A Section 6 - Malware.pdf

Full Transcript

Section 6 – Malware

Malware

- Any software that is designed to infiltrate a computer system without the user’s knowledge

Threat Vector

- Specific method used by an attacker to infiltrate a victim’s machine
- Breaks into the system
a. Unpatched Software
b. Installing Code
c. Phishing Campaign
d. Other Vulnerabilities

Attack Vector

- A means by which an attacker gains access to a computer to infect the system with malware
- Breaks into and infects the system

Types of Malware Attacks

1. Virus
a. Malicious software that attaches to clean files and spread into a computer system
2. Worms
a. Standalone malware that replicates and spread to other systems by exploiting software
vulnerabilities
b. A piece of malicious software, much like a virus, but it can replicate itself without any user
interaction
c. Key difference between a virus and a worm is that:
i. A virus requires a user to take action such as opening a file
ii. A worm can replicate itself and spread throughout your network without a user’s
consent or their action
d. Worms are dangerous for two reasons:
i. Can infect the workstation and other computing assets
ii. Can cause disruptions to the normal network traffic since they are constantly
trying to replicate and spread across the network
e. Best known for spreading far and wide over the internet in a relatively short amount of
time
3. Trojans
a. Malicious programs which appear to be legitimate software that allow unauthorized
access to a victim’s system when executed
b. Commonly used today by attackers to exploit a vulnerability in a workstation and then
conducting data exfiltration
c. Always be careful to check for trojans by using a good antivirus or antimalware solution
prior to opening or installing any programs
d. Piece of malicious software that is disguised as a piece of harmless or desirable software
e. Claims that it will perform some needed or desired function for you
 f. Remote Access Trojan (RAT)
i. Widely used by modern attackers because it provides the attacker with remote
control of a victim’s machine
4. Ransomware
a. Encrypts a user’s data and holds it hostage until a ransom is paid to the attacker for
decryption
b. Type of malicious software that is designed to block access to a computer system or its
data by encrypting it until a ransom is paid to the attacker
c. How can we protect ourselves and our organizations against ransomware?
i. Always conducting regular backups
Backup all of important data, files, and systems
ii. Installing software updates regularly
Update all of the software, especially operating system and antivirus
programs
iii. Provide security awareness training to the end users
iv. Implementing Multi-Factor Authentication for the systems
Enable MFA to provide an extra layer of security
d. What should you do if you find yourself or your organization as the victim of a ransomware
attack?
i. Never pay the ransom
Paying the ransom doesn’t actually guarantee that you will ever get your
data back
ii. If you suspect ransomware has infected your machine, you should disconnect it
from the network
iii. Notify authorities
iv. Restore your data and system from known good backups
5. Zombies
a. Compromised computers that are remotely controlled by attackers and used in
coordination to form a botnet
b. Used to perform tasks using remote commands from the attacker without the user’s
knowledge
c. Command and Control Node
i. Responsible for managing and coordinating the activities of other nodes or
devices within a network
6. Botnet
a. Network of zombies and are often used for DDoS attacks, spam distribution, or
cryptocurrency mining
b. Are used for:
i. Pivot points
ii. Disguise the real attacker
iii. To host illegal activities
iv. To spam others by sending out phishing campaigns and other malware
c. Most common use for botnet is to conduct a DDoS attack
 d. Botnets are used by attackers to combine processing power to break through different
types of encryption schemes
e. Attackers usually only use about 20-25% of any zombie’s power
7. Rootkits
a. Malicious tools that hide their activities and operate at the OS level to allow for ongoing
privileged access
b. Designed to gain administrative level control over a given computer system without being
detected
c. Account with the highest level of permissions is called the Administrator Account
i. Allows the person to install programs, open ports, shut ports, and do whatever it
is they want to do on that system
ii. In a UNIX, Linux, or MacOS computer, this type of administrator account is actually
called the root account
d. A computer system has several different rings of permissions throughout the system
i. Ring 3 (Outermost Ring)
Where user level permissions are used
ii. Ring 0 (Innermost or Highest Permission Levels)
Operating in Ring 0 is called “Kernel Mode”
Kernel Mode
o Allows a system to control access to things like device drivers,
your sound card, your video display or monitor, and other similar
things
e. If you login as the administrator or root user on a system, you have root permission and
