Chapter 03 - Malicious Code.pdf

Full Transcript

Chapter 3
Malicious Code

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 2.0: Threats, Vulnerabilities, and Mitigations
2.4. Given a scenario, analyze indicators of malicious activity.
Malware attacks (Ransomware, Trojan, Worm, Spyware, Bloatware, Virus,
Keylogger, Logic bomb, Rootkit)

Malware comes in many forms, from ransomware and worms to spyware, viruses,
keyloggers, and rootkits that help ensure that attackers can retain access to systems
once they've gained a foothold.
In this chapter, you will explore the various types of malware, as well as the
distinguishing elements, behaviors, and traits of each malware type. You will learn about
the indicators that you should look for, and the response methods that organizations use
to deal with each type of malware, as well as controls that can help protect against them.

Malware
The term malware describes a wide range of software that is intentionally designed to
cause harm to systems and devices, networks, or users. Malware can also gather
information, provide illicit access, and take a broad range of actions that the legitimate
owner of a system or network may not want to occur. The SY0-701 Security+ exam
objectives include a number of the most common types of malware, and you will need to
be familiar with each of them, how to tell them apart, how you can identify them, and
common techniques used in combatting them.

Exam Note

This objective introduces many types of malware and asks you to analyze potential
indicators to determine the type of attack. When you tackle malware-based
questions, you will need to know the distinctive characteristics of each type of
malware, and what might help you tell them apart. For example, a Trojan is
disguised as legitimate software, whereas ransomware is aimed at getting payment
from a victim. As you read this section, remember to pay attention to the differences
between each type of malware, what common indicators of compromise are
associated with them, and how you would answer questions about them on the
exam!
Ransomware
Ransomware is malware that takes over a computer and then demands a ransom. There
are many types of ransomware, including crypto malware, which encrypts files and then
holds them hostage until a ransom is paid. Other ransomware techniques include
threatening to report the user to law enforcement due to pirated software or
pornography, or threatening to expose sensitive information or pictures from the
victim's hard drive or device.
A significant portion of ransomware attacks are driven by phishing campaigns, with
unsuspecting victims installing malware delivered via phishing emails or links in the
email. That's not the only way that ransomware is delivered as malicious actors continue
to use direct attack methods like Remote Desktop Protocol, vulnerable services, or front-
facing applications that they can compromise.
Indicators of compromise (IoCs) for ransomware include, but are not limited to:
Command and control (C&C) traffic and/or contact to known malicious IP addresses
Use of legitimate tools in abnormal ways to retain control of the compromised
system
Lateral movement processes that seek to attack or gain information about other
systems or devices inside the same trust boundaries
Encryption of files
Notices to end users of the encryption process with demands for ransom
Data exfiltration behaviors, including large file transfers

You can read an example of a ransomware advisory provided by the
U.S. Cybersecurity & Infrastructure Security Agency (CISA) about the Royal
Ransomware variant, including a detailed list of specific IoCs, at
www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a.

One of the most important defenses against ransomware is an effective backup system
that stores files in a separate location that will not be impacted if the system or device it
backs up is infected and encrypted by ransomware. Organizations that are preparing to
deal with ransomware need to determine what their response will be; in some cases,
paying ransoms has resulted in files being returned, and in others attackers merely
demanded more money.

Some ransomware has been defeated, and defenders may be able to
 use a preexisting decryption tool to restore files. Antivirus and antimalware
providers as well as others in the security community provide anti-ransomware
tools.

Trojans
Trojans, or Trojan horses, are a type of malware that is typically disguised as legitimate
software. They are called Trojan horses because they rely on unsuspecting individuals
running them, thus providing attackers with a path into a system or device. Figure 3.1
shows an example of a Trojan infection path starting with a user downloading an
application from the Android app store that appears to be legitimate through automated
download of malicious add-ons and remote control of the device.
 FIGURE 3.1 Trojan application download and infection process
An example of this type of malware is the Triada Trojan, which is often distributed in the
guise of a modified, feature-enhanced WhatsApp version. When the application is
launched, the Trojan gathers information about the host device including device IDs,
subscriber IDs, and the device's hardware address. This information is used to register
the device with a remote server. With that information ready, the Trojan is downloaded,
decrypted, and run, allowing further actions to take place depending on what the
malicious actor wants to occur. Those activities include everything from displaying ads
to signing up for paid subscriptions to services.
Indicators of compromise for Trojans often include:
Signatures for the specific malware applications or downloadable files
Command and control system hostnames and IP addresses
Folders or files created on target devices

