Chapter 7 - Malicious Code
11/10/2024

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

• Intruder
• Hacker: attack phases
• Malicious Software:
  o Malicious Software - Introduction
  o Malware Terminology
  o Where malware lives
  o What to Infect
  o Taxonomy of Malicious Software
• Modern Malware
• Malware analysis

10/10/2024 2


• A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.
• User trespass (intrusion) can take the form of:
  o unauthorized logon to a machine, or
  o an authorized user gaining privileges, or
  o performing actions beyond those that have been authorized.
• Software trespass can take the form of a:
  o virus,
  o worm, or
  o Trojan horse.


• The two most publicized threats to security are the intruder (often referred to as a hacker or cracker) and viruses.
• 3 classes of intruders:
  o Masquerader: a person who penetrates a system's access controls to exploit a legitimate user's account -> typically an outsider
  o Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges -> an insider
  o Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls -> outsider or insider
• Another classification: benign vs. serious intruders


• Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users.
• However, there is no way to know in advance whether an intruder will be benign or harmful.
• IDSs and IPSs are designed to counter this type of hacker threat.
• One result of the growing awareness of the intruder problem has been the establishment of a number of Computer Emergency Response Teams (CERTs), which
  o collect and disseminate vulnerability information and responses.


Hacker attack phases:
1. Footprinting / Reconnaissance
2. Scanning and Enumeration
3. Gaining access
4. Maintaining access
5. Covering tracks

Malicious Software:
• Malicious Software - Introduction
• Malware Terminology
• Where malware lives
• What to Infect
• Taxonomy of Malicious Software


• Malicious software (malware): programs that exploit system vulnerabilities
  o program fragments that need a host program
    - e.g. viruses, logic bombs, and backdoors
  o independent, self-contained programs
    - e.g. worms, bots
  o either category may replicate or not
• a sophisticated threat to computer systems


[Figure: Portable Executable in Windows - Q1, 2022 (Avira Cyber Threat Report)]


Where malware lives (classic auto-start locations):
• Auto-start folder
• Win.ini: "run=[backdoor]" or "load=[backdoor]"
• System.ini: shell=myexplorer.exe (in place of the normal shell=explorer.exe)
• Autoexec.bat
• Config.sys
• Init.d (init scripts on Unix-like systems)
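As an added example (not code from the lecture): a small Python check that parses Win.ini / System.ini style entries like those above and flags a run=, load= or shell= value that is not the stock default. The INI text and the table of expected defaults are constructed for the example; on a real machine you would read the two files from the Windows directory instead.

```python
"""Check legacy Windows autostart settings (win.ini / system.ini) for
persistence entries of the kind listed above. Added example with constructed
INI text; it does not read a real system."""
import re

# Constructed samples: a stock configuration and one with a backdoor planted
# through "load=" in win.ini and "shell=" in system.ini.
CLEAN_INI = """
[boot]
shell=explorer.exe
[windows]
load=
run=
"""

INFECTED_INI = """
[boot]
shell=myexplorer.exe
[windows]
load=C:\\Windows\\System32\\backdoor.exe
run=
"""

# Values a stock system carries for the keys malware likes to hijack.
# Anything else is worth a look. (Assumed defaults for this example.)
EXPECTED = {
    ("boot", "shell"): {"explorer.exe"},
    ("windows", "load"): {""},
    ("windows", "run"): {""},
}


def parse_ini(text):
    """Return {(section, key): value} for a simple INI-style file."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def find_autostart_anomalies(text):
    """Return [(section, key, value)] for monitored keys whose value is not a known default."""
    findings = []
    for (section, key), value in parse_ini(text).items():
        allowed = EXPECTED.get((section, key))
        if allowed is not None and value.lower() not in allowed:
            findings.append((section, key, value))
    return findings


if __name__ == "__main__":
    for name, ini in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(name, find_autostart_anomalies(ini))
```

The same allow-list idea carries over to the other locations in the list (Startup folder contents, Autoexec.bat, init.d scripts): record the known-good state once, then diff.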


What to infect:
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record


Taxonomy of malicious software:
• Needs a host program: trap door, logic bomb, Trojan horse, (malicious) applet, virus
• Stand-alone: worm, zombie
• Replicates: virus, worm

Virus:
• a piece of software that infects other programs
  o modifying them to include a copy of the virus
  o so that it executes secretly when the host program is run
• specific to an operating system and hardware
  o taking advantage of their details and weaknesses


Virus lifecycle: Dormant -> Propagation -> Triggering -> Execution
• Dormant:
  o The virus is idle. It will eventually be activated by some event.
• Propagation:
  o The virus places an identical copy of itself into other programs or into certain system areas.
• Triggering:
  o The virus is activated to perform the function for which it was intended, by some event such as a date or the presence of another program or file.
• Execution:
  o The function is performed, which may be harmless or damaging.


• components:
  o infection mechanism - enables replication
  o trigger - event that makes the payload activate
  o payload - what it does, malicious or benign
• the virus code can be prepended, postpended, or embedded in the host
• when the infected program is invoked, it executes the virus code first, then the original program code
• defenders can try to block the initial infection (difficult)
• or block propagation (with access controls)


• Structure of a simple virus V:
  o line 1: jump to the "main" of the virus program
  o line 2: a special flag (marks the host as infected or not)
• Main:
  o find uninfected programs and infect them
  o do something damaging to the system
  o jump to the first line of the host program, which then does its normal work
• The infected program grows by the size of the virus. To avoid detection by size, the virus can compress the host program on infection and decompress it before running it (a compression virus, CV):
  1. P1 is infected with CV. An uninfected P2 is found, and the virus compresses that file to P2'.
  2. A copy of the virus is prepended to the compressed program.
  3. The compressed version of the original infected program (P1's host) is uncompressed.
  4. The uncompressed program is executed.
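The compression virus above, simulated in Python as an added example (not the lecture's code and not a real virus): the "file system" is a dict of byte strings, the virus body is a placeholder string, and "running" a program returns the bytes the host would execute. It shows the infected-flag check, the compress-then-prepend step, and why the infected file is not noticeably larger than the original.

```python
"""In-memory simulation of the compression virus CV described above (the
example in Stallings' textbook, originally due to Cohen). Added example, not
the lecture's own code: 'programs' are byte strings in a dict that stands in
for a file system, and 'executing' a program means returning the bytes that
would run. Nothing here touches disk."""
import zlib

MARKER = b"CV-INFECTED;"      # line 2 of the virus: the 'already infected' flag
VIRUS_BODY = b"<virus-code>"  # placeholder for the virus's own instructions
HEADER = MARKER + VIRUS_BODY  # fixed-length prefix prepended to each victim


def is_infected(program: bytes) -> bool:
    """The flag check that stops the virus from infecting a file twice."""
    return program.startswith(MARKER)


def infect(program: bytes) -> bytes:
    """Steps 1-2: compress the victim, then prepend a copy of the virus.
    Compression offsets the added virus bytes, so the file size barely changes."""
    if is_infected(program):
        return program
    return HEADER + zlib.compress(program, 9)


def run(name: str, fs: dict) -> bytes:
    """Execute program `name`. An infected program first runs the virus main
    (infect one uninfected program), then steps 3-4: decompress the original
    host and hand control to it. Returns the host code that would execute."""
    program = fs[name]
    if not is_infected(program):
        return program                          # clean program: just runs
    for victim, code in fs.items():             # virus main: find a target
        if victim != name and not is_infected(code):
            fs[victim] = infect(code)           # steps 1-2 on that target
            break
    return zlib.decompress(program[len(HEADER):])   # steps 3-4 on itself


def demo() -> dict:
    """Constructed 'file system' with one infected program; returns it after one run."""
    p1 = b"MOV AX,1; INT 21h; " * 40   # repetitive 'code' compresses well
    p2 = b"PUSH BX; CALL 0x10; " * 40
    fs = {"P1": infect(p1), "P2": p2}
    host = run("P1", fs)
    assert host == p1                  # the host still does its normal work
    return fs


if __name__ == "__main__":
    for name, code in demo().items():
        print(name, len(code), "bytes, infected:", is_infected(code))
```

Running P1 once leaves P2 infected and smaller than it was, which is exactly what defeats a size-based check; a hash or a signature of the HEADER bytes would still catch it.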


• Elk Cloner (1982): the first known microcomputer virus that spread "in the wild".
• Brain (1986): the first MS-DOS-based virus, which targeted IBM PC systems.
• Morris Worm (1988): one of the first worms distributed via the Internet.
• CIH or Chernobyl virus (1998): a destructive virus that rendered machines unbootable.
• ILOVEYOU or Love Letter (2000): attacked tens of millions of Windows PCs via email.
• Code Red and Code Red II (2001): worms that exploited a vulnerability in Microsoft's IIS.
• Slammer or Sapphire (2003): a worm whose scanning traffic caused a widespread DoS.
• Blaster or MSBlast (2003): exploited a vulnerability in Windows and generated a large amount of network traffic.
• Sobig.F (2003): circulated through email as viral spam.
• Mydoom (2004): an extremely rapidly spreading email-based worm.
• Sasser and Netsky (2004): caused problems in networks of Windows systems.
• Conficker (2008): a worm that targeted Windows and consumed network resources.
• Stuxnet (2010): caused substantial damage to Iran's nuclear program.
• CryptoLocker (2013): ransomware.
• WannaCry (2017): ransomware that infected hundreds of thousands of computers worldwide.
• NotPetya (2017): masqueraded as ransomware, targeted Ukraine but had global effects.
• Bad Rabbit (2017): a ransomware attack believed to be related to NotPetya.

• Based on the target, there are the following types of viruses:
  o Boot Sector
  o File Infector
  o Memory-Resident
  o Multipartite
  o Macro
  o Browser hijacking
  o Web scripting
• Based on concealment:
  o Encrypted
  o Stealth
  o Polymorphic
  o Metamorphic


• Boot Sector Virus: infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (the original DOS viruses).

• Memory-resident Virus:
  o resides in RAM
  o infects running programs
• File Infector:
  o infects executable files: .com, .exe, .pif, .sys, ...
  o attaches itself to executable files as part of their code
  o runs whenever the host program is executed
• Multipartite:
  o infects in more than one way, typically both the boot sector and executable files, so it can spread through either route and is harder to clean completely

• Macro Virus:
  o became very common in the mid-1990s
  o platform independent: infects documents (Word, ...) rather than executables
  o easily spread; written in the application's macro language, usually a dialect of Basic (e.g. VBA)
  o more recent Office releases include macro protection
  o recognized by many anti-virus programs
• Browser hijacking:
  o a type of virus that attacks the browser and automatically redirects it to other websites.
• Web scripting:
  o this virus infiltrates the background of popular websites, usually social media platforms.
  o the code is disguised as normal links, luring users to click on them, at which point the virus enters the computer and starts spreading.

Rootkit:
• resides in the operating system and modifies OS code and data structures
• a set of programs installed for admin access that may hide its existence
  o difficult to determine that the rootkit is present and to identify what changes have been made
  o disrupts reporting mechanisms for processes, files, registry entries, ...
• can be classified by whether it survives a reboot and by execution mode:
  o persistent: activates each time the system boots; stores code in a persistent store
  o memory-based: has no persistent code and therefore cannot survive a reboot
  o user mode: intercepts calls to APIs and modifies the returned results
  o kernel mode: can intercept calls to native APIs in kernel mode; may hide the malware process by removing it from the kernel's list of active processes
• installed by a user via a Trojan, or by an intruder already on the system
• a range of countermeasures is needed


Rootkit system-call hooking (the rootkit filters the call and its results):
• modify the system call table
• modify the system call table targets
• redirect the system call table

E-mail virus:
• a more recent development
• e.g. Melissa
  o exploits an MS Word macro in the attached document
  o if the attachment is opened, the macro activates
  o sends email to everyone on the user's address list
  o and does local damage
• later versions were triggered simply by reading the email
• hence much faster propagation
• attachment file types that should never be opened if ...:
  .EXE, .PIF, .BAT, .VBS, .COM


• Encrypted Virus: a portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated, so the encrypted body differs in every copy.
• Stealth Virus: explicitly designed to hide from virus-scanning programs (e.g. by intercepting reads of the infected file).
• Polymorphic Virus: mutates with every new host, so no fixed byte signature matches all copies and signature detection alone is useless.
• Metamorphic Virus: rewrites itself completely with every new host and may change its behavior as well as its appearance.

Virus countermeasures:
• prevention: the ideal solution, but difficult
• realistically we need:
  o detection
  o identification
  o removal
• if a virus is detected but cannot be identified or removed, the infected program must be discarded and replaced
• Solutions:
  o Anti-Virus
  o Generic Decryption
  o Digital Immune System
  o Behavior-Blocking Software

• virus and anti-virus technology have both evolved
• early viruses were simple code, easily removed
• as viruses became more complex, so did the countermeasures
• Generations:
  o Scanners:
    - first: signature scanners
    - second: heuristics
  o Real-time monitors:
    - third: identify actions
    - fourth: combination packages
[Figure: Kaspersky]

Generic Decryption (GD):
• runs executable files through a GD scanner:
  o a CPU emulator to interpret instructions
  o a virus scanner to check for known virus signatures
  o an emulation control module to manage the process
• lets the virus decrypt itself in the interpreter
• periodically scans the emulated memory for virus signatures
• the issue is how long to interpret and scan
  o tradeoff: chance of detection vs. time delay
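An added example covering both the encrypted virus described earlier and the generic decryption scanner above (not the lecture's code; the cipher is a one-byte XOR and the emulator is a plain loop, both stand-ins for the real thing): replicate() writes a copy with a fresh key each time, so a fixed signature no longer matches, while generic_decryption() emulates the decryptor until the body appears in emulated memory and then matches the same signature. The budget parameter is the detection-versus-delay tradeoff. The virus body, signature and stub are constructed strings.

```python
"""Added example for the concealment techniques and for generic decryption
(GD): why a signature fails once the virus body is encrypted with a fresh key
per copy, and how emulating the decryptor until the body is in the clear lets
the scanner match it. The 'virus' is constructed text, the cipher is a one-byte
XOR, and the 'emulator' is a byte-by-byte loop; none of this is real malware."""
import os

BODY = b"FIND-HOST;INFECT;DAMAGE;JMP-HOST"   # plaintext virus body (constructed)
SIGNATURE = b"INFECT;DAMAGE"                 # substring the scanner knows
STUB = b"DECRYPT:"                           # stands in for the decryptor code


def replicate(body=BODY, key=None):
    """Make one copy: decryptor stub, the key stored with the virus, encrypted body.
    A different random key per copy changes every byte of the encrypted part."""
    if key is None:
        key = os.urandom(1)[0] or 1          # avoid key 0 (identity)
    encrypted = bytes(b ^ key for b in body)
    return STUB + bytes([key]) + encrypted


def signature_scan(sample, sig=SIGNATURE):
    """First-generation scanner: a fixed byte pattern."""
    return sig in sample


def generic_decryption(sample, sig=SIGNATURE, budget=64):
    """GD scanner: emulate the decryptor one 'instruction' at a time, scanning the
    emulated memory every few steps, and give up after `budget` steps. The budget
    is the detection-vs-delay tradeoff on the slide: too small and the body
    is never fully decrypted, so the signature is never seen."""
    if not sample.startswith(STUB):
        return signature_scan(sample, sig)    # no decryptor: plain scan
    key = sample[len(STUB)]
    cipher = sample[len(STUB) + 1:]
    memory = bytearray()                      # the emulator's view of the virus
    for step, b in enumerate(cipher, 1):
        if step > budget:
            break
        memory.append(b ^ key)                # one step of the decryption loop
        if step % 8 == 0 and sig in memory:   # periodic signature scan
            return True
    return sig in memory


if __name__ == "__main__":
    copy = replicate()
    print("plain signature scan:", signature_scan(copy))
    print("generic decryption:  ", generic_decryption(copy))
    print("GD with budget 8:    ", generic_decryption(copy, budget=8))
```

A real GD engine faces the same two failure modes the toy shows: an emulation budget shorter than the decryption loop, and a sample that does not look like it needs emulation at all.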

Digital Immune System:
• when a new virus enters an organization, the system captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to other systems so that it can be detected before it is allowed to run elsewhere.

 —
Secret entry point into a program

 Allows those who know access by passing usual security


procedures

 Remains hidden to casual inspection

 Can be a new program to be installed

 Can modify an existing program

 Trap doors can provide access to a system for unauthorized


procedures
 Very hard to block in O/S

10/10/2024 38

19
11/10/2024

Logic bomb:
• one of the oldest types of malicious software
• a piece of code that executes when predefined conditions are met
• logic bombs that execute on certain days are known as time bombs
• activated when specified conditions are met:
  - presence or absence of some file
  - a particular date or time
  - a particular user
• when triggered, typically damages the system:
  - modify or delete files or disks, halt the machine, etc.

Trojan horse:
• Named after the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user but are actually harmful.

• A Trojan horse is a malicious program that is designed to look like authentic, genuine software.
• Common features of Trojan programs:
  o capturing screenshots of your computer
  o recording keystrokes and sending files to the attacker
  o giving full access to all your drives and files
  o the ability to use your computer for other hacking-related activities

• What can a Trojan do?
  o erase or overwrite data on a computer
  o spread other viruses or install a backdoor (a 'dropper')
  o enroll the machine in a network of zombie computers used to launch DoS attacks or send spam
  o log keystrokes to steal information such as passwords and credit card numbers (a key logger)
  o phish for bank or other account details, which can be used for criminal activities
  o or simply destroy data
  o mail the password file

Worm:
• a replicating program that propagates over the network
  o using email, remote execution, remote login
• has 4 phases like a virus
• may disguise itself as a system process
• once active:
  o it can behave as a computer virus or bacteria,
  o it could implant Trojan horse programs,
  o or perform any number of disruptive or destructive actions
• features:
  o does not require a host application to perform its activities
  o does not necessarily require any user interaction, direct or otherwise, to function
  o replicates extremely rapidly across networks and hosts
  o consumes bandwidth and resources

Morris Worm:
• one of the best-known worms, released by Robert Morris in 1988
• various attacks on UNIX systems
  o cracking the password file to use login/password pairs to log on to other systems
  o exploiting a bug in the finger daemon (fingerd)
  o exploiting a bug in sendmail
  o used a number of different techniques for propagation
• if it succeeded in getting remote shell access
  o it sent a bootstrap program to copy the worm over
• Effects of the worm
  o estimated cost of $100,000 to $10,000,000
  o around 6,000 major UNIX machines were infected
  o Clifford Stoll, who helped fight the worm, reported that removing it from a machine often took two days
Worm propagation model:
• The speed of propagation and the total number of hosts infected depend on a number of factors, including
  o the mode of propagation,
  o the vulnerability or vulnerabilities exploited,
  o the degree of similarity to preceding attacks.

• Code Red
  o July 2001, exploiting an MS IIS bug
  o probes random IP addresses, launches a DDoS attack
  o consumes significant network capacity when active
• Code Red II variant includes a backdoor
• SQL Slammer
  o early 2003, attacks MS SQL Server
  o compact and very rapid spread
• Mydoom
  o mass-mailing e-mail worm that appeared in 2004
  o installed a remote-access backdoor on infected systems
Modern worm technology:
• Multiplatform: not limited to Windows; can attack a variety of platforms, especially popular varieties of UNIX
• Multi-exploit: worms penetrate systems in a variety of ways
• Ultrafast spreading: techniques to accelerate the spread of a worm
• Polymorphic: to evade detection, skip past filters, and foil real-time analysis
• Metamorphic: have a repertoire of behavior patterns that are unleashed at different stages of propagation
• Transport vehicles: ideal for spreading other distributed attack tools, such as distributed denial of service bots
• Zero-day exploit: to achieve maximum surprise and distribution

Worm countermeasures:
• overlap with anti-virus techniques
• once a worm is on a system, A/V can detect it
• worms also cause significant network activity
• worm defense approaches include:
  o signature-based worm scan filtering
  o filter-based worm containment
  o payload-classification-based worm containment
  o threshold random walk scan detection
  o rate limiting and rate halting
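Threshold random walk (TRW) scan detection from the list above, implemented in Python as an added example (not the lecture's code) after Jung et al., "Fast Portscan Detection Using Sequential Hypothesis Testing" (2004). Each first-contact connection from a source either succeeds or fails; the likelihood ratio moves up on failures and down on successes until it crosses one of two thresholds. The parameter values and the log lines are assumptions constructed for the example.

```python
"""Threshold random walk (TRW) scan detection, one of the containment
approaches listed above, run over constructed connection-log lines. Added
example implementing the sequential hypothesis test of Jung et al. (2004);
the parameter values are the commonly quoted ones and are assumptions here."""
THETA0, THETA1 = 0.8, 0.2   # P(first-contact connection succeeds): benign vs scanner
PD, PF = 0.99, 0.01         # target detection probability / false-positive probability
ETA1 = PD / PF              # upper bound on the likelihood ratio: declare scanner (99)
ETA0 = (1 - PD) / (1 - PF)  # lower bound: declare benign (about 0.0101)

# Constructed log: "src -> dst:port outcome" for each connection attempt.
# 10.0.0.5 sweeps port 445, 10.0.0.9 talks to web servers, 10.0.0.7 is mixed.
LOG = """\
10.0.0.5 -> 10.0.1.1:445 fail
10.0.0.9 -> 10.0.2.7:80 ok
10.0.0.5 -> 10.0.1.2:445 fail
10.0.0.5 -> 10.0.1.2:445 fail
10.0.0.7 -> 10.0.2.7:80 ok
10.0.0.9 -> 10.0.2.8:443 ok
10.0.0.5 -> 10.0.1.3:445 fail
10.0.0.7 -> 10.0.1.9:22 fail
10.0.0.9 -> 10.0.2.9:80 ok
10.0.0.5 -> 10.0.1.4:445 fail
10.0.0.5 -> 10.0.1.5:445 fail
10.0.0.9 -> 10.0.2.10:80 ok
"""


def parse_log(text):
    """Yield (src, dst, succeeded) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _, dst_port, outcome = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        yield src, dst, outcome == "ok"


def trw(text):
    """Run TRW per source host. Only the first contact with each destination
    counts; repeat attempts to the same dst are ignored. Returns
    ({src: 'scanner' | 'benign'}, {src: likelihood_ratio}); undecided hosts
    appear only in the second dict."""
    ratio, seen, verdict = {}, {}, {}
    for src, dst, ok in parse_log(text):
        if src in verdict:
            continue                           # already decided; stop watching
        if dst in seen.setdefault(src, set()):
            continue                           # not a first contact
        seen[src].add(dst)
        # Likelihood ratio P[outcome | scanner] / P[outcome | benign]:
        # a success multiplies by 0.25, a failure by 4.
        factor = THETA1 / THETA0 if ok else (1 - THETA1) / (1 - THETA0)
        ratio[src] = ratio.get(src, 1.0) * factor
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
    return verdict, ratio


if __name__ == "__main__":
    decided, ratios = trw(LOG)
    for src, r in ratios.items():
        print(src, round(r, 4), decided.get(src, "undecided"))
```

With these thresholds four consecutive first-contact failures are enough to flag a scanner and four successes enough to clear a host, which is why TRW reacts far faster than a simple failed-connections-per-minute counter; the price is that a worm which hits mostly live hosts on a dense subnet looks benign to it.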


Zombie:
• a program which secretly takes over another networked computer and forces it to run under a common command-and-control infrastructure.
• uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
• difficult to trace the zombie's creator
• infected computers (mostly Windows machines) are now the major delivery method of spam.
• zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

[Figure: DDoS through zombies. Attacker (Russia) -> Handler (Bulgaria) -> Zombies -> Victim (United States). Zombies can barrage a victim server with requests, causing the network to fail to respond to anyone.]

• Bot: a program that secretly takes over hundreds or thousands of computers and then uses them to launch attacks that are difficult to trace to the bot's creator.
• Botnet: the collection of bots
• A botnet has these characteristics:
  o the bot functionality
  o a remote control facility
    - via IRC/HTTP etc.
  o a spreading mechanism
    - attack software, vulnerability, scanning strategy
• various counter-measures are applicable
• Some uses of bots include:
  o DDoS attacks, spamming, sniffing traffic, keylogging, spreading new malware, installing advertisement add-ons.

[Figure: Botnet. Attacker (China) -> Handler (Hungary) -> Bots/Zombies. Bots host illegal movies, music, pornography, criminal web sites, ... and forward spam for financial gain.]

Ransomware:
• a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.

• 1. Crypto malware: encrypts things like your files, folders, and hard drives. Victims are asked to pay the ransom in Bitcoin to retrieve their data.
• 2. Lockers: infect your operating system to completely lock you out of your computer or device, making it impossible to access any of your files or applications (e.g. Android-based lockers).
• 3. Scareware: fake software that acts like an antivirus or a cleaning tool. It often claims to have found issues on your computer and demands money to resolve the problems; some scareware locks your computer or floods your screen with alerts and pop-up messages.
• 4. Doxware: threatens to publish your stolen information online if you don't pay the ransom.
• 5. RaaS (Ransomware-as-a-Service): malware hosted anonymously by a criminal group that handles everything from distributing the ransomware and collecting payments to managing decryptors (software that restores data access) in exchange for a cut of the ransom.
• 6. Mac ransomware: Mac operating systems were hit by their first ransomware in 2016, known as KeRanger, which infected Apple users' systems through a trojanized build of the Transmission BitTorrent client.
• 7. Ransomware on mobile devices

Mitigation and Prevention

• Malware Analysis
  o the process of understanding the behavior and purpose of a suspicious file or URL.
  o the output of the analysis aids in the detection and mitigation of the potential threat.
• The key benefit of malware analysis is that it helps incident responders and security analysts:
  o pragmatically triage incidents by level of severity
  o uncover hidden indicators of compromise (IOCs) that should be blocked
  o improve the efficacy of IOC alerts and notifications
  o enrich context when threat hunting

• Static Analysis
  o does not require that the code is actually run.
  o examines the file for signs of malicious intent.
  o can be useful to identify malicious infrastructure, libraries or packed files.
  o limitation: sophisticated malware can include malicious runtime behavior that goes undetected.
• Dynamic Analysis
  o executes suspected malicious code in a safe environment called a sandbox.
  o enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.
• Hybrid Analysis (includes both of the techniques above)

• Static Properties Analysis
  o static properties include strings embedded in the malware code, header details, hashes, metadata, etc.
  o can indicate whether a deeper investigation using more comprehensive techniques is necessary and determine which steps should be taken next.
• Interactive Behavior Analysis
  o understand the sample's registry, file system, process and network activities.
  o conduct memory forensics to learn how the malware uses memory.
  o behavioral analysis requires a creative analyst with advanced skills.
  o the process is time-consuming and complicated, so in practice it is combined with automated tools.
• Fully Automated Analysis
  o quickly and simply assesses suspicious files.
  o can determine potential repercussions.
  o the best way to process malware at scale.
• Manual Code Reversing
  o analysts reverse-engineer code using debuggers, disassemblers, decompilers and specialized tools to decode encrypted data,
  o determine the logic behind the malware algorithm, and understand any hidden capabilities that the malware has not yet exhibited.
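A static properties pass in Python, added here as an example of the first stage listed above (not the lecture's tooling): it hashes a sample, reads the PE header fields (machine, section count, compile timestamp, DLL flag) and pulls out printable strings, flagging the ones that look like network or command-line indicators. The sample bytes are built inside the script to look like a PE header; they are not a real executable.

```python
"""Static properties analysis of a constructed PE-shaped sample: hashes,
header fields and embedded strings, as described above. Added example, not
the lecture's tooling. The bytes are built here to look like a PE header and
are not a real or runnable executable."""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}   # IMAGE_FILE_MACHINE_*
IMAGE_FILE_DLL = 0x2000                                     # Characteristics bit


def build_sample() -> bytes:
    """Constructed MZ/PE header plus a few strings an analyst would care about."""
    pe_offset = 0x80
    data = bytearray(b"MZ" + b"\0" * 0x3A)            # DOS header up to e_lfanew
    data += struct.pack("<I", pe_offset)               # e_lfanew at offset 0x3C
    data += b"This program cannot be run in DOS mode.\r\n$"
    data += b"\0" * (pe_offset - len(data))
    data += b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    data += struct.pack("<HHIIIHH", 0x8664, 3, 1600000000, 0, 0, 240, 0x0022)
    data += b"\0" * 40
    data += b"http://c2.example.invalid/gate.php\0\xff\x01\x02cmd.exe /c whoami\0"
    return bytes(data)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_properties(data: bytes) -> dict:
    """Hashes, PE header details and string-based indicators for triage."""
    props = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": extract_strings(data),
    }
    # Strings that look like network or command-line indicators of compromise.
    props["iocs"] = [s for s in props["strings"] if re.search(r"https?://|\.exe\b", s)]
    if data[:2] != b"MZ" or len(data) < 0x40:
        props["format"] = "not-PE"
        return props
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        props["format"] = "MZ-without-PE"
        return props
    if len(data) < e_lfanew + 24:
        props["format"] = "truncated-PE"
        return props
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    props.update(
        format="PE",
        machine=MACHINES.get(machine, hex(machine)),
        sections=nsect,
        timestamp=datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        is_dll=bool(chars & IMAGE_FILE_DLL),
    )
    return props


if __name__ == "__main__":
    for key, value in static_properties(build_sample()).items():
        print(f"{key}: {value}")
```

Hashes give you a lookup key for threat-intelligence feeds, the timestamp and machine type tell you whether the sample even fits the victim environment, and the string-derived IOCs are the first things to block while the deeper stages run.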


Use cases of malware analysis:
• Malware Detection
• Threat Alerts and Triage
  o teams can save time by prioritizing the results of these alerts over those of other technologies.
• Incident Response
  o aids the efficiency and effectiveness of the effort to analyze the root cause.
• Threat Hunting
  o helps threat hunters find similar activity, such as access to a particular network connection, port or domain.
• Malware Research
  o to gain an understanding of the latest techniques, exploits and tools used by adversaries.

Summary:
• Intruder
• Hacker: attack phases
• Attack: many types
• Malicious Software: many types
• Malware Analysis

Lab exercises:
• Creating a simple virus:
  o message loop
  o restart the computer
  o block/redirect a website (HOSTS file)
  o .....
• A Trojan:
  o appears as an antivirus program but eats up hard disk space
  o appears as a backdoor for remote access
    - use Metasploit's exploit/multi/handler to receive the connection back from the victim computer
• Backdoor
  o after sending the Trojan to the victim as a backdoor
• Keyloggers
  o record the victim's keypresses
