Malware ResponseOregon Department of Education

CISSP basics (CIA)

• The loss of any of these three is bad:• Confidentiality• Integrity• Availability

CAUTION: If you suspect a crime has been committed (significant data breach), contain the system and then do not do anything further.

The Problem

• Malware threatens CIA, respond accordingly• All signature-based antivirus programs miss some malware• Malware usually comes in bunches• Malware is designed to resist removal (persist)• It is very unlikely that one tool will remove all malware• Multiple tools give you a 50% chance of saving the machine• The other 50% of the time, it’s faster to re-image the machine

Rule 1

• Do not over react.• Some malware requires immediate action, but the situation is unlikely

to get worse in a few seconds. • However, you can lose valuable evidence by over reacting.

The framework (SANS 6-steps)

• Preparation• Identification• Containment• Eradication• Recovery• Lessons learned

Vulnerability

• A weakness in a computer system that may allow unintended action or access• Usually fixed with a patch• “Zero-Day” means it is known but no patch is available• “Zero-Day Attack” means bad guys are already exploiting the zero-day

vulnerability• See Common Vulnerabilities and Exposures (CVE)

Exploit

• A piece of code or technique that takes advantage of a vulnerability (e.g. unpatched software) to negatively affect the system• Often shared amongst virus writers who then wrap it up and set it

free• Can be detected heuristically and should be treated as any other

malware• Risk=See CVE#

Malware

• Sometimes people use the work “virus” generically to mean malware• Many instances of malware have elements from two or more of the

characteristics associated with lists below• Installs or runs without user’s knowledge• Does something malicious or unwanted• Tries to be sneaky• Is not easy to disable or remove• Risk=It depends…

Preparation

• Knowledge of the threat• Know what it does

• Spread to other systems• Steal data• Erase (or encrypt) data• Keystroke log• Download other malware• Mess with industrial controls!• Allow your machine to be covertly used by a third party• Serve you up unwanted ads or pop-ups• EVADE, RESIST, PERSIST!

• Know how to find it• Know how to remove it• Know how to prevent it from coming back

Worm

• Can affect the Confidentiality, Integrity, and/or the Availability of data• Very dangerous because it can spread from computer to computer

without a human doing anything (e.g. opening an attachment or plugging in an infected flash drive), which means it can spread very quickly• Risk=VERY HIGH

Virus

• Can affect the Confidentiality, Integrity, and/or the Availability of data• Dangerous because it can spread from computer to computer but

requires a human doing something (e.g. opening an attachment or plugging in an infected flash drive), which means it can be slowed by awareness• Risk=HIGH

Trojan

• Malware that is disguised as a program you want or is part of a program you thin you want• Iliad• Can affect the Confidentiality, Integrity, and/or the Availability of data• By far the most common malware today• Does not spread by itself• Is downloaded or copied, usually from a website or a downloaded

program (e.g. screensaver)• Risk=HIGH

Ransomware

• Affects Availability of data• Encrypts your data and demands a payment to decrypt• Risk=HIGH

Logic Bomb

• Can affect the Confidentiality, Integrity, and/or the Availability of data• A piece of malware designed to activate at a specific time or during a

specific event• Risk=HIGH

Backdoor

• Can affect the Confidentiality, Integrity, and/or the Availability of data• A piece of malware designed allow covert access into a system• Risk=HIGH

Rootkit

• Can affect the Confidentiality, Integrity, and/or the Availability of data• A piece of malware that gains complete control of a computer by

embedding itself into the operating system (OS)• Harder to detect and remove• Risk=HIGH

Bootkit

• Can affect the Confidentiality, Integrity, and/or the Availability of data• Similar to a rootkit but loads before (or under) the OS• Uses direct hardware control to make it harder to detect and remove• Risk=HIGH

Keylogger

• Can affect the Confidentiality, Integrity, and/or the Availability of data• Logs keystrokes and/or mouse clicks and sends to third party• Great for stealing passwords• Risk=HIGH

Advanced Persistent Threat (APT)

• Can affect the Confidentiality, Integrity, and/or the Availability of data• Is designed to infect a computer and remain undetected for a long

time (years!)• Usually hard to detect and remove because they don’t make a lot of

noise and get the attention of antivirus vendors• Often used against high value targets• Risk=HIGH

Botnet

• Can affect the Integrity, and/or the Availability of data• Is designed to link your computer to a bad guy’s network and put it

under his control• Usually waits for further orders from the Bot Master (Herder)• Can be used to launch a Distributed Denial of Service (DDOS) attack

against a third party to disguise an attack and increase volume• Can “borrow” some of your computing power for whatever purpose• Often used against high value targets• Risk=HIGH

Remote Access Tools (RAT)

• Malware that provides remote access• If used legitimately, they are fine• If not, they are bad• Can be covertly used• Risk=Low/High

Downloader

• Malware that downloads other malware• Most likely there will be other malware on the machine soon after it is

activated• Risk=Low/High

Spyware

• Can affect the Confidentiality of data• Acts like other types of malware but its main purpose is monitoring

your activity for some nefarious purpose• Risk=Moderate

Malicious Browser Helper Object (BHO)• Can affect the Confidentiality or Integrity of data• Add-on to your browser (similar to Flash Player)• Monitors or manipulates your web browsing• Risk=Moderate

