Malware and Malcode Taxonomy (K. Salah, lecture slides)
Posted on 15-Jan-2016
K. Salah 1
Malware

Malcode Taxonomy
The Ten Most Common Critical Cyber Security Threats
1. Malware attack with social engineering tactics
2. Spam
3. DoS and DDoS attack
4. Phishing and pharming (identity theft)
5. Botnets
6. IM and P2P attack
7. Mobile and wireless attack (Wi-Fi and Bluetooth)
8. Rootkits
9. Web application hacking
10. Hacking with Google
Most Advanced Critical Cyber Security Threats
1. Zero-day attack
2. Web 2.0 attack
3. VoIP attack
4. Web services attack
5. USB attack
Attack on the Critical Infrastructure
Government operations
Telecommunications
Electrical energy
Gas and oil storage and delivery
Water supply systems
Banking and finance
Transportation
Virus, Spam and Spyware Relationship
[Diagram: overlapping circles for Antispam, Antivirus and Antispyware products, with the categories Spam, Virus, Spyware, Worm, Phish/Adware and Zombie/Trojan placed where the product categories overlap.]
Digital Forensics Analysis
1. Incident notification
2. Understand the nature of the incident
3. Interview
4. Obtain authorization
5. Verify scope
6. Team assembly
7. Document the work area
8. Document the incident equipment
9. Move the equipment
10. Prepare two images
11. Preserve/protect the first image
12. Use the second image for restoration and examination
13. Data extraction and analysis
14. Watch assumptions: date/time
15. Review logs / interview
16. Analysis
17. Prepare findings
18. Lessons learned
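Steps 10 to 12 are the part of the procedure that a script can enforce. The following is an added example, not code from the slides: it images a source twice, hashes source and both images, makes the first (master) image read-only with its hash recorded beside it, and later re-verifies the master while the examiner is free to alter the working copy. A small constructed file stands in for the seized device; real acquisitions go through a hardware write blocker and a tool such as dd or dc3dd, but the hashing and two-copy discipline are the same.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 20


def sha256_of(path):
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_image(src, dst):
    """Bit-for-bit copy of the source into a new image file."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK), b""):
            d.write(chunk)


def acquire(source, workdir):
    """Steps 10-11: make two images, hash everything, make the master image
    read-only and record its hash next to it for the chain of custody."""
    master = os.path.join(workdir, "master.dd")
    working = os.path.join(workdir, "working.dd")
    source_hash = sha256_of(source)
    copy_image(source, master)
    copy_image(source, working)
    hashes = {"source": source_hash,
              "master": sha256_of(master),
              "working": sha256_of(working)}
    if len(set(hashes.values())) != 1:
        raise RuntimeError("acquisition hash mismatch: %r" % hashes)
    os.chmod(master, stat.S_IRUSR)            # master is never written again
    with open(master + ".sha256", "w") as f:  # recorded hash, kept with the image
        f.write("%s  master.dd\n" % hashes["master"])
    return {"hashes": hashes, "master": master, "working": working}


def verify_master(master):
    """Re-hash the master image and compare with the hash recorded at acquisition."""
    with open(master + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_of(master) == recorded


def demo():
    """Constructed example: a small file stands in for the seized disk."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "seized.img")
    with open(evidence, "wb") as f:
        f.write(b"BOOT" + os.urandom(4096) + b"fragment of a deleted file" + bytes(512))
    rec = acquire(evidence, workdir)
    # Step 12: the examiner works on (and may modify) the working copy only.
    with open(rec["working"], "r+b") as f:
        f.seek(0)
        f.write(b"XXXX")
    return {
        "hashes": rec["hashes"],
        "working_unchanged": sha256_of(rec["working"]) == rec["hashes"]["master"],
        "master_intact": verify_master(rec["master"]),
    }
```

The recorded hash is what goes into the custody log (step 8) and what the findings (step 17) cite; anyone can rerun verify_master to show the master was never touched, whatever happened to the working copy.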
Anti-forensic techniques
Anti-forensic techniques try to frustrate forensic investigators and their techniques.
1. Overwriting data and metadata
   1. Secure data deletion
   2. Overwriting metadata
   3. Preventing data creation
2. Cryptography, steganography, and other data hiding approaches
   1. Encrypted data
   2. Encrypted network protocols
   3. Program packers
   4. Steganography
   5. Generic data hiding
Examples
Timestomp: changes the dates of computer files (the four NTFS timestamps: modified, accessed, created and MFT entry modified); it can also set them so that EnCase shows blanks.
Slacker: stores files in the slack space of disk blocks (the unused bytes between the end of a file and the end of its last cluster), where ordinary file listings never show them.
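Timestomping leaves traces an examiner can look for. The block below is an added example, not from the slides: it reproduces what a timestomping tool does to a file (os.utime with whole-second values) and then applies three heuristics to flag it. The heuristics assume a filesystem that stores nanosecond timestamps (ext4, XFS, NTFS, APFS); the zero-sub-second check will false-positive on FAT or ext3. The file names and dates are constructed.

```python
import os
import tempfile
import time

NS = 1_000_000_000


def timestomp(path, fake_epoch_seconds):
    """What a timestomping tool does to the last-access and last-modified
    times: set them to a chosen whole-second value. On Linux the inode change
    time (ctime) cannot be set from user space; the kernel sets it to 'now'."""
    os.utime(path, (fake_epoch_seconds, fake_epoch_seconds))


def suspicious_timestamps(path, now=None):
    """Heuristics an examiner applies to a file whose dates look odd. Returns
    the list of reasons for suspicion (empty when nothing stands out)."""
    st = os.stat(path)
    now = time.time() if now is None else now
    reasons = []
    # 1. Timestomp-style tools write whole seconds; genuine writes almost never
    #    land on an exact .000000000 boundary.
    if st.st_mtime_ns % NS == 0 and st.st_atime_ns % NS == 0:
        reasons.append("zero sub-second precision on mtime and atime")
    # 2. mtime claims the file is old, but its metadata changed just now.
    if st.st_ctime - st.st_mtime > 365 * 86400 and now - st.st_ctime < 3600:
        reasons.append("ctime recent but mtime claims a year or older")
    # 3. Dates in the future cannot be genuine.
    if st.st_mtime > now + 60:
        reasons.append("mtime in the future")
    return reasons


def demo():
    """Constructed example: two fresh files, one of them timestomped to 2009."""
    workdir = tempfile.mkdtemp()
    honest = os.path.join(workdir, "report.txt")
    stomped = os.path.join(workdir, "dropper.exe")
    for path in (honest, stomped):
        with open(path, "wb") as f:
            f.write(b"constructed sample content\n")
    timestomp(stomped, 1230768000)  # 2009-01-01 00:00:00 UTC
    return {"honest": suspicious_timestamps(honest),
            "stomped": suspicious_timestamps(stomped)}
```

On NTFS the stronger check is to compare the $STANDARD_INFORMATION timestamps (the ones Timestomp rewrites) with the $FILE_NAME timestamps in the same MFT entry, which most timestomping tools leave alone; a $FILE_NAME creation time later than the $STANDARD_INFORMATION one is the classic tell.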
Virus Techniques
TSR (terminate and stay resident): the virus can hide in memory even after the infected program has stopped or has been detected.
Stealth viruses: execute the original code; the size of the file stays the same after infection; hide in memory within a system process; the virus infects the OS so that if a user examines the infected file, it appears normal.
Encrypted/polymorphic viruses: to hide virus signatures, encrypt the code; a polymorphic virus also has the code (in particular the decryptor) mutate from one infection to the next to defeat signature scanning.
Polymorphic Viruses
Virus Cleaning
Remove the virus from the file. This requires skills in software reverse engineering: identify the beginning and end of the payload and restore the file to its original form.
How hard is it to write a virus?
A simple Google search for "virus construction toolkit" turns up www.pestpatrol.com and tons of others. Conclusion: not hard.
Attaching code

Integrate itself

Completely replace

Boot Sector Virus
How viruses work
Attach
  Append to a program or e-mail; executes with the program
  Surround the program; executes before and after the program and erases its tracks
  Integrate into or replace the program code
Gain control
  The virus replaces the target
Reside
  In the boot sector, in memory, in an application program, or in libraries
Cont'd
Detection
  Virus signatures
  Storage patterns
  Execution patterns
  Transmission patterns
Prevention
  Don't share executables
  Use commercial software from reliable sources
  Test new software on isolated computers
  Open only safe attachments
  Keep a recoverable system image in a safe place
  Back up copies of executable system files
  Use virus detectors
  Update virus detectors often
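The appending infector, the encrypted body from the Virus Techniques slide, the "gain control" step and the cleaning procedure (find the beginning and end of the payload, restore the original) can all be shown on one toy file format. The block below is an added example written for this page; it is not code from the slides and contains no real virus. The "host program" is an arbitrary byte string, the "virus body" is a constructed byte string carrying a made-up signature, and the trailer layout (magic, original length, one-byte XOR key) is an assumption chosen so that the loader and the cleaner can locate the payload.

```python
import os
import struct

# Constructed stand-ins: the scanner's signature and the "virus body" that carries it.
SIGNATURE = b"DROP_AND_SPREAD"
PAYLOAD = b"\x90\x90" + SIGNATURE + b"\xc3"

# Trailer the infector appends so the loader (and the cleaner) can find the payload:
#   magic | length of the original host | one-byte XOR key for this instance
TRAILER = struct.Struct("<4sIB")
MAGIC = b"INFX"


def xor(data, key):
    return bytes(b ^ key for b in data)


def infect(host, payload=PAYLOAD):
    """Appending infector: the host keeps its code, the virus body is added at
    the end under a fresh key (an encrypted virus), plus the trailer that
    transfers control to the body first."""
    key = os.urandom(1)[0] or 1          # key 0 would leave the body in clear
    return host + xor(payload, key) + TRAILER.pack(MAGIC, len(host), key)


def parse_infection(image):
    """Locate the payload from the trailer. Returns (host_len, decrypted body)
    or None when the image carries no recognised infection."""
    if len(image) < TRAILER.size:
        return None
    magic, host_len, key = TRAILER.unpack(image[-TRAILER.size:])
    if magic != MAGIC or host_len > len(image) - TRAILER.size:
        return None
    return host_len, xor(image[host_len:-TRAILER.size], key)


def load_and_run(image):
    """Toy loader: an infected image runs the decrypted virus body before the
    host (the 'gain control' step); a clean image just runs itself."""
    found = parse_infection(image)
    if found is None:
        return [("host", image)]
    host_len, body = found
    return [("virus", body), ("host", image[:host_len])]


def signature_scan(image):
    """Static scanner: looks for the signature bytes as stored on disk.
    Misses the encrypted body because a different key is used each time."""
    return SIGNATURE in image


def emulating_scan(image):
    """Scanner that runs the decryptor and scans what it produces."""
    found = parse_infection(image)
    return found is not None and SIGNATURE in found[1]


def disinfect(image):
    """Virus cleaning: the trailer gives the beginning of the payload
    (host_len) and its end; everything before host_len is the original."""
    found = parse_infection(image)
    if found is None:
        return image
    return image[:found[0]]
```

Two infections of the same host carry the same body under different keys, so a byte-pattern scanner sees two different files and finds the signature in neither, while a scanner that emulates the decryptor finds it in both. Note that in this model the decryptor (the fixed trailer layout and magic) is itself a constant and could be signatured; a truly polymorphic engine mutates the decryptor as well, which is why the slide separates "encrypt the code" from "have the code mutate".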
Virus Effects and Causes

Virus effect                  How it is caused
Attach to executable          Modify file directory
                              Write to executable program file
Attach to data/control file   Modify directory
                              Rewrite data
                              Append to data
                              Append data to self
Remain in memory              Intercept interrupt by modifying interrupt handler address table
                              Load self in non-transient memory area
Infect disks                  Intercept interrupt
                              Intercept OS call (to format disk, for example)
                              Modify system file
                              Modify ordinary executable program
Conceal self                  Intercept system calls that would reveal self and falsify results
                              Classify self as "hidden" file
Spread self                   Infect boot sector
                              Infect systems program
                              Infect ordinary program
                              Infect data that an ordinary program reads to control its execution
Prevent deactivation          Activate before deactivating program and block deactivation
                              Store copy to reinfect after deactivation
Virus vs. Worm
Both are malicious code. A virus attaches itself to a host program or file and does its harm when the host runs; a worm is self-contained and propagates on its own over the network, and its main effect is the resources (bandwidth, CPU, memory) it consumes while spreading.
Exploitation of Flaws: Targeted Malicious Code
Trapdoors
  An undocumented entry point in code, for example program stubs used during testing
  Left in intentionally or unintentionally: forgotten, left for testing or maintenance, or left for covert access
Salami attack
  Merges inconsequential pieces to get big results. A salami attack is a series of minor data-security attacks that together result in a larger attack.
  For example, fraud in a bank where an employee steals a small amount of funds from several accounts, i.e. a deliberate diversion of fractional cents, is a salami attack.
  Too difficult to audit: each diversion is smaller than the rounding on a single statement, and the ledger totals still balance.
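The fractional-cent diversion, and why it is hard to audit, can be reproduced in a few lines. The following is an added example, not from the slides: an honest interest posting, the salami version that truncates every account to the cent and credits the shaved fractions to the attacker's account, and an audit that runs the two reconciliations a bank could apply. The balances, the 3.25 % rate and the account names are constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0325") / 12     # constructed annual rate of 3.25 %


def exact_interest(balance):
    return balance * MONTHLY_RATE


def post_interest_honest(accounts):
    """Normal month-end posting: each account gets its interest rounded to the cent."""
    return {acct: exact_interest(bal).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in accounts.items()}


def post_interest_salami(accounts, attacker):
    """Salami version: every account is credited its interest truncated to the
    cent, and the shaved fractions are accumulated into the attacker's account.
    No victim loses as much as one cent, and the grand total still balances."""
    posted = {}
    skim = Decimal(0)
    for acct, bal in accounts.items():
        exact = exact_interest(bal)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = truncated
        skim += exact - truncated
    posted[attacker] += skim.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def audit(accounts, posted, per_account_tolerance=Decimal("0.005")):
    """Two reconciliations. The ledger-total check passes for both postings,
    which is why salami fraud is hard to audit; only the per-account
    comparison against the exact figure exposes the collecting account."""
    exact_total = sum(exact_interest(bal) for bal in accounts.values())
    posted_total = sum(posted.values())
    total_ok = abs(posted_total - exact_total) <= per_account_tolerance * len(accounts)
    overpaid = {acct: posted[acct] - exact_interest(accounts[acct])
                for acct in posted
                if posted[acct] - exact_interest(accounts[acct]) > per_account_tolerance}
    return {"total_ok": total_ok, "overpaid": overpaid,
            "total_drift": posted_total - exact_total}


def constructed_accounts(n=2000):
    """Deterministic synthetic balances so the example runs offline."""
    accounts = {"acct-%04d" % i: Decimal(500 + (i * 7919) % 9000) + Decimal((i * 31) % 100) / 100
                for i in range(n)}
    accounts["acct-mallory"] = Decimal("50.00")
    return accounts
```

With 2000 accounts the skim is on the order of ten dollars a month from a posting whose total drifts from the exact figure by less than a cent; the total check is therefore useless, and the audit has to compare each credited amount with what that account was actually due.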
Exploitation of Flaws: Targeted Malicious Code (cont'd.)
Covert Channels
  An example of a human/student covert channel
  Programs that leak information: Trojan horse
Discovery
  Analyze system resources for patterns
  Flow analysis from a program's syntax (automated)
  Difficult to close
  Not much documented
  Potential damage is extreme

File lock covert channel
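The file lock covert channel can be demonstrated end to end. The block below is an added example written for this page, not code from the slides: the sender (the Trojan horse that can read the secret but is not allowed to send it anywhere) holds an exclusive flock on a shared file during a slot to signal a 1 and leaves it unlocked for a 0; the receiver probes with a non-blocking lock and reads the bit from whether the probe is refused. It needs fcntl, so it runs on Linux or macOS. The two barriers stand in for the agreed time slots a real channel would use; the secret is a constructed byte string.

```python
import fcntl
import os
import tempfile
import threading


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def sender(path, bits, slot_start, slot_end):
    """The Trojan horse side: signals 1 by holding an exclusive lock on the
    shared file during the slot and 0 by leaving it unlocked. flock does
    not need write access, so a world-readable file is enough."""
    fd = os.open(path, os.O_RDONLY)
    try:
        for bit in bits:
            if bit:
                fcntl.flock(fd, fcntl.LOCK_EX)
            slot_start.wait()          # slot begins: receiver probes now
            slot_end.wait()            # slot over: safe to change the lock
            if bit:
                fcntl.flock(fd, fcntl.LOCK_UN)
    finally:
        os.close(fd)


def receiver(path, nbits, slot_start, slot_end, out):
    """The unprivileged side: probes with a non-blocking lock. A refusal
    (EWOULDBLOCK) means the sender holds the lock, i.e. a 1 bit."""
    fd = os.open(path, os.O_RDONLY)
    try:
        for _ in range(nbits):
            slot_start.wait()
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                fcntl.flock(fd, fcntl.LOCK_UN)
                out.append(0)
            except BlockingIOError:
                out.append(1)
            slot_end.wait()
    finally:
        os.close(fd)


def run_channel(secret):
    """Leak `secret` through the lock state of a temporary file and return
    what the receiver decoded."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    bits = to_bits(secret)
    slot_start, slot_end = threading.Barrier(2), threading.Barrier(2)
    received = []
    rx = threading.Thread(target=receiver,
                          args=(path, len(bits), slot_start, slot_end, received))
    rx.start()
    sender(path, bits, slot_start, slot_end)
    rx.join()
    os.unlink(path)
    return from_bits(received)
```

Nothing is written to the file and no data crosses a network, which is why such channels are "difficult to close": the only defence is the discovery step on the slide, looking for a process that acquires and releases a lock in a regular pattern that serves no purpose of its own.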
K. Salah 26
Race ConditionsRace Conditions
In wu-ftpd v2.4 In wu-ftpd v2.4 Allows root accessAllows root accessSignal handlingSignal handling
SIGPIPE EUID=user changes to EUID=root to logout the user
and access privileged operations and files It takes some time to do this
SIGURG Logging out is broken/stopped and prompt is gotten
back with EIUD=root
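The race is easiest to see with real signals. The block below is an added example that models the pattern described on the slide; it is not wu-ftpd's code, and the effective uid is a plain attribute rather than a real seteuid call so it runs without root. The cleanup path raises "privileges", does its work, and drops them; a SIGURG is delivered to the main thread in the middle. With mask_sigurg=False the SIGURG handler runs while the session is still root, which is the slide's bug. With mask_sigurg=True the signal is blocked with pthread_sigmask for the duration of the privileged section and handled only after privileges are dropped, and the drop sits in a finally so no exit path skips it. Unix only; timings are constructed.

```python
import signal
import threading
import time


class Session:
    """Per-connection state of the model daemon: which effective uid the
    command loop is running under, and what the OOB handler observed."""
    def __init__(self):
        self.euid = 1000                 # the logged-in, unprivileged user
        self.seen_by_urg_handler = []


def logout_cleanup(session, mask_sigurg):
    """The lost-connection path (SIGPIPE in the slide): become root to remove
    session state, then drop back to the user. The sleep stands in for the
    privileged work and is where a SIGURG can land."""
    if mask_sigurg:
        saved = signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGURG})
    try:
        session.euid = 0                 # EUID=root
        time.sleep(0.4)                  # "it takes some time to do this"
    finally:
        session.euid = 1000              # drop privileges on every exit path
        if mask_sigurg:
            signal.pthread_sigmask(signal.SIG_SETMASK, saved)


def simulate(mask_sigurg):
    """Deliver SIGURG to the main thread 0.1 s into the cleanup and report the
    euid the OOB handler saw. mask_sigurg=False reproduces the race;
    mask_sigurg=True defers the signal until privileges are dropped."""
    session = Session()
    main_tid = threading.main_thread().ident

    def on_sigurg(signum, frame):
        # In the daemon this handler returns the client to the command prompt;
        # whatever euid is in force now is what the client runs commands with.
        session.seen_by_urg_handler.append(session.euid)

    previous = signal.signal(signal.SIGURG, on_sigurg)
    oob = threading.Timer(0.1, signal.pthread_kill, args=(main_tid, signal.SIGURG))
    try:
        oob.start()
        logout_cleanup(session, mask_sigurg)
        oob.join()
        time.sleep(0.05)                 # let a deferred handler run
    finally:
        signal.signal(signal.SIGURG, previous)
    return session.seen_by_urg_handler
```

The general lesson is the one behind the slide: any code that temporarily holds elevated privilege is a critical section, and signal handlers that can run inside it (or unwind out of it, as the wu-ftpd handler did by returning the user to the prompt) must either be blocked for its duration or be unable to observe the elevated state.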