Analyzing Indicators of Compromise & Determining Malware Types

Three main areas of malware:

  • Ads / Spyware / Marketing
  • Remote Access / Keyloggers
  • Remote Attacks / DDoS

Indicator of Compromise

Artifacts observed on a host or network that indicate, with reasonable confidence, that an intrusion has occurred (e.g. unusual outbound network traffic, DNS anomalies such as lookups of random-looking domains, anomalies in privileged user account activity, unexpected file system or registry changes, etc.).

Virus

Malware that attaches itself to a legitimate file or program and requires user interaction (opening the document, running the program) to execute and replicate.
Ex: Melissa (a macro virus that ran when the recipient opened the infected Word document). Stuxnet, often listed here, spread on its own and is better classified as a worm.

Crypto-malware / Ransomware

Crypto-malware encrypts the victim's files (or entire disks) and demands payment for the decryption key; ransomware more broadly denies access to data or systems until a ransom is paid. Scareware, which only frightens users into paying or installing something, is a separate category.
Ex: WannaCry (2017), which combined file-encrypting ransomware with worm-style spread over SMB using the EternalBlue exploit.

Worms

Self-replicating program that is usually self-contained (it needs no host file) and can execute and spread across networks or removable media without user interaction.
Ex: Stuxnet, which spread via USB drives and network shares.

Trojans

Seemingly friendly software that contains hidden malicious software.
Ex: Sub7, Back Orifice, etc. (classic remote access trojans, or RATs).

Rootkits

Malicious code that installs itself at the OS or kernel level (or, for bootkits, in the boot sector or firmware) to hide its own presence and that of other malware. Hard to get rid of because it loads early in the boot process, before or alongside the OS and before security tools start, and it can disable or blind anti-virus and anti-malware software.

Keyloggers

Malicious application that, once installed, captures all keystrokes (credentials, chats, emails, etc.) and typically stores or exfiltrates them to the attacker.

Adware

Malware that is installed on an infected machine to deliver ads.

Spyware

Malware that captures user activity (i.e. keystrokes, web browsing activity, etc.) and reports it back to a third party without the user's knowledge or consent.

Botnets

A botnet is a network of compromised hosts (bots) whose malware connects to one or more command & control (C&C) servers; the operator can direct thousands of bots at once, e.g. for massive DDoS attacks, spam campaigns, or credential stuffing. Regular C&C check-ins (beaconing) are a key indicator of compromise.
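The indicators named in the Indicator of Compromise section (unusual outbound traffic, DNS anomalies) and the C&C beaconing of a botnet can both be spotted with simple detection logic over host or proxy logs. The following script is an added example written for this page, not code from the original notes: it runs two checks over a handful of constructed log lines in a hypothetical "timestamp host event detail" format. The DNS check flags hostnames whose leftmost label is long and high-entropy (DGA-like), and the connection check flags hosts that contact one destination at near-constant intervals. The thresholds (12 characters, 3.5 bits, 4 connections, 10% jitter) are assumptions chosen for the sample data, not tuned values.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real telemetry). Format is assumed:
# "<ISO timestamp> <host> <event> <detail>". ws-17 resolves a random-looking
# hostname and then connects to one address every 60 seconds (beaconing);
# ws-22 shows ordinary, irregular browsing.
SAMPLE_LOGS = [
    "2024-01-10T09:00:00 ws-17 DNS a1b2c3d4e5f6g7h8.evil-example.net",
    "2024-01-10T09:00:05 ws-17 DNS www.example.com",
    "2024-01-10T09:01:00 ws-17 CONN 203.0.113.7:443",
    "2024-01-10T09:02:00 ws-17 CONN 203.0.113.7:443",
    "2024-01-10T09:03:00 ws-17 CONN 203.0.113.7:443",
    "2024-01-10T09:04:00 ws-17 CONN 203.0.113.7:443",
    "2024-01-10T09:00:30 ws-22 DNS mail.example.com",
    "2024-01-10T09:00:41 ws-22 CONN 198.51.100.5:443",
    "2024-01-10T09:17:12 ws-22 CONN 198.51.100.5:443",
    "2024-01-10T10:05:03 ws-22 CONN 198.51.100.5:443",
]


def shannon_entropy(text):
    """Bits of entropy per character; high values suggest a machine-generated label."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(hostname, min_len=12, min_entropy=3.5):
    """Flag a hostname whose leftmost label is both long and high-entropy."""
    label = hostname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line):
    """Parse one line of the assumed log format into a dict."""
    ts, host, kind, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def find_beacons(events, min_conns=4, max_jitter=0.1):
    """Return (host, destination, mean_interval_seconds) for host/destination pairs
    whose connections recur at near-constant intervals: a crude beaconing check."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["kind"] == "CONN":
            by_pair[(ev["host"], ev["detail"])].append(ev["ts"])
    beacons = []
    for (host, dst), times in sorted(by_pair.items()):
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        spread = statistics.pstdev(gaps)
        # Low relative spread means the interval is regular, as with a fixed C&C sleep.
        if mean > 0 and spread / mean <= max_jitter:
            beacons.append((host, dst, mean))
    return beacons


def analyze(lines):
    """Run both checks and return the flagged DNS lookups and beaconing pairs."""
    events = [parse_line(line) for line in lines]
    dga = [(ev["host"], ev["detail"]) for ev in events
           if ev["kind"] == "DNS" and looks_dga(ev["detail"])]
    return {"dga_domains": dga, "beacons": find_beacons(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(name, hits)
```

Two caveats a practitioner should keep in mind: real C&C implants often add randomized sleep (jitter) to defeat exactly this interval check, so the jitter threshold has to be loosened and combined with other signals such as destination reputation; and entropy alone will false-positive on legitimate machine-generated hostnames (CDNs, cloud storage, tracking pixels), so DGA hits should be correlated with NXDOMAIN rates and domain age before anyone is paged.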

Logic Bomb

Piece of malicious code that lies dormant until a trigger condition is met, such as a specific date or time or a specific event (e.g. an employee's account being disabled), and then executes its payload.

Backdoors

Software that provides covert access to a system while bypassing normal authentication. Backdoors may open listening ports or phone home to the attacker, and they are commonly used to steal credentials, install keyloggers, or load additional malware.
