“My computer has a virus!” Almost anyone who has been involved with any kind of computing device has either said or heard this phrase. These days, we frequently hear about virus attacks. Some of these attacks impact millions of users across the globe. As security professionals, we explain that the term virus is not very accurate. The correct scientific terminology is malware. A virus is a category of malware.
What is malware? Malware is a weapon used by malicious entities to execute sinister motives. In technical terms, malware (or rather mal-ware) is malicious software—a piece of software whose intentions are malicious.
Malware has always existed, but in the early days of computing, it was hardly a concern for end users. Industry sectors like banking, finance, and government were more concerned about malware attacks compared to the rest of the industry. But the malware landscape has changed drastically over time. Previously, it all seemed to be about money, but data is now the greatest currency in every facet of our lives, and it has become the primary target of malware.
To make sure our data is protected, data protection laws are strictly enforced. Any organization that stores information about the public is held responsible for all forms of misuse and loss of data. This has ensured that no organization in the world can take cybersecurity for granted anymore.
At the same time, not only organizations, but we end users can’t take it lightly. The kind of computing devices available now, and their usability has changed massively over the last decade. Personal computers and cellphones are used to carry out bank transactions, hotel bookings, flight bookings, pay our utility bills, act as key fobs for our cars, operate the appliances at home, control IoT devices, and so on. Our personal devices hold a lot of private data, including usernames, passwords, and images. Today, no one can afford to be hacked. In the past, malware attacks directly involved a corporation or a government body. Today, malware attacks have grown to target and attack end users’ computing devices to monetize.
Malware is pretty much a part of every cyberattack carried out by attackers. Malicious threat actors release malware in millions every day. But the number of security professionals who work on malware is much smaller than the required number of security individuals who can handle this deluge of malware. Even lesser are the percentage of said security professionals who are qualified to detect and analyze them.
Malware analysis is a growing business, and security professionals need to learn more about analyzing malware. Some of the studies carried out expect the malware analysis market to grow from 3 billion in 2019 to 11 billion by 2024.1 This growth projection comes from the fact that not only is the amount of malware increasing every day, but it is becoming more complex with the advent and use of new technologies. Also, the availability of new computing platforms like the cloud and IoT, has given malware new attack surfaces that they can target and monetize. While the attack surface and complexity has increased, the defense remains largely unmanned due to a shortage of security professionals with the requisite skills to tackle malware.
The step-by-step walkthrough of a malware analysis workflow in this book ensures that its readers (malware analysts, reverse engineers, network engineers, security operations center (SoC) analysts, IT admins, network admins, or managers and chief information security officers (CISOs)) advance their malware analysis and reversing skills and improve their preparedness for any kind of malware attack. At the same time, the introduction to the internals of how antiviruses, sandboxes, IDS/IPS, and other malware detection–related tools give a fresh look at new ideas on how to use these tools and customize them to improve your analysis infrastructure.
Before you dive into learning how to analyze malware, let’s first go through the terms for various types of malware and their functionalities.
Virus is a type of malware. There are many other types of malware, like botnets, trojan horses, RATs, ransomware, and so forth.
Types of Malware
A virus is the first kind of malware that is known to self-replicate. It is also called a file infector. Viruses survive by infecting and inserting themselves into other healthy files on the system. When executed, these infected healthy programs run, execute, and display the intended functionality, but can also execute the virus in the background.
A worm is malware or a malware functionality that spreads and infects other computers, either via the network or some physical means like the USB.
A backdoor is an unauthorized entry point by which an attacker can enter the victim’s system. For example, malware can create an open network port on the system which has shell access, that can be accessed by the attacker to gain entry into the system.
A trojan is malware that masquerades as a clean software and is installed on the victim machine with the user’s full knowledge, but the user is not aware of its real malicious intentions.
Spyware or InfoStealer spies on and steals sensitive data from your system. The data targeted by spyware can be usernames, passwords, images, and documents.
A keylogger is a kind of spyware that can log the user’s keystrokes and send the recorded keystrokes back to the attacker.
