Malware Classification: Virus, Worm, Ransomware, Rootkit

A virus is a type of malware that replicates by attaching its code to a legitimate program or file (the host). It requires human action to spread, such as opening an infected email attachment or running an infected program. The key characteristic: a virus cannot run independently; it depends on the host file to execute.

Infection Mechanism: - File Infector Virus: Appends or prepends its code to executable files (.exe, .com, .dll). When the user runs the legitimate program, the virus code executes first, then transfers control to the original program. Common technique: changing the entry point in the PE (Portable Executable) header to point to the virus code. - Macro Virus: Written in a macro language (e.g., VBA for Microsoft Office). Embedded in documents (.doc, .xls) and executes when the document is opened. Classic example: the Melissa virus (1999), which used Outlook to email itself to contacts. - Boot Sector Virus: Infects the Master Boot Record (MBR) or Volume Boot Record (VBR). Loads before the operating system, making it extremely persistent. Example: Stoned virus (1987).

Propagation: Viruses rely on user activity: sharing infected files via email, USB drives, or network shares. They do not autonomously scan for targets.

Payload: May corrupt or delete files, steal data, display messages, or simply replicate. Some viruses are polymorphic, changing their code signature each time they infect a new host to evade signature-based antivirus.

Detection & Removal: - Signature-based antivirus scans for known virus signatures (byte sequences). - Heuristic analysis detects suspicious behavior (e.g., modifying other executables). - Removal requires booting from a clean medium (e.g., rescue disk) and scanning the system offline because the virus may be active in memory.

A worm is a standalone malware program that replicates itself to spread to other computers, typically over a network. Unlike a virus, a worm does not need a host file or user action to propagate. It exploits vulnerabilities in network services or operating systems.

Infection Mechanism: - Network Scanning: The worm scans IP addresses for open ports (e.g., TCP port 445 for SMB). - Exploitation: Sends a crafted packet to trigger a buffer overflow or other vulnerability. Example: Conficker (2008) exploited the MS08-067 vulnerability in Windows Server service. - Payload Delivery: Once a system is compromised, the worm downloads and executes its payload (often from a remote server). - Replication: The worm copies itself to the new host and begins scanning from there.

Propagation: Worms can spread rapidly because they automate the entire process. The Morris worm (1988) infected about 10% of the Internet at the time. Modern worms use multiple propagation vectors: email (as an attachment or link), instant messaging, peer-to-peer networks, and removable drives (e.g., Stuxnet spread via USB).

Payload: Worms often carry a secondary payload such as a backdoor, keylogger, or DDoS agent. Some worms are designed to deliver ransomware.

Detection & Removal: - Network-based intrusion detection systems (IDS) can detect worm scanning patterns. - Signature-based antivirus can detect known worm code. - Removal often involves disconnecting the infected system from the network to prevent further spread, then running an antivirus scan. Patching the exploited vulnerability is critical.

Ransomware is malware that encrypts the victim's files or locks the system, then demands a ransom (usually in cryptocurrency) for the decryption key. It is a major threat because of its direct financial impact.

Infection Mechanism: - Delivery: Typically via phishing emails (with malicious attachments or links), drive-by downloads from compromised websites, or exploit kits (e.g., Angler, Nuclear). - Execution: Upon execution, ransomware often contacts a command-and-control (C2) server to receive an encryption key. Modern ransomware generates the key locally using cryptographic functions (e.g., RSA-2048 or AES-256) to avoid network detection. - Encryption: The malware enumerates local drives, network shares, and removable media. It encrypts files with specific extensions (documents, images, databases). It may also delete Volume Shadow Copies (VSS) using vssadmin.exe to prevent recovery. - Ransom Note: A text file or image is placed in each directory with instructions on how to pay the ransom (typically Bitcoin) and receive the decryption key.

Examples: - CryptoLocker (2013): Used a C2 server to generate keys. Estimated $3 million in ransoms. - WannaCry (2017): Spread using the EternalBlue exploit (MS17-010). Encrypted files and demanded $300 in Bitcoin. Infected over 200,000 computers in 150 countries. - Ryuk: Targeted large organizations with ransom demands up to millions of dollars.

Detection & Removal: - Prevention: User education, email filtering, application whitelisting, and regular patching. - Detection: Behavioral analysis (e.g., mass file rename events, VSS deletion). - Removal: Disconnect the system immediately. Do NOT pay the ransom. Restore from clean backups. Use decryption tools if available (e.g., No More Ransom project). Reimage the system if necessary.

A rootkit is a collection of tools that provides persistent, undetectable access to a system, often at the kernel level. The term comes from Unix: a "rootkit" is a kit for maintaining root (administrator) access. Rootkits hide their presence and the presence of other malware by intercepting system calls and filtering output.