A full writeup about the Triada Trojan that was deployed via modified
WhatsApp versions can be found at:
https://securelist.com/triada-trojan-in-whatsapp-mod/103679

And additional detail can be found here:
https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-
apps/107690

In addition to traditional Trojans, remote access Trojans (RATs) provide attackers
with remote access to systems. Some legitimate remote access tools are used as
RATs, which can make it difficult to identify whether a tool is a legitimate remote
support tool or a tool being used for remote access by an attacker. Antimalware
tools may also cause false positives when they find remote access tools that may be
used as RATs, but disabling this detection can then result in RATs not being
detected. Security practitioners often combat Trojans and RATs using a
combination of security awareness training to encourage users not to download
untrusted software and antimalware or endpoint detection and response (EDR)
tools that detect Trojan and RAT-like behavior and known malicious files.

Mitigation practices for Trojans typically starts with awareness practices that help
ensure that downloading and running Trojans are less likely. Controlling the software
and applications that users can acquire can be a helpful option in many cases, but is
often balanced with the need to allow for flexibility for users. Anti-malware, EDR, and
other tools used to identify and stop malicious software from running or which can
discover it based on behavior and stop it are also commonly used as a final line of
defense.

Bots, Botnets, and Command and Control

Many types of malware use command and control (C&C) techniques and systems to
allow attackers to tell them what to do. These groups of systems that are under
central command are called botnets, and individual systems are called bots.
C&C increasingly uses encrypted HTTP connections, which are then used to connect
to a frequently changing set of remote hosts to attempt to avoid observation, but use
 of Internet Relay Chat (IRC) via port 6667 and similar techniques remain popular
too. As a defender you'll need to know how to search for C&C communications and
to identify why a system reaching out to unknown hosts may be a sign of a system
you're responsible for being part of a botnet.

Worms
Unlike Trojans that require user interaction, worms spread themselves. While worms
are often associated with spreading via attacks on vulnerable services, any type of spread
via automated means is possible, meaning that worms can spread via email
attachments, network file shares, vulnerable devices like IoT (Internet of Things) and
phones, or other methods as well. Worms also self-install, rather than requiring users to
click on them, making them quite dangerous.

Stuxnet: Nation-State-Level Worm Attacks

The 2010 Stuxnet attack is generally recognized as the first implementation of a
worm as a cyber weapon. The worm was aimed at the Iranian nuclear program, and
copied itself to thumb drives to bypass air-gapped (physically separated systems
without a network connection) computers. Stuxnet took advantage of a number of
advanced techniques for its time, including using a trusted digital certificate,
searching for specific industrial control systems (ICSs) that were known to be used
by the Iranian nuclear program, and specific programming to attack and damage
centrifuges while providing false monitoring data to controllers to ensure that the
damage would not be noticed until it was too late.
While Stuxnet was specifically designed to bypass physically separated networks,
firewalls and network-level controls remain one of the best ways to mitigate worm
attacks. If compromised devices cannot communicate with other vulnerable devices,
the infection can't spread!
You can read about Stuxnet in more depth at
www.wired.com/2014/11/countdown-to-zero-day-stuxnet
https://spectrum.ieee.org/the-real-story-of-stuxnet

An example of a modern worm is Raspberry Robin, a worm that is used as part of pre-
ransomware activity. Raspberry Robin's spread was initially through infected USB
drives using a LNK file. Once running, it uses built-in Windows tools to accomplish
further tasks and to obtain persistency, ensuring it will survive past reboots.
Common IoCs for worms like Raspberry Robin include:
Known malicious files
Downloads of additional components from remote systems
Command and control contact to remote systems
 Malicious behaviors using system commands for injection and other activities,
including use of cmd.exe, msiexec.exe, and others
Hands-on-keyboard attacker activity

Microsoft provides a detailed write-up of the Raspberry Robin worm,
including recommendations for defensive actions to be taken, at
www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-
of-larger-ecosystem-facilitating-pre-ransomware-activity

Mitigating worm infections frequently starts with effective network-level controls
focused on preventing infection traffic. Firewalls, IPS devices, network segmentation,
and similar controls are the first layer of defense. Patching and configuring services to
limit attack surfaces is also a best practice for preventing worms. After an infection
responses may include use of antimalware, EDR, and similar tools to stop and
potentially remove infections. Depending on the complexity of the malware, removal
may be nearly impossible, and as with many types of malware reinstallation or resetting
to original firmware may be required for some devices.