you will be operating at Ring 1 of the operating system
i. Remember, the closer the malicious code is to the kernel, the more permissions
it will have and the more damage it can cause on your system
f. When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can
hide from other functions of the operating system to avoid detection
g. One technique used by rootkits to gain this deeper level of access is a DLL injection
i. DLL Injection
Technique used to run arbitrary code within the address space of another
process by forcing it to load a Dynamic-Link Library
ii. Dynamic-Link Library
Collection of code and data that can be used by multiple programs
simultaneously to allow for code reuse and modularization in software
development
iii. Shim
Piece of software code that is placed between two components and that
intercepts the calls between those components and can be used to
redirect them
h. Rootkits are extremely powerful, and they are very difficult to detect because the
operating system is essentially blinded to them
 i. To detect them, the best way is to boot from an external device and then scan the
internal hard drive to ensure that you can detect those rootkits using a good
antimalware scanning solution from a live boot Linux distribution
i. Rootkit’s primary objective is to seamlessly embed itself into the operating system
8. Backdoors
a. Malicious means of bypassing normal authentication process to gain unauthorized access
to a system
b. Originally placed in computer programs to bypass the normal security and authentication
functions
c. Most often put into systems by designers and programmers
d. RATs act just like a backdoor in our modern networks
i. Can be placed by a threat actor on your computer to help them maintain
persistent access to that system
e. Easter Eggs
i. Insecure coding practice that was used by programmers to provide a joke or a gag
gift to the users
ii. A hidden feature or novelty within a program that is typically inserted by the
software developers as an inside joke
iii. Code often has significant vulnerabilities
f. In our modern applications, we should never include backdoors, easter eggs, or logic
bombs because they do go against our secure coding standards and best practices
9. Logic Bombs
a. Embed code placed in legitimate programs that executes malicious action when a specific
condition or trigger occurs
b. Malicious code that’s inserted into a program and will only execute when certain
conditions have been met
10. Keyloggers
a. Record a user’s keystrokes and are used to capture password or other sensitive
information
b. Piece of software or hardware that records every single keystroke that is made on a
computer or mobile device
c. Can either be software or hardware:
i. Software Keyloggers
Malicious programs that get installed on a victim’s computer
Often bundled with other software or delivered through social
engineering attacks, like phishing or pretexting attacks
ii. Hardware Keyloggers
Physical devices that need to be plugged into a computer
These will resemble a USB drive or they can be embedded within a
keyboard cable itself
d. To protect your organization from keyloggers, ensure the following:
i. Perform regular updates and patches
ii. Rely on quality antivirus and antimalware solutions
iii. Conduct phishing awareness training for your users
 iv. Implement multi-factor authentication systems
v. Encrypt keystrokes being sent to your systems
vi. Perform physical checks of your desktops, laptops, and servers
11. Spyware
a. Secretly monitors and gathers user information or activities and sends data to third parties
b. Malicious software that is designed to gather and send information about a user or
organization without their knowledge
c. Can get installed on a system in several different ways:
i. Bundled with other software
ii. Installed through a malicious website
iii. Installed when users click on a deceptive pop-up advertisement
d. To help protect yourself against spyware, you should only use reputable antivirus and
antispyware tools that are regularly updated to detect and remove any potential threats
12. Bloatware
a. Unnecessary or pre-installed software that consumes system resources and space without
offering any value to the user
b. Any software that comes pre-installed on a new computer or smartphone that you, as the
user, did not specifically request, want, or need
c. Other examples of bloatware are things like unnecessary toolbars or applications that
promote certain services
d. Isn’t malicious, but it can:
i. Waste your storage space
ii. Slow down the performance of your devices
iii. Introduce security vulnerabilities into your systems
e. Remember, anytime a piece of software is installed, that is one more potential threat
vector for an attacker to exploit if you don’t properly update that application
f. To remove bloatware, you can either do the following:
i. Do a manual removal process
ii. Use bloatware removal tools to uninstall the unwanted applications
iii. Perform a clean operating system installation

