Chapter 03 - Malicious Code.pdf
Chapter 3 Malicious Code

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:
Domain 2.0: Threats, Vulnerabilities, and Mitigations
2.4. Given a scenario, analyze indicators of malicious activity.
- Malware attacks (Ransomware, Trojan, Worm, Spyware, Bloatware, Virus, Keylogger, Logic bomb, Rootkit)

Malware comes in many forms, from ransomware and worms to spyware, viruses, keyloggers, and rootkits that help attackers retain access to systems once they have gained a foothold. In this chapter, you will explore the various types of malware, as well as the distinguishing elements, behaviors, and traits of each. You will learn about the indicators you should look for, the response methods organizations use to deal with each type of malware, and the controls that can help protect against them.

Malware

The term malware describes a wide range of software that is intentionally designed to cause harm to systems, devices, networks, or users. Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network does not want to occur. The SY0-701 Security+ exam objectives include a number of the most common types of malware, and you will need to be familiar with each of them: how to tell them apart, how to identify them, and the common techniques used to combat them.

Exam Note
This objective introduces many types of malware and asks you to analyze potential indicators to determine the type of attack. When you tackle malware-based questions, you will need to know the distinctive characteristics of each type of malware and what helps you tell them apart. For example, a Trojan is disguised as legitimate software, whereas ransomware is aimed at extracting payment from a victim.
As you read this section, pay attention to the differences between each type of malware, the common indicators of compromise associated with each, and how you would answer questions about them on the exam.

Ransomware

Ransomware is malware that takes over a computer and then demands a ransom. There are many types of ransomware, including crypto-malware, which encrypts files and holds them hostage until a ransom is paid. Other ransomware techniques include threatening to report the user to law enforcement for pirated software or pornography, or threatening to expose sensitive information or pictures from the victim's hard drive or device.

A significant portion of ransomware attacks are driven by phishing campaigns, with unsuspecting victims installing malware delivered as phishing email attachments or via links in the email. That is not the only delivery path: malicious actors also use direct attack methods such as exposed Remote Desktop Protocol (RDP) services, other vulnerable services, or Internet-facing applications that they can compromise.

Indicators of compromise (IoCs) for ransomware include, but are not limited to:
- Command and control (C&C) traffic and/or contact with known malicious IP addresses
- Use of legitimate tools in abnormal ways to retain control of the compromised system
- Lateral movement that attacks or gathers information about other systems or devices inside the same trust boundaries
- Encryption of files
- Notices to end users about the encryption, with demands for ransom
- Data exfiltration behaviors, including large file transfers

You can read an example of a ransomware advisory provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) about the Royal ransomware variant, including a detailed list of specific IoCs, at www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a.
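Two of the IoCs listed above, mass encryption of files and the ransom notice, are visible in file-system telemetry long before anyone reads the note. The following Python script is an added example and not part of the chapter: it runs a simple detector over a constructed stream of file events, flagging a single process that gives many files a new extension inside a short window and the creation of a ransom-note-style file. The event format, the 60-second window, the 20-file threshold and the process and file names are all assumptions chosen for the demonstration; a real deployment would consume EDR or Sysmon file events and tune the thresholds to the environment.

```python
"""Ransomware file-activity indicators over constructed file-system events.

Added example (not from the chapter): flags a process that renames many files
to a new extension within a short window, and the dropping of a ransom note.
Event format, thresholds and process names are assumptions for the demo.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60      # sliding window for counting extension changes
RENAME_THRESHOLD = 20    # extension changes by one process inside the window
# Ransom notes are typically text/HTML files with names like README_TO_DECRYPT.txt
RANSOM_NOTE = re.compile(r"(readme|how_to|recover|decrypt|restore)[^/\\]*\.(txt|html|hta)$", re.I)


@dataclass(frozen=True)
class FileEvent:
    ts: float           # epoch seconds
    process: str        # image name of the process performing the operation
    op: str             # "write", "rename" or "create"
    path: str
    new_path: str = ""  # destination path for renames


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events):
    """Return (ts, process, message) alerts for ransomware-like file activity."""
    alerts = []
    windows = defaultdict(deque)   # process -> deque of (ts, new extension)
    already_flagged = set()        # (process, extension) pairs reported once
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "create" and RANSOM_NOTE.search(ev.path):
            alerts.append((ev.ts, ev.process, f"ransom note dropped: {ev.path}"))
        if ev.op == "rename" and ev.new_path and _ext(ev.new_path) != _ext(ev.path):
            q = windows[ev.process]
            q.append((ev.ts, _ext(ev.new_path)))
            while ev.ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            counts = defaultdict(int)
            for _, ext in q:
                counts[ext] += 1
            top_ext, n = max(counts.items(), key=lambda kv: kv[1])
            if n >= RENAME_THRESHOLD and (ev.process, top_ext) not in already_flagged:
                already_flagged.add((ev.process, top_ext))
                alerts.append((ev.ts, ev.process,
                               f"{n} files renamed to .{top_ext} within {WINDOW_SECONDS}s"))
    return alerts


def sample_events():
    """Constructed events: normal document edits, one benign rename, then a burst
    of renames to .locked by a single process followed by a ransom note."""
    base = 1_700_000_000.0
    events = [FileEvent(base + i * 5, "WINWORD.EXE", "write", f"/home/alice/docs/report{i}.docx")
              for i in range(10)]
    events.append(FileEvent(base + 7, "explorer.exe", "rename", "/home/alice/notes.txt", "/home/alice/notes.md"))
    for i in range(25):
        src = f"/home/alice/docs/file{i}.xlsx"
        events.append(FileEvent(base + 100 + i, "updater.exe", "rename", src, src + ".locked"))
    events.append(FileEvent(base + 126, "updater.exe", "create", "/home/alice/docs/README_TO_DECRYPT.txt"))
    return events


if __name__ == "__main__":
    for ts, proc, msg in detect_ransomware(sample_events()):
        print(f"{ts:.0f} {proc}: {msg}")
```

The single benign rename by explorer.exe never reaches the threshold, while the burst from updater.exe is reported once, at the moment it crosses 20 renames, rather than once per file; the note is reported separately because some families drop it before encrypting.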
One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be affected if the system or device it backs up is infected and encrypted. Organizations preparing to deal with ransomware need to decide in advance what their response will be: in some cases paying the ransom has resulted in files being returned, and in others the attackers merely demanded more money. Some ransomware has been defeated, and defenders may be able to use a preexisting decryption tool to restore files. Antivirus and antimalware vendors, as well as others in the security community, provide anti-ransomware tools.

Trojans

Trojans, or Trojan horses, are a type of malware that is typically disguised as legitimate software. They are called Trojan horses because they rely on unsuspecting individuals running them, thus providing attackers with a path into a system or device. Figure 3.1 shows an example of a Trojan infection path, starting with a user downloading an application from an Android app store that appears to be legitimate, continuing through the automated download of malicious add-ons, and ending with remote control of the device.

FIGURE 3.1 Trojan application download and infection process

An example of this type of malware is the Triada Trojan, which is often distributed in the guise of a modified, feature-enhanced WhatsApp version. When the application is launched, the Trojan gathers information about the host device, including device IDs, subscriber IDs, and the device's hardware address, and uses it to register the device with a remote server. The additional malicious payload is then downloaded, decrypted, and run, allowing further actions to take place depending on what the malicious actor wants, from displaying ads to signing the victim up for paid subscription services.
Indicators of compromise for Trojans often include:
- Signatures for the specific malware applications or downloadable files
- Command and control system hostnames and IP addresses
- Folders or files created on target devices

A full write-up about the Triada Trojan deployed via modified WhatsApp versions can be found at https://securelist.com/triada-trojan-in-whatsapp-mod/103679, and additional detail is available at https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690.

In addition to traditional Trojans, remote access Trojans (RATs) provide attackers with remote access to systems. Some legitimate remote access tools are used as RATs, which can make it difficult to tell whether a tool is a legitimate remote support tool or one being used by an attacker. Antimalware tools may also raise false positives on remote access tools that can be used as RATs, but disabling that detection can result in real RATs going undetected.

Security practitioners combat Trojans and RATs using a combination of security awareness training, which encourages users not to download untrusted software, and antimalware or endpoint detection and response (EDR) tools that detect Trojan- and RAT-like behavior and known malicious files. Mitigation for Trojans typically starts with awareness practices that make downloading and running Trojans less likely. Controlling the software and applications users can acquire is helpful in many cases, but is often balanced against the need for user flexibility. Antimalware, EDR, and other tools that identify and stop malicious software from running, or that discover it from its behavior and stop it, are commonly used as a final line of defense.

Bots, Botnets, and Command and Control

Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do.
These groups of systems under central command are called botnets, and the individual systems are called bots. C&C increasingly uses encrypted HTTP (HTTPS) connections to a frequently changing set of remote hosts in order to avoid observation, but the use of Internet Relay Chat (IRC) over TCP port 6667 and similar techniques remains popular too. As a defender you will need to know how to search for C&C communications and to recognize why a system reaching out to unknown hosts may be a sign that a system you are responsible for is part of a botnet.

Worms

Unlike Trojans, which require user interaction, worms spread themselves. Worms are often associated with spreading via attacks on vulnerable services, but any automated means of spread is possible: worms can spread via email attachments, network file shares, vulnerable devices such as IoT (Internet of Things) devices and phones, or other methods. Worms also self-install rather than requiring users to click on them, which makes them particularly dangerous.

Stuxnet: Nation-State-Level Worm Attacks

The Stuxnet attack, discovered in 2010, is generally recognized as the first implementation of a worm as a cyber weapon. The worm was aimed at the Iranian nuclear program and copied itself to thumb drives to reach air-gapped computers (physically separated systems without a network connection). Stuxnet used a number of techniques that were advanced for its time, including signing its drivers with code-signing certificates stolen from legitimate hardware vendors, searching for the specific industrial control systems (ICSs) known to be used by the Iranian nuclear program, and carrying code written specifically to damage centrifuges while feeding false monitoring data to operators so that the damage would not be noticed until it was too late.

While Stuxnet was specifically designed to bypass physically separated networks, firewalls and network-level controls remain one of the best ways to mitigate worm attacks.
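Both the C&C beaconing described under Bots, Botnets, and Command and Control and the service-to-service spread that network controls are meant to block leave traces in ordinary connection logs. The following Python script is an added example, not part of the chapter: it parses a small constructed connection log (the one-line-per-connection format of epoch time, source, destination and destination port is invented for the demonstration) and flags three patterns: suspiciously regular connections to an external host, outbound IRC on TCP 6667, and one internal source fanning out to many internal hosts on a single port, which is how a worm attacking a vulnerable service looks from the network. The thresholds and the RFC 1918 definition of "internal" are assumptions to adjust for your environment.

```python
"""Connection-log triage for botnet C&C and worm-style spread.

Added example (not from the chapter). The log format ('epoch src dst dport',
one connection per line) and the thresholds are constructed for this demo.
"""
import ipaddress
import statistics
from collections import defaultdict

IRC_PORTS = {6667}
MIN_BEACONS = 6          # connections needed before judging regularity
MAX_JITTER = 0.15        # coefficient of variation of inter-connection gaps
FANOUT_THRESHOLD = 10    # distinct internal hosts hit on one port by one source

# RFC 1918 space only. ipaddress' is_private also treats the documentation
# ranges used in the sample log (203.0.113.0/24 etc.) as private, which is
# why an explicit list is used here instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse constructed 'epoch src dst dport' lines into (ts, src, dst, dport) tuples."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        conns.append((float(ts), src, dst, int(dport)))
    return conns


def find_beacons(conns):
    """Flag external (src, dst, dport) series whose connection gaps are unusually regular.
    Returns (src, dst, dport, mean_gap_seconds, coefficient_of_variation)."""
    series = defaultdict(list)
    for ts, src, dst, dport in conns:
        if not is_internal(dst):
            series[(src, dst, dport)].append(ts)
    hits = []
    for key, times in series.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv < MAX_JITTER:
            hits.append((*key, round(mean, 1), round(cv, 3)))
    return hits


def find_irc(conns):
    """Outbound connections to IRC ports, still a common low-effort C&C channel."""
    return sorted({(src, dst, dport) for _, src, dst, dport in conns
                   if dport in IRC_PORTS and not is_internal(dst)})


def find_fanout(conns):
    """One source touching many internal hosts on a single port: worm scanning or spread."""
    targets = defaultdict(set)
    for _, src, dst, dport in conns:
        if is_internal(dst):
            targets[(src, dport)].add(dst)
    return sorted((src, dport, len(hosts)) for (src, dport), hosts in targets.items()
                  if len(hosts) >= FANOUT_THRESHOLD)


def build_sample_log() -> str:
    """Constructed log: a 300 s beacon, irregular browsing to one site, an IRC
    connection, an SMB sweep across a /24, and a DNS lookup."""
    base = 1_700_000_000
    lines = [f"{base + 300 * i + j} 10.0.0.5 203.0.113.10 443"
             for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
    lines += [f"{base + off} 10.0.0.5 192.0.2.50 443" for off in (0, 10, 210, 245, 1145, 1205)]
    lines.append(f"{base + 50} 10.0.0.7 198.51.100.20 6667")
    lines += [f"{base + 400 + n} 10.0.0.9 10.0.1.{n} 445" for n in range(1, 13)]
    lines.append(f"{base + 5} 10.0.0.5 10.0.0.1 53")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_log(build_sample_log())
    print("beacons:", find_beacons(conns))
    print("irc:", find_irc(conns))
    print("fan-out:", find_fanout(conns))
```

The irregular browsing series to 192.0.2.50 has the same number of connections as the beacon but a coefficient of variation above 1, so only the metronomic 300-second series to 203.0.113.10 is reported. Real implants add random jitter, so in practice you would widen MAX_JITTER and combine this signal with destination rarity and TLS certificate data rather than rely on timing alone.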
If compromised devices cannot communicate with other vulnerable devices, the infection cannot spread. You can read about Stuxnet in more depth at www.wired.com/2014/11/countdown-to-zero-day-stuxnet and https://spectrum.ieee.org/the-real-story-of-stuxnet.

An example of a modern worm is Raspberry Robin, a worm used as part of pre-ransomware activity. Raspberry Robin initially spread through infected USB drives using a malicious Windows shortcut (.LNK) file. Once running, it uses built-in Windows tools to carry out further tasks and to establish persistence, ensuring it survives reboots.

Common IoCs for worms like Raspberry Robin include:
- Known malicious files
- Downloads of additional components from remote systems
- Command and control contact with remote systems
- Malicious use of system commands for injection and other activities, including cmd.exe, msiexec.exe, and others
- Hands-on-keyboard attacker activity

Microsoft provides a detailed write-up of the Raspberry Robin worm, including recommended defensive actions, at www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity.

Mitigating worm infections frequently starts with network-level controls focused on blocking infection traffic. Firewalls, IPS devices, network segmentation, and similar controls are the first layer of defense. Patching and configuring services to limit the attack surface is also a best practice for preventing worms. After an infection, response may include the use of antimalware, EDR, and similar tools to stop and potentially remove the infection. Depending on the complexity of the malware, removal may be nearly impossible, and, as with many types of malware, reinstallation or a reset to original firmware may be required for some devices.

Spyware

Spyware is malware designed to obtain information about an individual, organization, or system.
Various types of spyware exist, each targeting different kinds of information. Many spyware packages track users' browsing habits, installed software, or similar information and report it back to central servers. Some spyware is relatively innocuous, but malicious spyware exists that targets sensitive data, allows remote access to web cameras, or otherwise provides illicit or undesirable access to the systems it is installed on. Spyware is associated with identity theft and fraud, advertising and traffic redirection, digital rights management (DRM) monitoring, and stalkerware, a type of spyware used to illicitly monitor partners in relationships.

Spyware is most frequently combated with antimalware tools, although user awareness can help prevent the installation of spyware bundled into installers for other software (where it acts as a form of Trojan) or presented as a useful tool or innocuous utility.

Spyware comes in many forms, which means its IoCs can closely resemble those of other malicious software. Common spyware IoCs include:
- Remote-access and remote-control-related indicators
- Known software file fingerprints
- Malicious processes, often disguised as system processes
- Injection attacks against browsers

Since spyware borrows techniques from other types of malware, classifying software as spyware typically requires understanding its use and motivation rather than just its behavior. Spyware may use Trojan-, worm-, or virus-style propagation, but the intent is to gather information about a user or system; the methods matter less than the goal. Mitigation for spyware focuses on awareness, control of the software allowed on devices and systems, and the antispyware capabilities built into antimalware tools.
Since spyware is generally perceived as less of a threat than many other types of malware, it is commonly categorized separately and may require specific configuration to identify and remove. An example of a commercialized spyware tool is NSO Group's Pegasus. Amnesty International provides a thorough write-up of indicators and actions taken by Pegasus at www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus.

Bloatware

If you have ever purchased a new computer and discovered preinstalled applications you did not want, you have encountered bloatware. Bloatware is an all-encompassing term for unwanted applications installed on systems by manufacturers. They may be part of a commercial relationship the manufacturer has, programs the manufacturer itself provides, or software that arrives later as part of installer packages for other applications. Unlike the other categories in this chapter, bloatware is not usually intentionally malicious. It may, however, be poorly written, may call home with information about your system or usage, or may prove vulnerable to exploitation, adding attack surface to otherwise secure devices. Uninstalling bloatware or deploying a clean operating system image are common practices for organizations and individuals alike.

Since bloatware is not really malicious software, it is not typically associated with IoCs. Instead it should simply be removed to prevent problems, including consuming disk space, memory, and CPU cycles without providing any benefit. Mitigation for bloatware focuses on awareness and on uninstalling or removing the software.

Exam Note
The Security+ exam outline calls out both spyware and bloatware, but they can sometimes be difficult to tell apart, since manufacturers who install bloatware often build call-home functionality into it.
The key differentiator is that spyware's primary intention is to gather information about the user, their use of the system and Internet, and the configuration of the system, whereas bloatware is simply unwanted software.

Viruses

Computer viruses are malicious programs that self-copy and self-replicate once activated. Unlike worms, they do not spread themselves across networks by attacking vulnerable services. Viruses require one or more infection mechanisms to spread, such as copying themselves to a thumb drive or network share, typically paired with a search capability that finds new places to spread to once they run. Viruses also typically have a trigger, which sets the conditions under which the virus executes, and a payload, which is what the virus does or delivers when it executes.

Viruses come in many varieties, including:
- Memory-resident viruses, which remain in memory while the system or device is running
- Non-memory-resident viruses, which execute, spread, and then shut down
- Boot sector viruses, which reside in the boot sector of a drive or storage media
- Macro viruses, which use macros or code inside word processing software or other tools to spread
- Email viruses, which spread via email either as attachments or as part of the email itself by exploiting flaws in email clients

Fileless virus attacks resemble traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they find a way into a system, they inject themselves into memory and conduct further malicious activity, including arranging to reinfect the system at reboot through a Registry entry or similar technique.
At no point do they require local file storage; they remain memory resident throughout their active life. In fact, the only stored artifacts of many fileless attacks are the artifacts of their persistence mechanism, such as the Registry entry shown in Figure 3.2.

FIGURE 3.2 Fileless virus attack chain

As the infection flow in Figure 3.2 suggests, fileless attacks require a vulnerability to succeed, so keeping browsers, plug-ins, and other software that attackers might exploit up to date and protected can prevent most of them. Antimalware tools that detect unexpected behavior from scripting tools like Microsoft PowerShell can also help stop fileless viruses. Finally, network-level defenses such as intrusion prevention systems (IPSs) and reputation-based protection can prevent potentially vulnerable systems from browsing to known malicious sites.

IoCs related to viruses are often available in threat feeds from organizations like VirusTotal, where recently discovered viruses and their behaviors are analyzed and indexed to produce IoC feeds. You can find examples of VirusTotal's crowdsourced YARA rules in its support article about the community YARA feed dashboard at https://support.virustotal.com/hc/en-us/articles/9853517705117-Crowdsourced-YARA-rules-dashboard.

Mitigation for viruses includes awareness, which helps prevent users from clicking on and activating viruses, and antimalware tools that can detect and block them on disk, in memory, or as they execute. Removal varies: some viruses are easy to remove with antimalware tools or dedicated, virus-specific utilities, while others require more significant action.

Removing malware can be a challenging task. It can be nearly impossible to determine whether every part of a complex infection has been removed.
Although it may be tempting to rely on your antivirus or other security tools to remove the infection, that often is not sufficient. For this reason, many organizations have a standard practice of wiping the drive of an infected machine and restoring it from a known-good backup or reinstalling/reimaging it. There are scenarios where even that is not enough, such as BIOS/UEFI-resident malware, but in most common scenarios a complete wipe and reinstallation or reimaging will ensure the malware is gone.

Keyloggers

Keyloggers are programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen input, or credit card swipes from attached devices. Keyloggers work in a multitude of ways, from tools that capture data in the kernel, via APIs or scripts, or directly from memory. Regardless of how they capture data, the goal of a keylogger is to capture user input for analysis and use by an attacker.

Preventing software keylogging typically relies on normal security best practices to ensure that malware containing a keylogger is not installed, including patching and systems management as well as antimalware tools. Since many keyloggers aim to acquire passwords, multifactor authentication can limit the impact of a keylogger even if it cannot defeat the keylogger itself. In more demanding environments where the underlying system cannot be trusted, booting from a known-good bootable USB drive avoids using a potentially compromised installed operating system.

Much like other malicious software intended to gather information, IoCs for keyloggers are commonly:
- File hashes and signatures
- Exfiltration activity to command and control systems
- Process names
- Known reference URLs

An example analysis of a keylogger delivery campaign via PDFs can be found at www.socinvestigation.com/pdf-campaign-delivering-snake-keylogger.
In addition to the software-based keyloggers discussed here, hardware keyloggers are also available and inexpensive. The authors of this book have encountered them on college campuses where students tried to acquire (and in some cases succeeded in acquiring) credentials for their instructors so that they could change their grades.

Logic Bombs

Logic bombs, unlike the other types of malware described here, are not independent malicious programs. Instead, they are functions or code placed inside other programs that activate when set conditions are met. Some other types of malware use this kind of code as part of their function as well. While relatively rare compared to other types of malware, logic bombs are a consideration in software development and systems management, and can have a significant impact if they activate. Since logic bombs live in code, IoCs for logic bombs are less common; finding them requires analysis of the code or logic in the application, which means mitigation is also primarily focused on code review.

Analyzing Malware

A number of techniques are commonly used to analyze malware:
- Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see how multiple AV engines identify it.
- Sandbox tools can be used to analyze malware behavior in a protected environment.
- Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.
- Malware can be examined with tools like strings to look for recoverable artifacts that may be useful for analysis.

Many other tools and techniques are used to analyze malicious code and software, but these are a good starting point for security analysts who need to determine whether a given executable or block of code might be malicious.

Rootkits

Rootkits are malware specifically designed to allow attackers to access a system through a backdoor.
Many modern rootkits also include capabilities to conceal themselves from detection, using techniques ranging from hooking filesystem drivers so that users cannot see the rootkit's files to infecting startup code in the Master Boot Record (MBR) of a disk, which also enables attacks against full-disk encryption systems.

Rootkit detection can be challenging, because a system infected with malware like this cannot be trusted. That means the best way to detect a rootkit is to examine the suspected system from a trusted system or device. Where that is not possible, rootkit detection tools look for behaviors and signatures typical of rootkits. Techniques like integrity checking and validating data against expected responses can also be useful, and anti-rootkit tools often combine these techniques to detect complex rootkits.

Once a rootkit is discovered, removal can be challenging. While some antimalware and anti-rootkit tools can remove specific rootkits, the most common recommendation, whenever possible, is to rebuild the system or restore it from a known-good backup. As virtual machines, containers, system imaging, and software-defined environments have become more common, restoration has become simpler and in many cases is as fast as, or faster than, ensuring that a system infected with a rootkit has been properly and fully cleaned.

Some rootkits are intentionally installed, either as part of DRM systems or anti-cheat toolkits for games, or as part of tools used to defeat copy protection mechanisms. While these are technically rootkits, you will normally focus on tools used by malicious actors rather than intentional installations for purposes like these.
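The integrity checking described above is only trustworthy when the baseline comes from a known-good image and the comparison runs from a trusted host, typically against the suspect disk mounted read-only, so that a rootkit's filesystem hooks are not in the path. The following Python script is an added example and not part of the chapter: it builds a manifest of digests, sizes and permission bits for every file under a root, then diffs a later manifest against it. Its demo() builds a small constructed tree in a temporary directory and tampers with it the way a userland rootkit install might (a trojanised ps, an LD_PRELOAD hook, a dropped library and a wiped log); the file names, including libhide.so, are invented for the illustration.

```python
"""File-integrity baseline and comparison for rootkit detection.

Added example (not from the chapter). The baseline is meant to be taken from a
known-good image and the comparison run from a trusted host against the suspect
disk mounted read-only, so the suspect OS's hooks cannot hide anything.
The directory tree and file names in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file under root (relative POSIX path) to digest, size and mode."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report paths added, removed, or changed (digest, size or mode) since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it the way a
    userland rootkit install might (trojanised ps, LD_PRELOAD hook, dropped
    library, wiped log) and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "var/log"):
            (root / sub).mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n")
        (root / "etc" / "ld.so.preload").write_text("")
        (root / "var" / "log" / "auth.log").write_text("login ok\n")
        # Round-trip through JSON, as a manifest saved to offline media would be.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Tampering: ps filters out the miner, the hook library is registered
        # and dropped, and the authentication log is deleted.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\" | grep -v miner\n")
        (root / "etc" / "ld.so.preload").write_text("/lib/libhide.so\n")
        (root / "lib").mkdir()
        (root / "lib" / "libhide.so").write_bytes(b"\x7fELF" + b"\x00" * 60)
        (root / "var" / "log" / "auth.log").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same script run on the live, infected system could be lied to by a kernel-mode rootkit that filters directory listings or file reads, which is exactly why the chapter recommends examining the suspect disk from a trusted system; the manifest itself should also be stored somewhere the attacker cannot reach.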
Like many of the other malware types, the best way to prevent rootkits is to follow normal security practices, including patching, secure configurations, and privilege management. Tools like Secure Boot and techniques that validate live systems and files can also help prevent rootkits from being installed or remaining resident.

Common IoCs for rootkits include:
- File hashes and signatures
- Command and control domains, IP addresses, and systems
- Behavior-based identification, such as the creation of services or executables, configuration changes, file access, and command invocation
- Opening of ports or creation of reverse proxy tunnels

An example of a rootkit used on automatic teller machines (ATMs), with example indicators, can be found at www.socinvestigation.com/unc2891-atm-rootkit-mandiant-advanced-practices-team-tracks-latest-indicators.

Since rootkits are specifically designed to avoid detection, mitigation can be particularly challenging. While antimalware and similar tools can sometimes gain an edge in detecting rootkits, detection and removal are difficult to guarantee. Proactively securing systems so that rootkits cannot be installed in the first place is a key element of rootkit mitigation. Since rootkits often invade the operating system and use hooks to make it help hide them, one technique that can reveal them is to remove the drive and connect it to another system; the infected operating system is then not running, and the rootkit's files may be visible. Similar examination can be performed on system images or snapshots of virtual machines.

Summary

Security professionals need to be aware of the most common forms of malware. This includes understanding how to identify common indicators of malicious activity related to malware attacks and to malware itself. The Security+ exam objectives focus on a few different types of malware.
These include ransomware, which most frequently targets victims by encrypting files and holding them for ransoms paid via cryptocurrency. Trojans are malware that is disguised to look like legitimate software but that takes malicious action once downloaded and run. Worms are malware that spread themselves on networks via vulnerable services, email, or file shares. Viruses are similar but only infect local systems and often require user action like running an application to infect a system. Spyware is malicious software that is intended to gather information about users,