Full Transcript

Information and Awareness 1949: Information and Awareness started with an IDEA called Self-Reproducing Automatons FIRST WORM: infected and crashed 6,000 computers. 1995: Hollywood introduced us to hackers Zero Cool, Crash Override, Cereal Killer and Lord Nikon TROJAN: came first before virus, bu...

Information and Awareness 1949: Information and Awareness started with an IDEA called Self-Reproducing Automatons FIRST WORM: infected and crashed 6,000 computers. 1995: Hollywood introduced us to hackers Zero Cool, Crash Override, Cereal Killer and Lord Nikon TROJAN: came first before virus, but it was never called “trojan” yet MOTHER VIRUS: created to inject the malicious infection code to a target host file. “A program that do bad things is useless if it does not have a victim” WHAT MAKES A MALWARE A MALICIOUS SOFTWARE? User is not AWARE of its activities Causes DAMAGE or DESTRUCTIVE to your computer STEALS information Gain REMOTE ACCESS MODIFY SYSTEM settings MODIFY FILES in your computer without user’s knowledge like a VIRUS WHAT IS A VIRUS? Computer program that reproduces its malicious infecting codes to a host file CYBER WORLD VIRUS: Boot Virus Infects the Master Boot Record of a bootable device Replaces the original Boot Record with its malicious code that infects another bootable DISK that it comes to contact with. DOS Virus Infects a DOS based or a 16-bit platform file Copies its malicious code that infects another DOS based file that it comes to contact or meets its file structure requirement Portable Executable Virus Infects a 32-bit or 64-bit platform file Copies its malicious code that infects another PE file that it comes to contact or meets its file structure requirement. Script Virus Infects non-Binary based applications like Macro script in Word Documents, HTML, JAVA Script, VB Script or any text-based programs. Copies its malicious code that infects another Script file. It should meet its program platform that will allow to execute its infecting script code ❖ TYPES OF VIRUS INFECTION ▪ PREPENDING Pushes the host’s code at the bottom and then adds its file infection code or routine above it ▪ CAVITY Inserts the file infection code or routine to blank spaces of the Host’s code ▪ APPENDING Adds the file infection code or routine at the bottom of the Host’s code ▪ OVERWRITING Puts its file infection code or routine directly on top of the Host’s code This will cause the Host code or program to be corrupted and can no longer be restored ▪ SANDWICH Adds the file infection code or routine between the Host’s code EVOLUTION OF VIRUS o Multi-Partite Virus: infects both the MBR and Files o Blended Threat Virus: infect files and spread copies of an infected file like a worm malware o Virus can encrypt its own code or use a file packer to protect its infection code against AV detection and disinfection o Virus disinfects itself when opened for analysis SYMPTOMS OF A VIRUS INFECTION 1. Change in FILE Size 2. Increase in Disk Space used 3. Computer responds slower 4. Programs not running or corrupted EVOLUTION OF VIRUS TO MALWARE Viruses are: I. Too obvious to notice its symptoms ✓ Slowing the computer’s performance ✓ Applications don’t work properly ✓ Disk Space instantly consumed II. Gives too much attention ✓ Pop-up messages ✓ Early Attacks focuses more on Showing OFF III. Became way too Popular ✓ Method of infection got too familiar EVOLUTION OF VIRUS TO MALWARE TO GREYWARE 1981: ELK CLONER 1988: Morris WORM 1989: AIDS Trojan 2003: Spywares WHAT IS A WORM? A computer program that reproduces itself to execute its malicious Payload An animal (cka) Most of the time, it is unwanted (ay shak ata) IN THE CYBER WORLD Spreads or Distributes copies of itself thru: ✓ EMAIL ✓ Exploiting a Vulnerability ✓ USB drives ✓ Peer to Peer ✓ Shared Folders ✓ Shared Drives Able to run and survive after reboot Does not infect any host file ARPANET Worm Spreads by exploiting a vulnerability thru the internet Payload crashed 6,000 computers Happy99 First known WORM that spreads thru email Payload hides the changes being made to the system Wishes the infected user a Happy New Year Followed by WORM_MELISSA(2nd WORM) which nearly infected a million computer “I Love You Virus” (ehem) Not really a file infector A.K.A Love Bug Spreads thru email Stole username and password Deletes JPG, MP2 and MP3 files WORM_DOWNAD A.K.A Conficker Spreads copies itself by exploiting a vulnerability and USB drives Capable of downloading files from the internet WORM_STUXNET Hack of the Century Spreads copies itself by exploiting a vulnerability and USB drives Capable of controlling a machinery that shapes a nuclear bomb component Not meant to infect other computers globally ABOUT VIRUS WORMS Notorious file infectors, not only infect files, but they also use WORM behavior to infect more victims Sometimes Hackers go against Hackers. In 2004, WORM_NETSKY and WORM_BAGLE started stopping each other’s infection WHAT IS A TROJAN HORSE? A supposed gift for the city of Troy to trick them into opening their impenetrable gate IN REAL LIFE: Huge wooden Horse From the Trojan War Payload of Greek Soldiers IN THE CYBER WORLD: Tricks users into executing