Chapter 2 Malware and Social Engineering Attacks

Image spam

- uses graphical images of text in order to circumvent text-based filters Often contains nonsense text so it appears legitimate

Collect Data

A keylogger can be a small hardware device or a software program As a hardware device, it is inserted between the computer keyboard connection and U S B port Software keyloggers are programs installed on the computer that silently capture information An advantage of software keyloggers is that they do not require physical access to the user's computer Often installed as a Trojan or virus, can send captured information back to the attacker via Internet

Users disapprove of adware because

Adware can display objectionable content Frequent popup ads can interfere with a user's productivity Popup ads can slow a computer or even cause crashes and the loss of data Unwanted advertisements can be a nuisance

Launch Attacks

Bot or zombie - an infected computer that is under the remote control of an attacker

Worms may:

Consume resources or Leave behind a payload to harm infected systems

Collect Data

Different types of malware are designed to collect important data from the user's computer and make it available to the attacker This type of malware includes: Spyware Adware

Dumpster diving

Digging through trash to find information that can be useful in an attack An electronic variation of dumpster diving is to use Google's search engine to look for documents and data posted online Called Google dorking

Tailgating

Following behind an authorized individual through an access door An employee could conspire with an unauthorized person to allow him to walk in with him (called piggybacking) Watching an authorized user enter a security code on a keypad is known as shoulder surfing

Attacks Using Malware

Malicious software (malware) Enters a computer system without the owner's knowledge or consent Uses a threat vector to deliver a malicious "payload" that performs a harmful function once it is invoked Malware is a general term that refers to a wide variety of damaging or annoying software Malware can be classified by using the primary trait that the malware possesses: Circulation - spreading rapidly to other systems in order to impact a large number of users Infection - how it embeds itself into a system Concealment - avoid detection by concealing its presence from scanners Payload capabilities - what actions the malware performs

(Virus)armored virus

Most viruses today go to great lengths to avoid detection

Additional enhancements

Not only encrypts the user's local hard drive but also ANY network or attached device that is connected to that computer Also are infecting mobile devices such as smartphones and tablets.

Psychological Approaches

Psychological approaches goal: to persuade the victim to provide information or take action Attackers use a variety of techniques to gain trust without moving quickly: Provide a reason Project confidence Use evasion and diversion Make them laugh Psychological approaches often involve: Impersonation, phishing, spam, hoaxes, and watering hole attacks

Special type of Trojan:

Remote access Trojan (RAT)- gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols

Variations on phishing attacks:

Spear phishing - targets specific users Whaling - targets the "big fish" Vishing - instead of using email, uses a telephone call instead

armored virus infection techniques :

Swiss cheese infection Split infection Mutation

Payload Capabilities

The destructive power of malware can be found in its payload capabilities Primary payload capabilities are to: Collect data Delete data Modify system security settings Launch attacks

Delete Data

The payload of other types of malware deletes data on the computer

Once infected with crypto-malware:

The software connects to the threat actor's command and control (C&C) server to receive instructions or updated data A locking key is generated for the encrypted files and that key is encrypted with another key that has been downloaded from the C&C Second key is sent to the victims once they pay the ransom

Infection

Three examples of malware that have the primary trait of infection: Trojans Ransomware Crypto-malware

Physical Procedures

Two of the most common physical procedures are: Dumpster diving Tailgating

Circulation

Two types of malware have the primary traits of circulation: Viruses Worms

Viruses perform two actions:

Unloads a payload to perform a malicious action Reproduces itself by inserting its code into another file on the same computer

FACTS

Viruses cannot automatically spread to another computer Relies on user action to spread Viruses are attached to files Viruses are spread by transferring infected files

Hoaxes

a false warning, usually claiming to come from the I T department Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker

Watering hole attack

a malicious attack that is directed toward a small group of specific individuals who visit the same website

Social engineering

a means of gathering information for an attack by relying on the weaknesses of individuals Social engineering attacks can involve psychological approaches as well as physical procedures

Crypto-malware

a more malicious form of ransomware where threat actors encrypt all files on the device so that none of them could be opened

(Virus)Macro

a series of instructions that can be grouped together as a single command Common data file virus is a macro virus that is written in a script known as a macro

Trojans

an executable program that does something other than advertised Contain hidden code that launches an attack Sometimes made to appear as data file

Impersonation

attacker pretends to be someone else: Help desk support technician Repairperson I T support Manager Trusted third party Fellow employee Attacker will often impersonate a person with authority because victims generally resist saying "no" to anyone in power

Metamorphic Virus

can rewrite its own code and appear different each time it is executed

Keylogger

captures and stores each keystroke that a user types on the computer's keyboard Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information

oligomorphic virus

changes its internal code to one of a set number of predefined mutations whenever executed

polymorphic virus

completely changes from its original form when executed

Logic bomb

computer code that lies dormant until it is triggered by a specific logical event Difficult to detect before it is triggered Often embedded in large computer programs, some containing tens of thousands of lines of code, which are not routinely scanned

(Virus)Program virus

infects an executable program file

(Virus)Computer virus

malicious computer code that reproduces itself on the same computer without any human intervention

Worm

malicious program that uses a computer network to replicate Sends copies of itself to other network devices

Ransomware

prevents a user's device from properly operating until a fee is paid Is highly profitable A variation of ransomware displays a fictitious warning that a software license has expired or there is a problem and users must purchase additional software online to fix the problem

Adware

program that delivers advertising content in a manner unexpected and unwanted by the user Typically displays advertising banners and pop-up ads May open new browser windows randomly

Phishing

sending an email claiming to be from a legitimate source Tries to trick user into giving private information The emails and fake websites are difficult to distinguish from those that are legitimate

Spyware

software that gathers information without user consent Uses the computer's resources for the purposes of collecting and distributing personal or sensitive information

(Concealment )Rootkits

software tools used by an attacker to hide actions or presence of other types of malicious software Hide or remove traces of log-in records, log entries May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity Users can no longer trust their computer that contains a rootkit The rootkit is in charge and hides what is occurring on the computer

Mutation

some viruses can mutate or change

Spam

unsolicited e-mail Primary vehicles for distribution of malware Sending spam is a lucrative business Cost spammers very little to send millions of spam messages Filters look for specific words and block the email

(Virus)Virus infection method:Appender infection

virus appends itself to the end of a file Easily detected by virus scanners

Split infection

virus splits into several parts Parts placed at random positions in host program The parts may contain unnecessary "garbage" code to mask their true purpose

Swiss cheese infection

viruses inject themselves into executable code Virus code is "scrambled" to make it more difficult to detect