Size: 5.1 MB
Language: en
Added: Aug 16, 2024
Slides: 60 pages
What is Malware?
- Malware (malicious software): software designed to infiltrate, damage or disrupt a computer system without the owner's informed consent
- A set of instructions that run on your electronic device and make it do something that an attacker wants it to do
Consequences of Malware?
Malware may...
- Steal your personal information
- Monitor your computer activity
- Install additional software
- Create backdoors
- Lower the overall state of security
- Display forced advertising
- Enable profiteering scams
- Use your computer resources (CPU, RAM etc.)
How Systems Become Vulnerable to Malware?
- Flaws or bugs in software
- Over-privileged users or system processes
- Design of software or a system
- Poorly implemented Standard Operating Environment (SOE) practices
- Lack of awareness/education surrounding the topic of malware
Malware Screenshots
Malware through Scare Tactics?
Evolution of Malware – 30 Years
(Timeline figure: attack complexity plotted against time, with ticks at 1990, 2000, 2004, 2009 and 2020)
- Attack: against web server. Motivation: defacement and glory
- Attack: against web server, data infrastructure. Motivation: corporate information and financial gain
- Attack: against web server, data infrastructure and end-user computers. Motivation: corporate information and financial gain
- Attack: against SCADA networks, servers, IoT. Motivation: corporate information, personal information, financial gain and computer resources
Total Malware 1984-2018* (*the website av-test.org stopped using this type of graph in 2018)
Total Malware 2012-2021*
Other Malware Statistics
Malware Threats
Malware Attack Kits
- Traditionally the development of malware required considerable technical skills and knowledge
- Malware creation ‘kits’ have enhanced the ability for ‘anyone’ to develop and customise malware
- Malware toolkits, also known as ‘crimeware’, simplify the process of malware development
- Commonly used kits include: Zeus, Blackhole, Sakura, Phoenix
Malware Specimens: Zeus
- Trojan horse
- Commonly spread by Facebook messages
- Installed via drive-by downloads and phishing
- Works on Microsoft Windows only
- The attacker fine-tunes their Trojan to steal only the information of interest to them
- Wakes up when a particular site is accessed
Malware Specimens: Psyb0t
- Targets Linux-based ADSL routers
- Infection occurs from an internal IP address
- Initially pre-populated with 6000 usernames and 13,000 passwords
- Generally exploits poorly configured devices
- When part of a botnet it receives commands via IRC command and control servers
Threats to Organisations
Because malware is such a broad concept, the ways malware can threaten an organisation’s security are extensive. Most malware is sent out through large-scale campaigns, often through malicious spam emails (MalSpam).

Large-scale, indiscriminate attacks:
- This ‘spray and pray’ approach to finding targets is indiscriminate: the goal is to find ANY vulnerable target, not a specific target.
- Defence against this type of malware will mostly consist of preventing the large-scale attacks through techniques such as firewall rules, application whitelisting, good patch management to reduce vulnerabilities, and virus and malware scanners.
- These large-scale attacks usually also make the news (at least in cyber security circles).

Targeted attacks:
- Less common, but potentially more dangerous, is a directed or targeted malware attack.
- If an attacker is specifically attempting to breach an organisation’s security they may be much more deliberate in their actions: performing reconnaissance, hacking and even crafting manual malicious payloads.
- Often directed at larger organisations or more public targets. Goals include everything from extortion to theft of secrets.
- Detection of these attacks requires more advanced threat hunting techniques: auditing of log files, intrusion detection systems, email scanning.
Classification of Malware
Computer Viruses and Worms
Viruses
- A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code
- When the other executable code is run, the virus also executes and has the opportunity to infect other files and perform any other nefarious actions it was designed to do
Virus Structure
Virus Phases
Virus Classifications
By target:
- Boot sector infector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
- File infector: infects files that the operating system or shell considers to be executable
- Macro virus: infects files with macro or scripting code that is interpreted by an application
- Multipartite virus: infects files in multiple ways
By concealment strategy:
- Encrypted virus: a portion of the virus creates a random encryption key and encrypts the remainder of the virus
- Stealth virus: a form of virus explicitly designed to hide itself from detection by anti-virus software
- Polymorphic virus: a virus that mutates with every infection
- Metamorphic virus: a virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Virus Code Execution
(Diagram: three program layouts compared)
- Normal program: program header, then the normal “main” code sections
- With modification of the executable file: additional/modified program header, the normal “main” code sections, and the malicious code appended
- Injection into a running process: normal program header, the normal “main” code sections, the memory-mapped libraries (DLLs/shared objects), and a malicious library (DLL/SO) injected among them
Worms
- Program that actively seeks out machines to infect; each infected machine serves as an automated launching pad for attacks towards other machines
- Typically exploits vulnerabilities in client or server programs
- Makes use of network connections or portable storage
- Upon activation the worm may replicate and propagate again
- Usually carries some form of payload
Worm Propagation
1. Scan for targets on the network
2. Locate a target with a vulnerability that could be exploited by the worm
3. Exploit the identified vulnerability and establish itself on that host
4. Repeat the process by scanning for new targets that can be exploited
Worm Types
Worm Target Discovery
Scanning (or fingerprinting) is the first function in the propagation phase for a network worm (i.e. the search for other systems to infect). Scanning strategies that a worm can use include:
- Random: each compromised host probes random addresses in the IP address space. This produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched
- Hit-list: the attacker first compiles a long list of potentially vulnerable machines. Once the list is compiled the attacker begins infecting machines on the list; each infected machine is provided with a portion of the list to scan
- Topological: this method uses information contained on an infected victim machine to find more hosts to scan
- Local subnet: if a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
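The scanning strategies above leave different footprints in firewall or flow logs, which is where a defender spots them. As an added example (not from the slides), this Python snippet classifies each source host's outbound connection attempts as a local-subnet sweep or random probing; the log lines, addresses and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed connection-attempt records (not from the slides): "src dst dport outcome"
LOG_LINES = [
    # 10.0.5.4 sweeps its own /24 on port 445: the local-subnet strategy
    "10.0.5.4 10.0.5.1 445 rejected",
    "10.0.5.4 10.0.5.2 445 rejected",
    "10.0.5.4 10.0.5.3 445 accepted",
    "10.0.5.4 10.0.5.5 445 rejected",
    "10.0.5.4 10.0.5.6 445 rejected",
    "10.0.5.4 10.0.5.7 445 rejected",
    # 10.0.9.9 probes addresses spread over unrelated /8 blocks: the random strategy
    "10.0.9.9 23.17.200.4 445 rejected",
    "10.0.9.9 91.55.3.18 445 rejected",
    "10.0.9.9 172.99.41.6 445 rejected",
    "10.0.9.9 203.8.77.120 445 rejected",
    "10.0.9.9 45.130.2.9 445 rejected",
    "10.0.9.9 198.51.100.7 445 rejected",
    # 10.0.5.2 talks to the same two servers repeatedly: benign client behaviour
    "10.0.5.2 10.0.1.10 443 accepted",
    "10.0.5.2 10.0.1.10 443 accepted",
    "10.0.5.2 10.0.1.11 25 accepted",
]

def classify_scanners(lines, min_targets=5, max_success_ratio=0.25):
    """Return {src: label} for hosts whose fan-out looks like worm target discovery."""
    targets, attempts, accepted = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        src, dst, _dport, outcome = line.split()
        targets[src].add(ipaddress.ip_address(dst))
        attempts[src] += 1
        accepted[src] += outcome == "accepted"
    verdict = {}
    for src, dsts in targets.items():
        # Few distinct targets, or mostly successful connections: normal client behaviour
        if len(dsts) < min_targets or accepted[src] / attempts[src] > max_success_ratio:
            continue
        home = ipaddress.ip_network(f"{src}/24", strict=False)
        if all(d in home for d in dsts):
            verdict[src] = "local-subnet scan"   # every target shares the scanner's /24
        elif len({d.packed[0] for d in dsts}) >= min_targets:
            verdict[src] = "random scan"         # targets land in many different /8 blocks
        else:
            verdict[src] = "scan"
    return verdict
```

A hit-list worm looks like the random case from the victim's side; the difference is only visible in the attacker's success rate, which is why the success ratio is tracked as well.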
Worm Technology
Trojan horses and Rootkits
Trojan Horses
- A Trojan horse is a program that appears to be useful, but also performs a harmful task on the computer, smartphone, IoT device etc.
- Can be a resultant payload or its own program
- Common Trojan horse (social engineering): a functional program with an alternative malicious behaviour, e.g. every time the 7 key is pressed a file is deleted at random
- Files/partitions could be encrypted, requiring payment before they are again accessible, i.e. ransomware
Trojan Horse Types
- Remote Access Trojan horse (RAT): allows the device to be controlled/monitored
- A backdoor into a system that allows an attacker to execute or monitor actions on the victim’s computer
- Allows the infected host to be accessed even when behind a firewall/router/NAT (discussed in a later module)
Rootkits
- A stealthy application designed to hide the fact that an operating system has been compromised
- Typically encompasses three components: concealment, command and control, surveillance
Rootkit Classification Characteristics
Logic Bombs, Ransomware and Botnets
Logic Bombs
- A logic bomb (usually) performs a malicious action as a result of a certain logic condition
- Example: a programmer puts code into software for the payroll system that makes the program crash should it ever process two consecutive payrolls without paying him
- Example: some trial programs work for a certain period of time and then disable themselves
Ransomware
- Software that ‘kidnaps’ a user’s device by encrypting a drive or files, then demanding payment (usually in Bitcoin) to decrypt it
- If not paid within a certain amount of time (usually 72 hours) the key will be destroyed
- Recent ransomware versions allow users to decrypt a few files for free to prove they can be recovered
Botnets
- Botnet: robot network
- A collection of machines under the control of a malicious actor, sometimes known as a botherder (someone who controls multiple machines)
- Generally botnets are established through a range of malware propagation techniques, from worms through to viruses and Trojans
Uses for Botnets
Typically botnets are used to perform some massive simultaneous task. These can range from distributed denial of service (DDoS) attacks through to sending out massive email spam or malspam campaigns:
- DDoS
- Malspam
- Cryptocurrency mining
- Password cracking
Phases of a Botnet
- Establishment/Recruitment: an attacker establishes a network of compromised machines. These machines may appear to the end-users to be working as normal; however, they are also acting on commands sent by those in control of the botnet.
- Command and Control (C2): botnets don’t on their own do anything except wait for instructions. The instructions are relayed to the botnet through command and control servers. These servers can instruct the botnet to download a new payload and start execution of a process.
- Attack: once equipped with an attack payload, the botnet can be commanded to simultaneously launch an attack. In the case of DDoS attacks, botnets provide distribution, which makes the attack difficult to stop as malicious data is being sent from many different IP addresses. For other campaigns the instructions will depend on the motives of the attacker.
Botnet for Hire
Spyware, Adware and Scareware
- Spyware: a type of malware that gathers information from a user’s computer without their knowledge or consent
- Adware: a type of malware often linked to spyware, which forces advertising upon the victim
- Scareware: a type of malware leveraging social engineering techniques to entice a victim to perform a specific task
Malware Countermeasures
Malware Countermeasures - Signatures
- Each malware specimen has a unique set of instructions
- These instructions form the signature or ‘fingerprint’
- Anti-virus software uses a signature database to detect known malware
- A file is considered infected if it contains the known signature or unique instructions
Malware Countermeasures - Signatures
- Sometimes false positives occur... a ‘safe’ file has instructions similar to a known virus file
- The vendor’s signature database is proprietary
- Demand for vendors detecting and releasing an updated database of signatures is high
- Until your anti-virus software database is updated you remain vulnerable
Malware Detection: Indicators of Compromise
When malware installs on a device, it will leave some sort of trace. These changes or behaviours are known as Indicators of Compromise (IoCs). Malware may alter how the device behaves:
- Modify files on the device
- Make changes to the operating system
- Alter configurations
- Launch services
- Open ‘network ports’
Malware Prevention and Scanning
- All software is developed with various features. The goal of malware detection is to find these features
- In simple malware files it may be as easy as looking for certain keywords or matching hashes with known malware files
- But in cases where a virus may evade detection using encryption or polymorphism, look for suspicious code: detect the presence of the evasion code, or evidence of unexpected encryption
- When reverse engineers have identified how a piece of malware operates, they can craft detection rules or signatures
Simple Malware Detection
In simple malware files it may be as easy as looking for:
- Hash signatures of the executable files
- Keywords in the executable file (e.g. the name of the malware, or text in a message the malware displays such as ransomware messages)
More Complex Threat Detection
- But in cases where a virus may evade detection using encryption or polymorphism, the goal is to detect the presence of the evasion code, or code or behaviours that are suspicious
- Often called heuristic detection
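One concrete heuristic for the "evidence of unexpected encryption" case is byte entropy: an encrypted or packed body looks like random data, while ordinary code and strings do not. The following is an added example, not code from the slides; the clean and packed samples are constructed (the packed body is seeded random bytes standing in for an encrypted payload), and the 256-byte window and 7.0 bits/byte threshold are assumptions a practitioner would tune.

```python
import math
import random

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, up to 8.0 for uniformly random bytes."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_windows(data, window=256, threshold=7.0):
    """(offset, entropy) for each window that looks encrypted or compressed."""
    flagged = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            flagged.append((off, round(h, 2)))
    return flagged

def looks_packed(data, window=256, threshold=7.0, min_fraction=0.5):
    """Heuristic verdict: most of the file is high-entropy, so its real code is hidden."""
    n_windows = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / n_windows >= min_fraction

# Constructed clean sample: a DOS stub message plus repetitive text-like code
CLEAN_SAMPLE = (b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
                + b"push ebp; mov ebp, esp; call printf; ret\n" * 48)
# Constructed "packed" sample: a short plain-text decryptor stub followed by a body that is
# indistinguishable from random bytes (seeded so the example is repeatable)
_STUB = b"MZ\x90\x00decrypt_stub: xor loop over body then jmp body\n"
PACKED_SAMPLE = _STUB + random.Random(2024).randbytes(2048 - len(_STUB))
```

Legitimately compressed or encrypted content (installers, media, TLS libraries with embedded certificates) scores high too, which is why this is a heuristic to combine with other evidence rather than a verdict on its own.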
Detection techniques
Antivirus software vendors use a combination of techniques:
- Hash-based detection for known strains
- Hash detection of certain parts (headers)
- Content and behaviour detection
- Heuristic analysis
- Source code analysis
- Reverse engineering
- Sandbox execution and behaviour analysis
Malware Signature Databases
- When reverse engineers have identified how a piece of malware operates, they can craft detection rules or signatures
- Virus detection ‘rules’ are distributed by antivirus vendors as virus definition updates
- AV manufacturers generally store definitions in a proprietary format, and the manufacturers’ detection signatures are closely guarded trade secrets
- Malware detection relies on up-to-date virus definitions
- Open-source malware tools such as ClamAV can provide a glimpse into how signatures are used by virus detection software
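As an added example serving both the signature slides above and the ClamAV point here (this is not the slides' or ClamAV's own code), the snippet below reads ClamAV's plain-text .hdb (MD5:size:name) and .ndb (name:target:offset:hexsig, with '??' wildcard bytes) record formats and scans constructed byte strings with them. It shows a hash signature missing a re-built variant while a body signature still catches it, and a benign file tripping the same body signature: the false-positive case from the earlier slide. Sample bytes and signature names are constructed, not real malware.

```python
import hashlib

def parse_hdb(line):
    """ClamAV .hdb record: MD5:FileSize:MalwareName"""
    md5, size, name = line.strip().split(":")
    return {"md5": md5.lower(), "size": int(size), "name": name}

def parse_ndb(line):
    """ClamAV .ndb record: MalwareName:TargetType:Offset:HexSignature ('??' matches any byte)"""
    name, _target, offset, hexsig = line.strip().split(":")[:4]
    pattern = [None if hexsig[i:i + 2] == "??" else int(hexsig[i:i + 2], 16)
               for i in range(0, len(hexsig), 2)]
    return {"name": name, "offset": None if offset == "*" else int(offset), "pattern": pattern}

def match_pattern(data, pattern, offset):
    """True if the byte pattern occurs at `offset`, or anywhere when offset is None ('*')."""
    starts = range(len(data) - len(pattern) + 1) if offset is None else [offset]
    return any(s + len(pattern) <= len(data)
               and all(p is None or data[s + i] == p for i, p in enumerate(pattern))
               for s in starts)

def scan(data, hdb_lines, ndb_lines):
    """Names of every signature that fires on `data`: hash signatures first, then body signatures."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for sig in map(parse_hdb, hdb_lines):
        if sig["md5"] == digest and sig["size"] == len(data):
            hits.append(sig["name"])
    for sig in map(parse_ndb, ndb_lines):
        if match_pattern(data, sig["pattern"], sig["offset"]):
            hits.append(sig["name"])
    return hits

# Constructed samples (not real malware): a known file, a re-built variant, and a benign document
KNOWN = b"MZ\x90\x00 constructed sample; note reads: PAY 0.5 BTC now"
VARIANT = b"MZ\x90\x00 constructed sample; note reads: PAY 2.1 BTC now"
BENIGN = b"Quarterly invoice. Please PAY 100 BTC by Friday."
HDB = [f"{hashlib.md5(KNOWN).hexdigest()}:{len(KNOWN)}:Win.Trojan.Demo-1"]  # exact-file hash
NDB = ["Win.Trojan.Demo-2:0:*:50415920??????20425443"]                      # "PAY ??? BTC"

if __name__ == "__main__":
    print(scan(KNOWN, HDB, NDB))    # both signatures fire
    print(scan(VARIANT, HDB, NDB))  # hash misses the variant, body signature still fires
    print(scan(BENIGN, HDB, NDB))   # false positive: a 'safe' file resembling the signature
```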
Scanning Suspicious Files and URLs
Advanced Persistent Threats (APT)
- Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
- Typically attributed to state-sponsored organizations and criminal enterprises
- Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
- E.g. Stuxnet
APT Characteristics
APT Attacks
- Aims: vary from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure
- Techniques used: social engineering; spear-phishing email; drive-by downloads from selected compromised websites likely to be visited by personnel in the target organisation
- Intent: to infect the target with sophisticated malware with multiple propagation mechanisms and payloads
- Post infection, a further range of attack tools are used to maintain and extend their access