What does malicious software look like?

Father

The variety of security tools is largely due not only to the number of "entry points" in different ICS, but also to the number of different types of malware, each of which can solve one specific task or several at once.

Malicious software (VPO in the Russian abbreviation), or malware, is the collective name for all utilities and programs used to maliciously affect an infrastructure or an individual device.

Kirill Romanov
Business Development Manager of the Information Security Department of Sissoft

Earlier, the textbooks talked about three main kinds of malware. It was customary to divide such software into viruses, worms, and Trojans. Now malware has become much more diverse: programs such as rootkits, backdoors, and boot loaders have appeared. Each of these programs has its own characteristics. For example, a rootkit allows a hacker to gain a foothold in a compromised system and hide both traces of their activity and traces of the rootkit's very presence in the system.

Today malware is a broad range of software products that are delivered in a variety of ways, from free, uncontrolled distribution through forums to sales under a service model or development on a "for our own use only" basis.

This article analyzes the main types of malware, the specifics of how individual programs are used, their origin, and the ways they spread both across the network and within the infrastructure of an individual company.

Types of malware

Alexander Novikov
Head of Research, Cyberanalytics and Development at T1 Group

Currently, malware of almost any class can be found in the public domain. These can be either open-source projects or "leaked" versions of malware used in real attacks. The main difference from the non-public instances used by professional attackers lies in the implementation of the malicious functionality and in bypassing detection by security solutions and antivirus programs.

The market for selling and renting various malware on shadow forums is also actively developing, which lowers the entry threshold for so-called script kiddies (inexperienced and unskilled hackers with little technical knowledge). Among them, the use of cryptominers and stealers that steal payment information and authorization data for various services is widespread.

Highly qualified hackers belonging to financially motivated professional cybercrime groups are currently actively using encryptors (ransomware). APT groups often have long-term espionage as their main goal, which leads to the development and use of complex custom spyware and backdoors, as well as rootkits to maintain a hidden presence in the victims' infrastructure.

Under current conditions, categorizing malware is a rather complicated process, since modern malware often combines several types of features at once. The simplest gradation can be made based on the purpose for which a program is used:
  1. Espionage. This is a group of programs used to collect data and then transmit it to an attacker. For example, keyloggers are often used to find out the authentication data of specific users.
  2. Disruption of functioning (business processes). The disruption can be either irreversible, if the goals are destructive (for example, the Azov wiper), or reversible, which allows an attacker to demand a ransom for decrypting the data.
  3. Controlling or using a device's resources. The purpose of this type of malware is to gain access to the computing power of a PC (or other device) for later use. For example, botnets are used for mining or for organizing DDoS attacks.
  4. "Transit". This group includes all software tools that help an attacker hide their presence in the system and reach the target data (most often by escalating privileges). The most common examples of such software are rootkits and bootkits.

In addition, it is worth highlighting a separate large category of programs whose task is to distribute advertising. They have no direct harmful effect, so they are usually classified as potentially unwanted programs (PUP).

Anton Kuznetsov
Leading Information Security Engineer at R-Vision

It is convenient to divide malware into the following main types:
  • Downloader: malware for downloading additional components from third-party Internet resources;
  • Backdoor: malicious code that opens remote access to a computer for intruders;
  • Launcher: malware for running additional malicious code;
  • Stealer: malware for collecting victims' information and transmitting it to a remote server;
  • Rootkit: malware that hides its presence in the system;
  • Bootkit: similar to a rootkit, only it loads before the main operating system starts and is able to control all security features, including the antivirus tool;
  • Viruses and worms: malicious programs that can independently spread copies of themselves from one device to another over the network;
  • Botnet: malware designed to infect as many users as possible for subsequent DDoS attacks and distribution of other software, such as ransomware.

In today's reality, dividing malware into the groups listed above is not an easy task, since one sample can combine the code of several groups at once. For example, the Emotet malware falls under backdoor, stealer, and rootkit at the same time. And the well-known Ransomware-as-a-Service type (an encryptor) can contain code characteristic of worms, encryptors, backdoors, and stealers. Thus, it is not so important to divide malware into groups as it is to understand what functionality is embedded in a given piece of software.

It is also important to mention the malware market itself. In modern reality, this is far from just a set of highly specialized "for our own only" sites. Now anyone can buy or find one malicious program or another, and the orientation of a number of "manufacturers" toward customers with little technical knowledge lets even a novice hacker who has barely mastered the basics "launch" an encryptor or other malware.

