{"id":1739,"date":"2016-01-06T20:40:50","date_gmt":"2016-01-06T20:40:50","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=1739"},"modified":"2017-03-01T05:18:46","modified_gmt":"2017-03-01T05:18:46","slug":"malware-types","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/malware-types\/","title":{"rendered":"Malware Types"},"content":{"rendered":"<h3><strong>Malware Types<\/strong><\/h3>\n<p>Malware can be classified by its behavior, target platform, or attack commands.\u00a0 Of the three classifications, we will look more specifically at malware based on behavior.\u00a0 These can be divided into 8 different categories:<\/p>\n<ul>\n<li>I. Infectors<\/li>\n<li>II. Network Worms<\/li>\n<li>III. The Trojan Horse<\/li>\n<li>IV. Backdoors<\/li>\n<li>V. Remote Access Trojans<\/li>\n<li>VI. Information Stealers<\/li>\n<li>VII. Ransomware<\/li>\n<li>VIII. Rootkits<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<ol style=\"list-style-type: upper-roman;\">\n<li>\n    <strong>Infectors\u00a0<\/strong>often take the form of direct file infectors, macro and script viruses, boot-sector viruses, and multipartite viruses. They can further be identified by the objects they infect.\n<ol style=\"list-style-type: upper-alpha;\">\n<li>\n        <strong>Direct File Infectors<\/strong> (Overwriting, Companion, and Parasitic) infect files as soon as they are executed.\u00a0 They can be limited to files located in the same folder or \n<ol style=\"list-style-type: lower-alpha;\">\n<li>\n            <strong>Overwriting<\/strong> viruses overwrite the host files they infect with their own malware code, making the original host file unusable.\u00a0 Without a backup there is no way to recover this file.\n          <\/li>\n<li>\n            <strong>Companion<\/strong> viruses operate by renaming the host file&#8217;s extension and then creating a copy of themselves with the original name of the host file.\u00a0 The renamed host file is then given a hidden attribute. 
When the file is called by the user or the operating system, the companion virus executes its malicious code and then passes execution to the renamed\/hidden original file.\n          <\/li>\n<li>\n            <strong>Parasitic<\/strong> viruses attach themselves to the host file during infection. A prepending parasitic virus attaches itself to the top of the host file, while an appending parasitic virus attaches itself to the end of the host file.\n          <\/li>\n<\/ol>\n<\/li>\n<li>\n        <strong>Macro and Script viruses<\/strong> are created using an application-specific macro language.\u00a0 Although macros are not confined to Microsoft Office alone, Office has become the main platform for macro viruses. An example of this would be the <em><a href=\"https:\/\/www.cert.org\/historical\/advisories\/CA-1999-04.cfm?\">Melissa<\/a><\/em> virus from 1999, which spread via email and embedded itself in both saved and new documents.\u00a0 The macro language is a form of scripting, and macro viruses showed the malicious possibilities of scripts.\u00a0 A script is code that exists independently and is executed by the operating system or a service to perform an action.\u00a0 Like macros, scripts are normally used to automate a routine task.\n      <\/li>\n<li>\n        <strong>Boot-Sector viruses<\/strong> infect the boot-sector of a disk to get control of the system&#8217;s execution flow, in most cases before the operating system loads.\u00a0 The virus works by hijacking the first instruction in the boot-sector, pointing it to the malicious code, and then releasing control back to the original boot-sector code.\n      <\/li>\n<li>\n        <strong>Multipartite viruses<\/strong> are viruses that infect both boot-sectors and files.\u00a0 When a multipartite virus is executed, it looks for files to infect and then looks for the presence of disks in drives and infects their boot sectors.\u00a0 Examples are <em><a href=\"http:\/\/malware.wikia.com\/wiki\/Flip\">Flip<\/a><\/em> from 1990 and <em><a 
href=\"http:\/\/virus.wikidot.com\/junkie\">Junkie<\/a><\/em> from 1994.\n      <\/li>\n<\/ol>\n<\/li>\n<li>\n    <strong>Network Worms<\/strong> are malware that replicate themselves to multiple systems on a network with little to no user intervention, via network services such as web browsing, e-mail, and chat, just to name a few.\u00a0 Network worms are usually classified based on their network-propagating features (Mass Mailers, File-Sharing, Instant Messaging, Internet Relay Chat (IRC), LAN, and Internet).\n<ol style=\"list-style-type: upper-alpha;\">\n<li>\n        <strong>Mass mailer worms <\/strong>spread via e-mail.\u00a0 They usually rely on social engineering techniques to fool the user into opening attachments or clicking links.\u00a0 They harvest the user&#8217;s address book to find new targets.\n      <\/li>\n<li>\n        <strong>File-Sharing<\/strong> worms spread by adding copies of themselves, under enticing names, to publicly facing file-sharing folders.\u00a0 The idea is to get other users to find and download them through a peer-to-peer program.\n      <\/li>\n<li>\n        <strong>Instant Messaging worms<\/strong>, as the name indicates, use IM software as their main infection vector and are similar to mass mailer worms.\u00a0 They harvest the user&#8217;s contact list and send malicious links that result in the worm being downloaded and installed on the next target machine.\u00a0 Since the message comes from a &#8220;known&#8221; contact, it is likely to be trusted.\n      <\/li>\n<li>\n        <strong>Internet Relay Chat (IRC)<\/strong> worms spread, yup you guessed it, through IRC channels by sending messages containing malicious links or instructions that socially engineer the user into typing a series of commands, which can result in infection not just of that user&#8217;s system but of the other users in the channel as well.\n      <\/li>\n<li>\n        <strong>Local Area Network (LAN)<\/strong> worms spread within the confines of a LAN by scanning for writable shared folders on hosts connected to 
