"Malware are the cyber weapons of the information age"
--Samir Datt
Our information age lives are driven by technology. Day in, day out, we live with technology from morning to evening. Technology drives our lives, governs our behavior, manages our finances, enables our work, facilitates our communications, and even enhances our relationships. Hence, it should not come as a surprise that technology also drives the crimes of today. A whole new industry has come up around technology-driven crimes. Organized criminals have taken to cyber crime in a big way. Even countries and states have gone in for cyber warfare. Where there is crime and war, weapons cannot be far behind. Weaponization of the Internet is a multibillion-dollar industry and malware, as we know it, is the weapon of choice.
In this chapter, we will work towards understanding malware, its different types, the various indicators of compromise, and the forensic methods of investigating malware.
We will divide our study into the following topics:
The word "mal" has its origin in Latin and means "bad" in English. "Ware", on the other hand, carries the meaning of "products". Hence, when we put these two together, we get the sense of having bad products or goods made with a bad intent.
As per NIST publication SP 800-83, malware, also known as malicious code or malicious software, is meant to signify a program that is inserted (usually covertly) into a system with the intent of compromising or disrupting the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Over the past few years, malware has emerged as an all-encompassing term that includes all sorts of malicious programs, including viruses, worms, Trojans, rootkits, and so on.
Today, malware is considered the most significant external threat to computers and networks. Malware causes considerable losses to organizations in terms of the widespread damage caused, the disruption of functioning, and the huge recovery efforts required to get back to normal. Spyware is a significant subcategory of malware, which focuses on breaching user privacy. Spyware is used to monitor user activity (both online and offline); gather personal information, especially that related to online financial actions; and then send it to criminals for subsequent misuse.
In the previous chapters, we looked at a number of tools used for network forensics. Just as we, the digital 007s of the network world, have our tools of the trade, criminals and bad guys also have their own set of tools that they use to further their own nefarious purposes. These tools are known as malware. Though malware comes in a wide variety, cyber criminals wish to install malware on victims' digital devices to achieve at least one of the following objectives:
The menace of malware is growing by leaps and bounds. In fact, a recent news item from SC Magazine UK (http://www.scmagazineuk.com/research-shows-12-new-malware-strains-discovered-every-minute/article/448978/) mentions that 12 new malware strains are discovered every minute.
Making malware is no longer left in the realm of kids who do it for kicks. Malware manufacture, sale, and distribution is now a serious organized crime with really large amounts of money riding on it. Recent reports of the money extracted for decrypting files that were encrypted by Bitcoin ransomware such as CryptoWall and CryptoLocker show victims reporting losses as high as $18 million over a 14-month period (http://www.coindesk.com/fbi-malware-victims-should-pay-bitcoin-ransoms/).
Just like a professionally manufactured product in any manufacturing facility, malware today is also manufactured, or written, to exacting specifications. This is done by talented programmers who write exploits to leverage vulnerabilities in existing software and hardware in use by the targets or planned victims. Malware is actually a part of a long chain of activities and helps in enabling the objectives of the attackers or cyber criminals.
The usual stages in this exercise are as follows:
A lot of these stages tend to telescope into each other. Malware authors have now moved on to bundling malware exploit kits that carry a number of different malware variants, each targeted at a different environment, which, when bundled together, increase the possibility of identifying, compromising, and penetrating targets.