Reposted from Cisco (https://docs.umbrella.com/deployment-umbrella/docs/threat-type-definitions)
Advanced Persistent Threat (APT)—A set of stealthy and continuous computer hacking processes, often orchestrated by cyber criminals targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives.
Examples: turla, vpnfilter, aggah, carbanak, seaturtle
APT Attack Stages
APT attacks occur in multiple stages that vary in length depending on the lifecycle of the attack. These stages include:
1) Initial access
APT attacks begin when attackers gain initial access. This is accomplished through compromised users, network connections, or web-based systems. Access is gained through methods such as exploitation of system vulnerabilities, spear phishing of privileged credentials, malicious uploads, or misconfigurations in security tooling.
2) Deploy malware and secure access
Once access is gained, it is secured via the installation of backdoor shells, trojans, creation of credentials, or other malware. Whichever method is used, the purpose is to create both inbound and outbound access to a command and control center.
3) Move laterally and expand access
After access is secured, attackers focus on increasing that access and moving laterally through your networks. This is accomplished using information gained in the initial steps or by brute forcing or exploiting vulnerabilities from within your systems. Often, attackers create additional backdoors or tunnels to further secure and expand access.
4) Stage the attack
Eventually, attackers have enough knowledge and access to your systems to identify their objective data or processes. At this point, they begin preparing data for exfiltration, implementing control measures, or modifying systems and data.
5) Attack execution
After preparations are complete, criminals execute their attack. This is frequently done under the cover of another attack, such as a distributed denial of service (DDoS) attack. This distracts security teams and enables attackers to exfiltrate data or make system changes without detection. It also provides attackers cover to remove traces of the attack, increasing the chance that access can be regained and preventing prosecution or tracing.
6) Follow-up attacks
Frequently, APTs persist after an initial attack in the hope of gaining greater access or additional data. If not detected during the execution stage, attackers can continue using their secured access routes and gain the opportunity to automatically bypass new or updated controls that you might institute.
How to Detect APTs
Detecting APTs can be a challenge. Attackers are well prepared and often use more advanced measures than standard attacks. However, detection is not impossible. The following tools can help you detect attackers and any damage they may cause.
1) User and entity behavior analytics (UEBA)
UEBA is an essential tool for detecting and tracing APTs. This method doesn’t rely on attack signatures and enables you to detect attacks of almost any type.
It uses artificial intelligence (AI) and machine learning (ML) to collect and analyze network events. From these analyses, UEBA tools create baselines of “normal” behavior against which new events are measured. If an event falls outside the expected range of behavior, security teams are alerted or defenses are deployed.
2) Deception technology
Deception technology uses traps baited with appealing, but fake, data and access. These traps serve no legitimate purpose and provide a near 100% positive alert rate. When attackers are attempting to enter or are traversing your network, they are lured to these traps. As long as traps are well designed, attackers may never know that they have been tricked. Meanwhile, you can observe and track their movements and activities and limit their access.
3) Network monitoring
While network monitoring isn’t as novel as UEBA or deception technology, it forms the base of APT detection. Without monitoring, you cannot collect network information or determine the source of attacks. To be effective, this monitoring needs to cover the entirety of your network, including all endpoints and connected systems.
How to Prevent APTs
While detecting APT attacks is key, preventing attacks is ideal. To increase your chances of successfully preventing attacks, consider adopting the following practices.
1) Perform penetration testing
Penetration testing can help you uncover unknown vulnerabilities and test the effectiveness of your implemented tools. It enables you to mimic the actions and methods that attackers might use and can provide immediate feedback on how you can improve systems.
You can perform penetration testing internally, with red (attack) and blue (defense) teams or with a third-party service. Alternatively, you might institute a bug bounty program. These programs encourage independent security testers to try and infiltrate your systems and report any vulnerabilities they may find.
2) Educate your employees
One of the most common methods of gaining system access is through the use of compromised credentials. These credentials may be stolen through phishing campaigns, false log-in portals, or brute force. Weak password controls also put credentials at risk.
To avoid these liabilities, you need to train your employees to recognize and avoid tactics used for credential theft. For example, training on how to recognize and report spam emails. You should also educate your users on how to create strong passwords and why it’s important to not reuse or share credential information.
3) Keep your systems updated
A common tactic used to gain or expand access in APTs is the exploitation of existing vulnerabilities, in particular known vulnerabilities that have not been patched. By making sure that your systems remain up to date, you can eliminate these vulnerabilities as points of entry.
To ensure that you remain aware of current updates and to verify that your systems are fully patched, you need to monitor your versions. The easiest way to do this is with a software composition analysis (SCA) solution. These solutions can help inventory your systems, identify the components you’re using, monitor for vulnerability announcements or patch releases, and alert you when components are out of date.
4) Limit system access
The most effective way to limit system access is by applying defense-in-depth (DiD) and the principle of least privilege. DiD involves securing your systems throughout, as opposed to just on the perimeter. This includes the use of internal firewalls and internal traffic filtering.
The principle of least privilege complements DiD by specifying that users and applications should be given only the minimum amount of required access. In combination, these strategies can help limit an attacker’s ability to traverse your networks. The combination can also significantly slow down access, giving you more time to detect and halt an attack.
Adware—Any software package that automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.
Examples: revizer, chinad
The following are the major types of adware:
1) Application Program
2) Software as a service
The following are some of the important differences between Malware and Adware
What is the risk from adware?
Adware programs are not as dangerous as computer Trojans, worms, rootkits and other forms of malware, but they negatively impact the user's experience and make computers and browsers run slower. They also serve as a means for cybercriminals to fund other malicious campaigns and can ultimately serve as a backdoor into computers through which other threats can be delivered or data can be stolen.
Backdoor—A type of trojan that enables threat actors to gain remote access and control over a system.
Examples: pterodo, servhelper, godlua
The differences between backdoors and exploits
Malwarebytes Labs defines exploits as, "known vulnerabilities in software that can be abused to gain some level of control over the systems running the affected software." And we know a backdoor works like a secret entrance into your computer.
While backdoors and exploits seem awfully similar at first glance, they are not the same thing.
Exploits are accidental software vulnerabilities used to gain access to your computer and, potentially, deploy some sort of malware. To put it another way, exploits are just software bugs that researchers or cybercriminals have found a way to take advantage of. Backdoors, on the other hand, are deliberately put in place by manufacturers or cybercriminals to get into and out of a system at will.
Botnet—A number of Internet-connected systems infected with malware that communicate and coordinate their actions received from command and control (C&C) servers. The infected systems are referred to as bots. The most typical uses of botnets are distributed denial-of-service (DDoS) attacks on selected targets and the propagation of spam.
A botnet attack can be made up of hundreds or even more than a million infected devices that are all executing malicious code on behalf of the bot herder.
Examples: brobot, xbash, robotobotnet, darknexus, goldbrute
A botnet is made up of three main components:
1) the bots
2) the command and control servers (C&C)
3) the botnet operator
Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be used to conduct many types of attacks, including:
1) Phishing
Botnets can be used to distribute malware via phishing emails. Because botnets are automated and consist of many bots, shutting down a phishing campaign is like playing a game of Whack-A-Mole.
2) Distributed Denial-of-Service (DDoS) attack
During a DDoS attack, the botnet sends an overwhelming number of requests to a targeted server or application, causing it to crash. Network layer DDoS attacks use SYN floods, UDP floods, DNS amplification, and other techniques designed to eat up the target’s bandwidth and prevent legitimate requests from being served. Application-layer DDoS attacks use HTTP floods, Slowloris or RUDY attacks, zero-day attacks and other attacks that target vulnerabilities in an operating system, application or protocol in order to crash a particular application.
Many will remember the massive Mirai botnet DDoS attack. Mirai is an IoT botnet made up of hundreds of thousands of compromised IoT devices, which, in 2016, took down services like OVH, Dyn, and Krebs on Security.
3) Cryptojacking
Cryptocurrency is “mined” by computers that earn bits of currency by solving computationally expensive cryptographic puzzles. However, these computations use a lot of electricity – Bitcoin mining alone uses as much energy as the entire nation of Switzerland, and when all expenses associated with mining cryptocurrency are counted, an adversary would spend three times more mining cryptocurrency than mining actual gold. To a criminal mind, it makes a lot more sense to make someone else pay for the effort by commandeering their resources.
4) Snooping
Botnets can be used to monitor network traffic, either passively to gather intelligence and steal credentials or actively to inject malicious code into HTTP traffic. Domain Name System (DNS) snooping maps IP addresses to domain names that are contained in the dynamic database or a local list in order to discover what queries are being made, which domains might be the best targets for a cache poisoning attack, or what mis-typed domains might be worth registering.
5) Bricking
A bricking attack deletes software from an IoT device with weak security, rendering it useless, or bricked. Cybercriminals may use bricking attacks as part of a multi-stage attack, in which they brick some devices to hide any clues they may have left when launching the primary attack. Bricking makes it difficult or impossible for forensic analysts to discover remnants of botnet malware that would provide information on who, how or why the primary attack was conducted.
6) Spambots
Spambots harvest emails from websites, forums, guestbooks, chat rooms and anyplace else users enter their email addresses. Once acquired, the emails are used to create accounts and send spam messages. Over 80 percent of spam is thought to come from botnets.
Browser Hijacker—Any malicious code that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser or redirect to fraudulent or malicious sites. It may replace the existing home page, error page, or search page with its own. It can also redirect web requests to unwanted destinations.
Examples: eitest, darkleech
A browser hijacker’s usual definition is any sort of potentially unwanted program that installs itself on your computer without you agreeing to the installation. After this step, the hijacker will modify your settings in order for the browser to do one or more of the following:
1. Feed you with a lot of malvertising popups and ads.
2. Change your browser homepage to a new one. For example, it changes your default home page from Google to another search engine.
3. Redirect you constantly to a particular website, such as an online store. This one is called a DNS hijacking.
But it doesn’t stop here. It won’t even allow you to change your settings since it keeps reverting to its own default configuration. In other words, it will keep changing your browser’s homepage until you give up fighting it and accept the hijacker’s new homepage.
The Impact and Risk
Unscrupulous individuals and organizations inject their software into browsers for several reasons:
1) To steal information from users
2) To spy on users
3) To display persistent advertising
4) To run a try-before-you-buy hard sell to a consumer
Bulletproof Hosting—A service provided by some domain hosting or web hosting firms that allows their customers considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.
Many cybercriminal operations have some level of organization, planning, and some form of foundation that reflects the technical acumen of the individual or group behind them. The use of underground infrastructure is inherent to the modus operandi of a cybercriminal. In our Underground Hosting series, we have differentiated how cybercrime goods are sold in marketplaces and what kinds of services are offered.
Criminal sellers use different mechanisms to protect their businesses. The offerings of these "businesses" are often suited to the respective requests and demands of the criminals. Bulletproof hosting (BPH) services, also known as abuse-resistant services, and in some cases, offshore hosting, usually comprises compromised assets and infrastructures with a high level of resistance to abuse. Providers often offer customer support by sharing early notifications of abuse requests and even automatically moving servers to another IP space.
A bulletproof host employs various ways to sustain crimes operating under its wing and offer protection from law enforcement agencies. BPH services tend to strategically allocate resources globally, keeping in mind local regulations and geographical characteristics.
A breakdown of BPH hosting providers is shown in the figure at: https://documents.trendmicro.com/images/TEx/articles/Breakdown-of-BPH-hosting-providers.png
Hosting on compromised assets is the cheapest option, with the caveat that the hosts do not survive for long. Hosting providers that have their data centers and infrastructure are more viable for systems that require long-term availability.
Bulletproof Hosting: A Customer Perspective
See figure: https://documents.trendmicro.com/images/TEx/articles/Preferred-criminal-hosting-locations-by-country-and-activity.jpg
Note: [Y]es: Underground actors mention this location; [N]o: Underground actors actively suggest not using this location; [M]aybe: Underground actors sometimes mention this location along with restricted factors, like the targeted region
Cryptojacking—The covert use of a system's computer resources to mine cryptocurrency. Cryptojacking is initiated by malware or through web crypto miners embedded in website code.
Examples: massminer, webcobra, heavensgate, webcryptominer, graboid
This usually occurs when the victim unwittingly installs a programme with malicious scripts which allow the cybercriminal to access their computer or other Internet-connected device, for example by clicking on an unknown link in an e-mail or visiting an infected website. Programmes called ‘coin miners’ are then used by the criminal to create, or ‘mine’, cryptocurrencies.
As they are digital currencies, only computer programmes and computing power are needed to create cryptocurrencies. The type of cryptocurrency we see primarily mined on personal computers is called Monero.
Why is this a concern?
Cryptojacking might seem like a harmless crime, since the only thing ‘stolen’ is the power of the victim’s computer. But the use of computing power for this criminal purpose is done without the knowledge or consent of the victim, for the benefit of the criminal who is illicitly creating currency. As a large number of infected devices generates a huge amount of cryptocurrency, cybercriminals see this as a lucrative crime.
The primary impact of cryptojacking is performance-related, though it can also increase costs for the individuals and businesses affected because coin mining uses high levels of electricity and computing power.
Signs you could be a victim of cryptojacking
1) A noticeable slowdown in device performance
2) Overheating of batteries on devices
3) Devices shutting down due to lack of available processing power
4) Reduction in productivity of your device or router
5) Unexpected increases in electricity costs
Cryptomining—Malware that accesses cryptomining pools (where miners group together and share resources, i.e. processing power, to better gather and share cryptocurrencies) or known web cryptomining source code repositories.
What are malicious cryptominers?
Formerly, most malicious crypto-mining code tried to download and run an executable on the targeted devices.
However, a different form of crypto-mining malware has recently become very popular – in-browser mining that uses simple JavaScript. This method - also dubbed cryptojacking - enables the same malicious activity to be executed directly in a victim’s browser, without installing any software.
Nowadays, most cryptomining scripts and executables mine Monero. This cryptocurrency has many advantages over the better-known bitcoin: it offers anonymous transactions and can be mined with regular CPUs and GPUs instead of expensive, specialized hardware.
Cryptomining and cryptojacking cyberattacks have been detected on all popular desktop platforms, as well as on Android devices. Most of them are classified as potentially unwanted applications (PUA); however, some of the detected attacks fall into the more dangerous Trojan category.
DNS-Tunneling—Sends HTTP and other protocol traffic over DNS. There are various, legitimate reasons to utilize DNS tunneling. However, there are also malicious uses. Threat actors can use manipulated DNS requests to exfiltrate data from a compromised system to the attacker’s infrastructure. And in some cases, DNS responses are manipulated for C2 callbacks from the attacker’s infrastructure to a compromised system. IT Policy avoidance and guest WiFi abuse are also concerns.
Domain name system, or DNS, is the protocol that translates human-friendly domain names, such as paloaltonetworks.com, into machine-friendly IP addresses, such as 199.167.52.137. Cybercriminals know that DNS is widely used and trusted. Furthermore, because DNS is not intended for data transfer, many organizations don’t monitor their DNS traffic for malicious activity. As a result, a number of types of DNS-based attacks can be effective if launched against company networks. DNS tunneling is one such attack.
How DNS Tunneling Works
DNS tunneling exploits the DNS protocol to tunnel malware and other data through a client-server model.
1) The attacker registers a domain, such as badsite.com. The domain’s name server points to the attacker’s server, where a tunneling malware program is installed.
2) The attacker infects a computer, which often sits behind a company’s firewall, with malware. Because DNS requests are always allowed to move in and out of the firewall, the infected computer is allowed to send a query to the DNS resolver. The DNS resolver is a server that relays requests for IP addresses to root and top-level domain servers.
3) The DNS resolver routes the query to the attacker’s command-and-control server, where the tunneling program is installed. A connection is now established between the victim and the attacker through the DNS resolver. This tunnel can be used to exfiltrate data or for other malicious purposes. Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker’s computer.
DNS Tunneling Detection
There are two general methods to detect DNS misuse: payload analysis and traffic analysis.
With payload analysis, defenders look at unusual data being sent back and forth: strange-looking hostnames, a DNS record type that’s not used all that often, and unusual character sets that can be spotted by statistical techniques.
In traffic analysis, defenders look at the number of requests to a DNS domain and compare it against average usage. Attackers performing DNS tunneling generate very heavy traffic to the server, in theory much greater than a normal DNS exchange, and that should be detectable.
Drive-by Download—Any download that happens without a person's consent or knowledge.
Drive by download attacks specifically refer to malicious programs that install to your devices — without your consent. This also includes unintentional downloads of any files or bundled software onto a computer device.
Masked in all corners of the web, these attacks cause even perfectly legitimate sites to spread this threat.
Here are the two main variants of Drive by Download attacks:
1) Non-malicious potentially unwanted programs or applications (PUPs/PUAs).
2) Malware-loaded attacks.
What is a Drive by Download Attack?
A drive-by download attack refers to the unintentional download of malicious code to your computer or mobile device that leaves you open to a cyberattack. You don't have to click on anything, press download, or open a malicious email attachment to become infected.
A drive-by download can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates. Unlike many other types of cyberattack, a drive-by doesn't rely on the user to do anything to actively enable the attack.
Drive by downloads are designed to breach your device for one or more of the following:
1) Hijack your device — to build a botnet, infect other devices, or breach yours further.
2) Spy on your activity — to steal your online credentials, financial info, or identity.
3) Ruin data or disable your device — to simply cause trouble or personally harm you.
How Website Owners Can Prevent Drive by Downloads
As a website owner, you are the first line of defense between hackers and the users they target. To give yourself and your users peace of mind, strengthen your infrastructure with these tips:
1) Keep all website components up to date. This includes any themes, addons, plugins, or any other infrastructure. Each update likely has new security fixes to keep hackers out.
2) Remove any outdated or unsupported components of your website. Without regular security patches, old software is perfect for fraudsters to study and exploit.
3) Use strong passwords and usernames for your admin accounts. Brute force attacks give hackers an almost instant break-in for default passwords, or weak ones like “password1234.” Use a password generator alongside a password manager to stay safe.
4) Install protective web security software on your site. Monitoring software will help keep watch for any malicious changes to your site’s backend code.
5) Consider how your advertisement use might affect users. Advertisements are a popular vector for drive by downloads. Be sure your users aren’t being shown suspect advertisements.
7 Tips for Endpoint Users
As a user, you’ll have to rely more on the various security features offered in your software. You can follow these tips to prepare yourself and your software against a drive by download attack:
1) Only use your computer’s admin account for program installations. Admin privileges are necessary for drive by downloads to install without your consent. Since this setting comes default on your main account, use a secondary non-admin account for daily use.
2) Keep your web browser and operating system up to date. New patches help seal gaps in their defenses where drive-by-download code could burrow in. Do not wait or delay — install these updates as soon as they release.
3) Be wary of keeping too many unnecessary programs and apps. The more plug-ins you have on your device, the more susceptible you are to infection. Only keep the software you trust and use often. Also, remove any older apps that no longer receive updates.
4) Use an internet security software solution on all your devices. Products like Kaspersky Security Cloud automatically keep your malware definitions up-to-date to spot the latest threats. They also can scan websites proactively to block known compromised sites.
5) Always avoid websites that may contain malicious code. Sites that offer file-sharing or mature content are common points of infection. Only visit mainstream sites you normally use or at least well-established sites to improve your chances of staying clean.
6) Carefully read and examine security popups on the web before clicking. Scammers use deceptive popup ads on desktop and mobile browsers that look like legitimate alerts. To avoid being linked to an attack site, watch for typos, odd grammar, and grainy images.
7) Use an ad-blocker. Drive-by download attacks often use online ads to upload infections. Using an ad blocker can help reduce your exposure to this type of attack.
Dropper—A program or malware component that has been designed to "install" some sort of malware (ransomware, backdoor, etc.) to a target system. The dropper may download the malware to the target machine once it is received from the command and control server or from other remote locations.
A dropper acts as a carrier or delivery vehicle for the file that is to be dropped, which is referred to as the dropper's payload. The payload is usually stored in the dropper's body as a compressed file.
Droppers are almost always used to deliver harmful programs. It was once common to see droppers delivering viruses, but it is now more usual to see them drop trojans.
Dropping the payload
When the dropper is run, it extracts the compressed file from its body and drops it, or saves it onto the computer or device. The dropper may also run the dropped file to install it onto the computer or device.
A dropper can drop more than one file as its payload. Many droppers will also drop images or videos, which are used as decoys and displayed to the user to distract them from any overt actions that the other dropped files may perform.
Droppers are most frequently Trojans — programs that appear to be or include an application that is valuable to the user. A typical example is a key generator (or keygen) for a pirated copy of a commercial software suite.
How droppers work
In most cases, droppers do not perform any malicious functions. The primary purpose of a dropper is to install other malicious tools — its so-called payload— on the target device without the victim noticing. Unlike a downloader, which receives the necessary components from the attackers’ server, a dropper already contains them. Upon launch, it extracts the payload and saves it to device memory. A dropper can also launch malware installers.
What droppers can carry
A dropper’s payload usually includes more Trojans. Some droppers contain only one malicious program, but most carry several malware tools. The items are not necessarily interconnected and may serve different purposes. They may even be developed by different hacker groups. They can also contain harmless files meant to mask the installation of malware.
As a rule, droppers carry known Trojans that the target device’s security features would otherwise block. They impede malware detection at the downloading stage and neutralize system defenses before installing their payload. The neutralization mechanism depends on the target operating system type. For example, droppers for Windows typically deactivate User Account Control (UAC), which notifies users about any attempts to perform actions affecting critical system elements.
Dropper types
Droppers can be persistent or nonpersistent.
1) Persistent droppers copy themselves to a hidden file and can reinstall themselves if removed.
2) Nonpersistent droppers uninstall themselves from the infected device upon payload installation.
Exploit Kit—A software kit designed to run on web servers with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.
Examples: lord ek, rig, grandsoft, sweetorange, angler
Exploit kits are automated threats that use compromised sites to divert web traffic, scan for vulnerable browser-based applications, and run malware.
Exploit kits or exploit packs refer to a type of hacking toolkit that cybercriminals use to take advantage of vulnerabilities in systems/devices so they can distribute malware or do other malicious activities. They normally target popular software such as Adobe Flash®, Java™, and Microsoft Silverlight®.
A typical exploit kit usually provides a management console, a bunch of vulnerabilities for different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.
How exploits and exploit kits work
Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.
Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.
Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications (Adobe Reader, etc.) for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers. While the process of becoming exploited by one of these kits will vary, the procedure usually goes a bit like this:
1)A victim visits a website whose server has been hacked by cybercriminals.
2)The victim is redirected through various intermediary servers.
3)The victim lands at a rogue server hosting the exploit kit.
4)The exploit kit gathers information on the victim and determines the exploit to deliver.
5)The exploit is delivered.
6)If the exploit succeeds, a malicious payload (a custom malware program) is downloaded to the victim's computer and executed.
Several notable threats, including WannaCry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
Examples of exploit kits:
1)Angler / Axpergle
2)Neutrino
3)Nuclear
How we name exploits
We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778. The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
You can read more on the CVE website.
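As an added example (not code from the original page or from any vendor's encyclopedia), the following Python parses detection names of the "Exploit:<platform>/<CVE id>.<variant>" form shown above and validates the CVE identifiers they carry. The CVE syntax it checks is the published one: a four-digit year and a sequence number of at least four digits (longer sequences have been allowed since 2014). Treating the variant suffix as optional and capping years at 2100 are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number.
# The sequence has at least four digits; since the 2014 syntax change it may be longer.
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
# Loose pattern for pulling CVE ids out of free text (advisories, detection logs).
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Detection-name layout as shown on the page: Exploit:<platform>/<CVE id>.<variant>.
# Treating the ".<variant>" suffix as optional is an assumption for this example.
EXPLOIT_NAME_RE = re.compile(
    r"^Exploit:(?P<platform>[A-Za-z0-9_]+)/(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?$",
    re.IGNORECASE,
)
FIRST_CVE_YEAR = 1999  # the CVE list started with CVE-1999-xxxx entries


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: sequence zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text: str, max_year: int = 2100) -> Optional[CveId]:
    """Return a CveId for a syntactically valid identifier, or None."""
    m = CVE_RE.match(text.strip().upper())
    if not m:
        return None
    year = int(m["year"])
    if not FIRST_CVE_YEAR <= year <= max_year:  # max_year is an assumed sanity bound
        return None
    return CveId(year, int(m["seq"]))


@dataclass(frozen=True)
class ExploitName:
    platform: str
    cve: CveId
    variant: Optional[str]


def parse_exploit_name(name: str) -> Optional[ExploitName]:
    """Split "Exploit:Java/CVE-2013-1489.A" into platform, CVE id and variant."""
    m = EXPLOIT_NAME_RE.match(name.strip())
    if not m:
        return None
    cve = parse_cve(m["cve"])
    if cve is None:
        return None
    variant = m["variant"].upper() if m["variant"] else None
    return ExploitName(m["platform"], cve, variant)


def find_cves(text: str) -> List[str]:
    """Extract every CVE id mentioned in free text, canonicalised and de-duplicated in order."""
    seen, out = set(), []
    for raw in CVE_IN_TEXT_RE.findall(text):
        cve = parse_cve(raw)
        if cve and str(cve) not in seen:
            seen.add(str(cve))
            out.append(str(cve))
    return out
```

Canonicalising through parse_cve means "cve-2016-0778" and "CVE-2016-0778" collapse to one key, which matters when correlating vendor detection names against an advisory feed.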
Fast Flux Botnet—Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and countermeasures.
What is a Fast Flux network and how does it work?
The term Fast Flux can refer to those networks used by several botnets to hide the domains used to download malware or host phishing websites. It can also refer to a type of network similar to a P2P network used to host both the command and control (C&C) centers or proxies used by these botnets, making them difficult to find and even more difficult to dismantle.
The basic concept of a Fast Flux network is having multiple IP addresses associated with a domain name and constantly changing them in quick succession. In the case of Avalanche, for example, more than 800,000 malicious domains used by criminals have been discovered since it appeared in 2009, with IP addresses being changed within periods as short as five minutes, so that repeated requests for the same attacker-controlled website were answered by different machines.
Most machines that make up this type of network are not actually responsible for hosting and downloading malicious content for victims. This task is reserved for a few machines that act as servers of this malicious content; the rest just act as redirectors that help to mask the real addresses of these systems controlled by criminals.
And to complicate matters even further, criminals ensure that the critical systems in their network have the highest possible availability and bandwidth, and even deploy load-balancing systems to handle all of the requests to download malicious content generated by their victims’ systems. Another common practice is to review the network status at regular intervals in order to discard any inaccessible nodes and to ensure that their malicious content is still active and downloading.
Types of Fast Flux networks
There are two main types of Fast Flux networks:
1. Single Flux networks
A Single Flux network is characterized by multiple individual nodes registering and deregistering their IP addresses as part of the DNS A (address) record for a single domain name. These registrations have a very short lifespan (five minutes on average) and create a constantly changing flow of IP addresses when attempting to access a specific domain.
The large number of nodes ready to register their IP addresses ensures that when one or more of them drop, others quickly take their place. Moreover, the domains used are usually hosted on “bulletproof” servers that some providers offer their clients, which ensures that any orders from law enforcement agencies to take down that domain will be ignored.
2. Double Flux networks
This type of network uses components and methods of establishing connections between the victim's system and the criminals' systems that are similar to those of the previous type, but it is more sophisticated in that it has an additional layer that makes it difficult to locate the machine actually serving the malware. In this case, zombie computers that are part of the botnet are used as proxies, which prevent the victim from interacting directly with the servers hosting and serving the malware and make those servers difficult to locate. Essentially, it is an additional concealment measure that criminals use to keep their infrastructure running for longer.
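The single-flux behaviour described above (many addresses for one name, each answer living only a few minutes) leaves a signature in resolver logs that a defender can score. The Python below is an added example, not part of the original page or of any vendor's product: it aggregates constructed resolver log lines of the form "<timestamp> <name> <ttl> <answer ip>" per domain and flags names that combine a short TTL, many distinct addresses and addresses spread over several /16 prefixes. The thresholds, the log format and the use of /16 prefixes as a stand-in for ASN diversity are assumptions; a CDN also answers with short TTLs and several addresses, which is why no single indicator is used on its own.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of resolver log lines: "<timestamp> <qname> <ttl> <answer ip>".
# Addresses come from the RFC 5737 documentation ranges; the names are invented.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z update-check.example 300 192.0.2.10
2024-05-01T10:05:00Z update-check.example 300 198.51.100.7
2024-05-01T10:10:00Z update-check.example 240 203.0.113.3
2024-05-01T10:15:00Z update-check.example 300 192.0.2.55
2024-05-01T10:20:00Z update-check.example 300 198.51.100.81
2024-05-01T10:25:00Z update-check.example 300 203.0.113.200
2024-05-01T10:30:00Z update-check.example 300 192.0.2.99
2024-05-01T10:35:00Z update-check.example 300 198.51.100.150
2024-05-01T10:00:00Z www.example.org 60 198.51.100.20
2024-05-01T10:05:00Z www.example.org 60 198.51.100.21
2024-05-01T10:10:00Z www.example.org 60 198.51.100.20
2024-05-01T10:00:00Z mail.example.com 3600 203.0.113.50
"""


@dataclass
class DomainStats:
    lookups: int = 0
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)  # /16 for IPv4, /32 for IPv6
    min_ttl: Optional[int] = None


def parse_resolution_log(text: str) -> Dict[str, DomainStats]:
    """Aggregate answers per queried name: distinct addresses, prefixes and the lowest TTL seen."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, qname, ttl, ip = line.split()
        addr = ipaddress.ip_address(ip)
        prefix_len = 16 if addr.version == 4 else 32
        network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        s = stats[qname.lower().rstrip(".")]
        s.lookups += 1
        s.ips.add(str(addr))
        s.prefixes.add(str(network))
        ttl_val = int(ttl)
        s.min_ttl = ttl_val if s.min_ttl is None else min(s.min_ttl, ttl_val)
    return dict(stats)


def flux_indicators(s: DomainStats, max_ttl: int = 300, min_ips: int = 5,
                    min_prefixes: int = 3) -> List[str]:
    """Return the fast-flux indicators a domain satisfies (thresholds are illustrative)."""
    hits = []
    if s.min_ttl is not None and s.min_ttl <= max_ttl:
        hits.append(f"short TTL ({s.min_ttl}s)")
    if len(s.ips) >= min_ips:
        hits.append(f"{len(s.ips)} distinct IPs")
    if len(s.prefixes) >= min_prefixes:
        hits.append(f"{len(s.prefixes)} distinct /16 prefixes")
    return hits


def flag_fast_flux(stats: Dict[str, DomainStats]) -> Dict[str, List[str]]:
    """Flag only names that satisfy all three indicators, which keeps single-network CDNs out."""
    flagged = {}
    for domain, s in stats.items():
        hits = flux_indicators(s)
        if len(hits) == 3:
            flagged[domain] = hits
    return flagged
```

Run over the sample, only update-check.example is flagged; www.example.org trips the TTL indicator alone, which is the usual CDN pattern. In production the prefix check should be replaced by an ASN or country lookup, and the window over which addresses are counted should be bounded, since legitimate anycast services also accumulate addresses over days.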
Loader—Malware or malicious code used in the loading of a second-stage malware payload onto a victim's system. The loader is able to hide a malware payload inside the actual loader code instead of contacting a remote location to download a second-stage payload.
Examples: smokeloader, jasperloader, buer, guloader
A fast-spreading malware-as-a-service offering could be providing an alternative to other well-known malware loaders like Emotet and BazarLoader, experts have warned.
Dropper malware becomes more popular as hackers turn to quieter attack techniques to avoid detection.
The tenacious loader malware called Brushaloader is growing more menacing, showing no signs of abatement despite best efforts by security professionals. First identified in June 2018, the Brushaloader malware is now more pervasive, stealthy and growing in popularity faster than ever before.
New insights come from Proofpoint, which said on Monday that threat actors are increasingly turning to loader malware and targeting PCs to deliver a number of different malware payloads, such as the versatile DataBot. The goal is to use Brushaloader as a springboard to infect systems quietly in order to deliver more aggressive secondary-stage payloads.
Researchers said loader malware, sometimes called dropper malware, is becoming a more popular tool for adversaries. While loaders lack the panache of more aggressive attacks, their virtue to criminals is the stealth in which they operate.
Key features of the Elite Malware Loader include:
[+] Coded in pure WinAPI C++/Asm.
[+] Build size: 11 kb
[+] Protocol encrypted with dynamic key
[+] Random file names
[+] Resident
[+] Works in Windows XP SP1/2/3, Vista
[+] URL encrypted in build
[+] Firewall bypass: Windows Firewall, Outpost, McAfee
[+] Can execute multiple commands simultaneously
[+] Can be used after execution, without reboot
Malvertising—Injects malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.
Example: hookads
Malvertising is an attack in which perpetrators inject malicious code into legitimate online advertising networks. The code typically redirects users to malicious websites.
The attack allows perpetrators to target users on highly reputable websites, e.g., The New York Times Online, The London Stock Exchange, Spotify and The Atlantic, all of which have been exposed to malvertising.
The online advertising ecosystem is a complex network that involves publisher sites, ad exchanges, ad servers, retargeting networks and content delivery networks (CDNs). Multiple redirections between different servers occur after a user clicks on an ad. Attackers exploit this complexity to place malicious content in places that publishers and ad networks would least expect.
Malvertising vs. Ad malware
Malvertising is often confused with ad malware or adware—another form of malware affecting online advertisements.
Adware is a program running on a user’s computer. It’s usually packaged with other, legitimate software, or is installed without the user’s knowledge. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.
Differences between malvertising and ad malware include:
1)Malvertising involves malicious code which is initially deployed on a publisher’s web page. Adware, however, is only used to target individual users.
2)Malvertising only affects users viewing an infected webpage. Adware, once installed, operates continuously on a user’s computer.
How malvertisements affect web users
Malvertising might perform the following attacks on users viewing the malvertisement without clicking it:
1)A “drive-by download” — installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible by browser vulnerabilities.
2)Forced redirect of the browser to a malicious site.
3)Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing JavaScript.
Malvertising can do the following when users actually click a malicious ad:
1)Execute code that installs malware or adware on the user’s computer
2)Redirect the user to a malicious website, instead of the target suggested by the ad’s content
3)Redirect the user to a malicious website very similar to a real site, which is operated by the attacker—a phishing attack
How malvertisements affect publishers
The threat to publishers is damaged reputation, loss of traffic and revenues, and legal liability to damages caused to users visiting their sites.
While publishers are aware of the problem, they find it difficult to test for or block malicious ads. Ad networks serve ads from millions of advertisers, and display ads dynamically according to real-time bidding, making it very difficult to test all the ads that are actually shown to users.
Examples: How malware is inserted into ads
Attackers use several delivery mechanisms to insert malicious code into ads:
Malware in ad calls— when a website displays a page that contains an ad, the ad exchange pushes ads to the user via many third parties. One of these third party servers may be compromised by an attacker, who can add malicious code to the ad payload.
Malware injected post-click— when the user clicks on an ad, they are typically redirected between several URLs, ending with the ad landing page. If an attacker compromises any of the URLs along this delivery path, they can execute malicious code.
Malware in ad creative— malware can be embedded in a text or banner ad. For example, in HTML5 it is possible to deliver an ad as a combination of images and JavaScript, which might contain malicious code. Ad networks that deliver ads in Flash (.swf) format are especially vulnerable.
Malware within a pixel— pixels are code embedded in an ad call or landing page, which send data to a server for tracking purposes. A legitimate pixel only sends data. If an attacker intercepts a pixel’s delivery path, it can send a response, containing malicious code, to the user’s browser.
Malware within video— video players do not protect against malware. For example, a standard video format called VAST contains pixels from third parties, which could contain malicious code. Videos can infect users by displaying a malicious URL at the end of the video.
Malware within Flash video— videos based on Flash can inject an iframe into the page, which downloads malware, even without having the user click on the video. Flash files might also load a pre-roll banner (a static image that the user can view while the file is loading). Attackers can inject malicious code into the pre-roll banner, and it can run even without the user clicking on the video.
Malware on a landing page— even on legitimate landing pages served by reputable websites, there may be clickable elements that execute malicious code. This type of malware is particularly dangerous because users click an ad, land on a real, legitimate landing page, but are infected by a malicious on-page element.
How can end-users help mitigate malvertising?
1)Antivirus software can protect against some drive-by downloads or malicious code executed by malvertising.
2)Ad blockers offer good protection against malvertising, because they block all ads, together with their malicious elements.
3)Avoiding the use of Flash and Java can protect users from many vulnerabilities that are commonly exploited by malvertising.
4)Updating browsers and plugins can prevent many malvertising attacks, in particular those which operate before the user clicks the ad.
How can publishers help mitigate malvertising
1)Carefully vet ad networks and inquire about ad delivery paths and security practices.
2)Scan ad creative intended for display to discover malware or unwanted code.
3)If possible, enforce a policy of only showing specific file types in an ad frame (JPG, PNG, etc.) without allowing JavaScript or other code.
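Points 2 and 3 of the publisher list above (scan the creative, allow only static image types) can be turned into a pre-flight check. The Python below is an added example and not code from the original page or from any ad platform: it takes a creative as a set of named assets plus optional markup and a click URL (a constructed layout, since real ad-serving formats differ), enforces an image-only allow list, verifies that each file's magic bytes match its extension (a mislabelled HTML file is a common way to slip script into an image slot), and rejects script, iframe, object and embed tags, javascript: URLs, inline event handlers and .swf references. It is a static check; it does not follow the post-click redirect chain described earlier, which needs dynamic analysis.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# File types a publisher may allow in an ad frame, with the magic bytes each must start with.
# Anything else (HTML5 bundles, .swf, scripts) is rejected under the static-image policy.
ALLOWED_TYPES: Dict[str, tuple] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Active content the policy forbids in markup or smuggled inside "image" data (heuristic).
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*(script|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=|\.swf\b",
    re.IGNORECASE,
)


@dataclass
class Creative:
    """An ad creative as submitted to the publisher (constructed layout for this example)."""
    name: str
    assets: Dict[str, bytes]   # file name -> file content
    markup: str = ""           # optional HTML wrapper supplied with the creative
    click_url: str = ""


def check_creative(c: Creative) -> List[str]:
    """Return policy findings; an empty list means the creative passed the static checks."""
    findings: List[str] = []
    for fname, data in c.assets.items():
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext not in ALLOWED_TYPES:
            findings.append(f"{fname}: file type '{ext or 'none'}' not allowed")
            continue
        if not data.startswith(ALLOWED_TYPES[ext]):
            # Extension says image, content does not: classic way to smuggle HTML/JS
            findings.append(f"{fname}: content does not match .{ext} magic bytes")
        if ACTIVE_CONTENT_RE.search(data.decode("latin-1")):
            findings.append(f"{fname}: active content found inside image data")
    m = ACTIVE_CONTENT_RE.search(c.markup)
    if m:
        findings.append(f"markup: active content '{m.group(0)}' not allowed")
    if c.click_url and not c.click_url.lower().startswith("https://"):
        findings.append(f"click URL must be https, got '{c.click_url}'")
    return findings


# Constructed creatives: one clean banner, one HTML file labelled as PNG, one HTML5 bundle.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_CREATIVES = [
    Creative("clean-banner", {"banner.png": PNG_SIG + b"\x00" * 32},
             click_url="https://advertiser.example/landing"),
    Creative("mislabelled-html",
             {"banner.png": b"<html><script src='//cdn.example/x.js'></script>"},
             click_url="https://advertiser.example/"),
    Creative("html5-bundle",
             {"banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16, "ad.html": b"<div>hi</div>"},
             markup="<img src='banner.jpg' onload='track()'>",
             click_url="http://advertiser.example/"),
]


def scan_all(creatives: List[Creative]) -> Dict[str, List[str]]:
    """Map each creative name to its findings, for a review queue or an automated reject."""
    return {c.name: check_creative(c) for c in creatives}
```

The magic-byte check is the part worth keeping even where HTML5 creatives must be allowed: a file that claims to be an image but parses as markup should never be served, whatever the rest of the policy says.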
Mobile Trojan—A trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.
Examples: roaming mantis, cerberus, kbuster, x-agent, asacub
Newly Seen Domains—Domains that are newly seen in our DNS logs that we have never seen lookups for in the past. Once a NSD is first seen, it's added to a list where eventually it will expire and no longer be ‘newly seen’. New domains are often 'spun-up' as part of new malware campaigns. However, a significant portion of the domains that are categorized as ‘newly seen’ will not, in fact, be malicious and detections of good domains are expected to occur with this security category.
New domains are created and published every day as part of the Domain Name System (DNS) – but not all of them are created for legitimate purposes. Bad actors use new domains for criminal activities such as spam, malware distribution or botnets within minutes of creating them.
Security teams need real-time information regarding new domain usage so that they can apply rules to block access until security providers have time to analyze the domains – and threats can be avoided. Security analysts don’t have a way to gather and analyze this information in a timely manner because it is broadly distributed across name servers around the world.
Point-of-Sale Malware—Used by cybercriminals to target point of sale terminals with the intent to obtain credit card and debit card information by reading the device memory from the retail checkout point of sale system.
Examples: rtpos, dexter, backoff
What are PoS devices?
A PoS device is designed to complete a retail transaction. It calculates the amount customers must pay for their purchases and provides options for customers to make that payment. PoS devices are connected to the Internet so that sellers can authorize transactions.
Most PoS devices run on some variant of Windows or Unix. The decision to run on Windows could be seen as an advantage: it is easier to run, maintain, and develop apps for devices running Windows. On the flip side, it also means that malware can run on these systems, since they are essentially stripped-down computers.
How does PoS malware work?
The goal of PoS malware is to steal information related to financial transactions, including credit card information.
However, because of the nature of PoS devices, the routines of PoS malware differ from those of other data-stealing malware. The payment card industry uses a set of security standards that enforce end-to-end encryption of sensitive payment data—which comes from the card's magnetic stripe or chip—when it is transmitted, received or stored. Decryption occurs only in the PoS device's random-access memory (RAM), where the data is processed. PoS malware specifically targets the RAM to steal the unencrypted information—a process called "RAM scraping."
In order to perform RAM scraping, PoS malware often looks for security lapses to enter the system, such as default login credentials or compromised partner systems. Once inside, the PoS malware can select which data to steal and upload it to a remote server. It comes as no surprise, then, that most PoS malware comes equipped with backdoor and command-and-control features.
PoS malware does come with limitations. The stolen information cannot be used to make purchases online: the magnetic stripe and the chip do not contain the CVV2—the three-digit code on the card that is required for online shopping. To use the stolen information, a person has to physically clone the credit card.
Notable PoS Malware
PoS malware received a lot of attention from the public after it was revealed that US retailer Target suffered a massive data breach that affected an estimated 110 million customers—nearly a third of the US population. Analysis indicated that the malware involved in this breach is detected as TSPY_POCARDL.AB and TSPY_POCARDL.U. Security researchers believe this malware is part of the BlackPOS/Kaptoxa malware family.
Another PoS malware family that gained notoriety is the DEXTER PoS family. Reports of this family surfaced around the end of 2012. This malware was said to be found in PoS systems of popular establishments, hotels, and other businesses.
Ransomware—Malware that installs covertly on a user's computer, encrypts files, and demands a ransom be paid to decrypt the files or to prevent the attacker from publishing any data publicly.
Examples: avcrypt, locky, petya, wastedlocker, wannacry
Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message or website. It has the ability to lock a computer screen or encrypt important, predetermined files with a password.
Examples of Ransomware
Scareware is the simplest type of ransomware. It uses scare tactics or intimidation to trick victims into paying up. It can come in the form of fake antivirus software in which a message suddenly appears claiming your computer has various issues and an online payment is necessary to fix them!
History of Ransomware
The first cases were reported in Russia in 2005. However, since then, the scams have spread throughout the world, with new types still successfully targeting victims. In September 2013, CryptoLocker surfaced and targeted all versions of Windows! It has successfully infected hundreds of thousands of personal computers and business systems. Victims unknowingly opened up emails impersonating customer support services from FedEx, UPS, DHS and other companies. Once activated, the malware's onscreen timer demanded an average payment of $300 within 72 hours. Some versions affected local files and removable media. The United States Computer Emergency Response Team warned the malware had the ability to jump from machine to machine and advised infected computer users to immediately remove infected machines from their networks.
Remote Access Trojan (RAT)—Malware that allows covert surveillance or unauthorized access to a compromised system. RATs make use of specially configured communication protocols. The actions performed vary but follow typical trojan techniques of monitoring user behavior, exfiltrating data, lateral movement, and more.
Examples: gravityrat, khrat, imminent monitor, loda, parallax
What is a RAT?
In the late 1990s, when the internet was still young, it was common for tech-savvy kids to scare their friends by controlling their PCs remotely. They would eject the CD tray, swap the mouse buttons, or change the desktop colors. To the unwitting user, it looked like a ghost was taking over the machine.
Those were the years that marked the birth of remote access Trojans (RATs), malicious software that allows an attacker to gain unauthorized access to a victim’s computer over the internet. RATs are typically installed without user consent and remain hidden to avoid detection.
This sets them apart from a benign type of software with a somewhat similar name, Remote Access/Administration Tool. This category includes programs such as TeamViewer or LogMeIn that are legitimately used by system administrators, as well as by teenagers trying to fix their grandparents' PCs.
It’s the malicious remote access software that interests security researchers Veronica Valeros and Sebastian García at the Czech Technical University in Prague. The two have spent the last few years trying to analyze the evolution of this type of malware, studying no less than 337 well-known families, looking at things such as functionalities, quality of the software, and purpose.
Valeros said during a Virus Bulletin 2020 presentation that the number of RAT families grew rapidly in recent years. She counted more than 250 RATs that surfaced in the 2010s as opposed to just 70 in the 2000s. “The number of RATs really, really took off,” Valeros said. “While most of the previous ones were focusing on Windows, we saw some diversity—other platforms like Mac, Linux, and Android were being supported.”
While ransomware families come and go, RATs are known for their longevity and reemergence, says another researcher, Lindsay Kaye, the director of operational outcomes for Insikt Group at Recorded Future. “Some of the RATs have been out for ten years now, and they're still getting used,” she says. “They kind of go down a little bit, and then they come back.”
RATs have become essential for any type of cybercriminal activity, being used by cybercriminals, nation-state hackers, as well as stalkers. The market has matured. RATs have come a long way since NokNok knocked on Windows computers and launched this new chapter in computer security history.
A malicious program that remotely accesses infected resources.
Trojans of this type are among the most dangerous because they open up all kinds of opportunities for remote control of the compromised system.
RAT capabilities usually include program installation and removal, file manipulation, reading data from the keyboard, webcam hijacking, and clipboard monitoring.
Rootkit—A collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
What Is a Rootkit?
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a combination of the two words "root" and "kit." Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the administrator account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms and viruses – that conceals its existence and actions from users and other system processes.
What Can a Rootkit Do?
A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.
Rootkit Detection
It is difficult to detect rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavioral-based methods (e.g., looking for strange behavior on a computer system), signature scanning and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.
Rootkit Protection
Many rootkits penetrate computer systems by piggybacking with software you trust or with a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities. This includes patches of your OS, applications and up-to-date virus definitions. Don't accept files or open email file attachments from unknown sources. Be careful when installing software and carefully read the end-user license agreements.
Well-Known Rootkit Examples
1)Lane Davis and Steven Dake – wrote the earliest known rootkit in the early 1990s.
2)NTRootkit – one of the first malicious rootkits targeting the Windows OS.
3)HackerDefender – this early Trojan altered/augmented the OS at a very low level of function calls.
4)Machiavelli – the first rootkit targeting Mac OS X, which appeared in 2009. This rootkit creates hidden system calls and kernel threads.
5)Greek wiretapping – in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE PBX.
6)Zeus – first identified in July 2007, a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
7)Stuxnet – the first known rootkit for industrial control systems.
8)Flame – computer malware discovered in 2012 that attacks computers running the Windows OS. It can record audio, screenshots, keyboard activity and network traffic.
Types of rootkits
We classify rootkits according to the place of their injection: a rootkit may reside in an application, the kernel, the hypervisor or the hardware. The list below is ordered from the easiest to inject, detect and remove to the most sophisticated and hardest to detect and remove.
• Applications
Simple rootkits run in user-mode and are called user-mode rootkits. Such rootkits modify processes, network connections, files, events and system services. It is the only type of rootkit that could be detected by a common antivirus application.
• Kernel
Rootkits that run in the kernel, also known as kernel-mode rootkits, can alter the entire operating system. Such modifications to the kernel aim at concealing the compromise, which makes detecting a kernel rootkit extremely hard. Different techniques exist to alter a system's kernel.
• Hypervisor
A hypervisor rootkit takes advantage of the hardware virtualization and is installed between the hardware and the kernel acting as the real hardware. Hence, it can intercept the communication/requests between the hardware and the host operating system. Common detection applications that run in user or kernel mode are not effective in this case as the kernel may not know whether it is executed on the legitimate hardware.
• Firmware / Hardware
Firmware is a small piece of low-level software that controls a device. It is tiny and in most cases updateable, even though it is not modified often. A firmware rootkit can alter the firmware of hardware components that run firmware code to perform specific functions, such as the BIOS, CPU and GPU. Since only advanced rootkits could reach from the kernel level down to the firmware level, firmware integrity checks are performed very rarely.
Detection mechanisms
Detection of rootkits is considered a complicated problem in computer security, but also depends on the level of sophistication in each particular case. Like in other malware detection mechanisms, signature and behavioural based techniques are utilized. Other techniques used for detection of rootkits are the diff-based analysis and integrity checks. There is no single application that could detect and remove all kinds of rootkits as the area they might reside could be completely different, software or hardware. In most cases, a rootkit can be removed only by rebuilding the compromised system.
• Signature-Based
This is the most common technique for malware detection. However, it is the least efficient, as it is only effective against rootkits that have already been detected and are widespread. Signatures from known rootkits are used to detect whether any of them exist on a system.
• Behavioural-Based
These detectors identify abnormal behaviour on a computer system based on heuristics and behavioural patterns. These patterns are derived from activities typically found in rootkits. The advantage of the behavioural-based technique over the previous one is that it may detect previously unknown rootkits.
• Diff-Based / Cross view
The Diff-Based or Cross view approach is used mostly to detect kernel-mode rootkits by comparing two different views of the system for the same information by traversing the data structures. In this case, the rootkit detector will get a view of the system and a view obtained from system utilities and then compare them. A difference in the results returned by the two approaches signals the presence of a rootkit.
• Integrity check
Integrity checks can be performed on a system to check for unauthorized code alteration in system files. First, a one-way hash function is run over every system file while the system is still clean, and the resulting hashes are kept as a baseline. When the need arises, the baseline hashes are compared against the hashes of the current versions of the files.
Scareware—Malicious software or websites that use social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Scareware misleads users by using fake alerts to trick them into believing there is malware on their computer and manipulates them into paying money for a fake malware removal tool or allowing an entity remote access to their system to clean the malware. Instead of remediation, the software or remote entity delivers malware to the computer.
Scareware is malicious software that tricks computer users into visiting malware-infested websites. Also known as deception software, rogue scanner software or fraudware, scareware may come in the form of pop-ups. These appear as legitimate warnings from antivirus software companies, and they claim your computer's files have been infected. They are so cleverly done that users are frightened into paying a fee to quickly purchase software that will fix the so-called problem. What they end up downloading, however, is fake antivirus software that is actually malware intended to steal the victim's personal data.
Fraudsters also use other tactics, such as sending out spam mail to distribute scareware. Once that email is opened, victims are then fooled into buying worthless services. According to Kaspersky Lab, falling for these scams and releasing your credit card information opens up the door for future identity theft crimes.
Aggressive Scams
Reputable antivirus vendors don't solicit such data through scare tactics. But cybercriminals are well aware that many people don't know that. The FBI and various international law enforcement organizations continue to investigate these extremely aggressive criminal rings. One international cybercrime case investigated by the U.S. Department of Justice, for example, involved a crime ring that allegedly stole $71 million through software schemes.
Scareware follows a common pattern. Pop-ups suddenly warn you that dangerous files or porn have been found on your computer and will continue to pop up until you click on buttons that "remove all threats" or you are asked to register for antivirus software. If the antivirus message isn't from a program you had installed — don't click on anything. It's best to turn off the machine. Antivirus software can also scan for these sophisticated threats.
Sinkhole—A DNS server that gives out false information to prevent the use of the domain names it represents. Traffic is redirected away from its intended target. DNS sinkholes are often used to disrupt botnet command and control servers.
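What "gives out false information" means on the wire, as an added Python example that is not code from the original page or from any DNS product: a minimal UDP responder that parses a standard query, answers A lookups for blocklisted names (and their subdomains) with an address the defender controls, and returns None for everything else so that a caller can forward those upstream. The blocklist, the sinkhole address (from the RFC 5737 documentation range) and the 60-second TTL are constructed values; upstream forwarding is deliberately left out. The real value of a sinkhole is the log line it produces: every client that asks for a blocked name is a host worth investigating.

```python
import socket
import struct
from typing import Optional, Tuple

SINKHOLE_IP = "192.0.2.1"      # constructed: a host the defender controls (documentation range)
SINKHOLE_TTL = 60
BLOCKED_ZONES = {"c2.example", "phish.example"}   # constructed; real lists come from threat intel


def is_sinkholed(qname: str) -> bool:
    """True if qname or any parent name is on the blocklist (so beacon.c2.example is caught)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_ZONES for i in range(len(labels)))


def _read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed DNS name starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (used here to exercise the responder offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def sinkhole_response(query: bytes) -> Optional[bytes]:
    """Return a forged answer for blocked names, or None so the caller can forward upstream."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, offset = _read_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[offset:offset + 4])
    if not is_sinkholed(qname):
        return None
    question = query[12:offset + 4]
    answer = b""
    if qtype == 1:  # A record: point the client at the sinkhole host
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, SINKHOLE_TTL, 4)
                  + socket.inet_aton(SINKHOLE_IP))
    # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0. Other qtypes get an empty NOERROR answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def answered_address(response: bytes) -> Optional[str]:
    """Pull the A record out of a response produced above (for checks and tests)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _qname, offset = _read_name(response, 12)
    offset += 4      # skip qtype/qclass of the echoed question
    offset += 12     # skip name pointer (2) + type/class/ttl/rdlength (10)
    return socket.inet_ntoa(response[offset:offset + 4])


def serve(bind: Tuple[str, int] = ("127.0.0.1", 5353)) -> None:
    """Minimal UDP loop: log every client that hits the sinkhole; upstream forwarding omitted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, client = sock.recvfrom(512)
            reply = sinkhole_response(data)
            if reply:
                print(f"sinkhole hit from {client[0]}: {_read_name(data, 12)[0]}")
                sock.sendto(reply, client)
```

The sinkhole host itself should accept the redirected connections and record them rather than drop them: the connection attempt, its timing and any payload are what turn a blocked lookup into a confirmed infected host.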
Spam—An unwanted, unsolicited message received through email or SMS texts. Spam is sent to many users in bulk. It is often sent through the means of a botnet. Spam can contain advertising, scams, or soliciting. In the case of malspam or malicious spam, it contains malicious attachments or links that lead to malware.
Example: hailstorm
Trojan—Malware used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor, exfiltrate personal information, and can deliver additional malicious payloads.
Examples: geodo, murofet, rovnix, azorult, lokibot
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:
1) Deleting data
2) Blocking data
3) Modifying data
4) Copying data
5) Disrupting the performance of computers or computer networks
Unlike computer viruses and worms, Trojans are not able to self-replicate.
How Trojans can impact you
Trojans are classified according to the type of actions that they can perform on your computer:
Backdoor
A backdoor Trojan gives malicious users remote control over the infected computer. They enable the author to do anything they wish on the infected computer – including sending, receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers to form a botnet or zombie network that can be used for criminal purposes.
Exploit
Exploits are programs that contain data or code that takes advantage of a vulnerability within application software that’s running on your computer.
Rootkit
Rootkits are designed to conceal certain objects or activities in your system. Often their main purpose is to prevent malicious programs from being detected, in order to extend the period during which those programs can run on an infected computer.
Trojan-Banker
Trojan-Banker programs are designed to steal your account data for online banking systems, e-payment systems and credit or debit cards.
Trojan-DDoS
These programs conduct DoS (Denial of Service) attacks against a targeted web address. By sending multiple requests – from your computer and several other infected computers – the attack can overwhelm the target address, leading to a denial of service.
Trojan-Downloader
Trojan-Downloaders can download and install new versions of malicious programs onto your computer – including Trojans and adware.
Trojan-Dropper
These programs are used by hackers in order to install Trojans and / or viruses – or to prevent the detection of malicious programs. Not all antivirus programs are capable of scanning all of the components inside this type of Trojan.
Trojan-FakeAV
Trojan-FakeAV programs simulate the activity of antivirus software. They are designed to extort money from you – in return for the detection and removal of threats – even though the threats that they report are actually non-existent.
Trojan-GameThief
This type of program steals user account information from online gamers.
Trojan-IM
Trojan-IM programs steal your logins and passwords for instant messaging programs – such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many more.
Trojan-Ransom
This type of Trojan can modify data on your computer – so that your computer doesn’t run correctly or you can no longer use specific data. The criminal will only restore your computer’s performance or unblock your data, after you have paid them the ransom money that they demand.
Trojan-SMS
These programs can cost you money – by sending text messages from your mobile device to premium rate phone numbers.
Trojan-Spy
Trojan-Spy programs can spy on how you’re using your computer – for example, by tracking the data you enter via your keyboard, taking screen shots or getting a list of running applications.
Trojan-Mailfinder
These programs can harvest email addresses from your computer.
Other types of Trojans include:
1) Trojan-ArcBomb
2) Trojan-Clicker
3) Trojan-Notifier
4) Trojan-Proxy
5) Trojan-PSW
Worm—Malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.
Examples: conficker, tempedreve
Worm definition
A worm is a form of malware (malicious software) that operates as a self-contained application and can transfer and copy itself from computer to computer.
It's this ability to operate autonomously, without the need for a host file or to hijack code on the host computer, that distinguishes worms from other forms of malware.
Is a worm a virus?
Worm vs. virus — You'll often see the word virus used in a generic sense to refer to any kind of malware, but that's strictly speaking not correct. A computer virus, like its biological counterpart, cannot reproduce or spread of its own accord; instead, it injects its malicious code into existing applications and uses their functionality in order to carry out its mission.
The name worm is meant to indicate that a computer worm is a step up on the ladder of life from a virus. Like a real-life worm, it may be a particularly small and gross life form in its ecosystem, but it contains within itself all the functionality it needs to make copies of itself and move around the environment.
Worm vs. Trojan — A worm is also different from a Trojan, a third form of malware, which needs to trick users into launching an application in order to operate; once a worm has installed itself on your computer, it doesn't need your help to do what it plans to do.
These distinctions are important if you want to stay strictly correct, and we'll aim to use all three names correctly here and elsewhere on CSO. But be aware that many people use virus in an overly broad sense, and so you might see worms referred to as viruses, or even as "worm viruses." Remember: if it can reproduce and copy itself on its own, it's a worm.
How do worms work?
Computer worms make use of some of the deepest and most dangerous vulnerabilities in a victim's computer. Whereas a Trojan uses social engineering techniques to trick you into activating it, and a virus exploits holes in application code to piggyback a ride, a worm finds seams in the computer's operating system that allow it to install and make copies of itself. In order to propagate itself further, it will then follow known holes in networking and file transfer protocols.
As How To Geek explains, this can be a double-edged sword for cybercriminals who want to use worms to do their dirty work. Because worms exploit vulnerabilities in a computer's operating system, a successful infection can offer unparalleled access to the compromised machine's inner workings. But because those vulnerabilities are so serious, they are often patched by operating system vendors fairly quickly, which means that a worm written to take advantage of them might have a relatively short lifespan of usefulness. Still, the sheer number of enterprises and individuals who fail to keep their OSes up to date usually provides a fertile ground for worms to do their work.
How do computer worms spread?
The NotPetya worm, which rampaged across computer systems around the world in 2017, offers a good case study of how worms spread. NotPetya got its first foothold in the world via a backdoor planted in M.E.Doc, a ubiquitous Ukrainian accounting software package; it's widely believed NotPetya was installed via this backdoor by state-sponsored hackers working for Russia as an attack on Ukraine.
But once NotPetya was installed on the computers of M.E.Doc users, it began, like all worms, to reproduce and seek out new victims on its own accord. Once installed on a computer, it took stock of all the other computers its victim had interacted with in the past and figured out how to connect. It spread from computer to computer within networks by taking advantage of EternalBlue and EternalRomance, two exploits developed by the NSA and later stolen by unknown hackers. EternalBlue and EternalRomance broke Microsoft networking security protocols, and while Microsoft had updated its OSes to patch the hole long before 2017, many systems had not been updated. To spread beyond the walls of individual corporate networks, NotPetya used Mimikatz, an exploit that extracts username/password pairs from parts of Windows' memory where they're supposed to be safely hidden.
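The spreading behaviour described above has a network signature a defender can look for: one workstation suddenly opening SMB connections (port 445) to many other internal hosts within a minute or two, which is something no ordinary workstation does. The following is an added detection example (not code from Cisco, CSO or the original page) that scans connection records for that fan-out pattern; the flow log lines, the threshold of five distinct destinations and the 60-second window are constructed for the demo and assume records arrive sorted by time.

```python
"""Detecting worm-like SMB fan-out in flow logs (added example, not from the page).

A worm that spreads over SMB connects to many other hosts on port 445 in a
short time. This scans constructed connection records ("timestamp src dst dport")
and raises one alert per source that reaches FANOUT_THRESHOLD or more distinct
destinations on a watched port within WINDOW_SECONDS. Records are assumed to be
in time order, as a flow exporter would deliver them.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

WATCHED_PORTS = {445, 139}   # SMB / NetBIOS session: the lateral-movement ports in this demo
FANOUT_THRESHOLD = 5         # distinct destinations before alerting (tune per network)
WINDOW_SECONDS = 60          # sliding window length

# Constructed flow records: 10.0.0.5 sweeps the subnet on 445, 10.0.0.7 is quiet.
SAMPLE_FLOWS = """\
2017-06-27T10:15:01Z 10.0.0.5 10.0.0.12 445
2017-06-27T10:15:02Z 10.0.0.5 10.0.0.13 445
2017-06-27T10:15:02Z 10.0.0.7 10.0.0.20 443
2017-06-27T10:15:03Z 10.0.0.5 10.0.0.14 445
2017-06-27T10:15:03Z 10.0.0.5 10.0.0.14 445
2017-06-27T10:15:04Z 10.0.0.5 10.0.0.15 445
2017-06-27T10:15:05Z 10.0.0.5 10.0.0.16 445
2017-06-27T10:15:06Z 10.0.0.5 10.0.0.17 445
2017-06-27T10:18:00Z 10.0.0.7 10.0.0.21 445
"""


def parse_flow(line):
    """Parse 'timestamp src dst dport' into (datetime, src, dst, int port)."""
    ts, src, dst, dport = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport)


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS,
                  ports=WATCHED_PORTS):
    """Return [(src, distinct_destinations, window_start)] with one alert per source."""
    recent = defaultdict(deque)   # src -> deque of (time, dst) still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        when, src, dst, dport = parse_flow(line)
        if dport not in ports:
            continue
        q = recent[src]
        q.append((when, dst))
        # drop records older than the window (input is time-ordered)
        while (when - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(distinct), q[0][0]))
    return alerts


if __name__ == "__main__":
    for src, count, start in detect_fanout(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {src}: {count} distinct SMB destinations since {start.isoformat()}")
```

Counting distinct destinations rather than raw connections is what separates a worm sweep from a busy file server client, which may open many connections to a single host; repeated hits on the same destination (10.0.0.14 above) do not advance the counter. In production the same logic runs over NetFlow, Zeek `conn.log` or firewall logs, and the threshold is set from a baseline of how many SMB peers a normal host in that subnet talks to per minute.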
What damage can a computer worm cause?
A worm may not do any damage at all: in the early days of computing, worms were sometimes designed as larks or proofs of concept to exploit security holes, and did nothing more to infected computers than reproduce themselves in the background. Often the only way to know anything had gone amiss came when the worm made too many copies of itself on a single system and slowed down its operations.
But as OS security improved and writing a worm that could crack it got harder and took more and more resources, worms became a means to an end. Today, worms almost inevitably include payloads — code that carries out some larger mission beyond the reproduction and propagation of the worm itself. For instance, the Mydoom worm, which spread across the internet in 2004, opened up a backdoor that its creators could use to seize control of the infected system. This is a common use for worms: they serve as the thin edge of the wedge that attackers use to gain total access to their victims' machines.
There are many types of computer worms that do all sorts of different kinds of damage to their victims. Some turn computers into "zombies" or "bots" that launch DDoS attacks; others scour their hosts for banking logins or other sensitive financial information; some encrypt the victim’s hard drive and demand a ransom in bitcoin from the user before it will restore their data to a usable state. (NotPetya presents itself as being a ransomware attack of this type, but while it encrypts files and demands payment, it actually has no capacity to decrypt data: it's essentially destroying your data while masquerading as a hostage taker.) In truth, though, these types of payloads aren't unique to worms and can be transmitted by any kind of malware. Petya, a predecessor to NotPetya, is a Trojan, not a worm.
Another way to categorize different types of worm is via their infection vector. These categories include email worms, IM and IRC worms, file-sharing worms, and internet worms that look for ways to spread by any means necessary.
A short list of famous computer worms
Some of the most famous and high-profile malware attacks have been worms. We've already discussed Mydoom and NotPetya; others include:
SQL Slammer, a tiny 376-byte worm that brought down most of the world's SQL servers;
Blaster, a Windows worm that launched DDoS attacks against Microsoft's own servers and infected as many as two billion computers in 2003;
Conficker, a 2008 worm that infected millions of computers and created vast botnets; and
Stuxnet, a worm developed by US and Israeli intelligence in 2010 that targeted Iran's nuclear program and set it back years.
One thing some of the most famous worm attacks have in common is their almost shocking virulence and ability to spread. In fact, like the Morris Worm, many of the worms on this list far outpaced their creators' intentions or ability to control the situation. SQL Slammer was intended as a proof of concept by its creator. The Conficker worm's creators never used the vast botnets they had created because the attack drew so much attention. Stuxnet was smuggled into Iran's Natanz research facility on a USB stick; because the lab was air gapped (not connected to the internet), the worm was never expected to see the light of day. NotPetya was probably created by Russia to wreak havoc in Ukraine, but spread throughout the world — including back to Russia. The truth is that many worms continue to reproduce on old and unpatched computers long after their creators had any use for them. All the more reason to keep your patches up to date.