Anatomy of a Malware Attack

Anatomy of a Malware Attack: after watching a recent episode of CSI:Cyber a friend asked me if malware attacks were really that easy to accomplish. That got me thinking about how easy it is for malware to bypass any software protections we use, and how easy it is for us to ignore warnings and neglect to take action because we’re so focused on our work deadlines. Here’s a possible scenario for a malware attack on a computer user. Please, this is only slightly fantasy, all the actions are real-world capable. First, here are the actors:

• John Doe: the computer user. He has a Microsoft Windows computer system and is keeping it up-to-date whenever he remembers (which is not always), and he has a free antivirus program he got off the internet. His system is less than 2 years old, and he primarily uses it for personal and work email, word processing, and spreadsheets. He also does a fair bit of web surfing – online shopping, watching Youtube videos, social networking, and just plain surfing around. While he has Internet Explorer, he prefers to use Google Chrome which he downloaded 2 years ago when he got the computer.
• Hacker #1 “Zobno”: This is a relatively unskilled hacker who buys his malware from websites on the internet. Some might call him a ‘script kiddie‘, but while he’s not a code expert, he does know enough to have figured out how to create and run a botnet – a group of compromised computers. He mostly does this for the fun of it, but has recently discovered that he can make serious money hacking.
• Hacker #2 “Pwn2ownZ”: This is a hacker who’s been at it since his early teens. Now in his 20’s, he’s been making a good living buying and selling his botnet services for many years now. He’s very good at covering his tracks, and knows he’s unlikely to get caught.

Now comes the opening scene, the Initial Infection. John is surfing away on his computer, and is in a hurry because he knows he has to get some work done today. But first he wants to check on his social accounts, take a quick look at email, and play an mp3 that a friend gave him on a thumbdrive. He does one of the following, any one of which will download a small piece of malware onto his computer:

1. he clicks on a link in a random webpage
2. he clicks on a link in an email which opens a webpage
3. he opens a file attachment in an email
4. he sees a popup on his screen, and clicks the OK button without even reading the popup text
5. same popup appears, but he clicks the Cancel button
6. same popup appears, but he clicks the x at the top-right, or anywhere on the popup
7. he inserts the thumbdrive in his computer’s USB port

Any one of these are relatively innocuous actions he’s taken hundreds of times in the past and never thought anything about it. But this time, something different happened, not that he’d noticed. That single click or inserting the thumbdrive does the usual and expected action he sees, but also does something else that’s invisible to him. It runs a small script, a little program that performs a few actions without any noticeable activity on the screen:

• it opens a communications port to allow incoming and outgoing traffic through the computer’s firewall, and
• it sends a small message to another computer on the internet that’s already under the control of Zobno. This message tells Zobno that he now has access to John’s computer and also provides some information about John’s computer: the brand and model, the version of Microsoft Windows in use, the current timezone the computer is set to, and a list of installed programs

John doesn’t see anything on his screen or any indication that anything unexpected is happening. Zobno sees this message and then sends a series of scripts (he bought off the internet) to John’s computer during the middle of John’s night:

• A script that sets up a keylogger to capture every keystroke John makes on his computer. The keylogger records and sends these keystrokes to Zobno daily. Zobno starts to collect usernames and passwords every time John logs into websites including his bank and credit card company.
• Another script that sets up a remote administration tool (RAT) so he can remotely control John’s computer. In the middle of John’s night, Zobno logs into John’s computer and uninstalls the antivirus program John had, replacing it with a fake antivirus program that Zobno bought – which uses the same icon so that John won’t know the difference.
• A third script that scours John’s hard drive for email addresses. It then feeds this information back to Zobno who then sells these addresses on the internet to another hacker.
• A fourth script that Zobno bought off the internet that sets up an email service to run on John’s computer, and includes a set of spam messages and a list of thousands of email addresses. This email service runs intermittently on John’s computer, and sends out messages. It also watches for when John is using his computer, and scales back spamming work that it does until John’s computer has been idle for awhile. Zobno starts receiving bitcoin payments as spam that John’s computer sent are acted on by email recipients.
• Another script that makes copies of all the scripts Zobno installed, and hides those copies all over John’s hard drive. Hundreds of these copies are hidden in dozens of file folders. Some of the scripts are setup as individual files and named to look like valid system files for either the operating system or installed hardware or software. Other copies are inserted right into critical Windows system files, – .dll, .exe, and .com files. By the time this script finishes its work, there are over 3,000 copies of each of Zobno’s scripts squirreled away throughout John’s hard drive. Each script has a small bit of code added which watches to see if there’s any activity on John’s computer which the script is supposed to perform. If it doesn’t see any activity for a while, it activates the copy of the script. That way if John removes the original scripts or even a bunch of copies, there will still be other copies to continue doing Zobno’s work.