Spyware
Spyware is malware that is designed to obtain information about an individual,
organization, or system. Various types of spyware exist, with different types of
information targeted by each. Many spyware packages track users' browsing habits,
installed software, or similar information and report it back to central servers. Some
spyware is relatively innocuous, but malicious spyware exists that targets sensitive data,
allows remote access to web cameras, or otherwise provides illicit or undesirable access
to the systems it is installed on. Spyware is associated with identity theft and fraud,
advertising and redirection of traffic, digital rights management (DRM) monitoring, and
with stalkerware, a type of spyware used to illicitly monitor partners in relationships.
Spyware is most frequently combated using antimalware tools, although user awareness
can help prevent the installation of spyware that is included in installers for software
(thus acting as a form of Trojan), or through other means where spyware may appear to
be a useful tool or innocuous utility.
Spyware comes in many forms, which means that its IoCs can be very similar to other
malicious software types. Common examples of spyware IoCs include:
Remote-access and remote-control-related indicators
Known software file fingerprints
Malicious processes, often disguised as system processes
Injection attacks against browsers

Since spyware uses techniques from other types of malware, defining software as
spyware typically requires understanding its use and motivations rather than just its
behavior. Thus, spyware may use Trojan, worm, or virus-style propagation methods in
some cases, but the intent is to gather information about a user or system, with the
methods used being less important than the goal.
Mitigation practices for spyware focus on awareness, control of the software that is
allowed on devices and systems, and antispyware capabilities built into antimalware
tools. Since spyware is generally perceived as less of a threat than many types of
malware, it is commonly categorized separately and may require specific configuration
to identify and remove it.

An example of a commercialized spyware tool is NSO Group's
Pegasus spyware tool. Amnesty International provides a thorough write-up of
indicators and actions taken by Pegasus here:
www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-
to-catch-nso-groups-pegasus

Bloatware
If you have ever purchased a new computer and discovered preinstalled applications
that you didn't want on it, you've encountered bloatware. The term bloatware is an all-
encompassing term used to describe unwanted applications installed on systems by
manufacturers. They may be part of a commercial relationship the manufacturer has,
they may be programs the manufacturer themselves provide, or they may come later and
be part of installer packages for other applications.
Unlike the other malicious software categories listed in this chapter, bloatware isn't
usually intentionally malicious. It may, however, be poorly written, may call home with
information about your system or usage, or may prove to be vulnerable to exploitation,
adding another attack surface to otherwise secure devices. Uninstalling bloatware or
using a clean operating system image are common practices for organizations as well as
individuals.
Since bloatware isn't really malicious software, it isn't typically associated with IoCs.
Instead it should simply be removed to prevent issues—including simply taking up disk
space, memory, and CPU cycles without providing any benefit. Mitigation techniques for
bloatware focus on awareness and uninstallation or removal of the software.

Exam Note

The Security+ exam outline calls out spyware and bloatware, but they can
sometimes be difficult to tell apart since manufacturers who install bloatware often
have call-home functionality built into the bloatware. The key differentiator is that
spyware's primary intention is to gather information about the user, their use of the
 system and Internet, and the configuration of the system, whereas bloatware is
simply unwanted programs.

Viruses
Computer viruses are malicious programs that self-copy and self-replicate once they are
activated. Unlike worms, they don't spread themselves via vulnerable services and
networks. Viruses require one or more infection mechanisms that they use to spread
themselves, like copying to a thumb drive or network share, and that mechanism is
typically paired with some form of search capability to find new places to spread to once
they are run. Viruses also typically have both a trigger, which sets the conditions for
when the virus will execute, and a payload, which is what the virus does, delivers, or the
actions it performs. Viruses come in many varieties, including:
Memory-resident viruses, which remain in memory while the system of the device is
running
Non-memory-resident viruses, which execute, spread, and then shut down
Boot sector viruses, which reside inside the boot sector of a drive or storage media
Macro viruses, which use macros or code inside word processing software or other
tools to spread
Email viruses that spread via email either as email attachments or as part of the
email itself using flaws inside email clients

