The many forms of Malware

Most of us have heard the term malware being used in recent years, but do we understand the many variations that the blanket term ‘malware’ actually covers. Below we have listed many variations that we can think of.  We would love to hear your comments and feedback. Also, if we have missed anything, we’d love you to get in touch and let us know.

Financial Malware
A term loosely used to describe the growing trend of malicious software (malware) that has been designed to scan a computer system or entire network for information related to financial transactions. Information gleaned by the financial is then transmitted back to a third-party controlling the malicious program.

Dridex Malware
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Dridex operates by first arriving on a user’s computer as a malicious spam e-mail with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

Dridex is an evolution of the Cridex malware, which itself is based on the ZeuS Trojan Horse malware. According to security firm Trustwave, the Dridex banking malware initially spread in late 2014 via a spam campaign that generated upwards of 15,000 emails each day. The attacks primarily focused on systems located in the United Kingdom.

Mobile Malware
Malicious software (“malware”) that is designed specifically to target a mobile device system, such as a tablet or smartphone to damage or disrupt the device.  Most mobile malware is designed to disable a mobile device, allow a malicious user to remotely control the device or to steal personal information stored on the device.

Cridex Malware
Cridex is a sophisticated strain of banking malware that can steal banking credentials and other personal information on an infected system in order to gain access to the financial records of a user.

The Cridex Trojan Horse spreads by copying itself to mapped and removable drives on infected computers. Cridex creates a backdoor entry point on infected systems, enabling the possibility for additional malware to be downloaded and run as well as conduct operations such as opening rogue websites.

This latter capability enables Cridex to capture the banking credentials of users on an infected system when the user attempts to visit and log into a financial web site. Cridex will surreptitiously redirect the user to a fraudulent version of the financial site and record the login credentials as they are entered.

Flame (Malware)
An extremely sophisticated strain of malware that shares similarities with Stuxnet, although Flame is much more massive in terms of complexity and size, at 30MB or larger when all modules have been installed vs. Stuxnet’s 500KB. Also known as Flamer or Skywiper, Flame was discovered by Kaspersky Lab following a significant increase in infected systems in Iran and other countries in the Middle East and North Africa over the past two years.

After infecting a computer or device, Flame spies on the machine’s activity and steals data from it with keystroke monitoring and packet sniffing functionality as well as backdoor capabilities that enable cyber attackers to update the malware and trigger it or erase it as desired. The Flame malware features multiple levels of encryption as well as more than 20 different modules and plug-ins that can be swapped in and out for added functionality. One unique characteristic of Flame is that some of its code has been written in LUA, a programming language typically used for developing games rather than malware.

Additional distinctive characteristics of Flame include scanning for Bluetooth-enabled devices in order to steal data and infect the devices with the Flamer malware, the ability to turn on a computer’s internal microphone in order to secretly record conversations, and code for taking frequent screenshots of activity such as e-mail and instant messages and secretly uploading the screenshots to “command and control” servers.

As with Stuxnet, security experts believe that Flame is so sophisticated and well-coordinated that it likely was created and conducted with “nation-state support” rather than by typical cyber criminals, although no countries have taken responsibility for the malware to date.

Shylock Malware
Shylock refers to a family of malware that relies on browser-based man-in-the-middle (MITM) attacks and fake digital certificates to intercept network traffic and inject code into banking websites. The Shylock malware was first discovered in February 2011 and derives its name from references in the code to Shakespeare’s The Merchant of Venice.

The Shylock malware code is designed to trick customers into providing banking login and account details to hackers instead of to the bank’s customer service department. Some Shylock strains even have the ability to open a fake customer service chat window on an infected computer to enable cybercriminals to prompt the user for their sensitive account information.

Newer strains of the Shylock malware have added the ability to detect whether the malware is running in a virtual machine (VM) that’s being analysed by malware researchers. The Shylock malware does this to help make analysis more difficult and avoid detection by security researchers.

Virtual machines are frequently employed by security teams to test programs in simulated environments to more easily detect malicious behaviour. When the Shylock malware detects it is being run in a virtual environment, the code will shut down the program.

Stuxnet
Stuxnet is a family of cleverly written malware worms that primarily target SCADA (Supervisory Control and Data Acquistition) control systems for large infrastructures such as industrial power plants. The original Stuxnet worm was first discovered in 2010, and numerous variants of Stuxnet have been identified since then, with most targeting organizations in the country of Iran.

Stuxnet initially spreads via infected removable drives, particularly USB flash drives, before utilizing additional methods to infect other computers on private networks. The original Stuxnet worm was designed to exploit four zero-day attack vulnerabilities in Microsoft Windows operating systems.

