2.4 An Overview of Malware Flashcards

1
Q

Malware

A

Malicious software
– These can be very bad
* Gather information
– Keystrokes
* Show you advertising
– Big money
* Viruses and worms
– Encrypt your data
– Ruin your day

2
Q

Malware types and methods

A

Viruses
* Worms
* Ransomware
* Trojan Horse
* Rootkit
* Keylogger
* Spyware
* Bloatware
* Logic bomb

3
Q

How you get malware

A

These all work together
– A worm takes advantage of a vulnerability
– Installs malware that includes a remote access backdoor
– Additional malware may be installed later
* Your computer must run a program
– Email link - Don’t click links
– Web page pop-up
– Drive-by download
– Worm
* Your computer is vulnerable
– Operating system - Keep your OS updated!
– Applications - Check with the publisher

4
Q

Your data is valuable

A

Personal data
– Family pictures and videos
– Important documents
* Organization data
– Planning documents
– Employee personally identifiable information (PII)
– Financial information
– Company private data
* How much is it worth?
– There’s a number

5
Q

Ransomware

A

A particularly nasty malware
– Your data is unavailable until you provide cash
* Malware encrypts your data files
– Pictures, documents, music, movies, etc.
– Your OS remains available
– They want you running, but not working
* You must pay the attackers to obtain the decryption key
– Untraceable payment system
– An unfortunate use of public-key cryptography

6
Q

Protecting against ransomware

A

Always have a backup
– An offline backup, ideally
– Test that you can actually restore from it
* Keep your operating system up to date
– Patch those vulnerabilities
* Keep your applications up to date
– Security patches
* Keep your anti-virus/anti-malware signatures up to date
– New attacks every hour
* Keep everything up to date

7
Q

Virus

A

Malware that can reproduce itself
– It needs you to execute a program
* Reproduces through file systems or the network
– Just running a program can spread a virus
* May or may not cause problems
– Some viruses are invisible, some are annoying
* Anti-virus is very common
– Thousands of new viruses every week
– Is your signature file updated?

8
Q

Virus types

A

Program viruses - It’s part of the application
* Boot sector viruses - Who needs an OS?
* Script viruses - Operating system and browser-based
* Macro viruses - Common in Microsoft Office

9
Q

Fileless virus

A

A stealth attack
– Does a good job of avoiding anti-virus detection
– File-based scanners have no file to scan
* Operates in memory
– Never installed as a file or application on disk
– Typically runs through legitimate system tools (PowerShell, WMI, the registry) rather than its own executable

10
Q

Worms

A

Malware that self-replicates
– Doesn’t need you to do anything
– Uses the network as a transmission medium
– Self-propagates and spreads quickly
* Worms are pretty bad things
– Can take over many systems very quickly
* Firewalls and IDS/IPS can mitigate many worm infestations
– Doesn’t help much once the worm gets inside

11
Q

Spyware

A

Malware that spies on you
– Advertising, identity theft, affiliate fraud
* Can trick you into installing
– Peer to peer, fake security software
* Browser monitoring
– Capture surfing habits
* Keyloggers
– Capture every keystroke
– Send your keystrokes back to the attacker

12
Q

Protecting against spyware

A

Maintain your anti-virus / anti-malware
– Always have the latest signatures
* Always know what you’re installing
– And watch your options during the installation
* Where’s your backup?
– You might need it someday
– Cleaning adware isn’t easy
* Run some scans - Malwarebytes

13
Q

Bloatware

A

A new computer or phone
– Includes the operating system and important apps
* Also includes applications you didn’t expect
– And often don’t need
* Apps are installed by the manufacturer
– You don’t get a choice
* Uses valuable storage space
– May also add to overall resource usage
– The system may be slower than expected
– Could open your system to exploits

14
Q

Removing bloatware

A

Identify and remove - This may be easier said than done
* Use the built-in uninstaller - Works for most applications
* Some apps have their own uninstaller
– That’s how bad they are
* Third-party uninstallers and cleaners
– Probably not the first option
– Always have a backup

15
Q

Keyloggers

A

Your keystrokes contain valuable information
– Web site login URLs, passwords, email messages
* Save all of your input and send it to the bad guys
* Circumvents encryption protections
– Your keystrokes are in the clear
* Other data logging
– Clipboard logging, screen logging, instant messaging, search engine queries

16
Q

Logic bomb

A

Waits for a predefined event
– Often left by someone with a grudge
* Time bomb - Triggered by a time or date
* User event - Triggered by an action rather than a time
* Difficult to identify - Difficult to recover if it goes off

17
Q

Real-world logic bombs

A

March 19, 2013, South Korea
– Email with malicious attachment sent to South Korean organizations
– Posed as a bank email - Trojan installs malware
* March 20, 2013, 2 p.m. local time
– Malware time-based logic bomb activates
– Storage and master boot record deleted, system reboots
– “Boot device not found. Please install an operating system on your hard disk.”
* December 17, 2016, 11:53 p.m.
– Ukraine high-voltage substation. Logic bomb begins disabling electrical circuits. Malware mapped out the control network
– Began disabling power at a predetermined time
– Customized for SCADA networks (Supervisory Control and Data Acquisition)

18
Q

Preventing a logic bomb

A

Difficult to recognize
– Each is unique
– No predefined signatures
* Process and procedures
– Formal change control
* Electronic monitoring
– Alert on changes
– Host-based intrusion detection, Tripwire, etc.
* Constant auditing
– An administrator can circumvent existing systems
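The “alert on changes” control above is usually a file-integrity monitor: take a cryptographic baseline of trusted files while the system is known-good, then re-hash later and report anything added, removed or modified. The block below is an added example, not code from the original deck or from Tripwire; it builds its own sample directory in a temp folder (constructed, not a real system) so it runs offline, and the edited script contents are a placeholder for what a date-triggered logic bomb would look like.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files never load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits of every file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline a trusted tree, then tamper."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        script = root / "bin" / "nightly.sh"
        script.write_text("#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        (root / "etc" / "cron.d").write_text("0 2 * * * root /bin/nightly.sh\n")
        baseline = build_baseline(root)  # taken while the system is known-good

        # Later: a date-triggered branch is spliced into the trusted script,
        # a preload file appears, and the cron entry disappears (all constructed).
        script.write_text(
            "#!/bin/sh\n"
            '[ "$(date +%m%d)" = "0401" ] && echo "payload would run here"\n'
            "tar czf /backup/data.tgz /data\n"
        )
        (root / "etc" / "ld.so.preload").write_text("/tmp/unknown.so\n")
        (root / "etc" / "cron.d").unlink()
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to live somewhere the administrator being audited cannot rewrite (a separate host or write-once storage); otherwise the “constant auditing” point above applies, since whoever can change the files can usually change the baseline too.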

19
Q

Rootkits

A

Originally a Unix technique
– The “root” in rootkit
* Modifies core system files
– Part of the kernel, or loaded as a kernel driver
* Hides itself from the operating system’s own tools
– You won’t see it in Task Manager, or in file and process listings
* Also invisible to traditional anti-virus utilities
– If you can’t see it, you can’t stop it

20
Q

Finding and removing rootkits

A

Look for the unusual
– Anti-malware scans
– Compare what the running OS reports with what an offline boot sees
* Use a remover specific to the rootkit
– Usually built after the rootkit is discovered
* Secure Boot with UEFI
– The firmware only starts a signed boot loader and kernel, so a modified one is refused before the OS loads

21
Q

Physical attacks

A

Old-school security
– No keyboard, no mouse, no command line
* Many different ways to circumvent digital security
– A physical approach must be considered
* If you have physical access to a server, you have full control
– An operating system can’t stop an in-person attack
* Door locks keep out the honest people
– There’s always a way in

22
Q

Brute force

A

The physical version - No password required
* Push through the obstruction - Brawn beats brains
* Check your physical security
– Check the windows, try the doors
* Attackers will try everything
– You should be prepared for anything

23
Q

RFID cloning

A

RFID is everywhere - Access badges, key fobs
* Duplicators are on Amazon - Less than $50
* The duplication process takes seconds
– Read one card, copy to another
* This is why we have MFA
– Use another factor with the card

24
Q

Environmental attacks

A

Attack everything supporting the technology
– The operating environment
* Power monitoring
– An obvious attack
* HVAC (Heating, Ventilation, and Air Conditioning) and humidity controls
– Large data centers must be properly cooled
* Fire suppression
– Watch for smoke or fire

25
Q

Denial of service

A

Force a service to fail
– Overload the service
* Take advantage of a design failure or vulnerability
– Keep your systems patched!
* Cause a system to be unavailable
– Competitive advantage
* Create a smokescreen for some other exploit
– Precursor to a DNS spoofing attack
* Doesn’t have to be complicated
– Turn off the power
26
Q

A “friendly” DoS

A

Unintentional DoSing
– It’s not always a ne’er-do-well
* Network DoS
– Layer 2 loop without STP
* Bandwidth DoS
– Downloading multi-gigabyte Linux distributions over a DSL line
* The water line breaks
– Get a good shop vacuum
27
Q

Distributed Denial of Service (DDoS)

A

Launch an army of computers to bring down a service
– Use all the bandwidth or resources - traffic spike
* This is why the attackers have botnets
– Thousands or millions of computers at your command
– At its peak, the Zeus botnet infected over 3.6 million PCs
– Coordinated attack
* Asymmetric threat
– The attacker may have fewer resources than the victim
28
Q

DDoS reflection and amplification

A

Turn your small attack into a big attack
– Often reflected off another device or service
– The attacker spoofs the victim’s address as the source, so the replies go to the victim
– A small query produces a much larger response
* An increasingly common network DDoS technique
– Turn Internet services against the victim
* Uses protocols with little (if any) authentication or checks
– NTP, DNS, ICMP
– A common example of protocol abuse
29
Q

DNS poisoning

A

Modify the DNS server
– Requires some crafty hacking
* Modify the client hosts file
– The hosts file takes precedence over DNS queries
* Send a fake response to a valid DNS request
– Requires a redirection of the original request or the resulting response
– Real-time redirection
– This is an on-path attack
30
Q

Domain hijacking

A

Get access to the domain registration, and you have control of where the traffic flows
– You don’t need to touch the actual servers
– Determines the DNS names and DNS IP addresses
* Many ways to get into the account
– Brute force
– Social engineer the password
– Gain access to the email address that manages the account
– The usual things
* Saturday, October 22, 2016, 1 PM
– Domain name registrations of 36 domains are changed
– Brazilian bank
– Desktop domains, mobile domains, and more
* Under hacker control for 6 hours
– The attackers became the bank
* 5 million customers, $27 billion in assets
– Results of the hack have not been publicly released
31
Q

URL hijacking

A

Make money from your mistakes
– There’s a lot of advertising on the ’net
* Sell the badly spelled domain to the actual owner
– Sell a mistake
* Redirect to a competitor
– Not as common, legal issues
* Phishing site
– Looks like the real site, please login
* Infect with a drive-by download
– You’ve got malware!
32
Q

Types of URL hijacking

A

Typosquatting / brandjacking
– Take advantage of poor spelling
* Outright misspelling
– professormesser.com vs. professormessor.com
* A typing error
– professormeser.com
* A different phrase
– professormessers.com
* Different top-level domain
– professormesser.org
33
Q

Wireless attacks - It started as a normal day

A

Surfing along on your wireless network
– And then you’re not
* And then it happens again
– And again
* You may not be able to stop it
– There’s (almost) nothing you can do
– Time to get a long patch cable
* Wireless deauthentication
– A significant wireless denial of service (DoS) attack
34
Q

802.11 management frames

A

802.11 wireless includes a number of management features
– Frames that make everything work
– You never see them
* Important for the operation of 802.11 wireless
– How to find access points, manage QoS, associate/disassociate with an access point, etc.
* Original wireless standards did not add protection for management frames
– Sent in the clear
– No authentication or validation
35
Q

Protecting against deauth attacks

A

IEEE has already addressed the problem
– 802.11w (Protected Management Frames), ratified in 2009
* Some of the important management frames are protected
– Disassociate, deauthenticate, channel switch announcements, etc.
– Forged frames fail the integrity check and are discarded
* Not everything is protected
– Beacons, probes, authentication, association
* Protected management frames are required for 802.11ac certification
– This will roll out going forward
– Both the access point and the client must support it
36
Q

Radio frequency (RF) jamming

A

Denial of Service
– Prevent wireless communication
* Transmit interfering wireless signals
– Decrease the signal-to-noise ratio at the receiving device
– The receiving device can’t hear the good signal
* Sometimes it’s not intentional
– Interference, not jamming
– Microwave oven, fluorescent lights
* Jamming is intentional
– Someone wants your network to not work
37
Q

Wireless jamming

A

Many different types
– Constant, random bits / Constant, legitimate frames
– Data sent at random times - random data and legitimate frames
– Reactive jamming - only when someone else tries to communicate
* Needs to be somewhere close
– Difficult to be effective from a distance
* Time to go fox hunting
– You’ll need the right equipment to hunt down the jammer
– Directional antenna, attenuator
38
Q

On-path network attack

A

How can an attacker watch without you knowing?
– Formerly known as man-in-the-middle
* Redirects your traffic
– Then passes it on to the destination
– You never know your traffic was redirected
* ARP poisoning
– On-path attack on the local IP subnet
– ARP has no authentication; any host can claim to own any IP address
39
Q

On-path browser attack

A

What if the middleman was on the same computer as the victim?
– Malware/Trojan does all of the proxy work
– Formerly known as man-in-the-browser
* Huge advantages for the attackers
– Relatively easy to proxy encrypted traffic (the malware sits inside the browser, where the data is already decrypted)
– Everything looks normal to the victim
* The malware in your browser waits for you to login to your bank
– And cleans you out
40
Q

Replay attack

A

Useful information is transmitted over the network
– A crafty hacker will take advantage of this
* Need access to the raw network data
– Network tap, ARP poisoning
– Malware on the victim computer
* The gathered information may help the attacker
– Replay the data to appear as someone else
* This is not an on-path attack
– The actual replay doesn’t require the original workstation
41
Q

Browser cookies and session IDs

A

Cookies
– Information stored on your computer by the browser
* Used for tracking, personalization, session management
– Not executable, not generally a security risk
– Unless someone gets access to them
* Could be considered a privacy risk
– Lots of personal data in there
* Session IDs are often stored in the cookie
– Maintains sessions across multiple browser sessions
– Whoever holds the session ID is treated as the logged-in user
42
Q

Header manipulation

A

Information gathering
– Wireshark, Kismet
* Exploits
– Cross-site scripting
* Modify headers
– Tamper Data, Firesheep, Scapy
* Modify cookies
– Cookies Manager+ (Firefox add-on)
43
Q

Prevent session hijacking

A

Encrypt end-to-end
– They can’t capture your session ID if they can’t see it
– Additional load on the web server (HTTPS)
– Firefox extensions: HTTPS Everywhere, Force-TLS (HTTPS Everywhere has since been retired; current browsers ship a built-in HTTPS-only mode)
– Many sites are now HTTPS-only
* Encrypt end-to-somewhere
– At least avoid capture over a local wireless network
– Still in the clear for part of the journey
– Personal VPN
44
Q

Exploiting a vulnerability

A

An attacker can use many techniques
– Social engineering
– Default credentials
– Misconfiguration
* These don’t require technical skills
– The door is already unlocked
* There are still ways to get into a well-secured system
– Exploit with malicious code
– Knock the pins out of a door hinge
* Malicious code
– The attackers use any opportunity
– The types of malicious code are varied and many
– Many different forms: executable, scripts, macro viruses, worms, Trojan horse, etc.
* Protection comes from many different sources
– Anti-malware
– Firewall
– Continuous updates and patches
– Secure computing habits
45
Q

Malicious code examples

A

WannaCry ransomware
– Executable exploited a vulnerability in Windows SMBv1
– Arbitrary code execution
* British Airways cross-site scripting
– 22 lines of malicious JavaScript code placed on checkout pages
– Information stolen from 380,000 victims
* Estonian Central Health Database
– SQL injection
– Breached all healthcare information for an entire country
46
Q

Injection attacks

A

Code injection
– Adding your own information into a data stream
* Enabled because of bad programming
– The application should properly handle input and output
* So many different injectable data types
– HTML, SQL, XML, LDAP, etc.
47
Q

SQL injection

A

SQL - Structured Query Language
– The most common relational database management system language
* SQL injection (SQLi)
– Put your own SQL requests into an existing application
– Your application shouldn’t allow this
* Can often be executed in a web browser
– Inject in a form or field
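“Your application shouldn’t allow this” comes down to one coding choice: whether user input is spliced into the SQL text or bound as a parameter. The block below is an added example, not code from the deck or from any product it mentions; it uses Python’s built-in sqlite3 with a constructed in-memory user table, and the `admin' --` value is the injected input (a quote to close the string, then a comment to discard the password check).

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the hashing here is kept minimal on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"s3cret-admin-pw").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built query: the user's input becomes part of the SQL statement."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{pw_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and cannot alter the statement."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    payload = "admin' --"  # closes the string literal, comments out the password check
    return {
        "vulnerable_real_pw": login_vulnerable(conn, "admin", "s3cret-admin-pw"),
        "vulnerable_injected": login_vulnerable(conn, payload, "anything"),
        "safe_real_pw": login_safe(conn, "admin", "s3cret-admin-pw"),
        "safe_injected": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected username the vulnerable query becomes `... WHERE username = 'admin' --' AND password_hash = '...'`, and SQLite treats everything after `--` as a comment. The safe version sends the same text as a bound value, so the quote and the comment marker are just characters in a string that matches no username.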
48
Q

Buffer overflows

A

Overwriting a buffer of memory
– Spills over into other memory areas
* Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
* Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
* A really useful buffer overflow is repeatable
– Which means that a system can be compromised
50
Q

Privilege escalation

A

Gain higher-level access to a system
– Exploit a vulnerability
– Might be a bug or design flaw
* Higher-level access means more capabilities
– Often this is the highest-level access (root or SYSTEM)
– This is obviously a concern
* These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
* Horizontal privilege escalation
– User A can access user B’s resources
51
Q

Mitigating privilege escalation

A

Patch quickly
– Fix the vulnerability
* Updated anti-virus/anti-malware software
– Block known exploits
* Data Execution Prevention (DEP)
– Only code in memory regions marked executable can run
* Address space layout randomization (ASLR)
– Prevents a buffer overrun from targeting a known memory address
* Example elevation of privilege vulnerability: CVE-2023-29336
– Win32k Elevation of Privilege Vulnerability, May 2023
– Win32k kernel driver
– Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and Windows 10
– Attacker would gain SYSTEM privileges, the highest level of access
52
Q

Cross-site requests

A

Cross-site requests are common and legitimate
– You visit ProfessorMesser.com
– Your browser loads text from ProfessorMesser.com
– Your browser loads a video from YouTube
– Your browser loads pictures from Instagram
* HTML on ProfessorMesser.com directs requests from your browser
– This is normal and expected
– Most of these are unauthenticated requests
53
Q

The client and the server

A

Website pages consist of client-side code and server-side code
– Many moving parts
* Client side
– Renders the page on the screen (HTML, JavaScript)
* Server side
– Performs requests from the client (HTML, PHP)
– Transfer money from one account to another
– Post a video on YouTube
54
Q

Cross-site request forgery

A

One-click attack, session riding
– XSRF, CSRF (sea surf)
* Takes advantage of the trust that a web application has for the user
– The web site trusts your browser
– Requests are made without your consent or your knowledge
– Attacker posts a Facebook status on your account
* Significant web application development oversight
– The application should have anti-forgery techniques added
– Usually a cryptographic token to prevent a forgery
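The “cryptographic token” defence works because the browser attaches the session cookie to any request, but only a page served by the real site can read the token the server embedded in its own form. The block below is an added example of that synchronizer-token pattern, not code from the deck or from any framework; the server-side handler, the `bank.example` and `evil.example` origins and the transfer form are all assumed for illustration.

```python
import hmac
import secrets

ALLOWED_ORIGIN = "https://bank.example"  # assumed origin of the real site


def new_session(user):
    """Server-side session state: one unguessable CSRF token per session."""
    return {
        "id": secrets.token_hex(16),
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
    }


def render_transfer_form(session):
    """The hidden field our own page embeds; an attacker's page cannot read it."""
    return {"to": "", "amount": "", "csrf_token": session["csrf_token"]}


def handle_transfer(session, form, origin):
    """Handle POST /transfer. The session cookie arrived automatically, so the
    cookie alone says nothing about which page built this request."""
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str) or not hmac.compare_digest(
        submitted, session["csrf_token"]
    ):
        return {"ok": False, "reason": "missing or invalid CSRF token"}
    # Defence in depth: browsers set Origin on cross-site POSTs, so check it too.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return {"ok": False, "reason": "cross-origin request"}
    return {"ok": True, "from": session["user"], "to": form["to"], "amount": form["amount"]}


def demo():
    session = new_session("alice")
    legit = render_transfer_form(session)
    legit.update({"to": "bob", "amount": "10"})
    forged = {"to": "mallory", "amount": "9999"}  # auto-submitted from evil.example
    guessed = dict(forged, csrf_token=secrets.token_urlsafe(32))
    return {
        "legit": handle_transfer(session, legit, ALLOWED_ORIGIN)["ok"],
        "forged_no_token": handle_transfer(session, forged, "https://evil.example")["ok"],
        "forged_guessed_token": handle_transfer(session, guessed, "https://evil.example")["ok"],
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used rather than `==` so that a wrong token is rejected in constant time; the token must also be bound to the session it was issued for, which is why it lives in the session record and not in a global table.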
55
Q

Directory traversal

A

Directory traversal / path traversal
– Read files from a web server that are outside of the website’s file directory
– Users shouldn’t be able to browse the Windows folder
* Web server software vulnerability
– Won’t stop users from browsing past the web server root
* Web application code vulnerability
– Take advantage of badly written code
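The application-code side of this is a path check that is either missing or done with a naive string prefix. The block below is an added example, not code from the deck or any web server: a deliberately vulnerable resolver beside a hardened one that URL-decodes, rejects NUL bytes, normalises `..` segments and then requires the result to still sit under the document root. The `/var/www/html` root is assumed, and the resolution is purely lexical (posixpath) so it runs anywhere.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def resolve_vulnerable(root, requested):
    """Trusts the request path: '../' segments walk above the document root."""
    return posixpath.join(root, requested)


def resolve_safe(root, requested):
    """Decode, normalise, then require the result to remain under root.
    Returns None for any path that escapes."""
    decoded = unquote(requested)          # turn %2e%2e back into ..
    if "\x00" in decoded:                 # NUL truncates paths in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath works on whole components, so /var/www/html2 is not "under" /var/www/html
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    attempts = [
        "images/logo.png",
        "images/../index.html",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "..%2f..%2fetc%2fpasswd",
        "../html2/secret",
        "index.html%00.png",
    ]
    return {a: resolve_safe(WEB_ROOT, a) for a in attempts}


if __name__ == "__main__":
    for req, res in demo().items():
        print(f"{req!r:32} -> {res}")
```

On a real filesystem the hardened version should also canonicalise with `os.path.realpath` before the containment check, otherwise a symlink inside the web root can still point outside it.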
56
Q

Cryptographic attacks

A

You’ve encrypted data and sent it to another person
– Is it really secure?
– How do you know?
* The attacker doesn’t have the combination (the key)
– So they break the safe (the cryptography)
* Finding ways to undo the security
– There are many potential cryptographic shortcomings
– The problem is often the implementation
57
Q

Birthday attack

A

In a classroom of 23 students, what is the chance of two students sharing a birthday?
– About 50%
– For a class of 30, the chance is about 70%
* In the digital world, this is a hash collision
– A hash collision is the same hash value for two different plaintexts
– Find a collision through brute force
* The attacker will generate multiple versions of plaintext to match the hashes
– An n-bit hash needs only about 2^(n/2) attempts before some pair collides
– Protect yourself with a large hash output size
58
Q

Collisions

A

Hash digests are supposed to be unique
– Different input data should not create the same hash
* MD5 hash
– Message Digest Algorithm 5
– First published in April 1992
– Collisions identified in 1996
* December 2008: Researchers created a CA certificate that appeared legitimate when MD5 is checked
– Built other certificates that appeared to be legitimate and issued by RapidSSL
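The birthday figures on the previous card and the brute-force collision search on this one can both be reproduced in a few lines. The block below is an added example, not from the deck: it computes the shared-birthday probability exactly, then runs a birthday search against SHA-256 truncated to 24 bits (a toy output size chosen so the search finishes in a fraction of a second; the message labels are constructed). The expected number of trials is about sqrt(pi/2 * 2^n), which is why the defence is a larger output size.

```python
import hashlib
import math


def birthday_probability(n, d=365):
    """P(at least one shared value) among n draws from d equally likely values."""
    p_none = 1.0
    for k in range(n):
        p_none *= (d - k) / d
    return 1.0 - p_none


def expected_trials(bits):
    """Mean number of random digests before the first collision in a 'bits'-wide hash."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(msg, bits):
    """Top 'bits' bits of SHA-256: a stand-in for a hash with a small output size."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits=24):
    """Birthday search: keep every digest seen until one repeats.
    Returns (message_a, message_b, trials)."""
    seen = {}
    for i in range(2 ** bits + 1):  # pigeonhole guarantees a hit by then
        msg = f"contract-v{i}".encode()  # constructed 'different plaintext' variants
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23):.3f}, 30 people: {birthday_probability(30):.3f}")
    a, b, n = find_collision(24)
    print(f"24-bit collision after {n} trials (expected ~{expected_trials(24):.0f}):")
    print(f"  {a!r} and {b!r} -> {truncated_hash(a, 24):06x}")
```

The same search against the full 256-bit output would need on the order of 2^128 trials, which is the sense in which “a large hash output size” protects against birthday attacks; MD5’s 128 bits gave only 2^64 even before its structural weaknesses cut that further.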
59
Q

Downgrade attack

A

Instead of using perfectly good encryption, use something that’s not so great
– Force the systems to downgrade their security
* 2014 - TLS vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption)
– On-path attack
– Forces clients to fall back to SSL 3.0
– SSL 3.0 has significant cryptographic vulnerabilities
– Because of POODLE, modern browsers won’t fall back to SSL 3.0
60
Q

Plaintext / unencrypted passwords

A

Some applications store passwords “in the clear”
– No encryption. You can read the stored password.
– This is rare, thankfully
* Do not store passwords as plaintext
– Anyone with access to the password file or database has every credential
* What to do if your application saves passwords as plaintext:
– Get a better application
61
Q

Hashing a password

A

Hashes represent data as a fixed-length string of text
– A message digest, or “fingerprint”
* Will not have a collision (hopefully)
– Different inputs will not have the same hash
* One-way trip
– Infeasible to recover the original message from the digest
– A common way to store passwords
62
Q

A hash example

A

SHA-256 hash
– Used in many applications
– Produces a 256-bit digest, shown as 64 hexadecimal characters
63
Q

The password file

A

Different across operating systems and applications
– Different hash algorithms
64
Q

Spraying attack

A

Try to login with an incorrect password
– Eventually you’re locked out
* There are some common passwords
– https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
* Attack an account with the top three (or more) passwords
– If they don’t work, move to the next account
– No lockouts, no alarms, no alerts
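“No lockouts, no alarms” is only true if the alerting looks at each account in isolation. Pivot the failed logins by source address instead and a spray stands out: many distinct accounts, very few attempts each, all from one place. The block below is an added example, not from the deck; the `ts src= user= result=` log format and the three traffic patterns (a spray, a single-account brute force, a user mistyping) are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed log lines in an assumed "ts src= user= result=" format.
SPRAY_LINES = [  # one source, six accounts, two guesses each: under any lockout threshold
    f"2024-03-04T02:{10 + i:02d}:00Z src=203.0.113.5 user={u} result=FAIL"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"] * 2)
]
BRUTE_LINES = [  # one source hammering one account: noisy, and a lockout stops it
    f"2024-03-04T03:00:{i:02d}Z src=198.51.100.7 user=alice result=FAIL"
    for i in range(20)
]
LEGIT_LINES = [  # a user mistyping twice, then succeeding
    "2024-03-04T08:01:00Z src=192.0.2.10 user=bob result=FAIL",
    "2024-03-04T08:01:20Z src=192.0.2.10 user=bob result=FAIL",
    "2024-03-04T08:01:45Z src=192.0.2.10 user=bob result=SUCCESS",
]


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, lockout=5):
    """Flag sources whose failures touch many accounts while every account
    stays below the lockout count inside a sliding time window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    findings = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e["user"]] += 1
            accounts, worst = len(per_account), max(per_account.values())
            if accounts >= min_accounts and worst < lockout:
                prev = findings.get(src)
                if prev is None or accounts >= prev["accounts"]:
                    findings[src] = {"accounts": accounts, "max_per_account": worst}
    return findings


def demo():
    return detect_spraying(parse(SPRAY_LINES + BRUTE_LINES + LEGIT_LINES))


if __name__ == "__main__":
    print(demo())
```

The brute-force source is deliberately not reported here because per-account lockout already handles it; a spray distributed across many source addresses would need the same grouping keyed on the password-attempt timing or the target list rather than on the source, which is the next refinement a SOC would add.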
65
Q

Brute force

A

Try every possible password combination until the hash is matched
* This might take some time
– A strong hashing algorithm slows things down
66
Q

Brute force attacks - Online

A

Keep trying the login process
– Very slow
– Most accounts will lock out after a number of failed attempts
67
Q

Brute force the hash - Offline

A

Obtain the list of users and hashes
– Calculate a password hash, compare it to a stored hash
– Large computational resource requirement
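The offline attack is exactly “calculate a hash, compare it to a stored hash”, and the cards on hashing and brute force above say a strong algorithm slows it down; what they do not show is why salting matters as much as slowness. The block below is an added example, not code from the deck: a constructed set of four users (two of whom reuse a password) stored first as fast unsalted SHA-256 and then as salted PBKDF2, with a small wordlist run against each and the number of hash computations counted. The iteration count is kept low so the demo runs quickly; real deployments use far more.

```python
import hashlib
import hmac
import os

# Constructed credential set; two users chose the same password.
USERS = {
    "alice": "Password1",
    "bob": "Password1",
    "carol": "correct horse battery staple",
    "dave": "qwerty",
}
WORDLIST = ["123456", "password", "Summer2024", "letmein", "Password1", "qwerty"]
ITERATIONS = 20_000  # small for a quick demo; production counts are much higher


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def store_unsalted(users):
    """The weak scheme: one fast, unsalted hash per user."""
    return {u: sha256_hex(p) for u, p in users.items()}


def store_pbkdf2(users, iterations=ITERATIONS):
    """The stronger scheme: a random salt per user and a deliberately slow KDF."""
    stored = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        stored[u] = {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}
    return stored


def verify_pbkdf2(record, password):
    """Server-side login check; constant-time compare avoids a timing leak."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_unsalted(stored, wordlist):
    """Hash the wordlist once; every user's hash is looked up in the same table."""
    table = {sha256_hex(w): w for w in wordlist}
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(wordlist)  # total hash computations, regardless of user count


def crack_pbkdf2(stored, wordlist):
    """Salt forces a fresh, slow computation per user per candidate word."""
    found, work = {}, 0
    for u, rec in stored.items():
        salt = bytes.fromhex(rec["salt"])
        for w in wordlist:
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rec["iterations"])
            if dk.hex() == rec["hash"]:
                found[u] = w
                break
    return found, work  # each unit of work costs ITERATIONS rounds of HMAC


if __name__ == "__main__":
    un = store_unsalted(USERS)
    print("unsalted: alice and bob share a hash:", un["alice"] == un["bob"])
    print("unsalted crack:", crack_unsalted(un, WORDLIST))
    print("pbkdf2 crack:  ", crack_pbkdf2(store_pbkdf2(USERS), WORDLIST))
```

Two things to notice in the output: with unsalted hashes the attacker sees immediately that alice and bob share a password and pays for the wordlist once for the whole file, whereas with per-user salts the same wordlist costs a full slow pass per user and the reuse is invisible. Neither scheme saves a password that is actually in the wordlist, which is why the spraying card’s common-password list matters on the defensive side too.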
68
Q

Indicators of compromise (IOC)

A

An event that indicates an intrusion
– Confidence is high
– He’s calling from inside the house
* Indicators
– Unusual amount of network activity
– Change to file hash values
– Irregular international traffic
– Changes to DNS data
– Uncommon login patterns
– Spikes of read requests to certain files
69
Q

Account lockout

A

Credentials are not working
– It wasn’t you this time
* Exceeded login attempts
– Account is automatically locked
* Account was administratively disabled
– This would be a larger concern
* This may be part of a larger plan
– Attacker locks the account
– Calls the support line to reset the password
70
Q

Concurrent session usage

A

It’s challenging to be in two places at one time
– Laws of physics
* Multiple account logins from multiple locations
– Interactive access from a single user
– You don’t have a clone
* This can be difficult to track down
– Multiple devices and desktops
– Automated processes
71
Q

Blocked content

A

An attacker wants to stay as long as possible
– Your system has been unlocked
– Keep the doors and windows open
* There’s probably a security patch available
– Time to play keep-away
* Blocked content
– Auto-update connections
– Links to security patches
– Third-party anti-malware sites
– Removal tools
72
Q

Impossible travel

A

Authentication logs can be telling
– Logon and logoff
* Login from Omaha, Nebraska, United States
– The company headquarters
* Three minutes later, a login from Melbourne, Australia
– Alarm bells should be ringing
* This should be easy to identify
– Log analysis and automation
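The “log analysis and automation” is a distance-over-time check between consecutive logins of the same user. The block below is an added example, not from the deck: it turns the Omaha-to-Melbourne scenario on this card into geolocated login events (constructed; the coordinates are the cities’ real approximate positions, the timestamps are invented) and flags any pair whose implied speed exceeds what an airliner could manage. A second user flying Omaha to Chicago in three hours is included to show a legitimate pair passing.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed login events (user, UTC time, city, lat, lon); not from a real log.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2024-03-04T09:00:00", "city": "Omaha", "lat": 41.2565, "lon": -95.9345},
    {"user": "alice", "ts": "2024-03-04T09:03:00", "city": "Melbourne", "lat": -37.8136, "lon": 144.9631},
    {"user": "bob", "ts": "2024-03-04T09:00:00", "city": "Omaha", "lat": 41.2565, "lon": -95.9345},
    {"user": "bob", "ts": "2024-03-04T12:00:00", "city": "Chicago", "lat": 41.8781, "lon": -87.6298},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=1000.0, min_km=50.0):
    """Pair each user's consecutive logins and flag pairs whose implied speed
    exceeds max_speed_kmh. min_km ignores geolocation jitter within one city."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if km >= min_km and speed > max_speed_kmh:
                findings.append({
                    "user": user, "from": a["city"], "to": b["city"],
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f)
```

In production the lat/lon come from a GeoIP lookup of the source address, and the rule needs an allow-list for known VPN and cloud egress points, since a user whose traffic exits through a corporate VPN concentrator on another continent looks exactly like this.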
73
Q

Resource consumption

A

Every attacker’s action has an equal and opposite reaction
– Watch carefully for significant changes
* File transfers use bandwidth
– An unusual spike at 3 AM
* Firewall logs show the outgoing transfer
– IP addresses, timeframes
* Often the first real notification of an issue
– The attacker may have been here for months
* Resource inaccessibility
– The server is down - Not responding
– Network disruption - A cover for the actual exploit
– Server outage - Result of an exploit gone wrong
– Encrypted data - A potential ransomware attack begins
– Brute force attack - Locks account access
74
Q

Out-of-cycle logging

A

Out-of-cycle - Occurs at an unexpected time
* Operating system patch logs
– Occurring outside of the normal patch day
– An attacker may patch the system they compromised to keep other attackers out
* Firewall log activity
– Timestamps of every traffic flow
– Protocols and applications used
75
Q

Missing logs

A

Log information is evidence
– Attackers will try to cover their tracks by removing logs
* Information is everywhere
– Authentication logs
– File access logs
– Firewall logs
– Proxy logs
– Server logs
* The logs may be incriminating
– Missing logs are certainly suspicious
– Logs should be secured and monitored
– Forward logs to a separate system, so a compromised host can’t erase its own evidence
76
Q

Published/documented

A

The entire attack and data exfiltration may go unnoticed
– It happens quite often
* Company data may be published online
* The attackers post a portion or all of the data
– This may be in conjunction with ransomware
* Raw data may be released without context
– Researchers will try to find the source