A botnet is a bot network or robot network that comprises of multiple machines infected by malware. The malware that forms this bot network or botnet works together as a herd, accepting and acting on commands sent by an attacker from a central server. Botnets can carry out denial-of-service (DOS) attacks, send spam, and so forth.
Remote administration tool (RAT) is malware or a malware feature that can give the hacker full control of your system. These tools are very similar to desktop sharing software usually used by administrators to access our systems for troubleshooting purposes. The only difference being malware RATs are used by attackers to access our computers without any authorization.
Adware is a common type of malware that most of us have come across but never noticed. Adware is included with software downloads from third-party websites. While installing the downloaded software, adware is installed behind the scene without our knowledge. Do note that not all adware is malicious. But you can call these as a category of trojan but only responsible for displaying unwanted ads on your system. Many of them are known to change the default search engines for the browsers on our computers.
A rootkit is malware or a malware functionality combined with another piece of malware, whose aim is to conceal its activity or that of another malware on the system. Rootkits mostly function by modifying system functions and data structures.
Banking malware works by intercepting and modifying browser communication to capture information on banking transactions and credentials.
Point-of-sale (PoS) malware infects PoS devices, which are used by most retail, shopping outlets, and restaurants worldwide. PoS malware’s main functionality includes trying to steal credit card information from the PoS software.
Ransomware works by taking hostage of the data, files, and other system resources on the system, and demand the victim for ransom in return to release these resources. Compared to other malware types, ransomware is easy for a hacker to program. At the same time, from a remediation standpoint, ransomware is very hard to deal with since once encrypted, the data causes huge losses for the users, and requires a lot of effort to neutralize the damage and restore the system to its former state.
A cryptominer is a relatively new member of the malware family, having become popular with the increasing use of cryptocurrencies. This malware is rarely known to steal data from the victim’s machine, but they eat up system resources by mining cryptocurrencies.
A downloader is malware that downloads other malware. Botnets work as downloaders and download malware upon receiving a command from the central server. These days most of the Microsoft Office file-based macro malware are downloaders, which downloads another piece of the bigger malware payload. Emotet is a popular malware that uses a Microsoft document-based macro downloader.
Spammers send out spam emails from the victim’s machine. The spam may contain emails containing links to malicious sites. The malware may read contacts from email clients like Microsoft Outlook installed on the victim’s machine and send out emails to those contacts.
An exploit is not malware but rather malicious code that is meant to take advantage of a vulnerability on the system and exploit it to take control of the vulnerable program and thereby the system. These days most exploits are responsible for downloading other malware.
Platform Diversity
People often question which programming language is used to create malware. The answer is malware can be written and are written in almost any programming language, such as C, JavaScript, Python, Java, Visual Basic, C#, and so on. Attackers are also taking it one step further by using a technique called Living Off the Land, where they develop attacks that carry out their objectives by using natively available tools provided by the operating system.
Target Diversity
Malware authors create malware to hit certain targets. The target could be anything: the random population, a geographical area, an organization or corporation, the government, military, or an industry, such as finance or healthcare, and so on.
Malware that aims to target all individuals or machines randomly without any specific consideration is coded and tested to work on as many platforms and devices as possible. They are spread mostly through email spam containing malicious attachments or through exploits delivered by malicious or compromised websites. For example, the email IDs needed for spam emails are collected by attackers by crawling the Web and skimming through publicly available information of various victim user accounts, or via hacking some websites database and dumping their users’ information or even purchasing it from malware marketplaces.
Malware attacks are customized and known to be geographically bound, where the infection target computers using a particular spoken language, such as Ukrainian or Chinese. Or it might target computers belonging to a particular IP address range specific to the region the attacker is targeting. As an example of a geographically targeted malware, some ransomware displays ransom messages in languages within a particular geographical region.
Hacker groups also create malware to infect a particular individual, company, or organization. These targeted attacks and malware are called advanced persistent threats (APT) and are coded according to the devices, operating systems, and software used by the target. These malware and campaigns are programmed to stay in the victim machine for a long time and involve advanced stealth techniques to avoid detection. Stuxnet was an infamous malware that was part of an APT campaign against Iran that targeted industrial control systems (ICS) used at its nuclear power plant. These kinds of attacks are carried out by more sophisticated and well-funded groups, and most often, nation-states.