Some computer security experts believe that an attack as sophisticated as Stuxnet could have only been conducted with “nation-state support,” although there haven’t been any confirmations to date as to which country or countries might have been involved in developing Stuxnet.

Mumblehard Malware
Mumblehard is a strain of malware that primarily targets web servers running Linux and BSD operating systems and surreptitiously uses the infected systems as spamming bots.

The security firm ESET discovered the Mumblehard malware in April 2015, but there is evidence of the malware remaining under the radar for at least the past five years. ESET gave the malware the Mumblehard moniker because it “mutters spam from your servers,” according to the security research firm.

The Mumblehard malware exploits vulnerabilities in WordPress and Joomla to execute two components written in Perl. The first component is a backdoor that requests commands from the malware’s command and control server, and the second is a spammer daemon that can be launched via a command received by the backdoor.

In addition to exploiting vulnerabilities in WordPress and Joomla, the Mumblehard malware can also be installed through the distribution and installation of backdoored “pirated” versions of a Linux and BSD program called DirectMailer, which is a software tool used for sending out e-mails in bulk.

The Mumblehard malware backdoor is typically installed in the /tmp or /var/tmp directories, and ESET recommends mounting these directories with the noexec option to prevent the Mumblehard backdoor from being able to start. Those concerned with whether Mumblehard is already installed on a server should first look for unsolicited cronjob entries for all users on the server(s) suspected of being infected.

Citadel Malware
Citadel Trojan is malware created by a malicious code generating program. Citadel was designed to steal personal information, including banking and financial information, from its victims. The Citadel Trojan, based on the Zeus source code, constructs a botnet consisting of a large number of infected computers. The attacker can execute malicious code on an infected computer, including ransomware and scareware.

Malvertising (Malware)
Malvertising is a deceptive process of injecting and spreading malware through otherwise legitimate online advertising networks that display ads on reputable web sites and pages.

A portmanteau of “malicious advertising,” malvertising has become more problematic in recent years, as newer forms of malvertising can infect computers and mobile devices without any action taken on part of the user – in other words, without the user even needing to click on the malware-laden ad.

Malvertising code can secretly run on your computer, deliver malware payloads, and execute the payload before you or your security software has a chance to identify and prevent it from happening. And malvertising creators have started scanning their products before releasing them into the wild to make sure that they aren’t readily picked up by antivirus software.

The payload of malvertising can range from loading ransomware onto a computer to injecting keystroke-monitoring spyware to any range of activities that interfere with or disrupt the proper functioning of a computer, mobile device or network.

A joint report published in late 2015 by the Interactive Advertising Bureau (IAB) and Ernst & Young has estimated the digital industry loses approximately $1.1 billion a year to malvertising.

SoakSoak Malware
SoakSoak is a strain of malware that leverages security vulnerabilities in a WordPress plug-in. These vulnerabilities are found in the RevSlider third-party plug-in, which is included in several popular themes for the open source blogging and content management system (CMS).

SoakSoak can utilize these vulnerabilities on unpatched or out-of-date WordPress systems to connect with the SoakSoak.ru domain and load JavaScript malware onto the infected Website. This malware includes a backdoor Trojan that enables control of the compromised WordPress site.

SoakSoak was launched as a large-scale attack on December 14th, 2014. Despite updated versions of the RevSlider plug-in being available since September of 2014, more than 100,000 WordPress sites were infected by the initial strain of SoakSoak.

Because the RevSlider plug-in isn’t directly installed by users but is instead included as part of downloadable themes for WordPress, many WordPress sites were infected without the knowledge of the webmaster of the site.

Operation Windigo (malware)
A collection of malware developed to create a sophisticated network of botnets that can distribute spam, redirect Web traffic and infect users’ computers with malware, all while keeping the location of the cyber criminals perpetrating the attacks a secret.

Operation Windigo is believed to have been growing behind the scenes for the past three years. It gained public attention in March 2014, when software security firm ESET revealed it was responsible for compromising more than 25,000 Linux servers. At one point during this time the Windigo network was sending 35 million daily spam messages and redirecting more than 500,000 web visitors to exploits kits each day, according to ESET.

Operation Windigo primarily relies on two Linux backdoors, Linux/Ebury and Linux/Cdorked, to steal login credentials, compromise Web servers and redirect traffic. Notable victims of Operation Windigo have included cPanel, a popular web hosting control panel platform, and kernel.org.

ESET researchers dubbed the network Windigo after a mythical cannibalistic creature of Algonquian Native American folklore. The security firm recommends administrators and webmasters run the following command to identify if their server has been compromised by Operation Windigo:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”

Servers infected by Operation Windigo should be wiped completely clean and have their operating system and applications reinstalled. Unique passwords and private keys need to be created for future access to a previously infected system in order to help prevent the server from being compromised again.

