Malware comes in many forms and poses increasing threats. The document discusses the basics of how malware works, including propagation techniques to spread, payloads to damage systems, and self-defense mechanisms. It also covers common malware classes like viruses, worms and Trojans. Examples are given of real malware outbreaks like WannaCry and Petya to show how quickly they can spread. Defense strategies include using antivirus software, keeping systems updated, and maintaining backups.
2. #Whoami?
Satria Ady Pradana #xathrya
Indonesian Cyber Security Consultant at Mitra Integrasi Informatika (MII)
Red Team
Security Risk Assessment
Incident Response
Threat Intelligence
Education
Researcher and Developer at dracOs (Linux Distro)
Coordinator of Reversing.ID
Member of Indonesia Honeynet Project
fb.me/xathrya.sabertooth
3. Today’s Agenda
Learn malware classes, characteristics, and potential threats.
Learn how malware works:
attacking and infecting
common propagation techniques
common concealment and self-defense techniques
Learn how antivirus works.
Learn common protections from malware attacks.
Profit??
5. Introduction
o Malware threats are (really) increasing, becoming more advanced and more contagious.
o Malware is a new weapon used by many kinds of actors, for example:
o Governments
o Spies
o Hacktivists
o Criminals
o What motivates them?
o Malware is interesting, both for its creators and for analysts.
o Ever wondered how malware works?
7. Why Crafting A Malware?
To win the battle we must know what the enemy’s capabilities are.
Learn the enemy’s tactics to build our own tactics for combating them.
For education. For fun and profit!
8. Disclaimer: Do at your own risk!
• Article 33 of UU ITE 2008 (the Indonesian Law on Electronic Information and Transactions)
“Any person who intentionally and without right or unlawfully performs any act that results in the disruption of an electronic system and/or causes an electronic system to no longer work as it should.”
• Article 49 of UU ITE 2008
“Any person who meets the elements referred to in Article 33 shall be punished with imprisonment of up to 10 (ten) years and/or a fine of up to Rp 10,000,000,000.00 (ten billion rupiah).”
9. Lab Activity: Setup
You are provided with a VM for developing simple malware.
Make sure everything is working.
11. Malware? What’s That?
MALicious softWARE
Software built for a hostile or intrusive purpose, infiltrating other systems and possibly damaging them without user consent.
12. Malware Roles
Mostly used by cybercriminals for financial gain.
Stealing resources: money, bank accounts, credit cards, cryptocurrency.
Used by governments and agencies for “protecting” national security.
As surveillance of citizens.
Sabotaging other countries.
Used by some corporations to protect their own interests.
Copy protection / digital rights management.
As espionage against competitors.
etc.
13. Malware Classes
Viruses
Worms
Trojans
Rootkit
Adware
Spyware
Ransomware
However, current malware usually combines traits from several classes.
14. Viruses
Malicious software which can infect files, software, and data carriers.
Replicates by embedding itself or inserting its code into others (infecting them).
The host (carrier) is modified.
Hosts can be: programs, boot sectors, etc.
15. Worms
Spread independently, reproducing and spreading as quickly as possible.
Stand-alone; no need for a host.
Use networks and removable media as propagation vectors.
16. Trojans
Mislead users about their true intent by posing as a useful program, in order to carry out additional malicious functions unnoticed.
Work in the background.
Connected to and controlled by malicious actors.
17. Timeline
In the early days, malware typically vandalized PCs and destroyed files for fun.
It began with a theory of self-reproducing automata in 1949. Since then, scientists have been creating self-reproducing software as a game, a wargame in which each faction tries to conquer the other.
The term computer virus was (formally) coined in 1983, although some science fiction had used it before.
The Brain boot sector virus appeared in 1986, with more to come.
The AIDS Trojan, the first ransomware, appeared in 1989.
The Morris worm appeared in 1988 and spread extensively in the wild.
18. Timeline (cont’d)
The first polymorphic virus, Chameleon, was developed in 1990.
Concept, the first macro virus, appeared, attacking Microsoft Word documents.
Malware began incorporating zero-day exploits. In 2003 the SQL Slammer worm attacked Microsoft SQL Server and MSDE and is regarded as the fastest-spreading worm.
Malware began being used as a cyber weapon. The Stuxnet worm, first identified in 2010 but thought to have been in development since at least 2005, targeted industrial computer systems, especially those of Iran’s nuclear program.
19. How Can You Get Infected?
Spam or phishing emails containing attached files.
Infected removable drives.
Bundled with other software.
Visiting compromised or infected websites.
Old and unpatched systems.
Downloading software, especially pirated software, from untrusted sources.
20. General Symptoms of Infections
In short, any anomaly on your systems:
Programs start to load more slowly.
The system becomes less responsive.
Unusual files appear on the hard drive, or files disappear from the system.
Browsers, word processing applications, or other software exhibit unusual operating characteristics.
Unusual network traffic.
Unexpected error messages during startup.
21. Potential Damage
Corrupting data files (including encrypting them).
Destroying or removing files.
Stealing sensitive information.
Taking control of the system.
Using it as a stepping stone for further exploitation.
22. Outbreak Case: WannaCry
Ransomware.
Exploits a vulnerability in SMBv1 (MS17-010 in the Microsoft Security Bulletin) using the exploit known as EternalBlue.
Also spread via e-mail.
More than 400,000 machines infected.
Fast-rate infection. Why?
Timing and speed: 1-2 months after public disclosure of the exploit.
Coverage: SMBv1 was very widely used, on both workstations and servers.
The first version had a kill-switch (it goes into a dormant state when a certain condition is met).
23. Outbreak Case: (Not) Petya
A wiper. Believed to be a cyber weapon. Pretended to be ransomware.
Also used EternalBlue.
Seeded through the update mechanism built into M.E.Doc, an accounting program used by the Ukrainian government.
26. Propagation
Spreading itself.
Infecting other systems.
The possibilities:
Embed into others.
Just copy itself.
Force a download.
27. Payload
Any code designed to do something other than spreading and self-defense is referred to as the payload.
Yes, anything from a prank to stealing information.
Some payload traits that need to be of concern:
Persistence
Communication
28. Example Payload
Not an exhaustive list:
Logging keystrokes.
Encrypting files or partitions.
Cloning itself to the startup directory.
Modifying registry values.
Removing files.
Updating itself to a new version.
Stealing cookies from browsers.
29. Self-Defense
The malware’s continued existence is essential; it needs to survive as long as possible.
Being detected quickly means less gained from the campaign.
Malware is an investment.
Generally, two categories:
Concealment, making the malware’s actions go unnoticed.
Anti-analysis, making malware analysis difficult.
33. Anti Virus?
Myth busting: viruses are not the only malware that AV combats.
Protects from malware, scanning for viruses, worms, and Trojan horses.
34. How Anti Virus Detect Malware?
Uses various strategies to reveal malware.
Signatures
Heuristic
Sandbox
35. Signature?
The first known approach to detecting viruses.
Some viruses have special markers.
Compare files against the marks of known viruses in a database.
A unique byte array is usually used to mark whether a target has been infected or not.
Mutexes.
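As an added illustration of the signature approach on this slide (example code, not from the original slides or from any AV product): a small scanner that matches hex byte patterns with one-byte wildcards against a file's contents, plus the fixed-offset infection-marker check the slide mentions. The signature database, the marker value and offset, and the two sample files are constructed for the demo and correspond to no real malware.

```python
"""Byte-signature scanning as AV engines of the signature era did it.

Added example, not from the original slides. Signatures, marker and the
sample files below are constructed for illustration only.
"""
import re

# Constructed signature database: name -> hex pattern. "??" is a one-byte
# wildcard, the usual convention in ClamAV-style signature files.
SIGNATURES = {
    "Demo.Marker.A": "4D 5A 90 00 ?? ?? 00 00 44 45 4D 4F",
    "Demo.Dropper.B": "68 65 6C 6C 6F 2D ?? 2D 77 6F 72 6C 64",
}

# Constructed infection marker: a byte array a hypothetical virus writes at
# a fixed offset so it does not infect the same file twice. An AV can check
# the same marker to decide whether a file has already been infected.
INFECTION_MARKER_OFFSET = 0x40
INFECTION_MARKER = b"XDEMO"


def compile_signature(hexpat: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    parts = []
    for token in hexpat.split():
        if token == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL: "." also matches 0x0A


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found anywhere in data, sorted."""
    return sorted(name for name, pat in COMPILED.items() if pat.search(data))


def has_infection_marker(data: bytes) -> bool:
    """Check the fixed-offset marker described on the slide."""
    end = INFECTION_MARKER_OFFSET + len(INFECTION_MARKER)
    return data[INFECTION_MARKER_OFFSET:end] == INFECTION_MARKER


def report(name: str, data: bytes) -> dict:
    """Combine both checks into one result record for a file."""
    return {"file": name, "signatures": scan_bytes(data),
            "marker": has_infection_marker(data)}


# Constructed sample files for a stand-alone run.
CLEAN_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"plain program body"
INFECTED_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00DEMO"            # matches Demo.Marker.A
    + b"\x00" * (INFECTION_MARKER_OFFSET - 12)   # pad up to offset 0x40
    + INFECTION_MARKER                           # marker at offset 0x40
    + b"hello-x-world"                           # matches Demo.Dropper.B
)

if __name__ == "__main__":
    for n, d in (("clean.bin", CLEAN_FILE), ("infected.bin", INFECTED_FILE)):
        print(report(n, d))
```

The wildcard is what keeps such a signature useful across minor variants; a single changed byte in the middle of a fixed sequence would otherwise defeat it, which is why heuristic and behavioural methods on the next slides complement it.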
36. Heuristic
Detect malware by learning its traits.
Detects unknown (no-signature) viruses and their variants.
Expert-based analysis that determines the susceptibility of a system to a particular threat.
The decision is based on various decision rules or weighting methods.
37. Sandbox
An isolated environment for running malware safely.
“Simulate” the malware and collect/record its behavior, such as:
Connection attempts.
File access.
API calls.
Host modification.
Classify as malware or not based on known behavior.
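As an added example covering both the Heuristic and the Sandbox slides (example code, not from the original slides): weighted decision rules applied to a behaviour trace of the kind a sandbox records (file access, registry changes, connection attempts, API calls). The event model, the rules and their weights, the threshold and both traces are constructed assumptions, chosen to mirror the payload traits listed earlier in the deck.

```python
"""Heuristic scoring of a sandbox behaviour trace.

Added example, not from the original slides. Event model, rules, weights,
threshold and both traces are constructed for illustration; a real engine
has far more rules and weights tuned against known-good software.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Event:
    """One record from a sandbox run: what was touched and how."""
    kind: str          # "file", "registry", "network", "api"
    target: str        # path, registry key, host:port, or API name
    action: str = ""   # "write", "set", "connect", "call", ...


@dataclass
class Rule:
    name: str
    weight: int
    matches: Callable[[List[Event]], bool]


def _any(events: List[Event], pred) -> bool:
    return any(pred(e) for e in events)


def _is_raw_ip(host: str) -> bool:
    return host.replace(".", "").isdigit()


# Constructed rule set mirroring the payload traits on the slides:
# persistence, file encryption, keylogging and outbound control traffic.
RULES = [
    Rule("copies itself to the startup directory", 30,
         lambda evs: _any(evs, lambda e: e.kind == "file" and e.action == "write"
                          and "\\Startup\\" in e.target)),
    Rule("sets a Run registry key", 30,
         lambda evs: _any(evs, lambda e: e.kind == "registry"
                          and "\\CurrentVersion\\Run" in e.target)),
    Rule("rewrites many files with a new extension", 40,
         lambda evs: sum(1 for e in evs if e.kind == "file" and e.action == "write"
                         and e.target.lower().endswith(".locked")) >= 5),
    Rule("connects to a raw IP address", 15,
         lambda evs: _any(evs, lambda e: e.kind == "network" and e.action == "connect"
                          and _is_raw_ip(e.target.split(":")[0]))),
    Rule("installs a keyboard hook", 25,
         lambda evs: _any(evs, lambda e: e.kind == "api"
                          and e.target == "SetWindowsHookExW")),
]
THRESHOLD = 50  # constructed; no single low-weight rule can cross it alone


def score_trace(events: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires; also return which ones."""
    total, fired = 0, []
    for rule in RULES:
        if rule.matches(events):
            total += rule.weight
            fired.append(rule.name)
    return total, fired


def classify(events: List[Event]) -> str:
    return "malicious" if score_trace(events)[0] >= THRESHOLD else "benign"


# Constructed traces, in the shape a sandbox report might take.
BENIGN_TRACE = [
    Event("file", r"C:\Users\demo\Documents\notes.txt", "write"),
    Event("api", "CreateFileW", "call"),
    Event("network", "updates.example:443", "connect"),
]
MALICIOUS_TRACE = [
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", "set"),
    *[Event("file", rf"C:\Users\demo\Documents\doc{i}.docx.locked", "write") for i in range(6)],
    Event("network", "203.0.113.5:4444", "connect"),
    Event("api", "SetWindowsHookExW", "call"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("malicious", MALICIOUS_TRACE)):
        print(name, classify(trace), score_trace(trace))
```

Returning the list of fired rules alongside the score is the part an analyst actually uses: a verdict of "malicious, 110" is hard to act on, but "sets a Run key, rewrites many files with a new extension, connects to a raw IP" tells the responder what to look for on the host.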
41. Technical Aspects (cont’d)
Implement patch management.
Regularly update the system, especially for known vulnerabilities.
42. Personal Aspects
All about awareness, yours and other people’s.
Have a healthy skepticism toward anything that will enter your PC, especially from untrusted sources:
Email attachments
Removable drives
Look carefully at the link / URL in the address bar or in the email. If anything looks suspicious, leave it.
Download software from trusted sources only.
Ignore urgent installation prompts on the web.
If possible, do not log on to the system with administrator rights for normal work.
Update regularly.
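As an added example of what "look carefully at the link" means in practice (example code, not from the original slides): a few checks on a link's displayed text and its actual target that catch the common tricks, such as a trusted name used as a subdomain of an unrelated site, a username placed before "@" so it reads like the site, or a punycode hostname. The list of known domains and every sample link are constructed; the hostnames use reserved example names and a documentation IP range.

```python
"""Checks a careful reader can run on a link before following it.

Added example, not from the original slides. KNOWN_DOMAINS and the sample
links are constructed; hostnames use reserved example names.
"""
from urllib.parse import urlparse

# Constructed: sites the user really has accounts with.
KNOWN_DOMAINS = {"bank.example", "mail.example"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for the demo; real code
    would consult the public suffix list (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_hostname(text: str) -> bool:
    """Link text such as 'bank.example' names a site; 'Click here' does not."""
    text = text.strip()
    return bool(text) and " " not in text and "." in text


def inspect_link(display_text: str, href: str) -> list:
    """Return human-readable warnings about a link; empty means nothing odd."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        warnings.append("not HTTPS")

    # Everything before '@' is user info, not the site; browsers go to `host`.
    if parsed.username is not None:
        warnings.append(f"text before '@' is a username, not the site; the site is {host}")

    if "xn--" in host:
        warnings.append("internationalised (punycode) hostname; letters may be look-alikes")

    # Link text that names one site while the href goes to another.
    if looks_like_hostname(display_text):
        shown_raw = display_text if "://" in display_text else "https://" + display_text
        shown = urlparse(shown_raw).hostname or ""
        if shown and host and registrable_domain(shown) != registrable_domain(host):
            warnings.append(f"link text says {shown} but the link goes to {host}")

    # A trusted name placed as a subdomain of an unrelated site.
    reg = registrable_domain(host) if host else ""
    for known in sorted(KNOWN_DOMAINS):
        if host and known in host and reg != known:
            warnings.append(f"{known} appears inside {host}, but the real site is {reg}")

    return warnings


if __name__ == "__main__":
    samples = [
        ("Click here", "https://mail.example/inbox"),
        ("bank.example", "https://bank.example/login"),
        ("bank.example", "http://bank.example.login-portal.example/reset"),
        ("bank.example", "https://bank.example@203.0.113.7/"),
        ("Click here", "https://xn--bnk-example.example/"),
    ]
    for text, href in samples:
        print(text, "->", href, inspect_link(text, href) or "ok")
```

The registrable-domain comparison is the heart of it: what matters is the last labels of the hostname, not whether a familiar name appears somewhere in the URL.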
43. Back Up
Last but not least, perform backups regularly.
Distinguish between a complete system backup and a backup of working files.
44. Specific Case: Ransomware
How exploit leaks could lead to a global epidemic.
The rise of malware: WannaCry, (Not) Petya.
45. Conclusion
Malware is just a program, with a special purpose.
Malware is composed of code for propagation, payload, and self-defense.