Fileless virus attacks are similar to traditional viruses in a number of critical ways. They
spread via methods like spam email and malicious websites and exploit flaws in browser
plug-ins and web browsers themselves. Once they successfully find a way into a system,
they inject themselves into memory and conduct further malicious activity, including
adding the ability to reinfect the system via the same process at reboot through a
Registry entry or other technique. At no point do they require local file storage, as they
remain memory resident throughout their entire active life—in fact, the only stored
artifact of many fileless attacks would be the artifacts of their persistence techniques like
the Registry entry shown in Figure 3.2.

FIGURE 3.2 Fileless virus attack chain
As you might expect from the infection flow diagram in Figure 3.2, fileless attacks
require a vulnerability to succeed, so ensuring that browsers, plug-ins, and other
software that might be exploited by attackers are up to date and protected can prevent
most attacks. Using antimalware tools that can detect unexpected behavior from
scripting tools like Microsoft PowerShell can also help stop fileless viruses. Finally,
network level defenses like intrusion prevention systems (IPSs), as well as reputation-
based protection systems can prevent potentially vulnerable systems from browsing
known malicious sites.
IoCs related to viruses are often available in threat feeds from organizations like
VirusTotal, where recently discovered viruses and their behaviors are analyzed and
indexed to create IoC feeds. You can find examples of VirusTotal's crowdsourced YARA
rules in their support article about their community YARA feed dashboard at
https://support.virustotal.com/hc/en-us/articles/9853517705117-Crowdsourced-YARA-
rules-dashboard.

Mitigation for viruses includes both awareness that helps to prevent users from clicking
on and activating viruses as well as antimalware tools that can detect them and prevent
them both on-disk and in-memory or as they are being executed. Removal varies, with
some viruses easy to remove using antimalware tools or dedicated, virus-specific utilities
while some may require more significant action.

Removing malware can be a challenging task. It can be nearly
impossible to determine if every part of a complex infection has been removed.
Although it may be tempting to rely on your antivirus or other security tools to
remove the infection, that often isn't sufficient.
Due to this, many organizations have a standard practice of wiping the drive of an
infected machine and restoring it from a known good backup or
reinstalling/reimaging it. While there are some scenarios where even that won't be
enough, such as with BIOS/UEFI resident malware, in most common scenarios a
complete wipe and reinstallation or reimaging will ensure the malware is gone.

Keyloggers
Keyloggers are programs that capture keystrokes from a keyboard, although keylogger
applications may also capture other input such as mouse movement, touchscreen
inputs, or credit card swipes from attached devices. Keyloggers work in a multitude of
ways, ranging from tools that capture data from the kernel, via APIs or scripts, or even
directly from memory. Regardless of how they capture data, the goal of a keylogger is to
capture user input to be analyzed and used by an attacker.
Preventing software keylogging typically focuses on normal security best practices to
ensure that malware containing a keylogger is not installed, including patching and
systems management, as well as use of antimalware tools. Since many keyloggers are
aimed at acquiring passwords, use of multifactor authentication can help limit the
impact of a keylogger, even if it cannot defeat the keylogger itself.
In more complex security environments where underlying systems cannot be trusted,
use of bootable USB drives can prevent use of a potentially compromised underlying
operating system.
Much like other malicious software intended to gather information, IoCs related to
keyloggers are commonly:
File hashes and signatures
Exfiltration activity to command and control systems
Process names
Known reference URLs

An example of an analysis of keylogger delivery campaign via PDFs can be found at
www.socinvestigation.com/pdf-campaign-delivering-snake-keylogger.

In addition to the software-based keyloggers we discussed here,
hardware keyloggers are also available and inexpensive. The authors of this book
have encountered them on college campuses where students tried to acquire (and in
some cases succeeded) credentials for their instructors so that they could change
their grades.

Logic Bombs
Logic bombs, unlike the other types of malware described here, are not independent
malicious programs. Instead, they are functions or code placed inside other programs
that will activate when set conditions are met. Some other types of malware may use this
type of code as part of their function as well. While relatively rare compared to other
types of malware, logic bombs are a consideration in software development and systems
management, and can have a significant impact if they successfully activate.
Since logic bombs are found in code, IoCs for logic bombs are less common—they
require analysis of the code or logic in the application, meaning that mitigation
processes are also primarily focused on code review.

