1. Backdoors, Logic Bombs, and Rootkits
    1. Backdoor
      1. An (often secret) method of bypassing normal authentication or encryption.
      2. Backdoors are often used to:
        1. secure remote access to a computer
        2. obtain access to plain text data in cryptographic systems.
    2. Logic Bomb
      1. Code that sets off malware once specified conditions are met.
      2. Logic bombs are very likely to be inside jobs.
    3. Rootkits
      1. A collection of computer malware, designed to enable high-level access to a computer. Rootkits often mask their existence, and may mask the existence of other software.
      2. Rootkits deliver a variety of payloads:
        1. Backdoors
        2. Botnet Agents
        3. Adware or Spyware
      3. Rootkit Types:
        1. User-Mode Rootkits:
          1. Operates in Ring 3 of the Windows Protection Ring model (user mode).
          2. Privilege must be escalated to own the box.
        2. Kernel-Mode Rootkits:
          1. Operates in Ring 0 of the Windows Protection Ring model (kernel mode).
        3. Boot Rootkits (Bootkits):
          1. Replaces the boot loader with one controlled by the rootkit.
        4. Hypervisor Level Rootkits:
          1. Exploits hardware virtualization features to (technically) run in Ring -1.
          2. Hosts the target OS as a VM.
          3. This rootkit can intercept hardware calls made by the original OS.
          4. Unlike normal hypervisors, they do not have to load before the OS.
        5. Firmware Rootkit:
          1. Plants a persistent malware image in the firmware of a router, NIC, hard drive, or system BIOS.
          2. This type of rootkit is less likely to be detected because firmware is not usually inspected for code integrity.
2. Malware Evasion Methods
    1. Polymorphism
      1. A class of virus that changes its code, and therefore its signature, each time it replicates. This makes it much harder for an anti-virus program to detect.
      2. Most anti-malware software uses signature detection, which compares suspected malware to a malware pattern (signature) database, also called a repository.
      3. Malware is detected only if it matches an existing signature.
      4. Polymorphic malware commonly evades detection using one or both of these methods:
        1. Encryption
        2. Prepending and Appending
    2. Armor
      1. These three types of programs are used by modern attackers to deliver malware. When used, they make it much less likely for malware to be detected:
        1. Wrappers:
          1. A program used to combine two or more executables into a single packaged program.
          2. Also referred to as:
            1. Binders
            2. Packagers
            3. EXE Binders
        2. Packers:
          1. Compress files to obfuscate malware activity.
          2. Similar in function to:
            1. WinZip
            2. RAR
            3. Tar
        3. Crypters:
          1. Encrypt the code.
          2. Some crypters apply an encryption algorithm such as:
            1. AES
            2. RSA
            3. Blowfish
          3. Less sophisticated crypters might use more basic obfuscation techniques such as:
            1. XOR
            2. Base64 Encoding
            3. ROT13
          4. Examples:
            1. Morphine
            2. Trojan Man
            3. Pretty Good Malware Protection
            4. Restorator
            5. CypherX
      2. Other techniques used to armor a piece of malware include:
        1. Writing the malware in assembly language so that it is not detected by signatures.
        2. Blocking the use of system debuggers.
        3. Detecting and preventing the malware from executing within a sandbox environment.
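The two points above that matter most to a defender are that signature detection only fires on an exact pattern match (the Polymorphism section) and that the cheap crypter layers listed under Armor (XOR, Base64, ROT13) are enough to break that match. The following is an added example written for these notes, not code from the original outline or from any product it names. It builds a toy scanner around a constructed signature, shows the raw match failing once a layer is applied, then peels the basic layers (Base64, single-byte XOR brute force, ROT13, up to two deep) before re-matching, and adds the Shannon-entropy check analysts use to flag packed or encrypted content that no signature will ever see. The signature, the sample payload and the "packed" blob are all constructed toy data.

```python
"""Added example: signature matching versus basic obfuscation layers.
Everything here is constructed toy data; no real malware is involved."""
import base64
import math

# Constructed signature a scanner would look for (not a real indicator).
SIGNATURE = b"EVIL_PAYLOAD_MARKER"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0).
    Packed or encrypted data clusters near 8; plain text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic packer/crypter flag: high entropy with no signature hit."""
    return entropy(data) >= threshold


def raw_match(blob: bytes) -> bool:
    """What a plain signature engine does: exact byte-pattern search."""
    return SIGNATURE in blob


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; all other bytes pass through."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def candidate_layers(blob: bytes, skip_xor: bool = False):
    """Yield (layer_name, decoded) for each basic layer the notes list.
    Order matters for which trail is reported first: Base64 (strict, so
    non-Base64 input is rejected cheaply), then every single-byte XOR key,
    then ROT13. XOR-after-XOR is skipped because two single-byte XORs
    collapse into one."""
    try:
        yield ("base64", base64.b64decode(blob, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    if not skip_xor:
        for key in range(1, 256):
            yield (f"xor-0x{key:02x}", xor_bytes(blob, key))
    yield ("rot13", rot13(blob))


def scan(blob: bytes, depth: int = 2, trail: tuple = ()):
    """Depth-first search: return the list of layers that had to be peeled
    before SIGNATURE matched ([] means it matched raw), or None if no
    match within `depth` layers."""
    if SIGNATURE in blob:
        return list(trail)
    if depth == 0:
        return None
    last_was_xor = bool(trail) and trail[-1].startswith("xor")
    for name, decoded in candidate_layers(blob, skip_xor=last_was_xor):
        hit = scan(decoded, depth - 1, trail + (name,))
        if hit is not None:
            return hit
    return None


# Constructed samples: one payload wrapped in the layers the notes describe.
PAYLOAD = b"benign-looking header " + SIGNATURE + b" trailing bytes"
XORED = xor_bytes(PAYLOAD, 0x5A)                 # single-byte XOR "crypter"
B64_OF_XORED = base64.b64encode(XORED)           # Base64 on top of XOR
ROTTED = rot13(PAYLOAD)
PACKED = bytes(range(256)) * 16                  # uniform bytes, entropy 8.0


def report(blob: bytes) -> dict:
    """Summary a triage script could emit for one blob."""
    return {
        "raw_signature": raw_match(blob),
        "layers_peeled": scan(blob),
        "entropy": round(entropy(blob), 2),
        "looks_packed": looks_packed(blob),
    }


if __name__ == "__main__":
    for label, blob in [("plain", PAYLOAD), ("xor", XORED),
                        ("b64(xor)", B64_OF_XORED), ("rot13", ROTTED),
                        ("packed", PACKED)]:
        print(f"{label:9s} {report(blob)}")
```

The point the output makes: `raw_signature` is true only for the plain sample, every wrapped sample is recovered by peeling at most two layers, and the "packed" blob matches nothing but trips the entropy check, which is the cue to unpack or detonate it rather than trust a clean signature result. Real crypters using AES, RSA or Blowfish are not recoverable this way, which is why sandboxing and behavioural detection sit alongside signatures.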