Stages of a Malware Infection

Version 6




    Although various types of malware exhibit vastly different behaviors from each other, they all share a pattern in how they spread and work:



    Infection Phase


    System Exploit


    A System Exploit means that malicious material (such as a piece of software, a chunk of data, or a sequence of commands) takes advantage of a bug, glitch or vulnerability in a service, host, server, network, or more complicated system to perform unauthorized access, illegal privilege escalation, data reveal, or denial-of-service against the system.


    A System Exploit can happen with or without end user engagement. In some cases, such as a phishing email or web link, attackers tempt the end user to click on URL links or buttons in order to execute some malicious material to achieve the exploit . In other cases, attackers can directly exploit the system with sophisticated code or data that targets vulnerabilities, as was the case with ShellShock.


    In this stage, attackers aim for partial or full control of the victim’s browser, host, service or network. They use short and smart malicious materials generally only containing the minimum required content to achieve the exploit. Once the system has been exploited, they use other dedicated materials to execute malicious acitvity.


    Binary (Dropper) Loading


    After the system is exploited, the browser, service, or host downloads a malware binary, or "dropper," generally fetching it from a website completely independent of the original exploit website. Using a separate site to host the dropper helps hide the exploit source.


    The exploited browser, service ,or host then unpacks and executes the binary to load the attackers’ full malware toolkit. When the toolkit is loaded, the malware binary is ready to communicate with the Command and Control (C&C) Host.



    Callback Phase




    Malware callbacks normally come from the internal network to external hosts. The malware binary instructs the infected machine to transmit network callback traffic to the C&C host to signal the attacker that it is ready to be controlled remotely.


    However, some malware callbacks originate from external hosts and go to the internal network. In this infrequent scenario, external hosts scan the Internet to find infected machines. In this case, the C&C host scan can randomly be found in the traffic that tries to enter the internal network. (Fortunately, FireEye detection signatures are normally two ways, so callback traffic in either direction is flagged.)


    Some worms will sequentially or randomly scan a network (either LAN or the Internet) from an infected machine for specific network service vulnerabilities. For example, the worm Conficker A, found in November 2008, propagates by exploiting vulnerability MS08-067 on the NetBIOS service. This scan can be considered a callback.


    Data Exfiltration


    When the callback has established a connection, the C&C host can now control the infected machine, collect data, and transmit the data back to C&C host or another destination.


    In a worm scenario, the copies of malware transmitted to new victims can be treated as data exfiltration. The worm can send out any information from the “Targeted victim” host.





    Example 1:

    A email with a URL link is received by a user; the user clicks the URL, not realizing it's malicious. The link takes the user to an innocent-looking, possibly even popular and well-known, website that executes malicious JavaScript.


    Malware StageAction
    System Exploit

    The browser is redirected to a controlled website that executes malicious JavaScript - for example, containing the heap spray attack code and corresponding shellcode - and compromises the browser.

    Binary (Dropper) LoadingThe exploited browser, now partially or fully controlled, runs the shellcode and downloads a keylogger Trojan archive file from the C&C host. Later the Trojan is unpacked and installed in the infected machine by the shellcode.
    CallbackThe installed keylogger Trojan does not do malicious activity right after the installation; it sleeps for several days. After that, it opens a network connection to a C&C host to collect the data from the victim.
    Data ExfiltrationWhen the end user types on the keyboard, the Trojan transmits the characters to the C&C server. In this case, all the data that the end user types will be exported to the C&C server.


    Example 2:

    A worm finds and exploit a victim (Victim A), which then spreads the infection to other machines (Victim B-1, Victim B-2, etc.) Each new infected machine becomes a mini-C&C Host for the next set of victims.


    Malware StageAction
    System Exploit

    Victim A is exploited with port 445/TCP and the worm is copied from the infected host to %systemroot%\system32. The shellcode creates a remote thread in processes such as svchost.exe and initiates the use of Winsock DLL.

    Binary (Dropper) LoadingAfter 30 minutes sleeping, the worm downloads a binary file called loadadv.exe, which is a tiny HTTP server.
    CallbackWhen the HTTP server is up, it will scan for other vulnerable machines.
    Data ExfiltrationAfter the Victim B host is exploited, the HTTP server on Victim A transmits the worm itself.


    Thanks to Support Engineer felix.tong for contributing this article!