Assignment 6: Malware & Sandboxing PDF

Name : Ioan-Radu Bocu Student number : s1104958 Assignment 6 1) So “Zero Days, Thousands nights” says that a vulnerability is “a type of bug that creates a security weakness in the design, the implementation or operation of a system or application”. On the other hand, according to our source, an exploit is a malicious piece of code that takes advantage of the vulnerabilities in order to infect, disrupt or take control over someone’s computer without his/her consent. 2) A Zero day exploit is a type of exploit that takes advantage of a Zero-day vulnerability by disrupting the whole system, injecting malicious code, executing task with root privileges and so on. Zero-Day exploits concerns Zero-Day vulnerabilities which may be unknown to the vendors. Zero-Day exploits are hard to detect and stop, it is like nding a cure for a new illness that has been discovered. For a regular exploit, you need exactly what kind of measures you need to take (just applying the cure of the known disease) in order to x it, but for a zero-day exploit you don’t have these pre-established measures, you need to nd them rst. 3) Yes and No, depending on the type of malware, the victim being targeted and the risk of the Zero-Day vulnerability to be discovered. For instance, if your target is the government or other important institution, then it is worth employing a zero-day vulnerability. Otherwise, if your target is your neighbor/friend/mate , then it is not worth using such an exploit, because you just risk wasting valuable information(exploit) for a low reward. fi fi fi fi 4) These families achieve destructive e ect in 2 stages : rst, by overwriting the Master Boot Record in order to display a faked ransom note and the execution of a le corrupter malware. The rst stage makes the operating system inoperable. Master Boot record is overwritten with a ransom note containing a Bitcoin wallet and a Tox Id. The second stage implies the execution of stage2.exe, which downloads a malicious le corrupter malware. When this malware is executed, les with certain extensions are targeted (“zip”, “.PAS”, “.TXT”). These contents of these les are overwritten with a xed number of “0xCC”. After the content is overwritten, the destructor renames each le with with a four-byte random extension. 5) Not really, I would say that use of such destructive malware is an indicator of nation state threat actors.The reason I think this is because attacked conducted using such malware are non-pro t, as their main aim is destruct existing strategic infrastructure. 6) Other high pro le malware attack that made use of EternalBlue was WannaCry ransomware attack that was traced to North Korean Government. 7) The CVE number associated with the vulnerability that EternalBlue exploits is CVE-2017-0144. 8) EtternalBlue tricks a Windows Computer into making a mistake when it processes special network messages. These mistakes allow an attacker to take control over a computer. The rst mistake is estimating poorly the memory that is needed. EternalBlue sends a message pretending to have a list of items that Windows needs to process. Windows needs to calculate how much memory it needs to process these les, but the computation is done incorrectly. Then the second mistake is given by 2 overlapping commands, which when processed, windows starts writing in the memory beyond its bounds. So, in essence, if an attacker carefully crafts a message, he/she can cause a bu er over ow, by injecting his/her own code beyond the bounds. 9) One important measure someone could take is to make sure that he/she made the upgrade to a Windows version that applies the security patch of MS17-10. Other mitigations might be disabling SBMv1 and not exposing any vulnerable machines to internet. 10) By how they spread, NotPetya extract credentials and uses them to gain access to devices on network, while WannaCry spreads automatically to other vulnerable devices by simply doing a network scanning. By what they do, NotPetya overwrites the Master Boot Record, on the other hand, wannaCry ransomware was a pure ransomware attach by demanding money for the decryption key. fi fi fi ff fi fi fl fi ff fi fi fi fi fi fi 11) Disclosure means revealing information about a discovered vulnerability in software or hardware. Arguments pro-disclosure : If the information is disclosed, then it becomes known to people which would put some more pressure on the vendors to release patches as soon as possible. If the information is disclosed, then it will be an alarm signal for the companies to start applying the latest security patches released. Arguments against-disclosure : Disclosing can be a very bad strategic move especially if no patches have been implemented or they have not been shared and nor applied massively by companies Not all companies have the means to apply the security patches, and by disclosing information these small companies would become certain victims of the attacks 12) Forcing disclosure could be a very bad move unless corresponding security patches have been shared massively. So keeping information secret would be a good choice, given the low probability of a vulnerability to be rediscovered. 13) Pegasus is a spyware used for surveillance and spying, so it is a tool used to collect personal information such as browsing history. 