The Cyber Kill Chain
The Cyber Kill Chain is a model developed by Lockheed Martin to represent various phases of an APT attack carried out by an attacker external to the target organization. The kill chain describes all the steps required by attackers to achieve their goal, which may include data exfiltration or espionage. Security professionals can compromise the entire plan of attack if they can identify any of the intermediate steps and stop it.
- 1.
Reconnaissance involves observing the target and gathering information about it from various sources. The extracted information includes server details, IP addresses, the various software used in the organization, and possible vulnerabilities. This step may involve extracting personal information of employees in the organization to identify potential victims for social engineering attacks. Both active and passive methods can be used to gather information. Active methods can include direct actions like port scanning. Passive methods can include offline methods, including obtaining email IDs and other information from various sources.
- 2.
Weaponization involves devising weapons that can penetrate an organization’s infrastructure and infect its system. One of the most important weapons are exploits which are developed based on the vulnerabilities during the reconnaissance phase. The other weapons can include spam emails that can be used for delivering exploits and malware that needs to be installed into the target infrastructure after successful penetration.
- 3.
A delivery mechanism involves delivering the weapon to the victim. This step is meant to transmit the weapon into the target organization. The step may involve sending spam emails to the employees contain links to malicious web pages that contain exploits or attaching malware as well. Other social engineering methods like honey trapping may also be used for delivery.
- 4.
Exploitation involves the execution of the exploit, which leads to a compromise of the software in the target. The software may include web servers, user browsers, or other software that may be exploited by zero-day exploits or even known exploits in case the target software is not patched. Exploitation step is not always mandatory since malware can also be delivered to the system without needing to exploit the victim, by other means, including social engineering techniques like attachments in emails.
- 5.
Installation involves installing specially crafted malware in the target’s network/systems. The exploit does the malware installation if it has been successful in exploiting the target software. The installed malware was developed in such a manner that it stays hidden and undetected in the target network for a longer duration of time. This malware should have the capability to download secondary malware and exfiltrate sensitive information back to the attacker.
- 6.
Command-and-control involves the establishment of communication between the installed malware and the attacker. The malware is now ready to take commands from the attacker and act accordingly.
- 7.
Action on objectives is the last step of the kill chain, where the malware has been installed in the target infrastructure and is ready to take commands from the attacker. Malware can execute its goals for which it was created. This includes spying inside the target network, gathering sensitive data, and exfiltrating it out to the attacker, taking hostage of sensitive data and infrastructure, and so forth.
Malware Attack Life Cycle
Hacking was meant for fun when it first started. Not that it isn’t done for fun anymore, but now it is motivated financially or by other needs like espionage, often run by well-funded and organized cyberattack groups and criminals. Cyberwarfare uses malware as its main weapon. It is capable of attacking and bringing a nation to its knees.
Different phases in the malware life cycle
Development Phase
We often encounter malware that cannot be written by a single individual. Malware is no different than regular software, and this is clear from the malware development process, where the malware developers seem to take the software development life cycle approach, like development teams in any software company.
Malware is written in a modular fashion, like other software. Different modules can be assigned to different developers. Often, the same module is identified across different malware families. It is possible that the author of a module is the same, or due to its independent modular nature, a module or its code has been bought or bartered from another hacker group.
Like the regular software quality assurance (QA) process, the malware also goes through a testing phase to make sure it works and operates as expected. A lot of malware receives updates like regular software. The final finished malware is usually encrypted or packed (you learn about packing in Chapter 7), and then tested against antivirus and other malware detection products to ensure that the malware remains undetected by these anti-malware products.
Self-Defense
Technologies are invented to serve humankind, but there are always people who misuse it. We can say that the bad guys in the cyber world do this. For example, encryption algorithms are developed to protect data on our systems, as well as protect it while it is traversing the Internet across various networks and systems. Cryptography is an extremely difficult subject, and cryptographers spend years developing algorithms and making sure that they are unbreakable. While it was developed to protect our data, malware authors use the same cryptography to protect their malware from being decrypted, detected, and analyzed.