the network and copying themselves into those folders.\u00a0 They also search for public folders on the network in which to drop a copy of themselves.\n      <\/li>\n<li>\n        <strong>Internet<\/strong> worms spread to other systems by scanning the Internet for vulnerable machines.\n      <\/li>\n<\/ol>\n<\/li>\n<li>\n    <strong>The Trojan Horse<\/strong> (or Trojan to most) is malware in disguise.\u00a0 A Trojan&#8217;s main goal is destruction of files, software, or the entire operating system itself.\u00a0 Typically the easiest way to recover from a Trojan is to reinstall a fresh copy of your OS or restore from a clean backup.\n  <\/li>\n<li>\n    <strong>Backdoors<\/strong> enable an attacker to gain access to a compromised system while bypassing any form of safeguards and authentication.\u00a0 This access can be in the form of a shell with root\/system privileges.\u00a0 Backdoors can be embedded in software or can be a stand-alone executable.\n  <\/li>\n<li>\n    <strong>Remote Access Trojans (RAT)<\/strong> are malicious administrative tools that have backdoor capabilities.\u00a0 The difference between a RAT and a traditional backdoor is that the RAT has a user interface or client-like component through which the attacker issues commands to the server (RAT) component; this gives the attacker control over compromised machines.\n  <\/li>\n<li>\n    <strong>Information Stealers<\/strong> are exactly that: they steal information.\u00a0 The most common information stealers are Keyloggers, Desktop Recorders, and Memory Scrapers.
<ol style=\"list-style-type: upper-alpha;\">\n<li>\n        <strong>Keyloggers<\/strong> capture keystrokes and log them.\u00a0 These logs can either be stored locally for later retrieval or sent to a remote server set up by the attacker.\u00a0 Keyloggers are not limited to software alone; there are also hardware implementations available.\n      <\/li>\n<li>\n        <strong>Desktop Recorders<\/strong> work by taking screenshots of the desktop or the active window on the user&#8217;s platform.\u00a0 They can be set up to capture on a time interval or when triggered by an event such as a mouse click or a press of the enter\/return key.\u00a0 The downside of this malware is the amount of data that results from this type of operation.\u00a0 The file size of each screenshot can add up quickly.\n      <\/li>\n<li>\n        <strong>Memory Scrapers<\/strong> steal information from memory while it is being processed.\u00a0 Data that is being processed in memory is unencrypted, which makes it an ideal place to target.\n      <\/li>\n<\/ol>\n<\/li>\n<li>\n    <strong>Ransomware<\/strong> is a malicious program that holds data hostage, or blocks access to the systems\/resources containing that data, unless the user pays a ransom.\u00a0 This kind of virtual extortion can take the form of encrypting the data and withholding the password, a trojan threat of destruction, or a user lockout until a ransom is paid.\n  <\/li>\n<li>\n    <strong>Rootkits<\/strong> are a set of tools that enables root, or administrator, level access on a computer system. In the malicious software realm, a rootkit is a set of techniques coded into malware to gain root access and complete control of the OS and its underlying hardware. As a result of this level of control, the malware is able to accomplish one major survival goal: the ability to hide its presence and persist in the system. There are two kinds of rootkits: User-mode and Kernel-mode.
<ol style=\"list-style-type: upper-alpha;\">\n<li>\n        <strong>User-Mode<\/strong> rootkits operate in user mode, or ring 3 of the <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Protection_ring\">Computer Security Protection Ring<\/a><\/em>. Their control and influence are limited to the user or to the process space of the affected application. User-mode rootkits operate mostly by <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Hooking\">hooking<\/a><\/em> or hijacking system function calls made by an application.\n      <\/li>\n<li>\n        <strong>Kernel-mode<\/strong> rootkits operate in kernel mode, or ring 0 of the <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Protection_ring\">Computer Security Protection Ring<\/a><\/em>. This kind of rootkit is much more powerful because it places itself at the lowest level possible, which means it has more control over the OS and the underlying hardware. Ideally, malware authors would make every rootkit a kernel-mode one, but since that requires familiarity with OS internals and hardware, and those skills take time to build, it is not always possible. A poorly written kernel-mode rootkit, with that much influence over the system, will most likely crash it.\n      <\/li>\n<\/ol>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Malware Types Malware can be classified by its behavior, target platform, or attack commands.\u00a0 Of the three classifications, we will look more specifically at malware based on behavior.\u00a0 These can be divided into 8 different categories: I. Infectors II. Network Worms III. The Trojan Horse IV. Backdoors V. Remote Access Trojans VI. Information Stealers VII. 
[&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":1775,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[52,83,63],"tags":[],"class_list":["post-1739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-malware","category-security"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2016\/01\/malwarepic.png?fit=482%2C150&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-s3","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=1739"}],"version-history":[{"count":37,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1739\/revisions"}],"predecessor-version":[{"id":2211,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1739\/revisions\/2211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/1775"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=1739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=1739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\
/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=1739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}