
Malware and Intrusion Detection

Chapter Two
Introduction to Computer Viruses & Vulnerabilities
Objectives
• Explain the component parts of computer viruses and vulnerabilities in general
• Define the key terms and critical concepts of computer viruses and vulnerabilities
• Describe the types of computer viruses and vulnerabilities

Guide to Firewalls and VPNs, 3rd Edition 2


Overview
• Viruses and other malware are software programs that attack vulnerabilities in legitimate software and in human behaviour
• Computer viruses/malware (malicious software) have evolved into crimeware and ransomware
• No longer created just for fun by bored youths with too much spare time and something to prove
• Today, legitimate technologies are used as tools for online crime by organized crime groups, terror organizations and aggressive governments
• Intrusion detection is a good soldier in a losing battle against malicious attackers
Stages of a typical Crimeware attack

1. Crimeware is distributed
2. It infiltrates/infects a computer platform
3. Crimeware executes:
– Scans the user’s hard drive for sensitive information
– Intercepts the user’s keystrokes
– Transmits the collected information
• Directly to the attacker
• Indirectly to the attacker via a misused legitimate server
– Carries out a man-in-the-middle attack on the user’s transactions





Malware Threats

Some categories of malicious software threats:


• Keyloggers and Screenscrapers
• Email and Instant Messaging Redirectors
• Session Hijackers
• Web Trojans
• Transaction Generators
• Rootkits
• System Reconfiguration Attacks



Keyloggers (Software/Hardware)
• Programs or devices that monitor data being input into a machine
• Software keyloggers install themselves into a web browser or as a device driver; hardware keyloggers are physical devices placed inline with the keyboard
• Send the captured data to a remote server



Software Keyloggers
• Application-level keylogger software
– Uses a hooking mechanism to intercept keystroke data
– System hooks
• A mechanism that allows interception of Windows messages, commands or process transactions, including the associated keyboard events
– Browser helper object (BHO)
• Detects changes to the URL and logs the entered information when the URL matches a designated credential-collection site



Kernel-Level Keyloggers
• Implemented as a kernel-level device driver (still software, but below application-level defences)
– Receives data directly from the keyboard driver stack
– Installs a layered (filter) device driver that inserts itself into the chain of devices that process keystrokes
– Stores keyboard and mouse input while monitoring user activity
• Hardware keyloggers, by contrast, are physical devices placed inline between the keyboard and the computer (or built into the keyboard) and are generally invisible to software running on the host



Screenscraper
• Monitors both the user’s inputs and portions of the
display



Redirectors
• Used for Corporate espionage and Personal
Surveillance
• Email Redirectors
– Programs that intercept and relay outgoing emails
– Sends an additional copy to an unintended address
to which an attacker has access
• Instant Messaging Redirectors
– Monitor instant messaging applications and transmit
transcripts to an attacker



Session Hijackers
• An attack in which a legitimate user session is
commandeered
• A user’s activities are monitored by a malicious browser
component
• When the user logs into his/her account or initiates a
transaction, the malware ‘hijacks’ the session to
perform malicious actions (e.g. transferring money)
once the user has legitimately established his/her
credentials



Session Hijackers (cont’d.)
• Implementation:
– Locally on the victim’s computer, by malware
– Remotely, by a man-in-the-middle attack



Web Trojans
• Malicious programs that pop up over login screens to
collect credentials
• Once installed on a machine, the trojan silently waits for the user to visit a particular web site (or a set of web sites)
• When the user visits that site, the trojan places a fake login window on top of the site’s actual login window
• The user tries to log in normally, thinking he/she is entering information into the web site, but the information is captured locally and transmitted to the attacker for misuse
– E.g. Infostealer.Banker.D
Transaction Generators
• Typically targets a computer inside a transaction-processing centre, such as a credit card processing server, rather than an end user’s computer
• Generates fraudulent transactions for the benefit of the attacker from within the payment processor
• Can also be installed on an end user’s machine as some type of web browser extension or plug-in



Rootkits
• Software that hides the presence and activity of
malicious software
• Types:
– Simple, crude replacements of the administrative tools commonly used to list running processes, files and network connections on a computer
– Complex, sophisticated kernel-level patches that enforce the invisibility of protected malicious code even to detectors with access to kernel-level data structures



System Reconfiguration attacks
• Modify settings on a user’s computer so that information is compromised
• Types:
– Proxy attacks
• A form of man-in-the-middle attack
• Install a proxy (e.g. an HTTP proxy, a TCP/IP driver, a browser helper object) through which the user’s network traffic is passed
– Hostname lookup attacks/pharming



Hostname Lookup Attacks/ Pharming
• By intrusion
– Interferes with the DNS (Domain Name System) lookup service by compromising a DNS server and modifying its records
– Alters the system configuration of the victim’s computer to point it at a malicious DNS server
• By malware
– Polluting the user’s DNS cache
– Modifying the hosts file on the victim’s PC (a PC consults its hosts file to see whether a domain or hostname is already known before querying DNS)
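Worked example (added here, not part of the original slides): a small host-side check for the two malware-side pharming techniques above. It parses a hosts file and flags any watched domain that is pinned to a non-loopback address, and it parses a resolv.conf and flags any nameserver that is not on an approved list. The hosts and resolv.conf contents, the watched-domain list and the approved-resolver list are all constructed for the demo and are not from the slides.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inputs (not taken from a real host): a hosts file with
# two pharming-style entries, and a resolv.conf pointing at a rogue resolver.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Legitimate developer override
127.0.0.1   dev.internal.example
# Pharming pattern: a bank and a webmail host pinned to external addresses
203.0.113.45   www.examplebank.com examplebank.com
198.51.100.7   login.example-mail.net
"""

SAMPLE_RESOLV = """\
# Generated by the network manager
nameserver 192.0.2.53
nameserver 10.0.0.2
"""

# Assumed policy for the demo: domains the user cares about, and the resolvers
# the organisation actually operates. Neither list comes from the slides.
WATCHED_DOMAINS = {"www.examplebank.com", "examplebank.com", "login.example-mail.net"}
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment hosts line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Flag watched domains that resolve to anything other than loopback.

    A hosts entry is consulted before DNS, so pinning a bank's hostname to an
    attacker-controlled address silently redirects every visit.
    """
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(line_no, address, " ".join(hostnames),
                                    "unparseable address"))
            continue
        for name in hostnames:
            if name.lower() in watched and not ip.is_loopback:
                findings.append(Finding(line_no, address, name,
                                        "watched domain pinned to non-loopback address"))
    return findings


def audit_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return nameserver addresses in resolv.conf that are not on the approved list."""
    rogue = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver" and fields[1] not in approved:
            rogue.append(fields[1])
    return rogue


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
    for ns in audit_resolvers(SAMPLE_RESOLV):
        print(f"resolv.conf: unapproved nameserver {ns}")
```

On a real machine you would feed it the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) and /etc/resolv.conf; the check is only as good as the watch-list and approved-resolver list you maintain, and it does not see DNS-cache poisoning, which needs to be checked by comparing answers from the local resolver against an independent one.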
Vulnerabilities
• Infection point = where system state is altered (permanently or temporarily) to include malicious code or poisoned data
• Data compromise point = where the attacker actually obtains the sensitive information
• Jargon: a zero-day vulnerability is one for which no vendor fix is available at the time it becomes known or is first exploited; a zero-day exploit is code that attacks such a vulnerability



Attacks - Types of Malicious Software

Virus
• Malware that tries to replicate itself into other executable code when executed
• When it succeeds, the code is said to be infected
• When the infected code is executed, the virus also executes

Worm
• A computer program that runs independently
• Can propagate a complete working version of itself onto other hosts on a network

Logic Bomb
• A program inserted into software by an intruder
• Lies dormant until a predefined condition is met
• The program then triggers an unauthorized act

Trojan Horse
• A computer program that appears to have a useful function
• Also has a hidden and potentially malicious function that evades security mechanisms
• Sometimes exploits the legitimate authorizations of the system entity that invokes the Trojan horse program



Attacks - Types of Malicious Software (cont’d.)

Backdoor (Trapdoor)
• Any mechanism that bypasses a normal security check
• May allow unauthorized access to functionality

Mobile Code
• Software (e.g. a script, macro or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics

Exploit
• Code specific to a single vulnerability or set of vulnerabilities

Downloader
• Program that installs other items on a machine that is under attack
• Usually sent in an email

Auto-rooter
• Malicious hacker tools used to break into new machines remotely

Kit (virus generator)
• Set of tools for generating new viruses automatically

Spammer program
• Used to send large volumes of unwanted e-mail



Attacks - Types of Malicious Software (cont’d.)

Flooder
• Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack

Keylogger
• Captures keystrokes on a compromised system

Rootkit
• Set of hacker tools used after an attacker has broken into a computer system and gained root-level access

Zombie, Bot
• Program installed on an infected machine that is activated to launch attacks on other machines

Spyware
• Software that collects information from a computer and transmits it to another system

Adware
• Advertising that is integrated into software
• Results in pop-up ads or redirection of a browser to a commercial site



General Countermeasures
1. Interfere with the Distribution of Malware and
Prevent Infection of Computing Platform
– Spam filters
– Intrusion Detection
– Patching
– Firewall
– Antivirus
2. Prevent malware from executing
– A low-level mechanism ensuring that only certified (signed or allow-listed) code can execute; this prevents many attacks but is too restrictive for legitimate uses of uncertified code
General Countermeasures (cont’d.)

3. Prevent removal of confidential data from storage
– Specialized hardware: trusted computing
4. Prevent user from providing confidential
information
– “White-hat keyloggers”
– Hardware-level trusted path that ensures keyboard
data is encrypted for intended data recipient
5. Interfere with the ability of the attacker to receive
and use confidential data



Intrusion Threats and Vulnerabilities
• The following categories of coding vulnerabilities (the “Seven Pernicious Kingdoms” taxonomy, plus Environment) open doors to malicious attacks:
1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Error Handling
6. Code Quality
7. Encapsulation
8. Environment
Input Validation and Representation
• Caused by metacharacters, alternate encodings and numeric representations in untrusted input that the program fails to validate
• Examples:
– Buffer Overflow
• Writing outside the bounds of allocated memory
• Corrupts data, crash programs, cause execution of
attack payload
– Command Injection
• Executing commands from an untrusted source or in
an untrusted environment can cause an application to
execute malicious commands on behalf of an attacker
Input Validation and Representation
(cont’d.)
– Cross-Site Scripting
• Sending unvalidated data to a web browser
• Results in browser executing malicious code (scripts)
– Format String
• Allows an attacker to control a function’s format string (e.g. user input passed as the format argument of printf)
• Results in memory disclosure or arbitrary memory writes, and from there code execution
– HTTP Response Splitting
• Writing unvalidated data into an HTTP header
• Allows attacker to specify entire HTTP response
displayed by browser



Input Validation and Representation
(cont’d.)
– Illegal Pointer Value
• A function (such as a bounded search) can return a pointer to memory outside the buffer being searched
• Subsequent operations on that pointer have unintended consequences
– Integer Overflow
• Causes Logic errors and Buffer overflows
– Log Forging
• Writing unvalidated user input into log files
• Allows an attacker to forge log entries or inject
malicious content into logs
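Worked example (added here, not part of the original slides) covering the two CR/LF problems on these slides, HTTP response splitting and log forging: the same unvalidated line break lets one input become a second log record or a second HTTP response. The attacker inputs are constructed for the demo; the header builder is a toy, not any framework’s code.

```python
import re

CR_OR_LF = re.compile(r"[\r\n]")


# --- Log forging ------------------------------------------------------------

def log_line_insecure(username):
    # Raw user input goes straight into the log record
    return f"Login failed for user: {username}"


def sanitize_log_field(value):
    """Escape every non-printable character (CR, LF, ESC, NUL, ...) so one input
    can never produce a second, forged log line or a terminal escape sequence."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in value)


def log_line_secure(username):
    return f"Login failed for user: {sanitize_log_field(username)}"


# --- HTTP response splitting ------------------------------------------------

class HeaderInjection(ValueError):
    pass


def build_redirect_insecure(location):
    # The Location header is assembled from unvalidated input
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def build_redirect_secure(location):
    # Refuse any header value that can terminate the header line
    if CR_OR_LF.search(location):
        raise HeaderInjection("CR/LF in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def count_response_heads(raw):
    """Crude count of HTTP status lines: more than one means the stream was split."""
    return len(re.findall(r"HTTP/1\.[01] \d{3} ", raw))


def rejects_injection(location):
    try:
        build_redirect_secure(location)
    except HeaderInjection:
        return True
    return False


# Constructed attacker inputs for the demo
FORGED_USER = "guest\nLogin succeeded for user: admin"
SPLIT_LOCATION = ("/home\r\nContent-Length: 0\r\n\r\n"
                  "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nowned")
```

The header check must run on the value as it will be written: if the framework percent-decodes query parameters before your code sees them, check the decoded value; if it does not, a `%0d%0a` that is never decoded is harmless and should not be flagged.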



Input Validation and Representation
(cont’d.)
– Path Traversal
• Allows user input to control paths used by the application
• Enables an attacker to access otherwise protected files
– Process Control
• Executing commands or loading libraries from an untrusted source or in an untrusted environment
• Causes an application to execute malicious commands/payloads on behalf of an attacker
– Resource Injection
• Allows user input to control resource identifiers
• Enables an attacker to access or modify otherwise
protected system resources
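Worked example (added here, not part of the original slides) for the path traversal item: a naive join beside a resolver that keeps every request inside the document root, including the alternate-encoding and NUL cases the input-validation slide warns about. The document root and the request paths are assumed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demo; not from the slides
DOCUMENT_ROOT = "/srv/app/public"


def resolve_insecure(base, user_path):
    """Naive join: '../' segments walk straight out of the document root."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_secure(base, user_path):
    """Return an absolute path inside base, or None if user_path escapes it."""
    base = posixpath.normpath(base)
    # An absolute user path would make join() discard base entirely
    if posixpath.isabs(user_path):
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # Containment check with the trailing separator, so that
    # '/srv/app/public_old' is not mistaken for a child of '/srv/app/public'
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def resolve_request(base, raw_path):
    """Handle the representation issues first (one round of percent-decoding,
    embedded NUL), then apply the containment check."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return None
    return resolve_secure(base, decoded)


if __name__ == "__main__":
    print(resolve_insecure(DOCUMENT_ROOT, "../../../etc/passwd"))   # /etc/passwd
    print(resolve_secure(DOCUMENT_ROOT, "../../../etc/passwd"))     # None
    print(resolve_request(DOCUMENT_ROOT, "%2e%2e/%2e%2e/%2e%2e/etc/passwd"))  # None
```

Before opening the result on a real filesystem, also pass it through os.path.realpath and repeat the containment check, so that a symlink planted inside the document root cannot lead outside it; posixpath is used here only so the string checks behave the same on every platform.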
Input Validation and Representation
(cont’d.)
– Setting Manipulation
• Allows external control of system settings
• Disrupts service or cause an application to behave in
unexpected ways
– SQL Injection
• Constructing a dynamic SQL statement with user input
• Allows an attacker to modify the statement’s meaning
or execute arbitrary SQL commands
– String Termination Error
• Relying on a terminating NUL that the data may not have (e.g. a buffer filled by strncpy()) is a reliability problem
• Reads and writes then run past the end of the buffer: a buffer overflow
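Worked example (added here, not part of the original slides) for the SQL injection item: the dynamic statement beside the parameterized one, run against an in-memory SQLite table with constructed rows, so the two attacker inputs can be tried against both.

```python
import sqlite3


def setup_demo_db():
    """In-memory table with constructed demo rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, name, pw):
    """Dynamic SQL assembled from user input: the injection sink."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Constructed attacker inputs
COMMENT_OUT_PASSWORD = "alice' --"   # closes the quoted name, comments out the password check
TAUTOLOGY = "' OR '1'='1"            # makes the WHERE clause true for every row


if __name__ == "__main__":
    db = setup_demo_db()
    print(login_vulnerable(db, COMMENT_OUT_PASSWORD, "wrong"))   # ['alice']
    print(login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))            # ['alice', 'bob']
    print(login_parameterized(db, TAUTOLOGY, TAUTOLOGY))         # []
```

Parameter binding is the fix; escaping quotes by hand is not, because the meaning of the statement still depends on the input. Storing passwords in plaintext, as the demo table does, is a separate flaw covered under Security Features.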
Input Validation and Representation
(cont’d.)
– Struts:
• Duplicate Validation Forms
– Multiple validation forms with the same name
– Validation logic is not up-to-date
• Erroneous validate() Method
– The validation form defines a validate() method but
fails to call it properly
• Form Bean Does Not Extend Validator Class
– All Struts forms should extend a Validator class
• Form Field without Validator
– Every field in a form should be validated in the
corresponding validation form
Input Validation and Representation
(cont’d.)
– Struts:
• Plug-in Framework not in use
– Use Struts Validator to prevent vulnerabilities that result from
unchecked input
• Unused Validation Form
– Indicates validation logic is not up to date
• Unvalidated Action Form
– Every Action form must have a corresponding validation form
• Validator Turned Off
– This Action form mapping disables the form’s validate()
method
• Validator Without Form Field
– Indicates validation logic is out-of-date



Input Validation and Representation
(cont’d.)
– Unsafe JNI
• Improper use of Java Native Interface (JNI)
• Java applications vulnerable to security flaws in other
languages (Language-based encapsulation - broken)
– Unsafe Reflection
• An attacker can create unexpected control flow paths
through the application, bypassing security checks
– XML Validation
• Failure to enable validation (against a schema or DTD) when parsing XML
• Allows an attacker to supply malicious input the application does not expect



API (Application Programming
Interface) Abuse
• An API is a contract between a caller and a callee.
Abuses happen when the contract is not followed
exactly
• Examples:
– Dangerous Function
• Unsafe functions should never be used
– Directory Restriction
• Improper use of chroot( ) system call may allow
attackers to escape a chroot jail



API (Application Programming
Interface) Abuse (cont’d.)
– Heap Inspection
• Do not use realloc() to resize buffers that store sensitive
information
– J2EE Bad Practices
• getConnection()
– The J2EE standard forbids direct management of connections; use the container’s connection pool
• Sockets
– Socket-based communication in web applications is error-prone; use the container’s protocol support
– Unchecked Return Value
• Ignoring a method’s return value
• Causes the program to overlook unexpected states and conditions
API (Application Programming
Interface) Abuse (cont’d.)
– Often Misused:
• Authentication
• Exception Handling
– A dangerous function can throw an exception and crash a
program
• Path Manipulation
– Passing an inadequate sized output buffer to a path
manipulation function results in a buffer overflow
• Privilege Management
– Failure to follow the principle of least privilege amplifies risks
posed by other vulnerabilities
• String Manipulation
– Functions that manipulate strings encourage buffer overflows



Security Features
• Insecure Randomness
– Standard pseudo-random generators cannot withstand
cryptographic attacks
• Least Privilege Violation
– The elevated privilege level required to perform operations
such as chroot () should be dropped immediately after the
operation is performed
• Missing Access Control
– The program does not perform access control checks in a
consistent manner across all potential execution paths
• Privacy Violation
– Mishandling private information (e.g. customer passwords or identification numbers) compromises user privacy and is often illegal
Security Features (cont’d.)
• Password Management:
– Storing a password in plaintext
• Results in system compromise
– Empty Password in Configuration File
• Using an empty string as a password is insecure
– Hard-Coded Password
• Compromises system security in a way that cannot be easily remedied: the password can only be changed by shipping new code
– Password in Configuration File
• Storing a plaintext password in a configuration file results in system compromise
– Weak Cryptography
• Obscuring a password with a trivial encoding (e.g. base64) does not protect the password
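Worked example (added here, not part of the original slides) for the password management items: the “weak cryptography” case, where a base64-obscured password is recovered with no key at all, beside salted, slow, one-way storage with PBKDF2-HMAC-SHA256 and a constant-time verify. The iteration count is an assumed work factor for the demo.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the demo (PBKDF2-HMAC-SHA256); tune to your hardware
PBKDF2_ITERATIONS = 600_000


# "Weak cryptography": trivial encoding only hides the password from a glance
def obscure_password(password):
    return base64.b64encode(password.encode()).decode()


def recover_obscured(token):
    """Anyone holding the stored token recovers the password with no key at all."""
    return base64.b64decode(token).decode()


# Proper storage: salted, slow, one-way
def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    if not password:
        raise ValueError("empty password not allowed")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the work factor can be raised later per user
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256" or not password:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: no timing side channel on the digest
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    token = obscure_password("hunter2")      # constructed demo password
    print(token, "->", recover_obscured(token))
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

A purpose-built password hash (scrypt, bcrypt or Argon2) is preferable where a library is available; the structure is the same: per-user salt, tunable cost, and a comparison that does not short-circuit.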



Time and State
• Distributed Computation – time and state important
– shared for communication
• Examples:
– Deadlock
• Inconsistent locking discipline leads to deadlock
– Failure to Begin a New Session Upon Authentication
• Using the same session ID across an authentication
boundary
• Attacker can hijack authenticated sessions



Time and State (cont’d.)
• File Access Race Condition: TOCTOU (time-of-check to time-of-use)
– The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack
• Insecure Temporary File
– Creating and using insecure temporary files
– Application and system data vulnerable to attack
• Signal-Handling Race Conditions
– Signal handlers may change a shared state relied
upon by other signal handlers/application code
– Causes unexpected behaviour
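Worked example (added here, not part of the original slides) for the TOCTOU and insecure temporary file items: a check-then-use file creation that an attacker redirects with a dangling symlink, beside an atomic create that refuses symlinks and inspects the descriptor it actually opened. The demo simulates the attacker having already won the race, runs in a temporary directory, and assumes a POSIX system with os.O_NOFOLLOW.

```python
import os
import stat
import tempfile


def create_report_insecure(path, data):
    """Check-then-use: the existence test and the open() are separate steps, and
    open() follows symlinks, so a link planted in between redirects the write."""
    if os.path.exists(path):            # False for a dangling symlink
        raise FileExistsError(path)
    with open(path, "w") as fh:
        fh.write(data)


def create_report_secure(path, data):
    """Atomic create-if-absent that refuses to follow a symlink, then checks the
    descriptor it actually holds instead of re-checking the path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)    # fails if anything, link included, is at path
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("not a regular file")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def symlink_race_demo(workdir):
    """Attacker has already planted a dangling symlink at the path the program
    will write. Returns (insecure_was_redirected, secure_refused)."""
    target = os.path.join(workdir, "victim_file")      # does not exist yet
    report = os.path.join(workdir, "report.txt")
    os.symlink(target, report)

    create_report_insecure(report, "attacker-chosen content")
    insecure_redirected = os.path.isfile(target)        # the write landed on the target

    os.unlink(report)
    os.unlink(target)
    os.symlink(target, report)
    try:
        create_report_secure(report, "attacker-chosen content")
        secure_refused = False
    except OSError:                                     # EEXIST or ELOOP, both refusals
        secure_refused = True
    return insecure_redirected, secure_refused


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        return symlink_race_demo(workdir)


if __name__ == "__main__":
    print(run_demo())   # (True, True)
```

For temporary files the same rule applies in library form: tempfile.mkstemp() opens with O_CREAT|O_EXCL and a random name in one step, whereas building a predictable name and then opening it gives the attacker exactly this window.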
Time and State (cont’d.)
• J2EE Bad Practices:
– System.exit ()
• A web application should not attempt to shut down its
container
– Threads
• Thread management in a web application is forbidden
in some circumstances
• Highly error-prone



Error Handling
• Forgetting to handle errors or producing errors that
give out too much information to possible attackers.
• Examples:
– Catch NullPointer Exception
• Should not be used as an alternative to programmatic
checks to prevent dereferencing a null pointer
– Empty Catch Block
• Ignore exceptions and other error conditions
• Allows attacker to cause unexpected behaviour
unnoticed



Error Handling (cont’d.)
– Overly Broad Catch Block
• Catching overly broad exceptions promotes complex
error-handling code
• More chances of security vulnerabilities
– Overly Broad Throws Declaration
• Throwing overly broad exceptions promotes complex
error-handling code
• More chances of security vulnerabilities
– Unchecked Return Value
• Ignoring a method’s return value
• Cause program to overlook unexpected states and
conditions
Code Quality
• Poor code quality leads to unpredictable behaviour and an
opportunity for the attacker to stress the system in unexpected
ways
• Malicious code that targets poor-quality code is more common
than malicious code that targets high-quality code
• Examples:
– Double Free
• Calling free() twice on the same memory address
• Corrupts the allocator’s heap metadata and can lead to a buffer overflow or an arbitrary write
– Inconsistent implementations
• Functions with inconsistent implementations across OS and OS
versions
• Portability Problems



Code Quality (cont’d.)
– Memory Leak
• Memory is allocated but never freed
• Leads to resource exhaustion
– Null Dereference
• The program can potentially dereference a null pointer
• Raises a NullPointer Exception
– Obsolete
• Use of deprecated or obsolete functions
• Indicates neglected code
– Undefined Behaviour
• The behaviour of this function is undefined unless its control
parameter is set to a specific value



Code Quality (cont’d.)
– Uninitialized Variable
• The program can potentially use a variable before it
has been initialized
– Unreleased Resource
• The program can potentially fail to release a resource
– Use After Free
• Referencing memory after it has been freed can cause a program to crash, corrupt data, or execute attacker-controlled code



Encapsulation
• Encapsulation deals with drawing strong boundaries
between things and setting up barriers between them
• Examples:
– Comparing Classes by Name
• Leads a program to treat two classes as the same when
they are actually different
– Data Leaking Between Users
• Data can leak from one session to another through member variables of singleton objects (e.g. servlets) and objects from a shared pool
– Leftover Debug Code
• Debug code can create unintended entry points in an
application
Encapsulation (cont’d.)
– Mobile code:
• Object Hijack
– Attackers can use cloneable objects to create new
instances of an object without calling its
constructor
• Use of Inner Class
– Inner classes are translated into classes that are
accessible at package scope
– Exposes private code to attackers
• Nonfinal Public Field
– An attacker can manipulate nonfinal public
variables to inject malicious values
Encapsulation (cont’d.)
– Private Array-Typed Field Returned from a Public Method
• Contents of a private array is altered unexpectedly through
a reference returned from a public method
– Public Data Assigned to Private Array-Typed Field
• Equivalent to giving public access to the array
– System Information Leak
• Revealing system data or debugging information helps an
attacker learn about the system and form an attack plan
– Trust Boundary Violation
• Mixing trusted and untrusted data in the same data
structure encourages programmers to mistakenly trust
unvalidated data



Environment
• ASP.Net Misconfiguration:
– Creating Debug Binary
• Debugging messages help attackers learn about the
system and plan a form of attack
– Missing Custom Error Handling
• An ASP.NET application must enable custom error pages to
prevent attackers from mining information from the
framework’s built-in responses
– Password in Configuration File
• Storing a plaintext password in a configuration file can result in system compromise
• Insecure Compiler Optimization
– Improperly scrubbing sensitive data from memory
compromises security
Environment (cont’d.)
• J2EE Misconfiguration:
– Insecure Transport
• The application configuration should ensure that TLS (SSL) is used for all access-controlled pages
– Insufficient Session-ID Length
• Session IDs should be at least 128 bits long, drawn from a cryptographically secure generator, to prevent brute-force session guessing
– Missing Error Handling
• A web application must define a default error page for 404 and 500 errors and catch java.lang.Throwable exceptions
• Prevents attackers from mining information from the application container’s built-in error responses
– Unsafe Bean Declaration
• Entity beans should not be declared remotely
– Weak Access Permissions
• Permission to invoke EJB methods should not be granted to the ANYONE role
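Worked example (added here, not part of the original slides) serving the Insufficient Session-ID Length item above and the earlier Time and State item “Failure to Begin a New Session Upon Authentication”: a toy session store that mints 128-bit ids from the OS CSPRNG and, optionally, retires the pre-authentication id at login. With rotation off, the session-fixation attack (attacker plants an id in the victim’s browser, victim logs in, attacker now holds an authenticated session) succeeds; with rotation on it fails. The user table and credential are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_ID_BITS = 128                                  # the slide's minimum
USERS = {"alice": "correct horse battery staple"}      # constructed demo credential


def new_session_id():
    """128 bits from the OS CSPRNG; random.random() output would be guessable."""
    return secrets.token_hex(SESSION_ID_BITS // 8)


def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}

    def create(self):
        """Anonymous session, e.g. for a shopping cart before login."""
        sid = new_session_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, password):
        """Authenticate and return the id the client must use from now on."""
        if not check_password(user, password):
            return None
        session = self._sessions.pop(sid, None) or Session()
        if self.rotate_on_login:
            sid = new_session_id()     # pre-auth id is retired at the auth boundary
        session.user = user
        self._sessions[sid] = session
        return sid


def fixation_succeeds(store):
    """Attacker mints a pre-auth id, plants it in the victim's browser, victim
    logs in. True if the attacker's id is now bound to the victim's account."""
    planted = store.create()
    store.login(planted, "alice", "correct horse battery staple")
    hijacked = store.get(planted)
    return hijacked is not None and hijacked.user == "alice"


if __name__ == "__main__":
    print(fixation_succeeds(SessionStore(rotate_on_login=False)))   # True
    print(fixation_succeeds(SessionStore(rotate_on_login=True)))    # False
```

In a servlet container the equivalent of the rotation step is invalidating the existing HttpSession and creating a new one after the credentials check; the cart data is carried across explicitly, as the store does here, so the user keeps their state but the attacker keeps nothing.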



Classifications of Attacks



Classifications of Attacks (cont’d.)

• Intrusion
– Meant to gain unauthorized access to a system through a
breach in the security of that network or machine on the
network.
• Blocking
– These are attacks designed to prohibit legitimate traffic or
access to the network resources. (e.g. DoS, DDoS)
• Malware
– Software with a malicious intent that is installed on a machine.
This software includes all viruses, worms, trojan horses, etc.
This is the most common threat to all types of users connected
to a network or the Internet.



Summary

Figure downloaded from Hackmageddon

