Patterns of malware and digital attacks: A guideline for the security enthusiast

Academic year: 2022


Thesis no:

URI: <urn:nbn:se:bth-16314>

Patterns of malware and digital attacks

A guideline for the security enthusiast

Volkan Güven

Faculty of Computing

Blekinge Institute of Technology


This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the bachelor's degree in Software Engineering. The thesis is equivalent to 10 weeks of full-time studies.

Contact Information:

Author: Volkan Güven

Email: volkan.guven@hotmail.se

University adviser: Fredrik Erlandsson


Abstract

Context: In today's era, many things depend on the internet, and the devices and applications that use it proliferate. Every day, many devices are targeted by malevolent virus authors, and protecting data from malicious actors becomes a formidable challenge. A ransomware named CryptoLocker has caused many individuals, hospitals, and institutions thousands if not millions of dollars in damage by encrypting computer files and demanding a ransom in return. Once the ransomware strikes a system, recoverability is almost non-existent if no backup or system restore is present, because the private key that was used to encrypt the files is itself encrypted and sent to the attacker's database. Without the key, there is no way to restore the files.

Objective: Exploratory research is conducted to reveal unique methods that ransomware and keyloggers may use to strike a system. The goal is to disclose protection policies for Windows systems to security enthusiasts and computer users. Three main objectives are present: how viruses hide in a system without deploying any rootkit to conceal the malware, how ransomware and a keylogger can be used together to deliver damage, and how to conceal the CPU usage of the ransomware during the encryption routine.

Method: To answer the questions and explore new features, a ransomware, a keylogger and a trojan horse are built. The original CryptoLocker architecture has been analyzed, and some methods have been derived from it. The final applications run on the Windows operating system, Windows 10. Win32 API, C++, and C# are used for the construction of the malware programs. Visual Studio 2017 has been used as the IDE.

Results: The test results reveal that running the encryption routine as a background thread conceals the CPU usage, although the operation time increases fivefold. The experiments show that disguising a malware program in the task manager process list is possible by setting a Win32 API flag during the execution of the program. Changing the malware's name, signature, and description further increases how long the program goes unnoticed by everyday users.

Keywords: malware, ransomware, keylogger, virus, antivirus, encryption, infection, protection, user guideline, digital attack


I sincerely thank uncle Fatih; you go above and beyond the call of duty, to the point where you have always been an adviser to me.


Table of contents

1. INTRODUCTION 5

1.1. Background 5

1.2. Purpose 6

1.3. Importance of the thesis in business and technological field 6

1.4. Scope 7

2. RESEARCH QUESTIONS 8

2.1. Objectives 8

3. RESEARCH METHOD 8

4. LITERATURE REVIEW 9

5. ANALYSIS AND RESULT 11

5.1. Ransomware Analysis And Results 11

5.1.1. Ransomware Analysis 11

5.1.2. Ransomware Results 13

5.2. Keylogger Analysis And Results 14

5.2.1. Keylogger Analysis 14

5.2.2. Keylogger Results 15

5.3. Cooperation of Keylogger and Ransomware Analysis And Results 15

5.3.1. Cooperation of Keylogger and Ransomware Analysis 15

5.3.2. Cooperation of Keylogger and Ransomware Results 16

5.4. The Frailty of Antiviruses 17

5.5. Virus Detection of Windows Defender and Kaspersky 18

5.6. Basic Virus Protection 19

6. CONCLUSION 20

7. FUTURE WORK 20

8. REFERENCES 21


1. INTRODUCTION

This thesis aims to reveal both threat and protection policies for different kinds of users. For security enthusiasts, different approaches to constructing malware are presented, as well as how ransomware can be scheduled and how its encryption routine can consume less CPU power, with its benefits and implications. The ways a keylogger can be started up with the computer and send pieces of information, screenshots, and activities performed on the computer to the attacker's server are presented.

The cooperation of the keylogger and ransomware on the victim's machine is demonstrated, along with the ways a keylogger and ransomware can be delivered via a stooge program, a Trojan Horse [5].

How can malware executables be disguised in the process list without injecting a rootkit? The idea here is to show the simplicity of deploying malware with a different name and signature that would go unnoticed by most users, without creating a rootkit that would hide the malware from the process list.

For casual users, this thesis will demonstrate both the importance and the disadvantages of antivirus software, the basic locations on the computer where malware can hide, the gravity of keeping the machine up to date, and the steps to be taken when downloading a file.

The weaknesses of UAC (User Account Control) are noted, and basic social engineering techniques are part of the research. The flaws of UAC and the moments when an attacker can subtly save applications on the machine are discussed.

1.1. Background

According to a research study [1], an increasing share of users are children and average computer users. Minors are downloading pirated games, and adults are visiting sites where they hope to get a free license for paid applications. Attackers take advantage of users who do so.

This paper focuses on a situation in which a keylogger and ransomware collaborate: the keylogger runs until a determined date, and finally the ransomware finishes off the task with the ransom demand. To evaluate this claim, a ransomware and a keylogger are constructed, for the sake of providing further protection insights and suggestions against such threats.

According to Rick Correa, principal malware researcher, encryption speed is important for the ransomware operation [2]. As stated in the article, the faster ransomware finishes the encryption process, the later it is detected by protection software. Our approach is to analyze when optimization is vital for the encryption routine.

Hiding the threat program from the process list by applying a rootkit, or by taking over another process's entry point, requires injecting and servicing additional malware. This thesis will point out the natural ways a program can disguise itself without the need for any of the mentioned techniques.

1.2. Purpose

The purpose of this thesis is to enlighten security enthusiasts about the different ways malware can be delivered. One of the core objectives is to explore and discover new ways for a malware application to disguise itself in the Windows process list. Tactical methods to convince users into installing a stooge program, and how users should avert such programs, are suggested.

During the creation of the ransomware, the default antivirus, Windows Defender, is put to the test for integrity and reliability, in order to measure the speed of antivirus detection against the malware programs.

Another purpose is to enlighten casual users who have minimal or no knowledge of how processes operate behind the scenes and are easily lured into accepting UAC prompts.

Casual users are abundant at companies, infrastructures, and homes. They often do not pay attention to the links they click, the files they download and the executables they run on the local machine. Their wrongful actions can be costly to the company and to the user. These users lack the knowledge of what the files actually contain when they open them.

1.3. Importance of the thesis in business and technological field

According to the CNN news article “Why hospitals are so vulnerable to ransomware attacks” [3]:

“After WannaCry, Microsoft made the surprising decision to issue patches for old Windows systems it no longer supports because so many firms -- including those in healthcare and infrastructure -- run old software that was vulnerable to the attack.”


Because Microsoft ends mainstream support for older systems, and because infrastructure and healthcare still run legacy systems that are not forward compatible with later operating systems, a patch was obliged. Many companies run on old, unsupported Windows systems, while Microsoft, as the vendor of the Windows operating systems, ends mainstream support ten years after an operating system's initial release, with an additional five years of extended support. The following operating systems are no longer supported by Microsoft:

Windows 1.0, Windows 2.0, Windows 3.0, Windows NT 3.1, Windows for Workgroups 3.11, Windows NT Workstation 3.5, Windows NT Workstation 3.51, Windows 95, Windows NT Workstation 4.0, Windows 98, Windows 98 Second Edition, Windows Me, Windows 2000, Windows XP, Windows Vista.

There is no direct solution to the problem of infrastructures that use old systems, even though these systems are likely to be targeted by malware developers using an exploit, since no patch is expected to be released by Microsoft. Some infrastructures may still use legacy applications that are not forward compatible with modern operating systems such as Windows 10. Upgrading the legacy software is expensive, and the company may not be able to pay for it.

It is a tragedy to witness the statistical diagram by NetMarketShare showing that over 50% of machines still run on unsupported versions of the Microsoft operating system [4].

1.4. Scope

The focus of this thesis is to expose new malware methods and the most basic protection techniques against malware for everyday users. Advanced infection methods are excluded. Most importantly, the decryption method is not within the scope of the thesis. Although it is implemented in the original malware, there is no point in explaining the decryption process in this thesis, where only encryption is essential.

Infection methods that take over an application's entry point are omitted. Infection through a network is omitted.

The suggested methods and implemented malware target the Windows operating systems Windows Vista, 7, 8, 8.1 and 10. The explained methods may not carry over to other operating systems, e.g., Mac OS X or Linux.


2. RESEARCH QUESTIONS

The research questions in this thesis are:

1. When ransomware is encrypting the victim's machine, the CPU usually spikes. Is there any way to conceal the CPU usage?

2. What other methods exist to easily disguise malware executables in the task manager process list without injecting a rootkit that would completely hide the malware from the process list?

3. How can a keylogger and ransomware cooperate on a machine to deliver damage?

2.1. Objectives

The thesis demonstrates how ransomware and a keylogger can cooperate to deliver damage. The critical standpoint is that when the ransomware strikes the system, there is no guarantee that the user will pay the fee to restore their files, and even so, the keylogger will no longer capture accurate information, as the user will most likely isolate the machine. The primary goal is therefore to schedule the ransomware to run at a later point in time while the keylogger operates until a determined date. This way, information is siphoned off the targeted machine until the ransomware's execution date is reached.

As the ransomware is created, the ways to mitigate the CPU usage occupied by the encryption functionality are revealed.

3. RESEARCH METHOD

This thesis is based on exploratory research. To reveal answers to the research questions, the construction of different malware is deemed necessary.

For the ransomware implementation, the CryptoPP [6] library for C++ is used for the encryption routine. The keylogger is constructed in C++ with the Win32 API [7].

The trojan horse is built in C# with the .NET Framework.

The Windows developer site MSDN and the CryptoPP site were consulted for implementation details.

Visual Studio 2017 has been used as an IDE to construct all of the malware.


4. LITERATURE REVIEW

The study [11] reports the effectiveness of the protection offered by some top-tier antiviruses (Avast, Kaspersky Internet Security, McAfee, Norton, Symantec, Trend Micro) against contemporary malware. The study quantifies the fraction of malware detected successfully by the antiviruses during the study period and the time required for detection after the malware's initial appearance. The study also records the antiviruses' responses to the malware's execution.

Windows Defender is excluded from the study [11]; however, it is included in this thesis. Additionally, Kaspersky antivirus is tested against the custom ransomware and the custom keylogger, and its time to detect the malware is compared with that of Windows Defender.

Antiviruses use different detection techniques. According to the study [11], antiviruses use signature-based detection and behavior-based detection techniques. The website [13] about virus detection techniques confirms the same claims and explains the same methods that [11] describes.

Signature-based detection is a static method most commonly used by antiviruses. When a computer receives a new file, the signature-based detector scans the file. If the file contains a byte sequence that matches one of the known malware byte-based identifications, the file is considered a risk and is quarantined. These byte-based identifications are commonly known as signatures. Traditional signatures are typically derived by analyzing the contents of files that have been confirmed to be malicious. This file analysis takes time. This detection technique cannot detect new, not-previously-identified malware for which no signature is available.

Behavior-based detection has the potential to detect new malware by monitoring system activities, configuration changes, network communications, and user interaction. It can also provide swift protection against dangerous executions by preventing actions that violate predefined execution restrictions.

Additionally, the report claims that Kaspersky's behavior-based detection protects registry keys and denies 40.38% of the malware that tries to modify the registry entry \Software\Microsoft\Windows\CurrentVersion\Run. The results for the keylogger's autostart registration are presented in chapter 5.5, Virus Detection of Windows Defender and Kaspersky.


Image 1, taken from the empirical study [11], displays the percentage of malware detected by each antivirus. Since Kaspersky is chosen to test the keylogger and ransomware, the statistics for Kaspersky are important.

Image 1. Percentage of the malware detected by the AVs at a different number of days from zero days.

According to the graph, more than 60% of the malware was detected by Kaspersky on the zero day, whereas it took days or even weeks to detect the rest.

The study [11] claims that behavior-based detection does not seem to improve the antiviruses' ability to quarantine malicious programs before they are executed. The result of this claim is presented in 5.5, Virus Detection of Windows Defender and Kaspersky.


5. ANALYSIS AND RESULT

This chapter contains the results and the methods used for each malware. The yielded results and their advantages and disadvantages are discussed. Also, how the antiviruses reacted to our malware and the frailty of antiviruses against newly distributed malware are presented.

5.1. Ransomware Analysis and Results

To answer the question, “When ransomware is encrypting the victim's machine, the CPU usually spikes. Is there any way to conceal the CPU usage?”, the encryption routine is altered.

5.1.1. Ransomware Analysis

Through the experiments with the ransomware, it is revealed that limiting the number of files to encrypt is the better approach. The disadvantage is that encrypting the wrong files could aggravate the computer's health. Ransomware developers expect returning customers: customers with a healthy computer who only need to pay to save their data. Dump files, temporary files, system files, and executable files are not worth encrypting. Documents, pictures, and movies are among the files most commonly regarded as fragile and are among the first to fall victim to the ransomware.

The following file extensions are merely a portion of the files the custom ransomware targets.

*.doc, *.avi, *.bik, *.dat, *.h264, *.m4v, *.mkv, *.mk2v *.mod, *.mov, *.mp4, *.mpeg,

*.mpg, *.gif, *.ogv, *.jpg, *.jpeg, *.prproj, *.png, *.rec, *.rmvb, *.swf, *.bpg, *.wmv, *.3ga,

*.aac, *.svg, *.y, *.yy, *.l, *.ll, *.flac, *.gp4,*.gp5, *.gpx, *.logic, *.m4a, *.m4b, *.m4p,

*.mp3, *.ogg, *.wav, *.wma, *.wpl, *.zab, *.arw, *.cr2, *.crw, *.dcr, *.dng, *.fpx, *.mrw,

*.nef, *.orf, *.pcd, *.ptx, *.txt, *.raf, *.raw, *.rw2, *.ai, *.cdr, *.csh, *.csl, *.cs, *.pic, *.svg,

*.svgz, *.wmf, *.icns, *.ico, *.mdi, *.psb, *.max, *.pro, *.stl, *.u3d, *.docm, *.docx, *.dot,

*.dotm, *.dotx, *.epub, *.key, *.keynote, *.odf, *.ods, *.odt, *.ott, *.oxps, *.pages, *.pdf,

*.pmd, *.pot, *.potx, *.pps, *.ppsx, *.ppt, *.pptm, *.pptx, *.prn, *.ps, *.pub, *.rtf, *.sxw,

*.tpl, *.vsd, *.wpd, *.wps, *.wri, *.xps, *.big, *.cab, *.dds, *.hi, *.lng, *.pak, *.res, *.sav,

*.wotreplay, *.wowpreplay, *.asmx, *.ashx, *.aspx, *.py, *.cc, *.src, *.cpp, *.c, *.h, *.hh,

*.jsp, *.jspx, *.wss, *.do, *.action, *.js, *.pl, *.php, *.php4, *.php3, *.vob


The common target folders are, but not limited to:

C:\Users\AnotherUser\

C:\Users\Username\

C:\Users\Username\Pictures

C:\Users\Username\Desktop

C:\Users\Username\Document

C:\Users\Username\Videos

The custom ransomware does not limit itself to the main disk C:\, and already encrypted files are not a concern for the ransomware, as encrypted files can be re-encrypted; the exception is files that already have the extension .vogu. Each encrypted file must end with an additional extension to distinguish it from other files. The extension signature is .vogu for all encrypted files (.vogu is the extension chosen to mark the encrypted files).

The ransomware iterates through all available disks and performs the same encryption operation on all of the associated files.

How the ransomware encrypts files is shown in Image 2.

Image 2. Encryption process


An encryption key is initialized for each unique computer before proceeding with the file encryption. The same encryption key is used for all files. Before the encryption process kicks in, the ransomware monitors the internet connection. Once the computer is connected, the operation begins.

The file extension .vogu is set, and the encrypted file is created through a file stream. The file stream encrypts and writes each byte to the new file with the .vogu extension. Suppose the custom ransomware targets the following file:

C:\Users\Volkan\MyWorkProject\Daily report for my company.ppt

After the ransomware encrypts the file, the new file C:\Users\Volkan\MyWorkProject\Daily report for my company.ppt.vogu has the original file size plus the IV size. The IV takes up 1 byte. If a file is 400 KB, the new size with the appended IV is 401 KB.

5.1.2. Ransomware Results

Typically, the encryption operation consumes more than 90% of the CPU and slows down the computer, which could alert the victim. Running the encryption with a thread prioritizer is one of the solutions.

Test results showed that during the encryption process the CPU usage drops from about 90% to about 8%. It is more than an improvement, but with a disadvantage: the time to complete the operation increases by five times. If it takes 10 seconds to encrypt 1 GB of file(s), it takes 50 seconds with the thread manager. The CPU serves processes with higher priority as first-class citizens.

The test results also revealed that when the range of files is filtered by their extensions, the number of files to encrypt on the victim's machine is reduced. It helps to complete the encryption process in a much shorter time without alerting the user. Another critical point is that by filtering the extensions, the ransomware does not accidentally encrypt system files, which could aggravate the system's health.


5.2. Keylogger Analysis and Results

The question, “What other methods exist to easily disguise malware executables in the task manager process list without injecting a rootkit that would completely hide the malware from the process list?”, is answered here.

5.2.1. Keylogger Analysis

Since the custom ransomware is a one-shot deal, the keylogger is ideal because it basically runs all the time on the victim's machine.

Two objectives are planned. The first is to construct a keylogger through a series of states, each state responsible for a specific action. The keylogger operation inside a machine is shown in Image 3.

Image 3. Keylogger operation

The second objective is to find a way to disguise the keylogger in the process list. It turns out that the Win32 API has a flag named SW_HIDE [8], which can be passed as the second parameter of the function ShowWindow(handle, SW_HIDE). It hides the malware from the process list of the task manager.

The essential standpoint is that, even though the malware is hidden from the process list, it is still visible on the Details page of the task manager. If the custom keylogger has the name “keyloggerMW.exe”, it is easily traceable even by the most casual computer user. To further camouflage the malware, more modification must be done to the file.


Visual Studio has a feature for adding a resource file to manipulate the targeted operating systems, file attributes, bitmaps, etc. The file extension is .rc [16]. Changing the executable name, description and company name to those of a trusted Windows service that always runs on most Windows computers will help to disguise the malware.

svchost.exe is present in most recent operating systems, from Windows 7 up to Windows 10. Checking for the existence of svchost on Windows 7, 8, 8.1, and 10 confirmed the claim. Because a substantial number of processes run under the name “svchost.exe”, it is easy to disguise the malware on the Details page. The objective is to change the file name of the keylogger from keyloggerMW.exe to svchost.exe; setting its description to “Host Process for Windows Services” makes it seem like a genuine Windows service.

5.2.2. Keylogger Results

The yielded results indicate that starting an application with the internal flag SW_HIDE hides the application from the process list, and the executed malware's name can be changed to any name from the process list. A substantial number of processes run under the name svchost.exe.

Altering the file signature greatly reinforces undetectability by casual computer users, i.e., by changing the file signature to Host Process for Windows Services. It suggests that any malware can blend in under the name svchost or that of similar Windows services.
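A defender's check for the svchost masquerade described in this section, added here as an example and not part of the thesis: a genuine Host Process for Windows Services runs from System32 (or SysWOW64) and is started by services.exe, so a process that carries the svchost name or description without those properties is exactly what the Details tab would show for the renamed keylogger. The process inventory is constructed sample data; `Proc`, `svchost_findings` and the legitimate-location constants are this script's own assumptions.

```python
"""Spot processes that borrow the svchost.exe name or description.

Constructed, offline example: the process inventory below is sample data
built for this script.  On a real host the same five fields come from Task
Manager's Details tab or from psutil/WMI; they are embedded here so the
check runs anywhere.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Properties a genuine Host Process for Windows Services has (assumptions a
# defender can verify on a clean machine): it lives in System32/SysWOW64 and
# is started by the Service Control Manager, services.exe.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_SVCHOST_PARENT = "services.exe"
SVCHOST_DESCRIPTION = "host process for windows services"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str         # image name as the Details tab shows it
    path: str         # full image path
    parent_name: str  # image name of the parent process
    description: str  # FileDescription from the version resource (.rc)


def svchost_findings(procs):
    """Return (pid, reason) for every process that claims to be svchost but
    lacks a property the genuine one always has."""
    findings = []
    for p in procs:
        claims_svchost = (p.name.lower() == "svchost.exe"
                          or SVCHOST_DESCRIPTION in p.description.lower())
        if not claims_svchost:
            continue
        image = PureWindowsPath(p.path)
        if image.name.lower() != "svchost.exe":
            # Description copied from svchost onto a differently named binary.
            findings.append((p.pid, f"svchost description on {image.name}"))
        elif str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
            # Renamed binary dropped in a writable folder (the thesis' case).
            findings.append((p.pid, f"svchost.exe running from {image.parent}"))
        elif p.parent_name.lower() != LEGIT_SVCHOST_PARENT:
            findings.append((p.pid, f"svchost.exe started by {p.parent_name}"))
    return findings


# Constructed sample inventory.
SAMPLE_PROCS = [
    Proc(904, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         "Host Process for Windows Services"),
    Proc(1120, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         "Host Process for Windows Services"),
    # Keylogger renamed and re-described as in section 5.2, dropped under
    # ProgramData and launched from the Run key, so its parent is explorer.exe.
    Proc(4312, "svchost.exe", r"C:\ProgramData\Microsoft Events\svchost.exe",
         "explorer.exe", "Host Process for Windows Services"),
    # Only the description was borrowed; the file kept its own name.
    Proc(5004, "keyloggerMW.exe", r"C:\Users\Alice\Downloads\keyloggerMW.exe",
         "explorer.exe", "Host Process for Windows Services"),
    # Genuine path, but launched from a shell rather than by services.exe.
    Proc(6000, "svchost.exe", r"C:\Windows\System32\svchost.exe", "cmd.exe",
         "Host Process for Windows Services"),
    Proc(2210, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe",
         "Notepad"),
]

if __name__ == "__main__":
    for pid, reason in svchost_findings(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
```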

5.3. Cooperation of Keylogger and Ransomware Analysis and Results

The final research question, “How can a keylogger and ransomware cooperate on a machine to deliver damage?”, is answered here.

5.3.1. Cooperation of Keylogger and Ransomware Analysis

In order to set up the environment for the malware, a trojan horse is built. The trojan horse can be any application, as long as it looks legitimate and convinces users to approach the stooge program. How it functions, what it does, and how it does it are inessential, as long as the user is convinced into downloading it.


For the sake of simplicity, a stooge program can be nearly anything, from games to movies, music or a free license activator. Depending on the developer's social engineering skills, the advertised trojan horse can be promoted as a genuine application.

When the user downloads the stooge program, additional installation packages for the malware are unpacked; with a series of UAC confirmations from the user, all of the applications are installed. This is a basic bypass method to deliver damage.

It is not important where and how the trojan horse is installed on the computer. The main objective in this context is to run all the UAC-requiring malware applications and install them in their respective locations on the computer. As shown in Image 4, the ransomware is placed in C:\ProgramData\Windows\ and the keylogger is placed in C:\ProgramData\Microsoft Events\.

Image 4. Trojan horse operation

5.3.2. Cooperation of Keylogger and Ransomware Results

The scheduler is an application that schedules the ransomware in Windows Task Scheduler. After a successful installation of the malware packages, the keylogger operates from the infection date until a determined date, e.g., one month later. Meanwhile, the ransomware resides in C:\ProgramData\, or any other reliable folder, waiting for Windows Task Scheduler [9] to execute it. Let us remind ourselves that the term reliable (for the attacker) refers to a location that the casual user will most probably never visit. E.g., ProgramData is a folder inside C:\ that is hidden from sight.

The chosen folder names, Microsoft Events and Windows, further disguise the locations of the malware. The ransomware is placed inside the Windows folder whereas the keylogger is placed inside the folder Microsoft Events. These two folders are created upon installation (regardless of whether they already exist).

In due course, the ransomware starts. The necessary encryption and system-check protocols (internet status, disk size, number of hard drives) are launched. Once the protocols are finished, the encryption routine starts, and finally the ransomware encrypts the private key and sends it to the database.

The keylogger is put into the registry so that it starts up whenever the computer restarts. The keylogger operates until a date, in the case of this thesis one month later. When the time is up, the scheduler starts the ransomware.
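The persistence laid out in 5.3.1 and 5.3.2 (a Run-key value pointing into a Windows-sounding folder under ProgramData, and a scheduled task with a single trigger weeks away) leaves two autostart entries that an audit can flag. The script below is an added example, not the thesis' code; the entries are constructed sample data, and `Autostart`, `audit`, the trusted-root list and the seven-day time-bomb horizon are this script's assumptions.

```python
"""Audit autostart entries for the persistence pattern described above.

Constructed, offline example: the entries below are sample data.  On a real
host the Run-key values come from the CurrentVersion\\Run key under HKCU and
HKLM, and the task entries from Task Scheduler; they are embedded here so the
audit runs anywhere.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Roots where autostarted binaries are expected (assumption: a standard C:
# install).  Anything else is writable by an ordinary user or installer.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Folder-name words the thesis uses to make a writable path look official.
LOOKALIKE_WORDS = ("windows", "microsoft")
# A single trigger further out than this is treated as a time bomb (assumption).
TIME_BOMB_HORIZON = timedelta(days=7)


@dataclass(frozen=True)
class Autostart:
    source: str                        # "run-key" or "task"
    name: str                          # value name or task path
    command: str                       # command line as registered
    run_at: Optional[datetime] = None  # one-time trigger; None = at logon/boot


def image_path(command: str) -> str:
    """Extract the executable from a registered command line.  A quoted path
    runs to the closing quote; otherwise the first token is taken (an unquoted
    path containing spaces is ambiguous on Windows and is cut at the space)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def audit(entries, now: datetime):
    """Return (source, name, reasons) for each entry showing a warning sign."""
    findings = []
    for e in entries:
        image = PureWindowsPath(image_path(e.command))
        low = str(image).lower()
        reasons = []
        if not any(low.startswith(root + "\\") for root in TRUSTED_ROOTS):
            reasons.append("image outside Windows/Program Files")
            folders = [part.lower() for part in image.parent.parts]
            if any(w in f for f in folders for w in LOOKALIKE_WORDS):
                reasons.append("Windows-like folder name under a writable root")
            if image.name.lower() == "svchost.exe":
                reasons.append("svchost.exe outside System32")
        if e.run_at is not None and e.run_at - now > TIME_BOMB_HORIZON:
            days = (e.run_at - now).days
            reasons.append(f"single trigger on {e.run_at:%Y-%m-%d}, {days} days out")
        if reasons:
            findings.append((e.source, e.name, reasons))
    return findings


NOW = datetime(2018, 5, 1, 9, 0)  # constructed reference time for the sample

# Constructed sample: two ordinary entries, the keylogger's Run-key value and
# the ransomware's delayed task as laid out in sections 5.3.1 and 5.3.2.
SAMPLE_ENTRIES = [
    Autostart("run-key", "OneDrive",
              r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    Autostart("task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
              r"C:\Windows\System32\defrag.exe -c -h -o"),
    Autostart("run-key", "svchost",  # value name is constructed
              r'"C:\ProgramData\Microsoft Events\svchost.exe"'),
    Autostart("task", r"\Microsoft\Windows\WindowsUpdate",  # constructed task name
              r'"C:\ProgramData\Windows\scheduler.exe"',
              run_at=NOW + timedelta(days=30)),
]

if __name__ == "__main__":
    for source, name, reasons in audit(SAMPLE_ENTRIES, NOW):
        print(f"{source} {name}: " + "; ".join(reasons))
```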

5.4. The Frailty of Antiviruses

Most antiviruses only detect threats that have already been detected, which means the virus signature exists in their database. If the malware has not yet been detected, the antivirus is not aroused. Some advanced antiviruses such as Bitdefender use machine learning algorithms to detect even newly distributed malware, but that process also takes some time.

A legitimate question could be raised: how would a malware developer check the detection status of the application with most of the antiviruses available on the market? It turns out to be quite easy thanks to the site Virus Total [10]. Upon uploading a file, the file is sent to a server for analysis, and the results report which antiviruses detected the program as a threat. It gives the developer the insight to partition the current application into many small files with a third-party tool, to identify precisely where in the code the antivirus flags it as a threat, alter that very part, and distribute it again.

File Splitter and Joiner is a tool to divide the executable program into smaller parts, so that each file can be scanned individually with Virus Total. The process may take some time depending on the size and exact location of the code that triggers the antivirus. In the end, the obfuscation or reconstruction of the whole malware is averted.

The empirical study [11] claimed that antiviruses detect and act upon applications if their signature matches any of the detected signatures in the antivirus database. Chapter 5.5, Virus Detection of Windows Defender and Kaspersky, proves the claim, as the antivirus detects the malware only if the signature is available. Image 5 is taken from the empirical study [11].


Image 5. Antivirus operation

5.5. Virus Detection of Windows Defender and Kaspersky

Windows Defender detected and flagged the keylogger after it had been running continuously for three weeks, whereas it took Kaspersky two days to detect it. The ransomware's file encryption is blocked immediately by Kaspersky, whereas with Windows Defender the encryption process by the ransomware completed successfully without being blocked. The ransomware, however, is detected by neither antivirus while the application is passive.

File Splitter and Joiner was then used to split the keylogger into smaller .exe files, which were sent to Virus Total. After altering the names of the flagged variables and some hardcoded string values, rescanning the malware did not trigger any virus threats from Windows Defender or Kaspersky.

When the keylogger registers itself in \Software\Microsoft\Windows\CurrentVersion\Run, neither Kaspersky nor Windows Defender triggers any warning or blocks the application from registering. This indicates that Kaspersky and Windows Defender do not always block applications from registering keys in the registry.


5.6. Basic Virus Protection

Inexperienced computer users are not inclined to upgrade the operating system, or at least fetch the updates, to stop common threats from infecting the system. Users usually place more trust in antiviruses. The defects of antiviruses are already mentioned in the previous chapter, 5.4, The Frailty of Antiviruses.

Image 4 shows the process by which the user downloads a file from an untrusted site and the malware files are activated and installed on the user's computer when the user accepts a series of UAC prompts.

The following recommendations are among the basic protection methods to avoid catching an infection. Whenever the user wants to download a file, e.g., TeamViewer, do not approach sites with links like [14] (or any similar websites).

According to the author of the article "Is Softonic Safe?" [12], the survey about the site turned out to be mostly negative due to the substantial number of ads the Softonic downloader shows while downloading a file.

Whenever the user wishes to download a file, he/she should not use torrent sites, sites like en.softonic, or sites with eccentric links, as those sites may bring external data that could compromise the machine. Pay attention to the first link indexed by the Google search.

As for TeamViewer, the link [15] (the official website) is trusted.


6. CONCLUSION

All three research questions are answered. The advantages and implications of running the encryption method as a background thread are revealed. This makes sure that the method runs with the lowest possible priority.

Through different experiments with starting the encryption routine, the results were astonishing. The CPU prioritized other processes with higher priority and gave less time to the encryption function, which took only 5-8% of the CPU time rather than close to 100%.

When other processes are running, the CPU time shrinks to lower than 5% for the ransomware application. The disadvantage of this method is that it takes five times longer to finish the task.

Another disclosed topic is that the API flag SW_HIDE does hide the malware from showing up in the Windows process list. Most running applications are displayed in that list. It is revealed that hiding a process from the Windows process list does not require a rootkit. The disadvantage is that, though the malware is hidden from the process list, it is visible in the task manager Details tab. Because an advanced user can easily spot the running malware on the Details page, it is revealed that changing the file signature and its description to svchost or another Windows application does camouflage it to seem legitimate, and traceability becomes difficult.

The last research question indicates the ways a keylogger and ransomware can cooperate to deliver damage. The basic method of registering the keylogger in autostart, which automatically starts the malware when the machine restarts, is revealed. The very first time the fake antivirus is installed on the victim's computer, the ransomware is saved in C:\ProgramData\Microsoft Events\ with the name svchost.exe.

When the keylogger is run, it is revealed that Windows Defender does identify the running keylogger after a period of three weeks, but it never identified the passive malware, the ransomware. Kaspersky, however, identified the running keylogger on the second day and also failed to detect the passive ransomware.
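Added example, not the thesis's own code: a read-only PowerShell audit a defender can run against the camouflage described above. It flags any svchost.exe registered in the Run keys, in a scheduled task action, or currently running whose directory is not System32 or SysWOW64, and checks the drop path the thesis names. The function and variable names are my own; the path C:\ProgramData\Microsoft Events\svchost.exe is taken from the page.

```powershell
# Added example, not the thesis's own code: read-only audit for a svchost.exe
# that lives outside the Windows system directories. Run from an elevated shell.
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-SvchostMasquerade {
    param([string]$Command, [string]$Source)
    if ([string]::IsNullOrWhiteSpace($Command)) { return }
    # Reduce a command line such as "C:\dir\svchost.exe" -arg to its image path.
    $path = $Command -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    if ([IO.Path]::GetFileName($path) -ine 'svchost.exe') { return }
    # -contains compares strings case-insensitively, so C:\WINDOWS and C:\Windows match.
    if ($SystemDirs -contains [IO.Path]::GetDirectoryName($path)) { return }
    $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
    [pscustomobject]@{ Source = $Source; Path = $path; Signature = $sig }
}

$findings = @()

# 1. Run and RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $findings += Test-SvchostMasquerade -Command ([string]$p.Value) -Source "$key\$($p.Name)"
    }
}

# 2. Scheduled task actions, the other autostart route the thesis cites.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $findings += Test-SvchostMasquerade -Command ([string]$a.Execute) -Source "Task:$($task.TaskPath)$($task.TaskName)"
    }
}

# 3. Processes running under the svchost.exe name right now (the Details tab view).
foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $findings += Test-SvchostMasquerade -Command ([string]$proc.Path) -Source "PID:$($proc.Id)"
}

# 4. The drop location the thesis reports (path taken from the page).
$dropPath = Join-Path $env:ProgramData 'Microsoft Events\svchost.exe'
if (Test-Path $dropPath) { $findings += Test-SvchostMasquerade -Command $dropPath -Source 'ThesisDropPath' }

$findings = @($findings | Where-Object { $_ })   # drop the empties from non-matching entries
if ($findings.Count -eq 0) { 'No svchost.exe found outside the system directories.' }
else { $findings | Format-Table Source, Path, Signature -AutoSize }
```

A genuine service host always resolves to the System32 or SysWOW64 copy with a valid Microsoft signature, so any row in the table deserves a closer look.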

7. FUTURE WORK

More advanced techniques to bypass UAC are needed. Infection methods and spread patterns through the network could be implemented in the next version of this thesis. More research on the optimization of the encryption is also needed.


8. REFERENCES

● [1] Sonia Livingstone, "Children's Use of the Internet".

● [2] "How Fast Does Ransomware Encrypt Files? Faster than ..." - Barkly Blog. https://blog.barkly.com/how-fast-does-ransomware-encrypt-files. Last accessed 25 May 2018.

● [3] "Why hospitals are so vulnerable to ransomware attacks" - CNN Money, 16 May 2017. http://money.cnn.com/2017/05/16/technology/hospitals-vulnerable-wannacry-ransomware/index.html. Last accessed 25 May 2018.

● [4] "NetMarketShare". https://www.netmarketshare.com/operating-system-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Trend%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22platformVersion%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22platformsDesktopVersions%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222017-05%22%2C%22dateEnd%22%3A%222018-04%22%2C%22segments%22%3A%22-1000%22%7D. Last accessed 25 May 2018.

● [5] "What is a Trojan Virus | Trojan Virus Definition | Kaspersky Lab US". https://usa.kaspersky.com/resource-center/threats/trojans. Last accessed 25 May 2018.

● [6] "CryptoPP". https://www.cryptopp.com/. Last accessed 25 May 2018.

● [7] "Windows API Index (Windows) - MSDN - Microsoft". https://msdn.microsoft.com/en-us/library/windows/desktop/ff818516(v=vs.85).aspx. Last accessed 25 May 2018.

● [8] "ShowWindow function". https://msdn.microsoft.com/en-us/library/windows/desktop/ms633548%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396. Last accessed 25 May 2018.

● [9] "Task Scheduler (Windows) - MSDN". https://msdn.microsoft.com/en-us/library/windows/desktop/aa383614(v=vs.85).aspx. Last accessed 25 May 2018.

● [10] "VirusTotal". https://www.virustotal.com/. Last accessed 25 May 2018.

● [11] Orathai Sukwong, Hyong S. Kim, James C. Hoe, "An Empirical Study of Commercial Antivirus Software Effectiveness".

● [12] "Is Softonic Safe?". https://windowsinstructed.com/softonic-safe/. Last accessed 25 May 2018.

● [13] "How antivirus software works: Virus detection techniques". https://searchsecurity.techtarget.com/tip/How-antivirus-software-works-Virus-detection-techniques. Last accessed 30 May 2018.

● [14] "Softonic teamviewer". http://teamviewer.en.softonic.com. Last accessed 30 May 2018.

● [15] "TeamViewer". https://www.teamviewer.com/en/. Last accessed 30 May 2018.

● [16] "Resource File". https://msdn.microsoft.com/en-us/library/y3sk7e6b.aspx. Last accessed 30 May 2018.
