4.3 malware and anti-malware

Question 1

Virus

Answer 1

• Defined as any piece of software that, “to survive and propagate, must insert itself into other executable code.” For example, if Microsoft’s Word.exe is infected and you run that program, you unknowingly execute the virus code as well. The virus typically becomes memory-resident and remains in RAM even after you close Microsoft Word. Hours later, you execute some other piece of software and the virus inserts itself into that executable at that time. Because of this reliance on other software, viruses are often referred to as “parasitic in nature.”

Question 2

Worm

Answer 2

• Worm: By contrast, a worm is self-standing software that is self-propagating. Much like a network vulnerability scanner, it scans through your network, looking for a system that has a vulnerability it knows how to take advantage of. When it finds “Windows 10, patch level 2,” for example, it then exploits a vulnerability that it is aware of in that specific OS and patch level. Most worms know how to take advantage of one or two things, occasionally three at most. There are a few exceptions to that, though.
• Worms are binary and their electrical impulses that travel at the speed of light. The worm notpetya – designed to attack infrastructure in Ukraine and shut it down, broke into one server at an international company in England.
  o Compromise over 2800 servers on 3 contionents in under 12 seconds
  o Don’t even realize it’s happening so you can’t stop anything, most important is to coordinate an incident response

Question 3

Trojan horse

Answer 3

• Trojan horse: Any piece of software that has a “known desired function, as well as an unknown undesired function” is defined as a Trojan Horse. According to a Panda Security report referenced earlier, Trojans accounted for 78.97% of all malware in 2013. A common example: You download a free screensaver. When you install the screensaver, you also install malware that tracks your internet surfing activity. We will see other examples as we proceed through the materials.
• This is the most common infection vector
  o A PDF document causes an infection when you open it
  o The PDF is the known desired function
  o The malware infection is the uknown, undesired function
• PDF files become a huge culprit for spreading malware. Windows 10 in the summer of 2019 put limitations on PDF which prevented what it could do like contacting the internet, running certain functions and so on. But that’s a script and so you can disable it – and a lot of organizations have that disabled.
• For MS documents like word or excel – for a long time macros were disabled but because of the pandemic and other reasons, more and more organizations and disabling macros.

Question 4

Logic Bomb

Answer 4

• Any piece of malware that “waits for a preconfigured event or date” before executing is defined as a logic bomb. Of course, with logic bombs, they are said to “detonate” instead of execute. An old but famous example of this kind of malware comes from 1991 (meaning, these are not new). The Michelangelo virus would execute only on March 6, which is Michelangelo’s birthday. There was no other reference to the famous artist in the malware. The Michelangelo virus also illustrates the point from earlier that malware can fall into multiple categories. This virus spreads by infecting the boot sector of floppy disks and hard drives, which falls within the definition of virus. (Boot sectors are executable.) It is also a logic bomb in that it executes only on a preconfigured date
• Other examples include: The programmer who put the trigger into the employee management software that said, “If my name is removed from the employee database, delete the employee database.” A disgruntled network administrator who placed a logic bomb that would have formatted every hard drive on the Fannie-Mae network at 1 minute after midnight, 2010. Also, a logic bomb triggered to go off at exactly 1400 hours on March 20, 2013, wiping the hard drives of three banks and two media companies in South Korea.
• When you have admins leaving the organization a) get their accounts locked before you even tell them they’re fired b) look for any logic bombs

Question 5

Rootkits

Answer 5

• Rootkits come in many variations as well. There are file-level, user-level, and kernel-level rootkits. Each works and behaves a little differently. However, there tend to be some similarities among rootkits: * They almost always insert a backdoor on the system to allow the attacker easy access. * They commonly hide the attacker’s files, system processes, and so on from the administrator. * They tend to actively “fight” against removal.
• From there, variations abound. Some, such as NetBus that we see on the next slide, provide for remote control of a computer. Think of something such as PC Anywhere with a bad attitude—and legitimate users cannot see what the attacker is doing with NetBus the way they can with PC Anywhere. They can also come from unexpected places. In 2005, it was discovered that several Sony music CDs had a rootkit. If you put them into your PC, they would infect you. Sony could use the backdoor to see if you had illegal music. More information, including the list of CDs, is at these links. Other examples include knark for linux/UNIX – very elegant
• The Sony examples shows you that you don’t actually have to do anything wrong to be a victim of malware

