Chapter 6


Social Engineering

- "Tricking" users to assist in the compromise of their own systems or personal information.
- Occurs when a user views and responds to some spam e-mail, or permits the installation and execution of some Trojan horse program.
- Spam (unsolicited bulk) e-mail
  + significant carrier of malware
  + may be used in a phishing attack --> directing the user either to a fake Web site that mirrors some legitimate service, or to complete some form with sufficient personal details to allow the attacker to impersonate the user in an identity theft.
- Trojan horses
  + a program or utility containing hidden code that, when invoked, performs some unwanted or harmful function.
  + used to accomplish functions indirectly that the attacker could not accomplish directly. --> For example, to gain access to personal information stored in the files of a user, an attacker could create a Trojan horse program that, when executed, scans the user's files for the desired sensitive information and sends a copy of it to the attacker via a Web form, e-mail, or text message.
- Mobile phone Trojans
  + first appeared in 2004 with the discovery of Skuller.
  + the target is the smartphone
  + usually distributed via one or more of the app marketplaces for the target phone O/S.

Stealthing rootkit

- A rootkit is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible.
- Alters the host's standard functionality in a malicious and stealthy way.
- With root access, an attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand.
- Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer.

APT Attacks

- Aim:
  + varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure.
- Techniques:
  + social engineering
  + spear-phishing emails
  + drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization.
- Intent:
  + to infect the target with sophisticated malware with multiple propagation mechanisms and payloads.
  + Once they have gained initial access to systems in the target organization, a further range of attack tools are used to maintain and extend their access.
- Harder to defend against due to this specific targeting and persistence.

Worm Countermeasures

- Considerable overlap in techniques for dealing with viruses and worms.
- Once a worm is resident on a machine, anti-virus software can be used to detect and possibly remove it.
- Perimeter network activity and usage monitoring can form the basis of a worm defense.
- Worm defense approaches include:
  + Signature-based worm scan filtering
    -- generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host.
    -- vulnerable to the use of polymorphic worms
  + Filter-based worm containment
    -- focuses on worm content rather than a scan signature.
    -- the filter checks a message to determine if it contains worm code.
  + Payload-classification-based worm containment
    -- examines packets to see if they contain a worm.
  + Threshold random walk (TRW) scan detection
    -- exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation.
  + Rate limiting
    -- limits the rate of scan-like traffic from an infected host.
    -- limiting the number of new machines a host can connect to in a window of time
    -- limiting the number of unique IP addresses a host can scan in a window of time
  + Rate halting
    -- immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts.

Generic Decryption (GD)

- Enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds.
- Executable files are run through a GD scanner, which contains the following elements:
  + CPU emulator
    -- A software-based virtual computer.
    -- Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor.
  + Virus signature scanner
    -- A module that scans the target code looking for known malware signatures.
  + Emulation control module
    -- Controls the execution of the target code.
- The most difficult design issue with a GD scanner is to determine how long to run each interpretation.
  + The longer the scanner emulates a particular program, the more likely it is to catch any hidden malware.
  + If it runs too long, users might complain of degraded system performance.

Ingress monitors

- Located at the border between the enterprise network and the Internet.
- One technique is to look for incoming traffic to unused local IP addresses.

Egress monitors

- Located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet.
- Monitors outgoing traffic for signs of scanning or other suspicious behavior.

malware

- Malicious software.
- "A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim."
- Threats include viruses, worms, and trojans.

APT characteristics

- Pursues its objectives repeatedly over an extended period.
- Adapts to defenders' efforts to detect it.
- Maintains a level of interaction with the attacker's command and control infrastructure to control its objectives.
• Advanced: Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required.
  + The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target.
• Persistent: Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success.
  + A variety of attacks may be progressively, and often stealthily, applied until the target is compromised.
• Threats: Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets.
  + The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of a successful attack.

Payload System Corruption

- The Chernobyl virus is an early example of a destructive parasitic memory-resident Windows 95 and 98 virus, first seen in 1998.
  + It infects executable files when they're opened.
  + When a trigger date is reached, it deletes data on the infected system by overwriting the hard drive.
- The Klez mass-mailing worm is an early example of a destructive worm infecting Windows 95 to XP systems.
  + first seen in October 2001.
  + spreads by e-mailing copies of itself to addresses found in the address book and in files on the system.
  + On trigger dates, it causes files on the local hard drive to become empty.
- Ransomware
  + encrypts the user's data, and demands payment in order to access the key needed to recover this information.
  + The PC Cyborg Trojan seen in 1989 was an early example of this.
  + The Gpcode Trojan (2006) used public-key cryptography with increasingly larger key sizes to encrypt data.
  + often spread via "drive-by-downloads."
• Real-world damage
  - Causes damage to physical equipment
    + Chernobyl virus rewrites BIOS code
  - Stuxnet worm: targets specific industrial control system software
  - There are concerns about using sophisticated targeted malware for industrial sabotage
• Logic bomb
  - Code embedded in the malware that is set to "explode" when certain conditions are met

