RemNote Community
Study Guide

📖 Core Concepts
- Malware – software created to disrupt, steal, or gain unauthorized access to computers, networks, or data.
- Classification – major families: Virus, Worm, Trojan Horse, Ransomware, Rootkit, Backdoor, Spyware/Adware (Grayware/PUP), Fileless.
- Goodware / Grayware / Malware – spectrum of intent: goodware (benign), grayware (unwanted but not clearly malicious), malware (destructive/unauthorized).
- Static vs. Dynamic Analysis – static = inspect code/signatures without execution; dynamic = run in a sandbox to watch behavior.
- Evasion Techniques – encryption, polymorphism, packing, environment‑fingerprinting, timing attacks, steganography, fileless execution.
- Mitigation Layers – antivirus/anti‑malware, real‑time scanning, sandboxing, network segregation, air‑gap isolation.

---

📌 Must Remember
- Virus → attaches to a host file, replicates when the host runs.
- Worm → standalone, spreads automatically over networks.
- Trojan → masquerades as legitimate software; often drops backdoors or other payloads.
- Ransomware → locks the system (locker) or encrypts files (crypto) until the ransom is paid.
- Rootkit → modifies the OS to hide malicious processes/files.
- Fileless Malware → lives only in memory, uses legitimate tools (Living‑off‑the‑Land).
- Static detection relies on signatures; dynamic detection relies on behaviour heuristics.
- Polymorphic malware changes its code on each infection to evade signature‑based detection.
- Air‑gap = physical network isolation; still vulnerable to removable‑media attacks (e.g., Stuxnet).
- Two‑factor authentication (2FA) dramatically lowers the risk from weak passwords.

---

🔄 Key Processes
- Malware Infection via USB: plug in → OS auto‑runs (autorun) or reads a macro‑enabled file → payload executed → possible dropper installs additional malware.
- Static Signature Creation: extract hash / byte pattern → store in AV database → compare each scanned file → match → quarantine.
- Dynamic (Heuristic) Analysis: launch sample in sandbox → monitor API calls, file writes, network traffic → flag if behavior deviates from baseline.
- Ransomware Encryption (crypto‑type): generate random symmetric key → encrypt files → encrypt symmetric key with attacker’s RSA public key → demand ransom for private key.
- Botnet Command‑and‑Control (C2) Communication: infected host contacts C2 → receives instructions (spam, DDoS, data exfiltration) → executes.

---

🔍 Key Comparisons
- Virus vs. Worm – Virus: needs a host file/program → spreads when the host is executed. Worm: self‑contained → spreads over the network without host files.
- Locker Ransomware vs. Crypto Ransomware – Locker: blocks access to the system/UI, no encryption. Crypto: encrypts files and may also lock the system.
- Static Analysis vs. Dynamic Analysis – Static: fast, signature‑based, can miss obfuscated/packed code. Dynamic: slower, catches behavior, can be evaded by timing/environment checks.
- File‑Based Malware vs. Fileless Malware – File‑Based: leaves malicious binaries on disk → detectable by AV. Fileless: resides only in RAM, uses legitimate binaries → harder to detect.
- Antivirus Real‑Time Scanner vs. Sandbox – Real‑Time: intercepts file access at kernel level → quick block. Sandbox: isolates execution, useful for unknown/zero‑day samples.

---

⚠️ Common Misunderstandings
- “All malware is a virus.” – Only a subset (viruses) attaches to host files; worms, trojans, etc., are distinct.
- “Antivirus catches everything.” – Signature‑based AV misses polymorphic, zero‑day, and fileless threats.
- “Air‑gap means 100 % safe.” – Stuxnet shows removable media can bridge the gap.
- “Rootkits only hide files.” – They also hide processes and network connections, and can alter kernel behavior.
- “Disabling macros eliminates macro viruses.” – Attackers can also use PowerShell or other scripting engines.

---

🧠 Mental Models / Intuition
- “Layered Onion” – Think of defenses as concentric layers: patches → AV → sandbox → network segmentation → air‑gap. Break through one layer and the next still protects.
- “Payload vs. Delivery” – Separate the delivery mechanism (USB, email, exploit kit) from the payload (ransomware, keylogger). Changing one doesn’t automatically change the other.
- “Memory‑Only = Invisible” – If a malicious action leaves no file, traditional AV can’t see it; focus on behaviour (process injection, PowerShell commands).

---

🚩 Exceptions & Edge Cases
- Polymorphic vs. Metamorphic – Polymorphic changes only the decryption stub; metamorphic rewrites the entire code. Both evade signatures, but metamorphic is rarer.
- Zero‑Day Exploits – Malware may exploit a vulnerability that has no patch yet; signature‑based detection is ineffective.
- Stegomalware – Hides the malicious payload inside benign files (e.g., images); static hash comparison fails.
- Timing‑Based Evasion – Malware executes only at specific times (e.g., at system boot); sandbox runs may miss the trigger.

---

📍 When to Use Which
- Static analysis → first line for known families, quick triage of large file sets.
- Dynamic analysis → unknown/obfuscated samples, zero‑day investigations.
- Sandboxing → test potentially dangerous behavior without risking production systems.
- Network segregation → limit spread of worms/botnets across critical subnets.
- Air‑gap → protect high‑value industrial control systems; pair with strict media‑handling policies.
- Real‑time AV → baseline protection for end‑user desktops; supplement with heuristic/ML detectors for advanced threats.

---

👀 Patterns to Recognize
- Repeated “autorun” or macro prompts → classic USB or document‑based infection vector.
- Sudden spikes in outbound traffic → possible C2 beacon from a botnet or ransomware exfiltration.
- Unusual process names or parent‑child relationships → indicator of a rootkit or fileless malware using legitimate binaries.
- Multiple failed login attempts followed by a successful login → credential‑theft or password‑spraying attack.
- Encrypted files appearing en masse with new file extensions → crypto‑ransomware activity.

---

🗂️ Exam Traps
- “A worm must attach to a file.” – Wrong; worms are standalone and spread via the network.
- “All ransomware encrypts files.” – Incorrect; locker ransomware only locks the UI.
- “Fileless malware leaves no trace on disk, so it cannot be detected.” – Misleading; behavior‑based tools can still spot it.
- “Installing an antivirus eliminates the need for patches.” – False; patches close vulnerabilities that AV can’t protect against.
- “Rootkits only affect Windows.” – Incorrect; rootkits exist for Linux, macOS, and embedded systems.

---
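Added example, not part of the study guide: the Static Signature Creation process (extract hash / byte pattern → store → compare → quarantine) in Python, run over constructed, harmless byte strings, and also showing why a padded variant still matches by byte pattern while a simply packed variant matches neither signature, which is the weakness the polymorphism/packing notes describe. The family name, marker string and XOR key are assumptions made for the demo.

```python
import hashlib

# Constructed stand-ins for scanned files; none of this is real malware.
KNOWN_SAMPLE = b"\x7fELF" + b"\x00" * 8 + b"STUDY-GUIDE-MARKER" + b"\x00" * 8
# Same code with bytes appended: the hash changes, the byte pattern does not.
PADDED_VARIANT = KNOWN_SAMPLE + b"\x00" * 16


def xor(data: bytes, key: int) -> bytes:
    """Toy packer: XOR every byte with a one-byte key (assumed key 0x5A)."""
    return bytes(b ^ key for b in data)


# Packed variant: header kept, body XOR-encoded, so the marker is not visible.
PACKED_VARIANT = b"\x7fELF" + xor(KNOWN_SAMPLE[4:], 0x5A)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_signature(name: str, sample: bytes, pattern: bytes) -> dict:
    """Step 1: extract a full-file hash plus a byte pattern taken from the sample."""
    if pattern not in sample:
        raise ValueError("pattern must occur in the sample it was extracted from")
    return {"name": name, "sha256": sha256_hex(sample), "pattern": pattern}


# Step 2: store the signature in the AV database (family name is assumed).
SIGNATURE_DB = [make_signature("Demo.Family", KNOWN_SAMPLE, b"STUDY-GUIDE-MARKER")]


def scan(data: bytes, db=SIGNATURE_DB):
    """Step 3: compare a scanned file; return (method, family) on match, else None."""
    digest = sha256_hex(data)
    for sig in db:                      # exact-hash match is cheapest, try it first
        if sig["sha256"] == digest:
            return ("hash", sig["name"])
    for sig in db:                      # byte-pattern match survives small changes
        if sig["pattern"] in data:
            return ("pattern", sig["name"])
    return None


def quarantine_decisions(files: dict, db=SIGNATURE_DB) -> dict:
    """Step 4: label -> verdict; a non-None verdict means the file is quarantined."""
    return {label: scan(data, db) for label, data in files.items()}


if __name__ == "__main__":
    files = {"known": KNOWN_SAMPLE, "padded": PADDED_VARIANT, "packed": PACKED_VARIANT}
    for label, verdict in quarantine_decisions(files).items():
        print(f"{label:7s} -> {'quarantine ' + str(verdict) if verdict else 'clean (missed)'}")
```

The packed variant is reported clean even though it is the same code, which is why the guide pairs static signatures with dynamic (behaviour-based) analysis.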