Chapter 5 Malicious Software.pdf

Full Transcript

Welcome!

Security Principles and Practice—ITBP301
Fall 2024, Section (01)
Malicious Software—Chapter 5

Ali Ismail Awad & Norziana Jamil
Associate Professor
College of Information Technology—UAEU
[email protected]

1
1
Topics to be covered

What is malware
Types of malware
Advanced Persistent Threat
Propagation – Infected Content: Viruses
Propagation – Vulnerability Exploit - Worms
Propagation – Social Engineering – Spam e-mail,
Trojan Horse
Payload – Attack Agent – Zombie, Bots
Payload – Stealthing – Backdoors, Rootkits
Countermeasure

2
 Malware

[NIST05] defines malware as:
“a program that is inserted into a system, usually
covertly, with the intent of compromising the
Confidentiality, Integrity, or Availability of the
victim’s data, applications, or operating system
or otherwise annoying or disrupting the victim.”

3
 Your Experience!
⚫ What is your experience with Malwares?

4
 Malware
Terminology

5
 Classification of Malware
Classified into two
Also classified by:
broad categories:

Based first on how it spreads or
propagates to reach the desired Those that need a host program
targets (parasitic code such as viruses)

Those that are independent, self-
Then on the actions or payloads it
contained programs (worms,
performs once a target is reached trojans, and bots)

Malware that does not replicate
(trojans and spam e-mail)

Malware that does replicate
(viruses and worms)

6
 Types of Malicious Software
(Malware)
Infection of existing content by viruses that is subsequently spread to
other systems
Exploit of software vulnerabilities by worms or drive-by-downloads to
Propagation allow the malware to replicate
mechanisms Social engineering attacks that convince users to bypass security
include: mechanisms to installTrojans or to respond to phishing attacks

Corruption of system or data files
Theft of service/make the system a zombie agent of attack as part of a
botnet
Payload actions Theft of information from the system/keylogging
performed by
malware once it Stealthing/hiding its presence on the system
reaches a target
system can
include:

7
Advanced Persistent Threats (APTs)

Well-resourced, persistent application of a wide
variety of intrusion technologies and malware to
selected targets (usually business or political)
Typically attributed to state-sponsored organizations
and criminal enterprises
Differ from other types of attack by their careful
target selection and stealthy intrusion efforts over
extended periods
High profile attacks include Aurora, RSA, APT1, and
Stuxnet
8
APT Characteristics
Advanced
Used by the attackers of a wide variety of intrusion technologies and malware
including the development of custom malware if required
The individual components may not necessarily be technically advanced but are
carefully selected to suit the chosen target

Persistent
Determined application of the attacks over an extended period against the chosen
target in order to maximize the chance of success
A variety of attacks may be progressively applied until the target is compromised

Threats
Threats to the selected targets as a result of the organized, capable, and well-
funded attackers intent to compromise the specifically chosen targets
The active involvement of people in the process greatly raises the threat level
from that due to automated attacks tools, and also the likelihood of successful
attacks
9
APT Attacks
Aim:
Varies from theft of intellectual property or security and infrastructure related
data to the physical disruption of infrastructure.

Techniques used:
Social engineering
Spear-phishing email
Drive-by-downloads from selected compromised websites likely to be visited by
personnel in the target organization.

Intent:
To infect the target with sophisticated malware with multiple propagation
mechanisms and payloads.
Once they have gained initial access to systems in the target organization a
further range of attack tools are used to maintain and extend their access.
10
 Viruses
⚫ Piece of software that infects programs
⚫ Modifies them to include a copy of the virus
⚫ Replicates and goes on to infect other content
⚫ Easily spread through network environments

⚫ When attached to an executable program a virus can do
anything that the program is permitted to do
⚫ Executes secretly when the host program is run

⚫ Specific to operating system and hardware
⚫ Takes advantage of their details and weaknesses

11
 Virus Components
Infection mechanism

Means by which a virus spreads or propagates
Also referred to as the infection vector

Trigger

Event or condition that determines when the payload is activated or
delivered
Sometimes known as a logic bomb