Analyzing Malware

A number of techniques are commonly used to analyze malware:
Online analysis tools like VirusTotal can be used to check whether the malware
is a known tool and to see what it is identified as by multiple AV tools.
Sandbox tools can be used to analyze malware behavior in a protected
environment.
 Manual code analysis is common, particularly with scripts and interpreted code
like Python and Perl.
Malware can be analyzed using tools like strings to look for recoverable artifacts
that may be useful for the analysis

Many other tools and techniques are used to analyze malicious code and software,
but these are a good starting point for security analysts who need to determine
whether a given executable or block of code might be malicious.

Rootkits
Rootkits are malware that is specifically designed to allow attackers to access a system
through a backdoor. Many modern rootkits also include capabilities that work to conceal
the rootkit from detection through any of a variety of techniques, ranging from hooking
filesystem drivers to ensure that users cannot see the rootkit files to infecting startup
code in the Master Boot Record (MBR) of a disk, allowing attacks against full-disk
encryption systems.
Rootkit detection can be challenging, because a system infected with malware like this
cannot be trusted. That means that the best way to detect a rootkit is to test the
suspected system from a trusted system or device. In cases where that isn't possible,
rootkit detection tools look for behaviors and signatures that are typical of rootkits.
Techniques like integrity checking and data validation against expected responses can
also be useful for rootkit detection, and anti-rootkit tools often use a combination of
these techniques to detect complex rootkits.
Once a rootkit is discovered, removal can be challenging. While some antimalware and
anti-rootkit tools are able to remove specific rootkits, the most common
recommendation whenever possible is to rebuild the system or to restore it from a
known good backup. As virtual machines, containers, system imaging, and software-
defined environments have become more common, this has simplified restoration
processes, and in many cases may be as fast, or faster than ensuring that a system
infected with a rootkit has been properly and fully cleaned.

Some rootkits are intentionally installed, either as part of DRM
systems or as part of anti-cheating toolkits for games, or because they are part of a
tool used to defeat copy protection mechanisms. While these tools are technically
rootkits, you will normally be focused on tools used by malicious actors instead of
intentional installation for purposes like these.

Like many of the other malware types, the best way to prevent rootkits is to use normal
security practices, including patching, use of secure configurations, and ensuring that
privilege management is used. Tools like Secure Boot and techniques that can validate
live systems and files can also be used to help prevent rootkits from being successfully
installed or remaining resident.
Common IoCs for rootkits include:
File hashes and signatures
Command and control domains, IP addresses, and systems
Behavior-based identification like the creation of services, executables, configuration
changes, file access, and command invocation
Opening ports or creation of reverse proxy tunnels

An example of a rootkit used on automatic teller machines (ATMs) with example
indicators can be found here:
www.socinvestigation.com/unc2891-atm-rootkit-mandiant-advanced-practices-team-
tracks-latest-indicators

Since rootkits are specifically designed to avoid detection, mitigation can be particularly
challenging. While antimalware and similar tools can sometimes gain an edge in
detecting rootkits, detection and removal can be difficult to ensure. Preventing rootkits
from being installed by taking proactive action to secure systems and prevent malicious
activity is a key element of rootkit mitigation.

Since rootkits often invade operating systems and use hooks to make
the operating system help hide them, one technique that can help to find them is to
remove the drive and connect it to another system. This means that the infected
operating system won't be running and that the tool may be revealed. Similar
techniques can be accomplished through system images or snapshots of virtual
machines.

Summary
Security professionals need to be aware of the most common forms of malware. This
includes understanding how to identify common indicators of malicious activity related
to malware attacks and malware itself.
The Security+ exam objectives focus on a few different types of malware. These include
ransomware, which most frequently targets victims by encrypting files and holding them
for ransoms paid via cryptocurrency. Trojans are malware that is disguised to look like
legitimate software but that takes malicious action once downloaded and run.
Worms are malware that spread themselves on networks via vulnerable services, email,
or file shares. Viruses are similar but only infect local systems and often require user
action like running an application to infect a system.
Spyware is malicious software that is intended to gather information about users,