Alexander Moiseev
Leading Information Security Consultant, AKTIV.CONSULTING (Aktiv Company)

If we talk about the enterprise segment, the prevalence in recent years can be ranked as follows:
1. Encryptors (ransomware).
2. Banking Trojans.
3. Remote administration tools.
4. Loaders.
5. Infostealers.

This is primarily due to the fact that the enterprise segment is sensitive to disruption of operational reliability and continuity, and here encryptors have no equal: they can quickly paralyze the business and technological processes in an organization. Often a downtime of 2-3 days costs much more than both the amount that could have been spent on building a layered information security system and the funds the attackers demand as ransom.

The second point is that organizations are more willing to pay a ransom if confidential data was also copied to the attackers' resources before encryption, since reputational losses, fines, and the cost of know-how can be even greater than the losses from direct downtime while the IT infrastructure is being recovered after an attack.

Banking Trojans, as well as malware for stealing and spoofing data from cryptocurrency wallets, are popular because they provide fast monetization through direct unauthorized financial transactions with the victim's assets.

The remaining three positions are used in combined cyberattacks on companies (targeted attacks); they can involve a wide range of tools and techniques and can unfold over a long period of time before the targets are reached or the intrusion is detected in the infrastructure.

Malware for attacking businesses and the state

This year, DDoS attacks on Russian companies and services were most often in the media headlines. For them, as a rule, various kinds of botnets and stressers were used, which allow an attacker to generate a huge load on target services.

However, DDoS is often used as only one element of an attack whose purpose is not to "take down" a resource, but to penetrate the infrastructure and carry out a malicious impact: for example, to steal or encrypt data, or to post a political statement (a so-called deface).

If we talk specifically about the business environment and the activities of companies, they are most often attacked with three goals:
  • encryption;
  • data theft;
  • espionage.

One way or another, all these processes are aimed either at obtaining a ransom from the company itself or at monetizing the obtained data on shadow forums. Corporate (and state) espionage deserves separate mention. As a rule, in such cases an insider is present in the company or institution and becomes the entry point for the intruders. However, there are precedents involving the use of malware, for example the activity of the Chinese group TA428 at the beginning of this year.

Anastasia Vinchevskaya
Head of the Cybersecurity platform TheWall

The most common malware types are encryptors (ransomware) and wipers. They penetrate the local network of an enterprise and instantly encrypt or delete any sensitive data, such as databases and backups. The data is encrypted for the purpose of blackmail. It is almost impossible to decrypt it, because unethical hackers know exactly what their target is, they are well prepared, and they almost always write their malware from scratch. That is why it is very important to install security software, and preferably multi-level security systems that detect and prevent web attacks.

Any piece of equipment, machine tool, or camera that has Internet access can be a security hole in an enterprise, or even in a house or apartment. People are very happy to install IoT things in their apartments, but no one thinks about who else can connect to the cameras, refrigerators, and other equipment. Any local network must be protected, no matter how many devices it consists of.

However, no matter what the purpose of the malware is and no matter how exclusive it is, the program will be useless if it cannot be delivered to the target system. A variety of techniques and methods are used for this purpose.

How malware spreads

Different methods are used to "deliver" malware to the target infrastructure or to a specific device. Some of them can be attributed to the software level, for example methods based on exploiting vulnerabilities. In particular, many APT groups "like" to use 0-day vulnerabilities to gain access to the target system. However, the most common scenarios involve social engineering techniques.

Most often, attackers use the following entry points:
  • email;
  • pop-up windows;
  • browser extensions;
  • infrastructure vulnerabilities;
  • physical media;
  • backdoors (intentional and unintentional);
  • combinations of points.

If we talk about solutions that provide a minimum level of protection, are "minimally demanding" on the company's budget, and are relatively easy to integrate, these include antivirus programs, sandboxes, and firewalls. The use of other tools in each case depends on a number of factors, from regulatory requirements to the risk model and vulnerability prioritization of a particular organization.

Results

The world of malicious software is vast and diverse. The emergence of new technologies and their popularization inevitably leads to the emergence of adapted hacking and exploitation tools. With a high degree of probability, we can predict the popularization of malware aimed at compromising IoT devices and, in the longer term, malware that affects artificial intelligence.

At the same time, attacks using malware are becoming more widespread due to a decrease in the "entry threshold" for working with such programs. A hacker no longer needs to know how a given rootkit or keylogger works; it is enough to click a few buttons to launch it.

Viruses, wipers, worms, and other malicious programs will become more common, "raising" cyber risks to the very top of the relevance list for a wide variety of companies.