Malicious Software: CSc 115 lecture notes (athena.csus.edu/~cookd/115/notes/CSC 115 - Summer...)




Malware

Week 1 – Part 2: Malicious Software

Basics of Dangerous Software

Malware

Malware refers to any malicious software

• designed to damage or destroy data

• designed to steal data

• designed to scam or extort the user

Primary objectives of malware

• infecting systems

• concealing its purpose

• making profit

5/30/2018 Sacramento State - Cook - CSc 115 - Summer 2018 (slide 3)

Classifying Malware

Malware can be as complex as any application

As a result, the dangerous features it can have vary greatly

In the following slides…

• these "categories" should be considered attributes

• malware can have multiple attributes

• all can destroy


Types of Malware

Malware that Spreads

• Viruses

• Worms

Malware that Steals

• Spyware

• Keyloggers

Malware that Controls

• Botnets


Types of Malware

Malware that Deceives

• Trojans

• Adware

• Rogueware

Malware that Conceals

• Rootkits

• Logic Bomb

• Backdoor


Viruses

Malware that Spreads

A virus is a malicious program that is able to infect files with copies of itself

Attributes:

• infects a program (executable)

• doesn’t spread over networks

• relies on user action to spread

• viruses are spread by transferring infected files

Viruses

When an Infected Program Runs…

Virus executes…

• it might wait for a trigger event which is a specific date/event that determines if it attacks

• or it might attack immediately

Virus replicates

• looks for more programs to infect

• once found, it copies itself to the victim program

Example Virus Actions

Display a political message

Cause a computer to repeatedly crash or behave poorly

Destroy/corrupt data or format the hard drive

Turn off computer’s security settings

Example Virus Diatribe


Duuuuuuuude!

Symptoms of a Virus Infection

Files

• files are deleted and/or modified

• files "appear" out of nowhere

Performance degradation

Application software changes

• some applications disappear

• browser reconfiguration


Common Virus Variants

File virus

• attaches itself to an application program

• not as common now as in the past

Macro virus / Script virus

• infects users by running a script

• misuses scripting technology

• e.g. the "I Love You" virus


Common Virus Variants

Resident virus

• infects files used by the operating system

• since the OS is always running, so is the virus

Companion virus

• adds copycat programs to the operating system

• telling the real from the fake is difficult

Common Virus Variants

Boot virus

• infects the Master Boot Record

• every time the computer boots, it runs

Multipartite virus

• can infect and spread multiple ways

• e.g. boot sector, files, etc…


Stealth Viruses

Stealth viruses contain features designed to hide from security software

Some features:

• self-modifying – change signature each time

• polymorphic – encrypt randomly

• metamorphic – they rewrite themselves!

• tunneling – intercepts OS calls (trick security)

• armored – thwarts attempts to examine it


File Virus Infection Methods

An appender infection appends itself to the end of a file

Start of the program is modified so it jumps to the end of the file (the virus)

After the virus runs, it returns to the host program’s code

Host code executes properly

File Virus Infection Methods

A swiss cheese infection: viruses inject themselves into executable code

Original code stored inside virus code

Host code executes properly

File Virus Infection Methods


A split infection virus splits into several parts

Parts placed at random positions in host program

Head of virus code starts at beginning of file

Host code executes properly

ILOVEYOU Virus

Attacked in May, 2000

Global epidemic!

Came as an e-mail

• titled simply I Love You

• it came from someone you know!

• came with an attachment


LOVE-LETTER-FOR-YOU.TXT.vbs

ILOVEYOU Virus: How it attacked

Attachment was active

• Visual Basic Script file

• used Windows Scripting Host

• no security – full control on your computer!

ILOVEYOU Virus: What it did

Sent copies of itself to everyone in your Outlook list

Infected your computer

• replaced all JPG, JPEG, etc..

• new file had same name – well, they kinda did…

• parents.jpg became parents.jpg.vbs
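Added here as an example, not taken from the slides: a mail-gateway style check for the double-extension trick the ILOVEYOU attachment used. The extension lists and verdict names are assumptions made for the example.

```python
"""Added example (not from the lecture slides): flag e-mail attachment
names that hide a script or executable behind a harmless-looking
extension, as LOVE-LETTER-FOR-YOU.TXT.vbs and parents.jpg.vbs did."""
from __future__ import annotations

# Extensions that Windows Scripting Host or the shell will run directly.
# Assumed list for the example, not an exhaustive catalogue.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr",
                   "bat", "cmd", "com", "pif", "hta"}
# Extensions a user would expect to be passive data.
BENIGN_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "doc", "pdf", "mp3"}


def classify_attachment(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment file name.

    Only the LAST extension decides how Windows opens a file, so
    'parents.jpg.vbs' is a script whatever the middle part suggests.
    """
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return "allow", f".{last} is not a script/executable type"
    # A benign-looking inner extension before a script extension is the
    # ILOVEYOU disguise; a bare executable is merely suspicious.
    if len(parts) >= 3 and parts[-2] in BENIGN_EXTS:
        return "block", f"disguised script: .{parts[-2]} before .{last}"
    return "quarantine", f"executable attachment (.{last})"


def scan_attachments(names: list[str]) -> dict[str, list[str]]:
    """Group a batch of attachment names by verdict."""
    out: dict[str, list[str]] = {"allow": [], "quarantine": [], "block": []}
    for n in names:
        verdict, _ = classify_attachment(n)
        out[verdict].append(n)
    return out


if __name__ == "__main__":
    # Constructed sample batch; the first two names come from the slides.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "parents.jpg.vbs",
              "report.pdf", "setup.exe", "photo.jpeg"]
    for name in sample:
        print(f"{name:30} -> {classify_attachment(name)}")
```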

Worms

Malware that Spreads

Worms

Named after a tapeworm

Spreads like a virus, but has some different attributes

It breaks into your computer

• exploits an application or operating system vulnerability

• sends copies over a network

• does not need a host document


Worms

Worms may:

• consume resources or

• leave behind a payload to harm infected systems

Examples of worm actions

• delete computer files

• allow remote control of a computer by an attacker

Viruses vs. Worm

Attribute                    | Virus                               | Worm
How it spreads               | Attaches itself to files            | Breaks into computers over a network
How it infects               | Inserts copies of itself into files | Exploits vulnerabilities in an application or system
Does it need user action?    | Yes                                 | No
Can it be remote controlled? | No                                  | Yes

Keyloggers

Software that Steals

Keylogger

Program that is able to capture a victim's keystrokes

Everything that the victim types is recorded

This data can be…

• saved in a file and later retrieved by the attacker

• or sent over the Internet


Keylogger

Attacker can retrieve

• passwords

• credit card numbers

• instant messages

• personal information

• etc…


Example Keylogger


Hardware Keyloggers

Keyloggers can also be implemented as small hardware devices

These are secretly…

• physically inserted on a computer between the keyboard cable and computer port

• unlikely to be detected

• must be removed by attacker to collect data

• but…software cannot detect it!

Variants of Hardware Keyloggers

There are also versions for PS/2 (older port)

For the USB version…

• the keylogger can also act as a thumb drive

• makes it easier to retrieve data

Some hardware keyloggers can transmit data over the Internet using Wi-Fi

Hardware Keyloggers


Keylogger installed

Spyware

Malware that Steals

What is Spyware?

Spyware is software designed to steal your personal data… and often uses this to manipulate you

What Spyware Does

Steals your personal data

• secretly track your online activity

• steal your passwords

• steal your photos and personal files

Exploits you to make money

• private data is sold to advertisers

• private data can be sold on the black-market


Symptoms of Spyware

Continuous pop-up windows

• often based on a website's content

• may even appear when you are not using a browser

Start Page Hijacking

• your start page changes and you cannot change it!

• the page is related to the spyware

Symptoms of Spyware

Poor performance

• computer becomes slow and/or unstable

• your Internet connection becomes slow

Software appears out of nowhere

• software is installed on your computer without your permission

• in particular, toolbars are added to your browser

SEVERE INFESTATION

How Spyware Installs

How it gets on your computer

How You Get Infested

Hidden in some free software

• software distributor gets money from the spyware maker

• software distributor tends to be unscrupulous

Website links to an executable

• the link will open an installation program!

• never open a link that ends in .exe


How You Get Infested

Drive-by downloads

• misuse of ActiveX technology

• website prompts you to download - maybe

Worm attack

• spyware is downloaded and installed secretly

• exploits any bugs in browsers, networks, etc...

• often misuses ActiveX technology


Adware

Software that Deceives

Adware

Adware is malicious software that delivers advertising content that is unexpected and unwanted by the user

Typically displays advertising banners and pop-up ads

May open new browser windows randomly

Commonly used with spyware


Symptoms of Adware

Performance degradation

Constant pop-up ads

• appear regardless of what website you are on – or even if you have one open

• may display objectionable content

Trojans

Software that Deceives

Trojans

Named after the Trojan Horse

Appears safe

• pretends to be legitimate software

• pretends to be safe or beneficial

• ... but it performs "secret" actions

Can carry other malicious code

Does not replicate itself


Example Trojan

User downloads “free calendar program”

Program scans system for credit card numbers and passwords

Transmits information to attacker through network

Rogueware

Software that Deceives

Rogueware

Criminals know…

• people are afraid of malware

• it is an omnipresent enemy

• people will buy or download software that will protect them

Danger ...

• some create fake anti-spyware applications

• pretends to find horrible software, but it’s a lie


Malware by Many Different Names

These are officially called "rogue anti-spyware" or more generally "rogueware"

Also called:

• scamware

• scareware

• ransomware


Rogueware and Trojans

They are similar to Trojans

• pretend to help the user

• but perform malicious actions

What they typically do

• give false positives – fake spyware alerts

• download new software – often spyware

• try to convince user to buy the "full" version


Human Engineering

LIES!


Example: Virtumonde / Vundo

Spyware & Rogueware

One of the most dangerous!

How it gets installed

• e-mail attachment

• browser security flaws – Java, etc....

• drive-by downloads


Example: Virtumonde / Vundo

What it does – that you can see

• pop-ups saying your computer is unstable

• screensaver changed to blue screen of death

• hijacks start page

• hijacks searches to spyware sites

• changes the desktop – icon, wallpaper


Example: Virtumonde / Vundo

What it does – attacks security

• deletes security software!

• attempts to hide – massive loss of hard disk space

• Safe Mode is damaged – blue screen of death

• prevents downloading software it doesn't like

• damages the Windows Control Panel

• will reinstall itself


How Vundo-ful…

Fake Blue Screen of Death

Example: SpywareQuake/ VirusBurst

DANGER: fake anti-spyware software

What it does

• attacks your computer with a worm / trojan

• displays fake warning windows

• gives false positives

• tries to convince users to buy the "full" version


DANGER – Malware Website

False Positives

Try to get the victim to pay

Bots &

Botnets

Malware that Controls

Bots

A bot is a program running on your computer that is controlled by someone else

Infected computer is called a zombie

Generally spread using worms and Trojans


Bots

Operates secretly…

• not visible and victims have no idea it is there

• provides a means of concealing the attacker's actions

Can remain active for years

Large percentage of zombies…

• are accessible at any given time

• due to growth of always-on Internet services


Botnets

The "bot herder" can have thousands of computers under their control

The collection of controlled bots is called a "botnet"

They can do anything from sending spam to cyber-warfare

Some Common Botnet Actions


Type of Attack            | Description
Spamming                  | Herder sends a spam message to the botnet. Each bot sends it to thousands of people. Almost all spam is sent this way. Some bots can also harvest e-mail.
Spreading Malware         | Botnets can be used to spread malware and create new zombies and botnets. Each bot can download, send and install software.
Manipulate Online Polls   | Each zombie has a unique IP address, so online polls consider them different computers (which they are).
Denial of Service Attacks | Botnets can flood a web server with thousands of requests and overwhelm it. When attacked, a server cannot respond to legitimate requests.

Denial of Service Attacks

Hacker infects multiple hosts with a bot

All bots send packets toward the target

Target is overwhelmed

Effectively shut down – can't talk to other hosts
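Added example, not from the slides: detection logic for the flood just described, run over constructed web-server log lines. It separates the many-zombies pattern (one request each from many addresses) from a flood by a single noisy host; the window size, thresholds and sample addresses are assumptions for the example.

```python
"""Added example (not from the lecture slides): spot a botnet-style
flood in a web server log by counting requests per time window and how
many distinct source addresses produce them. All log lines are constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
import re

# Common log format: the client address and timestamp are all this check needs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> tuple[str, int] | None:
    """Return (source_ip, epoch_seconds), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), TIME_FMT)
    return m.group(1), int(ts.timestamp())


def detect_floods(lines: list[str], window_s: int = 10,
                  max_requests: int = 30, min_sources: int = 20) -> list[dict]:
    """Flag every window whose request count exceeds max_requests.

    A flood spread across at least min_sources addresses matches the
    slide's picture (many zombies, one packet each); a flood from one
    or a few addresses can be blocked at the source instead.
    """
    windows: dict[int, list[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than crash on a malformed line
        ip, t = parsed
        windows[t - t % window_s].append(ip)
    alerts = []
    for start in sorted(windows):
        ips = windows[start]
        if len(ips) <= max_requests:
            continue
        distinct = len(set(ips))
        verdict = "distributed flood" if distinct >= min_sources else "single-source flood"
        alerts.append({"window_start": start, "requests": len(ips),
                       "sources": distinct, "verdict": verdict})
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: quiet traffic, then 40 zombies, then one noisy host."""
    fmt = '{ip} - - [30/May/2018:12:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="192.0.2.10", sec=1), fmt.format(ip="192.0.2.11", sec=3),
             fmt.format(ip="192.0.2.10", sec=7)]
    for i in range(40):          # one request each from 40 bot hosts
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", sec=30 + i % 10))
    for i in range(35):          # 35 requests from a single host
        lines.append(fmt.format(ip="203.0.113.5", sec=50 + i % 10))
    lines.append("not a log line")  # malformed input is ignored
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```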

Rootkits

Malware that Conceals

Rootkits

A rootkit is a collection of software tools designed to hide attacker activity

Main goals:

• hide malicious actions

• hide the presence of malicious software


Typical Actions

Hide or remove traces of log-in records or log entries

Alter or replace operating system files with modified versions

Increase the attacker's permissions to "root" – giving them administrator power

Dismantle security

Nuker

Software that is designed to destroy all evidence of an intrusion

Targets logs, temporary files, etc…

Generally runs on the victim computer

Evidence of the nuker program will probably still exist

Detecting Rootkits

Rootkits can be detected using programs that compare file contents with original files

Rootkits that operate at the operating system’s lower levels may be difficult to detect

Hackers tend to personalize their software

• which software they choose to put in their “kit”

• comments and other information in the software
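Added example, not from the slides: the baseline-and-compare check described above, applied to a throwaway directory. It also covers the appender and companion infections from the File Virus Infection Methods slides, since each changes a file's hash, its size, or the set of files present; file names and contents are constructed.

```python
"""Added example (not from the lecture slides): record a baseline of
file fingerprints, then report files that were modified, added or
removed. An appender changes a file's start and size, a companion
virus adds a look-alike file, and a rootkit swaps an OS file for a
modified copy; every one of those shows up in the comparison."""
from __future__ import annotations
import hashlib
import os
import tempfile


def file_fingerprint(path: str) -> tuple[str, int]:
    """SHA-256 digest and byte size of a file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def build_baseline(root: str) -> dict[str, tuple[str, int]]:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def verify(root: str, baseline: dict[str, tuple[str, int]]) -> dict[str, list[str]]:
    """Compare the tree against the baseline: modified, new and missing files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Simulate the infections on constructed files and return the report."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"HOST-CODE", "notes.txt": b"hello", "svc.dll": b"SERVICE"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Appender-style change: start rewritten to a jump, payload at the end.
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"JMP-END" + b"HOST-CODE" + b"PAYLOAD")
        # Companion-style change: a look-alike file appears beside the real one.
        with open(os.path.join(root, "app.com"), "wb") as f:
            f.write(b"FAKE")
        # Rootkit-style change: same size as the original, so only the hash differs.
        with open(os.path.join(root, "svc.dll"), "wb") as f:
            f.write(b"SERVICF")
        os.remove(os.path.join(root, "notes.txt"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored where the attacker cannot rewrite it, and a rootkit running below the operating system can hand the checker clean file contents, which is the slide's point about low-level rootkits being hard to detect.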

Removing Rootkits

Removal of a rootkit can be difficult

But, it must be removed

• rootkit files must be erased

• original operating system files must be restored

• reformat hard drive and reinstall operating system

Backdoors

Malware that Conceals

A backdoor is software code that circumvents normal security software

Common practice by developers when creating a new system

Backdoors


Why? It helps in testing the final product

They intend to remove them in the final application

But, they might be forgotten

Dangerous if an attacker finds out

Backdoors

Attackers will often install their own backdoors on a corrupted system

It will allow them (and their allies) to enter the system again with ease

The system might be used for additional attacks, a base of operations, or to host contraband

Logic Bombs

Malware that Conceals

Malware Behavior

A logic bomb is a program that lies dormant on a system then "detonates" based on a specific event

Difficult to detect before it is triggered

Classic Examples (Viruses)

Michelangelo Virus (1991)

• bomb exploded on March 6 (his birthday)

• no mention of Michelangelo in the virus code – so probably not what the creator intended

• destroys data

Many Fingers Virus (1999) • counts keypresses and detonates at 3,000

• displays: CRITICAL ERROR 08/15: TOO MANY FINGERS ON KEYBOARD ERROR.

• harmless – albeit rather annoying


Famous Logic Bombs

What it did: Caused 1,000 computers to delete critical data at a financial services company

Reason for attack: A disgruntled employee counted on this to cause the company's stock to drop, from which they would profit

Results: Detonated. The employee was caught and sentenced to 8 years in prison and to pay $3.1 million in restitution

What it did: Delete important rocket project data at a defense contractor

Reason for attack: Employee's plan was to be hired as a highly paid consultant to fix the problem

Results: Discovered and disabled. Employee was charged with tampering and fined $5,000

What it did: Destroy data on the employee's birthday at a health services firm

Reason for attack: Employee was angered that they might be laid off (he was not)

Results: Detonated. Employee was sentenced to 30 months in federal prison and to pay $81,200 in restitution