Malware
Monil Adhikari

Understanding Malware

Viruses
• A virus propagates by infecting other programs
• It automatically creates copies of itself, but to propagate a human has to run an infected program
• Self-propagating viruses are often called worms
• Many propagation methods:
  • Insert a copy into every executable (.COM, .EXE)
  • Insert a copy into the boot sectors of disks
  • PC era: the “Stoned” virus infected PCs booted from infected floppies, stayed in memory, and infected every floppy inserted afterwards
  • Infect common OS routines and stay resident in memory

First Virus: Creeper
• Written in 1971 at BBN
• Infected DEC PDP-10 machines running the TENEX OS
• Jumped from machine to machine over the ARPANET
• Copied its state over, then tried to delete the old copy
• Payload: displayed the message “I’m the creeper, catch me if you can!”
• Later, Reaper was written to hunt down Creeper

http://history-computer.com/Internet/Maturing/Thomas.html

Polymorphic Viruses
• Encrypted viruses: a constant decryptor followed by the encrypted virus body
• Polymorphic viruses: each copy creates a new random encryption of the same virus body, so the body never looks the same twice
• If only the key changes, the decryptor code stays constant and can itself be detected by a signature; a polymorphic engine therefore also rewrites the decryptor in every copy (register renaming, instruction reordering, junk instructions) so that no fixed byte string survives
• Historical note: the “Crypto” virus decrypted its body by brute-force key search, avoiding an explicit decryptor stub altogether
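The two detection problems on this slide, as an added toy example that is not part of the presentation: the "virus body" is a plain byte string, and the decryptor stub and its polymorphic variants are constructed placeholder byte sequences, not machine code. It shows that an encrypted virus leaks a constant stub that a signature scanner catches, that a polymorphic copy does not, and that scanning after decryption (here a 256-key brute force standing in for the emulation real scanners use) catches both.

```python
import os

# Everything below is a constructed toy: the "virus body" is a plain byte
# string and the "decryptor" is a placeholder byte sequence, not machine code.
VIRUS_BODY = b"FAKE-VIRUS-BODY: display 'catch me if you can', then infect .EXE files"
BODY_SIGNATURE = b"FAKE-VIRUS-BODY"      # what a scanner knows about the plaintext body

# Constant decryptor stub of an encrypted virus. Every copy carries it
# unchanged, so the stub itself is a usable signature.
STUB = b"\xe8\x00\x00\x00\x00\x5e\x83\xc6\x0c\xb9"

# Functionally equivalent stubs a polymorphic engine chooses from (constructed).
# Real engines rename registers, reorder independent instructions and insert
# junk; the effect is the same: none of them contains STUB as a substring.
STUB_VARIANTS = [
    b"\xe8\x00\x00\x00\x00\x5f\x83\xc7\x0c\xb9",         # different register
    b"\xe8\x00\x00\x00\x00\x5e\x90\x83\xc6\x0c\xb9",     # junk NOP inserted
    b"\x90\x90\xe8\x00\x00\x00\x00\x5e\x83\xc6\x0c\xba", # padding, other counter
]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encrypted_copy(body: bytes = VIRUS_BODY) -> bytes:
    """Encrypted virus: constant stub, one key byte, then the XOR'd body."""
    key = os.urandom(1)[0]
    return STUB + bytes([key]) + xor_bytes(body, key)


def polymorphic_copy(body: bytes = VIRUS_BODY) -> bytes:
    """Polymorphic virus: a fresh key *and* a rewritten decryptor per copy."""
    key = os.urandom(1)[0]
    stub = STUB_VARIANTS[os.urandom(1)[0] % len(STUB_VARIANTS)]
    junk = b"\x90" * (os.urandom(1)[0] % 4)          # variable-length padding
    return junk + stub + bytes([key]) + xor_bytes(body, key)


def stub_signature_scan(sample: bytes) -> bool:
    """Classic signature scanning: look for the fixed decryptor bytes."""
    return STUB in sample


def bruteforce_decrypt_scan(sample: bytes) -> bool:
    """Signature scanning after decryption. A single-byte XOR has only 256
    keys, so trying them all on the whole sample is cheap; commercial AV
    instead emulates the decryptor in a sandbox, but the principle is the
    same: match the body, not the ever-changing wrapper."""
    return any(BODY_SIGNATURE in xor_bytes(sample, key) for key in range(256))


if __name__ == "__main__":
    enc, poly = encrypted_copy(), polymorphic_copy()
    print("encrypted copy, stub signature  :", stub_signature_scan(enc))       # True
    print("polymorphic copy, stub signature:", stub_signature_scan(poly))      # False
    print("polymorphic copy, decrypt + scan:", bruteforce_decrypt_scan(poly))  # True
```

The brute-force scanner is the defender's mirror image of the "Crypto" trick on the slide: a key space small enough for the virus to search at run time is small enough for the scanner to search too. Real polymorphic engines use longer keys and decryptor loops of their own design, which is why generic decryption by emulation replaced key search.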

Computer Worms
• A computer worm is malware that distributes itself over a network without waiting for a person to run an infected program: it exploits a vulnerable network service directly, or (mass-mailing worms) e-mails copies of itself to every address it finds
• Each copy reproduces itself many times, so a single infected computer can send out hundreds of copies with devastating effect
• The scanning and copying load alone can make the infected computer run very slowly and possibly even crash
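What that scanning load looks like from the network side, as an added example that is not part of the presentation: a worm hunting for a vulnerable service contacts many hosts it has never talked to before, so counting distinct destinations per source and port inside a short sliding window flags it. The flow records are constructed sample data, and the window and threshold values are illustrative assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, str, int]


def sample_flows() -> List[str]:
    """Constructed flow records '<iso time> <src> <dst> <dport> <proto>'; not
    real traffic. 10.0.0.5 talks to three file servers at a human pace;
    10.0.0.9 sweeps 10.0.1.0/24 on TCP 445 in 40 seconds, the way a worm
    hunting for a vulnerable SMB service does."""
    base = datetime(2011, 2, 16, 9, 0, 0)
    lines = []
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.0.{20 + i % 3} 445 TCP")
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.9 10.0.1.{i + 1} 445 TCP")
    return lines


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, _proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def fanout_alerts(lines: List[str], window_s: int = 60,
                  threshold: int = 20) -> Dict[Tuple[str, int], int]:
    """Map (src, dport) -> peak number of distinct destinations seen inside
    any `window_s`-second window, for sources that reach `threshold`.
    Ordinary hosts talk to a handful of servers; a scanning worm contacts
    many addresses it never contacted before, so fan-out is the signal."""
    per_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines):
        per_key[(src, dport)].append((ts, dst))

    alerts: Dict[Tuple[str, int], int] = {}
    for key, events in per_key.items():
        in_window: Dict[str, int] = defaultdict(int)   # dst -> hits in window
        start = 0
        for ts, dst in events:                          # sliding window
            in_window[dst] += 1
            while ts - events[start][0] > timedelta(seconds=window_s):
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (src, port), peak in fanout_alerts(sample_flows()).items():
        print(f"ALERT {src} -> {peak} distinct hosts on port {port} within 60 s")
```

Fan-out is the same signal whether the worm spreads over SMB, SSH or anything else; the port only tells you which service it is after. Expect legitimate scanners (vulnerability management, backup discovery) to trip this too, so whitelist them by source address rather than raising the threshold.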

Phishing
• Definition from http://www.onguardonline.gov/:
• Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.

Pharming
• Norton Internet Security defines pharming as:

• Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information to perpetrate online scams, but are more difficult to detect in many ways because they are not reliant upon the victim accepting a “bait” message. Instead of relying completely on users clicking on an enticing link in fake email messages, pharming instead re-directs victims to the bogus Web site even if they type the right Web address of their bank or other online service into their Web browser.

Spam
• According to Norton:

• Email Spam is the electronic version of junk mail. It involves sending unwanted messages, often unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks.

Protecting Yourself From Phishing
• On Guard Online suggests many different ways to protect your computer and information:
  • Do not e-mail private information
  • Be careful when opening attachments, regardless of who sent them
  • Update all antivirus and antispyware software regularly
  • Do not reply to e-mail pop-ups
  • If you think you have been scammed, report it at http://www.ftc.gov/bcp/edu/microsites/idtheft/

Protecting Yourself From Pharming
• Norton suggests:
  • Keep your computer updated
  • Review bank statements carefully and regularly
  • Remember that online offers that seem too good to be true… usually are
• Because pharming redirects at the DNS or hosts-file level, the site's HTTPS certificate is the strongest tell: a bogus server cannot present a valid certificate for the bank's real name, so never click through a browser certificate warning on a banking site

Controlling Spam
• Norton suggests:
  • Install a spam blocker
  • Try reading e-mail in plain text
  • If you think an e-mail is spam, do not reply, just delete it
  • Reject all instant messages from people not on your buddy list

Real-World Examples

Byzantine Hades
• 2006–09 cyber-espionage attacks against US companies and government agencies
• The attack websites, located in China, used the same precise postal code as the People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau
• A targeted e-mail results in the installation of a Trojan: the Gh0st / Poison Ivy remote access tools (the same tooling behind the GhostNet espionage network)
• Stole 50 megabytes of e-mail, documents, usernames and passwords from a US government agency
• The same tools were used to penetrate Tibetan exile groups, foreign diplomatic missions, etc.

Night Dragon
• Started in November 2009
• Targets: oil, energy and petrochemical companies
• Propagation vectors:
  • SQL injection on external Web servers to harvest account credentials
  • Targeted e-mails to company executives (spear-phishing)
  • Password cracking and “pass the hash” attacks to move laterally on the internal network
• Install customized RAT tools, steal internal documents, and deliver them to servers in China
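The first Night Dragon vector, as an added example that is not part of the presentation and not the attackers' code: a credential-lookup query written the vulnerable way beside the parameterized fix, run against a constructed in-memory SQLite table whose "hashes" are placeholder strings. The point is why an external web server's SQL injection hands over the credential store that feeds the password cracking and pass-the-hash steps that follow.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample account table (in memory). The hashes are
    placeholder strings, not real password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "engineer"),
        ("bob", "hash-of-bob-pw", "executive"),
        ("svc_backup", "hash-of-svc-pw", "service"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The flaw: the request parameter is pasted into the SQL text, so the
    database cannot tell data from code."""
    sql = f"SELECT username, pwhash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: a bound parameter travels separately from the statement and
    is only ever compared as a value, quotes and all."""
    return conn.execute(
        "SELECT username, pwhash FROM users WHERE username = ?", (username,)
    ).fetchall()


# A tautology payload: the WHERE clause becomes  username = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Rows returned to the attacker by each version for the same input."""
    conn = build_db()
    return len(lookup_vulnerable(conn, PAYLOAD)), len(lookup_parameterized(conn, PAYLOAD))


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))      # every account
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))   # []
```

Escaping quotes by hand is not an alternative to parameters; it fails as soon as a numeric column, a different quoting rule or a second encoding is involved. The same dump of `pwhash` values is what makes the next two vectors on the slide work: offline cracking needs the hashes, and pass-the-hash needs nothing more than the hashes.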

RAT Capabilities
• A “dropper” program installs the RAT DLL, launches it as a persistent Windows service, and deletes itself
• The RAT notifies a specified C&C server and waits for instructions
• The attacker at the C&C server has full control of the infected machine: can view files and the desktop, manipulate the registry, and launch a command shell
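"Notifies the C&C server and waits for instructions" means a timer-driven check-in, and that regularity is detectable in the DNS logs the Detect step below asks you to verify. The following is an added example, not part of the presentation: it parses constructed DNS query log lines and flags client/name pairs whose inter-query gaps have a low coefficient of variation. The host names, intervals and thresholds are illustrative assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed DNS query log lines '<iso time> <client> <qname>'; not real data.
# 10.0.0.7 resolves its C&C name every 300 s with small jitter (a RAT checking
# in for instructions); 10.0.0.5 resolves a news site at human intervals.
BEACON_JITTER = [3, -2, 1, 0, -1, 2, 0, 1, -3, 2, 0, -1]
HUMAN_OFFSETS = [0, 47, 130, 131, 600, 1900, 1905, 2400, 3100, 3150, 3152, 3400]


def sample_dns_log() -> List[str]:
    base = datetime(2011, 2, 16, 9, 0, 0)
    lines = []
    for i, j in enumerate(BEACON_JITTER):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.7 update.example-cdn.test")
    for s in HUMAN_OFFSETS:
        t = base + timedelta(seconds=s)
        lines.append(f"{t.isoformat()} 10.0.0.5 news.example.test")
    return lines


def beacon_candidates(lines: List[str], min_events: int = 8,
                      max_cv: float = 0.2) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Map (client, qname) -> (mean gap in seconds, coefficient of variation)
    for pairs whose query times are suspiciously regular. cv = stdev / mean:
    a timer-driven implant sits near 0 even with jitter, a person sits far
    above 1. min_events keeps one-off coincidences out."""
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        times[(client, qname)].append(datetime.fromisoformat(ts))

    found: Dict[Tuple[str, str], Tuple[float, float]] = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found[key] = (round(mean, 1), round(cv, 3))
    return found


if __name__ == "__main__":
    for (client, qname), (mean, cv) in beacon_candidates(sample_dns_log()).items():
        print(f"BEACON? {client} -> {qname}: every ~{mean}s, cv={cv}")
```

Software updaters and monitoring agents beacon too, so the output is a candidate list, not a verdict; rank it by how few other clients resolve the same name and how recently the domain was registered. Implants that randomize their sleep widely push cv above any fixed cutoff, which is why mature detections also look at byte counts per session and at the long-run count of check-ins per day.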

Who Was Behind Night Dragon?
• C&C servers hosted in Heze City, Shandong Province, China
• All data exfiltration went to IP addresses in Beijing, on weekdays, between 9am and 5pm Beijing time
• Uses generic tools from Chinese hacking sites:
  • Hookmsgina and WinlogonHack: password stealing
  • ASPXSpy: Web-based RAT

Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials.

The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.

At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network.

The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.

One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It's just that it is dreadfully effective."

Restricting Malware
• Step 1 – Plan: know the vectors malware uses to enter and spread, and cover each one
  • Vulnerabilities in client-side software on workstations
  • Vulnerabilities in network-accessible software on servers
  • Social engineering techniques, which are often part of malware-propagation tactics
  • Removable media, such as USB keys
  • Weak passwords on network-accessible accounts

Restricting Malware
• Step 2 – Resist
  • Install and maintain a modern anti-virus suite
  • Lock down the configuration of the operating system
  • Control what software is installed and allowed to run
  • Restrict outbound and inbound network access
  • Protect Web browsing activities
  • Limit user account access and minimize user privileges
  • Keep up with security patches
  • Enforce change management practices
  • Identify, investigate, and respond to anomalies

Restricting Malware
• Step 3 – Detect
  • Use a change detection tool to discover unauthorized modifications
  • Educate end users
  • Train the IT staff
  • Review security event logs
  • Employ intrusion detection systems
  • Verify DNS logs
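The first item on this list, as an added example that is not part of the presentation and not any particular product: a minimal change detection tool that baselines a directory by content hash, saves the baseline, and later reports files added, removed or modified. The demo runs entirely in a temporary directory it constructs itself, staging the three traces a RAT dropper from the earlier slide leaves: a new DLL, a patched service binary and a deleted log.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, List]:
    """Map relative path -> [size, sha256] for every regular file under root.
    Content hashes, not timestamps: an attacker with write access can reset
    mtimes, but cannot keep the same SHA-256 after changing a file."""
    return {
        p.relative_to(root).as_posix(): [p.stat().st_size, hash_file(p)]
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(b: Dict[str, List], path: Path) -> None:
    path.write_text(json.dumps(b, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, List]:
    return json.loads(path.read_text())


def diff_baselines(old: Dict[str, List], new: Dict[str, List]) -> Dict[str, List[str]]:
    """Report what a dropper leaves behind: new files, patched binaries,
    deleted files."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline a small tree, then
    simulate a dropper that adds a DLL, patches the service binary and
    deletes a log to cover its tracks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "host"
        (root / "bin").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"legit service binary v1")
        (root / "bin" / "config.ini").write_text("loglevel=info\n")
        (root / "logs" / "svc.log").write_text("service started\n")
        save_baseline(take_baseline(root), Path(d) / "baseline.json")

        (root / "bin" / "rat.dll").write_bytes(b"dropped payload")               # new file
        (root / "bin" / "svc.exe").write_bytes(b"legit service binary v1+hook")  # patched
        (root / "logs" / "svc.log").unlink()                                     # log wiped

        before = load_baseline(Path(d) / "baseline.json")
        return diff_baselines(before, take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats that decide whether this is useful in practice. Keep the baseline where the monitored host cannot rewrite it (a read-only share or a separate server), otherwise the same dropper that patches the binary simply re-baselines it. And remember the "infect common OS routines, stay in memory" slide: a kernel-resident rootkit can lie to `open()` and `read()`, so a scan from the live system is only trustworthy if the system is; scanning the disk from clean boot media closes that gap.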

Restricting Malware
• Step 4 – Respond