Activation

• The next section discusses how malware gains control and install themselves
• One time execution
  • As we have discussed, a click on a web page, auto run or other single run of a program.
• How Malware gains control
  • The purpose of a computer is to run programs.
  • So the malicious code needs to somehow become a program that gets run.
  • There are several methods
    • Outright replace a program with malware.
      • This means the program is not run, and the malware is easier to detect.
    • Become a preamble or postscript to a program.
      • Run before, or after.
      • Harder to do but much harder to detect.
    • Become part of the program
• Boot sector
  • The boot process
    • The sequence begins with read only memory
    • This eventually calls code located on the "boot sector" of some media
    • This allows booting of different operating systems.
    • In fact, it frequently calls a "boot loader" from the media.
    • Which then calls the operating system.
  • Malicious code in this process
    • Several options
      • Replace the boot loader with malicious code.
        • Move the boot elsewhere
        • Place the malicious code where the boot loader was
        • Have the malicious code execute the boot loader.
      • Sneak the malicious code into the OS loading process
        • A modern OS probably has multiple subsystems that start at boot.
        • Make the code look like one of these
        • And have the OS start it.
    • These steps make it
      • So the malicious code is started every time the system is started.
      • Make is very hard to find the malicious code.
• Memory resident
  • Loading programs from disk is expensive.
  • And there are some programs that are called so often, that this process should be avoided.
  • So these programs are kept "memory resident".
  • This is accomplished in various ways in various operating systems.
  • But the idea is to "sneak" a piece of malware in this area and trick the OS into calling it.
• Other homes
  • Anything with a programming language, or pseudo programming language is susceptible to an attack.
  • As we mentioned Office products.
  • PDF files actually contain commands that can be executed.
  • Both of these deal with the file system, so they are vectors of attack.
  • They also mention that malicious code could insert itself into a system library.
• Just as an addendum, on 196 they discuss malware toolkits.
  • They equate these to "Cyberattacks for Dummies"
  • The domain of the script kiddies
  • These are available for sale
    • Apparently you purchase a license to attack a given site.
    • And are fairly brainless to use.
  • In my time, these were just the POC packaged into a script.
  • But apparently they are much more sophisticated these days.