Payload

What the virus does (besides spreading)
May involve damage or benign but noticeable activity

12
Virus Phases

13
Virus Structure

14
Compression Virus Logic

15
 Virus Classifications
Classification by target Classification by concealment
strategy
⚫ Boot sector infector
⚫ Infects a master boot record or ⚫ Encrypted virus
boot record and spreads when a ⚫ A portion of the virus creates a
system is booted from the disk random encryption key and
encrypts the remainder of the
containing the virus virus
⚫ File infector ⚫ Stealth virus
⚫ Infects files that the operating ⚫ A form of virus explicitly designed
system or shell considers to be to hide itself from detection by
executable anti-virus software
⚫ Macro virus ⚫ Polymorphic virus
⚫ Infects files with macro or ⚫ A virus that mutates with every
scripting code that is interpreted infection
by an application ⚫ Metamorphic virus
⚫ A virus that mutates and rewrites
⚫ Multipartite virus itself completely at each iteration
⚫ Infects files in multiple ways and may change behavior as well
as appearance
16
 Macro/Scripting Code Viruses
⚫ Very common in mid-1990s
⚫ Platform independent
⚫ Infect documents (not executable portions of code)
⚫ Easily spread

⚫ Exploit macro capability of MS Office applications
⚫ More recent releases of products include protection

⚫ Various anti-virus programs have been developed so these are no
longer the predominant virus threat

17
 Worms
⚫ Program that actively seeks out more machines to infect and each
infected machine serves as an automated launching pad for attacks on
other machines
⚫ Exploits software vulnerabilities in client or server programs

⚫ Can use network connections to spread from system to system

⚫ Spreads through shared media (USB drives, CD, DVD data disks)

⚫ E-mail worms spread in macro or script code included in attachments
and instant messenger file transfers
⚫ Upon activation the worm may replicate and propagate again

⚫ Usually carries some form of payload

⚫ First known implementation was done in Xerox Palo Alto Labs in the
early 1980s
18
 Worm Replication
Worm e-mails a copy of itself to other systems
Electronic mail or instant Sends itself as an attachment via an instant message
messenger facility service

Creates a copy of itself or infects a file as a virus on
File sharing removable media

Worm executes a copy of itself on another system
Remote execution
capability

Worm uses a remote file access or transfer service to
Remote file access or copy itself from one system to the other
transfer capability

Worm logs onto a remote system as a user and then uses
Remote login capability commands to copy itself from one system to the other

19
Worm Propagation Model

20
 Morris Worm
⚫ Earliest significant worm infection

⚫ Released by Robert Morris in 1988

⚫ Designed to spread on UNIX systems
⚫ Attempted to crack local password file to use login/password to
logon to other systems
⚫ Exploited a bug in the finger protocol which reports the
whereabouts of a remote user
⚫ Exploited a trapdoor in the debug option of the remote process
that receives and sends mail
⚫ Successful attacks achieved communication with the operating
system command interpreter
⚫ Sent interpreter a bootstrap program to copy worm over

21
Worm Technology
Multiplatform

Multi-exploit

Ultrafast
spreading
Polymorphic

Metamorphic

22
 Mobile Code
⚫ Programs that can be shipped unchanged to a variety of
platforms

⚫ Transmitted from a remote system to a local system and then
executed on the local system

⚫ Often acts as a mechanism for a virus, worm, orTrojan horse

⚫ Takes advantage of vulnerabilities to perform it own exploits

⚫ Popular vehicles include Java applets, ActiveX, JavaScript and
VBScript

23
 Mobile Phone Worms
⚫ First discovery was Cabir worm in 2004

⚫ Then Lasco and CommWarrior in 2005

⚫ Communicate through Bluetooth wireless connections or MMS

⚫ Target is the smartphone

⚫ Can completely disable the phone, delete data on the phone, or
force the device to send costly messages

⚫ CommWarrior replicates by means of Bluetooth to other
phones, sends itself as an MMS file to contacts and as an auto
reply to incoming text messages

24
 Drive-By-Downloads
⚫ Exploits browser vulnerabilities to download and install
malware on the system when the user views a Web page
controlled by the attacker

