Anatomy of a malware attack

What happens when a malware attack is out there? How is it made, how does it spread and get onto your PC, and what can be done to stop it? This is a description of a typical non-targeted malware attack, like some of the ones we have seen over the past few years.

When you get a malware infection on your computer a lot of things happen in the background, from the attacker's point of view, your point of view and the security community's point of view. So let's start off with the attacker's point of view.

All attacks start with some black hat cracker examining the OS, browser and other software to find some way into as many computers as possible. What they are looking for are vulnerabilities they can exploit. White hats are looking for the same vulnerabilities, but they want to find them so the holes can be plugged before the black hats find and exploit them. Every piece of software has vulnerabilities. Every OS and every browser has them, and on most of them the holes are closed or mitigated as fast as possible so that they are not a problem.

When a black hat finds a vulnerability he rarely uses it himself. He either sells it to other bad characters, writes software to exploit it, or writes software that lets others exploit the hole. One thing that has happened lately is that these people have started building exploit kits and build-your-own-malware kits, which package exploits for a range of vulnerabilities and let the user turn out a new piece of malware without knowing how to write a program. They are set up like companies, with a help desk and their own quality control and QA; they even advertise and ship upgrades.

Once they have made either a set of exploit components or some kind of make-your-own-malware kit, they sell them to other criminals to use. Those people take the kits and add the payload they want. Then they have to get the result out to where you will come into contact with it.

There are two basic ways to get the malware to you: either get you to download it yourself, or get you to visit a site where it is automatically pushed into your system. To get you to go there they use spam and social engineering. Simple enough; not everyone falls for it, but enough people do to make it worthwhile. The other way is to put it where you are going to go anyway. If they can add code to a site that a lot of people visit, they can just wait while people go to that site and, because of the exploit, become infected. So they look for a vulnerability in the software used to run the site, such as the web server or the database. The same people who find holes in the OS and browser find them in servers too, and add those to their kits.

So at this point they have at least two exploits: one to get the malware onto your computer and one to get it onto sites you will probably visit. They get onto the server either through a vulnerability in the server software or because the server is badly secured (Sony?), and the exploit code is added as a script on the page, injected through cross-site scripting, or embedded in content that gets generated from a database. That code runs in the browser after being received from the server. It uses some weakness, possibly a buffer overrun, a flaw in the browser's scripting engine that lets it run something as the user, or a hole in some plug-in the browser uses to display part of the page that lets what should be data run as code. Once that works, the attacker's code is running on your system and executes the commands that carry out the rest of the attack.
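The check a site owner would want after reading the above is to scan the HTML the server actually sends to visitors for the tell-tale injected elements: a hidden iframe pointing off-site, a script loaded from a host you do not recognise, or an inline script packed with eval/unescape. This is an added example, not code from the original post; the heuristics, the host names and the sample page are constructed for illustration, and the list of trusted script hosts is an assumption you would fill in for your own site.

```python
"""Scan served HTML for the kind of injected content a compromised site
pushes to visitors: hidden iframes, off-site scripts and obfuscated
inline scripts. Added example for this post, not the author's code; the
heuristics and the sample page below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns typical of packed drive-by loaders (heuristic, assumption)
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(unescape|String\.fromCharCode|function)\b"
    r"|(%[0-9a-fA-F]{2}){8,}"     # long runs of %XX-escaped bytes
    r"|(\\x[0-9a-fA-F]{2}){8,}"   # long runs of \xXX-escaped bytes
)


def _is_hidden(attrs):
    """True if an iframe is sized to be invisible or hidden via CSS."""
    a = dict(attrs)
    style = (a.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def small(v):
        try:
            return int(str(v).rstrip("px%")) <= 1
        except ValueError:
            return False

    return small(a.get("width")) and small(a.get("height"))


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.trusted = {site_host, *trusted_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname  # None for relative paths
                if host and host not in self.trusted:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
                self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION_RE.search(body):
                self.findings.append(("obfuscated-script", body[:40]))


def scan_page(html, site_host, trusted_hosts=()):
    """Return the list of suspicious elements found in one HTML document."""
    p = InjectionScanner(site_host, trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a normal shop page with three injected elements
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="//stat.example.biz/c.js"></script>
</head><body><h1>Shop</h1>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%69%66%72%61%6d%65%20%73%72%63%3d'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "shop.example.com", ["cdn.example.com"]):
        print(kind, detail)
```

Run it against copies of your pages fetched the way a visitor's browser would fetch them (browser User-Agent, following redirects), because injected loaders are often served only to ordinary browsers and not to crawlers or command-line tools, and compare the result with what the files on disk should contain.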

At this point the question is: will your computer get infected? If you have the version of the browser being attacked and it hasn't been patched to block this attack, you probably will be. A lot of computers out there are not fully patched. People seem to think that patching is a waste of time, or that they won't be targeted, so they don't patch their machines. This is a fallacy: unpatched is unprotected, but millions of people are still running unpatched versions of Windows XP and Internet Explorer.

Once the system is infected, the initial loader downloads the payload: a bot, a keylogger, a trojan, or any combination, including all of the above or even multiples of each. It's not uncommon to find that an infected system is infected by more than one thing. I have personally cleaned machines with 1300 different malware packages on them. At that point so many were trying to run that even the malware was unable to do anything; the computer was useless to the owners and to the malware writers. If one piece of malware can infect a machine, they pretty much all can, and do.

Now that your system is infected, what does it do to your use of the computer? First, it is using CPU power, so the machine gets slower and starts to run erratically. It is also probably tracking everything you do and sending your passwords to the criminals. It is probably now part of a botnet: an army of hijacked computers that do what the criminals want, such as sending spam and launching Distributed Denial of Service (DDoS) attacks against organisations around the world. It might also be spreading viruses and malware to other computers, and it could even be turned into a host for all kinds of files for other people to upload and download, porn or worse.

Now that the computer is infected, it will probably become part of something that security professionals and security officers are tracking. These systems are easy to find, and while there is now some movement towards helping owners get their systems back, it is not very widespread yet.

While the attack is running, security experts are trying to find the servers the payload is downloaded from. They get those sites blocked or taken down so the malware can no longer be downloaded. But the malware writers are prepared for this: they have more than one place to download from, and flexibility built into the system to look for new places to get the payload. It becomes a real-time game of whack-a-mole, with the malware morphing and changing and the security people kicking sites off the web, the administrators of the compromised servers cleaning and patching their systems, and people with infected computers hopefully cleaning theirs ...
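What that whack-a-mole looks like from the defender's side of a proxy log: the same client asking for the same file name from one host after another as each is blocked, until one answers. This added example (not from the original post) runs that detection over a constructed proxy log and reports which fallback host served the payload but is not yet on the blocklist; the log format, host names, blocklist and thresholds are all assumptions made for illustration.

```python
"""Spot a bot rotating through fallback payload hosts in proxy logs.
Added example for this post, not the author's code. The log format,
hostnames, blocklist and thresholds below are constructed for illustration."""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO time> <client> <method> <url> <status>"
PROXY_LOG = """\
2011-06-01T10:00:01 10.0.0.5 GET http://news.example.com/index.html 200
2011-06-01T10:00:04 10.0.0.5 GET http://dl1.example.net/load.exe 403
2011-06-01T10:00:05 10.0.0.5 GET http://dl2.example.org/load.exe 403
2011-06-01T10:00:07 10.0.0.5 GET http://91.0.2.3/load.exe 200
2011-06-01T10:01:00 10.0.0.9 GET http://news.example.com/index.html 200
2011-06-01T10:02:00 10.0.0.9 GET http://cdn.example.com/style.css 200
"""

# Hosts the proxy already blocks (constructed); the 403s above come from it
BLOCKLIST = {"dl1.example.net", "dl2.example.org"}


def parse_log(text):
    """Turn the constructed log format into a list of request dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        u = urlparse(url)
        rows.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": u.hostname,
            "file": posixpath.basename(u.path),
            "status": int(status),
        })
    return rows


def find_fallback_downloads(rows, min_hosts=3, window=timedelta(minutes=2)):
    """Return {(client, file): [hosts in order]} for every client that asked
    for the same file name from at least `min_hosts` distinct hosts within
    `window`. A normal user hardly ever does this; a loader walking its
    list of download locations does."""
    by_key = defaultdict(list)
    for r in rows:
        if r["file"]:  # skip bare directory requests
            by_key[(r["client"], r["file"])].append(r)

    hits = {}
    for key, reqs in by_key.items():
        reqs.sort(key=lambda r: r["time"])
        for i, start in enumerate(reqs):
            hosts = []
            for r in reqs[i:]:
                if r["time"] - start["time"] > window:
                    break
                if r["host"] not in hosts:
                    hosts.append(r["host"])
            if len(hosts) >= min_hosts:
                hits[key] = hosts
                break
    return hits


def uncaught_hosts(rows, hits, blocklist):
    """For each fallback pattern, the hosts that actually served the file
    (2xx) and are not yet blocked: the next entries for the blocklist."""
    out = {}
    for (client, fname), _hosts in hits.items():
        served = {r["host"] for r in rows
                  if r["client"] == client and r["file"] == fname
                  and 200 <= r["status"] < 300 and r["host"] not in blocklist}
        out[(client, fname)] = sorted(served)
    return out


if __name__ == "__main__":
    rows = parse_log(PROXY_LOG)
    hits = find_fallback_downloads(rows)
    for key, hosts in hits.items():
        print("fallback pattern", key, "->", hosts)
    for key, hosts in uncaught_hosts(rows, hits, BLOCKLIST).items():
        print("served and not yet blocked", key, "->", hosts)
```

The blocked requests are as useful as the successful one: two 403s followed by a 200 for the same file name from a third host is exactly the fallback behaviour described above, and the third host is what you add to the blocklist next, while the client itself goes on the list of machines to clean.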

Virus scanners and anti-malware software are updated to find and remove the new malware. Microsoft puts out a new version of its removal tool. Only people who update their systems get the benefit of those updates.

You are a lot less likely to be a victim of this type of attack if your system is fully patched and if you use a web browser other than Microsoft IE (and maybe now not Chrome or Firefox either, although they are better than IE). Also stay away from the sites that typically get hit by these attacks: porn, illegal software and file-sharing sites (although there are good ones of those). Sometimes sites like Facebook and Twitter are attacked as well; heck, even Microsoft was once compromised, so just be careful. Running up-to-date anti-malware software is also a good idea and will protect you from most attacks. Windows, Linux and other OSs are adding ways to randomise where a program's code and data sit in memory (address space layout randomisation), so that the addresses an exploit depends on are harder to predict and the system is harder to infect, but it is not yet impossible and the malware writers are working hard to find ways around it.

So in the end the path is: a black hat cracker finds the vulnerabilities and makes the tools that others then use to build the final malware. It gets put out onto the net for people to come into contact with. The initial loader gets into a computer using the exploit and, once on people's systems, pulls down the trojans and other malware that are the payload for the attack. Then the malware runs, does what the criminals want it to do, and they make money. It gets detected, the fight is on and the security community strikes back. Updates are written, and hopefully people install them and the systems are cleaned again.

And that is it: a look at what happens in a typical widespread malware attack.


About echlinm

Computer Programmer/Systems Analyst/Hacker S31
This entry was posted in Computers and Internet, Security.
