Malware refers to software intentionally designed to cause damage or unauthorized actions.
Types
| Type | Description |
|---|---|
| Virus | Replicates by attaching to programs |
| Worm | Spreads through networks |
| Trojan Horse | Malicious code disguised as legitimate |
Rootkits
Malicious code that attains root-level privileges. Extremely difficult to detect or eradicate.
Rootkits can:
- Intercept OS function calls to filter or modify results before passing them to the caller
- Replace OS functions with harmful versions
- Rewrite interrupt handler pointers
- Remove checkers from the startup list
- Bypass audit logging
- Take full control of the file system
Rootkits work at different permission levels (in increasing difficulty to eradicate):
- User mode: only user permissions; limited harm.
- Kernel mode: modifies OS functions; halts processes.
- Bootkit: activates on boot; embedded in OS startup.
- Hypervisor/virtual machine: runs under the OS; intercepts OS calls.
- Hardware/firmware: embedded in hardware or writable microcode.
Rootkit revealers read the disk directly, rather than through the OS, to find rootkits.
Splicing
An evasion technique where the first bytes of a system function are overwritten with a jump instruction pointing to the rootkit’s code. Any driver modified this way is called a hooked driver. Legitimate calls to the function silently execute the rootkit code first.
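Two checks a rootkit revealer can run against the splicing described above, as an added example (not code from the original notes): a scan of a function's first bytes for the jump encodings a splice leaves behind, and a cross-view compare of the in-memory prologue against a reference copy read from disk. The prologue bytes are constructed for the example, and the jump patterns are the common x86/x86-64 encodings, an assumption on my part.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leading bytes worth inspecting: a 5-byte relative JMP is the smallest
   common splice, so a 16-byte window comfortably covers it. */
#define PROLOGUE_LEN 16

/* Return 1 if the first bytes of `code` transfer control out of the
   function (the signature of splicing), 0 otherwise. Covers the usual
   encodings: E9 rel32 (JMP), FF 25 (JMP [mem]), 68 imm32 + C3 (PUSH/RET),
   and 48 B8 imm64 + FF E0 (MOV RAX,imm64; JMP RAX). */
int starts_with_jump(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return 1;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return 1;
    return 0;
}

/* Cross-view check: compare the in-memory prologue with a reference copy
   taken from the on-disk image (the approach rootkit revealers use).
   Returns the offset of the first differing byte, or -1 if identical. */
long first_patched_offset(const uint8_t *in_memory, const uint8_t *on_disk, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (in_memory[i] != on_disk[i]) return (long)i;
    return -1;
}

/* Constructed sample: a typical x86-64 prologue (push rbp; mov rbp,rsp;
   sub rsp,0x20; ...) and the same bytes after a 5-byte JMP was spliced in. */
static const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20,
    0x48, 0x89, 0x7D, 0xF8, 0x48, 0x8B, 0x45, 0xF8 };
static const uint8_t spliced_prologue[PROLOGUE_LEN] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x20,   /* JMP +0x1000 overwrote bytes 0-4 */
    0x48, 0x89, 0x7D, 0xF8, 0x48, 0x8B, 0x45, 0xF8 };

int main(void) {
    printf("clean:   jump=%d diff=%ld\n", starts_with_jump(clean_prologue, PROLOGUE_LEN),
           first_patched_offset(clean_prologue, clean_prologue, PROLOGUE_LEN));
    printf("spliced: jump=%d diff=%ld\n", starts_with_jump(spliced_prologue, PROLOGUE_LEN),
           first_patched_offset(spliced_prologue, clean_prologue, PROLOGUE_LEN));
    return 0;
}
```

The byte-pattern check alone misses splices that use other encodings, which is why the disk-versus-memory compare is the more reliable of the two.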
Non-malicious Rootkits
Used by:
- Parental monitoring tools (eBlaster, Spector)
- Law enforcement (on suspects’ machines)
- Security tools (antivirus, IDS)
Keystroke Logger
Also known as a keylogger. Records every key typed on a keyboard. Can be implemented either as a hardware device (USB dongle) or as malicious software. Captures passwords, financial information and all other private information.
Effects
Malware may affect users and/or systems.
Malware typically:
- Deletes or encrypts files
- Steals passwords
- Modifies system data
- Spreads across networks
- Uses infected machines for attacks