Malware needing a host program (parasitic code) like viruses.
Independent, self-contained programs like worms, trojans, and bots.
Another distinction was:
Malware that does not replicate (trojans, spam).
Malware that replicates (viruses, worms).
Payload actions: Actions performed by malware once it infects a system.
Corruption of system or data files.
Theft of service to make the system a zombie agent (botnet).
Theft of information (logins, passwords) via keylogging or spyware.
Stealthing to hide its presence.
Blended attack:
Uses multiple infection/propagation methods to maximize contagion speed and severity.
Attack Kits
Development and deployment of malware used to require considerable technical skill.
Virus-creation toolkits in the early 1990s and general attack kits in the 2000s (crimeware) changed this.
These kits:
Include various propagation mechanisms and payload modules.
Can be customized with the latest vulnerabilities.
Enlarged the population of attackers.
Attack Sources
Shift from individual attackers to organized and dangerous sources:
Politically motivated attackers.
Criminals, organized crime.
Organizations selling services to companies/nations.
National government agencies.
This shift led to:
Increased resources and motivation behind malware development.
A large underground economy selling attack kits, access to compromised hosts, and stolen information.
Viruses
Parasitic software fragments that attach themselves to existing executable content.
"Infect" other programs and modify them.
Modification includes injecting code to make copies of the virus.
Viruses were dominant due to the lack of user authentication and access controls on early personal computer systems.
Virus Structure
A computer virus includes one or more variants of components, but the specific components are not disclosed in this transcript.
Virus Phases
A typical virus goes through the following four phases:
Dormant
Propagation
Triggering
Execution
Virus Classification by Target
The transcript does not include any categories.
Virus Classification by Concealment Strategy
Encrypted virus:
Encrypts the virus body with a random key.
Decrypts when the infected program is invoked.
Uses a different key for each instance to avoid a constant bit pattern.
Stealth virus:
Hides itself from antivirus software.
Hides the entire virus, not just the payload.
Polymorphic virus:
Mutates with every infection.
Makes detection by signature impossible.
Metamorphic virus:
Rewrites itself completely at each iteration.
May change its behavior and appearance.
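The following is an added illustration, not code from the lecture: it shows why the per-instance key of an encrypted virus defeats a plain signature on the virus body, and why scanners respond with generic decryption (recognise the constant decryptor stub, replay it, then match). All byte strings, the stub layout and the 4-byte key size are constructed assumptions.

```python
# Added example (not from the lecture): why a per-instance key defeats a plain
# signature on the virus body, and why scanners answer with generic decryption.
# All bytes below are constructed stand-ins; nothing here is real malware.
BODY = b"[virus body] CALL find_host; JMP infect_next_file; RET"
SIGNATURE = b"JMP infect_next_file"   # constant bit pattern a body signature matches
STUB = b"DECRYPTOR_STUB:"             # decryptor every instance keeps in cleartext
KEY_LEN = 4                           # assumed per-instance key size

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the toy cipher standing in for the virus's encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_instance(key: bytes) -> bytes:
    """Layout of one infected copy: cleartext stub, the instance's key, encrypted body."""
    assert len(key) == KEY_LEN
    return STUB + key + xor_bytes(BODY, key)

def static_scan(sample: bytes) -> bool:
    """Signature match on the bytes exactly as stored on disk."""
    return SIGNATURE in sample

def emulating_scan(sample: bytes) -> bool:
    """Generic-decryption scanning: recognise the constant stub, replay its
    decryption on the rest of the file, then match the signature on the result."""
    if static_scan(sample):
        return True
    idx = sample.find(STUB)
    if idx < 0:
        return False
    key_start = idx + len(STUB)
    key = sample[key_start:key_start + KEY_LEN]
    return SIGNATURE in xor_bytes(sample[key_start + KEY_LEN:], key)

def compare(key_a: bytes, key_b: bytes) -> dict:
    """Two instances of the same virus with different keys, seen by both scanners."""
    a, b = make_instance(key_a), make_instance(key_b)
    return {
        "encrypted_bodies_identical": a[len(STUB) + KEY_LEN:] == b[len(STUB) + KEY_LEN:],
        "static_scan": (static_scan(a), static_scan(b)),
        "emulating_scan": (emulating_scan(a), emulating_scan(b)),
    }
```

The stub is the constant part a stealth or polymorphic virus must also vary, which is why the later categories in the list raise the bar further.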
Macro and Scripting Viruses
Infect scripting code used in user document types.
Threats:
Platform independent.
Infect documents, not executable code.
Easily spread through shared documents.
Traditional file system access controls are of limited use.
Worms
Actively seeks out more machines to infect.
Replicates and propagates after activation.
Uses various means to access remote systems:
Electronic mail or instant messenger.
File sharing.
Remote execution capability.
Remote file access.
Remote login capability.
Worm Phases
Typically uses the same phases as a computer virus:
Dormant
Propagation
Triggering
Execution
The propagation phase performs:
Searching for access mechanisms to other systems.
Transferring a copy of itself to the remote system and causing it to run.
Target Discovery
Scanning/fingerprinting:
The propagation-phase function by which a network worm searches for other systems to infect.
Worm network scanning strategies:
Random:
Probes random addresses in the IP address space.
Produces high Internet traffic, causing disruption.
Hit list:
Attacker compiles a list of vulnerable machines.
Infects machines on the list.
Results in a short scanning period.
Topological:
Uses information on an infected machine to find more hosts.
Local subnet:
Looks for targets in its local network behind a firewall.
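As an added detection example (not from the lecture), the fan-out that random and local-subnet scanning produce can be spotted in flow records: one source contacting many distinct destinations on a single port within a short window. The flow records, the 10.0.0.0/24 local network and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not from the lecture): spotting the fan-out that random and
# local-subnet scanning produce, in flow records of the form
# (timestamp_seconds, src, dst, dst_port). All records are constructed.
FLOWS = [
    (0, "10.0.0.5", "198.51.100.10", 443),    # ordinary client traffic
    (1, "10.0.0.5", "203.0.113.7", 443),
    (2, "10.0.0.5", "10.0.0.1", 53),
    # random scanning: one port, destinations scattered across the address space
    *[(t, "10.0.0.7", f"{(t * 97) % 223 + 1}.{(t * 31) % 256}.{(t * 13) % 256}.{t}", 445)
      for t in range(40)],
    # local-subnet scanning: one port, the host's own /24 walked sequentially
    *[(t, "10.0.0.9", f"10.0.0.{h}", 445) for t, h in enumerate(range(10, 50))],
]

LOCAL_NET = ip_network("10.0.0.0/24")   # assumed local network of the monitored hosts
FANOUT_THRESHOLD = 20                   # distinct destinations on one port per window
WINDOW_SECONDS = 60

def detect_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: (dport, distinct_destinations, strategy)} for every source
    whose fan-out on a single destination port reaches the threshold within one
    time window. Strategy labels which of the text's scanning patterns it resembles."""
    dsts_by_key = defaultdict(set)               # (src, dport, window_id) -> {dst}
    for ts, src, dst, dport in flows:
        dsts_by_key[(src, dport, ts // window)].add(dst)
    alerts = {}
    for (src, dport, _), dsts in dsts_by_key.items():
        if len(dsts) < threshold:
            continue
        local = sum(ip_address(d) in LOCAL_NET for d in dsts)
        strategy = "local-subnet" if local * 2 > len(dsts) else "random/wide"
        alerts[src] = (dport, len(dsts), strategy)
    return alerts
```

Hit-list and topological scanning produce far less fan-out, which is why they are harder to catch with this kind of volumetric rule.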
The Morris Worm
Released by Robert Morris in 1988.
Spread on UNIX systems.
Techniques for propagation:
Discovering other hosts known to the current host.
Attempting to log on to remote hosts as a legitimate user.
Exploiting a bug in the UNIX finger protocol.
Exploiting a trapdoor in the debug option of the remote process that receives and sends mail.
Mobile Code
Programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction.
Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation.
Popular vehicles for mobile code include:
The most common ways of using mobile code for malicious operations on the local system are:
Cross-site scripting
Interactive and dynamic Web sites
E-mail attachments
Downloads from untrusted sites or of untrusted software
Client-Side Vulnerabilities and Drive-by-Downloads
Drive-by-download:
Exploits browser vulnerabilities to download and install malware without user knowledge.
Does not actively propagate like a worm.
Waits for users to visit a malicious website.
Watering-hole attacks:
Targeted attacks which identify websites the target is likely to visit.
Exploit vulnerabilities on these sites with drive-by-downloads.
Malvertising:
Places malware on websites through paid advertisements.
Clickjacking
Also known as a user-interface (UI) redress attack.
Collects an infected user’s clicks.
Forces the user to perform actions.
Uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page.
Using a similar technique, keystrokes can also be hijacked.
With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their e-mail or bank account but are instead typing into an invisible frame controlled by the attacker.
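The server-side defence against the framing described above is to forbid other origins from embedding the page. The following added example (not from the lecture) audits response headers for that protection: a Content-Security-Policy `frame-ancestors` directive, or the older `X-Frame-Options` header. The sample responses are constructed; the treatment of `ALLOW-FROM` as obsolete and of report-only CSP as non-enforcing reflects current browser behaviour.

```python
# Added example (not from the lecture): classify a response's anti-clickjacking
# posture from its headers. Sample responses are constructed, not captured.

def _header(headers: dict, name: str):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_protection(headers: dict) -> str:
    """'csp'  : frame-ancestors restricts embedding (preferred; overrides XFO)
       'xfo'  : only X-Frame-Options DENY or SAMEORIGIN
       'none' : any origin may frame the page, so click/keystroke hijacking is possible"""
    csp = _header(headers, "Content-Security-Policy")   # Report-Only variant does not enforce
    if csp:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            return "none" if "*" in ancestors else "csp"
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"   # ALLOW-FROM is obsolete and ignored by current browsers

# Constructed sample responses (not from any real site).
SAMPLES = {
    "bank_login": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_app": {"x-frame-options": "SAMEORIGIN"},
    "unprotected": {"Content-Type": "text/html"},
    "too_permissive": {"Content-Security-Policy": "frame-ancestors *"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

def audit(samples=SAMPLES) -> dict:
    return {name: framing_protection(h) for name, h in samples.items()}
```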
Spam
Unsolicited bulk e-mail.
Imposes costs on network infrastructure and users.
Most recent spam is sent by botnets using compromised user systems.
A significant carrier of malware.
May be used in a phishing attack.
Trojan Horses
A program or utility containing hidden code that performs unwanted functions when invoked.
Can accomplish functions indirectly.
Fits into one of three models, but those models are not specified in this document.
Uses of Bots
Distributed denial-of-service (DDoS) attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisement add-ons and browser helper objects (BHOs)
Attacking Internet Relay Chat (IRC) networks
Manipulating online polls/games
Payload - Information Theft
This section does not provide details about information theft.
Payload - Stealthing
Backdoor:
A secret entry point into a program.
Allows access without usual security procedures.
Implemented as a network service listening on a nonstandard port.
Rootkit:
A set of programs to maintain covert access with administrator privileges.
Hides evidence of its presence.
Alters host functionality in a malicious way.
Subverts mechanisms that monitor processes, files, and registries.
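A backdoor that listens on a nonstandard port is one of the few stealthing artefacts visible from outside the subverted host's own tooling, by comparing listening sockets against a known-good baseline. The following added example (not from the lecture) parses constructed `ss -ltn` output and reports listeners absent from the baseline; the baseline, the output and the port 31337 entry are constructed, and the column layout is that of `ss -ltn`.

```python
# Added example (not from the lecture): diff current TCP listeners against a
# baseline to surface a backdoor-shaped service. Output and baseline are constructed.
# `ss -ltn` columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     0.0.0.0:31337        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Approved listeners for this host (constructed; in practice kept by the host owner).
BASELINE = {("0.0.0.0", 22), ("[::]", 22), ("127.0.0.1", 631), ("*", 443)}
ANY_ADDR = {"0.0.0.0", "*", "[::]"}   # wildcard binds reachable from the network

def parse_ss(output: str):
    """Yield (local_addr, port) for each LISTEN line of `ss -ltn` output."""
    for line in output.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 brackets intact
        yield addr, int(port)

def unexpected_listeners(output: str, baseline=BASELINE) -> list:
    """Return (addr, port, severity) for listeners not in the baseline. A service
    bound on all interfaces on an unregistered high port is the textbook backdoor
    shape described in the text and is rated 'high'; everything else is 'review'."""
    findings = []
    for addr, port in parse_ss(output):
        if (addr, port) in baseline:
            continue
        exposed = addr in ANY_ADDR
        findings.append((addr, port, "high" if exposed and port >= 1024 else "review"))
    return findings
```

Because a rootkit can alter the host's own `ss` or the kernel tables it reads, the authoritative version of this check is run from outside (a port scan of the host from a clean system, or network flow data), not from the suspect host.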