Malaware Monil Adhikari

Understanding Malaware

slide 3 Viruses Virus propagates by infecting other programs Automatically creates copies of itself, but to propagate, a human has to run an infected program Self-propagating viruses are often called worms Many propagation methods Insert a copy into every executable (.COM,.EXE) Insert a copy into boot sectors of disks PC era: “Stoned” virus infected PCs booted from infected floppies, stayed in memory, infected every inserted floppy Infect common OS routines, stay in memory

slide 4 First Virus: Creeper Written in 1971 at BBN Infected DEC PDP-10 machines running TENEX OS Jumped from machine to machine over ARPANET Copied its state over, tried to delete old copy Payload: displayed a message “I’m the creeper, catch me if you can!” Later, Reaper was written to hunt down Creeper

slide 5 Polymorphic Viruses Encrypted viruses: constant decryptor followed by the encrypted virus body Polymorphic viruses: each copy creates a new random encryption of the same virus body Decryptor code constant and can be detected Historical note: “Crypto” virus decrypted its body by brute- force key search to avoid explicit decryptor code

A computer worm is malware that is able to distribute itself over a network, normally via , without a person having run an infected program. It is able to reproduce itself many times and so your computer could send out hundreds of these worms with devastating effect This can cause your computer to run very slowly and possibly even crash Computer Worms

Phishing Definition from Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.

Pharming Norton Internet Security defines pharming as: Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information to perpetrate online scams, but are more difficult to detect in many ways because they are not reliant upon the victim accepting a “bait” message. Instead of relying completely on users clicking on an enticing link in fake messages, pharming instead re-directs victims to the bogus Web site even if they type the right Web address of their bank or other online service into their Web browser.

Spam According to Norton: Spam is the electronic version of junk mail. It involves sending unwanted messages, often unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks.virusesspywarephishing

Protecting Yourself From Phishing On Guard Online suggests many different ways to protect your computer and information: Do not private information Be careful when opening attachments, regardless of who sent them Update all antivirus and antispyware software regularly Do not reply to popups If you think you have been scammed, report it on

Protecting yourself from Pharming Norton suggests: Keeping your computer updated Review bank statements carefully and regularly Remember that online offers that seem too good to be true…usually are.

Controlling Spam Norton suggests: Install a spam blocker Try reading s in plain-text If you think is spam, do not reply, just delete. Reject all Instant Messages from those not on your buddy list.

Real-time Examples

Byzantine Hades cyber-espionage attacks against US companies and government agencies Attack websites located in China, use same precise postal code as People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau Targeted results in installing a Trojan Gh0stNet / Poison Ivy Remote Access Tool Stole 50 megabytes of , documents, usernames and passwords from a US government agency Same tools used to penetrate Tibetan exile groups, foreign diplomatic missions, etc. slide 14

slide 15 Night Dragon Started in November 2009 Targets: oil, energy, petrochemical companies Propagation vectors SQL injection on external Web servers to harvest account credentials Targeted s to company executives (spear-phishing) Password cracking and “pass the hash” attacks Install customized RAT tools, steal internal documents, deliver them to China

slide 16 zwShell RAT When launched, presents a fake crash error Type “zw.china” into the hidden password field Can create a custom trojan or start a C&C server Select listening port, password for encrypting C&C traffic, custom sound notifications when infected machines connect or disconnect

slide 17 RAT Capabilities “Dropper” program installs RAT DLL, launches it as persistent Windows service, deletes itself RAT notifies specified C&C server, waits for instructions Attacker at C&C server has full control of the infected machine, can view files, desktop, manipulate registry, launch command shell

slide 18 Who Was Behind Night Dragon? C&C servers hosted in Heze City, Shandong Province, China All data exfiltration to IP addresses in Beijing, on weekdays, between 9a and 5p Beijing time Uses generic tools from Chinese hacking sites Hookmsgina and WinlogonHack: password stealing ASPXSpy: Web-based RAT Make in China

slide 19 Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials. The hackers, then posing as the federal executives, sent s to departmental technical staffers, conning them into providing key passwords unlocking access to government networks. At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network. The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet. One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It's just that it is dreadfully effective."

Restricting Malaware Step 1 – Plan Vulnerabilities in client-side software on workstations. Vulnerabilities in network-accessible software on servers. Social engineering techniques, which often are part of malware-propagation tactics. Removable media, such as USB keys. Weak passwords of network-accessible accounts.

Restricting Malaware Step 2 – Resist Install and maintain a modern anti-virus suite. Lock down the configuration of the operating system. Control what software is installed and allowed to run. Restrict outbound and inbound network access. Protect Web browsing activities. Limit user account access and minimize user privileges. Keep up with security patches. Enforce change management practices. Identify, investigate, and respond to anomalies.

Restricting Malaware Step 3 – Detect Use change detection tool to discover unauthorized modifications Educating end users Training the IT Staff Reviewing security event logs. Employing intrusion detection systems. Verifying DNS Logs.

Restricting Malaware Step 3 – Respond