3. Straight to it: What is Ransomware?
Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
5. Personal favorites !!! (Of course, they shouldn't be yours.)
Scareware
Keyloggers: invisible, they show up as a keyboard!!!
Hardware and software available
Wi-Fi enabled
$10 - £7.70
Does AV look for these? Not really!
25. DLL-related attacks
▪ Rundll32
  ▪ Common process used all the time by Windows
  ▪ Executes arbitrary code in a DLL
▪ DLL Hijacking
  ▪ Takes advantage of the Windows search path
  ▪ KnownDLLs registry key
  ▪ A DLL with the same name will be loaded
  ▪ Fxsst.dll (Fax Service)
26. Process hollowing
▪ A typical process is created on the system in a suspended state
▪ Legitimate code is deallocated and replaced with malicious code
▪ The process is then resumed
▪ Can get around many security products that check the process as it starts
▪ AC patented technique will verify that the process that is running is the same as the process that was initially checked
27. Fileless malware
▪ Wowliks
▪ Poweliks registry-based threat
  ▪ CLSID {FBEB8A05-BEEE-4442-804E-409D6C4515E9} - "ShellFolder for CD Burning"
  ▪ Visits webpages in a hidden browser window and loads advertisements. These adverts can contain malicious content.
▪ Poweliks
  ▪ Uses a base64-encoded PowerShell command
  ▪ PowerShell -Nop -Sta -NonI -W Hidden -Enc JABIDFSFGDJGDKJGHJ
  ▪ Creates a subkey under the CLSID with an objectname 0608 that prevents even admins from opening it
28. Fileless malware (cont.)
▪ Privilege escalation
  ▪ TS WebProxy component. Windows checks that the path ends with mstsc.exe and starts in the system folder. E.g.:
    ▪ %Windir%\System32\mstsc.exe
  ▪ The following path passes the checks but launches bad.exe instead:
    ▪ %Windir%\System32\..\..\temp\bad.exe\mstsc.exe
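The TS WebProxy path check above fails because it tests the raw string; the flawed prefix/suffix test beside a hardened version that canonicalises the path first and then allows only the one expected binary, as an added example that is not from the slides or from Windows itself (the `%Windir%` value, the function names and the traversal input are constructed for the demonstration; the path separators in the slide's example are assumed to have been backslashes):

```python
import ntpath

# Constructed value of %Windir% so the example runs offline on any OS.
WINDIR = r"C:\Windows"
SYSTEM32 = ntpath.join(WINDIR, "System32")
EXPECTED = ntpath.join(SYSTEM32, "mstsc.exe")


def expand(path: str) -> str:
    """Expand only %Windir%, the single variable the slide uses."""
    return path.replace("%Windir%", WINDIR)


def naive_check(path: str) -> bool:
    """The flawed check: does the raw string start in System32 and end in mstsc.exe?
    A '..' traversal segment satisfies both conditions while pointing elsewhere."""
    p = expand(path).lower()
    return p.startswith(SYSTEM32.lower() + "\\") and p.endswith("\\mstsc.exe")


def canonical_check(path: str) -> bool:
    """Hardened check: reject relative paths, collapse '.' and '..' segments,
    then compare the canonical result with the one permitted binary.
    NTFS is case-insensitive by default, so the comparison is too."""
    p = expand(path)
    if not ntpath.isabs(p):
        return False
    canonical = ntpath.normpath(p)  # C:\Windows\System32\..\..\x -> C:\x
    return canonical.lower() == EXPECTED.lower()


# Constructed inputs; the second one follows the slide's bypass example.
LEGIT = r"%Windir%\System32\mstsc.exe"
TRAVERSAL = r"%Windir%\System32\..\..\temp\bad.exe\mstsc.exe"

if __name__ == "__main__":
    for p in (LEGIT, TRAVERSAL):
        print(f"{p}\n  naive={naive_check(p)}  canonical={canonical_check(p)}")
```

The naive check accepts both inputs; the canonical check accepts only the genuine System32 path, because after normalisation the traversal input resolves to `C:\temp\bad.exe\mstsc.exe`.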