CFC Week 2: Advanced malware and worldwide SPAM
Learning outcomes
- Describe how users get infected with malware.
- Describe how malware hides and how botnets function.
- Discuss the different ways criminals use malware.
What is an infection vector?
The method malware uses to propagate itself or infect a system or device
List the methods by which users get infected
- Social engineering: users are made to believe that they are installing a useful program instead of a malicious one
  - Common vehicles are:
    - Email attachments
    - Software updates
    - Scareware
- Drive-by download: a vulnerability on the user's computer is exploited to have the computer automatically download and install malicious software
  - Common processes:
    - The user clicks on a link and is redirected to a malicious site
    - Malware is downloaded to the user's computer
    - By exploiting a vulnerability, the malware is executed and spread without the user's interaction
How does the Mebroot malware work?
- It installs itself in the Master Boot Record, where it is executed before the operating system is loaded
- The malware then modifies the operating system as it is loaded and disables the antivirus
What are the differences between instruction reordering and instruction substitution?
- Instruction reordering: the order of the instructions is changed
  - The output is the same
  - The signature is different
- Instruction substitution: different instructions are used which produce the same result
How does modern antivirus software work against instruction reordering/substitution?
It looks for behaviours that are typical of malicious code
What is polymorphic malware?
The malware itself comes encrypted, so each infected file looks different
How do malware authors prevent analysis in the first place?
Malware developers try to detect whether their malware is being analysed and stop execution
How do botnets work?
- A number of computers compromised by an attacker
- bots connect to a botmaster to receive commands
What is fast flux?
Host C&C servers under static domain names, but frequently change the IP addresses behind them
What does a domain generation algorithm (DGA) do?
It constantly changes the domain names of C&C servers; the DGA is used to map domain names to C&C servers
What are remote access tools (RATs)?
- Usually used in commodity malware
- The RAT operator interacts with the victim's machine via a GUI
- Capture audio and video from the device
- Log keyboard inputs
- Browse files on the machine
What are the three main challenges posed by criminals evolving in an arms race?
- Modern malware does not need user interaction to install
- Malware uses advanced techniques to avoid detection
- Botnets are constantly evolving their communication model to become more resilient
Ways of monetising botnets include:
- Send email spam
- Post malicious content on social networks
- Perform advertisement fraud
- Encrypt victim data and ask for ransom
- Steal the victim’s financial information
Differences between legitimate and malicious affiliate programmes
- They deal with products that are illegal
- They endorse criminal promotion techniques (botnets, black-hat SEO)
What is black-hat search engine optimisation (SEO), and how does it work?
To attract victims, malicious websites are pushed high in the search engine ranking for keywords that are unrelated to the website
- Find popular trends on Google
- Generate content related to the trends and link to the malicious site
- Upload the content on a forum, or on compromised websites
What are the two tiers in spam operations?
- Front-end
  - Deals with sending spam emails:
    - Email harvesters
    - Botmasters
    - Spammers
- Back-end
  - Deals with converting spam traffic into money:
    - Affiliate programmes
Actors in the underground economy
- Botmasters
  - Infect computers, create botnets, and rent them out
- Harvesters
  - Crawl the internet looking for valid email addresses
- Search engine optimisation (SEO) experts
  - Make sure that malicious sites are highly ranked on search engines
- Spam affiliate programs
  - Set up sites selling goods; spammers can sign up to these programs and receive their cut