Video out now for the following lecture 1A of malware development
What is malware ?
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user’s computer security and privacy.
What is malware development?
This is the development process of malicious software or scripts with intent to stealing target information, spying, espionage purpose and others
What programming languages are best for malware development?
My own opinion
1.Assembly reason faster and next to machine code con hard to learn
C and c++
python for server end
Rust
Lua
Golang
What is computer programming? Computer programming or coding is the composition of sequences of instructions, called programs, that computers can follow to perform tasks
what are the types of malware
1. Ransomware
This is software that uses encryption to disable a target’s access to its data until a ransom is paid. The victim organization is rendered partially or totally unable to operate until it pays, but there is no guarantee that payment will result in the necessary decryption key or that the decryption key provided will function properly.
2. Spyware
Spyware collects information about users’ activities without their knowledge or consent. This can include passwords, pins, payment information and unstructured messages.
3 Trojan
This disguises itself as desirable code or software. Once downloaded by unsuspecting users, the Trojan can take control of victims’ systems for malicious purposes. Trojans may hide in games, apps, or even software patches.
4. Worms
Worms target vulnerabilities in operating systems to install themselves into networks. They may gain access in several ways: through backdoors built into software, through unintentional software vulnerabilities, or through flash drives. Once in place, worms can be used by malicious actors to launch Dos or Ddos attacks, steal sensitive data, or conduct ransomware attacks.
- virus
This is a piece of code that inserts itself into an application and executes when the app is run. Once inside a network, a virus may be used to steal sensitive data, launch DDoS attacks or conduct ransomware attacks.
6. Rootkits
is software that gives malicious actors remote control of a victim’s computer with full administrative privileges. Rootkits can be injected into applications, kernels, hypervisors, or firmware. They spread through phishing, malicious attachments, malicious downloads, and compromised shared drives.
7.Keyloggers
This is a type of spyware that monitors user activity, keyloggers can be used to steal password data, banking information and other sensitive information. Keyloggers can be inserted into a system through phishing, social engineering or malicious downloads.
8. Bots/Botnets
A bot is a software application that performs automated tasks on command. They’re used for legitimate purposes, such as indexing search engines, but when used for malicious purposes, they take the form of self-propagating malware that can connect back to a central server.
9. Fileless Malware
This kind doesn’t install anything initially, instead, it makes changes to files that are native to the operating system, such as PowerShell or WMI. Because the operating system recognizes the edited files as legitimate, a fileless attack is not caught by antivirus software.
MALWARE PAYLOADS
What is staged malware?
Staged payloads break down the distinct phases of an attack, often using multiple payloads phases that a single payload would have otherwise performed. These payloads are typically broken down into a ”stager” (initial payload or beacon) executable and a ”stage” (main payload) executable.
A stagger is a small executable that is an initial payload. It is a relatively small piece of code that is executed to prepare for a much larger and more capable payload known as the stage payload. This means that “the stagger sets the stage.”
what is stageless malware?
Stageless payloads are self-contained and usually much larger than staged payloads. They typically combine all the required capabilities of an attacker into one executable.
What is shell code?
Shell code is a malicious code that attempts to hijack the normal flow of a running program in computer memory. It then redirects the flow so that the malicious code is executed, instead of the normal program, giving the attacker a shell or reverse shell. These are often beacons or payloads in the form of low-level programming code or a machine code combined with an exploit
What are exploits?
Exploits are pieces of low-level or native code that successfully leverage a vulnerability.
Exploited vulnerabilities often involve a buffer overflow in an application’s memory where the attacker has overrun the allocated memory to redirect normal program flow. A successful exploit will then lead to the execution of a payload, which is the malware.
what is a dropper?
A dropper is a kind of Trojan that has been designed to “install” malware on a target computer. The malware code can be contained within the dropper in such a way as to avoid detection by virus scanners; or the dropper may download the malware to the targeted computer once activated.
Types of malware droppers
persistent dropper. Upon running the malware, it hides itself on the device. It then modifies the windows system registry keys, even if the malware is removed the hidden file will execute upon rebooting the system. This allows it to reinstall the malware even if it was previously removed.
non-persistent dropper. It is less dangerous because upon executing its payload it removes itself from the system. This way, when the malware is removed it will not be able to reinstall itself
what is penetration testing?
A penetration test, also known as pentest or ethical hacking, is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system;
what is red team?
A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses. Red teams work for the organization or are hired by the organization. Their work is legal, but can surprise some employees who may not know that red teaming is occurring, or who may be deceived by the red team.
what is incident response?