Malware Exploitation Techniques

- Involve methods by which malware infiltrates and infects targeted systems
- Specific method by which malware code penetrates and infects a targeted system
- Some malware focuses on infecting the system’s memory to leverage remote procedure calls over
the organization’s network
a. Most modern malware uses fileless techniques to avoid detection by signature-based
security software
b. Fileless Malware is used to create a process in the system memory without relying on the
local file system of the infected host
- How does this modern malware work?
a. When a user accidentally clicks on a malicious link or opens a malicious file, the specific
type of malware being installed is known as a stage one dropper or downloader
▪ Stage 1 Dropper or Downloader
 Piece of malware that is usually created as lightweight shellcode that can
be executed on a given system
▪ Dropper
Specific malware type designed to initiate or run other malware forms
within a payload on an infected host
▪ Downloader
Retrieve additional tools post the initial infection facilitated by a dropper
▪ The primary function of a stage one dropper or downloader is to retrieve
additional portions of the malware code and trick the user into activating it
▪ Shellcode
Broader term that encompasses lightweight code meant to execute an
exploit on a given target
▪ Stage 2 Downloader
Downloads and installs a Remote Access Trojan to conduct command and
control on the victimized system
▪ “Actions on Objectives” Phase
Threat actors will execute primary objectives to meet core objectives like
data exfiltration or file encryption
▪ Concealment
Used to help the threat actor prolong unauthorized access to a system by:
o Hiding tracks
o Erasing log files
o Hiding any evidence of malicious activity
▪ “Living off the land”
A strategy adopted by many Advanced Persistent Threats and criminal
organizations
The threat actors try to exploit the standard tools to perform intrusions

Indications of Malware Attacks

- 9 Common Indicators of Malware Attacks
a. Account Lockouts
▪ Malware, especially those designed for credential theft or brute force attacks, can
trigger multiple failed logins attempts that would result in a user’s account being
locked out
b. Concurrent Session Utilization
▪ If you notice that a single user account has multiple simultaneous or concurrent
sessions open, especially from various geographic locations
c. Blocked Content
▪ If there is a sudden increase in the amount of blocked content alerts you are
seeing from your security tools
d. Impossible Travel
▪ Refers to a scenario where a user’s account is access from two or more
geographically separated locations in an impossibly short period of time
e. Resource Consumption
 ▪ If you are observing any unusual spikes in CPU, memory, or network bandwidth
utilization that cannot be linked back to a legitimate task
f. Resource Inaccessibility
▪ Ransomware
Form of malware that encrypts user files to make them inaccessible to
the user
▪ If a large number of files or critical systems suddenly become inaccessible or if
users receive messages demanding payment to decrypt their data
g. Out-of-Cycle Logging
▪ If you are noticing that your logs are being generated at odd hours or during time
when no legitimate activities should be taking place such as in the middle of the
night when no employees are actively working
h. Missing Logs
▪ If you are conducting a log review as a cybersecurity analyst and you see that
there are gaps in your logs or if the logs have been cleared without any authorized
reason
i. Published or Documented Attacks
▪ If a cybersecurity research or reporter published a report that shows that your
organization’s network has been infected as a part of a botnet or other malware-
based attacks

Computer Virus

- Malicious code that run on a machine without the user’s knowledge and this allows the code to
infect the computer whenever it has been run

Boot Sector Virus

- Stored in the first sector of a hard drive and is then loaded into memory whenever the computer
boots up
- To find and remove these viruses, use an anti-virus that specifically looks for boot sector viruses

Macro Virus

- A form of code that allows a virus to be embedded inside another document so that when that
document is opened by the user, the virus is executed

Program Virus

- Tries to find executables or application files to infect with their malicious code

Multipartite Virus

- A combination of a boot sector type virus and a program virus
- Even if a cybersecurity professional finds the program part of the virus and cleans it out from
within the operating system, they may have missed the boot sector portion

Encrypted Virus
 - Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid
detection by any antivirus software

Polymorphic Virus

- Advanced version of an encrypted virus, but instead of just encrypting the contents, it will actually
change the virus’s code each time it is executed by altering the decryption module in order for it
to evade detection

Metamorphic Virus

- Able to rewrite itself entirely before it attempts to infect a given file

Stealth Virus

- Not necessarily a specific type of virus as much as it is a technique used to prevent the virus from
being detected by the antivirus software

Armored Virus

- Has a layer of protection to confuse a program or a person who’s trying to analyze it

Hoax

- A form of technical social engineering that attempts to scare end users into taking undesirable
action on their system