Malware - PowerPoint PPT Presentation

About This Presentation
Title: Malware
Description: Slide footer reads "K. Salah". Topics: Malware; Malcode Taxonomy; ... Malware attack with Social Engineering Tactics; SPAM; DoS and DDoS attack ... (PowerPoint PPT presentation)
Slides: 27
Provided by: prashantkr
Tags: malware

Transcript and Presenter's Notes

Title: Malware

1
Malware
2
Malcode Taxonomy
3
(No Transcript)
4
(No Transcript)
5
The Ten Most Common Critical Cyber Security Threats
  • Malware attack with Social Engineering Tactics
  • SPAM
  • DoS and DDoS attack
  • Phishing and Pharming (identity theft)
  • Botnets
  • IM and P2P attack
  • Mobile and Wireless attack (Wi-Fi and Bluetooth)
  • Rootkits
  • Web Application Hacking
  • Hacking with Google

6
Most Advanced Critical Cyber Security Threats
  • Zero Day Attack
  • Web 2.0 Attack
  • VoIP Attack
  • Web Services Attack
  • USB Attack

7
Attack on the Critical Infrastructure
  • Government Operations
  • Telecommunications
  • Electrical Energy
  • Gas/Oil Storage and Delivery
  • Water Supply Systems
  • Banking/Finance
  • Transportation

8
Virus, Spam and Spyware Relationship
(Diagram; labels only: threats Spam, Worm, Phish/Adware, Virus, Spyware, Zombie/Trojan; countermeasures Antispam, Antivirus, Antispyware)
9
Digital Forensics Analysis
  • Incident Notification
  • Understand Nature of Incident
  • Interview
  • Obtain Authorization
  • Verify Scope
  • Team Assembly
  • Document work area
  • Document Incident Equipment
  • Move Equipment
  • Prepare two images
  • Preserve/Protect first image
  • Use second image for restoration and examination
  • Data Extraction and Analysis
  • Watch assumptions (date/time)
  • Review Log / Interview
  • Analysis
  • Prepare findings
  • Lessons Learned

10
Anti-forensic techniques
  • Anti-forensic techniques try to frustrate forensic investigators and their techniques
  • Overwriting Data and Metadata
      • Secure Data Deletion
      • Overwriting Metadata
      • Preventing Data Creation
  • Cryptography, Steganography, and other Data Hiding Approaches
      • Encrypted Data
      • Encrypted Network Protocols
      • Program Packers
      • Steganography
      • Generic Data Hiding
  • Examples
      • Timestomp: changes the dates of computer files (the 4 timestamps of NTFS); EnCase shows blanks.
      • Slacker: stores files in the slack of disk blocks
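An added defender-side example, not from the slides: two heuristics an analyst can run over parsed MFT timestamps to spot Timestomp-style back-dating. It assumes a constructed `MftRecord` shape (the real parser is out of scope) and relies on two properties of NTFS: $STANDARD_INFORMATION times are settable from user mode while $FILE_NAME times are written by the kernel, and tools that write whole seconds leave the 100-ns residue at zero.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                      # NTFS FILETIME: 100-ns ticks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ts: str, sub_second_ticks: int = 0) -> int:
    """Build a FILETIME (100-ns ticks since 1601) from an ISO time plus a sub-second residue."""
    dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + sub_second_ticks

@dataclass
class MftRecord:
    """Constructed stand-in for the timestamps a parser would pull out of one MFT entry."""
    name: str
    si_created: int     # $STANDARD_INFORMATION: reachable from user mode via SetFileTime
    si_modified: int
    fn_created: int     # $FILE_NAME: written by the kernel, not exposed through SetFileTime
    fn_modified: int

def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Heuristics that suggest $SI times were back-dated; each is a lead, not proof."""
    findings = []
    # Whole-second writes (Timestomp-style) leave the 100-ns residue at exactly zero.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.si_modified % TICKS_PER_SECOND == 0:
        findings.append("$SI timestamps have a zero sub-second component")
    # A file cannot have been created before the kernel wrote its own $FN creation time.
    if rec.si_created < rec.fn_created:
        findings.append("$SI created precedes $FN created")
    return findings

def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each record name to its indicators, keeping only records with at least one."""
    return {r.name: hits for r in records if (hits := timestomp_indicators(r))}

# Constructed sample: one untouched file, one whose $SI times were set back to 2005.
BENIGN = MftRecord("report.docx",
                   si_created=filetime("2023-06-01T10:15:30", 4_812_345),
                   si_modified=filetime("2023-06-02T08:00:00", 1_250_000),
                   fn_created=filetime("2023-06-01T10:15:30", 4_812_345),
                   fn_modified=filetime("2023-06-01T10:15:30", 4_812_345))
STOMPED = MftRecord("update.exe",
                    si_created=filetime("2005-01-01T00:00:00"),
                    si_modified=filetime("2005-01-01T00:00:00"),
                    fn_created=filetime("2023-06-03T22:41:07", 9_031_112),
                    fn_modified=filetime("2023-06-03T22:41:07", 9_031_112))

if __name__ == "__main__":
    for name, hits in scan([BENIGN, STOMPED]).items():
        print(name, "->", "; ".join(hits))
```

Zero sub-second residue also appears on files copied by some archivers and installers, so treat that indicator as a reason to look at $FN and the USN journal, not as a verdict.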

11
Virus Techniques
  • TSR
      • Virus can hide in memory even if the program has stopped or been detected
  • Stealth Viruses
      • Execute original code
      • Size of file stays the same after infection
      • Hide in memory within a system process
      • Virus infects the OS so that if a user examines the infected file, it appears normal
  • Encrypted/Polymorphic Viruses
      • To hide virus signatures, encrypt the code
      • Have the code mutate to prevent signature scanning

12
Polymorphic Viruses
13
Virus Cleaning
  • Remove virus from file
  • Requires skills in software reverse engineering
  • Identify beginning/end of payload and restore to
    original

14
How hard is it to write a virus?
  • Simple Google search for virus construction toolkit
  • www.pestpatrol.com
  • Tons of others
  • Conclusion: Not hard

15
Attaching code
16
Integrate itself
17
Completely replace
18
Boot Sector Virus
19
How viruses work
  • Attach
      • Append to program, e-mail
          • Executes with program
      • Surrounds program
          • Executes before and after program
          • Erases its tracks
      • Integrates or replaces program code
          • Gain control
          • Virus replaces target
  • Reside
      • In boot sector
      • Memory
      • Application program
      • Libraries

20
How viruses work (contd.)
  • Detection
      • Virus signatures
          • Storage patterns
          • Execution patterns
          • Transmission patterns
  • Prevention
      • Don't share executables
      • Use commercial software from reliable sources
      • Test new software on isolated computers
      • Open only safe attachments
      • Keep a recoverable system image in a safe place
      • Back up copies of executable system files
      • Use virus detectors
      • Update virus detectors often

21
Virus Effects and Causes
22
Virus vs. Worm
  • Both are Malicious Code
  • Virus does harm
  • Worm consumes resources

23
Exploitation of Flaws: Targeted Malicious Code
  • Trapdoors
      • Undocumented entry point in code
      • Program stubs during testing
      • Intentionally or unintentionally left
          • Forgotten
          • Left for testing or maintenance
          • Left for covert access
  • Salami attack
      • Merges inconsequential pieces to get big results
      • A salami attack is a series of minor data-security attacks that together result in a larger attack.
      • For example, fraud in a bank where an employee steals a small amount of funds from several accounts can be considered a salami attack, i.e. deliberate diversion of fractional cents
      • Too difficult to audit
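An added example, not part of the slides, showing why the bank fraud above is hard to audit and what catches it: a reconciliation that checks only the grand total passes, because the diverted fractions of a cent are still inside the run, while a per-destination reconciliation flags them. Account names, the rate and the "ROUNDING-SUSPENSE" ledger are constructed assumptions.

```python
from __future__ import annotations
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")
RESIDUE_ACCOUNT = "ROUNDING-SUSPENSE"   # assumed name of the bank's legitimate residue ledger

def expected_postings(balances: dict[str, Decimal], rate: Decimal) -> dict[str, Decimal]:
    """Interest truncated to whole cents per customer; the leftover fractions belong in the suspense ledger."""
    posted = {acct: (bal * rate).quantize(CENT, rounding=ROUND_DOWN) for acct, bal in balances.items()}
    exact_total = sum((bal * rate for bal in balances.values()), Decimal(0))
    posted[RESIDUE_ACCOUNT] = exact_total - sum(posted.values(), Decimal(0))
    return posted

def audit_ledger(balances: dict[str, Decimal], rate: Decimal, ledger: dict[str, Decimal]) -> list[str]:
    """Reconcile a posted interest run against what it should have been; returns the discrepancies."""
    findings = []
    expected = expected_postings(balances, rate)
    # Check 1: grand total. A salami scheme moves fractions between accounts without changing
    # the total, so this check alone passes; that is what makes the attack hard to audit.
    if sum(ledger.values(), Decimal(0)) != sum(expected.values(), Decimal(0)):
        findings.append("grand total does not reconcile with exact interest")
    # Check 2: per destination. Every fraction of a cent must land exactly where it belongs,
    # and no account outside the expected set may receive anything at all.
    for acct in sorted(set(expected) | set(ledger)):
        exp, act = expected.get(acct, Decimal(0)), ledger.get(acct, Decimal(0))
        if exp != act:
            findings.append(f"{acct}: ledger {act} vs expected {exp}")
    return findings

# Constructed sample data: three customer balances and a 1.25% interest run.
BALANCES = {"ACCT-1001": Decimal("1234.56"), "ACCT-1002": Decimal("789.01"), "ACCT-1003": Decimal("55.55")}
RATE = Decimal("0.0125")
HONEST_LEDGER = expected_postings(BALANCES, RATE)
# Fraud case: customers receive the same truncated cents, but the residue is redirected.
FRAUD_LEDGER = dict(HONEST_LEDGER)
FRAUD_LEDGER["EMP-007"] = FRAUD_LEDGER.pop(RESIDUE_ACCOUNT)

if __name__ == "__main__":
    print("honest:", audit_ledger(BALANCES, RATE, HONEST_LEDGER))
    print("fraud: ", audit_ledger(BALANCES, RATE, FRAUD_LEDGER))
```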

24
Exploitation of Flaws: Targeted Malicious Code (contd.)
  • Covert Channels
      • An example of a human/student covert channel
      • Programs that leak information
      • Trojan horse
  • Discovery
      • Analyze system resources for patterns
      • Flow analysis from a program's syntax (automated)
  • Difficult to close
  • Not much documented
  • Potential damage is extreme

25
File lock covert channel
26
Race Conditions
  • In wu-ftpd v2.4
  • Allows root access
  • Signal handling
      • SIGPIPE
          • EUID=user changes to EUID=root to log out the user and access privileged operations and files
          • It takes some time to do this
      • SIGURG
          • Logging out is broken/stopped and the prompt is gotten back with EUID=root