As another example, attackers reverse engineer software and develop cracks and patches for it so that the software can be used without paying for its license, which is known as software piracy. To prevent this, software developers have devised several antipiracy and anti-reverse engineering techniques. Malware authors also use these techniques to prevent malware researchers from analyzing and deobfuscating malware, making it difficult to write effective signatures to detect malware.
The Adaptive and Deceptive Nature of Malware
Computer viruses (malware) evolve like real-world viruses and germs in the human body. They adapt to new changes in the environment and develop resistance against the anti-malware defenses. A lot of malware detects, evades, and kills anti-malware detection software on the system.
Also, malware does not show its real qualities when they are tested in the presence of anti-malware products and analysis tools and environments like those used by malware analysts. When they detect the presence of such an environment, malware sometimes takes a split personality approach and start executing benignly, thereby not exposing its true malicious intentions. Upcoming chapters discuss various anti-VM, anti-reversing, and other techniques.
Mass Production of Malware
It might take quite a long time for a malware author to program a piece of malware, testing it to make sure it works across all kinds of environments. But his efforts are rendered useless if any of the antivirus vendors catch hold of that piece of malware and develop a simple signature to detect that malware file. With this signature in place, if the very same malware file is found in any other computer, the same antivirus can easily detect the malware, thereby rendering the entire mission of the attacker useless.
To defend against this, malware authors employ strength in numbers. They create a lot of malware to thrive. They use programs called polymorphic packers or cryptors that can create many malware variants from a single piece of malware. The final goal and behavior of the generated malware remain the same from a functionality point of view. But the malware file looks different in the form of actual binary content and structure, which translates to a malware sample file that generates a different hash. Millions of pieces of malware that look different structurally and content-wise but exhibit the same behavior are created using these packer programs and released into the wild to hit random targets. If antivirus engines are good, they detect some, but the rest infect the victim.
This kind of malware technology forced the antivirus industry to develop next-generation antivirus, which can identify malware by looking into the behavior rather than detect it by its static properties or hash only.
Distribution Phase: The Diverse Transport System
Exploit kits
Email spam and malicious attachments
Advertisements
USB drives
Other social engineering techniques
We take a close look at this in Chapter 6.
Infection Phase
Antivirus software. The biggest threat to most malware is an antivirus engine. If the malware is freshly created, then it is less likely that an antivirus engine is going to catch it.
Bugs. If the malware was coded incorrectly or has bugs, it might fail to infect the target successfully.
Lack of a suitable execution environment. Sometimes the malware does not find a suitable environment like the appropriate dependency files and libraries on the victim machine, which might result in failed execution or a crash. For example, malware written in Java cannot execute on a machine if Java virtual machine is not installed on it.
Post-Infection Phase
After successful infection, the malware needs to carry out the objectives of the attacker. It might try to contact its owner or the central server for upgrades or commands from the attacker, upload the victim’s information, and so forth. The actions might include stealing data, credentials, or personal information, and giving remote access to the attacker, and so on.
The Malware Business Model
Not every malware attack is motivated by money, but it sure does top the list in motivation for most of the attacks. A very good example of this is banking malware, which uses the man-in-the-browser technique to hijack our banking transactions. Similarly, point-of-sale (POS) malware steal our credit card information. Likewise, ransomware takes hostage of our data to extort money.
For the malware author or reseller, malware-as-a-service (MaaS) is a flourishing business in the underground malware community. You do not need to be a hacker or a computer nerd to use the service. The only thing you need to have is money and a profile to convince the malware seller that you are not a part of a law enforcement agency masquerading as a genuine customer. Malware building kits can be a part of the package to create customized malware for specific attacks. Various other services are also offered, including support infrastructures like command-and-control servers, exploit kits needed to carry out the infection, spam, and malware advertising services to deliver the exploit and malware. The customer can also rent botnets to carry out DDOS attacks or send spam.
Also, malware authors and hacker groups are very careful while receiving money for their malware or attacks. They must make sure that they can get away with the money without being tracked by security agencies. Most ransomware demands that payment is made over the anonymous Tor network by using bitcoins, monero, or other anonymous cryptocurrencies. Usually, the bank account of the attackers is in third world countries, which are safe from the reach of international law enforcement agencies.