Types of Rootkits: - User-Mode Rootkit: Runs in user space (ring 3). Intercepts API calls (e.g., by hooking the IAT in Windows). Example: HackerDefender. - Kernel-Mode Rootkit: Loads as a device driver or kernel module (ring 0). Has full access to the OS. Can modify kernel objects (DKOM – Direct Kernel Object Manipulation). Example: FU rootkit. - Bootkit: Replaces the Master Boot Record (MBR) or boot loader, loading before the OS. Example: TDL-4 (Alureon). - Firmware Rootkit: Hides in hardware firmware (e.g., BIOS, UEFI, hard drive firmware). Extremely difficult to detect. Example: LoJax (used by Sednit group).

Mechanism: - Hooking: Rootkits hook system calls (e.g., NtQueryDirectoryFile in Windows) to hide files, processes, registry keys, and network connections. - Direct Kernel Object Manipulation (DKOM): Modifies kernel data structures (e.g., the EPROCESS list) to remove a process from the scheduler's view. - Filter Drivers: Load a driver that sits between the OS and hardware, intercepting I/O requests.

Detection & Removal: - Detection: - Signature-based: Antivirus can detect known rootkit drivers. - Behavioral: Anomalies in system call timing (e.g., longer than expected). - Cross-view: Compare the view from the OS (which may be filtered) with a low-level scan (e.g., reading the disk directly). Tools like GMER, RootkitRevealer. - Removal: - Booting from a clean medium: Use a rescue disk or bootable antivirus (e.g., Kaspersky Rescue Disk). - System restore: If the rootkit is deep (e.g., bootkit), reimage the system from known good media. - Firmware rootkit: May require reflashing the BIOS/UEFI or replacing hardware.

| Feature | Virus | Worm | Ransomware | Rootkit | |---------|-------|------|------------|--------| | Requires host file | Yes | No | Usually | No | | Self-propagating | No | Yes | Sometimes (e.g., WannaCry) | No | | Primary goal | Replication/damage | Propagation | Extortion | Stealth/control | | Persistence | Low | Low | Low (but can be persistent) | Very high | | Detection difficulty | Moderate | Low | Low-Moderate | Very high |

Exam Tip: The exam often asks you to classify a scenario. Remember: if the malware needs a host file, it's a virus. If it spreads automatically over a network, it's a worm. If it encrypts files for ransom, it's ransomware. If it hides itself and other malware, it's a rootkit. Be aware that real-world malware often combines characteristics (e.g., a worm that delivers ransomware).

Scenario 1: WannaCry Ransomware Outbreak in a Hospital

In May 2017, the WannaCry ransomware worm spread globally, crippling the UK's National Health Service (NHS). The worm exploited the EternalBlue vulnerability (MS17-010) in SMBv1. Many NHS systems were unpatched, running outdated Windows versions (e.g., Windows 7). The ransomware encrypted patient records and demanded $300 in Bitcoin per machine. The attack forced hospitals to cancel appointments and revert to paper records. The root cause: failure to apply the March 2017 security patch. Mitigation involved disconnecting infected machines, restoring from backups (where available), and patching all systems. This scenario underscores the importance of patch management and network segmentation.

Scenario 2: Rootkit in a Financial Institution

A bank's trading floor experiences unexplained data exfiltration. Security analysts find that antivirus reports show no malware, but network traffic reveals periodic connections to an unknown IP. Investigation using a bootable scanner (e.g., Kaspersky Rescue Disk) reveals a kernel-mode rootkit (e.g., similar to the "Rovnix" bootkit) hiding in the MBR. The rootkit intercepts disk reads to hide its files and modifies network stack calls to hide connections. Removal requires booting from a clean medium, wiping the MBR, and reinstalling the OS from trusted media. Post-incident, the bank implements UEFI Secure Boot to prevent bootkits and uses hardware security modules (HSMs) for sensitive data.

Scenario 3: Virus Infection via Email in a Law Firm

A law firm receives an email with a malicious macro-enabled Word document. An employee opens it, enabling macros, which triggers a file infector virus. The virus infects all .exe files on the local machine and any shared network drives. It does not spread automatically but relies on users running infected executables. The IT team notices that many applications crash or behave oddly. Using endpoint detection and response (EDR) tools, they identify the virus by its file modification patterns. They isolate the workstation, scan with updated antivirus, and restore infected files from backup. They then implement macro security policies (e.g., block macros from the internet) and conduct user awareness training.

Common Misconfigurations and Pitfalls: - Failing to patch: The number one cause of worm outbreaks. The exam emphasizes that patching is critical. - Over-reliance on antivirus alone: Rootkits and polymorphic viruses can evade signature detection. Use layered defenses. - Not verifying backups: Ransomware recovery depends on clean, tested backups. Many organizations discover their backups are also encrypted or corrupted. - Powering off a rootkit-infected system: Some rootkits (e.g., TDL-4) store data in the MBR; powering off may cause data loss. Always boot from a clean medium first.