Malware

Malware #

Definitions #

Malware: umbrella term for malicious software

  • Virus: a malicious program that infects other programs, usually spreading with human assistance (someone runs or shares the infected file)
  • Worm: a malicious program that spreads automatically over the network, without human intervention
  • Trojan Horse: a malicious program that pretends to be something innocuous
  • Rootkit: software that gives an adversary hidden, persistent control of a computer, concealing its own files, processes and network activity
    • Specifically: control of the computer at a system or kernel level
  • RAT (Remote Access Trojan, also expanded as Remote Access Toolkit): remote-control malware, often with rootkit features, optimized for ease of use by the operator

A history of malware #

  • Once upon a time (Commodore 64 era), viruses were carried on a floppy disk
    • Inserting it would cycle colors and display a message
    • At this time, there was no way to make money with malware, so viruses were mostly cute pranks
  • Wipers: early destructive malware
    • Carried on a floppy disk; would erase the MS-DOS disk
  • The Morris Worm (1988): the first fully automated worm
    • Released by Robert Morris Jr., then a graduate student at Cornell (now a professor at MIT)
    • Took out a large chunk of the internet of the day (~6,000 computers)
    • Had four propagation vectors: the sendmail DEBUG command, a buffer overflow in fingerd, rsh/rexec trust relationships, and password guessing
    • Built for two different architectures (VAX and Sun-3)

Modern malware #

Modern rootkits (example: TDL4/TDSS) #

Installed via affiliates, who might use

  • Social engineering attack
  • Infected download
  • Exploited website

Hides in Windows

  • Master Boot Record (MBR) infection: the rootkit's loader runs before Windows boots
    • Now can infect UEFI machines as well, including those with Secure Boot enabled
  • Bypasses kernel driver-signing enforcement, since it is already in control before the OS starts checking signatures
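A bootkit that lives in the MBR is found by reading sector 0 of the disk and comparing it against what should be there. The following is an added example, not code from the original notes and not TDL4 code: a small Python parser for the 512-byte MBR that checks the 0x55AA boot signature, decodes the four partition-table entries, and compares a SHA-256 of the 446-byte bootstrap area against a known-good baseline, the way a forensic triage script would run over a raw image of sector 0. The sample MBRs, their bootstrap bytes, and the baseline value are all constructed inline and are placeholders, not a real Windows bootloader.

```python
"""Parse a classic 512-byte Master Boot Record and check it for signs of
MBR infection (bootkit). Added example; sample data is constructed.

Layout of a classic MBR:
  bytes   0..445  bootstrap code (446 bytes)      <- what a bootkit overwrites
  bytes 446..509  four 16-byte partition entries
  bytes 510..511  boot signature 0x55 0xAA
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE_TYPE = 0xEE  # partition type used by the protective MBR on GPT/UEFI disks
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def build_mbr(bootcode: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble an MBR from bootstrap code and up to four
    (status, type_id, lba_start, sector_count) tuples. CHS fields are zeroed."""
    if len(bootcode) != BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("bootcode must be 446 bytes; at most four partitions")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, b"\0\0\0", type_id, b"\0\0\0", lba, count)
        for status, type_id, lba, count in partitions
    )
    table += b"\0" * (4 * PART_ENTRY_SIZE - len(table))
    return bootcode + table + BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    """Decode the non-empty entries of the partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE]
        )
        if type_id == 0:
            continue  # unused slot
        entries.append(PartitionEntry(bool(status & 0x80), type_id, lba, count))
    return entries


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap area; the partition table legitimately differs per machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> dict:
    """Return the parsed view plus a list of anomalies worth a closer look."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = bootcode_sha256(mbr)
    if digest != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline (possible bootkit)")
    partitions = parse_partition_table(mbr)
    if sum(p.bootable for p in partitions) > 1:
        findings.append("more than one partition flagged bootable")
    # Caveat: on a GPT/UEFI disk the MBR is only a protective stub and firmware never
    # runs its bootstrap code, so this check says nothing about the EFI system partition.
    gpt_protective = any(p.type_id == GPT_PROTECTIVE_TYPE for p in partitions)
    return {"bootcode_sha256": digest, "partitions": partitions,
            "gpt_protective": gpt_protective, "findings": findings}


# Constructed placeholders, not a real bootloader: a few plausible-looking opcodes padded with hlt.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\xF4" * (BOOT_CODE_SIZE - 7)
INFECTED_BOOTCODE = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (BOOT_CODE_SIZE - 3)
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]  # one bootable NTFS-type partition

if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOTCODE, SAMPLE_PARTITIONS)
    baseline = bootcode_sha256(clean)  # in practice: taken from a known-good image
    for label, sector in (("clean", clean), ("infected", build_mbr(INFECTED_BOOTCODE, SAMPLE_PARTITIONS))):
        result = check_mbr(sector, baseline)
        print(label, result["findings"] or "no anomalies", [p.type_id for p in result["partitions"]])
```

On a live system the sector would come from the raw device (for example the first 512 bytes of `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux), read from outside the suspect OS where possible, since a running rootkit can lie about what the disk contains.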

Makes money as a botnet

  • Controlled through a P2P network (no single C&C server to take down)
  • Removes competing bots from the infected host
  • Does not infect machines in Russia

Self-propagating worm (example: Stuxnet) #

  • The most complex malware of its day
    • Used to sabotage Iranian uranium enrichment (the Natanz facility)
  • Multi-stage lifecycle
    • Initial infection seeded via compromised Farsi websites
    • Movement between machines via the network and USB drives
    • On machines running the Siemens Step 7 / WinCC control software, local infection of that engineering software
    • Malicious code loaded onto the PLCs (Siemens S7 series) to alter centrifuge operation and cause physical damage
    • Complex, stealthy airgap-jumping: USB drives carried updates in and out, and infected machines inside the isolated network updated each other peer-to-peer

Ransomware (example: Cryptolocker) #

  • Get onto victim machines (phishing attachments, exploit kits, scanning for exposed services), push malware that encrypts files and demands a ransom for the decryption key
  • Originally: Cryptolocker in 2013, mostly Windows XP-era machines - demanded ~2 BTC (or ~$300) as payment
  • Mid 2010s: shift away from individuals and towards municipalities and hospitals
    • May 2019, Baltimore, MD - city government computer systems infected by RobbinHood ransomware, demanding 13 BTC (~$100k at the time); the attack cost the city several million dollars in damages
    • February 2016, Hollywood Presbyterian Medical Center - hospital had to divert patients and fall back to paper and fax, ultimately paid a 40 BTC (~$17k) ransom
    • November 2016, San Francisco MUNI - the agency made MUNI fares free while it scrambled to recover from the attack
  • Early 2020s: ransomware targeted at big businesses and governments
    • May 2021 - Colonial Pipeline infected by the DarkSide group, halted pipeline operations and paid a 75 BTC (~$4.4M) ransom within hours

The future of malware #

  • Truly self-guided malware on the high end
  • Commodity malware (good enough) available to almost all groups on the low end
  • Consumer malware moving away from lockers to BTC theft
  • Continued growth of individual risk via cheap mobile RATs
  • Lack of skilled analysts and truly capable software means that malware is still a growth industry