The War Against Malware
The story so far was about malware, the dark elements of the cyber world. But the anti-malware cybersecurity industry aims to combat cyber and malware attacks. The fight against malware is challenging and requires a lot of dedication. Though there has been consistent development of new kinds of anti-malware software, the cybersecurity workforce is limited in number relative to the ever-increasing deluge of malware.
At the same time, malware research is no longer a small subject. We spoke about the diversity of malware, where attackers spread their technical outreach to include new programming languages, OS tools, and other new components to make their malware hard to analyze and break. Also, the huge proliferation of platforms and devices with the advent of the Internet of Things (IoT) and mobile devices, means the surface area has increased for malware attackers, increasing the workload for already overloaded malware analysts and other anti-malware teams.
Let’s look at the various kinds of teams that fight malware every day.
The Combat Teams
The number of people working against malware is small but works in well organized and structured setups. The anti-malware teams can work both in proactive and reactive modes. Proactive teams are always vigilant and look out for new malware trends and prepare for it. Reactive teams come into action if they come across a malware incident occurring in their organization.
Today, most organizations—whether it is an anti-malware company or a financial organization—have teams that deal with malware. But the nature of work can vary from organization to organization. Most companies have an incident response and forensic team to deal with a security incident. They may also have a few malware analysts who are needed to confirm if suspicious activity is generated by malware or a file sample is malware or not. There are also malware hunting teams and detection engineering teams that carry out other roles. Let’s briefly look at these various types of teams present and their roles.
The Malware Hunters
Malware hunters watch out for malware trends proactively. Their job is to hunt for new malware infections in the wild and collect other information related to them so that the organization stays a step ahead in preventing infection if possible and, in the worst case, be ready for an infection breakout. Let’s talk about some of the malware hunting techniques employed.
Blogs, Feeds, and Other Shared Sources
The cybersecurity industry is comprised of many anti-malware teams and SoC teams, whose members actively try to keep the world abreast of the latest trends in malware activity. These teams constantly blog via social media about new threat findings in their customer premises, post–malware analysis reports, and other techniques employed by attackers. Keeping tabs on resources posted by these anti-malware teams from various companies around the world is a great way to be informed on the latest in malware trends.
At the same time, various alliances and groups are created by researchers across organizations, either publicly or via private mailing lists. Being part of such alliances and lists is a fast way to exchange information with fellow peers, especially during live cyber attacks, where the immediate information concerning the attack might be more private to these internal lists, than being publicly available.
Honeypots
As a proactive method, malware hunters use honeypots to trap malware. Honeypots are systems/resources intentionally made vulnerable and easily accessible to attract malware and other attackers looking to infect the system/resource. Using honeypots set up around the world across various geographical zones, and having the honeypot mimic and masquerade as other kinds of devices, you can attract and keep tabs on various new attack groups and malware.
Web Crawlers
Web Crawlers are another proactive method widely employed by more anti-malware teams to detect new infections available in the wild. Attackers often use vulnerable servers on the Web to act as an intermediate jump point or to even host their exploits and malware. Web crawlers work by simulating an end user visiting a website, crawling the web intelligently, searching for these infected web servers, and fooling them to respond with their exploits and malware hosted on them.
Going Dark and Underground
The malware marketplace hosts all kinds of nefarious activities, including sales of exploits, malware, stolen data, and so on. It is usually accessible by invite-only forums in the deep and dark web, which is accessible via an anonymous network like Tor.
Sometimes malware hunters also need to penetrate the underground market, forging their identity and masquerading as malicious hackers to track down other malicious actors, trace any upcoming threats, and other malicious activities. Sometimes they might need to share certain information with other bad actors in these marketplaces, to gain their trust and extract more information out of them.
Incident Responders and Forensic Analysts
Incident responders (part of the Security Operations Center or SoC) and forensics team come into action after a security incident or an infection in an organization. These teams spring into action to take immediate steps to contain the spread of infection. They usually segregate the infected devices from the network, to prevent the spread of infection and also to further investigate the root source and artifacts involved in the infection.
