Malware is a piece of software or a program used to perform malicious actions on a target.
Malicious + software = malware
Malware infects any kind of device: computer, phone, tablet…
Basic Components of Malware
Crypter: software that conceals the existence of malware. Used to keep antivirus from detecting it. Also protects the malware against reverse-engineering analysis.
Downloader: piece of software that downloads the malware. Can be another piece of malware or a trojan, or a simple script.
Dropper: installs malware or some code on the system covertly. Uses unidentifiable malware code that goes undetected by antivirus scanners.
Exploit: the part of the malware that contains the code or the sequence of commands needed to take advantage of the device. It is the code used to breach the system. Exploits can be local or remote.
Injector: injects the exploit or code from the malware into the system. Hides the malware or prevents it from being removed. Reloads the malware if necessary.
Obfuscators: conceal the malware or the malicious code by means of different techniques. Makes it harder for programs and/or professionals to find and remove the malware.
Packer: compresses the malware file and converts it to an unreadable format so that it cannot be detected.
Payload: the actual file that is activated; used to delete files, infect the system, encrypt the system, etc.
Malicious Code: defines the basic functionality of the malware and includes the commands that result in the security breach itself. Can be an ActiveX control, Java applet, browser plugin, etc.
Types of Malware
Propagation Malware
Virus: requires human assistance, meaning someone needs to execute the file in order to get infected.
Worms: automatic; squirm throughout the network infrastructure without human help.
Concealment Malware
Rootkit: hides itself by modifying the OS so it’s not visible to the end user.
Trojan: hidden inside a desired file.
History Bits
In 1996, the first federal computer sabotage case took place. Timothy Lloyd, a network manager and administrator for Omega Engineering, created what is called a logic bomb: he created a user account called 12345 with no password and full administrator rights. His logic bomb would execute if he didn't log in for 20 days, using the 12345 account to log in and execute a script called fix that would delete files, then purge them to hide his tracks. As Omega Engineering did business with the United States Navy and NASA, the Secret Service had to get involved. They found the same logic bomb on Lloyd's personal computer. He was convicted of computer sabotage and sentenced to 41 months in federal prison.
Things to Look For
On Microsoft Windows, every program with a PID higher than 2000 is launched after the operating system starts up. This is generally where to pay attention.
If a task is not familiar, try opening its location to see where it points. Look also at the Details tab of Properties, which gives more information about it. Searching online is also a good idea, when possible.
You should be suspicious of every task with a PID above 2000 that does not have an icon.
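As an added example (not part of the original notes), a PowerShell snippet that applies the checks above to every process with a PID above 2000: where its executable lives, the fields the Details tab shows (company, description), and the Authenticode signature state as an extra hint. The function name Get-ProcessTriage and the threshold parameter are my own choices; run it in an elevated session so process paths are readable.

```powershell
# Added example: triage of running processes with PID > 2000 (threshold from the notes).
# Not from the original notes. Needs an elevated PowerShell session to read every Path.

function Get-ProcessTriage {
    param(
        [int]$MinPid = 2000   # threshold taken from the notes above
    )

    Get-Process | Where-Object { $_.Id -gt $MinPid } | ForEach-Object {
        $proc = $_
        $path = $proc.Path      # $null for protected/system processes or when access is denied
        $info = $null
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            # VersionInfo carries the same fields the Details tab of Properties shows
            $info = (Get-Item -LiteralPath $path).VersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
        }
        [pscustomobject]@{
            PID         = $proc.Id
            Name        = $proc.ProcessName
            StartTime   = $(try { $proc.StartTime } catch { $null })
            Path        = $path
            Company     = $(if ($info) { $info.CompanyName } else { $null })
            Description = $(if ($info) { $info.FileDescription } else { $null })
            Signature   = $(if ($sig) { $sig.Status } else { 'Unknown' })
            # Worth a closer look: unreadable path, no vendor details, or a non-valid signature
            Suspicious  = (-not $path) -or (-not $info) -or (-not $info.CompanyName) -or
                          ($sig -and $sig.Status -ne 'Valid')
        }
    }
}

# Flagged processes first, then everything else
Get-ProcessTriage | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Process IDs are reused and are not handed out in start-time order, so treat the StartTime column, not the PID alone, as the guide to what was launched after boot.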