Malware Countermeasure Approaches

- The ideal solution to the threat of malware is prevention.
- Four main elements of prevention:
  + Policy
  + Awareness
  + Vulnerability mitigation
  + Threat mitigation
- If prevention fails, then technical mechanisms can be used to support the following threat mitigation options:
  • Detection: Once the infection has occurred, determine that it has occurred and locate the malware.
  • Identification: Once detection has been achieved, identify the specific malware that has infected the system.
  • Removal: Once the specific malware has been identified, remove all traces of the malware from all infected systems so that it cannot spread further.

Worms

- A program that actively seeks out more machines to infect; each infected machine then serves as an automated launching pad for attacks on other machines.
- Exploits software vulnerabilities in client or server programs.
- Uses network connections to spread from system to system.
- Can also spread through shared media, such as USB drives or CD and DVD data disks.
- E-mail worms spread in macro or script code included in documents attached to e-mail or to instant messenger file transfers.
- Upon activation, the worm may replicate and propagate again.
- Usually carries some form of payload.
- The first known worm implementation was done at Xerox Palo Alto Labs in the early 1980s.

Stealthing backdoor

- Also called a trapdoor.
- A secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures.
- Programmers have used backdoors legitimately for many years to debug and test programs; this is called a maintenance hook.
- Backdoors become threats when unscrupulous programmers use them to gain unauthorized access.
- It is difficult to implement operating system controls for backdoors in applications.

Clickjacking

- A user-interface (UI) redress attack.
- A vulnerability used by an attacker to collect an infected user's clicks.
- The attacker can force the user to do a variety of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code.
- An attacker could even place a button under or over a legitimate button, making it difficult for users to detect.
- A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page.
- The attacker is hijacking clicks meant for one page and routing them to another page.
- Using a similar technique, keystrokes can also be hijacked.
- A user can be led to believe they are typing in the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker.

Attack Agents bots

- Bot (robot), zombie, or drone
  + secretly takes over another Internet-attached computer and then uses that computer to launch or manage attacks that are difficult to trace to the bot's creator.
  + planted on hundreds or thousands of computers belonging to unsuspecting third parties.
- Botnet: the collection of bots, often capable of acting in a coordinated manner.

Virus Classification

- Classification by target:
  • Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
  • File infector: Infects files that the operating system or shell consider to be executable.
  • Macro virus: Infects files with macro or scripting code that is interpreted by an application.
  • Multipartite virus: Infects files in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection.
- Classification by concealment strategy:
  • Encrypted virus: A form of virus that uses encryption to obscure its content. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus.
  • Stealth virus: A form of virus explicitly designed to hide itself from detection by anti-virus software. Thus, the entire virus, not just a payload, is hidden. It may use code mutation, compression, or rootkit techniques to achieve this.
  • Polymorphic virus: A form of virus that creates copies during replication that are functionally equivalent but have distinctly different bit patterns, in order to defeat programs that scan for viruses. Mutates with every infection.
  • Metamorphic virus: A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance.

Payload actions performed by malware once it reaches a target system can include:

- corruption of system or data files;
- theft of service in order to make the system a zombie agent of attack as part of a botnet;
- theft of information from the system, especially of logins, passwords, or other personal details by keylogging or spyware programs;
- stealthing/hiding, where the malware hides its presence on the system from attempts to detect and block it.

Remote Control facility

- Distinguishes a bot from a worm.
  + A worm propagates itself and activates itself.
  + A bot is controlled by some form of command-and-control (C&C) server network.
- An early means of implementing the remote control facility used an IRC server.
  + All bots join a specific channel on this server and treat incoming messages as commands.
  + More recent botnets use covert communication channels via protocols such as HTTP.
  + Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure.

