CIS 3500 1
Malware and Indicators of Compromise
Chapter #1:
Threats, Attacks, and Vulnerabilities
Always Remember …
There is no 100 percent secure
system, and there is nothing that is
foolproof!
Malware and Indicators of Compromise2
OSI Layers
[Figure: OSI layer diagram. This graphic is taken from The Abdus Salam International Centre for Theoretical Physics.]
Security+ Exam
- CompTIA
- Site
- Apply credits
- Job
- MCSx (MCSA, MCSE etc.)
Changes in Requirements
Percentage of the examination per domain, by Security+ exam version (SY0-301, SY0-401, SY0-501):

Domain                                      | 301  | 401  | 501
------------------------------------------- | ---- | ---- | ----
1.0 Network Security                        | 21%  | 20%  | 22%
2.0 Compliance and Operational Security     | 18%  | 18%  | 14%
3.0 Threats and Vulnerabilities             | 21%  | 20%  | 21%
4.0 Application, Data and Host Security     | 16%  | 15%  | 15%
5.0 Access Control and Identity Management  | 13%  | 15%  | 16%
6.0 Cryptography                            | 11%  | 12%  | 12%
Total                                       | 100% | 100% | 100%
Chapter Objectives
- Examine the types of malware
- Understand the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, and rootkits
- Learn how artifacts called indicators of compromise (IOC) can tell you if a system has been attacked
Malware and Indicators of Compromise
- We will examine the various types of malware (malicious software) and the indicators of compromise that demonstrate a system has been attacked
Malware
- Malware refers to software that has been designed for some nefarious purpose, e.g. to
  - cause damage to a system (e.g. deleting files, or all files)
  - create a backdoor in the system to grant access to unauthorized individuals
  - disable computers
- Generally the installation of malware is done so that it is not obvious to the authorized users
Malware
- Several different types of malicious software can be used
  - Viruses
  - Trojan horses
  - Logic bombs
  - Spyware
  - Worms
- They differ in the ways they are installed and in their purposes
Polymorphic Malware
- The detection of malware has traditionally been done through the use of a signature
- Files are scanned for known byte sequences that act as markers, unique patterns that enable detection
- Malware writers are aware of this functionality and have adapted methods to defeat it
- For exactly this reason modern engines layer heuristic, behavioral and emulation-based detection on top of signatures; a signature match is sufficient to convict a file, but the absence of one proves nothing
Polymorphic Malware
- One of the primary means of avoiding detection by scanners is the use of polymorphic code
- The code changes on a regular basis, e.g. after each run or after each restart of the OS
- These mutations are designed not to affect the functionality of the code, but they will mask any signature from detection
- Each replicant is different from a detection point of view
- What stays constant is behaviour: every copy must eventually unpack into the same working payload, which is what emulation and behavioral detection target
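As an added example (not code from the original slides), the following Python models the slide's point: a byte-signature scanner catches the plain payload, a mutated copy slips past it, and a scanner that first emulates the decoder stub catches every copy. The payload string, the signature and the mutation scheme (a fresh one-byte XOR key per replicant, standing in for a real mutation engine) are constructed for illustration.

```python
"""Signature scanning against a polymorphic payload.

Added illustration, not code from the original slides.  PAYLOAD is a
harmless constructed string and mutate() is a toy mutation engine; real
engines use far richer transformations, but the effect on a fixed byte
signature is the same.
"""
import os

# Constructed stand-in for a known-bad code fragment (not real malware).
PAYLOAD = b"REPLICATE_TO:C:\\WINDOWS\\SYSTEM32\\evil.exe"

# The marker an AV vendor would extract from PAYLOAD as its signature.
SIGNATURE = b"REPLICATE_TO:"


def mutate(payload):
    """Produce one replicant: same behaviour, different bytes.

    Layout is key || body XOR key.  The tiny decoder stub that would
    run at load time is modelled by decode() below.
    """
    key = os.urandom(1)[0] or 1            # never 0, which would be the identity
    return bytes([key]) + bytes(b ^ key for b in payload)


def decode(blob):
    """What the replicant's own decoder stub does before running the body."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def static_scan(blob):
    """Plain byte-signature scanner: is the marker present on disk?"""
    return SIGNATURE in blob


def emulated_scan(blob):
    """Scanner that emulates the decoder first, then matches the unpacked body."""
    return SIGNATURE in decode(blob)


def demo(n_copies=50):
    """Summarise how each scanner fares against n_copies fresh replicants."""
    copies = [mutate(PAYLOAD) for _ in range(n_copies)]
    return {
        "plain_detected": static_scan(PAYLOAD),
        "static_hits": sum(static_scan(c) for c in copies),
        "emulated_hits": sum(emulated_scan(c) for c in copies),
        "distinct_copies": len(set(copies)),
    }
```

The static scanner's zero hits are not luck: for this payload no non-zero key can map any 13-byte window back onto the marker, so the signature is useless against every replicant, while the emulating scanner recovers the invariant body and flags all of them.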
Viruses
- Best-known type of malicious code (McAfee info)
- A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code
- The virus executes with the execution of the infected program and performs the actions it was designed to do
- The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus
- The first viruses created were of two types: boot sector viruses and program viruses
Armored Virus
- Any new form of malware/virus needs to be researched by antivirus companies
- Security researchers will decompile the program and try to reverse engineer
  - its functionality
  - where the malware came from
  - how it works
  - how it communicates
  - how it spreads, etc.
Armored Virus
- Armoring malware can make that process much more difficult, if not impossible
- Some malware, such as the Zeus Trojan, employs encryption in ways that prevent even other criminals from stealing the intellectual property of the very malware that they use
Crypto-malware
- Crypto-malware is an early name for malware that encrypts files on a system
- It can act as a denial of service, or make computers temporarily unusable until a ransom is paid, making it ransomware
- Crypto-malware is typically completely automated
- Without the key, the only repair mechanism is to rebuild the system and restore data from offline backups; where no usable backup exists this is time consuming and/or impractical, making the attack equivalent to physical destruction of assets
Ransomware
- Ransomware is a form of malware that performs some action and extracts a ransom from the user
- E.g. CryptoLocker is a Trojan horse that encrypts certain files using RSA public key encryption: each file is encrypted under a symmetric key, and that key is in turn encrypted with a 2048-bit RSA public key whose private half stays on the attacker's server
- When the user attempts to get the files, they are provided with a message instructing them how to purchase the decryption key
Ransomware
- Because the private key never leaves the attacker and 2048-bit RSA cannot be brute forced, brute force decryption is out of the realm of recovery options
- The system is highly automated and users have a short time to pay for the decryption key
- Failure to get the key will result in the loss of the data unless an offline, tested backup exists
- CDOT
Ransomware
- An IBM study noted that a quarter of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data. (Source: IBM)
- 70 percent of businesses paid to get their data back in 2016. (Source: IBM)
- FedEx attributed a $300 million loss in its Q1 2017 earnings report to the NotPetya ransomware attack. The company reportedly did not have cybersecurity insurance. (Source: Reuters)
- NotPetya's losses could exceed $1 billion. (Source: eWeek)
Ransomware
- The average ransomware demand in 2017 was half of what it was in 2016, changing from over $1,000 on average to $522. This marks a potential new focus on more high-value targets by cybercriminals. (Source: Symantec)
- After getting hit by the SamSam ransomware in March 2018, Atlanta, Georgia, has spent more than $5 million rebuilding its computer network, including spending nearly $3 million hiring emergency consultants and crisis managers. (Source: Statescoop)
- A Massachusetts school district paid $10,000 in Bitcoin after a ransomware attack in April 2018. (Source: Cyberscoop)
Worm
- Worms are pieces of code that attempt to penetrate networks and computer systems
- Once a penetration occurs, the worm will create a new copy of itself on the penetrated system
- Reproduction of a worm does not rely on attaching the code to another program or file, which is what defines a virus
Worm
- Some examples of worms that have had high profiles
  - the Sobig worm of 2003
  - the SQL Slammer worm of 2003
  - the 2001 attacks of Code Red and Nimda, and
  - the 2005 Zotob worm that took down CNN Live
- Nimda used five different methods to spread: (1) via e-mail, (2) via open network shares, (3) from browsing infected websites, (4) using the directory traversal vulnerability of Microsoft IIS 4.0/5.0, and most impressively through (5) the use of backdoors left by the Code Red II and sadmind worms
Trojan
- A Trojan is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality
- A Trojan is a stand-alone program that must be copied and installed by the user; it must be "brought inside" the system by an authorized user
- The challenge for the attacker is enticing the user to copy and run the program
Trojan
- This generally means that the program must be disguised as something that the user would want to run, e.g. a special utility or game
- A good example of a Trojan is Back Orifice (BO), originally released in 1998 (Back Orifice 2000 followed in 1999) and now offered in several versions
- BO will create a way for unauthorized individuals to take over the system remotely
- It was designed to work with Windows-based systems
- Many Trojans communicate to the outside through a port that the Trojan opens, and this is one of the ways Trojans can be detected: compare the host's listening ports against a known-good baseline and investigate anything new
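As an added example (not from the original slides) of the port-based detection in the last bullet: parse `netstat -ano` style output, compare every listening socket against an approved baseline for the host, and pull out the owning process together with any outbound connection it holds. The netstat lines and the baseline allowlist are constructed; port 31337/UDP is used because it was Back Orifice's default.

```python
"""Unexpected listening ports as a Trojan indicator.

Added example, not from the original slides.  The netstat output and the
baseline allowlist are constructed; 31337/UDP is used because it was
Back Orifice's default port.
"""
import re

# Constructed sample of `netstat -ano` output from a Windows host.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.20:49712     203.0.113.9:8443       ESTABLISHED     3316
  UDP    0.0.0.0:31337          *:*                                    3316
  UDP    0.0.0.0:137            *:*                                    4
"""

# Hypothetical baseline for this host: (protocol, port) pairs it should expose.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_sockets(text):
    """Turn netstat lines into dicts; the header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)
        sockets.append({"proto": m["proto"], "addr": addr, "port": int(port),
                        "remote": m["remote"], "state": m["state"] or "",
                        "pid": int(m["pid"])})
    return sockets


def listeners(sockets):
    """Sockets that accept inbound traffic: LISTENING TCP, or any bound UDP socket."""
    return [s for s in sockets if s["state"] == "LISTENING" or s["proto"] == "UDP"]


def unexpected_listeners(sockets, baseline=BASELINE):
    """Listeners absent from the baseline: each needs an owner and a reason."""
    return [s for s in listeners(sockets) if (s["proto"], s["port"]) not in baseline]


def processes_to_investigate(sockets, baseline=BASELINE):
    """PID -> every socket it owns, for each PID with an unexpected listener.
    An outbound connection held by the same PID is the Trojan's own channel."""
    pids = {s["pid"] for s in unexpected_listeners(sockets, baseline)}
    return {pid: [s for s in sockets if s["pid"] == pid] for pid in sorted(pids)}
```

The baseline is the part that takes work: it has to be captured from a clean build of the same role and kept current, otherwise every legitimate change shows up as a finding. A listener on a well-known "bad" port is only the obvious case; the same comparison catches a Trojan that picked a random high port, which is why the check is against the baseline rather than against a list of known Trojan ports.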
Rootkit
- Rootkits are a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality
- The history goes back to the beginning of UNIX; the name combines "root", the UNIX superuser account, with "kit", the set of tools used to keep that access hidden
- Originally designed to allow a program to take greater control over operating system function when it fails or becomes unresponsive
- A rootkit can do many things; in fact, it can do virtually anything that the operating system does
Rootkit
- Rootkits can load before the operating system loads, acting as a virtualization layer
- They can exist in firmware
- Rootkits can exist as loadable library modules, effectively changing portions of the operating system outside the kernel
- Because of rootkits' invasive nature, and the fact that many aspects of rootkits are not easily detectable, most system administrators don't even attempt to clean up or remove a rootkit
- It is far easier to reimage the machine than attempt to fix individual files; note that a firmware-resident rootkit survives a disk reimage, so that case calls for reflashing the firmware or replacing the hardware
Keylogger
- A keylogger is a piece of software that logs all of the keystrokes that a user enters
- What makes a keylogger a malicious piece of software is when its operation is 1) unknown to the user, and 2) not under the user's control
- Malicious keyloggers have several specific characteristics: they are frequently hidden from the user's view and they are used against the end-user's interests
- Hackers use keyloggers to obtain passwords and other sensitive pieces of information
Adware
- Software that is supported by advertising is called adware
- Adware comes in many different forms:
  - the user is aware of the advertising and agrees to the arrangement in return for free use of the software
  - it can also refer to a form of malware, which is characterized by software that presents unwanted ads
- Frequently, these ads are in the form of pop-up browser windows, and in some cases they cascade upon any user action
Spyware
- Spyware is software that "spies" on users, recording and reporting on their activities
- Typically installed without user knowledge
- It can record keystrokes (commonly called keylogging); it can monitor how a user applies a specific piece of software, such as monitoring attempts to cheat at games
Spyware
- Many uses of spyware seem innocuous at first, but the unauthorized monitoring of a system can be abused
- In other cases, the spyware is specifically designed to steal information
- Many states have passed legislation banning the unapproved installation of software, but spyware can circumvent this issue through complex and confusing end-user license agreements
Bots
- A bot is a functioning piece of software that performs some task under the control of another program
- A series of bots is controlled across the network as a group, and the entire assembly is called a botnet (combining the terms bot and network)
- Some botnets are legal and perform desired actions in a distributed fashion
- Illegal botnets work in the same fashion, with bots distributed and controlled from a central set of servers
- Bots can do a wide array of things, from spam to fraud to spyware and more
Bots
- Botnets continue to advance malware threats
- Some of the latest botnets are designed to mine cryptocurrency, using distributed processing power for gain
- Some of the more famous botnets include Zeus, which performs keystroke logging and is used primarily for the purpose of stealing banking information
- Zeus has been linked to the delivery of CryptoLocker ransomware
- The Conficker botnet is one of the most studied pieces of malware, with a joint industry–government working group convened to battle it
RAT
- A remote-access Trojan (RAT) is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system
- RATs mimic the behaviour of keylogger or packet sniffer applications, automating the collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they do so under the direction of a human operator pursuing specific intelligence
RAT
- A RAT should be considered as another form of malware
- It has an operator behind it, guiding it to do even more persistent damage
- RATs can be delivered via phishing e-mails, watering holes, or any of a myriad of other malware infection vectors
- They create hidden file structures on a system and can be detected by modern anti-malware programs
- It is not uncommon to find RAT packages that have been modified for specific use, such as the program used in the Ukraine electric grid attack in 2015
Logic Bomb
- A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload
- If the event is a specific date or time, the program will often be referred to as a time bomb
- Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, have been installed by administrators
Backdoor
- Backdoors were/are methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods
- E.g. a hard-coded password that could be used to gain access to the program in the event that administrators forgot their own system password
- Since it is hard-coded, it cannot be removed or changed without shipping new code, and it can be discovered by anyone who extracts strings from the binary; once found, it works against every installation
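As an added example (not from the original slides), here is the hard-coded password backdoor beside a version without one. The master password, the users and their passwords are constructed; the hardened variant stores salted PBKDF2 hashes and compares them in constant time, and lost administrator access is handled by an out-of-band reset rather than by a constant in the code.

```python
"""A developer backdoor (hard-coded password) beside a version without one.

Added example, not from the original slides.  The master password, users
and passwords below are constructed.
"""
import hashlib
import hmac
import os

# --- Vulnerable: the "recovery" backdoor the slide describes -----------------
MASTER_PASSWORD = "s3cr3t-recovery"   # constructed; ships inside every copy


def authenticate_with_backdoor(username, password, user_db):
    """user_db maps username -> plaintext password (a second bad practice)."""
    if password == MASTER_PASSWORD:        # any username, every install, forever
        return True
    return user_db.get(username) == password


# --- Hardened: no master credential, salted PBKDF2, constant-time compare ----
def hash_password(password, salt=None, iterations=600_000):
    """Return (salt, iterations, digest) to store for a user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def authenticate(username, password, user_db):
    """user_db maps username -> (salt, iterations, digest)."""
    record = user_db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response
        # time does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)
```

Run `strings` over a build of the vulnerable version and `s3cr3t-recovery` comes out as-is; nothing the operator does at deployment time can revoke it. In the hardened version there is simply no credential that is not bound to a specific account, so "forgot the admin password" is solved by a break-glass account whose use is logged and whose secret is rotated afterwards.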
Indicators of Compromise (IOCs)
- IOCs act as bread crumbs for investigators, providing clues that can help identify the presence of an attack on a system
  - Unusual outbound network traffic
  - Anomalies in privileged user account activity
  - Geographical irregularities in network traffic
  - Account login red flags
  - Increases in database read volumes
  - HTML response sizes
Indicators of Compromise (IOCs)
  - Large numbers of requests for the same file
  - Mismatched port-application traffic, including encrypted traffic on plain ports
  - Suspicious registry or system file changes
  - Unusual DNS requests
  - Unexpected patching of systems
  - Mobile device profile changes
  - Bundles of data in the wrong place
  - Web traffic with nonhuman behavior
  - Signs of DDoS activity, even if temporary
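As an added example (not from the original slides) that turns three items of the checklist into runnable checks, and that also covers the IIS traversal probes from the Worm slide: (1) known worm/scanner request strings in a web access log, (2) large numbers of requests for the same file at a machine-regular interval (web traffic with nonhuman behavior), and (3) unusual DNS requests, flagged by label length and entropy. Both log samples are constructed (RFC 5737 addresses, an invented `.example` zone), and every threshold is an illustrative assumption to be tuned against a real baseline.

```python
"""IOC checks over constructed log samples.

Added example, not code from the original slides.  Addresses are RFC 5737
documentation ranges, the .example zone is invented, and every threshold
is an illustrative assumption.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access log (Common Log Format).  The 198.51.100.4 lines are the
# request strings Nimda issued while probing for IIS traversal holes and the
# root.exe backdoor that Code Red II left behind.
ACCESS_LOG = """\
203.0.113.7 - - [18/Sep/2001:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [18/Sep/2001:10:02:15 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 320
198.51.100.4 - - [18/Sep/2001:10:02:15 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 320
198.51.100.4 - - [18/Sep/2001:10:02:16 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
198.51.100.4 - - [18/Sep/2001:10:02:16 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
198.51.100.4 - - [18/Sep/2001:10:02:17 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
203.0.113.9 - - [18/Sep/2001:10:05:00 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88211
203.0.113.9 - - [18/Sep/2001:10:05:30 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88211
203.0.113.9 - - [18/Sep/2001:10:06:00 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88211
203.0.113.9 - - [18/Sep/2001:10:06:30 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88211
203.0.113.9 - - [18/Sep/2001:10:07:00 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88211
"""

# Constructed resolver log: client, queried name, record type.
DNS_LOG = """\
10.0.0.15 www.example.com A
10.0.0.15 mail.example.com A
10.0.0.22 x7q2mz9k4vbn1lp0sdf83hgtr.c2.example A
10.0.0.22 ag8wq1zz0pl2mv9xr7kt3yb6hn.c2.example A
10.0.0.22 p0o9i8u7y6t5r4e3w2q1zx0cvbn.c2.example A
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)$'
)
# Probe strings: Code Red II backdoor, IIS cmd.exe, and the Unicode (%c1%1c)
# and double-decode (%255c) traversal encodings.
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|\.\.%c1%1c|\.\.%255c|\.\./", re.I)


def parse_access(text):
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(d)
    return rows


def worm_probes(rows):
    """Source IP -> number of requests carrying a known probe string."""
    return Counter(r["ip"] for r in rows if PROBE_RE.search(r["path"]))


def repeated_file_requests(rows, min_hits=5, jitter=1.0):
    """Same client fetching the same file many times.  'regular' marks a
    near-constant interval (beacon or scripted pull) that a person does
    not produce."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["ip"], r["path"])].append(r["ts"])
    hits = []
    for (ip, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits.append({"ip": ip, "path": path, "count": len(stamps),
                     "regular": max(gaps) - min(gaps) <= jitter})
    return hits


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def unusual_dns(text, min_len=20, min_entropy=3.5):
    """Long, high-entropy leftmost labels: typical of DGA C2 names and DNS
    tunnelling, rare in names a person typed."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, name, _rtype = parts
        label = name.split(".")[0]
        if len(label) >= min_len and entropy(label) >= min_entropy:
            flagged.append((client, name))
    return flagged


def triage():
    """Run every detector and return the findings keyed by IOC."""
    rows = parse_access(ACCESS_LOG)
    return {"worm_probes": worm_probes(rows),
            "repeated_files": repeated_file_requests(rows),
            "unusual_dns": unusual_dns(DNS_LOG)}
```

Each detector returns the evidence (source, count, name) rather than a verdict, because the next step is always the same: pivot from the flagged host or client to the rest of the checklist (outbound traffic, account activity, file changes) before deciding whether this is an incident. The entropy threshold in particular is a starting point; CDN and cloud hostnames are long and random-looking too, so a production rule needs an allowlist fed from the organisation's own DNS baseline.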
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!