A brief description of malware types

The following classification follows the one used in the CISSP OSG.

1.  Virus:

Viruses are self-replicating executable programs that attach themselves to or within another executable file with the intention of spreading and infecting. By definition, viruses cannot move from computer to computer on their own. Since they are attached to other executable files, they must enter a new host via an infected floppy disk, CD, memory stick or card, or via an e-mail attachment.

1.1 Virus Propagation Techniques
  •   Master Boot Record Viruses

Because the MBR is extremely small (usually 512 bytes), it can't contain all the code required to implement the virus's propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus's payload. Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users.

 

  • File Infector Viruses

Many viruses infect different types of executable files (e.g. .exe or .msc files) and trigger when the operating system attempts to execute them. The propagation routines of file infector viruses may slightly alter the code of an executable program, thereby implanting the code the virus needs to replicate and damage the system. In some cases, the virus might actually replace the entire file with an infected version. Infected files can be found by comparing file sizes and hashes against a known-good baseline.
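The size-and-hash comparison mentioned above, as an added example (not code from the original post or from the CISSP OSG). It records a baseline of size and SHA-256 for watched executables, then reports files whose hash changed (which catches both an appending infector that grows the file and a same-size whole-file replacement), files that appeared, and files that went missing. The watched suffixes and the constructed directory scenario in `demo()` are assumptions for illustration; a stealth virus that subverts the OS file-access functions can feed a scanner a clean copy of an infected file, so a baseline comparison is most trustworthy when run from a known-clean boot medium.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root, suffixes=(".exe", ".dll", ".msc")):
    """Walk root and record the fingerprint of every file with a watched suffix.
    The suffix list is an assumption; adapt it to the platform being monitored."""
    baseline = {}
    root = Path(root)
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            baseline[str(p.relative_to(root))] = file_fingerprint(p)
    return baseline


def compare_baseline(old, new):
    """Classify differences between two baselines.
    modified: (name, old_size, new_size) where size or hash changed
    added:    present now but not in the old baseline
    missing:  present in the old baseline but gone now"""
    report = {"modified": [], "added": [], "missing": []}
    for name, fp in new.items():
        if name not in old:
            report["added"].append(name)
        elif fp != old[name]:
            report["modified"].append((name, old[name][0], fp[0]))
    for name in old:
        if name not in new:
            report["missing"].append(name)
    return report


def demo():
    """Constructed scenario: baseline a directory, then simulate two infection
    styles and one dropped file, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root)
        (d / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)   # 102 bytes
        (d / "tool.exe").write_bytes(b"MZ" + b"\x01" * 200)  # 202 bytes
        (d / "readme.txt").write_bytes(b"not watched")
        before = build_baseline(root)

        # Simulated appending infector: app.exe grows by 40 bytes.
        with open(d / "app.exe", "ab") as f:
            f.write(b"\xcc" * 40)
        # Simulated whole-file replacement: tool.exe keeps its size but changes content.
        (d / "tool.exe").write_bytes(b"MZ" + b"\x02" * 200)
        # A new executable that was not in the baseline.
        (d / "dropped.exe").write_bytes(b"MZ")

        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Note that the same-size replacement of tool.exe is invisible to a size-only check and is only caught by the hash, which is why both values are kept in the baseline.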

  • Macro Viruses

   Many common software applications implement some sort of scripting functionality to assist with the automation of repetitive tasks. These functionalities often use simple yet powerful programming languages such as Visual Basic for Applications (VBA). Although macros do indeed offer great productivity-enhancing opportunities to computer users.

  • Service Injection Viruses

   Recent outbreaks of malicious code use yet another technique to infect systems and escape detection: injecting themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe, and explorer.exe. By successfully compromising these trusted processes, the malicious code is able to bypass detection by any antivirus software running on the host. To protect against this, ensure all software receives its security patches.

1.2 Virus Technologies To Escape Detection
  •  Multipartite Viruses

    Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other. For example, a virus might infect critical COM and EXE files by adding malicious code to each file. This characteristic qualifies it as a file infector virus. Then the same virus might write malicious code to the system's master boot record, qualifying it as a boot sector virus.

  •   Stealth Viruses

   Stealth viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally. For example, a stealth boot sector virus might overwrite the system's master boot record with malicious code but then also modify the operating system's file access functionality to cover its tracks. When the antivirus package requests a copy of the MBR, the modified operating system code provides it with exactly what the antivirus package expects to see: a clean version of the MBR free of any virus signatures. However, when the system boots, it reads the infected MBR and loads the virus into memory.

  •  Polymorphic Viruses

    Polymorphic viruses actually modify their own code as they travel from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system. 

  •  Encrypted Viruses

Encrypted viruses use cryptographic techniques and are quite similar to polymorphic viruses: each infected system has a virus with a different signature. However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk.

Other common malware types

Below are other common types of malware.

2. Logic Bombs

Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, certain keystrokes, and so on. The vast majority of logic bombs are programmed into custom-built applications by software developers seeking to ensure that their work is destroyed if they unexpectedly leave the company.

 

3. Trojan Horses

A software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc (cause major destruction) on a system or network. Trojans differ very widely in functionality. Some will destroy all the data stored on a system in an attempt to cause a large amount of damage in as short a time frame as possible. Some are fairly innocuous.
    Remote access Trojans (RATs) are a subcategory of Trojans that open backdoors in systems that grant the attacker remote administrative control of the infected system. Other Trojans are designed to steal computing power from infected systems for use in mining Bitcoin or other cryptocurrencies (crypto-mining).

Trojan horses generally install on the system as legitimate and useful software that can give unauthorized access to and control of the system to the hackers. (Many office and game applications have been found to contain Trojans.)

Botnets: the Trojan horse made all the infected systems members of a botnet, a collection of computers (sometimes thousands or even millions!) across the internet under the control of an attacker known as the botmaster.

 

4. Worms

Worms pose a significant risk to network security. They contain the same destructive potential as other malicious code objects with an added twist: they propagate themselves without requiring any human intervention.

Worms are malware that spread from computer to computer through a network. They take advantage of security flaws in computers. Furthermore, a worm doesn't need a host program to latch on to in order to multiply its infected code. A worm has the same structure as a virus, but it can spread from one computer to another without any human action.

Major abnormalities a system exhibits when infected by worms are slowing down the system, the appearance of unfamiliar icons, performance degrading, and unusual opening of applications. Additionally, when worms infect a system, it may send and receive random emails.

Code Red Worm

 

5. Stuxnet

In mid-2010, a worm named Stuxnet surfaced on the internet. This highly sophisticated worm uses a variety of advanced techniques to spread, including multiple previously undocumented vulnerabilities. While Stuxnet spread from system to system with impunity, it was actually searching for a very specific type of system: one using a controller manufactured by Siemens and allegedly used in the production of material for nuclear weapons. When it found such a system, it executed a series of actions designed to destroy centrifuges attached to the Siemens controller. (Stuxnet destroyed Iranian uranium-enrichment centrifuges.)

 

6. Spyware and Adware

Spyware monitors your actions and transmits important details to a remote system that spies on your activity. 

    Adware, while quite similar to spyware in form, has a different purpose. It uses a variety of techniques to display advertisements on infected computers.

 

7. Ransomware

Ransomware is a type of malware that weaponizes cryptography. After infecting a system through many of the same techniques used by other types of malware, ransomware then generates an encryption key known only to the ransomware author and uses that key to encrypt critical files on the system’s hard drive and any mounted drives. This encryption renders the data inaccessible to the authorized user or anyone else other than the malware author.

The user is then presented with a message notifying them that their files were encrypted and demanding payment of a ransom before a specific deadline to prevent the files from becoming permanently inaccessible. Some attackers go further and threaten that they will publicly release sensitive information if the ransom is not paid.

 

8. Malicious Scripts

Malicious scripts are also commonly found in a class of malware known as fileless malware. These fileless attacks never write files to disk, making them more difficult to detect.

 

9. Zero-Day Attacks

The existence of zero-day vulnerabilities makes it critical that you have a defense-in-depth approach to cybersecurity that incorporates a varied set of overlapping security controls. These should include a strong patch management program, current antivirus software, configuration management, application control, content filtering, and other protections.

 

10. Rootkits

A rootkit now refers to a type of malicious software that gives continuous access to your device while remaining undetected. Rootkits open a door for other malware, like viruses and keyloggers, to infect your system. 

Rootkits infect your computer system through various tactics, including email phishing, corrupted files, or downloaded software from unsafe websites. Once installed on a device, cybercriminals use rootkits to control the device without its owner noticing. Additional malware can be installed, like keylogging software to track what you type and steal your username and passwords.

A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.

posted @ 2023-03-20 21:08 saaspeter