of malware that captures a target's sensitive data such as IDs and passwords, from a web browser form or page. It is an advanced method for collecting the target's Internet banking information. It analyses POST requests and responses to the victim's browser. It compromises the scramble pad authentication and intercepts the scramble pad input as the user enters his/her Customer Number and Personal Access Code.

Ransomware

is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions.

Zmist

is also known as Zombie.Mistfall. It was the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.

IV Attack (Initialization Vector)

is an attack on wireless networks. It modifies the encrypted wireless packet during transmission. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 key stream.

APT

is an attack that focuses on stealing information from the victim machine without its user being aware of it. The impact of these attacks on computer performance and Internet bandwidth is negligible, as these attacks are slow in nature. These attacks exploit vulnerabilities in the applications running on a computer, the operating system, and embedded systems.

Snyk

is the platform developers choose to build cloud native applications securely.

Destructive Trojans

The sole purpose of these Trojans is to delete files on a target system. Antivirus software may not detect destructive Trojans. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, registry entries, and local and network drives, often resulting in OS failures.

DarkHorse Trojan Virus Maker

is used to create user-specified Trojans by selecting from various options available. The Trojans created act as per the options selected while creating them. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system.

DLL injection

is used to manipulate the execution of a running process. Most such attacks are performed for reverse engineering. This attack primarily tricks an application into calling a malicious file, which then gets executed as part of the target process.
1. Attach to the process
2. Allocate memory within the process
3. Copy the file or the file path into the process's memory and determine appropriate memory addresses
4. Instruct the process to execute your malicious file

Static Malware Analysis

also known as code analysis; the malware is not executed. It involves going through the executable binary code without executing it to have a better understanding of the malware and its purpose.

Hakiri

monitors Ruby apps for dependency and code security vulnerabilities.

Defacement Trojans

once spread over the system, can destroy or change the entire content of a database. However, they are more dangerous when attackers target websites, as they physically change the underlying HTML format, resulting in the modification of content. In addition, significant losses may be incurred due to the defacement of e-business targets by Trojans.

GFI LanGuard

patch management software scans the user's network automatically as well as installs and manages security and non-security patches.

HashMyFiles

produces a hash value for a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the File, such as the full path of the file, date of creation, date of modification, file size, file attributes, file version, and extension, which helps in searching for and comparing similar files.

Remote access Trojans (RATs)

provide attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and others. EX: Theef, Netwire, and Kedi RAT

Overt Channel

refers to something that is explicit, obvious, or evident. An example is a legal channel for the transfer of data or information in a company network, which works securely to transfer data and information.

Sheep Dipping

refers to the analysis of suspect files, incoming messages, etc. for malware. The users isolate the computer from other computers on the network to block any malware from entering the system. Such computers should have tools such as port monitors, file monitors, network monitors, and one or more anti-virus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB drives, pen drives, etc.), and so on.

Boot loader level rootkit

These rootkits function either by replacing or modifying the legitimate bootloader with another one. The rootkit can activate even before the operating system starts, so these rootkits are serious threats to security because they can help in stealing encryption keys and passwords.

Code Emulation

techniques, the antivirus executes the suspicious code inside a virtual machine that simulates CPU and memory activity, then inspects the result. These techniques are considered very effective against encrypted and polymorphic viruses, provided the virtual machine mimics the real machine closely enough that the malware decrypts or unpacks itself as it would on real hardware.

HTTP/HTTPS Trojans

these Trojans bypass firewalls that allow outbound web traffic by working in reverse, as opposed to a straight HTTP tunnel: the Trojan executes on the internal host, spawns a child program at a predetermined time, and that child connects out to the attacker over port 80 (or 443 for HTTPS) using a web-based interface.

File Viruses

these viruses infect files that are executed or interpreted on the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. They can be direct-action (non-resident) or memory-resident viruses.

Achieving Objectives

is the final stage of a fileless malware attack. Having established persistence, attackers bypass security solutions and achieve a variety of objectives, such as data exfiltration, credential theft, reconnaissance, and cyber-espionage, on the target systems and network.

Companion/Camouflage Viruses

this virus stores itself under the same base filename as the target program file. It exploits the DOS rule that, when a COM file and an EXE file share a name, the COM file is executed first: the virus installs a COM file alongside the target EXE, runs when the user invokes the program name, infects the computer and modifies data on the disk, and then passes control to the legitimate EXE so that nothing looks wrong.

Sonar Lite

is a tool used to troubleshoot network connectivity and domain-resolution issues, or to look up registration information for any domain.

Hardware/Firmware Rootkit

use device or platform firmware to create a persistent malware image in hardware, such as a hard drive, the system BIOS, or a network card. The rootkit hides in firmware because firmware is rarely inspected for code integrity, and because it lives outside the operating system it survives OS reinstallation and disk formatting, giving the attacker a permanent foothold.

Port 443

used by: ADVSTORESHELL, APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8, gh0st RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles, Threat Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT

Black hat Search Engine Optimization (SEO)

uses tactics such as keyword stuffing, doorway pages, page swapping, and unrelated keywords to obtain higher search-engine rankings for pages that serve malware.

Shell Viruses

virus code forms a shell around the target host program's code, so that the virus becomes the program and the host code its subroutine. Nearly all boot program viruses are shell viruses.

FAT Viruses

is a computer virus that attacks the File Allocation Table (FAT), the structure used by Microsoft products and some other systems to locate the information stored on a disk.

Add-on Viruses

viruses append their code to the host code without changing the latter, or relocate the host code in order to insert their own code at the beginning.

Metamorphic Virus

viruses are programmed to rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and rely on a metamorphic engine: the code is translated into a temporary intermediate form, transformed into a new variant of the same virus with different code but the same behaviour, and then converted back into executable code. Because no byte sequence stays constant across generations, signature matching alone cannot detect them.

Armored Viruses

viruses are designed to confuse or mislead antivirus systems and analysts, for example through anti-disassembly and anti-debugging tricks, so that the actual source of the infection is not detected.

Encryption Viruses

viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus body and a decryption module; because the body is re-encrypted with a different key on each infection, only the decryptor stays constant from one copy to the next.
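As an added example (not part of the CEH material), the following Python toy models the structure described in the Encryption Viruses card and shows why the Code Emulation card's technique is needed against it. The "virus body" is a harmless constructed string, the keys are supplied by the caller, and the stub layout ("DECR", one key-length byte, the key, the XOR-encrypted body) is an assumption of this example; no real sample uses it. Three scanners are compared: a plain byte-signature scan of the file as stored, a scan for the constant decryptor stub, and an emulate-then-scan that "runs" the decryptor and inspects the result.

```python
import struct

# Constructed stand-in for the virus body; a real body would be machine code.
PLAIN_BODY = b"BENIGN-DEMO-BODY: this text stands in for the malicious code"
BODY_SIGNATURE = b"BENIGN-DEMO-BODY"   # byte pattern a scanner looks for in the body
STUB_MAGIC = b"DECR"                    # the constant decryptor stub (assumed format)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_infected_sample(key: bytes) -> bytes:
    """Lay a sample out the way an encryption virus does: stub, key, encrypted body."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return STUB_MAGIC + struct.pack("<B", len(key)) + key + xor_bytes(PLAIN_BODY, key)


def static_signature_scan(sample: bytes) -> bool:
    """Byte-pattern matching on the file exactly as it sits on disk."""
    return BODY_SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Match the one part that does not change between infections: the decryptor."""
    return sample.startswith(STUB_MAGIC)


def emulate_and_scan(sample: bytes) -> bool:
    """Code emulation: perform the decryptor's work in a sandbox model, then scan the result.

    A real engine would run the stub's instructions on an emulated CPU and
    memory; here 'running' it means interpreting the assumed header format
    and applying the decryption the stub would perform.
    """
    if not stub_scan(sample) or len(sample) < 5:
        return False
    key_len = sample[4]
    key = sample[5:5 + key_len]
    if key_len == 0 or len(key) != key_len:
        return False          # malformed header: nothing to emulate
    decrypted_body = xor_bytes(sample[5 + key_len:], key)
    return BODY_SIGNATURE in decrypted_body


def compare_generations(key_a: bytes, key_b: bytes) -> dict:
    """Two infections of the same virus with different keys, run through all three scanners."""
    a, b = make_infected_sample(key_a), make_infected_sample(key_b)
    return {
        "bodies_identical": a[5 + len(key_a):] == b[5 + len(key_b):],
        "static": (static_signature_scan(a), static_signature_scan(b)),
        "stub": (stub_scan(a), stub_scan(b)),
        "emulated": (emulate_and_scan(a), emulate_and_scan(b)),
    }


if __name__ == "__main__":
    print(compare_generations(b"\x5a\xa3", b"\x17"))
```

The static scan fails on both generations because the encrypted bodies share no bytes; the stub scan works here only because the decryptor is constant, which is exactly the weakness polymorphic variants remove by mutating the decryptor as well, leaving emulation (or behavioural detection) as the approach that still recovers the plaintext body.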

Transient Viruses

viruses transfer all control of the host code to the location in memory where the virus resides; the virus then selects the target program to be modified and corrupts it.

Advapi32.dll

is imported to access and manipulate the Service Control Manager and the Registry (a common sign of persistence or service-based installation).

Kernel32.dll

is imported to access and manipulate memory, files, and hardware (process, thread, file and memory management).

User32.dll

is imported to display and manipulate graphics (windows, messages, and user-interface input).

