Malware
Information Security
CS 526
Topic 13-a
Overview of Malware
Targeted malware
[Figure: targeted malware infecting an executable on a host (labels: Malware, Executable, Infected host)]
25/09/2019 EL5112 - Sem 1 2019/2020 12
Cavity malware
[Figure: cavity malware placed inside an executable on the infected host; a packer wraps the payload (labels: Malware, Payload, Packer, Executable, Infected host)]
• Win.ini: "run=[backdoor]" or "load=[backdoor]"
• System.ini: shell="myexplorer.exe"
• Wininit
• Config.sys
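The INI-based autostart locations listed above were a common persistence point for early Windows backdoors. As an added example (not part of the lecture slides), the following script audits such files offline: it parses Win.ini and System.ini contents and reports any run=, load= or shell= value that differs from what a clean system carries. The sample file contents and the expected defaults (empty run=/load=, stock explorer.exe shell) are assumptions constructed for the demo.

```python
"""Added example, not from the lecture slides: offline audit of the legacy
Windows INI autostart entries (Win.ini run=/load=, System.ini shell=).
Malware persisted by pointing these keys at its own binary; a defender
compares them against the values a clean system has.  The file contents
below are constructed, and the expected defaults are assumptions."""
import configparser
from typing import Dict, List, Tuple

# (section, key) -> value expected on a clean system.  Empty run=/load=
# and the stock shell are the assumed defaults for this example.
AUTOSTART_KEYS: Dict[str, Dict[Tuple[str, str], str]] = {
    "win.ini": {("windows", "run"): "", ("windows", "load"): ""},
    "system.ini": {("boot", "shell"): "explorer.exe"},
}


def find_autostart_entries(filename: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for each autostart key in `text` whose
    value differs from the expected default.  Files that are not in
    AUTOSTART_KEYS produce no findings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings: List[Tuple[str, str, str]] = []
    for (section, key), expected in AUTOSTART_KEYS.get(filename.lower(), {}).items():
        if parser.has_option(section, key):
            value = parser.get(section, key).strip()
            if value.lower() != expected.lower():
                findings.append((section, key, value))
    return findings


# Constructed sample files: win.ini with a backdoor in run=, system.ini with
# the shell replaced, as in the slide's shell="myexplorer.exe".
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\temp\backdoor.exe
[fonts]
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=myexplorer.exe
"""

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for section, key, value in find_autostart_entries(name, text):
            print(f"{name}: [{section}] {key}={value!r} (unexpected autostart value)")
```

The comparison is case-insensitive because Windows treats INI keys and executable names that way; a value such as `Explorer.exe` is therefore not reported, while any path placed in run= or load= is.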
• Meta-server worm: ask a server for hosts to infect (e.g., Google for "powered by phpbb")
• Topological worm: use information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
• Contagion worm: propagate parasitically along with normally initiated communication
Detailed Steps (2)
2. Attacker secretly installs zombie agent: attacker programs turn unsecured computers into zombies.
Detailed Steps (3)
3. Zombie agents "phone home" and connect to a master server.
[Figure: attacker, zombies and master server connected over the Internet]
Detailed Steps (6)
6. Targeted system is overwhelmed by zombie requests, denying requests from normal users.
[Figure: attacker, master server, zombies and the targeted system connected over the Internet]
• Hypervisor-level rootkits
• Hardware/firmware rootkits
• Whoever gets to the lower level has the upper hand.
Kernel tasks:
• Process management
• File access
• Memory management
• Network management
What to hide:
• Processes
• Files
• Network traffic
Kernel rootkit
[Figure: user processes P1, P2, P3 and ps above the KERNEL layer, with the rootkit inside the kernel. Hardware: HD, keyboard, mouse, NIC, GPU]
Subverting techniques
• Kernel patch
• Loadable Kernel Module
• Kernel memory patching (/dev/kmem)
[Figure: Windows system service dispatch. User-mode processes (P1, P2, Pn, Csrss.exe) call through Ntdll.dll into the Executive in ntoskrnl.exe (the underlying kernel); the system service dispatcher consults the system service dispatcher table. An interrupt hook or a new pointer written into the table (labels A, B, C) redirects a service to driver code.]
Driver overwriting functions
Driver replacing functions
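The diagram's "new pointer" is what a detector looks for: a dispatcher-table entry that no longer points into the kernel image, or that differs from a snapshot taken on a clean system. As an added example (not part of the slides), the following code models that integrity check. All addresses, module names and table contents are constructed for the demo.

```python
"""Added example, not from the slides: integrity check of a system service
dispatcher table.  A rootkit driver that overwrites or replaces an entry
leaves a pointer into its own module; the detector compares the live table
with a known-good snapshot and checks that every entry still lies inside
the kernel image.  All addresses and module names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """Address range of a loaded kernel module (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[ModuleRange]) -> str:
    """Name of the module whose range holds addr, or '<unknown>'."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "<unknown>"


def audit_dispatch_table(live: Dict[int, int], baseline: Dict[int, int],
                         modules: List[ModuleRange],
                         kernel: str = "ntoskrnl.exe") -> List[Tuple[int, int, str]]:
    """Return (service index, current pointer, owning module) for every
    entry that differs from the baseline or points outside the kernel image."""
    findings: List[Tuple[int, int, str]] = []
    for idx, ptr in sorted(live.items()):
        owner = owner_of(ptr, modules)
        if ptr != baseline.get(idx) or owner != kernel:
            findings.append((idx, ptr, owner))
    return findings


# Constructed module map: the kernel image and a third-party driver.
MODULES = [
    ModuleRange("ntoskrnl.exe", 0x80400000, 0x00200000),
    ModuleRange("hookdrv.sys", 0xF8A00000, 0x00010000),
]
# Constructed known-good table (snapshot from a clean system) and a live copy
# in which service index 2 has been redirected into hookdrv.sys.
CLEAN_TABLE = {0: 0x80412340, 1: 0x80413000, 2: 0x80420000, 3: 0x80421000}
HOOKED_TABLE = {**CLEAN_TABLE, 2: 0xF8A01230}

if __name__ == "__main__":
    for idx, ptr, owner in audit_dispatch_table(HOOKED_TABLE, CLEAN_TABLE, MODULES):
        print(f"service {idx}: pointer {ptr:#010x} now resolves to {owner}")
```

A hit is a signal rather than proof: security products and some legitimate drivers have also hooked this table, so the baseline snapshot and the identity of the owning module decide how the finding is triaged. On 64-bit Windows, Kernel Patch Protection makes such table modifications crash the system, which is one reason rootkit authors moved to bootkits and lower layers.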
MBR/Bootkit
• Bootkits can be used to bypass all protections of an OS, because the OS assumes the system was in a trusted state at the moment the OS boot loader took control.
[Figure: layer stacks (App, App / Target OS / Hardware) showing where a bootkit sits relative to the target OS]
• Popular query
• 35.5% are malware (Kalafut 2006)