Malware and Social Engineering Attacks

Malware Attacks

  • Malware is malicious software that enters a computer system without the owner's knowledge or consent.
  • It utilizes a threat vector to deliver a malicious "payload".
  • Malware is a general term referring to a wide variety of damaging or annoying software.

Classification by Primary Trait:

  • Circulation: How malware spreads rapidly to other systems.
    • Viruses
    • Worms
  • Infection: How it embeds itself into a system.
    • Trojans
    • Ransomware
    • Crypto-malware
  • Concealment: How it avoids detection.
    • Rootkits
  • Payload capabilities: What actions the malware performs.

Circulation

Viruses

  • Malicious computer code that reproduces itself on the same computer.

  • Types of Viruses:

    • Program virus: infects an executable program file.
    • Macro virus: written in a script known as a macro and infects a common data file.
  • Virus infection method:

    • Appender infection: the virus appends itself to the end of the host file and patches the file's start to jump to the added code; easily detected by signature scanners.
    • Armored virus: goes to great lengths to resist detection and analysis
      • Swiss cheese infection: the virus injects itself into the host's executable code and scrambles the original code around it, so the infected file is harder to recognize.
      • Split infection: the virus splits into several parts, placing the parts at random positions in the host program
      • Mutation: each new copy changes its own bytes so that no single fixed signature matches every copy
        • Oligomorphic virus: changes its internal code to one of a small set of predefined mutations whenever executed; a scanner can still enumerate every form.
        • Polymorphic virus: encrypts its body under a new key on each infection and varies the decryption routine, so each copy looks completely different from its original form.
        • Metamorphic virus: rewrites its own code (not just an outer wrapper) and appears different each time it is executed while still doing the same thing.
  • Viruses perform two actions:

    • Unload a payload to perform a malicious action
    • Reproduce by inserting their code into another file on the same computer
  • Examples of virus actions:

    • Cause a computer to repeatedly crash
    • Erase files from or reformat the hard drive
    • Turn off the computer's security settings
  • Viruses cannot automatically spread to another computer; they rely on user action (opening, copying, or emailing an infected file) to spread

  • Viruses are attached to files and are spread by transferring infected files.
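As an added illustration of the mutation bullets above (this is example code written for these notes, not code from the original page or from any real virus), the Python below shows why a fixed byte signature catches a plain appender copy but misses oligomorphic and polymorphic copies, and why scanners emulate the decryptor instead of matching raw bytes. The "virus body", the signature, the one-byte XOR "decryptor" (a stand-in for a real decryption stub) and the oligomorphic key set are all constructed for the example; metamorphic rewriting of the instructions themselves is not modelled.

```python
from __future__ import annotations

import os

# Constructed stand-in for a virus body: plain text bytes, not executable code and not malware.
BODY = b"open host file; append copy of self; patch entry point; run payload"

# The fixed byte pattern a naive signature scanner keys on.
SIGNATURE = b"append copy of self"

# Oligomorphic: the body is XOR-encoded with one of a small, fixed set of keys.
# The key byte placed in front stands in for the decryptor stub the virus carries.
OLIGO_KEYS = (0x0F, 0x33, 0xAA, 0xC3)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static scan: report a hit only if the exact signature bytes are present."""
    return signature in sample


def xor_encode(body: bytes, key: int) -> bytes:
    """Encode the body under a one-byte XOR key and prepend the key (the 'decryptor')."""
    return bytes([key]) + bytes(b ^ key for b in body)


def oligomorphic_copy(body: bytes, generation: int) -> bytes:
    """Each generation takes the next key from the predefined set: only len(OLIGO_KEYS) forms exist."""
    return xor_encode(body, OLIGO_KEYS[generation % len(OLIGO_KEYS)])


def polymorphic_copy(body: bytes) -> bytes:
    """Each copy draws a fresh random key: up to 255 distinct encoded forms."""
    key = os.urandom(1)[0] % 255 + 1      # 1..255; key 0 would leave the body in the clear
    return xor_encode(body, key)


def emulate_and_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a modern scanner does: run the decryptor (here: undo the XOR), then scan the result."""
    key = sample[0]
    decoded = bytes(b ^ key for b in sample[1:])
    return signature in decoded


def distinct_forms(make_copy, attempts: int) -> int:
    """How many different byte images make_copy() produces across `attempts` infections."""
    return len({make_copy() for _ in range(attempts)})


if __name__ == "__main__":
    print("appender copy, static signature:      ", signature_scan(BODY))
    print("oligomorphic copy, static signature:  ", signature_scan(oligomorphic_copy(BODY, 0)))
    print("oligomorphic copy, after emulation:   ", emulate_and_scan(oligomorphic_copy(BODY, 0)))
    print("polymorphic copy, after emulation:    ", emulate_and_scan(polymorphic_copy(BODY)))
    print("distinct oligomorphic forms (100 runs):", distinct_forms(lambda: oligomorphic_copy(BODY, os.urandom(1)[0]), 100))
    print("distinct polymorphic forms (100 runs): ", distinct_forms(lambda: polymorphic_copy(BODY), 100))
```

The practical point is the last two lines: an oligomorphic family yields a handful of byte images, so a vendor can simply ship one signature per form, while a polymorphic family forces the scanner to decode before matching.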

Worms

  • Malicious program that uses a computer network to replicate.
  • Sends copies of itself to other network devices.
  • Worms may:
    • Consume resources
    • Leave behind a payload to harm infected systems
  • Examples of worm actions:
    • Deleting computer files
    • Allowing remote control of a computer by an attacker
  • Difference between Virus and Worm:
    • Virus:
      • Inserts malicious code into a program or data file
      • User transfers infected files to other devices to spread
      • Infects a file
      • Needs to have user action for it to spread
    • Worm:
      • Exploits a vulnerability in an application or operating system
      • Uses a network to travel from one computer to another
      • Does not infect a file
      • Does not need to have user action for it to spread

Infection

Trojans

  • An executable program that does something other than advertised.
  • Contain hidden code that launches an attack
  • Sometimes made to appear as a data file
    • Example: User downloads “free calendar program” and the program scans system for credit card numbers and passwords and transmits that information to attacker through network.
  • Remote Access Trojan (RAT): Gives the threat actor unauthorized remote access to the victim’s computer by using specially configured communication protocols.

Ransomware

  • Prevents a user’s device from properly operating until a fee is paid.
  • Highly profitable.
  • Some ransomware displays a fictitious warning that a software license has expired or there is a problem and users must purchase additional software online to fix the problem

Crypto-malware

  • A more malicious form of ransomware where threat actors encrypt all files on the device so that none of them can be opened.
  • Once infected with crypto-malware:
    • The software connects to the threat actor's command and control (C&C) server to receive instructions, updated data, and the attacker's public key.
    • A locking key is generated and used to encrypt the files; that locking key is then itself encrypted (wrapped) with the public key downloaded from the C&C, so the clear key does not remain on the device.
    • The matching private key stays on the C&C and is sent to the victim only after the ransom is paid; without it the wrapped locking key cannot be recovered.
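The key handling described in the three bullets above, as an added example (it is not part of the original notes and is not any real ransomware's code): a toy RSA pair built on two known Mersenne primes plays the C&C key pair, and a SHA-256 counter-mode keystream plays the role of the file cipher in place of AES. Both substitutions are assumptions made so that the whole exchange runs offline in the standard library; the sample "files" are constructed byte strings held in memory.

```python
from __future__ import annotations

import hashlib
import secrets
from typing import Optional

# ---- Attacker side (C&C) ---------------------------------------------------------------
# Toy RSA on two known Mersenne primes. A ~150-bit modulus is NOT secure; it stands in for the
# 2048-bit keys real campaigns use (assumption of the example, not a claim about the page).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: generated on the C&C, never sent to victims


def cnc_public_key() -> tuple[int, int]:
    """Step 1: what the infected device downloads from the C&C along with its instructions."""
    return (N, E)


def cnc_release_private_key(paid: bool) -> Optional[int]:
    """Step 3: the C&C hands over the private exponent only once payment is confirmed."""
    return D if paid else None


# ---- Victim side -------------------------------------------------------------------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Stands in for AES; not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(8)                       # fresh per file: no keystream reuse
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def infect(files: dict[str, bytes], pub: tuple[int, int]) -> tuple[dict[str, bytes], int]:
    """Step 2: one random locking key encrypts every file, then that key is wrapped with the
    downloaded public key. Only the wrapped key is left behind (e.g. in the ransom note)."""
    n, e = pub
    locking_key = secrets.token_bytes(16)                # 128-bit key, well below the modulus
    encrypted = {name: encrypt_file(locking_key, data) for name, data in files.items()}
    wrapped_key = pow(int.from_bytes(locking_key, "big"), e, n)
    del locking_key                                      # the clear key does not survive infection
    return encrypted, wrapped_key


def recover(encrypted: dict[str, bytes], wrapped_key: int,
            pub: tuple[int, int], private_exponent: int) -> dict[str, bytes]:
    """What the victim can do only after the private exponent arrives: unwrap, then decrypt."""
    n, _ = pub
    locking_key = pow(wrapped_key, private_exponent, n).to_bytes(16, "big")
    return {name: decrypt_file(locking_key, blob) for name, blob in encrypted.items()}


if __name__ == "__main__":
    docs = {"budget.xlsx": b"Q1 figures", "notes.txt": b"meeting at 10"}   # constructed sample files
    enc, wrapped = infect(docs, cnc_public_key())
    print("key released before payment:", cnc_release_private_key(paid=False))
    print("files restored after payment:",
          recover(enc, wrapped, cnc_public_key(), cnc_release_private_key(paid=True)) == docs)
```

The design explains two things defenders see in practice: reverse-engineering the sample yields only the public key, so it does not help recovery, and the only realistic recoveries come from a seized C&C database of private keys or from a flaw in the malware's key generation.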

Concealment

Rootkits

  • Software tools used by an attacker to hide actions or presence of other types of malicious software
  • Hides or removes traces of log-in records and log entries
  • May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity
  • Users can no longer trust a computer that contains a rootkit, because the rootkit controls what the operating system reports and hides what is actually occurring on the machine.

Payload Capabilities

  • The destructive power of malware can be found in its payload capabilities.
  • Primary payload capabilities are to:
    • Collect data
    • Delete data
    • Modify system security settings
    • Launch attacks

Collect Data

  • Different types of malware are designed to collect important data from the user's computer and make it available to the attacker
  • This type of malware includes:
    • Spyware
    • Adware
Spyware
  • Software that gathers information without user consent
  • Uses the computer’s resources for the purposes of collecting and distributing personal or sensitive information
  • Keylogger: captures and stores each keystroke that a user types on the computer’s keyboard
    • Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information.
    • Can be a small hardware device or a software program.
      • Hardware keylogger: a small device inserted between the keyboard cable and the computer's USB port; it needs physical access to install and to retrieve
      • Software keyloggers: programs installed on the computer that silently capture information
        • Advantage is that they do not require physical access to the user’s computer
        • Often installed as a Trojan or virus, can send captured information back to the attacker via Internet.
Adware
  • Program that delivers advertising content in manner unexpected and unwanted by the user
  • Typically displays advertising banners and pop-up ads
  • May open new browser windows randomly
  • Users disapprove of adware because:
    • Adware can display objectionable content
    • Frequent popup ads can interfere with a user’s productivity
    • Popup ads can slow a computer or even cause crashes and the loss of data
    • Unwanted advertisements can be a nuisance

Delete Data

  • Payload of other types of malware deletes data on the computer
  • Logic bomb: computer code that lies dormant until it is triggered by a specific logical event
    • Difficult to detect before it is triggered
    • Often embedded in large computer programs that are not routinely scanned

Modify System Security

  • Backdoor: a hidden way into a computer, program, or service that circumvents the normal authentication and access controls
  • Once installed on a computer, a backdoor allows the attacker to return at a later time and bypass the security settings

Launch Attacks:

  • Bot/zombie: An infected computer that is under the remote control of an attacker
  • Groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder)
  • Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders
  • A common C&C mechanism used today is HTTP (or HTTPS): the bot's check-ins blend in with ordinary web browsing, which is rarely blocked at the perimeter, so the traffic is more difficult to detect and block
  • Types of attacks:
    • Spamming: Botnets are widely recognized as the primary source of spam email. A botnet consisting of thousands of bots enables an attacker to send massive amounts of spam.
    • Spreading malware: Botnets can be used to spread malware and create new bots and botnets. Bots can download and execute a file sent by the attacker.
    • Manipulating online polls: Because each bot has a unique Internet Protocol (IP) address, each “vote” by a bot will have the same credibility as a vote cast by a real person.
    • Denying services: Botnets can flood a web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests.
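Because HTTP C&C blends into normal traffic, a network defender looks for the one thing a bot polling its bot herder cannot hide: it checks in on a schedule. The Python below, added here as an example and not part of the original notes, flags (client, host) pairs in web-proxy log lines whose request gaps are too regular to be a person browsing. The log format, the IP addresses and the hostnames are all constructed for the example, and the thresholds (five hits, coefficient of variation of the gaps at most 0.1) are assumptions a real deployment would tune.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed web-proxy log lines (not from any real system): time, client IP, method, URL, status.
# 10.0.0.15 is a person browsing; 10.0.0.23 carries a bot polling its HTTP C&C every ~5 minutes.
LOG_LINES = """\
2024-03-04T09:00:02 10.0.0.15 GET http://news.example.net/index.html 200
2024-03-04T09:00:05 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:01:11 10.0.0.15 GET http://news.example.net/sports.html 200
2024-03-04T09:03:40 10.0.0.23 GET http://mail.example.org/inbox 200
2024-03-04T09:05:05 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:07:40 10.0.0.15 GET http://news.example.net/weather.html 200
2024-03-04T09:08:03 10.0.0.15 GET http://news.example.net/images/logo.png 200
2024-03-04T09:10:04 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:15:06 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:20:05 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:25:05 10.0.0.23 GET http://cdn.example-updates.com/check.php 200
2024-03-04T09:30:55 10.0.0.15 GET http://news.example.net/index.html 200
2024-03-04T09:31:02 10.0.0.15 GET http://news.example.net/local.html 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(lines):
    """Yield (timestamp, client, host) for every well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        yield datetime.fromisoformat(ts), client, urlparse(url).netloc


def find_beacons(lines, min_hits: int = 5, max_cv: float = 0.1):
    """Return (client, host, mean gap seconds, cv) for pairs whose request timing is machine-regular.
    cv = stdev / mean of the gaps between consecutive requests: a bot with little jitter scores
    near 0, a person clicking around scores near or above 1."""
    times = defaultdict(list)
    for ts, client, host in parse(lines):
        times[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue                                   # too few requests to judge a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((client, host, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, host, avg, cv in find_beacons(LOG_LINES):
        print(f"beacon candidate: {client} -> {host} every {avg}s (cv={cv})")
```

Real bots add jitter or sleep for long intervals, so production detections also weigh the URL never changing, small and constant response sizes, and the host being newly registered; the timing check is the first filter, not the verdict.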

Social Engineering Attacks

  • Social engineering: a means of gathering information for an attack by relying on the weaknesses of individuals.
  • Social engineering attacks can involve psychological approaches as well as physical procedures

Psychological Approaches

  • Psychological approaches goal: to persuade the victim to provide information or take action
  • Attackers use a variety of techniques to gain trust without moving too quickly:
    • Provide a reason
    • Project confidence
    • Use evasion and diversion
    • Make them laugh
  • Psychological approaches often involve:
    • Impersonation, phishing, spam, hoaxes, and watering hole attacks
Impersonation
  • Attacker pretends to be someone else:
    • Help desk support technician
    • Repairperson
    • IT support
    • Manager
    • Trusted third party
    • Fellow employee
  • Attacker will often impersonate a person with authority because victims generally resist saying “no” to anyone in power
Phishing
  • Sending an email claiming to be from a legitimate source
  • Tries to trick the user into giving up private information or following a link to a fake website
  • The emails and fake websites are difficult to distinguish from legitimate ones
  • Variations on phishing attacks:
    • Spear phishing: targets specific users, using details gathered about them
    • Whaling: targets the "big fish" (senior executives)
    • Vishing: uses a telephone call (voice) instead of email
  • About 97% of all attacks start with phishing
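A check a mail gateway or an analyst can run on a message body, added here as an example and not part of the original notes: it extracts every link, flags visible text that shows one domain while the href leads to another, flags hosts that merely resemble a protected brand after common digit-for-letter swaps, and flags internationalized (xn--) labels that can hide a homograph of a trusted name. The HTML body, the protected-brand list, the confusable table and every hostname are constructed for the example; the xn-- label is a placeholder and is not decoded.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand domains this check protects (constructed list for the example).
PROTECTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Constructed phishing-style HTML body; every hostname below is made up.
PHISH_HTML = """
<p>Your account is limited. Sign in at
<a href="http://secure-login.paypa1-verify.com/auth">https://www.paypal.com/login</a>
within 24 hours.</p>
<p>Or use <a href="http://secure.xn--pal-example.com/">our secure portal</a>.</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help center</a>.</p>
"""

# Digits attackers swap for look-alike letters; folded back before comparing with the brand.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (secure-login.paypa1-verify.com -> paypa1-verify.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(host: str) -> str:
    """Fold common substitutions so look-alike hosts collapse onto the spelling of the brand."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_links(html: str, protected: set[str] = PROTECTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (href, reason) for every link that shows a phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings: list[tuple[str, str]] = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue                                   # mailto:, tel: and friends are out of scope
        host = (url.hostname or "").lower()
        actual = registered_domain(host)
        # 1. Visible text looks like a URL but the link goes somewhere else.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != actual:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        # 2. The real host is not a protected domain but resembles or embeds one.
        if actual not in protected:
            for brand in protected:
                if brand.split(".")[0] in skeleton(host):
                    findings.append((href, f"host resembles protected brand {brand}"))
        # 3. Internationalized label: what the user sees may be a homograph of a trusted name.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "internationalized (xn--) hostname label"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(PHISH_HTML):
        print(f"{href}: {reason}")
```

The two-label rule in registered_domain is a simplification; a production check uses the Public Suffix List so that hosts under co.uk or similar are compared on the right label.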
Spam
  • Unsolicited e-mail
  • One of the primary vehicles for the distribution of malware
  • Sending spam is a lucrative business because it costs spammers very little to send millions of messages
  • Text-based filters look for specific words or phrases and block matching email
  • Image spam: uses graphical images of text in order to circumvent text-based filters
  • Often padded with random or nonsense text so that it looks like legitimate mail to the filter
Hoaxes
  • A false warning, usually claiming to come from the IT department
  • Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system
  • Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker
Watering Hole Attack
  • A malicious attack directed toward a small group of specific individuals who visit the same website: the attacker compromises that site and waits for the targets to visit it
  • Example: Major executives working for a manufacturing company may visit a common website, such as a parts supplier to the manufacturer; infecting the supplier's site reaches the executives without attacking the manufacturer's own network directly

Physical Procedures

  • Two of the most common physical procedures are:
    • Dumpster diving
    • Tailgating
Dumpster Diving
  • Digging through trash to find information that can be useful in an attack
  • An electronic variation of dumpster diving is to use Google's search engine to look for documents and data posted online, called Google dorking; search operators such as site:, filetype:, and intitle: narrow the results to one organization's exposed files (for example, site:example.com filetype:xls)
  • Items retrieved and Why Useful:
    • Calendars: A calendar can reveal which employees are out of town at a particular time
    • Inexpensive computer hardware, such as USB flash drives or portable hard drives: Often improperly disposed of and might still contain valuable information
    • Memos: Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation
    • Organizational charts: These identify individuals within the organization who are in positions of authority
    • Phone directories: Can provide the names and telephone numbers of individuals in the organization to target or impersonate
    • Policy manuals: These may reveal the true level of security within the organization
    • System manuals: Can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities
Tailgating
  • Following behind an authorized individual through an access door
  • An employee could conspire with an unauthorized person to let that person walk in alongside them (piggybacking)
  • Watching an authorized user enter a security code on a keypad is known as shoulder surfing