their malicious code ✓ Double extension ✓ Change ICON Does not spread or reproduce itself ✓ Attached in a SPAM email ✓ Drive by Downloads vie the Internet Does not Infect any host file TSPY_FAKEAV A trojan spyware capable of logging keyboard inputs Targets Credit Card information Also, a SCAREWARE where its pop-ups an Anti-Virus like window, that pretends to be scanning and detecting malwares that does not exist. TROJ_YOKABABS Infects computer thru user visiting a compromised website or a drive by download Payload is to open ports of the infected computer for download and eventually remote access RANSOM_PETYA Invades the master boot record of the infected system Users are asked to pay in bitcoin to be able to regain and reactivate the computer’s MBR, thus able to reboot back to Windows OS EVOLUTION OF TROJAN A. BACKDOOR ✓ A.KA. remote access TROJAN ✓ Provides remote access to infected computer B. BOT OR BOTNETS ✓ Robot or Zombie Trojans ✓ Activated only when botmaster issues a task C. ROOTKIT ✓ Trojan that establishes itself in the Root level to be able to hide its physical file, process and registry entry D. TROJAN SPYWARE ✓ A trojan that logs keyboard inputs, monitor user activity and system settings E. PATCH ✓ A trojan that inserts a malicious code routine into a windows system file F. RANSOMWARE ✓ A trojan that encrypts files with a ransom note G. GREYWARE OR POTENTIALLY UNWANTED PROGRAMS ✓ Normal applications and user are fully aware of its intent ✓ Normal applications that could be annoying to a user but does not do any damage H. TURNING INTO WORM ✓ Effectivity of some Trojan Payloads, especially those into cybercrime, needed to infect more victims POTENTIALLY UNWANTED PROGRAMS (wow unwanted) 1) Normal and legitimate programs 2) Written and published by a software company 3) User may have accompanied by an end user license agreement 4) Sometimes they could be annoying 5) Sometimes they can be used for a malicious attack ADW_BBINSTALL Adware is an Advertising Software Pop-ups a graphical image to show its downloaded advertisement Arrives upon visiting a legitimate website Usually, users are also not aware of its installation SPY_STARRMON Logs keystrokes, windows title and system activities Ideally for securing a computer environment thru spying HKTL_FLOODER An application that is used to automate message sending Used to flood messages instead CURRENT AND MOST DANGEROUS MALWARES a. RANSOMEWARE b. BOTNET c. MBR SWIPERS d. WOMR_DISTTRACK PREVENTION a. ANTI-VIRUS APPLICATIONS ✓ Software that protects devices against malwares ✓ Commonly used as the first line of defense ✓ A necessity b. FIREWALL ✓ Protects computers on the network side ✓ Can be in a hardware or software or both ✓ Filters network traffic based on user’s security settings ✓ Proactive but with high false positives PREPARATION i. APPLYING UPDATES ii. APPLYING PATCH UPDATES iii. APPLYING UPGRADES iv. CONTINUOUS IMPROVEMENT OF SECURITY DETECTION It is important to identify and detect a malware infection not just thru a software, but also thru education SENSORS i. FIREWALL o Helps you identify the source of infection and understand how the infection occurred ii. NEW ANTI-VIRUS FEATURES MALWARE SYMPTOMS 1. VIRUS / FILE INFECTOR ✓ Host file size have changed ✓ Slower execution of infected files ✓ Slower Computer processing 2. WORM ✓ Mass mail with attached executed file ✓ Files using unusual or system file names ✓ Unsigned running processes ✓ Files with pornographic titles shared and peer to peer folders ✓ Computers in the network have the same copy of the malware ✓ Slower network communication ✓ Slower computer processing time 3. TROJAN ✓ Files using unusual or system file names ✓ Unsigned running processes ✓ Slower network communication ✓ Slower computer processing time MALWARE INFECTION Can come from a pop-up message from anti-virus program ANTI-VIRUS DETECTION 1) Files Detection 2) Behavioral Monitoring Detection 3) Firewall Detection CONFIRM MALWARE INFECTION a) Running Process b) Unknown Network Communication c) Autostart Techniques OTHER MALWARE INFECTION Opened PORTs ✓ Used to gain remote access to the victim computer Lowered Browsing Security Settings ✓ Allow download and execution of other malwares Modification of HOSTS file ✓ Used to prevent Anti-Virus updates Termination of Anti-Virus programs ✓ Evade detection MALWARE PAYLOAD KEYLOGGER ✓ Gain user credentials EXTRACT DATA ✓ Important data that could be used against the victim REMOTE ACCESS ✓ Control Victims computer DOWNLOAD FILE FROM THE INTERNET ✓ Update malware copy or download other malwares MITIGATION 1. Identifying the Infected Environment 2. Analysis that Leads to the Declaration of Incident 3. Network Scanning 4. Minimizing the Damage 5. Network Isolation 6. Malware Removal MALWARE ENTRY POINT ✓ Email ✓ URL links ✓ USB or Storage devices ✓ Social Engineering PATIENT ZERO ✓ First to experience the infection ✓ Probable cause of the infection ✓ Entry point started here IDENTIFY THE HOLE IN YOUR VULNERABILITY ✓ Vulnerability ✓ Email Attachments ✓ Malicious URL links ✓ USB drives ✓ Poor Security PREVENT RE-INFECTION ✓ Educate ✓ Update ✓ Upgrade

Use Quizgecko on...
Browser
Browser