⚫ In most cases does not actively propagate

⚫ Spreads when users visit the malicious Web page

25
 Social Engineering
⚫ “tricking” users to assist in the compromise of their own
systems
Mobile phone
Spam Trojan horse
trojans
Unsolicited bulk
Program or utility
e-mail First appeared in
containing harmful
hidden code 2004 (Skuller)
Significant carrier
of malware
Used to accomplish
functions that the Target is the
Used for phishing attacker could not smartphone
attacks accomplish directly

26
 Payload System Corruption
⚫ Data destruction
⚫ Chernobyl virus
⚫ First seen in 1998
⚫ Windows 95 and 98 virus
⚫ Infects executable files and corrupts the entire file system when a
trigger date is reached
⚫ Klez
⚫ Mass mailing worm infectingWindows 95 to XP systems
⚫ On trigger date causes files on the hard drive to become empty
⚫ Ransomware
⚫ Encrypts the user’s data and demands payment in order to access the
key needed to recover the information
⚫ PC CyborgTrojan (1989)
⚫ GpcodeTrojan (2006)

27
 Payload System Corruption
⚫ Real-world damage
⚫ Causes damage to physical equipment
⚫ Chernobyl virus rewrites BIOS code
⚫ Stuxnet worm
⚫ Targets specific industrial control system software
⚫ There are concerns about using sophisticated targeted malware for
industrial sabotage

⚫ Logic bomb
⚫ Code embedded in the malware that is set to “explode” when
certain conditions are met

28
 Payload – Attack Agents Bots
⚫ Takes over another Internet attached computer and uses that
computer to launch or manage attacks
⚫ Botnet - collection of bots capable of acting in a coordinated
manner
⚫ Uses:
⚫ Distributed denial-of-service (DDoS) attacks
⚫ Spamming
⚫ Sniffing traffic
⚫ Keylogging
⚫ Spreading new malware
⚫ Installing advertisement add-ons and browser helper objects
(BHOs)
⚫ Attacking IRC chat networks
⚫ Manipulating online polls/games

29
 Remote Control Facility
⚫ Distinguishes a bot from a worm
⚫ Worm propagates itself and activates itself
⚫ Bot is initially controlled from some central facility

⚫ Typical means of implementing the remote control facility is on
an IRC server
⚫ Bots join a specific channel on this server and treat incoming
messages as commands

⚫ More recent botnets use covert communication channels via
protocols such as HTTP

⚫ Distributed control mechanisms use peer-to-peer protocols to
avoid a single point of failure

30
 Payload – Information Theft
Keyloggers and Spyware

Captures keystrokes to allow attacker to monitor
sensitive information
Keylogger Typically uses some form of filtering mechanism
that only returns information close to keywords
(“login”, “password”)

Subverts the compromised machine to allow
monitoring of a wide range of activity on the system
Monitoring history and content of browsing activity
Spyware Redirecting certainWeb page requests to fake sites
Dynamically modifying data exchanged between
the browser and certainWeb sites of interest

31
 Payload – Information Theft
Phishing
⚫ Exploits social engineering ⚫ spear-phishing
to leverage the user’s trust ⚫ recipients are carefully
by masquerading as researched by the attacker
communication from a
trusted source ⚫ e-mail is crafted to
specifically suit its
⚫ Include a URL in a spam e- recipient, often quoting a
mail that links to a fake range of information
Web site that mimics the to convince them of its
login page of a banking, authenticity
gaming, or similar site
⚫ Suggests that urgent action
is required by the user to
authenticate their account
⚫ Attacker exploits the
account using the captured
credentials
32
 Payload – Stealthing Backdoor
⚫ Also known as a trapdoor

⚫ Secret entry point into a program allowing the attacker to gain
access and bypass the security access procedures

⚫ Maintenance hook is a backdoor used by programmers to debug
and test programs

⚫ Difficult to implement operating system controls for backdoors
in applications

33
 Payload – Stealthing Rootkit
⚫ Set of hidden programs installed on a system to maintain covert
access to that system

⚫ Hides by subverting the mechanisms that monitor and report
on the processes, files, and registries on a computer