Question 6

Spyware

Answer 6

• Even if you have an active and effective antivirus program in your environment, chances are you still have a problem with spyware. Spyware is the latest twist on the age-old game of getting information from users’ systems without the users knowing about it
• The exact activities tracked varies, but typical uses include logging keystrokes, recording webbrowsing habits, gathering information about installed software, and obtaining personal information about the user. What does the spyware do with all this information? Most spyware apps send it to some unseen central server for use by the spyware creator. From there, the creator can (in the best case) use the data to target marketing information to the user or (in the worst case) use the information against the user in some way
• Unfortunately, a lot of antivirus software either does not look for spyware at all or does so poorly. You have to run a separate anti-spyware utility. There are a number of utilities that do well at finding and eliminating spyware on your system. Perhaps the best known is Spybot Search & Destroy, available from Safer-Networking.1 The program’s operation is automatic, and the results are comprehensive. Not only does Spybot find classic “spyware,” it also looks for tracking cookies, system files, and history lists that may be used to track your activities and your information. If it finds a potential problem, the user can click the listing to see a detailed description of the program along with the potential it has to compromise your system. The price is right (it’s free, although donations are requested) and it (or a program like it) should be considered as vital as antivirus software for an internet-active system

Question 7

Cryptocurrency and blockchain

Answer 7

• Cryptocurrency has undoubtedly been heavily in the news lately. While many have only heard of Bitcoin, it is hardly the only cryptocurrency in existence. There is also Ethereum, Litecoin, Cardano, Polkadot, Stellar, Chainlink, Dogecoin, and many others
• In short, cryptocurrency is a computer file that someone has deemed to have value. Because of that perceived value, it can be a form of money. Cryptocurrency transactions are verifiable and recorded via an inviolable cryptographic process called a blockchain. A blockchain is a digital ledger of transactions that duplicates across a peer-to-peer network. Greatly simplified, a blockchain is a database in which every data record in the database is linked to the data record before and after it, creating a chain. This chain is cryptographically unalterable once created – hence it is inviolable
• Crypto mining – cryptojacking : As you saw on the last slide, it takes a lot of computing power to generate cryptocurrency. Computing power means you need electrical power. Electricity costs money! But hackers don’t want to spend their own money to mine (or mint) their cryptocurrency. Why should they when you can pay the bill for them? One of the types of malware hackers will attempt to put on your computer is called cryptojacking malware. It simply causes your computer to sit there and churn out cryptocurrencies such as bitcoin. The attacker takes the generated money, and you pay the electric bill. From the attacker’s perspective, this is a win-win proposition. Cryptojacking often goes underreported because the malware tends to be very quiet and subtle. It does not generate popup windows on your screen or mess with your data in any way. You, therefore, have little or no reason to suspect you have malware. Ransomware gets a lot of attention from the media, but many experts believe cryptojacking software is more prevalent

Question 8

Ransomware

Answer 8

• Ransomware is a category of malware that makes a computer unavailable for use until a ransom is paid. Most ransomware works by encrypting the files on your computer. When you pay the ransom, the ransomware author provides the decryption key and instructions for recovering your files. Less common, some ransomware uses alternative methods of making your files inaccessible
• Note that most of the variants that utilize encryption will follow a network share. Meaning that if you have a folder of files shared across the network, those files will be encrypted as well. Almost without exception, ransom is paid in the form of Bitcoin. This is an untraceable digital currency that is not controlled by any government. The price of Bitcoin fluctuates more rapidly than the stock market.
• Interestingly enough, the authors of ransomware consider themselves to be “an honest businessman.” (Yes, that is a direct quote from one of the ransomware authors.) They offer exceptional support to their victims. They will walk a victim through the process of obtaining and uploading the Bitcoin to them. They have even been known to accept lower amounts if they can tell the victim is trying to work with them but cannot obtain the required amount of Bitcoin. In at least one case, a ransomware author used one of his victims as a reference, as in: “Call this man; he will tell you that I am an honest businessman who stands behind his word.”
• Name and shame attacks are also doubling – exfiltrate data before encrypt, then threaten to publish it unless youp ay the ransom – they can expose proprietary data or share something embarassing

Question 9

Ransomware defence

Answer 9

• Safe surfing practices can help you avoid ransomware, but they will not completely protect you. Some infections occur when someone visits a completely legitimate web page, but the page has either been defaced with code to cause infection or displays a banner ad that infects them. The best current defense is to have backups that support “versioning.” This means that each time you save a file, that version is backed up and available for recovery. In the case of ransomware, the encrypted version of your files may back up, but the prior unencrypted version will still be available for recovery. This wont help with name and shame though even if you have back ups, but i twill help with business continuity
• NIST guidance includes :
  o Keep A/V running & up to date  Keep patches current  Block access to dangerous sites  Use whitelisting software  Restrict personal devices & personal use  Use non-admin accounts  Don’t open anything from an unknown source  Maintain versioning backup  Plan for recovery

Question 10

Malware development (factories)

Answer 10

• People will make money any way they can. Sometimes, malware authors make their money by writing the malware itself. Sometimes they create software that will create the malware for others and sell it as a product. The authors of malware creation software call them Development Kits, or more commonly, “Factories.”
• It is interesting that some of the factories available on the darknet now work on a royalty basis. For example, the factory creator might get 10% of the ransom. The same smart business practices that work for legitimate businesses unfortunately also work in illegal businesses as well.