Dialers

• Don’t see them around much anymore – for obvious reasons• Used to dial a 900 number for $$ or to dial a bad guys number• Risk=Low

Adware/Riskware

• Can affect the Confidentiality or Integrity of data• Acts like other types of malware but its main purpose is monitor your

activity and serve up relevant (or not) advertisements• May cause other problems or risks• Risk=Moderate

Cookies

• Can affect YOUR Confidentiality• Small files left on your machine by websites you visit• Sometimes read by subsequent websites you visit• Risk=Low

Potentially Unwanted Program (PUP)

• Software that is not necessarily desirable but tries to avoid being stereotyped as “malware”• Some antivirus programs will not remove it automatically• May be able to be removed via Control Panel• “Hack tools”• Can do just about anything, but can threaten security (CIA)• Risk=Low

Is it “malware”? Does it matter?

• Installs or runs without user’s knowledge• Does something malicious or unwanted• Tries to be sneaky• Is not easy to disable or remove• Risk=It depends…

Preparation

• Loaner machines• Local administrator account• Know how to boot from a CD and boot into Safe Mode• Virus Response Toolkit

• ESET SysInspector• Process Explorer• Emsisoft Pro EEK• Comodo CCE (x86 and x64)• HitManPro 3 (x86 and x64)• Symantec NPE• Ccleaner• Rescue CD• WWW (MMPC and Virustotal.com)

Signs of Malware Infection

• AV or IPS alert• Suspicious email• Problems with browser• Slow, unstable, some websites blocked, homepage changes, pop-ups, toolbars

• Overall system slowness or instability• Unknown programs installed• Missing or corrupt files

Identification

• There is no surefire way to find and remove malware• Like a banker, the best way to spot something wrong is to be very

familiar with what is right• This is why signature-based antivirus has a surprisingly bad detection

rate – especially against new or targeted malware• AV-Comparatives.org• The best way is to detect changes, but Windows makes this difficult

Identification and Containment

• Open a ticket• If the malware is spreading or spewing, unplug the network• Document the initial symptoms or alerts• Run SysInspector and HiJackFree and document findings• Check timestamps on suspicious files• Update the local antivirus and run a full scan• Run any suspicious files through VirusTotal.com• Check the HASH (Advanced)• Research viruses on Microsoft Malware Response Center or other AV site

Where Malware Hides and How it Persists (Demo) – Advanced Analysis• Run SysInspector and check:• Running Processes• Network Connections• Autostart Items• Services• Drivers• Critical Files

• Run Process Explorer and check suspicious processes with Virustotal plug-in

New Fancy Detection Methods – Advanced Analysis

• Why signature detection is failing• Wanted posters at airport checkpoints

• Heuristics• If it does things only a virus would do, it’s probably a virus

• Whitelisting• Baseline• Cloud-based

• Host-based Firewalls and Intrusion Prevention Systems• Anything out of the ordinary• Messing with sensitive areas

• Sandboxing• Defenses that actually spawn a little VM and run suspicious files

Using Timestamps to Identify Malicious Changes (Demo) – Advanced Analysis• Yes, hackers can change timestamps• Understanding timestamp attributes MAC• Understand that running a full scan (or doing anything) will change

timestamps• Search for files by date range• Sort by time/date• Examine suspicious files• If malware files are found, identify all files with similar timestamps• Non-executable files may contain stolen data

Cleaning (DEMO)

• Safe mode?• Run Emsisoft Pro EEK• Run Comodo CCE• Run HitManPro 3• Run Symantec NPE• Install and run Ccleaner• Boot and scan from a LiveCD• Static Analysis (Advanced Concept)• System Restore?

Recovery

• If the machine is “clean”, return it to service – but monitor it for a few days.• Patch the OS and all applications to prevent re-infection.• If the machine cannot be cleaned successfully, or is re-infected, re-

image it after helping the customer recover needed files.• Do not allow persistently infected or vulnerable machine back into

service• Advise the customer to change all passwords used on that PC

Lessons learned

• Attempt to determine the source of infection• Share information with other technicians• Document all your findings• Close the ticket (with pertinent information) after monitoring to

ensure the system is clean

Malware Response Workflow

• Service desk receives notification or report of malware• Service desk opens a tracker ticket• Identify the risk and contain if necessary• Document the details• Run tools and scans to identify and clean the virus• Keep a close eye on the machine over the next few days for recurrence of any

symptoms• Have customer change passwords• Patch system• Share info (in tracker or in person)• Close the ticket

Checklist

Prepare and update your USB kit Ticket (document the alert info) Disconnect if needed Loaner PC (if needed) SysInspector Process Explorer HiJackFree Update and run local AV Timestamps Emsisoft EEK Comodo CCE HitManPro Symantec NPE MalwareBytes ARK

CCleaner LiveCD scan Research malware See if you can find the source Return to service or re-image Monitor further if needed Have customer change passwords Document all findings

S