4. Famous Malware Examples
1) Type: Viruses and Worms
Stuxnet is referred to as the finest piece of malware to date. It illustrates the level of skill malware authors have reached and their capacity to wreak havoc in the cyber world. Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically built to attack Supervisory Control And Data Acquisition (SCADA) systems such as power plants and gas and oil refineries, to obtain data. Once installed, the Stuxnet malware attempts to connect to the database associated with SCADA systems to obtain files and run various queries to collect information, according to Symantec. It may also gather other information relating to servers and the network configuration. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. It is the first-ever computer worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure. Stuxnet attacks Windows systems using four zero-day exploits (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens’ WinCC/PCS 7 SCADA software. It initially spreads using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to command the software. The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of zero-day Windows exploits used is also unusual: zero-day Windows exploits are valuable, and attackers do not normally spend four different ones in the same worm.
Stuxnet is unusually large at half a megabyte in size, and is written in several programming languages (including C and C++), which is also irregular for malware. It is digitally signed with two authentic certificates which were stolen from two certification authorities (JMicron and Realtek), which helped it remain undetected for a relatively long period of time. It also has the capability to upgrade via peer to peer, allowing it to be updated after the initial command and control server was disabled. These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. According to ongoing research, the purpose of the Stuxnet malware is likely to carry out corporate espionage. Going forward, however, it is likely that the same attack vector will be exploited by other cybercriminals who may have different targets.
Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced on November 21, 2008 with Conficker.A and targets the Microsoft Windows operating system. To date it has three variants, Conficker.A/B/C. This worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. It uses a specially crafted RPC request to execute code on the target computer. When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It receives further instructions by connecting to a server or peer and receiving a binary update. The instructions it receives may include to propagate, to gather personal information, and to download and install additional malware onto the victim’s computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe. Conficker combats efforts at eradication by creating scheduled tasks and/or using autorun.inf files to reactivate itself. Symptoms of Conficker infection include the following:
• Access to security-related sites is blocked
• Users are locked out of the directory
• Traffic is sent through port 445 on non-Directory Service (DS) servers
• Access to administrator shared drives is denied
• Autorun.inf files are placed in the recycled directory, or trash bin
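The symptoms above are the kind of thing an analyst can hunt for in ordinary host and network telemetry. The script below is an added example, not code from the page: it checks constructed sample data for three of the listed symptoms (port 445 fan-out to hosts that are not directory servers, autorun.inf in the recycled directory, and the disabled security services). The flow-log format, the file listing, the service table and the list of legitimate SMB servers are all assumptions made for the illustration.

```python
"""Hunt for the Conficker infection symptoms listed above in constructed host
telemetry.  Added example, not from the page: the flow-log format, the file
listing, the service table and the 'directory service' host list are all
assumptions made for this illustration."""
import re

# Constructed flow records (not real captures): one host is sweeping port 445
# across the subnet, which is how Conficker reaches the Server Service.
FLOW_LOG = """\
2009-01-12T10:01:02 src=10.0.0.17 dst=10.0.0.5 dport=445 proto=tcp
2009-01-12T10:01:03 src=10.0.0.17 dst=10.0.0.23 dport=445 proto=tcp
2009-01-12T10:01:03 src=10.0.0.17 dst=10.0.0.24 dport=445 proto=tcp
2009-01-12T10:01:04 src=10.0.0.17 dst=10.0.0.25 dport=445 proto=tcp
2009-01-12T10:01:05 src=10.0.0.17 dst=10.0.0.26 dport=445 proto=tcp
2009-01-12T10:01:06 src=10.0.0.42 dst=10.0.0.5 dport=445 proto=tcp
2009-01-12T10:01:07 src=10.0.0.42 dst=93.184.216.34 dport=80 proto=tcp
"""
DIRECTORY_SERVERS = {"10.0.0.5"}   # assumed: hosts that legitimately serve SMB
SMB_FANOUT_THRESHOLD = 3           # assumed: this many non-DS SMB targets is suspicious

# Constructed file listing: Conficker drops autorun.inf into the recycled directory.
FILE_LISTING = [
    r"C:\RECYCLER\S-1-5-21-123\autorun.inf",
    r"C:\RECYCLER\S-1-5-21-123\desktop.ini",
    r"C:\Users\alice\Documents\report.docx",
]

# Constructed service table: the four services the text says Conficker disables.
SERVICE_STATES = {
    "wuauserv": "Disabled",   # Windows Automatic Update
    "wscsvc": "Disabled",     # Windows Security Center
    "WinDefend": "Disabled",  # Windows Defender
    "ERSvc": "Disabled",      # Windows Error Reporting
    "Spooler": "Running",
}
SECURITY_SERVICES = {"wuauserv", "wscsvc", "WinDefend", "ERSvc"}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
RECYCLER_AUTORUN_RE = re.compile(r"(recycler|\$recycle\.bin)\\.*autorun\.inf$", re.I)


def smb_fanout(flow_log, directory_servers=DIRECTORY_SERVERS, threshold=SMB_FANOUT_THRESHOLD):
    """Map each source to the set of non-DS hosts it touched on port 445,
    keeping only sources whose fan-out reaches the threshold."""
    targets = {}
    for line in flow_log.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        if dport == "445" and dst not in directory_servers:
            targets.setdefault(src, set()).add(dst)
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= threshold}


def recycler_autorun(listing):
    """Return autorun.inf paths that sit under a recycle-bin directory."""
    return [p for p in listing if RECYCLER_AUTORUN_RE.search(p)]


def disabled_security_services(states, watched=SECURITY_SERVICES):
    """Return the watched security services that are reported as disabled."""
    return {name for name in watched if states.get(name) == "Disabled"}


def hunt():
    """Combine the three checks into a list of findings for an analyst."""
    findings = []
    for src, hosts in smb_fanout(FLOW_LOG).items():
        findings.append(f"{src}: SMB fan-out to {len(hosts)} non-DS hosts")
    for path in recycler_autorun(FILE_LISTING):
        findings.append(f"autorun.inf in recycle bin: {path}")
    disabled = disabled_security_services(SERVICE_STATES)
    if disabled:
        findings.append("security services disabled: " + ", ".join(sorted(disabled)))
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The fan-out check deliberately ignores traffic to known directory servers, since legitimate clients talk SMB to those all day; it is the spread of port 445 connections across ordinary workstations that matches the symptom in the list.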
2) Type: Trojan Horse
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus’ infection rate is higher than that of any other financial Trojan. Used to attack both companies and private individuals, this malware undergoes frequent mutations, which demonstrate how technically innovative its author is.
ZeuS is a well-known crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored.
ZeuS is sold in the criminal underground as a kit for around $3000-4000, and is likely the one malware most utilized by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information stealing capabilities:
• Steals data submitted in HTTP forms
• Steals account credentials stored in the Windows Protected Storage
• Steals client-side X.509 public key infrastructure (PKI) certificates
• Steals FTP and POP account credentials
• Steals/deletes HTTP and Flash cookies
• Modifies the HTML pages of target websites for information stealing purposes
• Redirects victims from target web pages to attacker controlled ones
• Takes screenshots and scrapes HTML from target sites
• Searches for and uploads files from the infected computer
• Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
• Downloads and executes arbitrary programs
• Deletes crucial registry keys, rendering the computer unable to boot into Windows
The Zbot trojan creates a %windir%\system32\wsnpoem folder in which it places two files, video.dll and audio.dll. These files are used to store information stolen from the infected system, as well as an encrypted configuration file which the trojan downloads from a predefined location. The wsnpoem folder and its content are usually hidden using stealth techniques.
The Zbot trojan also copies itself to %windir%\system32\ntos.exe (or in some variants, …\oembios.exe). A random amount of junk data is appended to the copy in an attempt to make its detection more difficult. During installation, the Zbot trojan will check the running programs for firewall-related processes such as outpost.exe or zlclient.exe. If either of these processes is running, the trojan only copies itself to the system32 folder, then exits. If it is safe to proceed, it will amend the registry keys to enable the malware to execute at every startup, which will also cause it to inject itself into other processes.
The Zbot-trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines what websites the trojan will target for information theft.
Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the web form and uploads it to the server defined in the trojan’s configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted web page for the unsuspecting victim to fill in. Zbot trojans are also capable of presenting the victim with a fake version of a web page. Victims trying to browse specific web pages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct web page from the legitimate server. Again, any information entered is captured by the attacker. Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in the Zbot arsenal. Zbot trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for the POP3 and FTP protocols are also stolen.
Zbot trojans have limited backdoor functionality, which mainly involves executing a file already on the system or downloading a new version of itself. A Zbot trojan can also act as a proxy server. Other miscellaneous functionality includes the ability to modify the content of %windir%\system32\drivers\hosts, and to redirect or block access to websites.
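Two of the Zbot behaviours described above leave artifacts that can be checked from the defender's side: extra form fields injected into a bank's login page, and hosts-file entries that redirect or block sites. The script below is an added example and not code from the page or from any Zeus analysis: it parses a constructed login page as a browser would see it after an inject and reports fields the bank's form is not expected to carry, then audits constructed hosts-file lines for watched domains. The expected field set, the sample page, the hosts lines and the watched domain list are all assumptions.

```python
"""Audit two Zbot artifacts described above: extra fields injected into a
bank login form, and tampering with the hosts file.  Added example, not from
the page; the expected form schema, the sample page, the hosts lines and the
watched domains are constructed for the illustration."""
from html.parser import HTMLParser
import ipaddress

# Assumed: the bank's login form normally carries exactly these input names.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}

# Constructed page as the browser would see it after a Zbot web inject: the
# 'atm_pin' and 'card_number' inputs were added by the malware, not the bank.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf_token" type="hidden" value="abc">
  <input name="atm_pin" type="password">
  <input name="card_number" type="text">
  <input type="submit" value="Sign in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects the 'name' attribute of every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def injected_fields(html, expected=EXPECTED_FIELDS):
    """Return form field names present in the page but absent from the expected schema."""
    parser = FormFieldCollector()
    parser.feed(html)
    return sorted(set(parser.fields) - expected)


# Constructed hosts file: a bank domain pinned to an attacker-controlled address
# (redirect) and an antivirus update domain pinned to loopback (block).
HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    www.examplebank.test
127.0.0.1       update.example-av.test
::1             localhost
"""
# Assumed: domains that should never be resolved through the hosts file at all.
WATCHED_DOMAINS = {"www.examplebank.test", "update.example-av.test"}


def hosts_anomalies(text, watched=WATCHED_DOMAINS):
    """Return (line number, domain, kind) for every watched domain found in a hosts file.
    Loopback or unspecified addresses block the site; anything else redirects it."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, "unparseable address"))
            continue
        for name in names:
            if name in watched:
                kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
                findings.append((lineno, name, kind))
    return findings


if __name__ == "__main__":
    print("unexpected form fields:", injected_fields(INJECTED_PAGE))
    for finding in hosts_anomalies(HOSTS_FILE):
        print("hosts anomaly:", finding)
```

The form check only works if the bank's genuine field set is known in advance, which is why it belongs in a monitoring tool or a bank-side integrity check rather than in the page itself; an inject that can rewrite the page can also rewrite any check embedded in it.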
3) Type: Keylogger
The World Wide Web has a plethora of keyloggers on offer. All of these do much more than just keystroke logging; they can track virtually anything running on a computer. Some keyloggers, known as “screen scrapers,” enable visual surveillance of a target computer by taking periodic snapshots of the screen. The captured images can then be used to gather valuable information about the user. Advanced keyloggers can track such things as cut, copy, and paste operations, Internet usage, file operations (executing, creating, renaming, modifying, and deleting), and printouts. Although many of them are built with the legitimate intent of parental control and employee monitoring, the bad guys are making the most of them. Most forms of malware, such as worms, Trojans and spyware, are actually the vectors carrying keyloggers. Once a system is compromised, the keylogger is installed to cause further damage.
Some of the keyloggers available on the internet are as follows:
(i) Refog Personal/Employee Monitor
(ii) All in One keylogger
(iii) Perfect keylogger
(iv) Elite keylogger
(v) Spector pro
(vi) Stealthy keylogger
And the list goes on!
4) Type: Spyware
The spyware CoolWebSearch originates from Russia. It is one of the most famous and most aggressive pieces of spyware developed to date. The majority of the variants are, in some capacity, hijackers. The name originates from the first widely spread hijacker, which directed searches through search pages affiliated with coolwebsearch.com. This is still the main functionality of the spyware, but there are also advertisements in the form of pop-ups. The advertising is, in general, of dubious content; several pop-ups advertise fraudulent products.
The company Cool Web Search offers affiliates a fee in exchange for visitors’ use of their search program. An affiliate builds a search page of his liking and draws visitors there. The search page is linked to Cool Web Search’s backend, which delivers the search results. To bring in profit to Cool Web Search, the company bids out keywords to the public, with top bidders getting top position in the search query list. Cool Web Search disclaims they have nothing to do with the hijacks and have closed down some affiliate sites.
CoolWebSearch hijacks are usually much more advanced than the common hijack. They are more difficult to detect and trickier to remove. Even manual removal can sometimes be a difficult task.
(ii) Internet Optimizer
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.
It transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions Company. It opens pop-up ads that cover over the Web sites of competing companies.
(iv) HuntBar, aka WinTools or Adware.WebSearch
It was installed by an ActiveX drive-by download at affiliate web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.
(v) Zlob Trojan
It downloads itself to your computer via an ActiveX codec. The Zlob trojan displays pop-up ads that look like Microsoft Windows warnings telling you that your computer is infected. Clicking these warning pop-ups will cause a fake anti-spyware program to be downloaded to your computer. You will then be urged to purchase the fake anti-spyware program, thus giving the malware perpetrator actual money, as well as your credit card information. The perpetrator is often a web site in the Ukraine! “Zlob Trojan” is most usually encountered at adult web sites, masquerading as a video codec that will give you access to adult content videos. It reports information back to a control server; this information can include your search history, the websites you visited, and even keystrokes.
5) Type: Adware
The following is a list of some adware:
• 123 Messenger
• 180 Solutions
• Adssite Toolbar
• Bonzi Buddy
• Comet Cursor
• Crazy Girls
• Daemon Tools (the software comes bundled with the “Daemon Tools WhenUSave Toolbar”, but it can be unchecked during installation)
• Direct Revenue
• Ebates MoneyMaker
• Mirar Toolbar
• Messenger Plus! Live (option to install a sponsor; not required)
• Oemji Toolbar
• Smiley Central
• Tribal Fusion
• Sweet IM
• XXX Shop online
• XXX Toy
• Zango Toolbar
• Zlob trojan, or just Zlob
6) Type: Rootkit
(i) Virtual Machine Based Rootkit (VMBR)
In the overall structure of a VMBR, a VMBR runs beneath the existing (target) operating system and its applications (Figure 2). To accomplish this, a VMBR must insert itself beneath the target operating system and run the target OS as a guest. To insert itself beneath an existing system, a VMBR must manipulate the system boot sequence to ensure that the VMBR loads before the target operating system and applications. After the VMBR loads, it boots the target OS using the VMM. As a result, the target OS runs normally, but the VMBR sits silently beneath it.
To install a VMBR on a computer, an attacker must first gain access to the system with sufficient privileges to modify the system boot sequence. There are numerous ways an attacker can attain this privilege level. For example, an attacker could exploit a remote vulnerability, fool a user into installing malicious software, bribe an OEM or vendor, or corrupt a bootable CD-ROM or DVD image present on a peer-to-peer network. On many systems, an attacker who attains root or Administrator privileges can manipulate the system boot sequence. On other systems, an attacker must execute code in kernel mode to manipulate the boot sequence. After the attacker gains root privileges, he or she must install the VMBR’s state on persistent storage.
VMBRs use a separate attack OS to deploy malware that is invisible from the perspective of the target OS but is still easy to implement. None of the states or events of the attack OS are visible from within the target OS, so any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection.
Blue Pill and SubVirt are examples of VMBR.
The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor (Virtual Machine Monitor) and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.
Joanna Rutkowska, the author of Bluepill, claims that, since any detection program could be fooled by the hypervisor, such a system could be “100% undetectable”. Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified.
The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.
In order to install the virtual machine, the rootkit executes before the pre-existing operating system in the boot sequence. This technique is very similar to the one used by BootRoot. After the virtual machine and original operating system have been loaded, the authors created a number of different malicious services that can run from the virtual machine. Included in these services are a malicious web server that could be used for phishing, a keystroke logger that intercepts keystrokes between the pre-existing operating system and the hardware, a service that scans the pre-existing operating system’s file system for sensitive data, and what the authors call a “defensive countermeasure service.” This defensive countermeasure service was specifically built to defend against techniques that are commonly used by software to determine whether it is running in a virtual machine or not. This prevents such methods from detecting SubVirt.
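Both VMBRs described above depend on changing the boot sequence and keeping their state on persistent storage, and both are designed so that checks run from inside the target OS can be intercepted. The defensive consequence is that the boot sector has to be compared against a trusted baseline from outside the running system (for instance, a disk image taken while booted from known-good media). The script below is an added example, not code from the page or from the SubVirt or Blue Pill authors: it parses a 512-byte master boot record, hashes the boot code, lists the partition table, and reports how a current image deviates from the baseline. Both MBR images are constructed, and the stub boot code and partition layout are assumptions for the illustration.

```python
"""Detect boot-sequence tampering of the kind a VMBR needs by comparing a
disk's master boot record (MBR) against a trusted offline baseline.  Added
example, not from the page; the two MBR images are constructed and the boot
code stubs and partition layout are assumptions."""
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446              # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510-511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (type, lba_start, sectors) tuples.
    CHS fields are filled with the 'use LBA' marker since only LBA is examined here."""
    if len(boot_code) > PT_OFFSET:
        raise ValueError("boot code overlaps the partition table")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, lba, size) in enumerate(partitions):
        status = 0x80 if i == 0 else 0x00          # first entry marked bootable
        entry = struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, size)
        mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)] = entry
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the boot-code hash, the non-empty partition entries and the signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        _status, _chs_start, ptype, _chs_end, lba, size = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:                              # type 0 means the slot is unused
            partitions.append((ptype, lba, size))
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def compare_to_baseline(baseline, current):
    """Return human-readable deviations of `current` from the trusted `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code changed")
    for p in cur["partitions"]:
        if p not in base["partitions"]:
            findings.append("new partition type=0x%02x lba=%d sectors=%d" % p)
    for p in base["partitions"]:
        if p not in cur["partitions"]:
            findings.append("partition removed type=0x%02x lba=%d sectors=%d" % p)
    return findings


# Constructed baseline: a short stub standing in for the real boot loader and
# one NTFS-type (0x07) partition.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
BASELINE_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x07, 2048, 2_000_000)])

# Constructed tampered image: the loader now starts with a different jump and a
# hidden partition (type 0x17) has appeared to hold the rootkit's persistent state,
# mirroring the installation steps described in the text.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 24,
                         [(0x07, 2048, 2_000_000), (0x17, 2_002_048, 65536)])


if __name__ == "__main__":
    print("clean vs baseline:", compare_to_baseline(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", compare_to_baseline(BASELINE_MBR, TAMPERED_MBR))
```

The check is only as trustworthy as the way the current image was read: if it is read through the target OS while a VMBR is already resident, the hypervisor can serve back the clean sector, which is exactly the interception the text describes. Reading the disk from separate boot media, or from a firmware measurement such as a TPM-backed boot log, sidesteps that problem.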
Note: It can be seen from the examples above that a piece of malware can simultaneously take many forms. It could be a trojan, a keylogger, spyware and adware all at the same time! Zeus and Zlob are such examples.