This is where the forensic analysts step in. From the quarantined infected computer provided by the incident responders, a forensic analyst finds out the root source of the infection. They need to hunt for the malware on the infected computer. They also look for other artifacts, including how the malware and the infection made its way to the computer. They search for other sources of information, including the threat actor involved in the attack and their objectives. The malware extracted by the investigation is then handed over to the malware analyst for further dissection. Sometimes the retrieved malware is shared with other antivirus and detection vendors so that they can write detection signatures for it.
Malware Analysis Teams
Malware needs to be dissected, which is where the malware analysis team steps in. All malware makes its way to a malware analyst, who analyzes and reverses the malware to obtain information on the functionality of the malware, information on the attacker, and other artifacts and Indicators of Compromise (IoC) . This helps teams contain the infection and take proactive steps to write signatures that detect future malware infections.
Detection Teams
An enterprise needs to protect itself, and it does so by having multilayered detection solutions in place. But these detection solutions require constant feedback in the form of new detection signatures from their SoC and IT teams, to keep pace with new infections. Also, anti-malware companies need to constantly upgrade their detection solutions to make sure they catch any new kinds of infections and malware, which they previously failed to catch at their customer’s premises.
The detection team’s job is to consume the infection and malware dissection information from the teams and constantly upgrade the signatures and improve the detection products themselves, to make sure they catch as many infections as possible in the future.
Anti-malware Products
Any organizational infrastructure that means to secure itself uses a multilayered security approach that uses various types of detection solutions. We take an in-depth look at each of these detection solutions in Part 6. Let’s now briefly look at some of the detection solutions and how they fit into the security infrastructure.
Antivirus
Antiviruses are the first known anti-malware products. An antivirus is an application installed on a computer device. It looks for certain patterns in files to identify malware. These patterns are called static signatures , which were created based on seeing malware that carried the same signature but also made sure that other clean files didn’t carry the same signature.
But with time, malware attackers started using technologies like polymorphic packers, in which millions of variants of the same malware were produced in a single shot. It became more challenging to write a static signature to detect these millions of malware files and even harder to detect this malware statically.
The industry needed solutions that could detect malware by its behavior. Today, most antiviruses have adapted to detecting malware based on behavior. And, although they were previously only available for desktop computers and servers, they are now also available for mobile devices.
Firewalls, IDS/IPS, and Network Security Products
While antiviruses look for infections on the host, malware can also communicate over the network with a command-and-control (a.k.a. C2, CnC, or C&C) server, receive commands from the attacker, upload the victim’s data, scan for other devices on the network to spread the infection and so on. There are network-based security products made to stop malware on a network, including firewalls, intrusion detection, and prevention systems, network access controls (NACs) . These network-based securities watch out for exploits, any command-and-control traffic from the attacker, malicious information uploads, and any other kinds of traffic originating from malware. Traditionally, these network security devices worked based on static signatures, but the new generation of products have adapted to use network behavior-based anomalies to identify malware traffic and infections.
Sandbox
Sandbox is a relatively new product in security infrastructure. A sandbox is a controlled, closed execution environment that executes malware and other malicious code to observe its behavior and identify the infection.
Terminologies
In this section, let’s explore some common terminologies usually encountered in the field of cybersecurity. Knowing these terminologies helps us read through malware and threat analysis reports made available by our peers in the industry.
Advanced Persistent Threat (APT) attacks, also known as targeted attacks, are carried out on a particular country, organization, or high-profile individual. The attack is carried out over time, during which the target is monitored continuously. This kind of attack is usually carried out for espionage purposes and also against business rivals.
Vulnerability is a bug in software that compromises and takes control of it and the system on which it is running.
Exploits are small pieces of programs that are meant to compromise a vulnerability in the software and take control of the system.
Shellcodes are small pieces of code that are used inside exploits to carry out small tasks, which allows the attacker to take control of the system.
An exploit kit is a package of exploits hosted usually on a web server, mostly consisting of browser and browser plugin related exploits.
Malvertising is a mechanism of distributing malware to victims by using advertisements and advertising networks, having it carry ads and links to malicious websites and data.
Spam is unsolicited or irrelevant emails that are sent by cyberattackers to the victims, containing malware and other malicious links to malicious sites to collect victim information and to distribute malware.
