CIS 3500 (source: rowdysites.msudenver.edu › ~fustos › cis3500 › pdf › chapter01.pdf)

Jul 04, 2020
Malware and Indicators of Compromise

Chapter #1: Threats, Attacks, and Vulnerabilities

Always Remember …
There is no 100 percent secure system, and there is nothing that is foolproof!

OSI Layers

[Graphic of the OSI layers] This graphic is taken from The Abdus Salam International Centre for Theoretical Physics.

Security+ Exam

- CompTIA
- Site
- Apply credits
- Job
- MCSx (MCSA, MCSE etc.)


Changes in Requirements

Domain                                        % of Examination
                                              in 301   in 401   in 501
1.0 Network Security                           21%      20%      22%
2.0 Compliance and Operational Security        18%      18%      14%
3.0 Threats and Vulnerabilities                21%      20%      21%
4.0 Application, Data and Host Security        16%      15%      15%
5.0 Access Control and Identity Management     13%      15%      16%
6.0 Cryptography                               11%      12%      12%
Total                                         100%     100%     100%

Chapter Objectives

- Examine the types of malware
- Understand the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, and rootkits
- Learn how artifacts called indicators of compromise (IOC) can tell you if a system has been attacked

Malware and Indicators of Compromise

- We will examine the various types of malware (malicious software) and indicators of compromise that demonstrate a system has been attacked

Malware

- Malware refers to software that has been designed for some nefarious purpose …
  - cause damage to a system (e.g. deleting files/all files)
  - create a backdoor in the system to grant access to unauthorized individuals
  - disable computers
- Generally the installation of malware is done so that it is not obvious to the authorized users


Malware

- Several different types of malicious software can be used
  - Viruses
  - Trojan horses
  - Logic bombs
  - Spyware
  - Worms
- They differ in the ways they are installed and their purposes

Polymorphic Malware

- The detection of malware is primarily done through the use of a signature
- Files are scanned for known code sequences that act as markers, unique patterns that enable detection
- Malware writers are aware of this functionality and have adapted methods to defeat it

Polymorphic Malware

- One of the primary means of avoiding detection by sensors is the use of polymorphic code
- The code changes on a regular basis – e.g. after each run, or each restart of the OS
- These mutations are designed not to affect the functionality of the code – but they will mask any signature from detection
- Each replicant is different from a detection point of view

Viruses

- Best-known type of malicious code – McAfee info
- A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code
- The virus executes with the execution of the infected program and performs actions it was designed to do
- The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus
- The first viruses created were of two types—boot sector viruses and program viruses


Armored Virus

- A new form of malware/virus needs to be researched by antivirus companies
- Security researchers will decompile the program and try to reverse engineer
  - functionality
  - where the malware came from
  - how it works
  - how it communicates
  - how it spreads, etc.

Armored Virus

- Armoring malware can make the process much more difficult, if not impossible
- Some malware, such as the Zeus Trojan, employs encryption in ways to prevent even other criminals from stealing the intellectual property of the very malware that they use

Crypto-malware

- Crypto-malware is an early name for malware that encrypts files on a system
- It can act as a denial of service, or make computers temporarily unusable until a ransom is paid, making it ransomware
- Crypto-malware is typically completely automated
- The only repair mechanism is to rebuild the system, which can be time consuming and/or impractical in some cases, making this attack mechanism equivalent to physical destruction of assets

Ransomware

- Ransomware is a form of malware that performs some action and extracts ransom from a user
- E.g. CryptoLocker is a Trojan horse that will encrypt certain files using RSA public key encryption
- When the user attempts to get the files, they are provided with a message instructing them how to purchase the decryption key


Ransomware

- Because the system is using 2048-bit RSA encryption, brute force decryption is out of the realm of recovery options
- The system is highly automated and users have a short time to pay for the decryption key
- Failure to get the key will result in the loss of the data
- CDOT

Ransomware

- An IBM study noted that a quarter of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data. (Source: IBM)
- 70 percent of businesses paid to get their data back in 2016. (Source: IBM)
- FedEx attributed a $300 million loss in its Q1 2017 earnings report to the NotPetya ransomware attack. The company reportedly did not have cybersecurity insurance. (Source: Reuters)
- NotPetya's losses could exceed $1 billion. (Source: eWeek)

Ransomware

- The average ransomware demand in 2017 was half of what it was in 2016, changing from over $1,000 on average to $522. This marks a potential new focus on more high-value targets by cybercriminals. (Source: Symantec)
- After getting hit by the SamSam ransomware in March 2018, Atlanta, Georgia, has spent more than $5 million rebuilding its computer network, including spending nearly $3 million hiring emergency consultants and crisis managers. (Source: Statescoop)
- A Massachusetts school district paid $10,000 in Bitcoin after a ransomware attack in April 2018. (Source: Cyberscoop)

Worm

- Worms are pieces of code that attempt to penetrate networks and computer systems
- Once a penetration occurs, the worm will create a new copy of itself on the penetrated system
- Reproduction of a worm does not rely on the attachment of the virus to another piece of code or to a file, which is the definition of a virus


Worm

- Some examples of worms that have had high profiles
  - the Sobig worm of 2003
  - the SQL Slammer worm of 2003
  - the 2001 attacks of Code Red and Nimda, and
  - the 2005 Zotob worm that took down CNN Live
- Nimda used five different methods to spread: (1) via e-mail, (2) via open network shares, (3) from browsing infected websites, (4) using the directory traversal vulnerability of Microsoft IIS 4.0/5.0, and most impressively through (5) the use of backdoors left by the Code Red II and sadmind worms

Trojan

- A Trojan is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality
- A Trojan is a stand-alone program that must be copied and installed by the user—it must be “brought inside” the system by an authorized user
- The challenge for the attacker is enticing the user to copy and run the program

Trojan

- This generally means that the program must be disguised as something that the user would want to run — e.g. a special utility or game
- A good example of a Trojan is Back Orifice (BO), originally created in 1999 and now offered in several versions
- BO will create a way for unauthorized individuals to take over the system remotely
- It was designed to work with Windows-based systems
- Many Trojans communicate to the outside through a port that the Trojan opens, and this is one of the ways Trojans can be detected
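The last bullet is the basis of a routine defender check: inventory the sockets a host is listening on and compare them with an approved baseline, so that a listener no administrator installed stands out. The script below is an added example, not part of the lecture slides; the snapshot text, the process names, the PIDs and the port 31337 listener are all constructed for the demonstration, and the baseline set is an assumption about what the administrator approved.

```python
# Added example (not from the slides): flag listening sockets that are absent from
# an approved baseline. A Trojan that opens its own port for remote control shows
# up here as an unexpected listener, which is the detection clue the slide describes.
import re

# Constructed sample in the layout of Linux `ss -lntup` output. The processes,
# PIDs and the port 31337 entry are made up for this example.
SS_SNAPSHOT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:631     0.0.0.0:*    users:(("cupsd",pid=901,fd=7))
tcp   LISTEN 0      5      0.0.0.0:31337     0.0.0.0:*    users:(("svchost",pid=4471,fd=9))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=640,fd=6))
"""

# Assumed baseline: listeners the administrator approved, as (proto, port, process).
BASELINE = {("tcp", 22, "sshd"), ("tcp", 631, "cupsd"), ("udp", 68, "dhclient")}

# One ss output line: protocol, state, queues, local addr:port, peer, owning process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_listeners(text):
    """Return (proto, bind_addr, port, process, pid) tuples from ss-style output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m["proto"], m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return found

def unexpected_listeners(text, baseline=BASELINE):
    """Listeners not covered by the baseline, with a note on how exposed each is."""
    findings = []
    for proto, addr, port, proc, pid in parse_listeners(text):
        if (proto, port, proc) in baseline:
            continue
        # A socket bound to all interfaces is reachable from the network, not just locally.
        exposure = "all interfaces" if addr in ("0.0.0.0", "[::]", "*") else "local only"
        findings.append({"proto": proto, "port": port, "process": proc,
                         "pid": pid, "exposure": exposure})
    return findings

if __name__ == "__main__":
    for f in unexpected_listeners(SS_SNAPSHOT):
        print(f"unexpected listener: {f['proto']}/{f['port']} {f['process']} "
              f"(pid {f['pid']}, {f['exposure']})")
```

A real deployment feeds the script the live output of `ss -lntup` and treats every finding as something to tie back to a known package or change ticket before it is added to the baseline.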

Rootkit

- Rootkits are a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality
- The history goes back to the beginning of UNIX
- Originally designed to allow a program to take greater control over operating system function when it fails or becomes unresponsive
- A rootkit can do many things — in fact, it can do virtually anything that the operating system does


Rootkit

- Rootkits can load before the operating system loads, acting as a virtualization layer
- They can exist in firmware
- Rootkits can exist as loadable library modules, effectively changing portions of the operating system outside the kernel
- Because of rootkits’ invasive nature, and the fact that many aspects of rootkits are not easily detectable, most system administrators don’t even attempt to clean up or remove a rootkit
- It is far easier to reimage the machine than attempt to fix individual files

Keylogger

- A keylogger is a piece of software that logs all of the keystrokes that a user enters
- What makes a keylogger a malicious piece of software is when its operation is 1) unknown to the user, and 2) not under the user’s control
- Malicious keyloggers have several specific characteristics; they are frequently hidden from the user’s view and they are used against the end-user’s interests
- Hackers use keyloggers to obtain passwords and other sensitive pieces of information

Adware

- Software that is supported by advertising is called adware
- Adware comes in many different forms:
  - the user is aware of the advertising and agrees to the arrangement in return for free use of the software
  - it can also refer to a form of malware, which is characterized by software that presents unwanted ads
- Frequently, these ads are in the form of pop-up browser windows, and in some cases they cascade upon any user action

Spyware

- Spyware is software that “spies” on users, recording and reporting on their activities
- Typically installed without user knowledge
- It can record keystrokes (commonly called keylogging); it can monitor how a user applies a specific piece of software, such as to monitor attempts to cheat at games


Spyware

- Many uses of spyware seem innocuous at first, but the unauthorized monitoring of a system can be abused
- In other cases, the spyware is specifically designed to steal information
- Many states have passed legislation banning the unapproved installation of software, but spyware can circumvent this issue through complex and confusing end-user license agreements

Bots

- A bot is a functioning piece of software that performs some task, under the control of another program
- A series of bots is controlled across the network in a group, and the entire assembly is called a botnet (combining the terms bot and network)
- Some botnets are legal and perform desired actions in a distributed fashion
- Illegal botnets work in the same fashion, with bots distributed and controlled from a central set of servers
- Bots can do a wide array of things, from spam to fraud to spyware and more

Bots

- Botnets continue to advance malware threats
- Some of the latest botnets are designed to mine bitcoins, using distributed processing power for gain
- Some of the more famous botnets include Zeus, which performs keystroke logging and is used primarily for the purpose of stealing banking information
- Zeus has been linked to the delivery of CryptoLocker ransomware
- The Conficker botnet is one of the most studied pieces of malware, with a joint industry–government working group convened to battle it

RAT

- A remote-access Trojan (RAT) is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system
- RATs often mimic similar behaviors of keylogger or packet sniffer applications using the automated collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they also do so with a design of intelligence


RAT

- A RAT should be considered as another form of malware
- It has an operator behind it, guiding it to do even more persistent damage
- RATs can be delivered via phishing e-mails, watering holes, or any of a myriad of other malware infection vectors
- They create hidden file structures on a system and are vulnerable to detection by modern anti-malware programs
- It is not uncommon to find RAT packages that have been modified for specific use, such as the program used in the Ukraine electric grid attack in 2015

Logic Bomb

- A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload
- If the event is a specific date or time, the program will often be referred to as a time bomb
- Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, have been installed by administrators

Backdoor

- Backdoors were/are methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods
- E.g. a hard-coded password that could be used to gain access to the program in the event that administrators forgot their own system password
- Since it is hard-coded, it cannot be removed or changed – and it can be discovered

Indicators of Compromise (IOCs)

- IOCs act as bread crumbs for investigators, providing clues that can help identify the presence of an attack on a system
  - Unusual outbound network traffic
  - Anomalies in privileged user account activity
  - Geographical irregularities in network traffic
  - Account login red flags
  - Increases in database read volumes
  - HTML response sizes


Indicators of Compromise (IOCs)

- Large numbers of requests for the same file
- Mismatched port-application traffic, including encrypted traffic on plain ports
- Suspicious registry or system file changes
- Unusual DNS requests
- Unexpected patching of systems
- Mobile device profile changes
- Bundles of data in the wrong place
- Web traffic with nonhuman behavior
- Signs of DDoS activity, even if temporary
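Two of the indicators in this list, encrypted traffic on plain ports and unusual DNS requests, can be turned into concrete checks over sensor data. The script below is an added example, not part of the lecture slides; the flow records, DNS queries and IP addresses are constructed for the demonstration, and the port set and the label-length and entropy thresholds are assumptions a defender would tune to their own environment.

```python
# Added example (not from the slides): two IOC checks over constructed records.
#  1. TLS handshake bytes seen on a port where cleartext is expected
#     (mismatched port-application traffic, "encrypted traffic on plain ports").
#  2. DNS names with a long, high-entropy label, a common shape for tunnelling
#     or algorithmically generated domains ("unusual DNS requests").
import math
from collections import Counter

# Constructed flow records: (src, dst, dst_port, first client payload bytes).
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 80, bytes.fromhex("474554202f20")),   # "GET / ": plain HTTP
    ("10.0.0.5", "203.0.113.7", 443, bytes.fromhex("160301")),        # TLS on 443: expected
    ("10.0.0.9", "198.51.100.20", 80, bytes.fromhex("160301")),       # TLS record on port 80
    ("10.0.0.9", "198.51.100.20", 25, bytes.fromhex("16030300")),     # TLS on 25 (SMTP starts
]                                                                      # in cleartext with EHLO)
# Assumed: ports on which the first client bytes should be cleartext protocol text.
PLAINTEXT_PORTS = {21, 23, 25, 80, 110, 143}

# Constructed DNS queries as (src, queried name).
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "updates.example.net"),
    ("10.0.0.9", "3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.example.org"),   # 32-char hex label
    ("10.0.0.9", "a7k2q9x4m1z8p3w6.badexample.test"),               # 16 chars: below threshold
]

def looks_like_tls_client_hello(first_bytes):
    """TLS record header: content type 0x16 (handshake) followed by major version 0x03."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03

def encrypted_on_plain_port(flows):
    """Flows whose first bytes are a TLS handshake on a port where cleartext is the norm."""
    return [(src, dst, port) for src, dst, port, fb in flows
            if port in PLAINTEXT_PORTS and looks_like_tls_client_hello(fb)]

def shannon_entropy(s):
    """Bits per character; random-looking labels score near 4, words score lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def unusual_dns(queries, max_label=24, min_entropy=3.5):
    """Flag names whose longest label is both long and high-entropy (assumed thresholds)."""
    flagged = []
    for src, name in queries:
        label = max(name.split("."), key=len)
        if len(label) > max_label and shannon_entropy(label) >= min_entropy:
            flagged.append((src, name))
    return flagged

if __name__ == "__main__":
    for src, dst, port in encrypted_on_plain_port(FLOWS):
        print(f"{src} -> {dst}:{port}: TLS handshake on a plaintext port")
    for src, name in unusual_dns(DNS_QUERIES):
        print(f"{src}: unusual DNS name {name}")
```

The short random label in the last DNS record is deliberately left unflagged: the length threshold trades missed short labels for fewer false positives on ordinary hostnames, which is the tuning decision every such rule forces.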

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!