10/4/2017

Malware

Video

• https://youtu.be/KaUL-YQk7jM

What is Malware?

• Short for malicious software: hostile, intrusive, annoying
• Malware is created to disrupt computing device operations, gain access to a computer system, or gather sensitive information
• It can appear in the form of code, scripts, active content, or other software

CSC 2003

Malware (contd.)

• Programs planted by an agent with malicious intent to cause unanticipated or undesired effects
• Virus: a program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them
• Worm: a program that spreads copies of itself through a network
• Trojan horse: code that, in addition to its stated effect, has a second, nonobvious, malicious effect

History of Malware

(Figure only; no text was recovered from this slide.)

History of Malware (cont.)

(Figure only; no text was recovered from this slide.)

Harm from Malicious Code

• Harm to users and systems:
  • Sending email to user contacts
  • Deleting or encrypting files
  • Modifying system information, such as the Windows registry
  • Stealing sensitive information, such as passwords
  • Attaching to critical system files
  • Hiding copies of malware in multiple complementary locations
• Harm to the world:
  • Some malware has been known to infect millions of systems, growing at a geometric rate
  • Infected systems often become staging areas for new infections

Transmission and Propagation

• Setup and installer program
• Attached file
• Document viruses
• Autorun
• Using nonmalicious programs:
  • Appended viruses
  • Viruses that surround a program
  • Integrated viruses and replacements

Malware Activation

• One-time execution (implanting)
• Boot sector viruses
• Memory-resident viruses
• Application files
• Code libraries

User-level & Kernel processes

• A layered representation of computing devices
• Infection at an inner layer affects more than infection at an outer layer
• Malware embedded in the hardware layer is the most dangerous
• Infection at the application software/apps layer affects the device the least

User-level & Kernel processes

• User (level) process/application
  • Runs as a user application program, or as part of a user application program
  • It may exist as a DLL (dynamic-link library)
  • Example: autorun.bat
• Kernel (level) process
  • Hooks itself into the kernel of the OS
  • Has the highest privileges after infection
  • Usually modifies the Interrupt Descriptor Table
  • Gets executed every time the particular interrupt is generated
  • Infection requires administrative/super-user privileges

Viruses

• It can replicate (like its biological counterpart)
• It is, of course, man-made
• It can alter your files
• It can spread from one directory to another
• Modern viruses may do much more:
  • Hide inside executable software files
  • Run when the executable file is loaded
  • Make a copy and insert the copy into other executable software files
  • Mutate to evade detection
  • May not spread over the network or the Internet

Viruses: Operations and Functions

• A viable virus must contain a search routine
• A viable virus must contain an infection mechanism
• It must have a trigger (logic bomb)
  • For example, activation during execution of a piece of software
• It may carry a payload
• Phases of a virus: dormant phase, propagation phase, trigger phase, execution phase

Target-based Classification

• Compiled viruses
  • Compiled executable instructions
  • File infection
  • Boot sector infection
• Interpreted viruses
  • Macro
  • Script
• Multipartite viruses

Compiled-file infection virus

• It can infect executable files by:
  • Appending at the end
  • Prepending at the beginning
  • Overwriting some function in the executable
• Cavity virus: finds a gap and inserts a pointer to the location of the virus code
• Compressing virus: compresses the host and its own code to keep the file size about the same
• Amoeba virus: copies the entire host program into its body after the header
  • The header part of the virus is at the top
  • The host program is in the middle
  • The virus body is at the end

Compiled-file infection virus

• Entry-point obfuscation or call hooking
  • The body of the virus is inserted at a function/subroutine point in the host file
  • A virus may use multiple obfuscation techniques to make detection harder
• Companion virus, if the OS supports multiple extensions for executable files
  • For example: Windows has .com, .exe, and .bat files with decreasing execution order
  • A virus may use the same file name but a different extension, usually the extension with the highest execution priority
  • It may change the extension of existing files
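A defender-side check for the companion-virus trick described above, added here as an example that is not from the slides: it lists every base name in a directory that carries more than one of the .com/.exe/.bat extensions, ordered by the execution precedence the slide states, so the file that would actually run can be reviewed. The function names and the sample listing are constructed for illustration.

```python
"""Companion-virus hygiene check (added illustration, not from the slides).

A companion virus relies on the OS picking one of several same-named
files by extension precedence (.com before .exe before .bat, per the
slides). This check lists every base name in a directory that has more
than one executable extension so the higher-precedence file can be reviewed.
"""
import os
from collections import defaultdict
from typing import Dict, List

# Execution-precedence order stated in the slides (first entry runs first).
PRECEDENCE = [".com", ".exe", ".bat"]


def _rank(name: str) -> int:
    """Position of a file's extension in PRECEDENCE (case-insensitive)."""
    return PRECEDENCE.index(os.path.splitext(name)[1].lower())


def find_companion_candidates(names: List[str]) -> Dict[str, List[str]]:
    """Group file names by lower-cased base name and keep only groups with
    two or more executable extensions, ordered so the file the OS would run
    first comes first. Non-executable names (.txt, .dll, ...) are ignored."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        base, ext = os.path.splitext(name)
        if ext.lower() in PRECEDENCE:
            groups[base.lower()].append(name)
    return {base: sorted(files, key=_rank)
            for base, files in groups.items() if len(files) > 1}


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Apply the check to one directory (hypothetical helper name)."""
    return find_companion_candidates(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample listing: 'setup.com' would shadow 'setup.exe'.
    sample = ["setup.exe", "setup.com", "readme.txt", "tool.bat",
              "Backup.bat", "backup.EXE"]
    for base, files in find_companion_candidates(sample).items():
        print(f"{base}: {' > '.join(files)}")
```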

Virus Attachment

(Figure only; no text was recovered from this slide.)

Surrounding Virus

(Figure only; no text was recovered from this slide.)

Compiled-file infection virus

• Code virus: a multi-step process starting with
  • The virus finds a host source file
  • The virus inserts a virus source file
  • The virus compiles the infected host file
  • The virus replaces the original host binary file with the infected source file
  • The virus is now active and hidden in the host


Interpreted viruses

• Interpreted macro virus
• Entry-point obfuscation or call hooking

File Viruses

• Compiled viruses
  • File infection
  • Boot sector infection
• Interpreted viruses
  • Macro
  • Script
• Multipartite viruses

Swapping Memory Viruses

• Swapping memory viruses
  • Only a part of the code is loaded into memory on occurrence of a certain event
  • It then infects the files present in memory, and
  • Unloads the code from memory
  • They can be spotted by increased disk activity due to loading and unloading of viral code
• Non-resident mode
  • User (level) process
  • Kernel (level) process

Swapping Memory - Virus V replacing target T

(Figure only; no further text was recovered from this slide.)

Non-Resident Virus

• Non-resident mode
  • Does not exist in physical memory
  • Has an offline mechanism to search for, and infect, files present on the hard disk
  • They have two key sub-routines: a search sub-routine and a copy sub-routine
• They are also known as direct-action viruses
  • Examples: Virdem, Vienna
• User (level) process
• Kernel (level) process

Virus Signatures

(Figure: an "Original Program" with an "IF (--) JUMP" to a "Separate Virus Module", beside an "Original Program" with "Attached Virus Code"; the "Recognizable signature elements" are marked.)
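The "recognizable signature elements" of the figure, as an added example that is not from the slides: a minimal byte-signature scanner that reports where in a file a known pattern was found (head, tail or body), which hints at prepended, appended or overwriting attachment. The signature bytes are constructed placeholders, not real malware signatures, and the function names are hypothetical.

```python
"""Minimal byte-signature scanner (added illustration, not from the slides).

Signature scanning looks for fixed byte sequences a known virus leaves
in an infected file. Reporting where the match sits (head, tail, body)
hints at how the code was attached: prepended, appended, or written into
the middle. All signature bytes here are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Hypothetical signature database: name -> byte pattern (constructed values).
SIGNATURES: Dict[str, bytes] = {
    "DEMO.Appender": b"\xeb\x10DEMO-APPEND",
    "DEMO.Prepender": b"DEMO-PREPEND\x00",
}

Hit = Tuple[str, int, str]  # (signature name, byte offset, region)


def classify_offset(offset: int, sig_len: int, total: int) -> str:
    """'head' if the match starts the file, 'tail' if it ends it, else 'body'."""
    if offset == 0:
        return "head"
    if offset + sig_len == total:
        return "tail"
    return "body"


def scan_bytes(data: bytes) -> List[Hit]:
    """Return every signature match in data, ordered by offset."""
    hits: List[Hit] = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (off := data.find(sig, start)) != -1:
            hits.append((name, off, classify_offset(off, len(sig), len(data))))
            start = off + 1  # keep searching past this match
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> List[Hit]:
    """Scan one file; reads it fully, so suitable for small executables."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    # Constructed sample: a 'host program' with a demo signature appended.
    host = b"HOST PROGRAM BYTES " * 4
    print(scan_bytes(host))                                 # []
    print(scan_bytes(host + SIGNATURES["DEMO.Appender"]))   # [('DEMO.Appender', 76, 'tail')]
```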

Viruses

• Countermeasures
  • Antivirus software
  • Recovery strategies and methods
  • Removal
  • Operating system reinstallation


Worms

Worms

• Like a virus, it can replicate and spread
• It is, of course, man-made
• It takes advantage of security weaknesses
• It always causes harm to the network
  • It can consume bandwidth
• Harm worms may cause
  • It may carry a payload; for example, it may carry a virus as payload
  • The payload could be anything; for example, the payload may open a backdoor

Worms: Some Examples

• Stuxnet: June 2010
• Supernova worm: July 2010
• Win32.Alcara.F: Feb 2006
• Koobface: Dec 2008

Trojan Horses

Trojan Horses

• A malicious application software
  • Apparently has some usefulness
  • But has hidden malicious software
  • The malicious part can be anything: virus, worm, adware, ransomware, key logger, spyware, bot
• How do they spread?
  • Most of the time through software we download from the Internet
  • Drive-by download
    • A user-authorized download and installation
    • Any download without a person's knowledge
    • Could be included with software the user is installing
• What is the common malicious software in Trojan horses?

Trojan Horses

• What is the common malicious software in Trojan horses?
  • Usually a small executable file, such as droppers, backdoors, rootkits
• How do they compare with viruses and worms?
  • Trojan horses don't inject themselves
  • They don't spread in your computer, but the payload (hidden malicious executables) can spread!
  • They don't spread in your network, but the payload may spread in your network

Trojan Horses: Some Examples

Trojan Horses – In the recent news

• Nemucod now spreading banking trojans in Brazil
  • On the morning of Friday 12th August 2016, ESET researchers noticed a huge outbreak of a new Spy.Banker variant, detected as Spy.Banker.ADEA. It happened at around 12pm CET.
  • This new variant is similar to previous ones used by other banking trojans in South America. During execution, the malware checks if the system's settings are in Portuguese and proceeds with the injection of the banker's payload.
  • The banking trojan spreads along with two modified versions of a popular utility software, which are used to extract usernames and passwords from browsers (Chrome, Firefox, Internet Explorer, and Opera), as well as credentials for local email clients like Outlook. For that, it uses emails with attached files that contain a variant of JS/Danger.ScriptAttachment, whose purpose is to download and execute other malware in the system.

Types of Malware

(Figure only; no text was recovered from this slide.)

Types of Malware (cont.)

(Figure only; no text was recovered from this slide.)

Adware

• Adware is short for "advertising-supported software"
• This type of malware delivers advertisements
• The most common example is pop-up ads that come up on websites

Spyware

• Spyware is a kind of malware that steals information, usually confidential information such as usernames, passwords, browser history, and financial information.
• It may also have additional capabilities such as modifying security settings and interfering with network connections.
• It spreads through software vulnerabilities and by attaching to legitimate software or Trojans.

Keyloggers

• A hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard.
• Can be downloaded on purpose by someone who wants to monitor activity on a particular computer, or
• Can be downloaded unwittingly as spyware and executed as part of a rootkit or remote administration tool (RAT) Trojan horse.
• https://securelist.com/analysis/publications/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

Malicious Keyloggers in the news

Dubbed iSpy, the keylogger is equipped to steal passwords, capture screenshots, and monitor clipboards and webcams on victim systems,

Bots

• Bots are software programs created to perform specific operations automatically.
  • They can perform tasks like making a dinner reservation, adding appointments to your calendar, etc.
• Increasingly common bots are chatbots, which are used to simulate conversation.
• The ability to mimic actual human conversation and avoid detection has resulted in the use of bots as tools of covert manipulation. On the Internet today bots are used to artificially alter, disrupt or even silence legitimate online conversations.
• Recently Taco Bell released a bot that allows users to order and pay for tacos using a chat conversation.
• But bots are being used maliciously too. They are being used for DDoS attacks, as spambots to deliver spam, and as web spiders to scrape web data.

How do Bots steal information?

• Web scraping or content scraping
• Capturing information on autofill / auto-forms
• Click fraud
• Data aggregation and price aggregation

Bots Attack – in the news

Porn Spambots Have Taken Over At Least 2,500 Twitter Accounts In Two Weeks

In the span of two weeks, hackers have broken into more than 2,500 Twitter accounts with large followings, including those of electro-funk duo Chromeo, comedian Azeem Banatwala, football star Cecil Shorts III, and late New York Times journalist David Carr, according to new research by security firm Symantec.

The hacked accounts were then replaced with porn and sexbots, and used to tweet links to adult dating sites. The victims had their display names changed, with their profile pictures swapped for pictures of scantily-clad women.


Rootkits

• Rootkits are an advanced type of malware that is very difficult to detect
• They are designed to remotely access or control a computer without being detected by users or security programs.
• Once installed, rootkits can execute files, steal information, change system configurations, install malware, etc.
• Since security software cannot detect these, removal will have to be done manually by monitoring computer behavior, signature scanning and storage dump analysis

Rootkits – In the news

• Android malware HummingBad infects 10 million phones
  • Security companies have noticed a sudden surge in the number of phones infected by the malware.
  • When it's on a person's phone, HummingBad installs apps on their device and spies on their browsing habits. It also generates fake clicks for online adverts and research suggests it's making around $300,000 (£232,000) a month for its creators through this.

Phases of Malware Attack

(Figure only; no text was recovered from this slide.)

How does Malware sneak in?

• Wrapping. Example: CleanMyMac - IceFog
• Obfuscation: packers, anti-debugging. Example: ZeroAccess
• Targeted attacks

Portability of Malware Across Platforms

• Malware can be portable across platforms and devices
• For example, an Android malicious app that can perform an attack on an Android phone can also infect a computer when the phone is connected to a PC. The malware triggers when it is connected via USB, and the end payload might be to switch on a microphone/camera to record personal information
• Malware can be designed for any operating system. People have a misconception that Windows computers are the ones that get affected, but cybercriminals have figured out a way to infect any operating system.
• It's a myth that devices manufactured by Apple Inc. (Mac, iPhone, iPad, etc.) don't need protection
• All devices and platforms are equally vulnerable

Countermeasures for Users

• Use software acquired from reliable sources
• Test software in an isolated environment
• Only open attachments when you know them to be safe
• Treat every website as potentially harmful
• Create and maintain backups
• Have good anti-virus and scans on your devices
• Do not insert unknown media such as flash drives into your devices

Countermeasures for Developers

• Modular code: each code module should be
  • Single-purpose
  • Small
  • Simple
  • Independent
• Encapsulation
• Information hiding
• Mutual suspicion
• Confinement
• Genetic diversity

Code Testing

• Unit testing
• Integration testing
• Function testing
• Performance testing
• Acceptance testing
• Installation testing
• Regression testing
• Penetration testing

Design Principles for Security

• Least privilege
• Economy of mechanism
• Open design
• Complete mediation
• Permission based
• Separation of privilege
• Least common mechanism
• Ease of use

Other Countermeasures

• Good
  • Proofs of program correctness, where possible
  • Defensive programming
  • Design by contract
• Bad
  • Penetrate-and-patch
  • Security by obscurity
