A Section 6 - Malware.pdf


Section 6 – Malware

Malware
- Any software that is designed to infiltrate a computer system without the user’s knowledge

Threat Vector
- Specific method used by an attacker to infiltrate a victim’s machine
- Breaks into the system
  a. Unpatched Software
  b. Installing Code
  c. Phishing Campaign
  d. Other Vulnerabilities

Attack Vector
- A means by which an attacker gains access to a computer to infect the system with malware
- Breaks into and infects the system

Types of Malware Attacks

1. Virus
   a. Malicious software that attaches to clean files and spreads into a computer system

2. Worms
   a. Standalone malware that replicates and spreads to other systems by exploiting software vulnerabilities
   b. A piece of malicious software, much like a virus, but it can replicate itself without any user interaction
   c. Key difference between a virus and a worm is that:
      i. A virus requires a user to take action such as opening a file
      ii. A worm can replicate itself and spread throughout your network without a user’s consent or their action
   d. Worms are dangerous for two reasons:
      i. Can infect the workstation and other computing assets
      ii. Can cause disruptions to the normal network traffic since they are constantly trying to replicate and spread across the network
   e. Best known for spreading far and wide over the internet in a relatively short amount of time

3. Trojans
   a. Malicious programs which appear to be legitimate software that allow unauthorized access to a victim’s system when executed
   b. Commonly used today by attackers to exploit a vulnerability in a workstation and then conduct data exfiltration
   c. Always be careful to check for trojans by using a good antivirus or antimalware solution prior to opening or installing any programs
   d. Piece of malicious software that is disguised as a piece of harmless or desirable software
   e. Claims that it will perform some needed or desired function for you
   f. Remote Access Trojan (RAT)
      i. Widely used by modern attackers because it provides the attacker with remote control of a victim’s machine

4. Ransomware
   a. Encrypts a user’s data and holds it hostage until a ransom is paid to the attacker for decryption
   b. Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker
   c. How can we protect ourselves and our organizations against ransomware?
      i. Always conduct regular backups
         - Back up all important data, files, and systems
      ii. Install software updates regularly
         - Update all of the software, especially operating system and antivirus programs
      iii. Provide security awareness training to the end users
      iv. Implement Multi-Factor Authentication for the systems
         - Enable MFA to provide an extra layer of security
   d. What should you do if you find yourself or your organization as the victim of a ransomware attack?
      i. Never pay the ransom
         - Paying the ransom doesn’t actually guarantee that you will ever get your data back
      ii. If you suspect ransomware has infected your machine, you should disconnect it from the network
      iii. Notify authorities
      iv. Restore your data and system from known good backups

5. Zombies
   a. Compromised computers that are remotely controlled by attackers and used in coordination to form a botnet
   b. Used to perform tasks using remote commands from the attacker without the user’s knowledge
   c. Command and Control Node
      i. Responsible for managing and coordinating the activities of other nodes or devices within a network

6. Botnet
   a. Network of zombies, often used for DDoS attacks, spam distribution, or cryptocurrency mining
   b. Are used for:
      i. Pivot points
      ii. Disguise the real attacker
      iii. To host illegal activities
      iv. To spam others by sending out phishing campaigns and other malware
   c. Most common use for a botnet is to conduct a DDoS attack
   d. Botnets are used by attackers to combine processing power to break through different types of encryption schemes
   e. Attackers usually only use about 20-25% of any zombie’s power

7. Rootkits
   a. Malicious tools that hide their activities and operate at the OS level to allow for ongoing privileged access
   b. Designed to gain administrative level control over a given computer system without being detected
   c. Account with the highest level of permissions is called the Administrator Account
      i. Allows the person to install programs, open ports, shut ports, and do whatever it is they want to do on that system
      ii. In a UNIX, Linux, or MacOS computer, this type of administrator account is actually called the root account
   d. A computer system has several different rings of permissions throughout the system
      i. Ring 3 (Outermost Ring)
         - Where user level permissions are used
      ii. Ring 0 (Innermost or Highest Permission Levels)
         - Operating in Ring 0 is called “Kernel Mode”
         - Kernel Mode
           o Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
   e. If you login as the administrator or root user on a system, you have root permission and you will be operating at Ring 1 of the operating system
      i. Remember, the closer the malicious code is to the kernel, the more permissions it will have and the more damage it can cause on your system
   f. When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can hide from other functions of the operating system to avoid detection
   g. One technique used by rootkits to gain this deeper level of access is a DLL injection
      i. DLL Injection
         - Technique used to run arbitrary code within the address space of another process by forcing it to load a Dynamic-Link Library
      ii. Dynamic-Link Library
         - Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development
      iii. Shim
         - Piece of software code that is placed between two components and that intercepts the calls between those components and can be used to redirect them
   h. Rootkits are extremely powerful, and they are very difficult to detect because the operating system is essentially blinded to them
      i. To detect them, the best way is to boot from an external device and then scan the internal hard drive to ensure that you can detect those rootkits using a good antimalware scanning solution from a live boot Linux distribution
   i. Rootkit’s primary objective is to seamlessly embed itself into the operating system

8. Backdoors
   a. Malicious means of bypassing the normal authentication process to gain unauthorized access to a system
   b. Originally placed in computer programs to bypass the normal security and authentication functions
   c. Most often put into systems by designers and programmers
   d. RATs act just like a backdoor in our modern networks
      i. Can be placed by a threat actor on your computer to help them maintain persistent access to that system
   e. Easter Eggs
      i. Insecure coding practice that was used by programmers to provide a joke or a gag gift to the users
      ii. A hidden feature or novelty within a program that is typically inserted by the software developers as an inside joke
      iii. Code often has significant vulnerabilities
   f. In our modern applications, we should never include backdoors, easter eggs, or logic bombs because they go against our secure coding standards and best practices

9. Logic Bombs
   a. Embedded code placed in legitimate programs that executes a malicious action when a specific condition or trigger occurs
   b. Malicious code that’s inserted into a program and will only execute when certain conditions have been met

10. Keyloggers
   a. Record a user’s keystrokes and are used to capture passwords or other sensitive information
   b. Piece of software or hardware that records every single keystroke that is made on a computer or mobile device
   c. Can either be software or hardware:
      i. Software Keyloggers
         - Malicious programs that get installed on a victim’s computer
         - Often bundled with other software or delivered through social engineering attacks, like phishing or pretexting attacks
      ii. Hardware Keyloggers
         - Physical devices that need to be plugged into a computer
         - These will resemble a USB drive or they can be embedded within a keyboard cable itself
   d. To protect your organization from keyloggers, ensure the following:
      i. Perform regular updates and patches
      ii. Rely on quality antivirus and antimalware solutions
      iii. Conduct phishing awareness training for your users
      iv. Implement multi-factor authentication systems
      v. Encrypt keystrokes being sent to your systems
      vi. Perform physical checks of your desktops, laptops, and servers

11. Spyware
   a. Secretly monitors and gathers user information or activities and sends data to third parties
   b. Malicious software that is designed to gather and send information about a user or organization without their knowledge
   c. Can get installed on a system in several different ways:
      i. Bundled with other software
      ii. Installed through a malicious website
      iii. Installed when users click on a deceptive pop-up advertisement
   d. To help protect yourself against spyware, you should only use reputable antivirus and antispyware tools that are regularly updated to detect and remove any potential threats

12. Bloatware
   a. Unnecessary or pre-installed software that consumes system resources and space without offering any value to the user
   b. Any software that comes pre-installed on a new computer or smartphone that you, as the user, did not specifically request, want, or need
   c. Other examples of bloatware are things like unnecessary toolbars or applications that promote certain services
   d. Isn’t malicious, but it can:
      i. Waste your storage space
      ii. Slow down the performance of your devices
      iii. Introduce security vulnerabilities into your systems
   e. Remember, anytime a piece of software is installed, that is one more potential threat vector for an attacker to exploit if you don’t properly update that application
   f. To remove bloatware, you can do any of the following:
      i. Do a manual removal process
      ii. Use bloatware removal tools to uninstall the unwanted applications
      iii. Perform a clean operating system installation

Malware Exploitation Techniques
- Involve methods by which malware infiltrates and infects targeted systems
- Specific method by which malware code penetrates and infects a targeted system
- Some malware focuses on infecting the system’s memory to leverage remote procedure calls over the organization’s network
  a. Most modern malware uses fileless techniques to avoid detection by signature-based security software
  b. Fileless Malware is used to create a process in the system memory without relying on the local file system of the infected host
- How does this modern malware work?
  a. When a user accidentally clicks on a malicious link or opens a malicious file, the specific type of malware being installed is known as a stage one dropper or downloader
     ▪ Stage 1 Dropper or Downloader
       - Piece of malware that is usually created as lightweight shellcode that can be executed on a given system
     ▪ Dropper
       - Specific malware type designed to initiate or run other malware forms within a payload on an infected host
     ▪ Downloader
       - Retrieves additional tools after the initial infection facilitated by a dropper
     ▪ The primary function of a stage one dropper or downloader is to retrieve additional portions of the malware code and trick the user into activating it
     ▪ Shellcode
       - Broader term that encompasses lightweight code meant to execute an exploit on a given target
     ▪ Stage 2 Downloader
       - Downloads and installs a Remote Access Trojan to conduct command and control on the victimized system
     ▪ “Actions on Objectives” Phase
       - Threat actors will execute primary objectives to meet core objectives like data exfiltration or file encryption
     ▪ Concealment
       - Used to help the threat actor prolong unauthorized access to a system by:
         o Hiding tracks
         o Erasing log files
         o Hiding any evidence of malicious activity
     ▪ “Living off the land”
       - A strategy adopted by many Advanced Persistent Threats and criminal organizations
       - The threat actors try to exploit the standard tools to perform intrusions

Indications of Malware Attacks
- 9 Common Indicators of Malware Attacks
  a. Account Lockouts
     ▪ Malware, especially those designed for credential theft or brute force attacks, can trigger multiple failed login attempts that would result in a user’s account being locked out
  b. Concurrent Session Utilization
     ▪ If you notice that a single user account has multiple simultaneous or concurrent sessions open, especially from various geographic locations
  c. Blocked Content
     ▪ If there is a sudden increase in the amount of blocked content alerts you are seeing from your security tools
  d. Impossible Travel
     ▪ Refers to a scenario where a user’s account is accessed from two or more geographically separated locations in an impossibly short period of time
  e. Resource Consumption
     ▪ If you are observing any unusual spikes in CPU, memory, or network bandwidth utilization that cannot be linked back to a legitimate task
  f. Resource Inaccessibility
     ▪ Ransomware
       - Form of malware that encrypts user files to make them inaccessible to the user
     ▪ If a large number of files or critical systems suddenly become inaccessible or if users receive messages demanding payment to decrypt their data
  g. Out-of-Cycle Logging
     ▪ If you are noticing that your logs are being generated at odd hours or during times when no legitimate activities should be taking place, such as in the middle of the night when no employees are actively working
  h. Missing Logs
     ▪ If you are conducting a log review as a cybersecurity analyst and you see that there are gaps in your logs or if the logs have been cleared without any authorized reason
  i. Published or Documented Attacks
     ▪ If a cybersecurity researcher or reporter published a report that shows that your organization’s network has been infected as a part of a botnet or other malware-based attacks

Computer Virus
- Malicious code that runs on a machine without the user’s knowledge and this allows the code to infect the computer whenever it has been run

Boot Sector Virus
- Stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up
- To find and remove these viruses, use an anti-virus that specifically looks for boot sector viruses

Macro Virus
- A form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus is executed

Program Virus
- Tries to find executables or application files to infect with their malicious code

Multipartite Virus
- A combination of a boot sector type virus and a program virus
- Even if a cybersecurity professional finds the program part of the virus and cleans it out from within the operating system, they may have missed the boot sector portion

Encrypted Virus
- Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid detection by any antivirus software

Polymorphic Virus
- Advanced version of an encrypted virus, but instead of just encrypting the contents, it will actually change the virus’s code each time it is executed by altering the decryption module in order for it to evade detection

Metamorphic Virus
- Able to rewrite itself entirely before it attempts to infect a given file

Stealth Virus
- Not necessarily a specific type of virus as much as it is a technique used to prevent the virus from being detected by the antivirus software

Armored Virus
- Has a layer of protection to confuse a program or a person who’s trying to analyze it

Hoax
- A form of technical social engineering that attempts to scare end users into taking undesirable action on their system
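
Two of the indicators listed under Indications of Malware Attacks, Impossible Travel and Missing Logs, can be checked mechanically over login and log data. The following Python code is an added example, not part of the original notes; the 900 km/h speed ceiling, the 50 km geolocation allowance, the 15-minute silence window, and all sample events are assumptions constructed for illustration.

```python
# Added example: checks for two indicators from the notes, "Impossible Travel"
# and "Missing Logs". All events below are constructed sample data.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, earlier, later) for consecutive logins needing > max_kmh."""
    hits, last = [], {}
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        if prev:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            dist = km_between(prev["geo"], ev["geo"])
            # Ignore < 50 km (assumed geo-IP jitter); zero elapsed time is impossible.
            if dist > 50 and (hours == 0 or dist / hours > max_kmh):
                hits.append((ev["user"], prev["time"], ev["time"]))
        last[ev["user"]] = ev
    return hits

def log_gaps(timestamps, max_silence=timedelta(minutes=15)):
    """Return (start, end) pairs where a normally steady log source went quiet."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]

T0 = datetime(2024, 1, 10, 9, 0)
LOGINS = [  # constructed: alice appears in London, then New York 40 minutes later
    {"user": "alice", "time": T0, "geo": (51.51, -0.13)},
    {"user": "bob", "time": T0 + timedelta(minutes=5), "geo": (48.86, 2.35)},
    {"user": "alice", "time": T0 + timedelta(minutes=40), "geo": (40.71, -74.01)},
    {"user": "bob", "time": T0 + timedelta(hours=3), "geo": (51.51, -0.13)},
]
# constructed: a heartbeat every 5 minutes with entries 4..15 missing (cleared)
HEARTBEATS = [T0 + timedelta(minutes=5 * i) for i in range(24) if not 4 <= i <= 15]

if __name__ == "__main__":
    print(impossible_travel(LOGINS))
    print(log_gaps(HEARTBEATS))
```

Bob's Paris-to-London logins about three hours apart are plausible travel and are not flagged; only alice's pair and the 65-minute heartbeat gap are reported.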