Incident response (sometimes called Cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyber threats, security breaches or cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.
What is digital forensics?
Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime.
what is code obfuscation?
code obfuscation refers to a series of programming techniques designed to disguise elements of a program’s code. It’s the primary way that programmers can defend their work against unauthorized access or alteration by hackers or intellectual property thieves.
SPECIFIC TO WINDOWS ENVIRONMENTS
What is a DLL?
A Dynamic Link Library or DLL (“Shared Library” in Linux) is a piece of code stored as a shared library file. This means that it can be used by different computer programs as and when they need it
code injection and DLL injection
DLL injection is the process of running code (DLL) in the context of another process. Meterpreter payloads use DLL injection techniques for stealth and evasion mechanisms.
This is useful for programmers because they only write code once, compile and store it as a shared library or DLL, then use it whenever needed and by multiple programs.
The capabilities of DLLs also make them very useful for threat actors. Code Injection at the basic level involves an attempt by one process (malicious) attaching (or obtaining a handle) to a remote process (victim process). It then allocates enough memory or changing page permissions in the victim process to run new code such as a DLL, after which copying (injecting) the DLL malicious code into the new or already running victim process’ memory space.
Windows API
The Windows API, informally WinAPI, is Microsoft’s core set of application programming interfaces (APIs) available in the Microsoft operating systems. The name Windows API collectively refers to several different platform implementations that are often referred to by their own names (for example, the Win32 API). Almost all Windows programs interact with the Windows API
CREATING A SOFTWARE PROTOTYPE(our malware prototype)
what is a software prototype?
Software prototyping is the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed.
The difference between script kiddies and true pros is having programming skills. So we are going to horn these skills together because the truth is one day in your pen test or red teaming endeavors, you will need to write something that is fully undetectable. A lot of you use Metasploit but the problem with this awesome tools is it can only handle one connection at a time but in red teaming engagements, you need in most cases your C2C to control and commands more connections instantly.
So let’s create a tool that will evolve into something big
functions of our prototype
1. connection function between server and target
2. function to listen for incoming connections(shell)
3. be able to survive reboots
4. start other programs
5. changing directory
HELPFUL WINDOW/ C HEADER FILES FOR MALWARE AUTHORS
1. #include<stdio.h>
stdio.h is the header file for the C library that defines various functions and variables for input and output operations.
#include<stdlib.h>
This header defines several general purpose functions, including dynamic memory management, random number generation, communication with the environment, integer arithmetic, searching, sorting and converting.
#include<unistd.h>
In the c and c++ programming languages, unistd.h is the name of the header file that provides access to the POSIX operating system API. I
#include<winuser.h>
Winuser.h is a header file that defines the functions and structures for Windows app development. It contains definitions for common Windows API functions, such as CreateWindow, DialogBox, EnumWindows, and ClipboardFormatListeners, as well as structures for various Windows messages,
#include<winsock2.h>
Windows Sockets API ( WSA ), later shortened to Winsock , is an application programming interface (API) that defines how Windows network application software should access network services, especially TCP/IP. It defines a standard interface between a Windows TCP/IP client application (such as an FTP client or a web browser) and the underlying TCP/IP protocol stack.
#include<wininet.h>
The Windows Internet (WinINet) application programming interface (API) enables your application to interact with FTP and HTTP protocols to access Internet resources. As standards evolve, these functions handle the changes in underlying protocols, enabling them to maintain consistent behavior.
#include<windows.h>
windows.h is a Windows-specific header file for the C and C++ programming languages which contains declarations for all of the functions in the Windows API, all the common macros used by Windows programmers, and all the data types used by the various functions and subsystems
#include<windowsx.h>
This header file re-defines many obsolete and out of use function calls (among other things). This header file speeds ports, but fixes no complex problems. For example in WIN32 the “far” and “pascal” keywords are obsolete due to WIN32’s flat memory model and different function calling procedures.
#include<string.h>
This header file provides functions for copying, concatenating, comparing, searching, and manipulating C strings and arrays.
#include<sys/stat.h>
The header file sys/stat.h defines the structure of the data returned by the functions fstat, lstat, and stat, such as device ID, file serial number, mode, link count, user ID, group ID, and more. It also provides file type macros and symbolic name definitions for the mode bits and file size fields.
#include<sys/types.h>
T his header file defines the types and functions for the POSIX standard, with GNU Gnulib, a library for porting C and C++ applications to various platform.