A fileless attack is an attack mechanism that does not require the creation of a malware file on the victim machine, but instead transfers and runs the malicious payloads all in memory.
Living off the land is an attack technique in which the attacker doesn’t use any malicious file-based payload but instead uses pre-installed software on the victim machine to carry out his nefarious activities.
Drive-by-download is an unintentional and automated download of malware to a victim system. Exploit kits and malvertising are techniques used by attackers to implement drive-by-download attacks.
An antivirus is an anti-malware software installed on systems that aim to detect malware infections on the system.
Endpoint Detection and Response (EDR) is considered a next-generation antivirus that can detect malware not only based on traditional signatures but also by using other techniques, including the behavior of the malware.
An intrusion detection system (IDS) and intrusion prevention system (IPS) are network security products to identify and stop the transfer of malicious traffic over a network.
Sandboxes are automated and isolated malware analysis solutions that execute malware in a controlled manner and logs and observes its behavior for maliciousness.
Data Loss and Prevention (DLP) is software that is meant to prevent the leak of sensitive data from an organization either unintentionally or intentionally both by employees and by malware infections on the system.
Memory forensics is a forensic analysis technique that works by identifying artifacts in the virtual memory of the system. The technique analyzes malware infections on the system and identifies its various artifacts.
The Cyber Kill Chain is a general organization of steps involved during a cyberattack, from reconnaissance to infection to infiltration of a victim system.
Incident response (IR) is the process of responding to cyberattack incidents, quarantining infected systems, and containing the infection from spreading to other systems.
Forensics is the process of investigating a cyberattack, which involves identification and inspection of infected systems for artifacts left by attackers and tools used in the attack.
Threat hunting is the process of proactively looking out for threats in a network. Threat hunting involves looking into logs of security products and systems to find out possibilities of compromise of any systems on a network.
Tactics, Techniques, and Procedures (TTP) is a description of techniques and steps carried out by attacker groups to carry out a cyberattack. The identification of TTP is useful to link attackers with APT attacks.
Artifacts are traces left by attackers or malware on the victim machine during a cyber attack.
An indicator of compromise (IOC) is an artifact left on a system that shows that the system has been compromised.
An indicator of Attack (IOA) identifies the intent of the attacker regardless of the tools/malware used to carry out the attack.
Payload is the core component of the malware that implements the malicious functionality of the malware.
Persistence is a mechanism used by malware to survive reboots or re-logins.
Code injection is a technique used by malware to place malicious code into another legitimate running target process and then executing it from within the target process.
Hooking is a technique used by malware to alter the original functionality of the target process or the kernel by intercepting library and system API calls made and modifying the functionality of these intercepted API calls.
Packer/cryptors are programs used by malware authors to enclose malicious malware payloads inside another layer of code to hide the actual functionality of the malware. Packers compress and obfuscate the true payload of a malware sample.
A rootkit is a malware component that hides artifacts by altering the operating system at the code level using API hooks or by tampering operating system data structures.
Lateral movement is a mechanism by which malware can propagate from one machine to another within a network, searching for other systems/resources to infect.
Command-and-control (C2CnCC&C) is a system that is used as a command center by attackers to control and communicate with their malware.
The Onion Router (Tor) is both a networking protocol and also a tool mostly used by attackers to maintain anonymous communication while carrying out attacks.
Domain generation algorithms (DGA) is an algorithm used by malware to generate a large number of random domain names to communicate with their CnC servers. Some of these generated domain names may be registered as CnC servers for a short duration of time. DGA is used by attackers to prevent IDS/IPS signatures from detecting and blocking CnC communication. It also provides resilience against CnC domain-name takedowns.
Privilege escalation is a technique used by malware and exploits to elevate privilege to access certain system resources that are otherwise inaccessible with non-admin privileges.
Exfiltration is a mechanism by which the malware or adversaries steal sensitive data from the victim machine and export it out of the victim system to its attacker.
Summary
This chapter gives a general overview of malware, the various types of malware, and their components. You learned the different phases in a malware infection cycle. Lastly, you learned about the various teams and detection solutions available from the anti-malware industry to curb and contain malware.