# Malware Types

* **Malware**
  * is software designed to harm or secretly access a computer system without the owner's informed consent
  * classified by the intent of the creator rather than by specific features
* **Overt channels** - legitimate communication channels used by programs across a system or a network
* **Covert channels** - channels used to transport data in ways the system was not intended to allow
* **Wrappers**
  * programs that allow you to bind an executable of your choice to another program
  * wrappers have their own signatures and can show up in AV scans
* **Crypters** - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products
* **Packers** - use compression to pack the malware executable into a smaller size
* **Exploit Kits** - platforms from which you can deliver exploits and payloads
  * Examples:
    * Infinity
    * Bleeding Life
    * Crimepack
    * Blackhole Exploit Kit
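Packers and crypters leave a file whose body is mostly compressed or encrypted bytes, and that shows up as high byte entropy. The following is an added example, not code from the page, that scores a blob's entropy per window as a packing indicator; the window size, the 7.0 bits/byte threshold and the two sample blobs are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

# Assumed threshold: compressed or encrypted data sits near 8.0 bits/byte,
# while plain machine code and text usually score well below it.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024,
                         threshold: float = HIGH_ENTROPY_THRESHOLD):
    """Return (offset, entropy) for each fixed-size window above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            break  # a tiny trailing chunk has no comparable entropy; skip it
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            hits.append((off, round(entropy, 2)))
    return hits


def looks_packed(data: bytes, window: int = 1024, min_fraction: float = 0.5) -> bool:
    """Flag the blob when at least min_fraction of its windows are high-entropy.
    This is an indicator, not proof: legitimate compressed resources (images,
    embedded archives) score high as well, so treat hits as a triage signal."""
    total_windows = max(1, len(data) // window)
    return len(high_entropy_windows(data, window)) / total_windows >= min_fraction


# Constructed samples (not real malware): repetitive source text standing in for
# an unpacked body, and pseudo-random bytes standing in for a packed/crypted one.
PLAIN_SAMPLE = (b"MZ" + b"int main(void) { return 0; } ") * 120
_rng = random.Random(1234)
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, round(shannon_entropy(blob), 2), looks_packed(blob))
```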

### Trojans

* Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system
  * a method to gain and maintain access to a target machine
  * they are the means of delivery and the backdoor provides the open access
* **Types**
  * **Defacement Trojan**
  * **Proxy server Trojan** - allows an attacker to use the target system as a proxy
  * **Botnet Trojan** - (Chewbacca and Skynet)
  * **Remote Access Trojan** - (RAT, MoSucker, Optix Pro and Blackhole)
    * **Covert Channel Tunneling Trojan (CCTT)** - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams
      * provides an external shell from within an internal environment
  * **E-banking Trojan** - (Zeus and SpyEye)
  * **Command shell Trojan**
    * provide a backdoor to the system that you connect to via a CLI
  * **Common Trojan Ports**

### Monitoring Tools

* **Fport** - reports all open TCP/IP and UDP ports and maps them to the owning applications
* **What'sRunning**
* **TCPView**
* **IceSword**
* **Process Explorer**
* **SysAnalyzer**
* **Tiny Watcher**
* **Active Registry Monitor**
* **Regshot**
* **Tripwire**
* **SIGVERIF**

### Viruses and Worms

* [Viruses](https://marco-vazquez.gitbook.io/kb/malware-analysis/malware-types/viruses)
  * programs that create copies of themselves inside other programs and activate on some sort of trigger event
  * they usually get onto a system via file attachments, clicks on links embedded in e-mails, or the installation of pirated software
  * a *virus hoax* or *fake antivirus* tells the target that a terrible virus is running on their system and offers them an "antivirus" program to protect themselves with.
* **Ransomware**
  * Type of malicious software designed to deny access to a computer system or data until a ransom is paid
  * Typically spreads through phishing emails or visiting infected websites
  * Examples
    * WannaCry
      * Eternal Blue — exploit leaked in the Shadow Broker dump and used by WannaCry
    * Cryptobit
    * CryptoLocker
    * CryptoDefense
    * police-themed
      * Locky
      * Petya
* **Worms**
  * A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention
  * resides in active memory and duplicates itself, eating resources and wreaking havoc along the way
  * Often used in the creation of botnets
  * Examples
    * **Conficker**
      * disabled services
      * denied access to administrator shared drives
      * locked users out of directories
      * restricted access to security-related sites
    * **Ghost Eye Worm** - tool that uses random messaging on Facebook and other sites to carry out a host of malicious activity.
    * **Code Red**
      * exploited indexing software on IIS servers in 2001
      * used a buffer overflow and defaced hundreds of thousands of servers
    * **Darlloz**
      * Linux-based worm that targets devices running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)
    * **Slammer**
      * Also known as SQL Slammer, Sapphire, SQL\_HEL and Helkern
      * A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services
      * Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)
    * **Nimda**
      * File infection virus that modified and touched nearly all web content on a machine
      * Spreads through e-mail, open network shares, and websites
      * Takes advantage of backdoors left on machines infected by the Code Red Worm
    * **Bug Bear**
      * Propagates over open network shares and e-mail
      * Often sets up a backdoor for later use and has keylogging capabilities
    * **Pretty Park**
      * Spreads via e-mail
      * Takes advantage of IRC to propagate stolen passwords

## Related Notes

* Malware Analysis
* Denial of Service
