07. Malware & Threat Analysis
The Anatomy of Malicious Software
Malware—malicious software—is the weapon of choice for cybercriminals, nation-states, and hacktivists alike. Understanding how different malware families operate, propagate, and persist is essential for both building defenses and understanding the threat landscape your organization faces.
Today, malware is a multi-billion dollar illicit industry with its own customer support, affiliate networks, supply chains, and venture-funded organizations. Ransomware groups post job listings, run HR departments, and offer employee benefits. Understanding this ecosystem is as important as understanding the technical mechanisms.
🦠 Malware Taxonomy: Know What You're Facing
Not all malware is the same. Security engineers classify threats by two axes: propagation method (how it spreads) and payload objective (what it does once deployed). Misclassifying malware leads to incorrect incident response.
Viruses vs. Worms — Propagation Models
Virus: Malicious code that attaches itself to a legitimate executable file, document, or boot sector. A virus requires human interaction to spread—a user must execute the infected program, open the infected document (macro viruses), or boot from an infected disk. Viruses were the dominant threat in the pre-internet era when software was distributed via floppy disks. Modern examples include macro-based malware in Office documents.
Worm: A self-contained program that replicates autonomously across networks without human interaction. Worms exploit vulnerabilities in network protocols or services to move from machine to machine automatically. The defining characteristic is autonomy—once a single machine is infected, a worm can propagate to thousands of others in minutes. WannaCry and NotPetya are modern worm examples that caused billions in damage within days of release.
Key Difference: A virus needs you to do something. A worm does it entirely on its own.
Trojans and RATs — Deception and Control
Trojan Horse: Malware disguised as legitimate, desirable software. Named after the Greek myth, a Trojan presents a benign exterior (a cracked game, a fake software update, a "free" tool) while concealing malicious functionality. Unlike worms, Trojans cannot self-replicate—they rely entirely on social engineering to trick users into installing them. The attacker's challenge is the delivery; once executed, the Trojan has all the access of the user who ran it.
Remote Access Trojan (RAT): A specific category of Trojan that establishes a covert, persistent backdoor giving the attacker full remote control. Modern RATs provide: real-time desktop viewing and control, webcam and microphone access, keylogging, file system browsing and transfer, process management, and network traffic inspection. Famous RATs include njRAT, DarkComet, Cobalt Strike (commercial, dual-use), and AsyncRAT.
Backdoor: Any mechanism—installed by a Trojan or directly by an attacker—that provides ongoing remote access to a system, bypassing normal authentication. Backdoors can be simple (a hidden user account, an SSH key added to authorized_keys) or sophisticated (a kernel-level implant that intercepts login to always succeed for a specific password).
Ransomware — The Criminal Business Model
Ransomware encrypts the victim's files using strong asymmetric encryption (RSA-2048 or higher) and demands payment—almost always in cryptocurrency like Monero or Bitcoin—for the decryption key. The attacker generates a keypair: the public key is embedded in the malware and used to encrypt files on the victim's machine. Only the attacker's private key (held on their servers) can decrypt them.
Modern Ransomware Tactics:
- Double Extortion: Attackers exfiltrate a copy of all sensitive data before encrypting. Even if the victim restores from backups, the attacker threatens to publicly release the stolen data. Many victims pay even when they have working backups to prevent data leaks.
- Triple Extortion: Extends double extortion by also threatening to notify the victim's clients, regulators, or launch DDoS attacks against the victim if they don't pay.
- Ransomware-as-a-Service (RaaS): Ransomware groups operate franchise models. The core developers provide the ransomware binary, decryption infrastructure, and victim negotiation portal in exchange for 20–30% of ransoms. Affiliates (anyone willing to deploy it) handle the actual attacks. This dramatically lowered the technical barrier to ransomware attacks.
- Dwell Time: Professional ransomware groups don't encrypt immediately on access. They move laterally, gain domain admin rights, exfiltrate data, and identify all backup systems (which they delete or encrypt first) before triggering encryption. Average dwell time before ransomware deployment is 11 days.
Botnets — Armies of Compromised Machines
Botnet: A network of compromised internet-connected devices (bots, zombies) under the centralized control of an attacker (botmaster) via Command and Control (C2) infrastructure. A botnet can consist of thousands to millions of devices—PCs, servers, IoT devices, routers, smart TVs, and industrial equipment.
