Malware analysis – Basics

Malware has become a common word understood by the average person. Whether it’s in the media, through fellow users, or because one’s own anti-virus software sets off an alarm, the term is regularly brought back into consciousness.

Malware Analysis Basics

If this happens in a business environment, the situation is immediately more critical. Malware quickly causes high costs, which can result from damage, additional working hours or penalties. Which damage is to be feared, and how the malware can be removed from the network again, depends on the type of malware. If the malware alarm is triggered by the “endpoint protection” solution in use, it usually includes a classification. This means that you can be largely certain that the malware will be removed from all devices on which this anti-virus software is installed. However, since anti-virus programs still primarily detect malware that is already known, the functionality of any unknown malware that is found must be analysed in order to estimate the extent of the damage.

Malware Definition

Malware stands for “malicious software” and is a regular computer program that has, however, been developed to cause damage. This is a clear distinction from faulty software, which can also cause damage but was not designed to do so. For example, the Ariane 5 control program that led to the explosion of the rocket and the death of the astronauts [1] was not malware, but faulty software.

As is true for all programs, malware belongs to a process at runtime in some form and is found in memory, and it survives a system restart only if it has previously been stored – at least in a minimal form – in persistent storage. Thus, at least in theory, malware can be interacted with in the same way as any other program.

Malware as a Tool

If you look at Lockheed Martin’s “Intrusion Kill Chain” [2] or the “Unified Kill Chain” [3], it quickly becomes clear what malware is used for: it is a means to achieve the real goal. Running malware on a computer in the target company is thus only part of an entire attack, which can in theory be repeated any number of times until the defences have been outwitted. Once malware has been successfully executed on a target system, further actions can be performed through it. Whether this is exfiltration of data, use of the gained computing power or extortion depends entirely on the type of malware. Thus, if malware is found on the network at some point, it is not necessarily possible to determine what the target of the attack was. Finally, ransomware can also be used to hide traces, since in many cases the response to such an infection is simply to restore the data from backup.

Types of Malware

In order to have a conversation about a topic, it is often useful to categorize the subject matter. When it comes to malware, apples and oranges are often lumped together by mixing distribution type groupings with capability groupings.

Categorization by Distribution Type

When malware is categorized by distribution type, three terms are used: Virus, Trojan, and Worm.

A virus infects another program so that this program henceforth also contains the virus’ code. Whenever the infected program runs or, if an executable file or script has been infected, whenever that file is opened, the virus runs as well and may seek out a new matching target file or a new instance of the running target program in order to continue the infection. For example, if an Office file, such as an Excel spreadsheet for budget management, is found with an unsigned macro on a central network drive, the macro may have been extended with the virus’ malicious code. The next employee who opens this file will ignore any warnings because the document comes from a trusted source.

A worm is a self-propagating malware that, unlike a virus, does not require an additional carrier program or file for propagation. For example, if a worm gains administrative rights on a second system, it can copy itself to the hard disk of that system and run there.

A Trojan – named after the legend of the Greeks who hid in a wooden horse presented as a gift in order to invade the city of Troy – is malicious software that disguises itself as a legitimate program. The aim is to trick a potential victim into trusting the legitimate-looking shell and running the malicious program hidden inside. Unlike the other two categories presented here, a Trojan does not spread by itself.

Categorization by Capabilities

If malware is categorized by its capabilities, then the list of possible groups becomes considerably longer.

Terms such as ransomware, crypto miners and keyloggers regularly appear in the media. A “remote access Trojan” (RAT) or “backdoor” provides the controlling person with access to the infected computer and all connected resources. A “stager” usually only has the ability to check whether it is safe to download further malware and then does so. A “bootkit” or “rootkit” hides deep in the system – the former in the computer’s BIOS or “bootloader”, the latter in the operating system itself – so that it is as undetectable as possible and cannot be easily removed. This is by no means an exhaustive list, as even slight variations from the behaviour described here lead to the creation of new names.

Categorization of Real Malware

Unfortunately, the categorizations just described are not so easily applied to real-world attacks.

More than a decade ago, stagers were found only in malware used by Advanced Persistent Threats (APTs); today they are used in almost every campaign. For example, a legitimate-looking Word document with macros is sent to a potential victim, and when it is opened, it downloads the actual malware: this can be a Trojan that acts as a stager and in turn downloads a ransomware, for example. Such ransomware can potentially propagate itself. “WannaCry” [4] was such a ransomware: it could spread virus-like via the MS17-010 (EternalBlue) vulnerability [5] or, if the malware had obtained administrative credentials, worm-like via the administrative program “psexec” [6].

Thus, simple categorizations must be handled with care. A differentiated view allows a more precise definition of the potential damage a malware can cause in a company.

Carrier Formats

As described at the beginning, malware is also simply a program. However, depending on the type of malware, different mechanisms are used to infect a victim. In the past, attackers often tried to send victims regular executable files, such as .EXE or .SCR – the extension for screensavers, which in Windows are nevertheless simply programs just like .EXE files. Today, attackers tend to package their malware in file archives, such as .ZIP files, that are sometimes encrypted, in order to smuggle it past filters. In doing so, attackers often trust that clever naming of the file will outsmart the potential victim. File names such as “Invoice_reminder_190221.pdf.exe” are supposed to trick the user into opening the alleged invoice, because Windows hides known file extensions by default, so the user is unlikely to see the trailing .EXE.

Since Windows natively supports various scripting languages, attackers have also started writing their malware in JavaScript and VBScript. Programs written in these two scripting languages are identified by the .JS and .VBS file extensions and can likewise be executed directly in Windows. If a user double-clicks such a file, the program runs on the computer just like an .EXE file.

Windows now intercepts such direct attacks reasonably well, because the operating system marks program files downloaded from the Internet as such. If a user tries to execute such a file, the operating system at least asks whether the file is really trusted. For this reason, attackers increasingly rely on abusing the script environments of other programs.

All Office programs support macros that are intended to automate regular tasks. However, these can also be used by an attacker to perform malicious actions. Thus, a Word, Excel or PowerPoint file can also contain malicious code. The same applies to PDFs: Adobe Acrobat Reader supports JavaScript in PDFs and can thus be misused to execute malicious code or for sophisticated phishing attacks.

This list is not exhaustive, as in principle any file could exploit a flaw in the program associated with it. For example, an image file carrying malicious code could be used against Microsoft Paint if a suitable program error is found in Paint and the user opens the image with it.

Because of all these possibilities to execute and disguise malware on a system, security experts advise against opening files and links that come from an untrusted source.
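The carrier formats described above (executables and screensavers, double extensions such as “.pdf.exe”, ZIP archives used as wrappers, script files, and macro-capable documents) can be turned into a simple attachment screening rule, the kind of check an email or proxy filter would run. The following Python script is an added example and not code from the article or from Oneconsult; the extension lists, the tag names and the sample archive are constructed for the illustration, and the set of document extensions is an assumption (the article names Word, Excel, PowerPoint and PDF, not specific extensions).

```python
import io
import posixpath
import zipfile

# Extensions the article names as directly executable on Windows.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs"}
# Archive format the article mentions as a wrapper used to get past filters.
ARCHIVE_EXT = {".zip"}
# Document types the article says can carry macros or JavaScript
# (assumption: these concrete extensions stand in for "Word, Excel,
# PowerPoint and PDF").
DOCUMENT_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                ".ppt", ".pptx", ".pptm", ".pdf"}


def extensions(filename):
    """Return every dot-separated suffix of a file name, lower-cased.

    'Invoice_reminder_190221.pdf.exe' -> ['.pdf', '.exe']
    """
    base = posixpath.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def classify_name(filename):
    """Tag a file name with the risk indicators described in the article."""
    tags = set()
    exts = extensions(filename)
    if not exts:
        return tags
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        tags.add("executable")
    if last in ARCHIVE_EXT:
        tags.add("archive")
    if last in DOCUMENT_EXT:
        tags.add("document")
    # Double extension such as '.pdf.exe': a document-looking name in front
    # of an executable one, relying on Windows hiding the final extension.
    if len(exts) >= 2 and last in EXECUTABLE_EXT and exts[-2] in DOCUMENT_EXT:
        tags.add("double-extension")
    return tags


def screen_attachment(filename, data=b""):
    """Screen one attachment; for ZIP archives, screen each member as well.

    Returns {path: sorted list of tags} for every path that raised a tag.
    Members are keyed as '<archive>!<member>'.
    """
    findings = {}
    tags = classify_name(filename)
    if tags:
        findings[filename] = sorted(tags)
    if "archive" in tags and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member_tags = classify_name(info.filename)
                    # General-purpose flag bit 0 marks an encrypted member.
                    if info.flag_bits & 0x1:
                        member_tags.add("encrypted")
                    if member_tags:
                        findings[filename + "!" + info.filename] = sorted(member_tags)
        except zipfile.BadZipFile:
            # A file named .zip that cannot be parsed deserves a look, too.
            findings[filename] = sorted(tags | {"corrupt-archive"})
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP wrapping a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_reminder_190221.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"please see attached invoice")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("budget_2019.xlsx", b""),
        ("Invoice_reminder_190221.pdf.exe", b""),
        ("report.zip", build_sample_zip()),
    ]
    for name, payload in samples:
        print(name, screen_attachment(name, payload))
```

The “document” tag is deliberately informational: it does not block Office or PDF files, but marks them for the macro or JavaScript inspection the article says they warrant. The “encrypted” tag can only be raised when the archive is readable; an encrypted ZIP still exposes its member names and flag bits, which is exactly what this check relies on.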

Threat Actors

The different types of malware, the possible infection routes and the purpose of malware have now been discussed; what remains is the question of who is behind it.

Malware is increasingly becoming a commodity: something that people buy when they need it and usually do not develop themselves. There is a demand for malware that is met by a corresponding supply [7]. This is how the malware distributed in ordinary phishing campaigns comes into circulation: a group of competent people write the malware and offer it for sale. People who think they can profit from such malware – whether financially, for example through ransomware, or psychologically, for example when hacktivists hack an organization – buy it and send it to their chosen targets. This covers most of the malware in circulation, which “endpoint protection” programs detect within a few hours of the initial infection, as it is usually distributed en masse. It is mostly used by lone perpetrators or smaller groups who lack the relevant expertise and often simply want to maximize their profit with as little effort as possible.

The smallest share of malware in circulation is developed specifically for a target, or at least adapted to it, as part of an APT attack. Since this malware is not executed on many computers, the chance that an “endpoint protection” solution will detect it is correspondingly lower. In addition, attackers here more often follow the “living off the land” paradigm: this describes the use of programs that already exist on the system, or are at least signed by trusted vendors, to execute malware through them. Examples are the use of “powershell.exe”, “rundll32.exe” or the already mentioned “psexec.exe”. These three programs are by now also used by ordinary malware, and many other programs have since been identified that can be used for such purposes [8]. Since identifying suitable programs, developing matching tools and researching good obfuscation methods cost a lot of time and thus money, these attacks are usually initiated or sponsored by intelligence agencies. Accordingly, the possible targets of such attacks belong to a small circle.
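The infection chain described earlier (a macro-laden Word document that downloads the next stage, script files that are executed directly) and the “living off the land” binaries named here (powershell.exe, rundll32.exe, psexec.exe) share a property a defender can detect: a legitimate carrier application or a trusted system binary appears in an unusual parent/child relationship. The Python below is an added example, not code from the article or from Oneconsult. It runs three such rules over constructed process-creation records; the key=value log format, the host names, paths and command lines are all invented for the illustration, and treating wscript.exe and cscript.exe as the hosts that run .JS and .VBS files is an assumption.

```python
import re
from dataclasses import dataclass

# Carrier applications named in the article: Office programs (macros) and
# Acrobat Reader (JavaScript in PDFs).
CARRIER_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Windows Script Host executables (assumption) that run the .JS/.VBS files
# the article mentions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "Living off the land" binaries named in the article, plus the script hosts.
LOLBINS = {"powershell.exe", "rundll32.exe", "psexec.exe"} | SCRIPT_HOSTS

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcessEvent:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse one constructed process-creation record into a ProcessEvent."""
    fields = {k: (q if q else u) for k, q, u in _KV.findall(line)}
    return ProcessEvent(
        host=fields["host"],
        parent=fields["parent"].lower(),
        image=fields["image"].lower(),
        cmdline=fields["cmdline"],
    )


def detect(ev):
    """Return the names of every rule the event matches."""
    hits = []
    # Rule 1: a document viewer spawning a system binary is the shape of the
    # "macro downloads the next stage" chain.
    if ev.parent in CARRIER_APPS and ev.image in LOLBINS:
        hits.append("carrier-app-spawned-lolbin")
    # Rule 2: a script host running a .js/.vbs file, i.e. a script "program"
    # executed directly like an .EXE.
    if ev.image in SCRIPT_HOSTS and re.search(r"\.(js|vbs)\b", ev.cmdline, re.I):
        hits.append("script-host-ran-js-or-vbs")
    # Rule 3: psexec is an administrative tool; every use deserves review
    # because it is also the worm-like spreading path the article describes.
    if ev.image == "psexec.exe":
        hits.append("psexec-remote-execution")
    return hits


def run_detection(log_text):
    """Run all rules over a log; return (host, image, hits) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = detect(ev)
        if hits:
            alerts.append((ev.host, ev.image, hits))
    return alerts


# Constructed sample log: one benign Word launch, one macro-to-PowerShell
# chain, one script file opened from Downloads, one psexec use, and one
# legitimate scheduled PowerShell script.
SAMPLE_LOG = r'''
host=ws01 parent=explorer.exe image=winword.exe cmdline="winword.exe Invoice_reminder_190221.docm"
host=ws01 parent=winword.exe image=powershell.exe cmdline="powershell.exe -w hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1"
host=ws01 parent=explorer.exe image=wscript.exe cmdline="wscript.exe C:\Users\alice\Downloads\Invoice.js"
host=ws02 parent=cmd.exe image=psexec.exe cmdline="psexec.exe \\ws03 cmd.exe"
host=ws02 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"
'''

if __name__ == "__main__":
    for host, image, hits in run_detection(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

Rule 1 is the one that distinguishes the APT-style chain from ordinary administration: the last sample line, PowerShell started from Explorer to run a backup script, is left alone, while the same binary started by Word is flagged. In a real deployment the parent/child pair comes from the endpoint agent’s process-creation telemetry rather than a text log.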

The third category of attackers is, potentially, a company’s own competitors [9]. As “time to market” and cost pressure increase, it becomes worthwhile to obtain valuable data from a market competitor quickly. This can be done legally, for example by poaching an important employee – but also via illegal methods such as infection with malware. Especially where there is a lot of money to be gained, larger sums can be invested in such an attack, which makes these attacks relatively dangerous.


In this article, the basic concepts of malware have been discussed. When talking about malware, the appropriate vocabulary should always be used so that there are no misunderstandings. This helps to restore “business as usual”, because the potential impact of a malware attack can then be described in a few words.

When creating an in-house threat model, looking at threat actors helps. Depending on the group one wants to protect against, a different defence strategy must be chosen. If you are only interested in common attackers who buy most of their malware, it is sufficient to implement the basic measures, such as those presented in this advisory from Oneconsult:

However, if one is a potential target of an APT group, then a much higher level of protection must be targeted.

The carrier formats presented should reveal how malware is executed in its target environment. This can help set up email and proxy filters and should be considered when training employees.

Published on: 08.04.2019



