Chapter 2 Malware and Social Engineering Attacks
Image spam
Uses graphical images of text to circumvent text-based filters. Often contains nonsense text so that it appears legitimate.
Collect Data
A keylogger can be a small hardware device or a software program. As a hardware device, it is inserted between the keyboard cable and the computer's USB port. Software keyloggers are programs installed on the computer that silently capture information. An advantage of software keyloggers is that they do not require physical access to the user's computer. They are often installed as a Trojan or virus and can send the captured information back to the attacker over the Internet.
Users disapprove of adware because
Adware can display objectionable content. Frequent pop-up ads can interfere with a user's productivity. Pop-up ads can slow a computer or even cause crashes and the loss of data. Unwanted advertisements can be a nuisance.
Launch Attacks
Bot or zombie - an infected computer that is under the remote control of an attacker
Worms may:
Consume resources, or leave behind a payload to harm infected systems.
Collect Data
Different types of malware are designed to collect important data from the user's computer and make it available to the attacker. This type of malware includes spyware and adware.
Dumpster diving
Digging through trash to find information that can be useful in an attack. An electronic variation of dumpster diving is to use Google's search engine to look for documents and data posted online; this is called Google dorking.
Tailgating
Following behind an authorized individual through an access door. An employee could conspire with an unauthorized person to allow that person to walk in with them (called piggybacking). Watching an authorized user enter a security code on a keypad is known as shoulder surfing.
Attacks Using Malware
Malicious software (malware) enters a computer system without the owner's knowledge or consent. It uses a threat vector to deliver a malicious "payload" that performs a harmful function once it is invoked. Malware is a general term that refers to a wide variety of damaging or annoying software. Malware can be classified by the primary trait it possesses: circulation (spreading rapidly to other systems in order to impact a large number of users), infection (how it embeds itself into a system), concealment (avoiding detection by hiding its presence from scanners), and payload capabilities (what actions the malware performs).
(Virus) Armored virus
Most viruses today go to great lengths to avoid detection; a virus built this way is called an armored virus.
Additional enhancements (crypto-malware)
Newer crypto-malware not only encrypts the user's local hard drive but also ANY network share or attached device that is connected to that computer. It is also infecting mobile devices such as smartphones and tablets.
Psychological Approaches
The goal of psychological approaches is to persuade the victim to provide information or take action. Attackers use a variety of techniques to gain trust without moving too quickly: provide a reason, project confidence, use evasion and diversion, and make them laugh. Psychological approaches often involve impersonation, phishing, spam, hoaxes, and watering hole attacks.
Special type of Trojan:
Remote access Trojan (RAT)- gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols
Variations on phishing attacks:
Spear phishing - targets specific users. Whaling - targets the "big fish" (high-value individuals such as senior executives). Vishing - uses a telephone call instead of email.
Armored virus infection techniques:
Swiss cheese infection, split infection, and mutation.
Payload Capabilities
The destructive power of malware can be found in its payload capabilities. The primary payload capabilities are to collect data, delete data, modify system security settings, and launch attacks.
Delete Data
The payload of other types of malware deletes data on the computer
Once infected with crypto-malware:
The software connects to the threat actor's command and control (C&C) server to receive instructions or updated data. A locking key is generated for the encrypted files, and that key is encrypted with another key that has been downloaded from the C&C server. In practice the downloaded key is the public half of a key pair whose private half stays with the threat actor, so the victim holds only the wrapped locking key. The matching decryption key is sent to the victims once they pay the ransom.
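A simulation of the key handling just described, added here as an illustration (it is not code from the page, and nothing in it touches a real file system). The "files" are a constructed dict of byte strings, the symmetric cipher is a SHA-256 keystream XOR, and the key pair is toy, unpadded RSA over two Mersenne primes; all of those are stand-ins chosen so the script needs only the Python standard library. The point it makes is that after infection the victim holds only the wrapped locking key, so guessing does not help and recovery depends on the private key the threat actor releases after payment:

```python
"""Crypto-malware key handling, simulated in memory.

Added illustration, not code from the page. The 'files' are a constructed
dict of byte strings; the keystream cipher and the toy RSA are stand-ins for
the real ciphers such malware uses, so this runs with the standard library.
"""
import hashlib
import secrets

# --- Threat-actor side: key pair whose public half the C&C server hands out.
# Toy RSA: two Mersenne primes, no padding (real code would use RSA-OAEP or
# an X25519 exchange; the key-handling logic is what matters here).
_P, _Q = 2**31 - 1, 2**61 - 1
ATTACKER_N = _P * _Q
ATTACKER_E = 65537
ATTACKER_D = pow(ATTACKER_E, -1, (_P - 1) * (_Q - 1))   # never leaves the C&C
LOCK_KEY_BYTES = 10                                     # 80 bits, fits below N


def cnc_get_public_key() -> tuple:
    """What the malware downloads from the C&C: only the public half."""
    return (ATTACKER_N, ATTACKER_E)


def wrap_key(lock_key: bytes, pub: tuple) -> int:
    """Encrypt the locking key with the downloaded public key."""
    n, e = pub
    return pow(int.from_bytes(lock_key, "big"), e, n)


def cnc_release_key(wrapped: int) -> bytes:
    """Done by the threat actor after payment: unwrap with the private half."""
    return pow(wrapped, ATTACKER_D, ATTACKER_N).to_bytes(LOCK_KEY_BYTES, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Hash-based keystream XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


# --- Victim side.
def infect(files: dict) -> tuple:
    """Encrypt every file; return (ciphertexts, wrapped locking key).
    The plaintext locking key is discarded, so the victim keeps only the
    wrapped copy and cannot decrypt without the C&C's private key."""
    lock_key = secrets.token_bytes(LOCK_KEY_BYTES)       # generated locally
    pub = cnc_get_public_key()                            # downloaded from C&C
    encrypted = {name: stream_xor(lock_key, data) for name, data in files.items()}
    wrapped = wrap_key(lock_key, pub)
    return encrypted, wrapped


def recover(encrypted: dict, lock_key: bytes) -> dict:
    return {name: stream_xor(lock_key, data) for name, data in encrypted.items()}


# Constructed victim files.
FILES = {"budget.xlsx": b"Q3 budget: 1,250,000", "notes.txt": b"call the bank Monday"}


def demo() -> dict:
    encrypted, wrapped = infect(FILES)
    # Guessing without the private key: a wrong key yields garbage, not plaintext.
    wrong = recover(encrypted, secrets.token_bytes(LOCK_KEY_BYTES))
    # After payment the threat actor unwraps and returns the locking key.
    restored = recover(encrypted, cnc_release_key(wrapped))
    return {"encrypted": encrypted, "wrong_key_matches": wrong == FILES,
            "restored": restored}


if __name__ == "__main__":
    result = demo()
    print("restored correctly:", result["restored"] == FILES)
```

Because the plaintext locking key exists only briefly in memory, an incident responder's realistic options are to capture memory or C&C traffic during the encryption run, or to restore from offline backups; the wrapped key on disk is useless without ATTACKER_D.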
Infection
Three examples of malware that have the primary trait of infection: Trojans, ransomware, and crypto-malware.
Physical Procedures
Two of the most common physical procedures are dumpster diving and tailgating.
Circulation
Two types of malware have the primary trait of circulation: viruses and worms.
Viruses perform two actions:
Unloads a payload to perform a malicious action, and reproduces itself by inserting its code into another file on the same computer.
FACTS
Viruses cannot automatically spread to another computer; they rely on user action to spread. Viruses are attached to files and are spread by transferring infected files.
Hoaxes
A false warning, usually claiming to come from the IT department. Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system. Attackers may also provide a telephone number for the victim to call for help, which puts them in direct contact with the attacker.
Watering hole attack
A malicious attack directed toward a small group of specific individuals who visit the same website; the attacker compromises that website so that the targeted visitors are infected when they browse to it.
Social engineering
A means of gathering information for an attack by relying on the weaknesses of individuals. Social engineering attacks can involve psychological approaches as well as physical procedures.
Crypto-malware
A more malicious form of ransomware in which threat actors encrypt all files on the device so that none of them can be opened.
(Virus) Macro
A macro is a series of instructions that can be grouped together as a single command. A common data file virus is a macro virus, which is written in a script known as a macro.
Trojans
An executable program that does something other than advertised. Contains hidden code that launches an attack. Sometimes made to appear as a data file.
Impersonation
The attacker pretends to be someone else, such as a help desk support technician, repairperson, IT support staff, manager, trusted third party, or fellow employee. Attackers often impersonate a person with authority because victims generally resist saying "no" to anyone in power.
Metamorphic Virus
can rewrite its own code and appear different each time it is executed
Keylogger
Captures and stores each keystroke that a user types on the computer's keyboard. The attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information.
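What the attacker does with the capture, as an added illustration (not from the page): the keystroke log below is constructed, and its format (typed characters in the clear, special keys as bracketed tokens such as [BACKSPACE] and [TAB]) is an assumption; real keyloggers each use their own. The code replays the keystrokes to recover what was actually submitted, including a corrected typo, then mines the result for card numbers that pass the Luhn check and for an e-mail address followed by a password field:

```python
"""Turn a raw keylogger capture back into typed text and mine it.

Added illustration with a constructed capture; not code from the page.
Assumed capture format: printable characters as typed, special keys as
bracketed tokens such as [BACKSPACE], [TAB], [ENTER], [SHIFT].
"""
import re

# Constructed capture: a login form, a checkout form with a corrected typo,
# and a line of digits that is not a card number.
CAPTURE = (
    "jane.doe@example.com[TAB]Spr1ngtime![ENTER]"
    "4111 1111 1111 1112[BACKSPACE]1[TAB]12/27[TAB]123[ENTER]"
    "phone 555 0100 1234 5678[ENTER]"
)

_TOKEN = re.compile(r"\[[A-Z]+\]|.", re.DOTALL)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits


def reconstruct(capture: str) -> list:
    """Replay the keystrokes: returns a list of lines, each a list of fields."""
    lines, fields, cur = [], [], []
    for tok in _TOKEN.findall(capture):
        if tok == "[BACKSPACE]":
            if cur:
                cur.pop()
        elif tok == "[TAB]":
            fields.append("".join(cur))
            cur = []
        elif tok == "[ENTER]":
            fields.append("".join(cur))
            lines.append(fields)
            fields, cur = [], []
        elif tok.startswith("["):
            continue                    # modifier keys such as [SHIFT] carry no text
        else:
            cur.append(tok)
    if cur or fields:                   # a line the user never submitted
        fields.append("".join(cur))
        lines.append(fields)
    return lines


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(lines: list) -> list:
    """Digit runs of plausible length, scanned per field, that pass Luhn."""
    found = []
    for fields in lines:
        for field in fields:
            for m in _DIGIT_RUN.finditer(field):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    found.append(digits)
    return found


def find_credentials(lines: list) -> list:
    """Heuristic: an e-mail address in one field followed by a non-empty field."""
    creds = []
    for fields in lines:
        for i in range(len(fields) - 1):
            if _EMAIL.match(fields[i]) and fields[i + 1]:
                creds.append((fields[i], fields[i + 1]))
    return creds


if __name__ == "__main__":
    typed = reconstruct(CAPTURE)
    print("cards:", find_card_numbers(typed))
    print("credentials:", find_credentials(typed))
```

The same Luhn-validated search is what a data loss prevention filter runs on outbound mail, so this doubles as a check on what a stolen capture of your users' keystrokes would actually yield.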
oligomorphic virus
changes its internal code to one of a set number of predefined mutations whenever executed
polymorphic virus
completely changes from its original form when executed
Logic bomb
Computer code that lies dormant until it is triggered by a specific logical event. Difficult to detect before it is triggered. Often embedded in large computer programs, some containing tens of thousands of lines of code, which are not routinely scanned.
(Virus) Program virus
Infects an executable program file.
(Virus) Computer virus
Malicious computer code that reproduces itself on the same computer without any human intervention.
Worm
A malicious program that uses a computer network to replicate; it sends copies of itself to other network devices.
Ransomware
Prevents a user's device from properly operating until a fee is paid. Is highly profitable. A variation of ransomware displays a fictitious warning that a software license has expired or there is a problem, and users must purchase additional software online to fix the problem.
Adware
A program that delivers advertising content in a manner unexpected and unwanted by the user. Typically displays advertising banners and pop-up ads. May open new browser windows randomly.
Phishing
Sending an email claiming to be from a legitimate source that tries to trick the user into giving private information. The emails and fake websites are difficult to distinguish from those that are legitimate.
Spyware
Software that gathers information without user consent. Uses the computer's resources for the purposes of collecting and distributing personal or sensitive information.
(Concealment) Rootkits
Software tools used by an attacker to hide the actions or presence of other types of malicious software. Hide or remove traces of log-in records and log entries. May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity. Users can no longer trust a computer that contains a rootkit: the rootkit is in charge and hides what is occurring on the computer.
Mutation
Some viruses can mutate, changing their code from one execution to the next (see oligomorphic, polymorphic, and metamorphic viruses).
Spam
Unsolicited e-mail. One of the primary vehicles for distribution of malware. Sending spam is a lucrative business: it costs spammers very little to send millions of spam messages. Filters look for specific words and block the email.
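To show both the word-matching filter described here and the image spam trick from the start of the chapter, an added example (not from the page) with four constructed messages: a text spam, a normal message, an image spam whose pitch sits in a GIF behind filler text, and a legitimate photo mail. The term weights, the threshold and the image-to-text ratio are illustrative values:

```python
"""Keyword spam filtering and why image spam slips past it.

Added illustration with constructed sample messages; not code from the page.
"""
import re
from dataclasses import dataclass, field

# Illustrative weighted term list of the kind a text-based filter matches on.
SPAM_TERMS = {
    "free": 1.0, "winner": 1.5, "prize": 1.5, "urgent": 1.0,
    "click": 1.0, "viagra": 3.0, "$$$": 2.0,
}
BLOCK_THRESHOLD = 3.0          # total weight at which the filter blocks
IMAGE_TO_TEXT_RATIO = 200      # image bytes per character of visible text


@dataclass
class Message:
    subject: str
    text: str                                         # the text/plain part
    image_sizes: list = field(default_factory=list)   # bytes of each image part


def tokens(s: str) -> list:
    """Lower-case word tokens; '$' kept so '$$$' can be matched."""
    return re.findall(r"[a-z$]+", s.lower())


def keyword_score(msg: Message) -> float:
    return sum(SPAM_TERMS.get(t, 0.0) for t in tokens(msg.subject + " " + msg.text))


def text_filter(msg: Message) -> str:
    """The filter the page describes: look for specific words, block on a hit."""
    return "block" if keyword_score(msg) >= BLOCK_THRESHOLD else "allow"


def image_aware_filter(msg: Message) -> str:
    """Same keyword check plus a crude image-spam rule: a message whose image
    parts dwarf its visible text is treated as spam even with a clean wordlist."""
    if text_filter(msg) == "block":
        return "block"
    if sum(msg.image_sizes) > IMAGE_TO_TEXT_RATIO * max(1, len(msg.text)):
        return "block"
    return "allow"


# Constructed samples.
TEXT_SPAM = Message("You are a WINNER", "Click here to claim your free prize $$$ urgent!")
LEGIT = Message("Lunch Thursday?", "Are we still on for lunch Thursday at noon? Let me know.")
# Image spam: the pitch is inside a 48 KB GIF; the text part is filler words
# chosen to look like a normal message to a word-matching filter.
IMAGE_SPAM = Message("hello", "meadow lantern quietly harbor seventeen velvet compass orchard",
                     image_sizes=[48_000])
# A legitimate photo mail trips the crude ratio rule: the false positive that
# pushes real filters toward OCR and image fingerprinting.
PHOTO_MAIL = Message("Hike photo", "Here is the photo from the hike, finally sorted.",
                     image_sizes=[2_000_000])


def run_all() -> dict:
    samples = [("text_spam", TEXT_SPAM), ("legit", LEGIT),
               ("image_spam", IMAGE_SPAM), ("photo_mail", PHOTO_MAIL)]
    return {name: (text_filter(m), image_aware_filter(m)) for name, m in samples}


if __name__ == "__main__":
    for name, (plain, aware) in run_all().items():
        print(f"{name:11s} text_filter={plain:5s} image_aware={aware}")
```

The image-aware rule catches the image spam but also blocks the photo mail; that false positive is why production filters add OCR of image parts and fingerprinting of known spam images rather than relying on a size ratio.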
(Virus) Virus infection method: Appender infection
The virus appends itself to the end of a file. Easily detected by virus scanners.
Split infection
The virus splits into several parts, which are placed at random positions in the host program. The parts may contain unnecessary "garbage" code to mask their true purpose.
Swiss cheese infection
The virus injects itself into executable code. The virus code is "scrambled" to make it more difficult to detect.
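The appender and split infection methods, plus the oligomorphic and polymorphic mutation described earlier in this chapter, against a signature scanner, as one added example (not from the page). Everything operates on constructed byte strings; HOST, BODY, STUB and KEYSET stand in for a host program, a virus body, its decryptor loop and a small key set, and nothing is executed as code:

```python
"""Infection placement and mutation versus a signature scanner.

Added illustration on constructed byte strings (nothing here executes as
code); not from the page. HOST, BODY, STUB and KEYSET are arbitrary values
standing in for a program, a virus body, its decryptor and a key set.
"""
import random

HOST = b"\x7fELF" + bytes(range(256))            # stand-in for a host program
BODY = b"VIRUS-BODY:" + bytes(range(200, 240))   # stand-in for virus code (51 bytes)
SIGNATURE = BODY[:12]                            # the bytes a scanner keys on
STUB = b"DECRYPT-LOOP"                           # constant decryptor kept in clear
KEYSET = (0x21, 0x5A, 0xC3)                      # oligomorphic: a few predefined keys
FRAGMENT = 9                                     # split infection piece size (< signature)


def scan(file: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic scanner: contiguous byte-string match."""
    return sig in file


def appender_infect(host: bytes) -> bytes:
    return host + BODY


def split_infect(host: bytes, rng: random.Random) -> bytes:
    """Scatter the body in FRAGMENT-byte pieces, each behind a little garbage,
    at distinct random offsets inside the host."""
    pieces = [BODY[i:i + FRAGMENT] for i in range(0, len(BODY), FRAGMENT)]
    offsets = sorted(rng.sample(range(1, len(host)), len(pieces)), reverse=True)
    out = bytearray(host)
    for at, piece in zip(offsets, pieces):       # back to front keeps offsets valid
        garbage = bytes(rng.randrange(256) for _ in range(3))
        out[at:at] = garbage + piece
    return bytes(out)


def scan_fragments(file: bytes) -> bool:
    """Multi-part signature: every fragment must be present somewhere."""
    return all(BODY[i:i + FRAGMENT] in file for i in range(0, len(BODY), FRAGMENT))


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def mutated_infect(host: bytes, key: int) -> bytes:
    """Polymorphic/oligomorphic layout: clear stub, key byte, encrypted body."""
    return host + STUB + bytes([key]) + xor(BODY, key)


def polymorphic_infect(host: bytes, rng: random.Random) -> bytes:
    return mutated_infect(host, rng.randrange(1, 256))     # any of 255 keys


def oligomorphic_infect(host: bytes, rng: random.Random) -> bytes:
    return mutated_infect(host, rng.choice(KEYSET))        # one of a few keys


def scan_oligomorphic(file: bytes) -> bool:
    """A fixed key set means a fixed set of encrypted signatures to match."""
    return any(xor(SIGNATURE, k) in file for k in KEYSET)


def scan_by_decrypting(file: bytes) -> bool:
    """Match the constant stub, read the key, decrypt, then look for the
    original signature: why a clear decryptor defeats polymorphism."""
    at = file.find(STUB)
    if at < 0:
        return False
    key = file[at + len(STUB)]
    return SIGNATURE in xor(file[at + len(STUB) + 1:], key)


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    split = split_infect(HOST, rng)
    poly = polymorphic_infect(HOST, rng)
    oligo = oligomorphic_infect(HOST, rng)
    return {
        "appender_detected": scan(appender_infect(HOST)),   # True
        "split_contiguous": scan(split),                    # False: signature is split up
        "split_fragments": scan_fragments(split),           # True
        "poly_contiguous": scan(poly),                      # False: body is encrypted
        "poly_via_stub": scan_by_decrypting(poly),          # True: stub gives the key
        "oligo_precomputed": scan_oligomorphic(oligo),      # True: only len(KEYSET) variants
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {hit}")
```

The appender is caught by a contiguous signature; the split infection needs a multi-part signature; the oligomorphic variant only multiplies the signatures by the size of KEYSET; the polymorphic variant defeats body signatures, but its clear decryptor stub is constant and decrypting past it restores the signature, which is the approach generic-decryption scanners take. A metamorphic virus removes even that handle by rewriting the decryptor itself, which is why it is not shown here.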