Saturday, March 21, 2020

NET185 - Malware

This week's module covered malware: what it is, the laws written around it, the components malware is built from, tools for building and analyzing it, and how to defend a system against it.

Laws were created to protect people and set standards in the rapidly evolving field of technology. This chapter highlighted the laws most relevant to malware.
The Computer Fraud and Abuse Act (CFAA) addresses computer-related offenses at the federal level.
The USA PATRIOT Act of 2001 amended and expanded the CFAA, an act whose roots go back to 1984 (the original 1984 statute was rewritten as the CFAA in 1986).
The CAN-SPAM Act of 2003, which stands for Controlling the Assault of Non-Solicited Pornography And Marketing Act, tackled spam by setting rules for commercial email: accurate header and subject lines, a working opt-out mechanism, and clear identification of the message as an advertisement.

Malware is software written to disrupt a system or carry out malicious actions on it. It comes in many forms, and people often confuse one form with another, most commonly worms with viruses.

Generally malware is comprised of:

- Crypter
The 'shell' or shield: it encrypts the malicious code so it is difficult to reverse-engineer or analyze and harder for signature-based antivirus to detect, and decrypts it only at run time.

- Exploit
Code that abuses a bug or vulnerability to get the malware running or to escalate its privileges.

- Injector
Inserts the malicious code into other running (legitimate) processes so that it executes under their name and privileges.

- Obfuscator
Conceals the malware by making its code and strings unreadable without changing what it does.

- Packer
Compresses the executable, which both shrinks it and hides the original code until it is unpacked in memory.

- Payload
The malicious portion which carries out the intent: the damaging part.

- Malicious Code
The written instructions or programming directing the actions of the malware.


Forms of Malware:

Virus
Best known form, often mistaken for a synonym of the all-encompassing term malware. Viruses are self-replicating: they attach their code to legitimate applications and run when the host program runs. New or unique viruses are harder for antivirus programs to distinguish and detect because no signature exists for them yet.

The virus life cycle:
1. Design
2. Replication
3. Launch (delivers the payload)
4. Detection (symptoms: slow system, BSOD, deleted files, OS fails to load)
5. Incorporation (AV software developers create a defense/signature)
6. Execution of the damage routine (users apply the AV update and eliminate the virus)

Types of Viruses:
- Direct Action (runs only when the infected application runs, with the goal of infecting as many files/directories as possible)
- Logic bomb (event-driven: the payload fires when a condition is met, such as a specific date/time or a program being launched; a date/time trigger makes it a time bomb)
- Overwrite (overwrites the infected file or directory with its own code; the only remedy is to delete the overwritten data and restore it from backup)
- Browser hijacker (targets web browsers and redirects users to a fake web page)
- Web scripting (lives in ads/videos/backgrounds of web pages and infects through client-side scripting. Persistent: cookies are stolen, which can lead to session hijacking. Non-persistent: the user is unaware of the attack)
- Boot sector (moves the original MBR elsewhere and writes itself into the MBR's location, so the virus runs before the operating system)
- Cavity, also called spacefiller (writes itself into unused space inside a file/app so the file size does not change; unlike an overwriting virus it leaves the original code intact)
- Email (exists in an attachment)
- Sparse infector (infects only at random times or on certain triggers to hide from AV software)
- Polymorphic (difficult to detect: the core code stays the same, but each copy is encrypted with a different key and a different decryptor, so the bytes on disk mutate from copy to copy)
- Encryption (cryptovirus, attacks user files/directories by encrypting them; decryption keys are needed for recovery)
Plus there are many more: Macro, Cluster, File infector, Companion, FAT, Multipartite, Stealth/tunneling, Metamorphic, Armored, Terminate and Stay Resident (TSR), etc.
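To make the crypter/packer idea and the polymorphic entry concrete, here is an added example (my own Python, not code from the course or this post). A fixed byte pattern stands in for an AV signature; a repeating-key XOR stands in for the crypter's shell. Each "build" uses a different key, so the copies differ on disk and the signature no longer matches, yet every copy decrypts back to the same body at run time. The payload, the signature and the key lengths are constructed for the demo and are not real malware; a real crypter would use a proper cipher and an executable decryptor stub rather than a data header. The entropy measurement is included because the high entropy the crypter produces is itself a tell that analysts use to spot packed or encrypted samples.

```python
import math
import os

# Constructed stand-in for a program body, NOT real malware: repetitive text plus a
# marker byte string that a signature-based scanner would key on.
PLAIN_PAYLOAD = b"MSG: This is the payload body. " * 4 + b"EVIL_MARKER_42" + b"\x00" * 16
SIGNATURE = b"EVIL_MARKER_42"   # hypothetical AV signature for the plain payload


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the crypter's 'shell'. Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_crypted_copy(payload: bytes, key: bytes) -> bytes:
    """One 'build': [key length][key][XOR-encrypted body]. In a real crypter the header is a
    small executable stub that decrypts the body in memory and jumps to it; here it is just data."""
    assert 1 <= len(key) <= 255
    return bytes([len(key)]) + key + xor_crypt(payload, key)


def run_stub(blob: bytes) -> bytes:
    """What the stub does at run time: read the key back out of the header and decrypt the body."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    return xor_crypt(blob[1 + key_len:], key)


def has_signature(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """The naive scanner: a fixed byte pattern match."""
    return signature in blob


def demo(keys=None) -> dict:
    """Build several copies with different keys and compare them against the plain payload."""
    if keys is None:
        keys = [os.urandom(8) for _ in range(3)]
    copies = [build_crypted_copy(PLAIN_PAYLOAD, k) for k in keys]
    return {
        "plain_detected": has_signature(PLAIN_PAYLOAD),
        "crypted_detected": [has_signature(c) for c in copies],
        "all_copies_distinct": len(set(copies)) == len(copies),
        "all_decrypt_to_original": all(run_stub(c) == PLAIN_PAYLOAD for c in copies),
        "plain_entropy": round(entropy(PLAIN_PAYLOAD), 2),
        "crypted_entropy": [round(entropy(c), 2) for c in copies],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The takeaway for the defender is the last two lines of the result: the crypted copies are all different and none matches the signature, but their entropy jumps well above the plain payload's. That jump is why "identify obfuscation/packing" is a standard static-analysis step, and why behavioural (dynamic) analysis matters for samples that only reveal themselves after the stub runs.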

Worms
Similar to a virus, but standalone: a worm self-replicates without needing a host program and spreads on its own across networks, often by exploiting vulnerabilities, and does so very fast. It is not so much destructive as resource-consuming if left unchecked (bandwidth, CPU and disk eaten up by uncontrolled copying), although a worm can also carry a destructive payload. Viruses are generally the more destructive of the two.

Trojans
A Trojan horse is malware disguised as legitimate software; its purpose is to create a backdoor into a system to gain and maintain access. Trojans can be used to steal data, install other software, record from webcams and modify files.
HTTP RAT and ProRat are tools with which a user can create their own Trojans.
Symptoms: screen settings changing by themselves, chat boxes appearing, passwords changed, accounts accessed without permission, unknown purchases on statements, Ctrl+Alt+Del not functioning, general abnormal system behavior
Types: Remote access Trojans, Backdoor, Botnet, DDoS (Distributed Denial of Service), Destructive, Banker, IoT (Internet of Things), Proxy server, Defacement, Gaming, Mobile, Security software disabler, Command shell
Construction kits are a common way to create Trojans. The creation steps are:
1. Create the server (the component that runs on the target device and takes the attacker's commands)
2. Create the dropper (the installer that writes the server to the target and starts it)
3. Wrap the dropper and server into a genuine-looking application file so the victim runs it

Rootkits
Dangerous type. A rootkit runs with administrative/root privileges and hides its presence (files, processes, network connections) from the operating system and security tools, which also makes it hard to remove. Rootkits tend to install keyloggers and much more. They do have administrative permissions, after all...

Spyware
Collects information about activity on the target system and sends it back to the attacker. This type is not as dangerous as it is invasive.

Adware
Invasive and common. Installs silently in the background and causes pop-up and pop-under advertisements.

Scareware
Uses fear to manipulate a user to take a directed action under the pretense that something harmful could happen to their device.

Ransomware
Scans for and encrypts files on the victim's device. The attacker then makes demands, typically for money, which the victim must meet to receive the decryption key and get their data back.


Defenses:

The best defense and strategies against worms and viruses: install antivirus software, create an antivirus policy, read instructions carefully when downloading from the internet, and update AV software regularly.
For Trojans: avoid opening unexpected email attachments, block unused or non-essential ports on the firewall, don't install unknown apps, monitor network traffic, and install and maintain anti-malware software.

Ways that malware can infect a computer or device:
Removable media (USB flash drives), phishing emails, installs/downloads from websites


Malware Analysis:
Sheep dipping is the analysis of emails, suspect files and systems for malware on a special, isolated computer. The sheep dip machine has port monitors, file monitors, network monitors and AV software, and connects to a network only under very strict conditions. An antivirus sensor system (a collection of malware detection and analysis software) is used alongside it.

1. Static Analysis
- code analysis: reviewing the code/binary without executing it
- Techniques: file fingerprinting (hashing), scanning (AV/signature checks), string searching, identifying obfuscation/packing, and malware disassembly
2. Dynamic Analysis
- runs the malware on the sheep dip computer to observe its effects
- creates a baseline of the system before executing the malicious code
- host integrity monitoring: taking a before and after snapshot of the sheep dip system and comparing them
- host integrity monitoring components: ports, processes, registry, Windows services, startup programs, event logs, installations, files and folders, device drivers, network traffic, DNS, application programming interface (API) calls.
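As an added example (my own Python, not code from the course or this post), here is a small static triage script covering the techniques listed under static analysis: file fingerprinting by hash, a minimal executable header check, string extraction, a watchlist scan of those strings, and two packing indicators (few readable strings relative to file size, and well-known packer section names). The two sample "files" are constructed inline and are not real malware; the watchlist, the 15% string-coverage threshold and the section-name list are assumptions for the demo, where a real triage would use YARA rules and a proper PE parser.

```python
import hashlib
import re


def _pe_header(e_lfanew: int) -> bytes:
    """Constructed DOS header: 'MZ' magic, e_lfanew at offset 0x3C, 'PE\\0\\0' at e_lfanew."""
    dos = b"MZ" + b"\x00" * 58 + e_lfanew.to_bytes(4, "little")
    return dos + b"\x00" * (e_lfanew - len(dos)) + b"PE\x00\x00"


# Constructed samples, NOT real malware. The first mimics an unpacked binary with
# readable strings; the second mimics a packed one: UPX-style section names and a
# body of random-looking bytes (16 chained SHA-256 digests = 512 bytes).
SAMPLE_UNPACKED = (
    _pe_header(0x80)
    + b"\x00" * 20
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/c2\x00cmd.exe /c whoami\x00"
    + b"\x00" * 32
)
SAMPLE_PACKED = (
    _pe_header(0x40)
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"".join(hashlib.sha256(b"seed" + bytes([i])).digest() for i in range(16))
)

# Hypothetical watchlist for the "scanning" step (assumed, not an official list).
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "URLDownloadToFileA"}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".petite"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def fingerprint(data: bytes) -> dict:
    """File fingerprinting: the hashes an analyst shares or looks up in threat-intel feeds."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_check(data: bytes) -> dict:
    """Minimal header check: 'MZ' magic, then 'PE\\0\\0' at the offset stored at 0x3C."""
    is_mz = data[:2] == b"MZ"
    pe_offset = int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else None
    is_pe = is_mz and pe_offset is not None and data[pe_offset:pe_offset + 4] == b"PE\x00\x00"
    return {"is_mz": is_mz, "pe_offset": pe_offset, "is_pe": is_pe}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Like the `strings` tool: runs of min_len or more printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_strings(strings: list) -> dict:
    """String searching against the watchlist: APIs, URLs and shell commands worth a second look."""
    return {
        "apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [s for s in strings if URL_RE.search(s)],
        "commands": [s for s in strings if "cmd.exe" in s.lower() or "powershell" in s.lower()],
    }


def packing_indicators(data: bytes, strings: list) -> list:
    """Heuristics for 'is this packed/obfuscated?' (threshold of 15% is an assumption)."""
    hints = []
    covered = sum(len(s) for s in strings)
    if data and covered / len(data) < 0.15:
        hints.append("few readable strings (%.1f%% of bytes)" % (100 * covered / len(data)))
    names = PACKER_SECTION_NAMES & set(strings)
    if names:
        hints.append("packer section names: " + ", ".join(sorted(names)))
    return hints


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "fingerprint": fingerprint(data),
        "pe": pe_check(data),
        "strings": strings,
        "scan": scan_strings(strings),
        "packing": packing_indicators(data, strings),
    }


if __name__ == "__main__":
    for name, blob in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        r = triage(blob)
        print(name, r["fingerprint"]["sha256"][:16], r["pe"], r["scan"], r["packing"])
```

Run it and the unpacked sample yields the injection APIs, the URL and the command line directly from its strings, while the packed one yields almost nothing except the packer hints. That is the practical meaning of "identify obfuscation/packing": when static triage comes back empty, the next step is unpacking or dynamic analysis, not concluding the file is clean.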
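Host integrity monitoring, as an added example (my own Python, not code from the course): snapshot the file system before the sample runs and again after, then diff the two. The "system" here is a temporary directory built inline, the sample's actions (drop a binary, tamper with the hosts file, scramble a document, delete a backup) are simulated, and the port listings are constructed; none of it touches a real host. The diff works on any key/value snapshot, so the same comparison applies to the other monitored components in the list above (ports, services, startup entries, drivers) once you have a collector for them.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_files(root) -> dict:
    """Baseline/after snapshot: relative path -> SHA-256 of content for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Generic before/after comparison for any {key: value} snapshot (files, ports, services...)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def _write(path: Path, content: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)


def simulate_sample_run(root: Path) -> None:
    """Stands in for detonating the sample on the sheep dip (constructed, not real malware):
    drop a binary, add a hosts entry, overwrite a document with scrambled bytes, delete a backup."""
    _write(root / "Users/victim/AppData/Roaming/updater.exe", b"MZ" + b"\x90" * 32)
    hosts = root / "Windows/System32/drivers/etc/hosts"
    hosts.write_bytes(hosts.read_bytes() + b"127.0.0.1 av-updates.example\n")
    notes = root / "Users/victim/Documents/notes.txt"
    notes.write_bytes(bytes(b ^ 0x5A for b in notes.read_bytes()))
    (root / "Users/victim/Documents/backup.zip").unlink()


def demo() -> dict:
    """Baseline -> run sample -> snapshot again -> diff, all inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root / "Users/victim/Documents/notes.txt", b"quarterly numbers\n")
        _write(root / "Users/victim/Documents/backup.zip", b"PK\x03\x04")
        before = snapshot_files(root)          # 1. baseline
        simulate_sample_run(root)               # 2. execute the sample
        after = snapshot_files(root)            # 3. second snapshot
        return diff_snapshots(before, after)    # 4. what changed?


# The same diff applies to the other monitored components. Constructed listening-port
# listings (port -> owning process), as a collector for netstat-style output would produce:
PORTS_BEFORE = {"tcp/135": "svchost.exe", "tcp/445": "System"}
PORTS_AFTER = {"tcp/135": "svchost.exe", "tcp/445": "System", "tcp/4444": "updater.exe"}


if __name__ == "__main__":
    print("files:", demo())
    print("ports:", diff_snapshots(PORTS_BEFORE, PORTS_AFTER))
```

Hashing content rather than trusting timestamps matters here: a sample that touches a file and resets its mtime still shows up as modified. The other caveat is that a snapshot diff only sees end state; a file the sample created and deleted again during the run leaves no trace in it, which is why file monitors and API-call tracing run alongside the snapshots rather than instead of them.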