⚫ Gives administrator (or root) privileges to attacker
⚫ Can add or change programs and files, monitor processes, send and
receive network traffic, and get backdoor access on demand

34
Rootkit Classification Characteristics

Persistent
Memory based

User mode

Kernel mode

Virtual machine based

External mode

35
 Malware Countermeasure
Approaches
⚫ Ideal solution to the threat of malware is prevention

Four main elements of prevention:

Policy
Awareness
Vulnerability mitigation
Threat mitigation

⚫ If prevention fails, technical mechanisms can be used to support
the following threat mitigation options:
⚫ Detection
⚫ Identification
⚫ Removal
36
Generations of Anti-Virus Software
First generation: Simple scanners
Requires a malware signature to identify the malware
Limited to the detection of known malware

Second generation: Heuristic scanners
Uses heuristic rules to search for probable malware instances
Another approach is integrity checking

Third generation: Activity traps
memory-resident programs that identify malware by its actions
rather than its structure in an infected program

Fourth generation: Full-featured protection
Packages consisting of a variety of anti-virus techniques used in
conjunction
Include scanning and activity trap components and access control
capability
37
Host-Based Behavior-Blocking Software
⚫ Integrates with the operating system of a host computer and
monitors program behavior in real time for malicious action
⚫ Blocks potentially malicious actions before they have a chance to
affect the system
⚫ Blocks software in real time so it has an advantage over anti-virus
detection techniques such as fingerprinting or heuristics

Limitations
Because malicious code must run on the target machine
before all its behaviors can be identified, it can cause
harm before it has been detected and blocked

38
 Perimeter Scanning Approaches
⚫ Anti-virus software typically
included in e-mail and Web Ingress Egress
proxy services running on monitors monitors
an organization’s firewall
and IDS
Located at the egress
point of individual
⚫ May also be included in the Located at the
border between the LANs as well as at the
traffic analysis component enterprise network border between the
of an IDS and the Internet enterprise network
and the Internet

⚫ May include intrusion
prevention measures,
blocking the flow of any One technique is to Monitors outgoing
look for incoming traffic for signs of
suspicious traffic traffic to unused scanning or other
local IP addresses suspicious behavior
⚫ Approach is limited to
scanning malware
39
 Worm Countermeasures
⚫ Considerable overlap in techniques for dealing with viruses and
worms
⚫ Once a worm is resident on a machine anti-virus software can be
used to detect and possibly remove it
⚫ Perimeter network activity and usage monitoring can form the
basis of a worm defense
⚫ Worm defense approaches include:
⚫ Signature-based worm scan filtering
⚫ Filter-based worm containment
⚫ Payload-classification-based worm containment
⚫ Threshold random walk (TRW) scan detection
⚫ Rate limiting
⚫ Rate halting
40
Worm Countermeasure Architecture

41
 Summary
⚫ Types of malicious software (malware) ⚫ Payload – attack agent
⚫ Bots
⚫ Terminology for malicious software ⚫ Remote control facility
⚫ Viruses – infected content ⚫ Payload – information theft
⚫ Infection mechanism, trigger, payload ⚫ Credential theft, keyloggers,
⚫ Dormant, propagation, triggering, and spyware
execution phases ⚫ Phishing, identity theft
⚫ Boot sector infector, file infector, macro
virus, and multipartite virus ⚫ Payload – stealthing
⚫ Encrypted, stealth, polymorphic, and ⚫ Backdoor/trapdoor
metamorphic viruses ⚫ Rootkit
⚫ Worms – vulnerability exploit ⚫ Kernel mode rootkits
⚫ Virtual machine/external rootkits
⚫ Replicates via remote systems
⚫ E-mail, file sharing, remote execution, ⚫ Countermeasures
remote file access, remote login capability ⚫ Prevention
⚫ Scanning/fingerprinting ⚫ Detection, identification, removal
⚫ Spam e-mail/trojans – social engineering ⚫ Host based scanners/behavior
blocking software
⚫ Payload – system corruption ⚫ Digital immune system
⚫ Data destruction, real world damage
⚫ Ramsomware, logic bomb
42