Botnet Uses:
- Distributed Denial of Service (DDoS): All bots simultaneously flood a target with traffic. The Mirai botnet used 600,000 IoT devices to generate 1.2 Tbps of traffic—the largest DDoS ever recorded at the time (2016).
- Spam Campaigns: Bots send billions of spam and phishing emails using legitimate-looking IP addresses (not the attacker's own).
- Credential Stuffing: Bots attempt stolen username/password combinations against thousands of websites simultaneously.
- Cryptocurrency Mining: CPU/GPU resources of compromised machines are used to mine cryptocurrency for the botnet operator.
- Click Fraud: Bots click on ads to generate fraudulent revenue for the attacker or drain competitors' advertising budgets.
C2 Communication: Modern botnets use sophisticated, resilient C2 channels—Domain Generation Algorithms (DGA) that generate hundreds of potential C2 domain names automatically (requiring defenders to block thousands of domains), DNS tunneling, HTTPS C2 that looks like legitimate web traffic, and even social media platforms (Twitter accounts used as C2).
Rootkits — The Invisible Persistence
A rootkit is malware designed to hide itself and other malicious processes from the operating system itself. Unlike other malware that tries not to be noticed, rootkits actively manipulate the OS to make detection impossible through normal means.
Rootkit Types by Privilege Level:
- User-Mode Rootkits: Operate at the same level as normal applications. They hook user-space API calls—intercepting calls to functions like GetProcesses() and removing their own entries from the returned list. Less stealthy; can be detected by looking at the raw kernel data structures directly.
- Kernel-Mode Rootkits (Ring 0): Most dangerous. Patch the operating system kernel directly. When an administrator runs
lsor opens Task Manager, the kernel itself lies—the rootkit removes malicious files and processes from the output at the lowest possible level. Almost undetectable without external analysis. - Bootkit: Infects the Master Boot Record (MBR) or UEFI firmware. Loads before the operating system—allowing it to manipulate the OS loading process itself. Survives OS reinstallation.
- Hypervisor Rootkit: Operates below the OS by inserting a thin hypervisor under the running operating system, which continues running as a virtual machine. The OS has no awareness it's being virtualized and monitored.
Detection: Cross-view detection compares what the OS reports against raw disk reads or memory dumps taken externally. Discrepancies reveal rootkit manipulation. Tools: chkrootkit, rkhunter (limited effectiveness against sophisticated rootkits), memory forensics with Volatility, and booting from a trusted external medium.
🔬 Malware Analysis: Static vs. Dynamic
When a security analyst captures a new malware sample, they must reverse-engineer it to understand its capabilities before it can be properly attributed, detected, and defended against. This analysis is always performed in an isolated environment (sandbox) disconnected from production networks.
Setting Up a Safe Analysis Environment:
- Use a virtual machine (VMware, VirtualBox) with no network access to the real internet
- Take a snapshot before analysis so you can instantly revert to a clean state
- Use a separate, isolated analysis network if network connectivity is needed for dynamic analysis
- Never analyze malware on a physical machine connected to a production network
Static Analysis — Examine Without Executing:
- Hash the sample:
md5sum malware.exe/sha256sum malware.exe. Submit the hash to VirusTotal to instantly check if the sample is known to any of 70+ antivirus engines. A clean VT result doesn't mean clean—it may be a novel variant. - Extract strings:
strings malware.exe | grep -i "http\|password\|cmd\|powershell". Human-readable strings in a binary often reveal hardcoded C2 domains, IP addresses, file paths, registry keys, and error messages. These are immediate indicators. - File type identification:
file malware.exeandxxd malware.exe | head. The magic bytes at the start of a file (file signature) reveal the true format regardless of the extension. Malware often lies about its extension. - PE analysis (Windows executables): Tools like pestudio or PE-bear reveal the imports (which Windows API functions the program calls—a program importing CreateRemoteThread and VirtualAllocEx is likely injecting code), exports, sections, compilation timestamp, and embedded resources.
- Disassembly and Decompilation: Ghidra (free, NSA-developed) and IDA Pro (industry standard, commercial) convert binary machine code into readable assembly and pseudocode. This is the deepest level of static analysis and requires significant expertise.
Dynamic Analysis — Detonate and Observe:
- Process Monitoring (Process Monitor/Procmon): Record every file system access, registry modification, and network connection made by the malware during execution. The output tells you exactly what persistence mechanisms were installed, what files were created, and what registry keys were added.
