Page 1: Malware

K. Salah 1

Malware

Malcode Taxonomy (figure)

The Ten Most Common Critical Cyber Security Threats

1. Malware attack with Social Engineering Tactics
2. SPAM
3. DoS and DDoS attack
4. Phishing and Pharming (identity theft)
5. Botnets
6. IM and P2P attack
7. Mobile and Wireless attack (Wi-Fi and Bluetooth)
8. Rootkits
9. Web Application Hacking
10. Hacking with Google

Most Advanced Critical Cyber Security Threats

1. Zero Day Attack
2. Web 2.0 Attack
3. VoIP Attack
4. Web Services Attack
5. USB Attack

Attack on the Critical Infrastructure

• Government Operations
• Telecommunications
• Electrical Energy
• Gas & Oil Storage and Delivery
• Water Supply Systems
• Banking & Finance
• Transportation

Virus, Spam and Spyware Relationship

(Figure: three overlapping categories, Spam, Virus and Spyware, each countered by its own class of tool, Antispam, Antivirus and Antispyware. Items shown in the overlaps: Worm, Phish/Adware, Zombie/Trojan.)

Digital Forensics Analysis

1. Incident Notification
2. Understand Nature of Incident
3. Interview
4. Obtain Authorization
5. Verify Scope
6. Team Assembly
7. Document work area
8. Document Incident Equipment
9. Move Equipment
10. Prepare two images
11. Preserve/Protect First Image
12. Use second Image for restoration and Examination
13. Data Extraction and Analysis
14. Watch Assumptions (Date/time)
15. Review Log / Interview
16. Analysis
17. Prepare findings
18. Lesson Learned

Anti-forensic techniques

Anti-forensic techniques try to frustrate forensic investigators and their techniques.

1. Overwriting Data and Metadata
   1. Secure Data Deletion
   2. Overwriting Metadata
   3. Preventing Data Creation
2. Cryptography, Steganography, and other Data Hiding Approaches
   1. Encrypted Data
   2. Encrypted Network Protocols
   3. Program Packers
   4. Steganography
   5. Generic Data Hiding

Examples
• Timestomp: changes the dates of computer files (all four NTFS timestamps: created, modified, MFT-entry modified, accessed). It can also set values that EnCase displays as blanks.
• Slacker: stores files in the slack space of disk blocks (the unused tail of a file's last cluster, which ordinary file listings never show).
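
The two classic tells of Timestomp, as an added example (not code from the original lecture): it can only reach the $STANDARD_INFORMATION timestamps through the file API, so the kernel-maintained $FILE_NAME timestamps keep the true creation time, and the values it writes are whole seconds, so the 100 ns FILETIME ticks have an all-zero sub-second part. The records below are constructed stand-ins for parsed $MFT entries with invented file names; a real check would take them from an MFT parser.

```python
"""Heuristic detector for timestomped NTFS file records.

Added example, not part of the original slides. Input records are constructed
stand-ins for parsed $MFT entries (a real tool would get them from an MFT
parser); the file names are invented. Two classic timestomp artefacts are
checked:

  1. A $STANDARD_INFORMATION (SI) timestamp whose sub-second part is zero.
     NTFS stores times as 100 ns FILETIME ticks; timestomp writes whole-second
     values through the file API, so the low seven decimal digits come out as
     zero, which normal file activity almost never produces.
  2. SI created-time earlier than the $FILE_NAME (FN) created-time.
     Timestomp only rewrites SI; FN is maintained by the kernel and is not
     reachable through the public API, so SI predating FN indicates backdating.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICKS_PER_SECOND = 10_000_000                       # 100 ns ticks per second
FIELDS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a FILETIME tick count."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def stamps(created, modified, mft_modified, accessed):
    """Build one timestamp group (SI or FN) from ISO-8601 strings (UTC)."""
    vals = (created, modified, mft_modified, accessed)
    return {f: to_filetime(datetime.fromisoformat(v).replace(tzinfo=timezone.utc))
            for f, v in zip(FIELDS, vals)}


def check_record(rec: dict) -> list:
    """Return the timestomp indicators for one record (empty list if clean)."""
    findings = []
    for f in FIELDS:
        if rec["si"][f] % TICKS_PER_SECOND == 0:
            findings.append(f"SI {f} has a zero sub-second part")
    if rec["si"]["created"] < rec["fn"]["created"]:
        findings.append("SI created precedes FN created (backdated)")
    return findings


def scan(records: list) -> dict:
    """Map each suspicious path to its list of indicators."""
    out = {}
    for rec in records:
        hits = check_record(rec)
        if hits:
            out[rec["path"]] = hits
    return out


# Constructed sample records (not real evidence).
RECORDS = [
    {   # ordinary file: every time carries sub-second noise, SI and FN agree
        "path": r"C:\Users\alice\report.docx",
        "si": stamps("2023-05-10T14:22:31.123456", "2023-05-11T09:01:02.654321",
                     "2023-05-11T09:01:02.654321", "2023-05-12T08:00:00.111111"),
        "fn": stamps("2023-05-10T14:22:31.123456", "2023-05-10T14:22:31.123456",
                     "2023-05-10T14:22:31.123456", "2023-05-10T14:22:31.123456"),
    },
    {   # timestomped: SI set to whole seconds in 2012, FN still records 2023
        "path": r"C:\Windows\System32\svchosts.dll",
        "si": stamps("2012-01-01T00:00:00", "2012-01-01T00:00:00",
                     "2012-01-01T00:00:00", "2012-01-01T00:00:00"),
        "fn": stamps("2023-09-03T21:17:45.908172", "2023-09-03T21:17:45.908172",
                     "2023-09-03T21:17:45.908172", "2023-09-03T21:17:45.908172"),
    },
]

if __name__ == "__main__":
    for path, hits in scan(RECORDS).items():
        print(path)
        for h in hits:
            print("  -", h)
```

Treat a hit as a lead, not proof: files copied from FAT media or extracted from archives also carry whole-second times, so the SI/FN comparison is the stronger of the two indicators.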

Virus Techniques

TSR (terminate-and-stay-resident)
• Virus can hide in memory even if the program has stopped or been detected

Stealth Viruses
• Execute the original code
• Size of file stays the same after infection
• Hide in memory within a system process
• Virus infects the OS so that if a user examines the infected file, it appears normal

Encrypted/Polymorphic Viruses
• To hide virus signatures, encrypt the code
• Have the code mutate to prevent signature scanning

Polymorphic Viruses (figure)
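
Why encrypting the body defeats a plain byte signature, and what scanners do about it, as an added example (not code from the original lecture). The "virus body" is a harmless text string and nothing is executed; the image layout (a constructed marker for the decryptor stub, a key, then the XOR-encrypted body) is made up for the demonstration. The stub is kept constant, which is the encrypted-virus case; a polymorphic virus also mutates the stub each generation, which is why engines decrypt the body in an emulator before scanning, as emulated_scan() imitates.

```python
"""Encrypted and polymorphic bodies versus signature scanning.

Added example, not code from the original slides. The "virus body" is a
harmless text string and nothing is executed; the point is what a byte-signature
scanner sees on disk. Layout of one constructed "infected image" (made-up
format):

    STUB_MAGIC | key length (1 byte) | key | body XOR key

STUB_MAGIC stands for the decryptor stub, which must stay in the clear so the
body can be decrypted at run time.
"""
import os

PAYLOAD = b"MARK: this harmless text stands in for the virus body"
BODY_SIGNATURE = b"stands in for the virus body"   # what a scanner looks for
STUB_MAGIC = b"\x8b\x1e\x30\x18"                   # constructed stub marker


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(body: bytes, key: bytes) -> bytes:
    """Encrypt the body under a fresh key and prepend the clear-text stub."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    return STUB_MAGIC + bytes([len(key)]) + key + xor(body, key)


def static_scan(image: bytes, signature: bytes) -> bool:
    """Signature match on the bytes as stored on disk."""
    return signature in image


def stub_scan(image: bytes) -> bool:
    """Signature on the (here constant) decryptor stub."""
    return image.startswith(STUB_MAGIC)


def emulated_scan(image: bytes, signature: bytes) -> bool:
    """Do what the stub does at run time (recover the key, decrypt the body),
    then scan the result. A real engine runs the stub in an emulator rather
    than knowing the layout in advance."""
    if not stub_scan(image):
        return False
    klen = image[len(STUB_MAGIC)]
    key_start = len(STUB_MAGIC) + 1
    key = image[key_start:key_start + klen]
    body = image[key_start + klen:]
    return signature in xor(body, key)


def demo(variants: int = 5, key_len: int = 8, keys=None) -> dict:
    """Generate variants (random keys unless given) and count what each
    scanner catches."""
    if keys is None:
        keys = [os.urandom(key_len) for _ in range(variants)]
    images = [make_variant(PAYLOAD, k) for k in keys]
    return {
        "distinct_on_disk": len(set(images)),
        "static_hits": sum(static_scan(i, BODY_SIGNATURE) for i in images),
        "stub_hits": sum(stub_scan(i) for i in images),
        "emulated_hits": sum(emulated_scan(i, BODY_SIGNATURE) for i in images),
    }


if __name__ == "__main__":
    print(demo())
```

Every variant differs on disk and the body signature never matches, yet the constant stub is caught by a stub signature and the body is caught once decrypted; a zero key (try make_variant(PAYLOAD, b"\x00")) leaves the body in the clear, which is the degenerate case a weak mutation engine falls into.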

Virus Cleaning

• Remove virus from file
• Requires skills in software reverse engineering
• Identify beginning/end of payload and restore to original

How hard is it to write a virus?

• Simple Google search for "virus construction toolkit"
• www.pestpatrol.com
• Tons of others
• Conclusion: Not hard

Attaching code (figure)

Integrate itself (figure)

Completely replace (figure)

Boot Sector Virus (figure)

How viruses work

Attach
• Append to program, e-mail: executes with the program
• Surround the program: executes before and after the program; erases its tracks
• Integrate into or replace program code

Gain control
• Virus replaces target

Reside
• In boot sector, memory, application program, libraries

Cont'd

Detection
• Virus signatures
• Storage patterns
• Execution patterns
• Transmission patterns

Prevention
• Don't share executables
• Use commercial software from reliable sources
• Test new software on isolated computers
• Open only safe attachments
• Keep a recoverable system image in a safe place
• Back up copies of executable system files
• Use virus detectors
• Update virus detectors often
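
Putting "storage patterns" and "keep a recoverable system image in a safe place" into practice, as an added example (not code from the original lecture): a baseline of per-file hashes taken while the system is known-clean, rescanned later. SHA-256 is used rather than size or timestamps because a stealth virus keeps the file size unchanged and can restore timestamps. The directory tree, file names and "binaries" are constructed in a temporary directory and are not real programs.

```python
"""Integrity baseline for executables: hash every file, rescan later, and
report what changed.

Added example, not from the original slides. Same-size modifications are
reported separately because that is what an integrating or stealth infection
looks like; appended code shows up as a size change. The baseline is written
to a separate directory to mirror the slide's "safe place": a virus that can
rewrite the executables can rewrite a baseline stored next to them.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> {size, sha256} for every regular file under root."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            base[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return base


def save_baseline(base: dict, path: str) -> None:
    """Write the baseline; in practice store it read-only or off the host."""
    with open(path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a saved baseline and a fresh scan."""
    report = {"modified_same_size": [], "modified_size_changed": [],
              "added": [], "missing": []}
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            key = ("modified_same_size" if new["size"] == old["size"]
                   else "modified_size_changed")
            report[key].append(rel)
    report["added"] = sorted(rel for rel in current if rel not in baseline)
    return report


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a baseline, then simulate an appending infection, an in-place
    same-size patch, a dropped file and a deleted library."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        _write(root, "bin/ls", b"\x7fELF" + b"A" * 60)        # constructed stand-ins
        _write(root, "bin/cat", b"\x7fELF" + b"B" * 60)
        _write(root, "lib/libc.so", b"\x7fELF" + b"C" * 60)
        baseline_path = os.path.join(safe, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        with open(os.path.join(root, "bin/ls"), "ab") as f:     # appended code
            f.write(b"\x90" * 16)
        _write(root, "bin/cat",                                  # same-size patch
               b"\x7fELF" + b"B" * 30 + b"\xcc" * 4 + b"B" * 26)
        _write(root, "bin/.hidden", b"\x7fELF" + b"Z" * 10)      # dropped file
        os.remove(os.path.join(root, "lib/libc.so"))             # removed library
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same comparison is what a tool like Tripwire automates; the part that cannot be automated is keeping the baseline where the infected system cannot reach it.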

Virus Effects and Causes

Virus Effect                  How it is caused
Attach to executable          Modify file directory; write to executable program file
Attach to data/control file   Modify directory; rewrite data; append to data; append data to self
Remain in memory              Intercept interrupt by modifying interrupt handler address table; load self in non-transient memory area
Infect disks                  Intercept interrupt; intercept OS call (to format disk, for example); modify system file; modify ordinary executable program
Conceal self                  Intercept system calls that would reveal self and falsify results; classify self as "hidden" file
Spread self                   Infect boot sector; infect systems program; infect ordinary program; infect data an ordinary program reads to control its execution
Prevent deactivation          Activate before deactivating program and block deactivation; store copy to reinfect after deactivation

Virus vs. Worm

• Both are malicious code
• Virus does harm
• Worm consumes resources
• The distinction usually drawn is in propagation: a virus attaches itself to a host program and spreads when that program is run or copied, whereas a worm is a stand-alone program that propagates across a network by itself

Exploitation of Flaws: Targeted Malicious Code

Trapdoors
• Undocumented entry point in code
• Program stubs during testing
• Intentionally or unintentionally left: forgotten, left for testing or maintenance, or left for covert access

Salami attack
• Merges inconsequential pieces to get big results
• A salami attack is a series of minor data-security attacks that together result in a larger attack
• For example, fraud in a bank where an employee steals a small amount of funds from several accounts (deliberate diversion of fractional cents) is a salami attack
• Too difficult to audit

Exploitation of Flaws: Targeted Malicious Code (cont'd.)

Covert Channels
• An example of a human/student covert channel
• Programs that leak information
• Trojan horse

Discovery
• Analyze system resources for patterns
• Flow analysis from a program's syntax (automated)
• Difficult to close
• Not much documented
• Potential damage is extreme

File lock covert channel (figure)
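
The file-lock channel in working form, as an added example (not the lecture's own figure or code): a sender that is not allowed to pass data to a receiver still leaks one bit per time slot through whether a shared file is locked, and the receiver reads it by probing the lock without blocking. Sender and receiver run as two threads here but hold separate file descriptors, so the flock() calls genuinely contend; a threading.Barrier stands in for the shared clock so the run is deterministic, where a real channel would use agreed wall-clock slots (which is what makes such channels slow and noisy). The shared file is an empty temporary file constructed for the run; POSIX flock is required.

```python
"""File-lock covert channel: signal bits through whether a shared file is
locked.

Added example, not from the original slides. Two threads, two independent
open file descriptions on the same file: flock(2) locks belong to the open
file description, so the receiver's non-blocking probe fails exactly when the
sender holds the lock. A Barrier replaces wall-clock time slots for
determinism.
"""
import fcntl
import os
import tempfile
import threading


def to_bits(data: bytes) -> list:
    """Most-significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def sender(path: str, bits: list, clock: threading.Barrier) -> None:
    fd = os.open(path, os.O_RDWR)
    try:
        for bit in bits:
            if bit:
                fcntl.flock(fd, fcntl.LOCK_EX)   # 1 = hold the lock for the slot
            clock.wait()                         # slot opens; receiver samples
            clock.wait()                         # slot closes
            if bit:
                fcntl.flock(fd, fcntl.LOCK_UN)
    finally:
        os.close(fd)


def receiver(path: str, nbits: int, clock: threading.Barrier, out: list) -> None:
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(nbits):
            clock.wait()
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # probe, never block
                fcntl.flock(fd, fcntl.LOCK_UN)
                out.append(0)                                    # lock was free
            except BlockingIOError:
                out.append(1)                                    # sender holds it
            clock.wait()
    finally:
        os.close(fd)


def transmit(message: bytes) -> bytes:
    """Send message over the lock channel; return what the receiver decoded."""
    bits = to_bits(message)
    clock = threading.Barrier(2, timeout=10)   # fail rather than hang if a side dies
    received = []
    fd, path = tempfile.mkstemp()              # constructed shared file, stays empty
    os.close(fd)
    try:
        t_send = threading.Thread(target=sender, args=(path, bits, clock))
        t_recv = threading.Thread(target=receiver, args=(path, len(bits), clock, received))
        t_recv.start()
        t_send.start()
        t_send.join()
        t_recv.join()
    finally:
        os.unlink(path)
    return from_bits(received)


if __name__ == "__main__":
    print(transmit(b"covert"))
```

No data ever crosses between the two sides: the file stays empty, and only the lock state, a shared resource both may legitimately touch, carries the message. The detection hook is the one the slide names: the receiver's regular non-blocking lock probes are a resource-usage pattern that stands out in a trace.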

Race Conditions

In wu-ftpd v2.4, a race in signal handling allows root access:
• SIGPIPE: the EUID changes from the user's to root's (EUID=root) in order to log out the user, which requires privileged operations and files; this takes some time
• SIGURG: if it arrives during that window, the logout is broken/stopped and the prompt is handed back with EUID=root