Question 11

malware terms
- polymorphic
- retrovirus
- multipartite

Answer 11

• With antivirus software updates unique hex of signatures that looks at malware and stops it – when the list of signatures get too long you have to remove the old ones, and you have to customize depending on regional/location-specific malware
• Polymorphic malware is designed to self-modify via a variety of mechanisms. By doing so, they attempt to fool antivirus software into not detecting them – but there is a portion of polymorphic malware that can’t self modify so AV looks for those and still registers its signatures
• Retrovirus: In biology, a retrovirus is a virus that attacks the human immune system. In computing, a retrovirus actively attacks our antivirus and other endpoint security software, trying to disable it
• Multipartite: This is a fancy way of saying “malware that can infect you in more than one way.” In other words, a virus that is both a file infector and a boot sector infector is multipartite.

Question 12

Anti-malware (antivirus)
- signature
- heuristics

Answer 12

• After the operating system, this is likely the single most important piece of software installed on a computer today. And we do mean any computer, whether it is running Windows, Mac, Apple, Android, or any other operating system. Anti-malware most commonly scans for more than just viruses (hence, we are not using the term antivirus as much). Most of the packages, especially those at the forefront of the marketplace, are scanning for viruses, worms, trojans, spyware, adware, and all other categories of malware.
• Signature: Almost all of them utilize a signature analysis engine. Every virus has some unique string (called a signature) somewhere in its code. The “signature database” contains those unique strings for the malware currently making the rounds. When you do a virus scan, your anti-malware package goes through the executables on your system, looking to see if it can find one of those strings. If it does, you have that virus. Of course, as we have already discussed, there are millions of new malware released every day, and each of them has a new signature. This is why we have to keep our signature databases up-to-date. When the author first installed antivirus software in the late 1980s, he received the signature updates once a quarter on a 5 ¼-inch floppy disk. Today, his antivirus software updates the signatures every 3 minutes by default
• Heuristics: The second common method for looking for malware is called heuristics. This method does not rely on a signature database. Instead, it watches for malware-like activity. A perfect example: There are few times when your computer writes to the boot sector of the hard drive. Specifically, it does that when: * You format the hard drive * You repartition the hard drive * You run a checkdisk command to check the drive for errors * A boot sector virus writes to the boot sector of the drive, infecting your computer To write to the boot sector of the drive, software must use a particular system call. Heuristic antimalware monitors that system call. If anything attempts to use it, it blocks its use until you approve it. The idea being, if you are not doing one of the first three operations listed above, you would not give approval. Of course, this does rely on the knowledge of the user. Heuristics is not a new idea. It does have the advantage of possibly blocking malware that is not in your signature database. But it is far from perfect. Go back to the fact that there are tens of thousands of new malware coming out every day. Each of them behaves a little differently. Exactly which behavior should your endpoint security software watch for?

Question 13

Microsoft defender

Answer 13

• Recently with Windows 10, they introduced Windows Defender and it is actually pretty decent. The best news is that it is free (once you pay for Windows) and installed and enabled by default.
• An important feature of Windows Defender is that it supports the “Microsoft Antimalware Scan Interface (AMSI). Among other things, this allows it to scan for malware that is only in RAM and not on the drive. This way, it can find more malware, such as malicious PowerShell code (which is on the rise). A lot of malware scanners do not do this.
• Because it is a Microsoft included service to the Operating System, there is minimal concern that future updates will break Windows Defender – that is not the case with some other Antimalware products. Also, it provides some (and growing) integration with Microsoft Cloud Services such as Advanced Threat Protection (ATP).

Question 14

Personal firewalls

Answer 14

• Another vital piece of software is the personal firewall. You should NEVER connect a computer to the internet unless the personal firewall is turned on. It takes as little as 3 to 5 minutes for an unprotected system on the internet to be compromised
• The Windows firewall has been enabled by default since it added the feature in Windows XP service pack 2. The XP firewall looks only at traffic into the PC, not traffic leaving it. The Windows 7 (and later) firewall is actually an outstanding protection feature. It is fully stateful inspection (a term we explain fully at another point in the course). When you tell that firewall that you are connected to a public location such as a coffee shop, your computer pretty much becomes a black hole. The only things your system responds to are ARP packets