- Malware is malicious software that damages or disables computer systems, or gives an attacker limited or full control of them, for the purpose of theft or fraud
- Examples of malware: Trojan horses, backdoors, rootkits, ransomware, adware, viruses, worms, spyware, botnets; crypters (see below) are packaging tools that obfuscate malware rather than a malware family in themselves
- Common techniques attackers use to distribute malware: black-hat SEO, social-engineered clickjacking, spear-phishing sites, malvertising, compromised legitimate websites, and drive-by downloads that exploit browser vulnerabilities
- A trojan is a program in which malicious or harmful code is hidden inside an apparently harmless program, packaged so that it can take control and cause damage, such as corrupting the file allocation table on the hard disk
- Trojans activate when the user performs certain predefined actions, and then carry out abnormal activity on the system
- Once a trojan is installed, the attacker can do essentially anything to the computer
- How attackers infect systems using a trojan:
- Create a new trojan package using a trojan horse construction kit
- Create a dropper, the component of a trojanized package that installs the malicious code on the target system
- A wrapper binds the trojan executable to an innocent-looking .EXE application such as a game or office application. When the wrapped EXE is executed, it first installs the trojan in the background and then runs the legitimate program
- Attackers use crypters to obfuscate viruses, spyware and keyloggers so that antivirus signatures no longer match them
- Attackers deploy trojans through malicious links and email attachments
- Exploit kit: a platform for delivering exploits and payloads such as trojans, backdoors, bots and buffer-overflow scripts
- Antivirus evasion techniques used by attackers:
- Split the trojan file into multiple pieces and zip them into a single archive
- Write a custom trojan rather than reusing a public one, and embed it in an application
- Change the trojan's syntax (rewrite its code so that known signatures no longer match)
- Convert the EXE to a VB script
- Change the trojan's contents with a hex editor so that its checksum changes, and encrypt the file
- Avoid trojans downloaded from the web; antivirus detects known samples easily
- Command shell trojans give the attacker remote control of a command shell
- The trojan server is installed on the victim's machine and opens a port for the attacker to connect to
- Defacement trojans: can destroy or change the entire contents of a database; far more damaging when attackers target websites
- Botnet trojans: infect a large number of computers to create a network of bots (e.g., ChewBacca)
- Proxy server trojans: turn the user's computer into a proxy server that is accessible only to specific attackers
- VNC trojans: start a VNC server daemon on the infected system; the attacker connects to the victim with any VNC viewer
- HTTP/HTTPS trojans: bypass the firewall by spawning a child program whose outbound web requests look like ordinary user browsing to the firewall
- ICMP tunneling:
- Covert channels are methods an attacker uses to hide data inside a protocol in a way that is hard to detect
- They rely on tunneling, which carries one protocol inside another (e.g., attacker data inside the payload of ICMP echo packets); very stealthy
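The ICMP tunnel described above, as an added example (not code from the original notes): the attacker side wraps arbitrary data in ICMP Echo Request payloads, the handler side validates the RFC 1071 checksum and reassembles, and a defender-side heuristic flags echo payloads that are not a stock ping pattern. The identifier value, the chunk size and the data being carried are constructed for the example; packets are returned as bytes rather than sent on a raw socket.

```python
import struct

# Payload that Windows "ping" sends by default (32 bytes). Linux ping sends a timestamp
# followed by bytes whose value equals their offset. Anything else deserves a look.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
TUNNEL_ID = 0x1337  # constructed: identifier the handler uses to pick out its own packets


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words (as used by ICMP).
    Over a complete, correctly checksummed message the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Echo Request (type 8, code 0); the data field is whatever the sender wants."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def tunnel_send(data: bytes, chunk: int = 32) -> list:
    """Attacker side: split data into ping-sized chunks, one echo request per chunk."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    return [build_icmp_echo(TUNNEL_ID, seq, c) for seq, c in enumerate(chunks)]


def tunnel_receive(packets) -> bytes:
    """Handler side: drop corrupted packets, keep only our identifier, reassemble by sequence."""
    frames = {}
    for pkt in packets:
        if len(pkt) < 8 or inet_checksum(pkt) != 0:
            continue  # bad checksum; a real handler would ask for retransmission
        typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if typ == 8 and ident == TUNNEL_ID:
            frames[seq] = pkt[8:]
    return b"".join(frames[s] for s in sorted(frames))


def looks_like_tunnel(pkt: bytes, max_payload: int = 64) -> bool:
    """Defender heuristic for IDS rules or pcap review: an echo payload that is neither
    a stock ping pattern nor reasonably sized is a covert-channel candidate."""
    typ = pkt[0]
    payload = pkt[8:]
    if typ not in (0, 8) or not payload:
        return False
    if len(payload) > max_payload:
        return True
    if payload == WINDOWS_PING_PAYLOAD:
        return False
    # Linux-style pattern: after the timestamp, each byte equals its own offset.
    if len(payload) > 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return False
    return True  # ASCII commands, ciphertext, file fragments, ...


if __name__ == "__main__":
    secret = b"exfil: user=alice host=ws01 token=" + b"A" * 30  # constructed data
    pkts = tunnel_send(secret)
    print(len(pkts), "packets;", "reassembled OK" if tunnel_receive(pkts) == secret else "FAIL")
    print("flagged:", [looks_like_tunnel(p) for p in pkts])
```

The heuristic is deliberately simple: a real tunnel can mimic the stock payload and hide data in the identifier/sequence fields or in timing, so pair it with volume checks (echo requests per host per minute) rather than relying on payload shape alone.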
- Remote Access Trojans (RATs): provide attackers with full control over the victim's system
- E-banking trojans: intercept the victim's account information before the browser encrypts it (e.g., by form grabbing)
- They steal victim data such as credit card information
- Notification trojans: send the victim's IP address to the attacker
- Whenever the victim's computer connects to the internet, the attacker receives the notification
- Virus: a self-replicating program that produces copies of itself by attaching itself to another program, a boot sector or a document
- Transmitted through downloads, infected flash drives and email attachments
- Stages of a virus's life:
- Design: creating the virus
- Replication: the virus copies itself on target systems
- Launch: the virus is launched/run (e.g., an infected .exe is executed)
- Detection: the virus is identified on target systems
- Incorporation: antivirus vendors incorporate defenses (signatures and updates) against it
- Elimination: users install the antivirus update, which eliminates the virus
- Indications of a virus attack: abnormal activity (slowness, antivirus alerts, missing folders, etc.)
- Many fake antivirus programs are themselves malware
- Ransomware restricts access to computer files until a sum is paid
- Boot sector viruses: move the MBR to another location on the hard disk and put their own code in its place, so the virus runs before the operating system
- File viruses: infect files that are executed or interpreted on the system, such as COM, EXE, SYS, OVL, OBJ, MNU and BAT files
- Multipartite viruses: infect the boot sector and executable files at the same time (a hybrid of the two types above)
- Macro viruses: infect files created by Microsoft Word or Excel; most are written in the macro language Visual Basic for Applications (VBA)
- They infect templates and convert infected documents into template files
- Cluster viruses: modify directory table entries so that they point to the virus code instead of the actual program
- There is only one copy of the virus on the disk, yet it effectively infects every program on the system
- The virus runs first whenever any program on the system is started
- Stealth/tunneling viruses: evade antivirus software by intercepting its requests to the operating system
- The virus can return an uninfected version of the file to the antivirus, so the file appears "clean"
- Encryption viruses: use simple encryption to encipher their code, with a different key for each infected file; a scanner cannot detect the encrypted body directly with signature methods (only the small decryptor stays constant, so that is what signatures have to target)
- Polymorphic code: code that mutates while keeping the original algorithm intact; well-written polymorphic code has no part that stays the same from one infection to the next
- Metamorphic viruses: rewrite themselves completely each time they infect a new executable
- They can reprogram themselves by translating their own code into a temporary representation and then back into normal code again
- File-overwriting or cavity viruses: overwrite a part of the host file that is constant (usually null padding), without increasing the file's length and while preserving its functionality
- Sparse infector viruses: infect only occasionally, or only files whose length falls within a narrow range; by infecting less often they try to minimize the probability of being discovered
- Companion/camouflage viruses: create a companion file for each executable they infect; e.g., the virus saves itself as notepad.com, and because the command interpreter resolves .COM before .EXE, running "notepad" loads the virus notepad.com instead of the legitimate notepad.exe
- Shell viruses: the virus code forms a shell around the host program's code, making itself the main program and the host code its subroutine; almost all boot sector viruses are shell viruses
- File extension viruses: exploit hidden file extensions; e.g., .TXT is a safe type, the virus file is BAD.TXT.VBS but is displayed as bad.txt, and when it is opened the script executes
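A small check for the two naming tricks above (companion files and double extensions), added here as an example and not part of the original notes. It encodes the default PATHEXT resolution order of cmd.exe, which is why a .COM companion wins over the .EXE; the directory listing it runs over is constructed, and the extension sets are assumptions you would tune for your environment.

```python
from pathlib import PurePath

# Default PATHEXT order cmd.exe uses when a bare "name" is typed: .COM is tried before .EXE.
PATHEXT = [".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".msc"]
EXECUTABLE_EXTS = set(PATHEXT) | {".scr", ".pif", ".hta", ".ps1"}   # assumed set, extend as needed
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".xls", ".xlsx", ".zip"}

# Constructed directory listing (not taken from a real system).
SAMPLE_LISTING = ["notepad.exe", "notepad.com", "calc.exe", "bad.txt.vbs", "readme.txt",
                  "Invoice.pdf.exe", "setup.exe", "photo.jpg"]


def companion_candidates(names):
    """(shadowing, shadowed) pairs: two executables share a stem and the first is resolved
    earlier in PATHEXT order, so typing the bare name runs it instead of the other."""
    by_stem = {}
    for n in names:
        p = PurePath(n)
        if p.suffix.lower() in PATHEXT:
            by_stem.setdefault(p.stem.lower(), []).append(n)
    pairs = []
    for files in by_stem.values():
        files.sort(key=lambda f: PATHEXT.index(PurePath(f).suffix.lower()))
        pairs.extend((files[0], other) for other in files[1:])
    return pairs


def double_extension_names(names):
    """Names such as bad.txt.vbs: a document-looking inner extension behind an executable
    outer one, which Explorer shows as 'bad.txt' when known extensions are hidden."""
    return [n for n in names
            if PurePath(n).suffix.lower() in EXECUTABLE_EXTS
            and PurePath(PurePath(n).stem).suffix.lower() in DOCUMENT_EXTS]


if __name__ == "__main__":
    print("companions:", companion_candidates(SAMPLE_LISTING))
    print("double extensions:", double_extension_names(SAMPLE_LISTING))
```

Run it over `os.listdir()` of System32 and of directories on PATH; a .COM sitting next to a same-named .EXE that Microsoft never shipped is worth pulling for analysis.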
- Add-on viruses: append their code to the host code without changing it, or relocate the host code to insert their own code at the beginning
- Intrusive viruses: overwrite the host code partly or completely with viral code
- Transient/direct action viruses: hold control only while the host code is running; the virus runs when the host is run and terminates or leaves memory as soon as host execution ends
- Terminate and Stay Resident (TSR) viruses: remain in memory for the entire work session, even after the host program has run and terminated; removed only by rebooting the system
- Computer worms: malicious programs that replicate, execute and spread across network connections on their own, without human interaction; most exist only to replicate and spread, but some carry payloads
- Attackers use payloads to install backdoors that turn infected hosts into zombies in a botnet
- A worm is a special type of malware that replicates itself and consumes memory and bandwidth, but does not attach itself to other programs
- A worm takes advantage of file or information transport features on a computer to spread across the network it infects
- Sheep dipping refers to analyzing suspect files and incoming messages for malware on an isolated system before they are allowed onto the network
- A sheep dip computer is installed with port monitors, file monitors, network monitors and antivirus software, and connects to the network only under strictly controlled conditions
- Antivirus sensor systems: a collection of software that detects and analyzes malicious code threats
- Malware analysis procedure:
- Perform static analysis while the malware is not running
- Collect the string values found in the binary with tools
- Set up the (isolated) lab network connection and check that it works without errors
- Run the malware and monitor process actions and system information with Process Monitor/Process Explorer
- Record network traffic with monitoring tools (TCPView, NetResident)
- Determine the files added, processes spawned and registry changes with tools
- Collect service requests, DNS table information and attempted incoming and outgoing connections with tools
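The static-analysis step above (collecting strings from the binary) as an added example, not code from the original notes: a strings extractor that also recovers UTF-16LE wide strings, which Windows malware uses heavily and which the classic ASCII-only `strings` misses, followed by a pass that pulls indicators (IPs, URLs, Windows paths) out of what was found. The sample "binary" is constructed inline; the regular expressions and minimum length are the example's own choices.

```python
import re

# Constructed stand-in for a suspect binary: header bytes, non-printable filler, an ASCII
# command line, a UTF-16LE URL and path, and an ASCII IP. Not a real sample.
SAMPLE_BIN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"ab\x00"                                       # too short to count as a string
    + b"cmd.exe /c whoami\x00\x80\x81\x7f\x02"
    + "http://198.51.100.23:8080/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"\xfe\xff203.0.113.9\x00\x01"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16-le") + b"\x00" * 8
)


def extract_strings(data, min_len=4):
    """Like the strings tool, but also returns UTF-16LE (wide) strings.
    Result: sorted list of (offset, kind, text)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|*?]+")


def extract_iocs(strings):
    """Pull network and host indicators out of the recovered strings."""
    iocs = {"ipv4": set(), "url": set(), "path": set()}
    for _offset, _kind, s in strings:
        iocs["url"].update(URL_RE.findall(s))
        iocs["ipv4"].update(IPV4_RE.findall(s))
        iocs["path"].update(WINPATH_RE.findall(s))
    return iocs


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BIN)
    for offset, kind, text in found:
        print(f"{offset:6d} {kind:5s} {text}")
    print(extract_iocs(found))
```

Packed or crypted samples yield almost no meaningful strings; if the output is only the packer's own imports and noise, that is itself a finding, and the strings step has to be repeated on a memory dump taken after the sample has unpacked itself.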
- Trojans open otherwise unused ports on the victim's machine to connect back to trojan handlers
- Look for established connections to unknown or suspicious IP addresses
- Use a port monitoring tool (e.g., netstat or TCPView)
- Scanning for suspicious processes:
- Trojans camouflage themselves as genuine Windows services
- Some trojans inject their Portable Executable image into other running processes
- The processes remain visible but look legitimate, which helps them bypass desktop firewalls
- Trojans can also use rootkit methods to hide their processes
- Use process monitoring tools to detect hidden trojans and backdoors
- Trojans are also installed along with device drivers downloaded from untrusted sources
- Scan suspicious drivers and verify that they are genuine and were downloaded from the publisher's original site
- Trojans normally modify system files and folders; use these tools to detect changes:
- SIGVERIF: checks the integrity of critical files digitally signed by Microsoft
- FCIV: computes MD5 or SHA-1 hashes of files (both are collision-prone; use SHA-256 for new baselines)
- TRIPWIRE: system integrity verifier that scans critical system files and reports changes
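What FCIV and Tripwire do, reduced to its core, as an added example that is not the original notes' or either tool's own code: build a hash baseline over a directory tree, rebuild it later and report added, removed and modified files. The demo tree and the tampering it simulates are constructed; the tampering is deliberately cavity-style (a padding region overwritten in place, length unchanged) to show why size and timestamps are not enough and a cryptographic hash is needed. SHA-256 is used instead of FCIV's MD5/SHA-1.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map of relative path -> {hash, size} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): {"hash": hash_file(p, algo), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Diff two baselines; 'modified' is decided by hash, never by size alone."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p]["hash"] != current[p]["hash"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it the way a
    cavity infector and a dropper would, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"real code")
        (root / "config.ini").write_text("debug=0\n")
        base = build_baseline(root)

        # Cavity-style tamper: overwrite null padding in place, file length unchanged.
        with open(root / "bin" / "svc.exe", "r+b") as f:
            f.seek(2)
            f.write(b"payload")
        (root / "bin" / "helper.dll").write_bytes(b"\x00")   # dropped file
        (root / "config.ini").unlink()                         # removed file

        current = build_baseline(root)
        size_unchanged = base["bin/svc.exe"]["size"] == current["bin/svc.exe"]["size"]
        return compare(base, current), size_unchanged


if __name__ == "__main__":
    diff, same_size = demo()
    print(diff)
    print("svc.exe size unchanged:", same_size)
```

Store the baseline (and the hashing script) somewhere the monitored host cannot write to, such as read-only media or a signed file on another system; a trojan that can rewrite the baseline defeats the check, and a stealth virus that intercepts file reads can feed the hasher the clean bytes, which is why Tripwire-style checks are best run from a boot of known-good media.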
- Scanning for suspicious network activity:
- Trojans connect back to handlers and send confidential information to attackers
- Use network scanners and traffic monitors
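The port and network checks above (an unexpected listening port, and established connections to unknown addresses) as one added example, not code from the original notes: parse `netstat -ano` output from a Windows host, flag listeners that are not in a known-good baseline and sessions to addresses that are neither internal nor allowlisted, then correlate by PID. The netstat text, the baseline and the allowlist are constructed for the example; the internal ranges are RFC 1918 plus loopback and link-local, written out explicitly rather than taken from `ipaddress.is_private`, which also treats the documentation ranges used here as private.

```python
import ipaddress

# Constructed "netstat -ano" output from a Windows host (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:49731     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49802     198.51.100.23:8080     ESTABLISHED     5120
  TCP    192.168.1.20:49810     203.0.113.9:443        ESTABLISHED     3344
  TCP    192.168.1.20:49811     192.0.2.50:443         ESTABLISHED     2200
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:53             *:*                                    1180
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Assumed known-good state for this host; build yours from a clean image.
BASELINE_LISTENERS = {("TCP", "135"), ("TCP", "445"), ("UDP", "53")}
ALLOWED_REMOTE = {"192.0.2.50"}   # constructed: e.g. the organisation's update server


def split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; UDP rows have no State column."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state, pid = (fields[3], fields[4]) if proto == "TCP" else ("", fields[3])
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        entries.append({"proto": proto, "lip": lip, "lport": lport,
                        "rip": rip, "rport": rport, "state": state, "pid": int(pid)})
    return entries


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # "*" or unparsable: not an external peer
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(entries, baseline_listeners, allowed_remote):
    """Listeners outside the baseline, and established sessions to external, non-allowlisted hosts."""
    findings = []
    for e in entries:
        if e["state"] == "LISTENING" or e["proto"] == "UDP":
            if (e["proto"], e["lport"]) not in baseline_listeners:
                findings.append(("unexpected-listener", e["proto"], e["lport"], e["pid"]))
        elif e["state"] == "ESTABLISHED" and not is_internal(e["rip"]) and e["rip"] not in allowed_remote:
            findings.append(("external-connection", e["rip"], e["rport"], e["pid"]))
    return findings


def pids_with_both(findings):
    """PIDs that both listen on an unexpected port and talk to an external host."""
    listeners = {f[3] for f in findings if f[0] == "unexpected-listener"}
    talkers = {f[3] for f in findings if f[0] == "external-connection"}
    return listeners & talkers


if __name__ == "__main__":
    found = find_suspicious(parse_netstat(NETSTAT_SAMPLE), BASELINE_LISTENERS, ALLOWED_REMOTE)
    for f in found:
        print(f)
    print("PIDs to pull first:", pids_with_both(found))
```

Feed the flagged PIDs to `tasklist /svc` or Process Explorer next; a PID hosting both an odd listener and an outbound session, as PID 5120 does in the sample, is the handler-connection pattern the notes describe. HTTP/HTTPS trojans will not show an odd port, only an outbound 80/443 session, so the external-address check matters as much as the port check.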
- Virus detection methods:
- Code emulation: the antivirus runs the suspect code inside a simulated (virtual) environment; effective against encrypted and polymorphic viruses because the decrypted body shows up in the emulated memory
- Heuristic analysis: can be static or dynamic; in static analysis the antivirus examines the file format and code structure to judge whether the code is viral, in dynamic analysis it performs code emulation and watches the behaviour
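Why code emulation beats a static signature against the encryption and polymorphic viruses described earlier, as one added example serving both that passage and the detection methods here; it is not code from the original notes. A harmless stand-in "body" is re-encrypted on every "infection" with a fresh key, a randomly chosen decryptor variant and a random junk prefix, so the stored bytes differ each time and a byte signature never matches; a tiny interpreter then executes the decryptor stub at the recorded entry point and scans the resulting memory image, which is what an AV emulator does. The stub format, opcodes and marker string are the example's own inventions.

```python
import random

# Constructed stand-in for a virus body; the marker is what a signature scanner keys on.
BODY = b"push ebp ; mov ebp, esp ; ... INFECT-MARKER-v1 ... call infect_next ; ret"
SIGNATURE = b"INFECT-MARKER"
OPS = {0x01: "xor", 0x02: "add", 0x03: "sub"}   # decryptor variants the engine can emit
MAGIC = b"DEC"                                   # stub marker (invented for the example)


def _transform(data, op, key, encrypt):
    """Apply (encrypt=True) or undo (encrypt=False) a byte-wise transform with a repeating key."""
    out = bytearray()
    for i, b in enumerate(data):
        k = key[i % len(key)]
        if op == "xor":
            out.append(b ^ k)
        elif (op == "add") == encrypt:   # add when encrypting with 'add' or decrypting 'sub'
            out.append((b + k) & 0xFF)
        else:
            out.append((b - k) & 0xFF)
    return bytes(out)


def mutate(body=BODY, rng=random):
    """One 'infection': fresh key, random decryptor opcode, random junk prefix.
    Layout: [entry offset][junk][MAGIC opcode keylen key bodylen][encrypted body]"""
    opcode = rng.choice(list(OPS))
    key = bytes(rng.randrange(1, 256) for _ in range(rng.randrange(1, 9)))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 33)))
    enc = _transform(body, OPS[opcode], key, encrypt=True)
    stub = MAGIC + bytes([opcode, len(key)]) + key + len(enc).to_bytes(2, "big")
    return bytes([1 + len(junk)]) + junk + stub + enc


def signature_scan(sample, sig=SIGNATURE):
    """Static scanner: byte-pattern match on the file as stored on disk."""
    return sig in sample


def emulate_and_scan(sample, sig=SIGNATURE):
    """Code emulation: run the decryptor at the entry point inside a sandboxed
    interpreter, then signature-scan the decrypted memory image."""
    if not sample:
        return False
    ep = sample[0]
    if sample[ep:ep + 3] != MAGIC or ep + 7 > len(sample):
        return False
    opcode, klen = sample[ep + 3], sample[ep + 4]
    if opcode not in OPS or klen == 0:
        return False
    key = sample[ep + 5:ep + 5 + klen]
    blen = int.from_bytes(sample[ep + 5 + klen:ep + 7 + klen], "big")
    enc = sample[ep + 7 + klen:ep + 7 + klen + blen]
    image = _transform(enc, OPS[opcode], key, encrypt=False)
    return sig in image


if __name__ == "__main__":
    a, b = mutate(), mutate()
    print("samples identical:", a == b)
    print("signature on disk:", signature_scan(a), signature_scan(b))
    print("after emulation:  ", emulate_and_scan(a), emulate_and_scan(b))
```

Note what stays constant here: the MAGIC bytes and the fixed stub layout. That is exactly the decryptor a real signature would target, which is why genuine polymorphic engines also mutate the decryptor, and why metamorphic viruses go further and rewrite the body itself; against those, emulation has to be combined with behavioural heuristics rather than a post-decryption byte match.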
- Trojan countermeasures:
- Avoid opening email attachments from unknown senders
- Block unnecessary ports
- Avoid accepting programs transferred by instant messaging
- Harden weak default configurations and disable unused functionality, including protocols and services
- Monitor internal network traffic for odd ports
- Avoid downloading and executing apps from untrusted sources
- Install security updates
- Scan CDs and DVDs with antivirus software
- Restrict permissions within desktop environment
- Manage local workstation file integrity
- Run Host-Based Antivirus
- Backdoor countermeasures:
- Antivirus software
- Educate users not to download from untrusted sites
- Tools: Norton and McAfee (antivirus); Nessus (a vulnerability scanner rather than an antivirus, useful for finding the exposed services a backdoor listens on)