
Malware and Intrusion Detection

Chapter Three
Understanding Malware and Social Engineering
Understanding Malware
Malicious Software (Malware)
• Installed through devious means
• Symptoms:
– System runs slower
– Unknown processes start
– Sends out email by itself
– Random reboots
– more…

Guide to Firewalls and VPNs, 3rd Edition


Viruses
• Code attaches to a host application
• Virus acts and spreads when the host application is run
• Payload
– Causes damage or delivers a message
– May join computer to a botnet
– Often delayed, so virus can spread

USB Malware
• Can run automatically when the USB device is plugged in
• Since Win XP SP3, "Autorun" is off by default in Windows (http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123)

Virus Characteristics
• Replication mechanism
– Infects other applications
• Activation mechanism
– Executes its objective
• Objective mechanism
– Payload: do damage

Virus Characteristics (cont’d.)
1) Size: The sizes of the program code required for computer viruses are very small.
2) Versatility: Computer viruses have appeared with the ability to generically attack a wide variety of applications.
3) Propagation: Once a computer virus has infected a program, while this program is running the virus is able to spread to other programs and files accessible to the computer system.
4) Effectiveness: Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs, and even the operating system.
5) Functionality: A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions, or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems.
6) Persistence: In many cases, especially in networked operations, eradication of viruses has been complicated by the ability of a virus program to repeatedly spread and reoccur through the networked system from a single copy.
Detailed Description
Virus/Worm types overview:
• Binary File Virus and Worm: These are able to infect over networks. Normally they are written in machine code.
• Binary Stream Worms: Stream worms are a group of network-spreading worms that never manifest as files.
• Script File Virus and Worm: A script virus is technically a file virus, but script viruses are written as human-readable text.
• Macro Virus: Macro viruses infect data files, documents and spreadsheets.
• Boot Virus: The first known successful type of computer virus. These are not able to infect over networks. They take over the boot process of personal computers.
• Multipartite Viruses: Infect both executable files and boot sectors.


File Infection Techniques of Viruses

Overwriting Viruses: These locate another file on the disk and overwrite it with their own copy.

Random Overwriting Viruses: This is another rare variation of the overwriting method; it does not change the code at the top of the file but chooses a random location in the host program and overwrites that location.

Appending Viruses: In this technique the virus code is appended at the end of the program and the first instruction of the code is changed to a jump or call instruction pointing to the starting address of the viral code.

Prepending Viruses: A common virus infection technique uses the principle of inserting virus code at the front of host programs. Such viruses are called prepending viruses.

Cavity Viruses: These typically don't increase the size of the program they infect. Instead they overwrite a part of the code that can be used to store the virus code safely.

Amoeba Infection Technique: This is a rarely seen infection technique where the head part of the viral code is stored at the start of the host program and the tail part is stored after the end of the host program.
Delivery of Viruses
• Attached to email
• Links in spam go to infected websites
• USB drives with viruses

Buckshot Yankee
• US Military compromised by USB-borne virus
• Led to a ban on USB sticks for a while
– http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html

Virus Hoaxes
• Scary email message
• Recommending some unwise action, such as
deleting system files
• To detect hoaxes:
– Antivirus vendor sites
– Urban legend sites like snopes.com

Worms
• Self-replicating malware
• Does not need a host application or user
interaction
• Consumes network bandwidth
• Unlike viruses, worms don't need a host program in order to replicate

LoveBug Worm

• http://www.pcworld.idg.com.au/article/345399/lovebug_worm_hit_10_years_ago_during_simpler_time/
Trojan Horse
• Appears to be a good program, but does
something nasty instead
• Very common in warez (pirated games & apps),
keygens, pirated movies, etc.
• Rogue antivirus "scareware"

Fake Antivirus

• http://www.fixrogues.com/internet-security-2012-virus-removal-guide
Mac Flashback Trojan

• http://www.forbes.com/sites/adriankingsleyhughes/2012/04/05/why-you-should-install-antivirus-on-your-mac/
Logic Bombs
• Code that waits for some event, like a certain date
• Planted by malicious insiders
• Then executes payload
– May destroy data, etc.

• http://www.wired.com/threatlevel/2009/01/fannie/

Rootkits
• Malware that alters system files
• Hides from the user and antivirus
• Conceals files, running processes, and network
connections
• Very difficult to detect and remove

File Integrity Checker
• Can detect system file alterations
• Records hash values of system files, and detects
changes
• Included in some HIDS and antivirus

• http://www.tripwire.com/it-security-software/security-configuration-management/file-integrity-monitoring/
• http://news.cnet.com/FAQ-Sonys-rootkit-CDs/2100-1029_3-5946760.html
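The hash-based check described on the File Integrity Checker slide, as an added Python example that is not code from the book or from Tripwire: it baselines a directory tree with SHA-256, then reports which files were modified, added or removed, using a constructed temporary tree as sample input.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record the hash of every regular file under root, keyed by POSIX-style relative path.
    In practice the baseline is stored off-box or on read-only media, since a rootkit
    that can rewrite system files could otherwise rewrite the baseline to match."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baseline(baseline, root):
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed demo: baseline a small fake system tree, tamper with it the way a
    rootkit would (trojaned binary, dropped hidden file, deleted config), then compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc.conf").write_bytes(b"setting=1\n")
        baseline = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "bin" / ".hidden").write_bytes(b"dropped")
        (root / "etc.conf").unlink()
        return compare_baseline(baseline, root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from trusted media where possible: a kernel rootkit on the live system can hide its changes from tools that run on it.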

Spam and Spam Filters
• Much spam is malicious
• Malicious attachments and links
• Spam filters are useful
– Network-based spam filters
• https://www.barracuda.com/products
– Spam filters on end-user machines

Spim
• Spam over Instant Messaging
• Can be reduced by whitelisting in the IM client
– Image from hotforsecurity.com

Yahoo Messenger Whitelisting

Spyware
• Reports on user's activity to a remote server
• Actions:
– Changing a browser home page
– Redirecting browser
– Installing browser toolbars
– Keylogger to steal passwords
– Often included with a Trojan

• http://blogs.telegraph.co.uk/technology/shanerichmond/100005766/eric-schmidt-getting-close-to-the-creepy-line/
Adware
• Pop-up ads
• Annoying, but not malicious
• Pop-up blockers in browsers are common
• Some software is free, but includes ads
– Not illegal

Backdoors
• Allow an attacker to access a system covertly
• Sometimes manufacturers include secret
backdoors in devices
– Poor security practice

• http://threatpost.com/hp-storage-hardware-harbors-secret-back-door-121510/

• http://world.time.com/2013/04/04/huawei-the-chinese-company-that-scares-washington/
Protection against Malware
• Mail servers
– Scan email for malicious attachments
• All systems
– Put antivirus on all workstations and servers
• Boundaries or firewalls
– Web security gateways block malicious files and sites

Antivirus Software (most popular)
• Detects viruses, Trojans, worms, spyware, rootkits,
and adware
– But some malware gets past it, especially rootkits
• Real-time protection
– Checks every file and device accessed
• Scheduled and manual scans
– Scan the file system

Generations of Antivirus

First generation (simple scanners): the scanner uses a virus signature to identify a virus, or a change in the length of programs.

Second generation (heuristic scanners): uses heuristic rules to spot a viral infection, or a cryptographic hash of each program to spot changes.

Third generation (activity traps): memory-resident programs identify a virus by its actions.

Fourth generation (full-featured protection): packages that combine a variety of antivirus techniques, e.g. scanning, activity traps and access-control capability.
Signature-based Detection
• Signature files
– Also called data definition files
– Contain patterns that match known viruses
– Must be updated frequently
• When a matching file is detected
– It is deleted or quarantined
– Quarantined files can be inspected, but won't do any harm
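The signature-file lookup and quarantine step from the slide above, as an added Python example that is not from the book or any antivirus vendor: the definition table and its dropper pattern are invented for the demo, and a plain substring match stands in for a real engine's pattern matching.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed "definition file": signature name -> byte pattern. Real vendors ship
# many thousands of such patterns and update them daily; this one is invented.
SIGNATURES = {"Demo.Dropper.A": b"\x4d\x5a\x90\x00DEMO-DROPPER"}

def scan_file(path, signatures=SIGNATURES):
    """Return the name of the first signature whose pattern occurs in the file, else None."""
    data = Path(path).read_bytes()
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None

def quarantine(path, qdir):
    """Move a detected file into qdir under a neutral suffix and make it read-only, so it
    is neither executed nor opened by its usual handler but can still be inspected."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (Path(path).name + ".quarantined")
    shutil.move(str(path), str(dest))
    if os.name == "posix":
        os.chmod(dest, 0o400)
    return dest

def scan_tree(root, qdir, signatures=SIGNATURES):
    """Scan every file under root (qdir must lie outside root); quarantine matches and
    return {relative path: signature name} for the files that matched."""
    root, hits = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            name = scan_file(p, signatures)
            if name:
                hits[p.relative_to(root).as_posix()] = name
                quarantine(p, qdir)
    return hits

def demo():
    """Constructed demo: one clean file and one carrying the invented dropper pattern."""
    with tempfile.TemporaryDirectory() as d:
        root, qdir = Path(d) / "files", Path(d) / "quarantine"
        root.mkdir()
        (root / "report.txt").write_bytes(b"quarterly numbers")
        (root / "setup.exe").write_bytes(b"\x4d\x5a\x90\x00DEMO-DROPPER then junk")
        hits = scan_tree(root, qdir)
        return hits, sorted(p.name for p in root.iterdir()), sorted(p.name for p in qdir.iterdir())
```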

Heuristic-based Detection
• Detects suspicious behavior
• Similar to anomaly-based detection in IDS
• Runs questionable code in a virtualized
environment
• Detects "viral activities"
• Prone to false positives

Anti-spyware Software
• Some overlap with antivirus software
• Examples
– Ad-Aware
– Windows Defender
– Spybot—Search and Destroy

Privilege Escalation
• Moving from "User" to "Administrator"
• Not necessary if user logs in as "Administrator" in Windows XP or earlier versions

User Account Control
• Windows 7's "User Account Control" monitors privilege escalation attempts and warns the user

Trusted Operating System
• Provides multilevel security
• Appropriate for a Mandatory Access Control environment
• Security-Enhanced Linux (SELinux)
– Created by the NSA
– Some features included in Linux kernel v. 2.6

Linux Kernel Versions
• http://en.wikipedia.org/wiki/Linux_kernel#Timeline

Other Technologies
Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.

1. Cloud antivirus: Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.

2. Network firewall: Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything.
An illustration of where a firewall would be located in a network.
Recognizing Social Engineering Tactics
Social Engineering Methods
• Flattery and conning
• Assuming a position of authority
• Encouraging someone to perform a risky action
• Encouraging someone to reveal sensitive information
• Impersonating someone who is authorized
• Tailgating—following others into a secure area

Education and Awareness Training

• The single best protection against social engineering

Social Engineering Tactics
• Rogueware and Scareware
– Tricks users into thinking their system is infected
• Phishing
– Email looks like real mail from Paypal, mostly
– Tricks user into logging in to a fake site
– May link to malware

Phishing to Get Money
• Nigerian "419" scam
– Someone has millions of dollars in Nigeria
– Wants to use your bank account to smuggle it to the USA
• Lottery scams
• "Money Mules"
– People who repackage stolen goods and send them to criminals

Spear Phishing
• Spear phishing
– Target a specific set of users with a customized message
– One risk caused by database breaches that reveal email addresses

Whaling
• Targeting high-level executives with phishing attacks

Vishing
• Free, untraceable VoIP (Voice over IP) phone calls
• Spoof Caller ID
• Try to trick target into revealing credit card number, SSN, birthday, etc.

Tailgating
• Following another person closely through a door without showing credentials
• Also called piggybacking
• Can be prevented with mantraps, turnstiles, or security guards

Dumpster Diving
• Searching through trash to find useful documents
– Company directories
– Preapproved credit card applications
– Any Personally Identifiable Information (PII)
• Countermeasures
– Shredding documents
– Burning documents

Impersonation
• Wear a uniform
– Phone repair technician
– Janitor
– Etc.

Shoulder Surfing
• Looking over a person's shoulder
• See passwords typed in
• Countermeasure
– Privacy screens
• http://www.amazon.com/3M-Privacy-Filter-Standard-PF14-1/dp/B00006B8A9
Password masking
• Passwords appear as dots
