1: Determining Types of Malware

Malware: Software designed to infiltrate a computer system and possibly damage it without the user's knowledge and consent.

Virus

Piece of malicious code that replicates by attaching itself to another piece of executable code.

  • Boot sector: Boot sector viruses are stored in the first sector of a hard drive and are loaded into memory upon boot up.

    • Difficult to be detected by a general anti-virus software

    • Specialized anti-virus that specifically looks for boot sector virus.

    • Windows has Early Launch Anti-malware (ELAM) detection. These are actually system drivers that load before the operating system does.

  • Macro: Virus embedded into a document and is executed when the document is opened by the user.

    • MS Word, Excel or PowerPoint

    • Macros are a way to execute some code to do some tasks faster, but malicious actors use them with malicious intent.

  • Resident Virus: A non-resident virus is an executable that needs to be clicked or initiated. A resident virus, however, can load itself into RAM automatically without any initiation. Worse, it can load itself into RAM at the moment the OS is booting, which ends up blocking the actions of the anti-virus that is looking for it.

    • loads itself into RAM and infects any file or program

    • can load itself into memory with the OS

    • can block the actions of the antivirus

  • Program virus: Program viruses infect an executable or application

    • Example: If a virus is attached to an executable like MS Word, every time you open the Word software the virus gets executed again and again.

  • Multipartite: Boot sector + Program virus that first attaches itself to the boot sector and system files before attacking other files on the computer. Multiple attack avenues.

  • Polymorphic virus: Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection.

    • In simple words, it morphs the way the code looks every time, so that a signature-based anti-virus can't detect it anymore.

  • Polymorphic worm: It adds a whole new layer of complexity.

  • Metamorphic: Virus that is able to rewrite itself entirely before it attempts to infect a file. (advanced version of polymorphic virus)

  • Stealth virus: Polymorphic and metamorphic viruses are the stealth category of viruses that avoid detection.

    • Intercepts calls from the OS

  • Armored viruses have a layer of protection to confuse a program or person analyzing it.

  • Hoax: This is not a virus but a way of tricking a user into believing their machine is infected with a particular type of virus. In fact, this is a type of social engineering.
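Why the polymorphic and metamorphic entries above defeat a plain signature scanner, shown as an added example (not part of these notes): a static signature is taken over the bytes as stored on disk, so a body re-encoded under a fresh key never matches, while a scanner that emulates the decryption step first recovers the unchanged body and matches it. The payload, the key header format and the signature are all constructed stand-ins; the "body" is an inert marker string, not code.

```python
# Constructed, inert stand-in for a virus body: a marker string, not executable code.
PAYLOAD = b"CONSTRUCTED-SAMPLE-BODY: this is an inert marker, not executable code"

# Constructed detection signature: a byte pattern taken from the plaintext body.
SIGNATURE = b"inert marker"


def encode_variant(body: bytes, key: int) -> bytes:
    """Build a constructed 'polymorphic' variant: a 1-byte key header followed by
    the body XOR-ed with that key. Each key gives different bytes on disk."""
    return bytes([key]) + bytes(b ^ key for b in body)


def static_scan(sample: bytes) -> bool:
    """Signature scanner: looks for the raw signature bytes in the sample as stored."""
    return SIGNATURE in sample


def emulated_scan(sample: bytes) -> bool:
    """Emulate the decryptor stub (here: read the key byte, undo the XOR), then
    apply the same signature to the recovered body. This is the idea behind
    AV emulation/sandboxing: the encoded bytes change, the decoded body does not."""
    if not sample:
        return False
    key = sample[0]
    decoded = bytes(b ^ key for b in sample[1:])
    return SIGNATURE in decoded


def demo(keys=(0x5A, 0xC3, 0x17)) -> dict:
    """Scan one variant per key with both approaches; returns {key: {scanner: hit}}."""
    results = {}
    for key in keys:
        variant = encode_variant(PAYLOAD, key)
        results[key] = {"static": static_scan(variant), "emulated": emulated_scan(variant)}
    return results


if __name__ == "__main__":
    for key, hits in demo().items():
        print(f"key=0x{key:02X} static={hits['static']} emulated={hits['emulated']}")
```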

Worm: A worm is self-sufficient and can replicate itself without any user interaction. Worms take advantage of security holes in OSs and apps.

  • Example - Nimda in 2001, propagated across the entire internet within 22 minutes.

  • Conficker in 2009 was able to infect between 9 and 15 million machines. It would infect all the machines that had the Microsoft 08-067 patch missing.

  • Resolution?

    • Constantly update your system.

Difference between Viruses and Worms

Viruses are usually host based and they attach themselves to a piece of executable to run.

Worms, on the other hand, are self-sufficient and self-replicating pieces of code.

Rootkits

Rootkit: The term rootkit is a combination of the two words "root" and "kit." Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network.

  • A rootkit may contain a number of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for DDoS attacks.

  • Zeus = 2008

  • Stuxnet = ICS/SCADA

  • Flame

Trojan Horse: A piece of malicious software that is disguised as a piece of harmless or desirable software.

  • One difference between trojans and other malware types is that trojans do not try to replicate/propagate themselves.

  • What types of attacks the trojan paves the way for depends on the motivation of the attacker.

  • Botnets, viruses, ransomware, identity theft, data theft, money theft, spying

  • For example - a Trojan performs the desired function, but it also performs malicious functions in the background.

  • Remote Access Trojan (RAT): Provides the attacker with remote control of a victim computer and is the most commonly used type of Trojan.

  • Programs that are used for this purpose -

    • Virus Marker 3.0 or JPS

    • ProRat

Crypto-malware

  • CryptoLocker

  • CryptoDefense

  • CryptoWall

Botnets and Zombies

A botnet is a collection of compromised computers/systems including IoT devices under the control of a master node.

So what happens to your computer if it happens to become part of a botnet?

Let's say your computer has picked up malware. The purpose of the malware is to turn your computer into its victim, what we call a zombie.

Botnet and Zombie

What type of things can these zombies do?

They might be used as a pivot point. When the attackers have a new victim (or a server), they can access it through your computer, and it looks like you are launching the attack.

  • The zombies can be used to host illegal material such as child pornography, so the attackers don't get caught with it.

  • They (hackers) may use zombies to spam other people and send out phishing campaigns, malware or DDoS attacks.

    • A DDoS (Distributed Denial of Service) attack occurs when many machines target a single victim and attack it at the exact same time. The victim is, in turn, overloaded by so much fake traffic that real customers cannot be served and the server may crash.

  • They may also use zombies for bitcoin or other crypto mining, as this is a processor-intensive process. Zombies work in a distributed manner, so the attacker can set them off, let them mine, and the money goes back to the Command and Control (C2) center.
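The DDoS point above ("many machines target a single victim at the exact same time") is what a defender looks for in traffic logs: not just a high request rate, but many distinct sources hitting one destination inside a short window, which is what separates a botnet flood from a single noisy client. The following detector is an added example (not from these notes); the log format, the sample lines, the 2-second window and the threshold of 5 sources are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): "<ISO time> src=<ip> dst=<ip>".
# dst 198.51.100.5 gets a burst from six sources within a second (botnet pattern);
# dst 198.51.100.9 gets three requests from ONE source (single-client DoS, not DDoS);
# dst 198.51.100.7 gets two requests minutes apart (ordinary traffic).
SAMPLE_LOG = """\
2024-01-01T00:00:00 src=203.0.113.10 dst=198.51.100.5
2024-01-01T00:00:00 src=203.0.113.11 dst=198.51.100.5
2024-01-01T00:00:00 src=203.0.113.12 dst=198.51.100.5
2024-01-01T00:00:01 src=203.0.113.13 dst=198.51.100.5
2024-01-01T00:00:01 src=203.0.113.14 dst=198.51.100.5
2024-01-01T00:00:01 src=203.0.113.15 dst=198.51.100.5
2024-01-01T00:00:00 src=203.0.113.99 dst=198.51.100.9
2024-01-01T00:00:00 src=203.0.113.99 dst=198.51.100.9
2024-01-01T00:00:01 src=203.0.113.99 dst=198.51.100.9
2024-01-01T00:05:00 src=203.0.113.20 dst=198.51.100.7
2024-01-01T00:09:00 src=203.0.113.21 dst=198.51.100.7
"""

def parse(log: str):
    """Yield (timestamp, src, dst) for each well-formed line; skip blank or malformed ones."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].startswith("src=") or not parts[2].startswith("dst="):
            continue
        yield datetime.fromisoformat(parts[0]), parts[1][4:], parts[2][4:]

def peak_distinct_sources(log: str, window_s: int = 2) -> dict:
    """Per destination: the most distinct source IPs seen inside any window_s-second
    window. Many sources at once is the DDoS fingerprint; one source sending a lot
    is a plain DoS and scores 1 here."""
    by_dst = defaultdict(list)
    for ts, src, dst in parse(log):
        by_dst[dst].append((ts, src))
    peaks = {}
    for dst, events in by_dst.items():
        events.sort()  # chronological, so events[:i+1] is everything up to this one
        best = 0
        for i, (ts, _) in enumerate(events):
            start = ts - timedelta(seconds=window_s)
            recent = {s for t, s in events[: i + 1] if t >= start}
            best = max(best, len(recent))
        peaks[dst] = best
    return peaks

def flag_ddos(log: str, window_s: int = 2, min_sources: int = 5) -> list:
    """Destinations whose peak distinct-source count reaches the threshold, sorted."""
    return sorted(d for d, n in peak_distinct_sources(log, window_s).items() if n >= min_sources)
```

On real data the threshold and window would be tuned per service, and the source count would be combined with a request-rate check; the point here is that source diversity, not volume alone, is the signal.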

Active Interception and Privilege Escalation

Active Interception occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them.

  • They (the hacker) may be able to capture the username and password.

  • They may modify what's coming back as well and embed malware.

Image credit: https://www.youtube.com/watch?v=F_obVu9HknQ

Privilege Escalation occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access. There are lots of ways to do privilege escalation, but most of them involve exploiting some sort of bug in the software, the OS or the apps that lets you get closer to the kernel and operate as an administrative/root user.

2012 Symantec ransomware figures:

  • Single C2/C&C server

  • compromised 5,700 computers

  • Average ransom = $200

  • 2.9% of all users paid

  • $33,600 per day

  • $394,000 per month

Use BurnIn on Desktop 1 with all tests and cycles max

Use CMD x 2 running ping -l 65500 local IP