drive-by download

- Exploits browser vulnerabilities to download and install malware on the system when the user views a Web page controlled by the attacker.
- In most cases, this malware does not actively propagate as a worm does, but rather waits for unsuspecting users to visit the malicious Web page in order to spread to their systems.
- Aimed at anyone who visits a compromised site and is vulnerable to the exploits used.
- Watering-hole attacks
  + The attacker researches their intended victims to identify Web sites they are likely to visit,
  + then waits for one of their intended victims to visit one of the compromised sites.
- Malvertising
  + The attacker pays for advertisements that are highly likely to be placed on their intended target Web sites, and which incorporate malware in them.

propagation mechanism

- infection of existing content by viruses that is subsequently spread to other systems;
- exploit of software vulnerabilities, either locally or over a network, by worms or drive-by-downloads to allow the malware to replicate;
- social engineering attacks that convince users to bypass security mechanisms to install trojans, or to respond to phishing attacks.

information theft

- Keylogger
  + captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information.
  + typically implements some form of filtering mechanism that only returns information close to desired keywords (e.g., "login" or "password" or "paypal.com").
- Spyware
  + subverts the compromised machine to allow monitoring of a wide range of activity on the system:
  + monitoring the history and content of browsing activity
  + redirecting certain Web page requests to fake sites controlled by the attacker
  + dynamically modifying data exchanged between the browser and certain Web sites of interest.
- Phishing attack
  + exploits social engineering to leverage users' trust by masquerading as communications from a trusted source
  + includes a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
  + suggests that urgent action is required by the user to authenticate their account
  + the attacker exploits the account using the captured credentials
- Spear-phishing attack
  + the recipients are carefully researched by the attacker
  + each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity.

Viruses

- Parasitic software fragments that attach themselves to some existing executable content.
  + machine code that infects some existing application, utility, or system program
  + a form of scripting code, typically used to support active content within data files such as Microsoft Word docs, Excel spreadsheets, or Adobe PDF docs.
- A piece of software that can "infect" other programs,
  + modifying them to include a copy of the virus
  + replicates and goes on to infect other content
  + easily spread through network environments
- When attached to an executable program, a virus can do anything that the program is permitted to do.
  + It executes secretly when the host program is run.
  + Once the virus code is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
- Specific to operating system and hardware
  + Takes advantage of their details and weaknesses

Mobile code

- Programs that can be shipped unchanged to a variety of platforms and execute with identical semantics.
- Transmitted from a remote system to a local system and then executed on the local system without the user's explicit instruction.
- Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user's workstation.
- Takes advantage of vulnerabilities to perform its own exploits, such as unauthorized data access or root compromise.
- Popular vehicles include Java applets, ActiveX, JavaScript, and VBScript.
- The most common ways of using mobile code for malicious operations on a local system are cross-site scripting, interactive and dynamic Web sites, e-mail attachments, and downloads from untrusted sites or of untrusted software.

Target discovery

- Scanning or fingerprinting
  + the first function in the propagation phase for a network worm
  + search for other systems to infect
- Scanning strategies:
  • Random: Each compromised host probes random addresses in the IP address space, using a different seed.
    + This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched.
  • Hit-list: The attacker first compiles a long list of potentially vulnerable machines.
    + This can be a slow process done over a long period to avoid detection that an attack is underway.
    + Once the list is compiled, the attacker begins infecting machines on the list.
    + Each infected machine is provided with a portion of the list to scan.
    + This strategy results in a very short scanning period, which may make it difficult to detect that infection is taking place.
  • Topological: This method uses information contained on an infected victim machine to find more hosts to scan.
  • Local subnet: If a host can be infected behind a firewall, that host then looks for targets in its own local network.
    + The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall.

Attack Sources

- The change from attackers being individuals, often motivated to demonstrate their technical competence to their peers, to more organized and dangerous attack sources.
  + politically motivated attackers, criminals, and organized crime; organizations that sell their services to companies and nations; and national government agencies.
- This has significantly changed the resources available and motivation behind the rise of malware, and indeed has led to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information.

classification of malware

- Two broad categories:
  + based first on how it spreads or propagates to reach the desired targets;
  + and then on the actions or payloads it performs once a target is reached.
- Also classified by:
  + those that need a host program, being parasitic code such as viruses
  + those that are independent, self-contained programs run on the system, such as worms, trojans, and bots.
- Another distinction:
  + malware that does not replicate, such as trojans and spam e-mail
  + malware that does, including viruses and worms.

Blended attack

- uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack.

Worm Phase

- Uses the same phases as a computer virus: dormant, propagation, triggering, and execution.
- Propagation phase
  • Search for appropriate access mechanisms to other systems to infect by examining host tables, address books, buddy lists, trusted peers; by scanning possible target host addresses; or by searching for suitable removable media devices to use.
  • Use the access mechanisms found to transfer a copy of itself to the remote system, and cause the copy to be run.
- In a multiprogramming system, it can also disguise its presence by naming itself as a system process.
- Can inject its code into existing processes on the system.

