Malware

Types (Ch. 11 - Stallings)

  • APT - Advanced Persistent Threats.
  • Adware
  • Attack Kit - Tools for generating malware automatically. Past kits by name include Zeus, Blackhole, Sakura, and Phoenix.
  • Auto-rooter
  • Backdoor/Trapdoor
  • Downloaders - Code which downloads other items
  • Drive-by-download Exploits
  • Flooders (DoS client)
  • Keyloggers - Collect sensitive info; a specific form of spyware
  • Logic bomb
  • Macro Virus
  • Mobile Code
  • Rootkit
  • Spammer programs
  • Spyware
  • Trojan Horse - An apparently useful utility containing hidden malicious code.
  • Virus - Malware which replicates itself into other executable code such as a program or file; it ‘infects’ other files. For example, a macro virus automatically embeds its macros in other office docs.
  • Worm - Malware which runs independently and replicates a complete independent copy of itself to other nodes for further spreading.
  • Zombie, bot

Early classification schemes distinguished between those which need a host file/program (such as viruses), and those which are independent such as worms.

Virus

A Virus has 3 parts:

  • Infection Mechanism
  • Trigger
  • Payload

A virus typically goes through the following phases:

  • Dormant Phase - Virus Idle
  • Propagation Phase - Copies itself to other programs
  • Triggering Phase - Virus code activated; e.g. opening of an office doc.
  • Execution Phase - Malware actions performed.

Virus Classification by Target:

  • Boot sector infector
  • File infector
  • Macro virus
  • Multipartite virus - Infects in multiple ways

Classification by Concealment:

  • Encrypted Virus - Uses encryption to obscure its content. The decryption key is likely stored within the virus, and a different key is used for each copy when spreading.
  • Stealth virus - Uses various techniques to hide from AV.
  • Polymorphic Virus - Mutates with each copy. Viral copies are functionally equivalent but made up of unique bit patterns to avoid detection; e.g. junk code or random strings may be inserted.
  • Metamorphic virus - Complete rewrite at each iteration. Changes behaviour as well as appearance.

Worms

Common spreading techniques: Email, file shares, exposed RCE services

A worm typically goes through the same phases as a computer virus: dormant, propagation, triggering, and execution.

Worm Propagation Model - Initially an exponential infection rate, as the quantity of viable hosts is high; growth then decreases to approximately linear, and finally the spread slows as few viable hosts remain. (see chart)
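The propagation curve above as an added example (not from Stallings; all parameters are constructed): a discrete-time epidemic model in which every infected host probes a fixed number of random addresses per step, which reproduces the exponential, linear and slowing regimes.

```python
# Added example, not from Stallings. Parameters (host count, scan rate) are constructed.

def simulate_worm(total_hosts, initial_infected, scan_rate, steps):
    """Return the number of infected hosts at each time step.

    Every infected host probes `scan_rate` addresses per step. A probe that lands
    on a not-yet-infected host infects it, so the expected new infections are
        infected * scan_rate * (uninfected / total_hosts)
    Early on nearly every probe succeeds (exponential growth); near the end
    nearly every probe hits an already-infected host (spread slows).
    """
    infected = float(initial_infected)
    history = [int(round(infected))]
    for _ in range(steps):
        uninfected = total_hosts - infected
        new_infections = infected * scan_rate * (uninfected / total_hosts)
        infected = min(float(total_hosts), infected + new_infections)
        history.append(int(round(infected)))
    return history

def new_infections_per_step(history):
    """Per-step growth, i.e. the slope of the infection curve."""
    return [b - a for a, b in zip(history, history[1:])]

def peak_growth_step(history):
    """Index of the step with the most new infections (the inflection point,
    which this model places at roughly half the hosts infected)."""
    growth = new_infections_per_step(history)
    return max(range(len(growth)), key=growth.__getitem__)

if __name__ == "__main__":
    N = 100_000
    h = simulate_worm(N, 1, 0.5, 80)
    peak = peak_growth_step(h)
    print(f"peak growth at step {peak}: {h[peak]} of {N} hosts infected")
```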

Payload

Major payload classes:

  • System corruption
  • Attack agent: zombie/bot
  • Information theft: keyloggers/phishing/spyware
  • Stealthing: backdoor/rootkits

Bots: usage examples include:

  • DDoS attacks
  • Spam email relay/sending
  • Sniffing traffic
  • Keylogging
  • Malware spread
  • Browser add-ons (fraudulent ad revenue)
  • Poll manipulation (social statistics manipulation)

Bots are controlled remotely via a C2 or C&C (Command & Control) server. This used to be via IRC, but has since trended toward other protocols.

A backdoor is a secret entry point into an application. Often left by a developer for quick access. Also called a trapdoor, or maintenance hook. An open network listener on a non-standard port is an example of a backdoor.

A rootkit can be classified as:

  • Persistent - Activates when system boots
  • Memory based - Non-persistent, cannot survive a reboot.
  • User Mode - Intercepts calls to APIs and modifies results (e.g. to hide itself during directory listing)
  • Kernel mode - Intercepts calls to APIs in kernel mode. Higher privileges, deeper in the system.
  • Virtual Machine Based - Creates and runs inside of a virtual machine.
  • External mode - Resides outside of the OS such as BIOS. Direct access to system hardware.

Anti-malware

Malware scanners use:

  • Simple static signature analysis - Matches files against a database of known malware byte patterns (signatures).
  • Heuristic scanners - No specific signature. Static analysis gauging malware probability based on attributes which are commonly associated with malware.
  • Behavioral Analysis - Checks memory, and monitors process for malicious activities.
  • Full-featured/combination - Applies the principles from above.
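An added example (not from Stallings) tying the scanner types above to the concealment classes listed under Virus: a signature scan catches a known byte pattern but sees nothing in an encrypted body, which a simple entropy heuristic flags. The signature database and the sample files are constructed.

```python
import hashlib
import math
from collections import Counter

# Constructed signature database: hypothetical byte patterns, not real malware signatures.
SIGNATURES = {
    "Demo.Macro.A": b"\xde\xad\xbe\xef\x90\x90\xcc\xcc",
    "Demo.Worm.B": b"SPREAD-TO:\\\\",
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; text is ~4-5, encrypted or packed data approaches 8

def signature_scan(data: bytes) -> list:
    """Static signature analysis: exact byte-pattern match against the database."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def heuristic_scan(data: bytes) -> list:
    """Heuristic analysis: no signature, just attributes associated with malware.
    The only heuristic here is a high-entropy body, which is what an encrypted
    virus (different key per copy) or a packed executable looks like."""
    findings = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high-entropy body: possible encrypted/packed payload")
    return findings

def scan(data: bytes) -> dict:
    """Combination scanner: signatures decide first, heuristics give a fallback verdict."""
    sigs, heur = signature_scan(data), heuristic_scan(data)
    verdict = "malicious" if sigs else "suspicious" if heur else "clean"
    return {"signatures": sigs, "heuristics": heur, "verdict": verdict}

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy data standing in for an encrypted virus body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples: a clean document, one carrying a known signature, one with an encrypted body
BENIGN = b"Quarterly report: revenue was flat, costs were down. " * 40
INFECTED = BENIGN[:200] + SIGNATURES["Demo.Macro.A"] + BENIGN[200:]
ENCRYPTED = BENIGN[:100] + pseudo_random_bytes(4096) + BENIGN[100:]
```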

Malicious Attacks

Denial of Service

NIST def: an action that prevents or impairs the use of networks, systems, or apps. by exhausting resources, e.g. network bandwidth, system resources, or application resources.

A poison packet is any crafted packet which may cause a crash or malfunction. Examples include the ping of death (ICMP vuln.) and the teardrop attack (fragmentation attack).

A cyberslam is an attack using a series of costly valid requests; e.g. expensive database queries.

Flood attack: Simple/classic network bandwidth exhaustion attack, e.g. a flood of ICMP echo requests. The source address may be spoofed to avoid return traffic and mask identity. Variants:

  • ICMP flood
  • UDP flood
  • TCP SYN flood

All of these are aimed at choking bandwidth (in contrast to a SYN spoofing attack; below).

SYN Spoofing attack: Sending many SYN packets with spoofed source addresses. The handshake's final ACK is never returned (sometimes the spoofed host replies with a RST instead), so half-open connections accumulate and eventually exhaust the available network ports. Significantly less traffic is required for this than for a flood attack.

DDoS: DoS attack executed by a botnet. The botnet is the ‘distributed’ component. Fun fact: an early pioneer tool is Tribe Flood Network (TFN), followed by TFN2K.

Slowloris: sending partial requests, trickling in info, but never completing a request. Repeated many times, this low-bandwidth attack will exhaust resources. Described in the context of an HTTP server attack. Similar in effect to the TCP SYN spoofing attack above.

Reflector: Many requests sent to many varying intermediaries, all with the same spoofed (target) source address. The intermediaries all reply to that address, overwhelming the target. Services with larger response payloads result in more traffic sent to the target; e.g. DNS, ISAKMP, SNMP.

Amplification attacks: Similar to a reflection attack, except multiple response packets are sent for each request, e.g. by sending to a broadcast address. Smurf attack: ICMP echo sent to a broadcast address with a spoofed source. The Fraggle attack is the same, except it uses UDP sent to broadcast.

DNS Amplification: Tailored reflection attack; select DNS requests with large responses. A 60-byte request yields a 512-byte (or larger) response.

DDoS Defenses

Selective or random packet drops: During an attack, randomly dropped packets are likely to be attack packets. Real packets will retry and (hopefully) be successful at establishing a connection.

SYN Cookies: Encoding information (e.g. session info) in the sequence number. The server can then reconstruct the session from the client's ACK and doesn't have to hold a half-open connection open in the meantime.
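A toy SYN-cookie generator and validator, as an added example (not from Stallings): the 32-bit ISN carries a time counter, an MSS index and a keyed hash of the connection 4-tuple, so the server stores nothing until the final ACK proves the client address is reachable. The secret, addresses and MSS table are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret; a real server keeps this private and rotates it.
SECRET = b"constructed-demo-secret"
# Only a 3-bit index survives in the cookie, so the client's MSS is rounded down
# to one of these values (a well-known SYN-cookie trade-off).
MSS_TABLE = [536, 1220, 1460, 8960]

def _cookie_mac(src_ip, src_port, dst_ip, dst_port, t, secret):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
           + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
           + struct.pack("!B", t))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, secret=SECRET):
    """ISN to send in the SYN-ACK instead of queueing a half-open connection.
    Layout: 5-bit time counter (64 s ticks) | 3-bit MSS index | 24-bit MAC."""
    t = (now // 64) & 0x1F
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)
    mac = _cookie_mac(src_ip, src_port, dst_ip, dst_port, t, secret)
    return (t << 27) | (mss_idx << 24) | mac

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now, secret=SECRET):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None if
    the cookie is forged, belongs to another 4-tuple, or is more than a tick old."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client ACKs our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    t_now = (now // 64) & 0x1F
    if ((t_now - t) & 0x1F) > 1:
        return None  # stale: a legitimate client would have retried by now
    expected = _cookie_mac(src_ip, src_port, dst_ip, dst_port, t, secret)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

Because the cookie is recomputed from the ACK alone, spoofed SYNs whose ACK never arrives cost the server no memory.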

Tuning TCP params such as timeout periods.

The best defense is for infrastructure to stop these packets at the source, but this is out of the control of end users.