- Network Monitoring: Wireshark or Fakenet-NG captures all network traffic generated by the malware—revealing C2 server IPs/domains, communication protocols, and exfiltrated data.
- Automated Sandboxes: Submit malware samples to cloud sandboxes (Any.run, Cuckoo Sandbox, Joe Sandbox) that automatically execute the sample and generate behavioral reports—saving hours of manual dynamic analysis for initial triage.
- Registry Monitoring (Autoruns): Check which autorun locations the malware uses for persistence: Run keys, scheduled tasks, services, startup folders, browser extensions, and WMI subscriptions.
⚠️ Historic Case Study: WannaCry (2017)
WannaCry remains one of the most instructive malware incidents in history because it demonstrated how a single unpatched vulnerability combined with worm propagation could cause global catastrophe within days.
The Attack Chain:
- The Exploit: WannaCry used EternalBlue (CVE-2017-0144), an NSA-developed exploit targeting a vulnerability in Windows SMBv1 (port 445). EternalBlue was stolen from the NSA by a group called Shadow Brokers and leaked publicly in April 2017. Microsoft had issued a patch (MS17-010) a month earlier—but millions of systems remained unpatched.
- The Worm: Unlike typical ransomware that required a phishing click, WannaCry actively scanned the internet and local networks for machines with port 445 open. If found unpatched, it entered autonomously, encrypted the drive, demanded $300–600 in Bitcoin, and immediately began scanning for the next victim—all without any human interaction.
- The Impact: 200,000 machines across 150 countries in 72 hours. The UK's National Health Service was paralyzed—surgeries cancelled, patients turned away from emergency departments. FedEx, Telefónica, Deutsche Bahn, and hundreds of other organizations were crippled. Total estimated damage: $4–8 billion.
- The Kill Switch: Security researcher Marcus Hutchins discovered a hardcoded domain in the malware code that was not registered. He registered it for $10.69. When WannaCry called home to that domain and received a response, it interpreted this as a sandbox detection and stopped spreading. This accidentally global kill switch halted the outbreak—but not before the damage was done.
Key Lessons:
- Patch management is not optional. MS17-010 was available 30 days before WannaCry. Organizations that patched were unaffected.
- SMBv1 is a legacy protocol that should be disabled on every network everywhere.
- A worm exploiting a pre-authentication remote code execution vulnerability requires zero user interaction—perimeter defenses and user training provide zero protection against it.
- Network segmentation would have contained the blast radius. If SMB cannot cross segment boundaries, a worm cannot cross them either.
🛡️ Anti-Malware Defense Strategies
- Patch Management: Apply security patches within 30 days of release for non-critical systems, 7 days for critical internet-facing systems, and immediately for actively exploited vulnerabilities. WannaCry proved that 30-day patch windows are sometimes too long.
- Application Whitelisting: Only allow explicitly approved applications to execute. Unknown binaries—including new malware—cannot run. Difficult to maintain but extremely effective.
- Endpoint Detection and Response (EDR): Next-generation endpoint security that monitors process behavior in real time—not just file signatures. Detects malicious behaviors (process injection, credential dumping) even from unknown malware families.
- Email Security Gateway: Sandboxes email attachments before delivery, blocking malicious documents and executables before they reach the inbox.
- Network Segmentation: Limits worm propagation. If SMB traffic cannot cross from the finance VLAN to the engineering VLAN, a worm cannot cross either.
- Offline Backups: Immutable, air-gapped backups that ransomware cannot reach. The 3-2-1 rule: 3 copies, 2 different media types, 1 offsite.
✅ Module 07 Summary
- Classify malware by propagation (virus requires interaction, worm spreads autonomously) and payload (ransomware encrypts, RAT provides control, rootkit hides, botnet coordinates).
- Modern ransomware groups operate as professional businesses with RaaS models, double extortion, and extended dwell times before encryption.
- Static analysis (strings, hashes, PE analysis, disassembly) examines malware without running it. Dynamic analysis (sandbox detonation, process monitoring, network capture) observes behavior during execution.
- WannaCry demonstrated that a single unpatched vulnerability exploited by a self-propagating worm can cause global damage in 72 hours. Patch management and network segmentation are not optional.
- Defense requires layers: EDR, email sandboxing, patch management, network segmentation, and offline backups. No single control is sufficient.
Knowledge Check
Ready to test your understanding of 07. Malware & Threat Analysis?