Mariposa
The name of a malicious botnet. Dubbed Mariposa, this widespread malware campaign managed to infiltrate more than 13 million PCs and more than half of the world’s 1,000-largest companies.

Three men, who called themselves the “Nightmare Days Team” and dubbed their botnet projects “Mariposa,” were arrested by Spanish authorities in February 2010 after a yearlong investigation by law enforcement agencies and security software vendors Panda Security.

The Mariposa (the Spanish word for butterfly) botnet was shut down on Dec. 23, 2009 after operating largely unhindered for almost a year. Mariposa accessed more than 13 million PCs in all, making it one of the largest and most destructive botnets in history.

Hand of Thief Trojan
Trojan malware developed to enable cyber criminals to compromise Linux systems and steal user information from the systems. The Hand of Thief Trojan (HoT Trojan) is one of the first strains of malware to specifically target desktop Linux systems, and it’s claimed that the HoT Trojan can currently compromise at least fifteen different variants of Linux.

The Hand of Thief Trojan is considered a work in progress, lacking some of the key features to be an effective attack tool, but it’s still being sold for $2,000 by its Russian-based developer. And while the code isn’t yet complete at this time, the Hand of Thief Trojan could eventually have full malware capabilities, including the ability to inject content into banking websites as well as better exfiltration and filtering features.

Skywiper
An extremely sophisticated strain of malware more commonly referred to as Flame (or Flamer), although some security experts classify the two differently. Skywiper, or sKyWIper, is one of the largest and most complex malware strains to date, with a total size of more than 30MB when its 20+ modules and plug-ins have been installed.

Skywiper has the ability to record extensive system information on an infected machine, and also has keystroke monitoring and packet sniffing functionality as well as backdoor capabilities that enable cyber attackers to trigger, update or erase the malware on command. The Skywiper malware had been in circulation for at least two years prior to being detected, primarily targeting countries in the Middle East, and Skywiper is believed to have been created and conducted with “nation-state support” due to its high level of complexity and targeted area of focus.

Skype worm
The Skype worm is a strain of the Dorkbot family of malware that made headlines in October 2012. The Skype worm sends a message like “LOL, is this your new profile pic?” from an infected Skype user’s contact list, attempting to entice fellow Skype users into clicking on the link and downloading and installing the Skype worm.

As with other forms of Dorkbot, the Skype worm opens a backdoor on infected computers, allowing for remote access. The Skype worm also installs a form of ransomware, wherein the malware threatens to lock a user out of being able to use their computer and demands a payment of several hundreds of dollars within a limited time frame or have their files deleted.
Computers infected with the Skye worm may also receive a ransomware message claiming that the computer has been used for illegal activity and that the user will be reported to federal authorities unless a payment is made within a limited timeframe.

Dorkbot
A family of malware worms that typically spreads through instant messaging, USB removable drives, websites or social media channels like Facebook and Twitter. Downloading and installing Dorkbot malware results in it opening a backdoor on infected computers, allowing for remote access and potentially turning the computer into a botnet.

The Dorkbot worm gained publicity in late 2011 for an attack on Facebook’s chat system, with users receiving a message with a bogus link that appeared to come from one of their Facebook friends. A similar Dorkbot worm appeared later in the same year, this time preying on Twitter users.

A new strain of Dorkbot targeting Skype users appeared in October 2012, with the Skype worm also installing ransomware in this case. The ransomware would threaten to lock a user out of being able to use their computer and demand a payment of several hundreds of dollars be made within a limited timeframe or have files on the computer deleted.

ZeuS
The most widespread botnet in history, ZeuS is a Trojan horse that infiltrates computers in order to steal data by logging keystrokes and spread copies of itself to other devices via instant messaging and e-mail messages. Computers infected by a ZeuS variant can be controlled by the attacker and monitored for keystrokes in order to gain access to online accounts and other sensitive data.

More than 50,000 variants of the ZeuS Trojan have been recognized since ZeuS made its first known appearance in 2007. The most prolific period for ZeuS came in 2009 and 2010, with some security reports estimating as many as 3.6 million ZeuS-infected computers in the United States alone during that time.

Several mobile botnet variants of the ZeuS Trojan have surfaced more recently, with some targeting Google Android phones while others attack Blackberry devices, Symbian phones, or Windows Mobile phones. These variants are considered part of the Zitmo family of mobile malware and are designed to steal the mobile transaction authentication numbers that banks use to strengthen security for logging in to online accounts.