Malicous software Flashcards
Malware
program inserted into a system, covertly, compromising the CIA of the victim’s data, apps, OS/ annoying or disrupting the victim.
Payloads -> system corruption, bots, phishing, spyware and rootkits.
Classified by propagation technique and payload action.
Blended attacks use multiple methods of infection or propagation to maximize speed
Attack Kits & attack sources
Virus-creation toolkits
toolkits known as crimeware
Individuals -> organized crime/groups
Advanced Persistent Threat
Intrustion technologies and malware to selected (often political/business) targets.
Advanced -> carefully selected
Persistent -> determined over an extended period to max success
Propagation - Infected content - Virus
Parasitic sw fragments that attach themselves to some existing exec content
infects programs by modifying them
Components:
Infection mechanism -> means of propagation (infection vector)
trigger -> logic bomb, when it is activated
payload -> damage or benign but noticeable activity
Lifecycle phases
Dormant -> idle activated by event,data,presence
Propagation -> copies into other programs or in certain system areas
Triggering -> performs function caused by many events
Macro viruses -> platform independent, documents more easily spread, automatically opened/trusted
Target discovery -> scanning or fingerprinting.
Random (high traffic), hit-list (slow gather and then attack), topological (moves through hosts and related), local subnet (bypassing firewall and finding machines in subnets)
exponential growth
Propagation - Infected Content - Virus - Melissa
Introduce to system as word doc sent by email
code contained in the Document_Open automatically run
Disables macro menu and related sec features
check to see if running in infected machine copies to the global template file
every time a new document opens it gets infected
it checks for key Melissa to check if has run before
if it is a new computer is uses outlook to email the first 50 addresses
it checks current time and date and generates a simpson quote (if minute in hour equals day of month)
Propagation - Infected Content - Virus - Classification
By Target
Boot sector infector -> master boot record, spreads when system is booted
File infector -> executable file
macro virus -> files w/ macro or scripting code
multipartite virus -> multiple types of files
By Concealment strategy
Encrypted virus -> part of code generates random key, encrypts other part of content with it
stealth virus -> designed to hide (code mutation, compression, rootkit
polymorphic virus -> replicates, same behavior but different instructions (encryption might be used)
metamorphic virus -> replicates, diff instructions and behavior
Propagation - Infected Content - Worm - Study Cases
Morris worm (Robert Morris 1988)
UNIX systems using multiways to propagate
find other known trusted hosts
Tried to log on to systems cracking passwords, assuming multisystem usage of passwords
exploited UNIX finger protocol and trapdoor in the debug option of the process that receives mail
executed, downloaded other part of worm and executed
Code Red (2001). security hole in IIS. disables system file checker in windows, probes other ip hosts it spreads slowly and start a DDoS attack against gov websites
Code Red II (Aug 2001). installs backdoor, remotely execute commands
Nimda (Sep 2001). propagates through email, windows share, web servers/clients, backdoors. Uses backdoors created by previous worms.
SQL Slammer (2003). Buffer overflow in Microsoft SQL Server.
Sobig.F (2003). infect proxy servers into spam engines
Mydoom (2004). mass-mailing email, backdoor -> remote access to data.
Warezov family (2006). creates exec in system dirs startup run. can have trojans and adware.
Conficker (Downadup) (2008) buffer overflow windows, via USB drives of network file shares.
Stuxnet (2010) hide spread rate. attack industrial control systems to control them. first use of cyberwarfare.
Duqu (2011) cyber-espionage
WannaCry ( 2017) aggressively scans and encrypts files, demanding ransom
Propagation - Infected Content - Worm - State
Multiplatform, multi-exploit (ways to propagate), polymorphic (evade detection skip past filters), metamorphic (changing appearance), ideal for DDoS, rootkits, spam generators and spyware
Mobile
Cabir, Lasco and CommWarrior -> communicate through Bluetooth wireless or Multimedia Messaging Service (MMS) Symbian OS
Can disable the phone, delete data, force the device to send messages. Use trojan apps to install themselves
Propagation - Infected Content - Client Vulnerabilities
Drive-by-download. when the user visits a page controlled by the attacker it downloads the malware exploiting vulnerabilities.
Watering-hole attacks, targets common visited websites with targeted subjects.
Malvertising, attacker pays for ads that will appear to targets
Attacks through PDF viewers
Clickjacking. an opaque layer infront of a button or a hidden input capturing clicks or keystrokes
Propagation - Social Engineering
Tricking users to assist in the compromise of their own systems or personal information.
Spam e-mails, trick users to propagate malware or trojan executing scripts and programs. Phishing attacks, sending scams for products.
Trojans, useful or apparently useful applications containing hidden code. scans files for sensitive information. It can continue doing the expected behavior or replace it completely. Sometimes it does not need user interaction and does not replicate
tech support scams
Malware - Payload - System Corruption
Chernobyl virus (1998) infects executable files, when date is reached, deletes data on infected system overwriting the 1st MB with zeroes, massive corruption of the entire file system.
Attempts to rewrite the BIOS code
Klez (2001) emails copies to addresses. On the 13th of several months deletes all files on the local hard drive. It can stop and delete antiviruses. Destroys or ransomwares (Cyborg Trojan - 1989)
Wannacry (2017) ransomware certain type of files and request payment in bitcoin
Logic bombs -> executes when specified trigger occurs
Malware - Payload - Attack - Zombie, bots
subverts network resources infected by attacker turning system into zombie
DDoS, spamming, sniffing sensitive information, logging keystrokes, spreading new malware, clickjacking advertisements, flooding IRC chats, manipulation of games/polls.
Remote Control Facility -> Command and Control server network, distributed to avoid single point of failure
countermeasure -> reverse name generation (fast-flux dns), take-over or shutdown the C&C network.
Malware - Payload - Information Theft - Keyloggers, phishing, spyware
Gathers data to steal or impersonate user, searches target documents or system config for espionage. Targets confidentiality of the information
Capture text with a filtering mechanism to monitor sensitive information. General spyware payloads monitors wide range of activities significant compromise.
Deployed by spam e-mails or drive-by-download.
Phishing
capture sensitive information through social engineering by leveraging user’s trust by masquerading as communications from a trusted source.
Spear-phishing
carefully crafted e-mail
Exploiting their legitimate access rights to release information for ideological reasons.
Malware - Payload - Stealthing - Backdoors, rootkits
Hides presence on system and provides covert access
Attacks integrity of system
Backdoor -> allows someone to bypass authentication procedures
Triggered by user using special seq of inputs, from certain user ID
Network service on some non-standard port the attacker connects and issues commands
Rootkit
maintain covert access to admin privileges
subverting what monitors reports on processes, files, and registries
It can be persistent, memory based, user/kernel intercepting mode, virtual machine based and external mode.
Kernel mode interception
- attacker modifies certain syscall addresses from the system call table
- overwrite system calls with custom code
- redirects references to the entire system call table w/new table new kernel mem location
entire boot process must be secure/monitor loading of hypervisor to ensure legitimacy
Malware - Countermeasures
Components for prevention
- Policy -> defines appropriate rules to prevent introducing malware
- Awareness
- Vulnerability mitigation
Detection -> detect and find malware
Identification -> identify malware
Removal -> remove all traces
- Threat mitigation
Requirements -> General, Timeliness (fast), Resilient, Minimal DDoS costs, transparent, global/local coverage
