
beh-review-kan.pdf


Full Transcript


INFORMATION AND AWARENESS
1949: Information and awareness started with an IDEA called Self-Reproducing Automata (John von Neumann).
FIRST WORM: infected and crashed about 6,000 computers.
1995: Hollywood introduced us to the hackers Zero Cool, Crash Override, Cereal Killer and Lord Nikon (the film Hackers).
TROJAN: came before the virus, but it was not yet called a "trojan".
MOTHER VIRUS: created to inject its malicious infection code into a target host file.
"A program that does bad things is useless if it does not have a victim."

WHAT MAKES SOFTWARE MALICIOUS (MALWARE)?
✓ The user is not AWARE of its activities
✓ Causes DAMAGE to, or is DESTRUCTIVE to, your computer
✓ STEALS information
✓ Gains REMOTE ACCESS
✓ MODIFIES SYSTEM settings
✓ MODIFIES FILES on your computer without the user's knowledge, like a VIRUS

WHAT IS A VIRUS?
A computer program that reproduces its malicious infecting code into a host file.

CYBER WORLD VIRUS TYPES
▪ Boot Virus
  ✓ Infects the Master Boot Record of a bootable device
  ✓ Replaces the original boot record with its malicious code, which then infects any other bootable DISK it comes into contact with
▪ DOS Virus
  ✓ Infects a DOS-based or 16-bit platform file
  ✓ Copies its malicious code into any other DOS-based file it comes into contact with that meets its file structure requirements
▪ Portable Executable (PE) Virus
  ✓ Infects a 32-bit or 64-bit Windows platform file
  ✓ Copies its malicious code into any other PE file it comes into contact with that meets its file structure requirements
▪ Script Virus
  ✓ Infects non-binary applications: macro scripts in Word documents, HTML, JavaScript, VBScript or any other text-based program
  ✓ Copies its malicious code into another script file
  ✓ The target must match the program platform that allows the infecting script code to execute

❖ TYPES OF VIRUS INFECTION
▪ PREPENDING: pushes the host's code down and adds the infection routine above it, so the infector runs before the host
▪ CAVITY: inserts the infection routine into blank (padding) spaces inside the host's code, so the file size does not change
▪ APPENDING: adds the infection routine at the end of the host's code
▪ OVERWRITING: puts the infection routine directly on top of the host's code; the host program is corrupted and can no longer be restored
▪ SANDWICH: adds the infection routine in between sections of the host's code

EVOLUTION OF VIRUS
o Multi-Partite Virus: infects both the MBR and files
o Blended Threat Virus: infects files and spreads copies of an infected file like a worm
o A virus can encrypt its own code or use a file packer to protect its infection code against AV detection and disinfection
o Some viruses disinfect themselves (remove their own code from the host) when opened for analysis

SYMPTOMS OF A VIRUS INFECTION
1. Change in FILE size
2. Increase in disk space used
3. Computer responds more slowly
4. Programs not running or corrupted

EVOLUTION OF VIRUS TO MALWARE
Viruses were:
I. Too obvious: their symptoms were easy to notice
✓ Slowing the computer's performance
✓ Applications not working properly
✓ Disk space instantly consumed
II. Attracting too much attention
✓ Pop-up messages
✓ Early attacks focused more on showing off
III. Way too popular
✓ The method of infection became too familiar

EVOLUTION OF VIRUS TO MALWARE TO GREYWARE
1981: ELK CLONER
1988: Morris WORM
1989: AIDS Trojan
2003: Spyware

WHAT IS A WORM?
A computer program that reproduces itself to execute its malicious payload.
An animal. Most of the time, it is unwanted.
IN THE CYBER WORLD
Spreads or distributes copies of itself through:
✓ EMAIL
✓ Exploiting a vulnerability
✓ USB drives
✓ Peer to peer
✓ Shared folders
✓ Shared drives
✓ Able to run and survive after a reboot
✓ Does not infect any host file

ARPANET Worm (the Morris worm, 1988)
✓ Spreads by exploiting vulnerabilities over the internet
✓ Payload crashed about 6,000 computers
Happy99
✓ First known WORM that spreads through email
✓ Payload hides the changes it makes to the system
✓ Wishes the infected user a Happy New Year
✓ Followed by WORM_MELISSA (the 2nd email worm), which infected nearly a million computers
"I Love You Virus", A.K.A. Love Bug
✓ Not really a file infector (it is a worm)
✓ Spreads through email
✓ Stole usernames and passwords
✓ Overwrites JPG, MP2 and MP3 files with copies of itself
WORM_DOWNAD, A.K.A. Conficker
✓ Spreads copies of itself by exploiting a vulnerability (MS08-067) and through USB drives
✓ Capable of downloading files from the internet
WORM_STUXNET ("Hack of the Century")
✓ Spreads copies of itself by exploiting vulnerabilities and through USB drives
✓ Capable of manipulating the industrial controllers (Siemens PLCs) that drive uranium enrichment centrifuges
✓ Not meant to infect other computers globally

ABOUT VIRUS WORMS
Notorious file infectors that not only infect files but also use WORM behaviour to reach more victims.
Sometimes hackers go against hackers: in 2004, WORM_NETSKY and WORM_BAGLE started removing each other's infections.

WHAT IS A TROJAN HORSE?
A supposed gift for the city of Troy, used to trick the Trojans into opening their impenetrable gate.
IN REAL LIFE:
✓ Huge wooden horse
✓ From the Trojan War
✓ Payload of Greek soldiers
IN THE CYBER WORLD:
✓ Tricks users into executing its malicious code
  ✓ Double extension (e.g. a file named report.txt.exe)
  ✓ Changed ICON
✓ Does not spread or reproduce itself
  ✓ Attached to a SPAM email
  ✓ Drive-by downloads via the Internet
✓ Does not infect any host file

TSPY_FAKEAV
✓ A trojan spyware capable of logging keyboard input
✓ Targets credit card information
✓ Also SCAREWARE: pops up an anti-virus-like window that pretends to scan for and detect malware that does not exist
TROJ_YOKABABS
✓ Infects a computer when the user visits a compromised website (a drive-by download)
✓ Payload opens ports on the infected computer for downloads and, eventually, remote access
RANSOM_PETYA
✓ Overwrites the master boot record of the infected system and encrypts the disk's file table
✓ Users are asked to pay in bitcoin to regain and reactivate the computer's MBR, and so be able to boot back into Windows

EVOLUTION OF TROJAN
A. BACKDOOR
✓ A.K.A. remote access trojan (RAT)
✓ Provides remote access to the infected computer
B. BOT OR BOTNET
✓ Robot or zombie trojans
✓ Activated only when the botmaster issues a task
C. ROOTKIT
✓ A trojan that establishes itself at the root (kernel or administrator) level to hide its physical file, process and registry entries
D. TROJAN SPYWARE
✓ A trojan that logs keyboard input and monitors user activity and system settings
E. PATCH
✓ A trojan that inserts a malicious code routine into a Windows system file
F. RANSOMWARE
✓ A trojan that encrypts files and leaves a ransom note
G. GREYWARE OR POTENTIALLY UNWANTED PROGRAMS
✓ Normal applications whose intent the user is generally aware of
✓ Normal applications that could annoy a user but do not do any damage
H. TURNING INTO A WORM
✓ The effectiveness of some trojan payloads, especially those used in cybercrime, depends on infecting more victims

POTENTIALLY UNWANTED PROGRAMS
1) Normal and legitimate programs
2) Written and published by a software company
3) May be accompanied by an end user license agreement
4) Sometimes they can be annoying
5) Sometimes they can be used for a malicious attack
ADW_BBINSTALL
✓ Adware is advertising software
✓ Pops up a graphical image to show the advertisement it downloaded
✓ Arrives upon visiting a legitimate website
✓ Usually, users are not aware of its installation either
SPY_STARRMON
✓ Logs keystrokes, window titles and system activities
✓ Marketed as a way of securing a computer environment through monitoring (spying)
HKTL_FLOODER
✓ An application used to automate message sending
✓ Used instead to flood messages

CURRENT AND MOST DANGEROUS MALWARE
a. RANSOMWARE
b. BOTNET
c. MBR WIPERS
d. WORM_DISTTRACK

PREVENTION
a. ANTI-VIRUS APPLICATIONS
✓ Software that protects devices against malware
✓ Commonly used as the first line of defense
✓ A necessity
b. FIREWALL
✓ Protects computers on the network side
✓ Can be hardware, software or both
✓ Filters network traffic based on the user's security settings
✓ Proactive, but with high false positives

PREPARATION
i. Applying updates
ii. Applying patch updates
iii. Applying upgrades
iv. Continuous improvement of security

DETECTION
It is important to identify and detect a malware infection not just through software, but also through education.
SENSORS
i. FIREWALL
o Helps you identify the source of the infection and understand how the infection occurred
ii. NEW ANTI-VIRUS FEATURES

MALWARE SYMPTOMS
1. VIRUS / FILE INFECTOR
✓ Host file sizes have changed
✓ Slower execution of infected files
✓ Slower computer processing
2. WORM
✓ Mass mail with an attached executable file
✓ Files using unusual or system file names
✓ Unsigned running processes
✓ Files with pornographic titles in shared and peer-to-peer folders
✓ Computers on the network have the same copy of the malware
✓ Slower network communication
✓ Slower computer processing time
3. TROJAN
✓ Files using unusual or system file names
✓ Unsigned running processes
✓ Slower network communication
✓ Slower computer processing time

MALWARE INFECTION
The first sign is often a pop-up message from the anti-virus program.
ANTI-VIRUS DETECTION
1) File detection
2) Behavioral monitoring detection
3) Firewall detection
CONFIRM MALWARE INFECTION
a) Running processes
b) Unknown network communication
c) Autostart techniques
OTHER SIGNS OF MALWARE INFECTION
Opened PORTs
✓ Used to gain remote access to the victim computer
Lowered browsing security settings
✓ Allow download and execution of other malware
Modification of the HOSTS file
✓ Used to block anti-virus updates (the update server's name is pointed at a dead address)
Termination of anti-virus programs
✓ Evades detection

MALWARE PAYLOAD
KEYLOGGER
✓ Gain user credentials
EXTRACT DATA
✓ Important data that could be used against the victim
REMOTE ACCESS
✓ Control the victim's computer
DOWNLOAD FILES FROM THE INTERNET
✓ Update the malware copy or download other malware

MITIGATION
1. Identifying the infected environment
2. Analysis that leads to the declaration of an incident
3. Network scanning
4. Minimizing the damage
5. Network isolation
6. Malware removal
MALWARE ENTRY POINTS
✓ Email
✓ URL links
✓ USB or storage devices
✓ Social engineering
PATIENT ZERO
✓ First to experience the infection
✓ Probable cause of the infection
✓ The entry point started here
IDENTIFY THE HOLE (HOW THE MALWARE GOT IN)
✓ Vulnerability
✓ Email attachments
✓ Malicious URL links
✓ USB drives
✓ Poor security
PREVENT RE-INFECTION
✓ Educate
✓ Update
✓ Upgrade
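The five infection types listed under TYPES OF VIRUS INFECTION above (prepending, cavity, appending, overwriting, sandwich) and the "change in file size" symptom, modelled on byte strings. This is an added example and not part of the review notes: HOST, INFECTION_CODE and MARK are constructed placeholder byte strings, not a real program and not real malware. It shows how each layout rearranges the host, which layouts a plain size check catches, and which ones a disinfector can undo.

```python
"""Model of the five file-infection layouts on byte strings.

Added example, not from the review notes: HOST and INFECTION_CODE are
constructed placeholders, not a real program or real malware.
"""
import hashlib
from typing import Optional

# Constructed 'program': header, two code sections and 32 bytes of zero
# padding in between (the slack a CAVITY infector looks for).
HOST = b"HOST-HEADER|" + b"code-section-A" + b"\x00" * 32 + b"code-section-B|END"
INFECTION_CODE = b"<infection routine>"   # constructed stand-in, 19 bytes
MARK = b"\xee\xeeINF"                     # constructed marker the disinfector searches for

METHODS = ("prepending", "cavity", "appending", "overwriting", "sandwich")


def infect(host: bytes, code: bytes, method: str) -> bytes:
    """Lay the infection code into the host according to one infection type."""
    if method == "prepending":          # infector runs first, host pushed down
        return MARK + code + host
    if method == "appending":           # infector tacked on at the end
        return host + MARK + code
    if method == "sandwich":            # infector dropped between host sections
        mid = len(host) // 2
        return host[:mid] + MARK + code + host[mid:]
    if method == "cavity":              # infector fills existing zero padding
        pos = host.find(b"\x00" * len(code))
        if pos < 0:
            raise ValueError("no cavity large enough for the infection code")
        return host[:pos] + code + host[pos + len(code):]
    if method == "overwriting":         # host bytes destroyed, not recoverable
        return code + host[len(code):]
    raise ValueError(f"unknown infection type: {method}")


def disinfect(infected: bytes, code: bytes, method: str) -> Optional[bytes]:
    """Undo an infection where the original bytes still exist; None if they don't."""
    if method == "overwriting":
        return None
    if method == "cavity":
        # the padding was zeros, so putting zeros back restores the host
        pos = infected.find(code)
        return None if pos < 0 else infected[:pos] + b"\x00" * len(code) + infected[pos + len(code):]
    # prepending / appending / sandwich: strip the marker and the code after it
    pos = infected.find(MARK)
    return None if pos < 0 else infected[:pos] + infected[pos + len(MARK) + len(code):]


def symptoms(original: bytes, infected: bytes, code: bytes, method: str) -> dict:
    """The 'change in file size' symptom plus what a hash and a disinfector see."""
    return {
        "size_delta": len(infected) - len(original),
        "hash_changed": hashlib.sha256(infected).digest() != hashlib.sha256(original).digest(),
        "entry_bytes_intact": infected.startswith(original[:12]),
        "recoverable": disinfect(infected, code, method) == original,
    }


def run_all() -> dict:
    """Infect the constructed host with every method and report the symptoms."""
    return {m: symptoms(HOST, infect(HOST, INFECTION_CODE, m), INFECTION_CODE, m) for m in METHODS}


if __name__ == "__main__":
    for method, s in run_all().items():
        print(f"{method:12s} {s}")
```

The point the table makes when run: a size check (symptom 1 in the notes) flags prepending, appending and sandwich, but a cavity infection and an overwriting infection leave the size unchanged and are only caught by a hash or content comparison; of those two, only the cavity case can be cleaned, because overwriting has destroyed the host's bytes.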
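The CONFIRM MALWARE INFECTION and OTHER SIGNS OF MALWARE INFECTION items above (unknown network communication, autostart techniques, opened ports, a modified HOSTS file, files using system file names, unsigned running processes) as a small triage script. This is an added example and not part of the review notes. Every input is a constructed sample (a hosts file, Autoruns-style autostart entries, netstat-style lines); the example-av.com names, file paths, addresses and PIDs are placeholders, and EXPECTED_PORTS is an assumed baseline for the sample host.

```python
"""Triage checks over constructed host artifacts.

Added example, not from the review notes: HOSTS_FILE, AUTOSTART and NETSTAT
are constructed samples; names, paths, addresses and PIDs are placeholders.
"""
import ipaddress
import re

# Constructed: a hosts file where AV update servers were pointed at dead addresses.
HOSTS_FILE = """\
127.0.0.1   localhost
127.0.0.1   update.example-av.com
0.0.0.0     liveupdate.example-av.com   # updates now silently fail
203.0.113.9 intranet.example
"""

# Constructed: autostart entries as an Autoruns-style tool would list them.
AUTOSTART = [
    {"name": "OneDrive", "path": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "signed": True},
    {"name": "svchost", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe", "signed": False},
    {"name": "Updater", "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "signed": False},
]

# Constructed: 'netstat -ano'-style lines (proto, local, remote, state, PID).
NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49812     198.51.100.7:6667      ESTABLISHED     3120
  TCP    192.168.1.20:49900     93.184.216.34:443      ESTABLISHED     5240
"""

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
EXPECTED_PORTS = {53, 80, 135, 139, 443, 445, 3389}   # assumed baseline for the sample host
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)?\s*(\d+)\s*$")


def hosts_redirects(hosts_text: str) -> list:
    """(name, ip) pairs that send a real host name to a loopback/unspecified address.
    That is the HOSTS-file trick used to stop the anti-virus reaching its update server."""
    harmless = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            found.extend((n, ip) for n in names if n.lower() not in harmless)
    return found


def suspicious_autostarts(entries: list) -> list:
    """Autostart entries using a system file name outside a system directory,
    or an unsigned binary living in a user-writable directory."""
    flagged = []
    for e in entries:
        path = e["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if base in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append("system file name outside a system directory")
        if not e["signed"] and any(d in path for d in USER_WRITABLE):
            reasons.append("unsigned binary in a user-writable directory")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


def suspicious_connections(netstat_text: str) -> list:
    """Opened ports outside the baseline and outbound sessions to unexpected remote ports."""
    flagged = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _proto, _lip, lport, rip, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) not in EXPECTED_PORTS:
            flagged.append({"pid": int(pid), "reason": f"unexpected open port {lport}"})
        elif state == "ESTABLISHED" and rport.isdigit() and int(rport) not in EXPECTED_PORTS:
            flagged.append({"pid": int(pid), "reason": f"outbound to {rip}:{rport}"})
    return flagged


def triage() -> dict:
    """Run the three checks over the samples and collect the PIDs worth inspecting."""
    network = suspicious_connections(NETSTAT)
    return {
        "hosts_redirects": hosts_redirects(HOSTS_FILE),
        "autostarts": suspicious_autostarts(AUTOSTART),
        "network": network,
        "pids_of_concern": {f["pid"] for f in network},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed data the three checks converge on one story: the AV update names are sinkholed in the hosts file, an unsigned svchost.exe sits under the user's AppData folder instead of System32, and one PID both listens on an unexpected port and holds an outbound session to an unexpected remote port, which is the "running process plus unknown network communication plus autostart" combination the notes say confirms an infection. On a real host the same logic would be fed the actual hosts file, autorun listing and netstat output, with EXPECTED_PORTS set from that machine's known baseline.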