A few weeks go by and John is toiling away on his computer, and starting to complain how slow it is. John doesn’t realize his computer has become a ‘zombie’ computer under Zobno’s control. By now, Zobno is making a few bucks a week from all the work John’s computer is doing on his behalf. Zobno hasn’t just infected John’s computer, but has dozens of other zombie computers he’s infected just in the last month or so. But Zobno just found a new way to make money – he ‘sells‘ John’s computer to Pwn2ownZ for $20, along with a couple dozen other computers. Zobno starts spending more of his time just infecting new computers, since he can make money faster by selling those zombie computers to other hackers. So he buys a new script to replace the others. This higher-priced script combines the initial infection with email service that simply uses the computer users’s own contact list to send poisoned emails to everyone it can.

Pwn2ownZ now owns John’s computer. He writes and sends a custom script to John’s computer that adds his own keylogger and creates both an email server and a webserver on John’s computer. The email server sets up an email infection distribution system that runs automatically, along with a spam-generating program that distributes malware to large distribution lists Pwn2ownZ has bought off the internet. The webserver has a dozen malware websites on John’s hard drive, and John’s computer starts showing web pages to surfers who visit these websites. Some of the websites are setup as fakes to legitimate websites, with URL addresses that are very close to the legitimate site’s URL. Others are strictly malware sites with URL addresses easy to mistake (like whitehouse.com instead of whitehouse.gov). The websites are all designed to infect unwary visitors’ computers as soon as they open the home page, turning them into zombies and adding to Pwn2ownZ’s growing botnet.

A little time goes by and the keylogger has given Pwn2ownZ tons of website usernames and passwords for everywhere John has been including John’s identity, bank and credit card information as well as login credentials for where John works. Pwn2ownZ sells the latter on the internet to another hacker for $100, but keeps John’s personal information for himself. He then starts to create accounts using John’s credentials, always working through other infected computers so his work can’t be traced back to him.

John has started to notice his computer is working a lot slower than it used to. He sees the hard drive light blinking a lot even when he’s not doing anything, but isn’t sure what’s wrong. He updates his security software and runs scans which come up clean. He writes it off to the vagaries of computers, and stops worrying about it because he has to get his work done.

Pwn2ownZ decides that John’s computer is ripe for more work, so he creates a new script and sends it to John’s computer. This turns John’s computer into a ‘controller’ which is in charge of thousands of other infected computers (a large botnet) and starts to link up these other infected computers to follow instructions given by the controller. Pwn2ownZ remotely controls John’s computer through several other infected computers so he can’t be traced, and starts issuing instructions in scripts to manage his empire of spam sending and malware-laden websites. Pwn2ownZ is now making hundreds of dollars a week from John’s computer and the connected botnet (which is only one of 14 botnets that are being run by Pwn2ownZ). John’s computer is running even slower for John’s work. Pwn2ownZ also sends a script to backup and copy all his other malware that’s on John’s computer into the coding of files and documents in John’s personal folders, setting them up as time-bombs that will restore all the malware he’s installed  from the backup  – every 36 hours if there’s any interruption in service. The system continues to work, and John is none the wiser.

But at this point, John feels that it’s about time for a new computer. He goes out and buys one, and the first thing he does is copy all the personal files and folders from the old computer to the new one. He’s very happy because his new computer is a lot faster than the old one was. But without John’s knowledge, Pwn2ownZ’s programs were also copied in a hidden backup inside John’s personal files. 36 hours go by and the malware restores itself. Pwn2ownZ gets notified that John switched computers, and then resets all his malware programs to run a bit slower than before, using fewer resources. That way John will be less likely to suspect something’s wrong.

John notices that his computer isn’t quite as zippy as it was before, but it’s still faster than the old computer, so he just ignores it and continues working. John also decides to keep his old computer powered on in case he needs it. Pwn2ownZ is now very happy as he has two zombie computers under his control, some credit accounts he’s stolen or created from John’s identity, and access to John’s bank and credit account.

John starts getting dunning notices from credit card companies he’s never dealt with, and sees his bank balance dwindle. Aghast, he finally starts to take action, but resigns himself to losing lots of money, time and perhaps some hair as he deals with the identity theft situation. Quietly in the background his computers are still working and making money for Pwn2ownZ.

If this sounds too fantastical, sorry but it’s quite plausible. Current statistics shows that three out of five computers online have malware on them, and hackers currently control millions of unwary owners’ computers. Hackers are well-funded, highly motivated, and earn insane amounts of money off the botnets they control. This is truly a virtual epidemic, and invisible to most consumers.

So what do you do? Please, please gain some paranoid tendencies in your computer use and follow the guidelines I’ve laid out in these resources:

1. Safe Computing Practices
2. Digital Life Security Checklist
3. Hacker Armor

If you’re at all worried that you’ve been hacked, please take the time to remove and install a fresh copy of your internet security suite (or use the top-rated Bitdefender Internet Security), as well as a malware detection and cleaning tool (we like Malwarebytes Anti-Malware Premium). Be sure to repeat scans until you get a scan that shows nothing detected, and keep your computer system up-to-date. Don’t let your computer become a zombie and help hackers make money!

---

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via (send to @PosiTek), (send to Support@PosiTek.net), using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page