Advanced Persistent Threat (APT)

An organized group of attackers who are highly motivated, skilled, and patient. They are often sponsored by a government, are focused on a specific target, and will continue attacking for a very long time until they achieve their goal.
- Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets, usually business or political.
- Typically attributed to state-sponsored organizations and criminal enterprises.
- Differ from other types of attack by their careful target selection, and persistent, often stealthy, intrusion efforts over extended periods.
- High-profile attacks: Aurora, RSA, APT1, and Stuxnet.

Attack kit

Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.
- Initially, the development and deployment of malware required considerable technical skill by software authors.
- This changed with the development of virus-creation toolkits in the early 1990s, and then later of more general attack kits in the 2000s, that greatly assisted in the development and deployment of malware.
- Also known as "crimeware".
- Include a variety of propagation mechanisms and payload modules that even novices can deploy.
- Can also easily be customized.
- Greatly enlarged the population of attackers able to deploy malware.
- Known toolkits:
  + Zeus: used to generate a wide range of very effective, stealthed malware that facilitates a range of criminal activities, in particular capturing and exploiting banking credentials.
  + Blackhole, Sakura, and Phoenix

Uses of Bots

• Distributed denial-of-service (DDoS) attacks
• Spamming: With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam).
• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.
• Keylogging
• Spreading new malware: Botnets are used to spread new bots.
• Installing advertisement add-ons and browser helper objects (BHOs): Botnets can also be used to gain financial advantages.
  + This works by setting up a fake Web site with some advertisements: the operator of this Web site negotiates a deal with some hosting companies that pay for clicks on ads.
  + These clicks can be "automated" so that instantly a few thousand bots click on the pop-ups.
• Attacking Internet Relay Chat (IRC) chat networks:
  + Clone attack: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots.
• Manipulating online polls/games

Virus Phases

• Dormant phase:
  + The virus is idle.
  + The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
  + Not all viruses have this stage.
• Triggering phase:
  + The virus is activated to perform the function for which it was intended.
  + Can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Propagation phase:
  + The virus places a copy of itself into other programs or into certain system areas on the disk.
  + The copy may not be identical to the propagating version; viruses often morph to evade detection.
  + Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Execution phase:
  + The function is performed.
  + May be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
- Viruses are specific to a particular operating system or a particular hardware platform.
- They take advantage of the details and weaknesses of particular systems.

Worm replication

• Electronic mail or instant messenger facility: A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service, so that its code is run when the e-mail or attachment is received or viewed.
• File sharing: A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system, using the autorun mechanism by exploiting some software vulnerability, or when a user opens the infected file on the target system.
• Remote execution capability: A worm executes a copy of itself on another system, either by using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations.
• Remote file access or transfer capability: A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it.
• Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.

Generations of Anti-virus software

• First generation: simple scanners
  - requires a malware signature to identify the malware.
  - limited to the detection of known malware.
  - maintains a record of the length of programs and looks for changes in length as a result of virus infection.
• Second generation: heuristic scanners
  - does not rely on a specific signature.
  - uses heuristic rules to search for probable malware instances.
  - Another approach is integrity checking.
    -- A checksum can be appended to each program.
    -- If malware alters or replaces some program without changing the checksum, then an integrity check will catch this change.
• Third generation: activity traps
  - memory-resident programs that identify malware by its actions rather than its structure in an infected program.
• Fourth generation: full-featured protection
  - packages consisting of a variety of anti-virus techniques used in conjunction.
  - include scanning and activity trap components and access control capability, which limits the ability of malware to penetrate a system and then limits the ability of malware to update files in order to propagate.

Virus components

• Infection mechanism: The means by which a virus spreads or propagates, enabling it to replicate (also called the infection vector).
• Trigger: The event or condition that determines when the payload is activated or delivered, sometimes known as a logic bomb.
• Payload: What the virus does, besides spreading. May involve damage or may involve benign but noticeable activity.

Worm technology

• Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX; or exploit macro or scripting languages supported in popular document types.
• Multi-exploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media.
• Ultrafast spreading: Exploit various techniques to optimize the rate of spread of a worm to maximize its likelihood of locating as many vulnerable machines as possible in a short time period.
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading a wide variety of malicious payloads, such as distributed denial-of-service bots, rootkits, spam e-mail generators, and spyware.
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