14) The general method was receiving/sending SMS messages with Pegasus exploit domains, or URL redirects 15) One method of exploitation is via SMS (sending and receiving malicious SMS) and the other method is via URL redirects and the access of decoys websites that take control over the user’s device without his/her consent 1) Sandboxes address the following issues : malware detection, app testing in terms of security, protection against exploits, testing code (in terms of security), zero-day vulnerability mitigation (running application in sandbox, companies can reduce the potential damage caused by these vulnerabilities since the exploit is contained in a controlled environment). 2) 2 ways in which sandboxes address issues is : malware isolation (the malware in trapped in a controlled environment and is prevented from infecting the whole system or other devices from the network) and detection of malware behavior detection (because les and suspicious code can be executed in a controlled environment, a proper analysis can be conducted in order to identify the threats) 3) In most of systems, chrooted programs with su cient privileges could perform a second chroot to break out. In order to mitigate this security issue , the privileges of chromed programs should be removed once they are “imprisoned” ffi fi 4) A FreeBSD jail acts more like a virtual machine than Linux Chroot Jail. So, it is an independent and isolated partition of the system. So the root user inside this jail has administration rights on just other objects inside this cell ; it has no power over other objects outside its cell. 5) The Sandbox in Android is based on user separation of processes and le permissions(separation based on applications). If an app tries to access resources allocated to another app, it will not be allowed. On the other hand, Linux sandboxing is more focused on isolated groups os users rather than individual processed. 6) Yes they can, for instance mount namespace (MNT) can be used in order to separate processes. When used in combination with chroot, even if the program attempts a second chroot, then the operation will have a ect only on its isolated environment. In this sense, this combination behaves similarly with Android sandboxing, case each process is separated from the others. 7) Sandoxing was introduced in order to create a completely isolated environment where Zero- Day exploits (if found), their magnitude will be reduced as they only have e ect in an isolated environment and not the global system. 8) I would say : Document Editors, Media Players, messaging apps ff ff fi 1) Containerization means that each individual process is run in a container, where a container is a isolated user-space environment. The thing is that an application that runs in such a container will believe that is the only application running in the whole system. This means that these containers associated with processes are not placed and run in a sandbox, but in a global system. So it is not necessary that the containers are placed in sandbox. Containers were designed for operational isolation and not for security. 2) One use case would be application deployment, where the app and together with its dependencies are packaged in a container. This ensures that the application runs consistently in di erent environments. One example of a technology that implements the use case is Docker. 3) Two types of attacks on Containerized environments : escape attacks and image dependency attacks 4) An immutable OS implies the following : running system cannot be modi ed directly by the users, atomic updates (all applied successfully at once or none), predictable (core operating system does not change) and isolated applications (applications run in containers). In contrast to a classic Linux system, an immutable OS ensures isolation, prevention of authorized changes (because of how updates work), and detection of tampering (modi ed les are easy to detect as the system is expected not the be changed) 5) Containers provide isolation of processes, each process in run inside a container, but the degree of isolation is given by how the container is implemented. 6) First , the exploit locates the current_task and pcpu_base_addr in the kernel’s ksymtabl(the table containing the symbols). These symbols are important when identifying the process’s task structure, cause this contains information about the credentials and le system state. pcpu_base_addr is unique for each CPU, the exploit used pins the process to a single core using command sched_seta nity(). This gives process’ task structure address. Task structure contains the cred object and the fs pointer. The cred object is overwritten such that root access is gained on the host system and the overwriting of fs with the address in init just allows the attacker to access les that are out of the container. ff ffi fi fi fi fi fi References : https://www.drivelock.com/en/blog/sandbox-in-the-cybersecurity https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/ https://www.decryptedlayer.com/eternalblue-and-a-lesson-in-vulnerability-management/ https://stackover ow.com/questions/6392944/whats-the-di erence-between-a-linux-chroot-jail- and-a-freebsd-jail fl ff

Assignment 6: Malware & Sandboxing PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue