TEL 581 Malware Survey on Information Assurance Presented by Gregory Michel Lincoln Jean Louis Viswesh Prabhu Subramanian

Posted 22-Dec-2015

TEL 581

Malware

Survey on Information Assurance

Presented by

Gregory Michel

Lincoln Jean Louis

Viswesh Prabhu Subramanian

Software designed to infiltrate or damage a computer system without the owner's informed consent.

The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it.

Instead, “virus” is used in common parlance and often in the general media to describe all kinds of malware.

Malware

Introduction:

Malware content ref: http://ocw.kfupm.edu.sa/user062/COE44901/Malware.pdf

Another term that has been recently coined for malware is Badware

Malware is sometimes known as a computer contaminant (law language)

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs.

Introduction to Malware (Cont’d)

Types of Malware

• Computer viruses

• Worms

• trojan horses

• Rootkit

• Ransomware

• Adware

• Spyware

• Botnets

• Key loggers

• Dialers

Infectious malware viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior.

Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect other computers.

More recently, the words are often used interchangeably.

Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically.

computer virus

A computer program that can copy itself and infect a computer without permission or knowledge of the user.

The term comes from the term virus in biology.

The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus.

A virus can spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium.

Some sources use virus as any form of self-replicating malware.

computer virus (Cont’d)

Viruses may take advantage of network services such as the World Wide Web, e-mail, network/sharing file systems to spread

Usually viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk.

Why people create computer viruses

Viruses have been written as:

• research projects,

• pranks,

• vandalism,

• to attack the products of specific companies,

• to distribute political messages,

• financial gain from identity theft,

• spyware.

“Harmless” computer virus

Some viruses are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.

Even these benign viruses can create problems for the computer user.

They typically take up computer memory used by legitimate programs.

As a result, they often cause erratic behavior and can result in system crashes.

In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Types of viruses

• Macro viruses

• Network viruses

• Logic bomb

• Cross-site scripting virus

• Sentinels

• Boot sector viruses

• Multipartite viruses

Macro viruses

•A macro virus, often written in the scripting languages for programs such as Word and Excel, is spread by infecting documents and spreadsheets.

•Since macro viruses are written in the language of the application and not in that of the operating system, they are known to be platform-independent.

•Today, there are thousands of macro viruses in existence—some examples are Relax, Melissa.A and Bablas.

Network viruses

This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet.

Usually, it propagates through shared resources, such as shared drives and folders.

Once it infects a new system, it searches for potential targets by searching the network for other vulnerable systems.

Once a new vulnerable system is found, the network virus infects the other system, and thus spreads over the network.

Some of the most notorious network viruses are Nimda and SQLSlammer.

http://www.clearview.co.uk/images/Network_VirusWall_1.jpg

Logic bomb

A logic bomb employs code that lies inert until specific conditions are met.

The resolution of the conditions will trigger a certain function such as printing a message to the user and/or deleting files.

Logic bombs may reside within standalone programs, or they may be part of worms or viruses.

An example of a logic bomb would be a virus that waits to execute until it has infected a certain number of hosts.

A time bomb is a subset of logic bomb, which is set to trigger on a particular date and/or time.

Cross-site scripting virus

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users (e.g. HTML code).

A cross-site scripting virus (XSSV) is a type of virus that utilizes cross-site scripting vulnerabilities to replicate.

An XSSV is spread between vulnerable web applications and web browsers, creating a symbiotic relationship.

Sentinels

A sentinel is a highly advanced virus capable of empowering the creator or perpetrator of the virus with remote access control over the computers that are infected.

They are used to form vast networks of zombie or slave computers which in turn can be used for malicious purposes.

Boot sector viruses

A boot sector virus alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive.

The boot sector is where your computer starts reading your operating system.

By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence.

A boot virus does not affect files; instead, it affects the disks that contain them.

In the 1980s boot sector viruses were common and spread rapidly from one computer to another on rewritable floppy disks which contained programs.

With the CD-ROM revolution, it became impossible to infect read-only CDs.
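As a defender's counterpart to the boot sector virus description above, the following added example (not from the slides, and not any product's code) baselines the 512-byte master boot record and re-checks it: it verifies the trailing 0x55AA boot signature, hashes the 446-byte boot-code region against a recorded SHA-256 baseline, and parses the partition table so that a second "bootable" entry can be flagged. The sector bytes, the baseline and the "tampered" variant are constructed inline; on a real machine the sector would be read from the disk device with administrator privileges.

```python
"""Boot-sector integrity check (added example; sample data constructed, not real malware)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # classic MBR: 446 bytes of code, then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    code = sector[:BOOT_CODE_LEN]
    table = sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 64]
    signature = sector[510:512]
    partitions = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"code": code, "partitions": partitions, "signature": signature}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["code"]).hexdigest()


def check_boot_sector(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    if sum(1 for p in mbr["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_sector(code: bytes) -> bytes:
    """Constructed sample: pad the given boot code, add one bootable partition and the signature."""
    code = code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 1_000_000)  # bootable Linux partition
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed "known-good" sector recorded at install time, and a constructed altered one.
CLEAN_SECTOR = build_sample_sector(b"\xEB\x3C\x90CLEANBOOT")
BASELINE = boot_code_hash(CLEAN_SECTOR)
TAMPERED_SECTOR = build_sample_sector(b"\xEB\x3C\x90OTHERBOOT")

if __name__ == "__main__":
    print("clean:", check_boot_sector(CLEAN_SECTOR, BASELINE))
    print("tampered:", check_boot_sector(TAMPERED_SECTOR, BASELINE))
```

On a live system the baseline is taken once from a clean install (for example by reading the first 512 bytes of the disk device) and the check is repeated at every boot or on a schedule; any change to the boot-code region that was not caused by an intentional bootloader update deserves investigation.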

Multipartite viruses

Multipartite viruses are a combination of boot sector viruses and file viruses.

These viruses come in through infected media and reside in memory then move on to the boot sector of the hard drive.

From there, the virus infects executable files on the hard drive and spreads across the system.

Computer worms

A self-replicating computer program.

It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention.

Unlike a virus, it does not need to attach itself to an existing program.

Worms always harm the network, whereas viruses always infect or corrupt files on a targeted computer.

Type of Worms

• Email Worms

• Instant messaging worms

• IRC worms

• File-sharing networks worms

• Internet Worms

http://stuff.mit.edu/afs/sipb/user/yoz/odd/abc_computer_worms_060202_t.jpg

Email Worms

Spread via email messages.

Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website.

Poor design aside, most email systems require the user to explicitly open an attachment to activate the worm, but "social engineering" can often successfully be used to encourage this.

Once activated the worm will send itself out using either local email systems (e.g. MS Outlook services, Windows MAPI {Messaging Application Programming Interface} functions), or directly using SMTP.

IRC (Internet Relay Chat) worms

Chat channels are the main target and the same infection/spreading method is used as above — sending infected files or links to infected websites.

Infected file sending is less effective as the recipient needs to confirm receipt, save the file and open it before infection will take place.

File-sharing networks worms

Copies itself into a shared folder, most likely located on the local machine.

The worm will place a copy of itself in a shared folder under a harmless name.

Now the worm is ready for download via the P2P network and spreading of the infected file will continue.

Internet Worms

Those which target low level TCP/IP ports directly, rather than going via higher level protocols such as email or IRC.

An infected machine aggressively scans random computers on both its local network and the public Internet attempting an exploit against port 135 which, if successful, spreads the worm to that machine.

Trojan horse

A program that contains or installs a malicious program

Trojan horse programs cannot operate autonomously, the victim must activate them.

As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan.

Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

There are two common types of Trojan horses.

Useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used.

Standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.

Rootkit

A set of software tools intended to conceal running processes, files or system data from the operating system.

Rootkits have their origin in relatively benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection.

Rootkits exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows.

Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.

Ransomware

A type of malware that uses a weak (breakable) cryptosystem to encrypt the data belonging to an individual, demanding a ransom for its restoration.

This type of ransom attack can be accomplished by attaching a specially crafted file/program to an e-mail message and sending this to the victim.

If the victim opens/executes the attachment, the program encrypts a number of files on the victim's computer.

A ransom note is then left behind for the victim.

The victim will be unable to open the encrypted files without the correct decryption key.
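The slides describe ransomware by its effect: files the victim can no longer open. One signal a defender can monitor for that effect is file entropy, since encrypted output is close to uniformly random (about 8 bits per byte) while documents, source and configuration files sit well below that. The following added example (not from the slides) computes Shannon entropy per file and flags a directory in which a large fraction of files has jumped to high entropy; the file contents, the 7.5 bits/byte threshold and the 50% fraction are constructed assumptions for the example.

```python
"""Entropy-based detection of bulk file encryption (added example; sample data constructed)."""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext in the sample."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def scan_files(files: dict) -> dict:
    """Return {name: entropy} for the files whose entropy is at or above HIGH_ENTROPY."""
    flagged = {}
    for name, data in files.items():
        h = shannon_entropy(data)
        if h >= HIGH_ENTROPY:
            flagged[name] = round(h, 2)
    return flagged


def bulk_encryption_suspected(files: dict, fraction: float = 0.5) -> bool:
    """Raise the alarm when at least `fraction` of the files look encrypted."""
    if not files:
        return False
    return len(scan_files(files)) / len(files) >= fraction


# Constructed snapshot of a user directory before and after an encryption event.
BEFORE = {
    "report.txt": b"Quarterly report: revenue up, costs flat. " * 60,
    "notes.md": b"# Notes\n- patch servers\n- rotate keys\n" * 70,
    "config.ini": b"[main]\nmode=prod\n" * 150,
}
AFTER = {name: pseudo_random_bytes(name.encode(), len(data)) for name, data in BEFORE.items()}
MIXED = dict(BEFORE, **{"report.txt": AFTER["report.txt"]})  # one file encrypted, two untouched

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, scan_files(snapshot), "alarm" if bulk_encryption_suspected(snapshot) else "ok")
```

Compressed archives and media files are also high-entropy, so in practice the check is scoped to file types that are normally low-entropy or is combined with a rate signal (many files rewritten in a short window), otherwise a directory of zip files will trip it.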

Adware

Advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.

It is usually seen by the programmer as a way to recover programming development costs, and in some cases it may allow the program to be provided to the user free of charge or at a reduced price.

The advertising income may allow or motivate the programmer to continue to write, maintain and upgrade the software product.

Some adware is also shareware, and so the word may be used as a term of distinction to differentiate between types of shareware software.

Adware

What differentiates adware from other shareware is that it is primarily advertising-supported.

Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements.

There are concerns about adware because it often takes the form of spyware, in which information about the user's activity is tracked, reported, and often re-sold, often without the knowledge or consent of the user.

It may interfere with the function of other software applications, in order to force users to visit a particular web site.

Spyware

Computer software that collects personal information about users without their informed consent.

Personal information is secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk.

Purposes range from overtly criminal (theft of passwords and financial details) to the merely annoying (recording Internet search history for targeted advertising, while consuming computer resources).

Spyware may collect different types of information. Some variants attempt to track the websites a user visits and then send this information to an advertising agency.

Spyware

A number of companies have incorporated forms of spyware into their products.

These programs are not considered malware, but are still spyware as they watch and observe for advertising purposes.

It is debatable whether such 'legitimate' uses of adware/spyware are malware since the user often has no knowledge of these 'legitimate' programs being installed on his/her computer and is generally unaware that these programs are infringing on his/her privacy.

In any case, these programs still use the resources of the host computer without permission.

Botnet

A collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.

A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". through, the more valuable it becomes to a botnet controller community.

Often the command and control takes place via an IRC server or a specific channel on a public IRC network.
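The IRC-based command and control described above has a visible network footprint: many internal hosts holding long-lived connections to the same external server on an IRC port. The following added example (not from the slides) runs that detection over a handful of constructed connection-log lines; the log layout (timestamp, source, destination, destination port, duration in seconds), the port watch-list and the thresholds are assumptions for the example.

```python
"""Flagging IRC-style command-and-control rendezvous in connection logs (added example)."""
from collections import defaultdict

IRC_PORTS = {6667, 6697}  # plain and TLS IRC; assumed watch-list
MIN_HOSTS = 3             # assumed: distinct internal clients needed before alerting
MIN_DURATION = 600        # assumed: seconds a session must stay open to count as a bot idling on a channel

# Constructed sample log: timestamp src dst dport duration_seconds (documentation-range addresses).
CONSTRUCTED_LOG = """\
2007-03-01T10:00:01 10.0.0.11 203.0.113.5 6667 3600
2007-03-01T10:00:03 10.0.0.12 203.0.113.5 6667 3590
2007-03-01T10:00:09 10.0.0.13 203.0.113.5 6667 3580
2007-03-01T10:01:00 10.0.0.14 198.51.100.9 443 12
2007-03-01T10:02:00 10.0.0.11 198.51.100.9 80 3
2007-03-01T10:03:00 10.0.0.20 203.0.113.77 6667 45
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated connection records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, duration = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "duration": int(duration)})
    return records


def find_c2_candidates(records: list) -> dict:
    """Return {external_host: [internal clients]} for IRC servers used by MIN_HOSTS or more clients."""
    clients_by_server = defaultdict(set)
    for r in records:
        if r["dport"] in IRC_PORTS and r["duration"] >= MIN_DURATION:
            clients_by_server[r["dst"]].add(r["src"])
    return {dst: sorted(srcs) for dst, srcs in clients_by_server.items() if len(srcs) >= MIN_HOSTS}


def report(text: str) -> dict:
    """Convenience wrapper: parse a log and return the candidate C2 servers."""
    return find_c2_candidates(parse_log(text))


if __name__ == "__main__":
    for server, clients in report(CONSTRUCTED_LOG).items():
        print(f"possible IRC C2 {server}: {len(clients)} internal hosts {clients}")
```

The single short session to 203.0.113.77 is ignored by design: one user briefly trying an IRC server is not the pattern the slides describe, whereas three hosts parked on the same server for an hour is. Legitimate IRC use inside an organization should be allow-listed before the rule is turned into an alert.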

Keystroke logging

A diagnostic used in software development that captures the user's keystrokes.

It can be useful to determine sources of error in computer systems

Used to measure employee productivity on certain clerical tasks.

Useful for law enforcement

Spying; obtaining passwords or encryption keys

Keyloggers are widely available on the internet and can be used by anyone for the same purposes.

Dialer

One way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call.

Dialer software dials up a premium-rate telephone number such as a "900 number" and leaves the line open, charging the toll to the infected user.

Vulnerability to malware

Homogeneity – e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.

Bugginess – most systems contain errors which may be exploited by malware.

Unconfirmed code – code from a floppy disk, CD or USB device may be executed without the user’s agreement.

Over-privileged users – some systems allow all users to modify their internal structures.

Over-privileged code – most popular systems allow code executed by a user all rights of that user.

Future Malware Trend

Malware and the future

Metamorphic Malware

Peer-to-peer Botnets

Cell Phones and Mobile devices

Rootkit

Open-source Malware

Metamorphic Malware

Characteristics: has the ability to modify its code, making it difficult to find a consistent pattern in its new version

The actual algorithm stays the same but everything else within the malware changes

Some have the ability to query attacker-controlled Web sites for the latest updates

Metamorphic Malware

Characteristics (continued…)

Malware rearranges itself by inserting random variables in its code

Logical structure of code is reorganized

Dead code is inserted

Many other possibilities

Metamorphic Malware

Advantages

More effective than polymorphic code

More difficult to detect by signature-based anti-virus

Might offer the capability of infecting executables from different operating systems

Peer 2 Peer Botnet

Botnet definition

A collection of zombie computers connected to a network.

A network of compromised computers controlled by an attacker either for distributed denial of service or Spam purposes

Historically controlled through IRC or a Web graphical interface.

Peer 2 Peer Botnet

Source: http://www.cert.org/archive/pdf/Botnets.pdf

Peer 2 Peer Botnet

Definition: In contrast to traditional Botnets, P2P Botnets are organized in a decentralized, self-sustaining network. A P2P Botnet becomes harder to detect and more resilient to response than centrally controlled Botnets.

P2P Botnets

Considered the next step in the evolution of Botnets

Decentralised network with no central point of failure

Hard to track

Automatic recruitment process

P2P Botnet

P2P: how to maintain the network

Out-of-band: Use other means such as GWebCache to locate each other

In-band: The peer list is carried by the bot. The list is cached when the Bot goes offline. Scanning the internet like a worm is another option. Topology can be created during malware propagation.

P2P Botnet

P2P Botnets lead to the creation of really big Botnets with over a million systems

Advantages of creating such a big botnet system include the ability to generate powerful DOS attacks and to crack crypto keys and passwords

Cell Phones & Mobile Devices

Malware affecting Mobile devices is an increasing threat

There are around one hundred variants (2007) of malicious code targeting mobile devices such as phones and PDA’s

There are variants with the ability to jump from mobile devices to Windows desktop systems

Cell Phones & Mobile Devices

As Mobile online banking is getting more popular, a major upswing is expected to come

However:

There are several variants of phones

A malware for one type of phone may not be compatible with other phones

Mobile has not yet reached a critical stage

Cell Phones & Mobile Devices

Source: http://www.viruslist.com/en/analysis?pubid=200119916

Mobile Malware

Challenges will be faced

Mobile users are less knowledgeable of technology

It will be difficult to patch phones already sold

Mobiles are always connected

Mobile Environments change consistently

Rootkit Technologies

Functionality:

System access is maintained

Processes, files, registry keys and open ports are hidden from administrator

Attack other systems

May provide a covert channel as a communication means between the compromised computer and attacker

Rootkit Technologies

Objective:

The longer the malware remains undetected on the victim computer, the more effective it will be

Advanced rootkits will be capable of surviving drive reformats and replacements

Provide the ability to hide files, network usage and processes from administrator

Rootkit Technologies

Bios Rootkits

The Bios is replaced with different code

Rootkit is hidden in Bios

Implementation is difficult and it is system dependent

BIOS have some checks

Signing doesn’t exist in BIOS environment

Rootkit Technologies

Challenges

Antivirus programs are created on the assumption that some layer of the system can be trusted

Most antivirus programs base their scanning on high-level file-system services.

Using a Virtual Machine Monitor one could take over the host Operating System; then it could potentially hide a rootkit by keeping it within the VMM

Rootkit Technologies

http://academia.wikia.com/wiki/Virtual_Machine_Monitor

Open Source Malware

Currently there is malware being released under the GNU Public License (Open Source software)

Anyone can modify the malware source code

Malware can be easily downloaded online, or requested offline.

Open Source Malware

Advantage to the attacker

Open source Malware contributes to anonymity of malware authors

Distracts attention from other growing malware

Malware Prevention

Introduction

Whether you have a stand-alone computer, home or enterprise network, it is important that you properly implement and maintain a good and solid security strategy and implementation.

Why?

Dangerous people develop new tools and techniques with the intention of destroying or stealing your home or corporate information.

How?

Using Malware

Problem!!!

According to surveys done, “it is very common today to find home computer systems as well as enterprise business systems that do have quality antiviral products installed from major manufacturers such as Symantec or McAfee”. (Security+ Exam Guide – Test Takers Guide series)

Problem!!!

Security is improperly configured and mismanaged. This results in systems that appear to be protected, when in reality, they are not. For example, virus software not configured to auto-update; firewalls badly configured; operating systems not updated with the most recent service packs, etc.

This results in a lack of protection against new viruses and variations of older viruses and other threats presented by other Malware software.

No Anti-virus / Anti-spyware software. No Firewalls installed.

How does one protect their computer/network?

• Install Anti-Virus Software.

• Install Anti-Spyware Software.

• Operating System Security.

• Install Firewall.

• Intrusion Detection System (IDS)

• Implement Security policy.

Proper Anti-Virus practices

Install, update, and maintain reputable quality antivirus software on servers and workstations. This includes setting up daily antivirus definition updates, enabling real-time protection, setting up scheduled scans of all system drives, and enabling e-mail and attachment scanning.

All users of computer systems (at home or in the workplace) should be educated/alerted when particular virus attacks occur or are expected to occur. This information can prove invaluable to administrators who need to apply particular patches or make updates in preparation for new or anticipated variations of viruses.

A combination of education, training, and management policies with antivirus software and practices is essential to the survival and welfare of computer systems and networks.

Proper Anti-Virus practices

Teach all users at home or in the workplace that opening e-mail attachments as well as Instant Messaging attachments might be detrimental to your system’s life span.

In a business environment, ensure that your corporate security policy is up-to-date and accurate. Ensure that new and existing employees sign an addendum that states they are familiar with the company’s policies regarding computer usage as well as virus policy and procedures.

Anti-VirusAnti-Virus

The most popular way to detect viruses is The most popular way to detect viruses is through the use of virus-scanning through the use of virus-scanning software. Virus scanners use software. Virus scanners use signature signature files files to locate viruses in infected files. to locate viruses in infected files. (Mastering Network Security, Second Edition)(Mastering Network Security, Second Edition)

Anti-VirusAnti-Virus

Signature FileSignature File A signature file is simply a database that lists A signature file is simply a database that lists

all known viruses, along with their specific all known viruses, along with their specific attributes. attributes. (Mastering Network Security, Second Edition)(Mastering Network Security, Second Edition)

These attributes include samples of each These attributes include samples of each virus’s code, the types of files it infects, and virus’s code, the types of files it infects, and any other information that might be helpful in any other information that might be helpful in locating the virus. locating the virus. (Mastering Network Security, Second (Mastering Network Security, Second Edition)Edition)

70

Anti-VirusAnti-Virus

How Anti-Virus worksHow Anti-Virus works The anti-virus scanner:The anti-virus scanner:

1.1. Checks a file by looking to see if any of the code Checks a file by looking to see if any of the code in the file matches any of the entries in the in the file matches any of the entries in the signature file. signature file.

2.2. If a match is found, the virus scanner notifies the If a match is found, the virus scanner notifies the user that a virus has been detected.user that a virus has been detected.

3.3. Depending on the anti-virus’ configuration, the Depending on the anti-virus’ configuration, the scanner runs a separate process that will scanner runs a separate process that will automatically or manually clean the virus.automatically or manually clean the virus.

71

Anti-VirusAnti-Virus

LimitationsLimitations The biggest limitation of virus scanners is that they The biggest limitation of virus scanners is that they

can detect only known viruses. If your system can detect only known viruses. If your system happens to become infected by a newly created happens to become infected by a newly created virus, a scanner may well miss it. virus, a scanner may well miss it. (Mastering Network (Mastering Network Security, Second Edition)Security, Second Edition)


Anti-Virus

Limitations

Difficulty detecting polymorphic viruses.

Difficulty detecting viruses within zipped files and encrypted files.

An anti-virus program may not detect every possible virus.


Anti-Virus

Variations of Scanners

On-demand: You must initialize on-demand scanners manually.

Memory Resident: These are programs that run in the background and are initialized at system startup. They remain active at all times.


Anti-Virus

Variations of Scanners

Heuristic Scanners

Heuristic scanners perform a statistical analysis to determine the likelihood that a file contains program code that may indicate a virus.

Does not compare code with a signature file.

Uses a grading system to determine the probability that the program code being analyzed is a virus.

Most of today’s virus scanners include heuristic scanning ability.


Anti-Virus

Variations

Application-Level Virus Scanners

Instead of being responsible for securing a specific system from viruses, an application-level virus scanner is responsible for securing a specific service throughout an organization. (Mastering Network Security, Second Edition)


Spyware

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. (http://en.wikipedia.org/wiki/Spyware)

Spyware programs can collect various types of personal information.

They can also interfere with user control of the computer in other ways, such as:

Installing additional software onto computers.

Redirecting Web browser activity, accessing websites blindly, which may cause more harmful virus infections from infected websites.

Changing a computer’s settings, which can result in slow connection speeds.

Changing your home page to a different home page.

Causing loss of Internet connection.

Anti-Spyware

Anti-spyware programs can combat spyware in two ways:

They can provide real time protection against the installation of spyware software on your computer. This works the same way as real-time anti-virus software.

Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto your computer. This type of spyware protection is normally much easier to use and more popular. This type of anti-spyware software scans the contents of the Windows registry, operating system files, and installed programs on your computer and will provide a list of any threats found, allowing you to choose what you want to delete and what you want to keep.

Fake Anti-Spyware

AntiVirus Gold

ContraVirus (spreads through USB storage devices)

errorsafe (AKA system doctor)

Malware

PAL Spyware Remover

Pest Trap

PSGuard

SpyAxe

SpywareStrike

Spyware Quake

Spydawn

Spylocked

SpyShredder

Spy Sheriff

Spy Wiper

UltimateCleaner

WinAntiVirus Pro 2006

WinFixer

WorldAntiSpy

Anti-Spyware

Adware

Windows Defender

Spybot

Spydoctor

SuperAntiSpyware

Most Anti-Virus Programs

Operating System Security

The following are some basic practices which will provide a computer/network system with a greater measure of security:

Stop or remove any unneeded services. Many default operating system installs include and run services such as FTP, Web services, and Telnet. These services require hardening and continuous patches. Many operating system services provide weaknesses and leave systems open to attack. Regardless of the operating systems you are using, consider removing or stopping any unneeded services. (Security+ Exam Guide – Test Takers Guide series)

Operating System Security

Keep your service packs and patches up-to-date, no matter what operating systems you are running. Variants of viruses and blended threats are developed continuously to take advantage of operating system weaknesses. Operating system software vendors recognize this and develop patches to secure inherent weaknesses. (Security+ Exam Guide – Test Takers Guide series)

Set up e-mail servers to scan e-mail attachments. Also configure e-mail servers to block attachments with extensions that are known threats. These usually include attachments with extensions such as .bat, .vbs, .exe, .hta, and .scr. (Mastering Network Security, Second edition)

Operating System Security

Isolate any system that is known to be infected—this is important in order to reduce the chances of other systems being infected. Disconnect the infected system from the network. Then follow your corporate or business policy. (Security+ Exam Guide – Test Takers Guide series)

Rename the Administrator/Root Account - The most powerful account included with Microsoft Windows or Unix is the Administrator or Root account. Malware will often target these accounts in order to compromise your computer/network systems. It is good practice to rename the Administrator account to something less obvious, in order to reduce possible threats and access to this powerful account.

Operating System Security

Verify That the Guest Account Is Disabled

In the Windows environment the guest account is disabled by default, but it is still very important that you verify that this account is disabled and remains disabled.

If the Guest account is enabled, it can be used to access shared resources without entering a password for authentication. This is a major security issue. For example, Nimda enables the guest account and takes advantage of its inherent weaknesses.

Remove full control permissions for the Everyone group. For even stronger security, remove the Everyone group from directories altogether. (Security+ Exam Guide – Test Takers Guide series)

Operating System Security

Enable auditing and logging.

Remove access to default administrative shares.

Use strong passwords that use a combination of letters, numbers, and symbols.

Allow administrative access to systems by local sign-on only.

Operating System Security

Checksum Verification - A checksum, or cyclic redundancy check (CRC), is a mathematical verification of the data within a file. A checksum allows the contents of the file to be expressed as a numeric quantity. If a single byte of data within the file changes, the checksum value changes, even if the file size remains constant. Typically, you first create a baseline of a noninfected system. The CRC is then performed at regular intervals to look for file changes.

A couple of drawbacks are associated with this method. First, a CRC cannot actually detect file infection; it can only look for changes.
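The baseline-then-recheck procedure above, as an added Python example (not code from the slides or from any product). The slide describes a CRC; this example uses SHA-256 instead, because a CRC catches accidental corruption but a deliberate change can be crafted to keep the same CRC value, which a cryptographic hash prevents. The directory contents are constructed in a temporary folder.

```python
"""Checksum baseline plus periodic re-check, as the slide describes.
Added example, not from the slides. SHA-256 is used in place of the slide's CRC
because a CRC can be kept unchanged by a deliberate edit; a cryptographic hash cannot."""
from __future__ import annotations
import hashlib
import os
import tempfile


def checksum_tree(root: str) -> dict[str, str]:
    """Baseline (first run) or re-scan (later runs): relative path -> digest."""
    sums: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                sums[rel] = hashlib.sha256(fh.read()).hexdigest()
    return sums


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report differences since the baseline. This is the slide's caveat in code:
    the checker says that bytes changed, never why (patch, log write, or infection)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed directory tree, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("bin/login", b"original program bytes")      # constructed contents
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = checksum_tree(root)

        write("bin/login", b"original program bytez")      # same size, one byte changed
        write("tmp/dropped.exe", b"new file")              # a file that was not in the baseline
        os.remove(os.path.join(root, "etc/hosts"))
        return compare(baseline, checksum_tree(root))


if __name__ == "__main__":
    print(demo())
```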

Operating System Security

Process Monitoring - Process monitoring observes system activity and intercepts anything that looks suspicious. For example, the BIOS in most of today’s desktop computers contains an antivirus setting. When enabled, this setting allows the computer to intercept all write attempts to the master boot record. If a boot sector virus attempts to save itself to this area, the BIOS interrupts the request and prompts the user for approval. (Mastering Network Security, Second Edition)

Firewall

Firewalls are usually “a combination of hardware or software or both, placed between two networks in order to protect an internal network from outside influences”. (Security+ Network Exam Guide)

Firewalls

Three types of firewalls:

Packet Filters

This type of firewall examines UDP and TCP ports and packet header information. Based on that information and security policies, determinations are made as to which traffic traverses the network.

Stateful packet filters

“Have the ability to remember detailed information about packets that have previously passed through them. Then, they are able to compare and analyze this information and decide whether to let certain packets through the firewall. In other words, a stateful firewall can compare incoming requests to outbound messages and see if there is a relationship between the two. If not, the firewall can block the incoming” or outgoing requests. (Security+ Network Exam Guide)
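The difference between the two filter types above, simulated in Python on a few constructed packets. This is an added example, not code from the slides or from any firewall product; the 10.0.0.0/24 internal range and all addresses are made up.

```python
"""Packet filter versus stateful packet filter, simulated on constructed packets.
Added example, not from the slides; addresses and the internal range are made up."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # connection teardown flag


def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")   # constructed internal range


class PacketFilter:
    """Decides from header fields alone. To let replies to outbound web requests
    back in, it has to admit any inbound packet aimed at a high port, so an
    outsider can reach an internal high-port service without any prior request."""
    def __init__(self, allowed_outbound_ports: set[int]):
        self.allowed = set(allowed_outbound_ports)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            return pkt.dport in self.allowed
        return pkt.dport >= 1024   # "probably a reply" is all it can say


class StatefulPacketFilter:
    """Remembers outbound connections and admits an inbound packet only when it
    matches one of them (compares incoming requests to outbound messages, as quoted)."""
    def __init__(self, allowed_outbound_ports: set[int]):
        self.allowed = set(allowed_outbound_ports)
        # (internal ip, internal port, external ip, external port)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.dport not in self.allowed:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.fin:
                self.table.discard(key)   # connection closing: forget it
            else:
                self.table.add(key)
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False                  # no matching outbound request: blocked
        if pkt.fin:
            self.table.discard(key)
        return True


if __name__ == "__main__":
    fw = StatefulPacketFilter({80, 443})
    print(fw.allow(Packet("203.0.113.10", 443, "10.0.0.5", 51000)))   # False: unsolicited
    print(fw.allow(Packet("10.0.0.5", 51000, "203.0.113.10", 443)))   # True: outbound request
    print(fw.allow(Packet("203.0.113.10", 443, "10.0.0.5", 51000)))   # True: matching reply
```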

Firewalls

Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a neutral area between an internal network and the Internet that typically contains one host system or a small network of systems. The DMZ sits between a private and a public network and can be made up of one or several systems that house Web pages and non-critical company data that can be accessed from outside an intranet or LAN. (Security+ Exam Guide)

Know what your company’s Security Policy is and configure network firewalls accordingly.

IDS

IDS has traditionally been all about analyzing network traffic to look for evidence of attack. Increasingly, however, IDS is also about scanning access logs and analyzing the characteristics of files to see if they have been compromised.

IDS

Types of Intrusion Detection Systems

Network Intrusion Detection System (NIDS): Analyzes packets on a network and tries to determine if a cracker is trying to break into a system or cause a denial of service (DoS) attack. An NIDS typically runs on a hub or a router, analyzing all traffic flowing through that device. Snort, which we’ll look at later in this chapter, is an example of an NIDS.

Host Intrusion Detection System (HIDS): Similar to an NIDS, an HIDS analyzes network traffic sent to and from a single machine. Most of today’s commercial NIDSs usually have some sort of HIDS element, and these systems are called hybrid IDSs.

System Integrity Verifier (SIV): Keeps track of critical system files and notifies an administrator when they are altered (usually by a cracker attempting to replace a valid copy with a Trojan horse). Tripwire, which is discussed later in this chapter, is an example of an SIV.

Security Policy

In most security conscious businesses, policies and procedures are implemented to provide a set of rules and standards for employees that represent management philosophies and opinions. Most company policies include certain sets of guidelines, standards, and procedures that should be implemented, enforced, and updated continuously to reflect changes in management wishes and direction properly. (Security+ Exam Guide)

Security Policy

A security policy is a detailed document that simply specifies how an organization will protect the business resources and assets. (Security+ Exam Guide)

Security Policy

The security policy creation process typically begins by assessing the threats or risks that exist and developing a response team that will be implemented and empowered to respond to security related threats and issues. Next, usage policy statements are often created to identify the roles and responsibilities of specific employees. All company employees should be educated on the importance of the security policy and their roles regarding the security policy. Other statements are often added to the security policy, such as vendor or partner usage statements that specify the roles and responsibilities of clients and other third parties. (Security+ Exam Guide)

Conclusion

Reference

http://www.infosecwriters.com/text_resources/pdf/malware_DDanchev.pdf

http://www.securityfocus.com/infocus/1666

http://staff.science.uva.nl/~delaat/sne-2006-2007/p17/report.pdf

Security+ Exam Guide

http://www.cs.virginia.edu/~robins/Malware_Goes_Mobile.pdf

http://www.imconf.net/imc-2006/papers/p33-kalafut.pdf