Malware: To the Realm of Malicious Code (Training)
#Whoami?
Satria Ady Pradana (#xathrya)
Indonesian Cyber Security Consultant at Mitra Integrasi Informatika (MII)
• Red Team
• Security Risk Assessment
• Incident Response
• Threat Intelligence
• Education
Researcher and Developer at dracOs (Linux Distro)
Coordinator of Reversing.ID
Member of Indonesia Honeynet Project
fb.me/xathrya.sabertooth
Today’s Agenda
• Learn malware classes, characteristics, and potential threats.
• Learn how malware works:
  o attacking and infecting
  o common propagation techniques
  o common concealment and self-defense techniques
• Learn how antivirus works.
• Learn common protections against malware attacks.
• Profit??
Our Activity
Introduction
• The malware threat is (really) increasing, becoming more advanced and more contagious.
• Malware is a new weapon used by many actors, for example:
  o Governments
  o Spies
  o Hacktivists
  o Criminals
• What motivates them?
• Malware is interesting, both for creators and analysts.
• Ever wonder how malware works?
Statistic: New Malware in Last 5 Years (chart; source: AV-TEST GmbH, www.av-test.org)
Why Crafting A Malware?
• To win the battle we must know what the enemy’s capabilities are.
• Learn the enemy’s tactics to build our own tactics for combating them.
• For education. For fun and profit!
Disclaimer: Do at your own risk!
• Article 33 of UU ITE (Indonesian Electronic Information and Transactions Law) of 2008:
“Any person who intentionally and without right or unlawfully performs any act that results in the disruption of an electronic system and/or causes an electronic system to not function as it should.”
• Article 49 of UU ITE of 2008:
“Any person who fulfils the elements referred to in Article 33 shall be punished with imprisonment for a maximum of 10 (ten) years and/or a fine of a maximum of Rp 10.000.000.000,00 (ten billion rupiah).”
Lab Activity: Setup
• You are provided with a VM for developing simple malware.
• Make sure everything is working.
The Virus Outbreak
What? How? Why?
Malware? What’s That?
• MALicious softWARE
• Software built for hostile or intrusive purposes, infiltrating other systems and possibly damaging them without user consent.
Malware Roles
• Mostly used by cybercriminals for financial gain.
  o Stealing resources: money, bank accounts, credit cards, cryptocurrency.
• Used by governments and agencies for “protecting” national security.
  o Surveillance of citizens.
  o Sabotage of other countries.
• Used by some corporations to protect their own interests.
  o Copy protection / digital rights management.
  o Espionage against competitors.
• etc.
Malware Classes
• Viruses
• Worms
• Trojans
• Rootkits
• Adware
• Spyware
• Ransomware
However, current malware is usually a combination of traits from several classes.
Viruses
Malicious software that can infect files, software, and data carriers.
• Replicates by embedding itself or inserting its code into another object (infection).
• The host (carrier) is modified.
• Hosts can be programs, boot sectors, etc.
Worms
Spread independently, reproducing and spreading as quickly as possible.
• Stand-alone, no host needed.
• Use networks and removable media as propagation vectors.
Trojans
Mislead users about their true intent by posing as useful programs, in order to carry out additional malicious functions unnoticed.
• Work in the background.
• Connected to and controlled by malicious actors.
Timeline
• In the early days, malware typically vandalized PCs and destroyed files for fun.
• It began with the theory of self-reproducing automata in 1949. Since then, scientists have created self-reproducing software as a game (a wargame, conquering the other faction).
• The term “computer virus” was (formally) coined in 1983, although some science fiction had used it before.
• The Brain boot sector virus appeared in 1986, with more to come.
• The AIDS Trojan, the first ransomware, appeared in 1989.
• The Morris worm appeared in 1988 and spread extensively in the wild.
Timeline (cont’d)
• The first polymorphic virus, Chameleon, was developed in 1990.
• Concept, the first macro virus, appeared and attacked Microsoft Word documents.
• Malware began incorporating zero-day exploits. In 2003 the SQL Slammer worm attacked Microsoft SQL Server and MSDE and is regarded as the fastest-spreading worm.
• Malware began being used as a cyber weapon. The Stuxnet worm, first identified in 2010 but thought to have been in development since at least 2005, targeted industrial computer systems, especially Iran’s nuclear program.
How Can You Get Infected?
• Spam or phishing emails containing attached files.
• Infected removable drives.
• Bundled with other software.
• Visiting compromised or infected websites.
• Old and unpatched systems.
• Downloading software, especially pirated software, from untrusted sources.
General Symptoms of Infection
In short, any anomaly that happens on your systems:
• Programs start to load more slowly.
• The system becomes less responsive.
• Unusual files appear on the hard drive, or files disappear from the system.
• Browsers, word processors, or other software exhibit unusual operating characteristics.
• Unusual network traffic.
• Unexpected error messages during startup.
Potential Damage
• Corrupting data files (including encrypting them).
• Destroying or removing files.
• Stealing sensitive information.
• Taking control of the system.
• Using the system as a stepping stone for further exploitation.
Outbreak Case: WannaCry
• Ransomware.
• Exploited a vulnerability in SMBv1, known as EternalBlue, or MS17-010 in the Microsoft Security Bulletin. Also spread via e-mail.
• More than 400,000 machines infected.
• Fast-rate infection. Why?
  o Timing and speed: 1-2 months after public disclosure of the exploit.
  o Coverage: SMBv1 was very widely used, on both workstations and servers.
• The first version had a kill-switch (it goes into a dormant state when a certain condition is met).
Outbreak Case: (Not)Petya
• A wiper, believed to be a cyber weapon, pretending to be ransomware.
• Also used EternalBlue.
• Seeded through the update mechanism built into M.E.Doc (an accounting program) used in the Ukrainian government.
Malware Internals
Spread, Infect, Survive, Profit !
Malware Components
• Propagation
• Payload
• Self-Defense (Survival)
Propagation
• Spreading itself.
• Infecting other systems.
• The possibilities:
  o Embed into another object.
  o Just copy itself.
  o Force a download.
Payload
• Any code designed to do something other than spreading and self-defense is referred to as the payload.
• Yes, anything from a prank to stealing information.
• Some payload capabilities that deserve attention:
  o Persistence
  o Communication
Example Payloads
Not an exhaustive list:
• Logging keystrokes.
• Encrypting files or partitions.
• Cloning itself to the startup directory.
• Modifying registry values.
• Removing files.
• Updating itself to a new version.
• Stealing cookies from browsers.
Self-Defense
• The malware’s continued existence is essential; it needs to survive as long as possible.
• Being detected quickly means less gained from the campaign.
• Malware is an investment.
• Generally, two categories:
  o Concealment: making the malware’s actions go unnoticed.
  o Anti-analysis: making malware analysis difficult.
Supporting Actors
• C&C server
• Relay server
Lab Activity: Malware Crafting
Anti-Virus Internals
Not so deep
Anti Virus?
• Myth busting: viruses are not the only malware that AV combats.
• Protects against malware in general, scanning for viruses, worms, and Trojan horses.
How Does Anti Virus Detect Malware?
It uses various strategies to reveal malware:
• Signatures
• Heuristics
• Sandbox
Signature?
• The first known approach to detecting viruses.
• Some viruses have special markers.
• Compares files against the marks of known viruses in a database.
• A unique byte array is usually used to mark whether a target has been infected or not.
• Mutexes (a fixed mutex name the malware creates can serve as the same kind of marker).
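To make the signature idea concrete, here is an added example (not code from the deck) of a minimal byte-array signature scanner with wildcard bytes, plus the mutex-name variant of the same check. The signature database, the marker bytes and the mutex names are constructed for illustration and are not real malware indicators.

```python
from typing import Dict, List, Optional

# Constructed signature database: name -> hex byte pattern, "??" = any byte.
# These are demo patterns, not signatures of real malware.
SIGNATURES: Dict[str, str] = {
    "Demo.Marker.A": "4D 5A 90 00 03 00 ?? ?? 04 00",   # header-like sequence
    "Demo.InfectedFlag": "44 45 4D 4F 2D 49 4E 46",     # the ASCII marker "DEMO-INF"
}

# Constructed list of mutex names a known sample is assumed to create so that a
# second copy knows the host is already infected (hypothetical names).
KNOWN_MARKER_MUTEXES = {"Global\\DemoInfectedMutex", "Local\\DemoWormLock"}


def parse_pattern(hex_pattern: str) -> List[Optional[int]]:
    """'4D 5A ?? 00' -> [0x4D, 0x5A, None, 0x00]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_pattern(data: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset at which `pattern` (with wildcards) occurs in `data`."""
    n = len(pattern)
    hits = []
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(pattern)):
            hits.append(i)
    return hits


def scan_bytes(data: bytes, signatures: Dict[str, str] = SIGNATURES) -> List[dict]:
    """Match every signature against the buffer; one hit per occurrence."""
    hits = []
    for name, hex_pattern in signatures.items():
        for offset in find_pattern(data, parse_pattern(hex_pattern)):
            hits.append({"name": name, "offset": offset})
    return hits


def check_mutexes(observed: List[str]) -> List[str]:
    """Mutex-name variant: report observed mutexes that are known infection markers."""
    return sorted(m for m in observed if m in KNOWN_MARKER_MUTEXES)


if __name__ == "__main__":
    # Constructed sample buffer containing both demo markers.
    sample = b"\x4d\x5a\x90\x00\x03\x00\xaa\xbb\x04\x00" + b"junk" + b"DEMO-INF" + b"tail"
    print(scan_bytes(sample))
    print(check_mutexes(["Global\\DemoInfectedMutex", "Session\\Unrelated"]))
```

A real engine differs in scale (millions of signatures, hashed prefix tables, unpacking before matching), but the core comparison is this byte-array match.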
Heuristics
• Detect malware by learning its traits.
• Detect unknown (no-signature) viruses and their variants.
• Expert-based analysis that determines the susceptibility of a system to a particular threat.
• The decision is based on various decision rules or weighting methods.
Sandbox
• An isolated environment for running malware safely.
• “Simulates” the malware and collects/records its behavior, such as:
  o Connection attempts.
  o File access.
  o API calls.
  o Host modification.
• Classifies the sample as malware or not based on the known behavior.
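The heuristic slide (weighted decision rules) and the sandbox slide (recorded connections, file access, API calls, host modification) fit together: the rules are scored over what the sandbox recorded. The following is an added example, not code from the deck; the report structure, the rule weights and the threshold are assumptions chosen to illustrate the method, and the two reports are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class BehaviorReport:
    """Constructed summary of what a sandbox recorded for one sample."""
    api_calls: List[str] = field(default_factory=list)
    files_written: List[str] = field(default_factory=list)
    registry_writes: List[str] = field(default_factory=list)
    connections: List[str] = field(default_factory=list)   # "host:port"


# Weighted decision rules: (name, weight, predicate). Weights are hypothetical.
# Each rule mirrors a behaviour the deck lists (startup copy, registry change,
# keystroke logging, bulk encryption, SMB propagation).
RULES: List[Tuple[str, int, Callable[[BehaviorReport], bool]]] = [
    ("writes into a Startup folder", 30,
     lambda r: any("\\startup\\" in p.lower() for p in r.files_written)),
    ("modifies a CurrentVersion\\Run key", 30,
     lambda r: any("\\currentversion\\run" in k.lower() for k in r.registry_writes)),
    ("installs a keyboard hook", 25,
     lambda r: "SetWindowsHookExW" in r.api_calls),
    ("bulk encryption of many files", 25,
     lambda r: "CryptEncrypt" in r.api_calls and len(r.files_written) >= 50),
    ("outbound connections to TCP/445", 20,
     lambda r: any(c.endswith(":445") for c in r.connections)),
    ("contacts many distinct hosts", 20,
     lambda r: len({c.rsplit(":", 1)[0] for c in r.connections}) >= 10),
]
THRESHOLD = 50   # assumed verdict cut-off


def score_report(report: BehaviorReport) -> Dict:
    """Apply every rule, sum the weights of those that fire, and give a verdict."""
    matched = [(name, w) for name, w, pred in RULES if pred(report)]
    total = sum(w for _, w in matched)
    return {"score": total,
            "matched": [name for name, _ in matched],
            "verdict": "malicious" if total >= THRESHOLD else "benign"}


def demo_reports() -> Dict[str, BehaviorReport]:
    """Two constructed reports: an updater-like benign sample and a worm-like one."""
    benign = BehaviorReport(
        api_calls=["CreateFileW", "WriteFile", "InternetOpenW"],
        files_written=["C:\\Users\\demo\\AppData\\Local\\App\\update.log"],
        connections=["updates.example.test:443"])
    wormlike = BehaviorReport(
        api_calls=["CreateFileW", "WriteFile", "RegSetValueExW", "WSAConnect"],
        files_written=["C:\\Users\\demo\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\svc.exe"],
        registry_writes=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
        connections=[f"10.0.0.{i}:445" for i in range(20, 32)])
    return {"benign": benign, "wormlike": wormlike}
```

Real engines tune the weights from large labelled corpora rather than by hand, which is why heuristic detection trades false positives against coverage of unknown variants.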
Defense Against Malware
Protect, avoid, and mitigate malware outbreak
Technical Aspects
This software must be installed on your computers:
• Anti Virus
• Firewall
• Ad Blocker
Technical Aspects (cont’d)
These nodes should exist in your network:
Technical Aspects (cont’d)
• Implement patch management.
• Regularly update systems, especially for known vulnerabilities.
Personal Aspects
All about awareness, yours and other people’s:
• Have a healthy skepticism toward anything that will enter your PC, especially from untrusted sources:
  o Email attachments
  o Removable drives
• Look carefully at the link / URL in the address bar or in an email. If anything is suspicious, leave it.
• Download software from trusted sources only.
• Ignore urgent installation prompts on the web.
• If possible, do not log on to the system with administrator rights for normal work.
• Update regularly.
Back Up
Last but not least, perform backups regularly.
Distinguish between a complete system backup and backup of working files.
Specific Case: Ransomware
• How exploit leaks can lead to a global epidemic.
• The rise of malware such as WannaCry and (Not)Petya.
Conclusion
• Malware is just a program, with a special purpose.
• Malware is composed of code for propagation, payload, and self-defense.