Malware

Virus

  • Malicious code that runs on a machine without the user’s knowledge.
  • Infects the computer whenever it is run.
  • Viruses require user action in order to reproduce and spread.

The Security+ exam separates viruses into several different types:

Boot Sector

  • Stores itself in the first sector of a hard drive and is loaded into memory whenever the computer boots.
  • Very difficult to detect because it is loaded before the operating system boots.

Macro

  • Code embedded inside another document; when the user opens that document, the virus executes.
  • The most common examples are macros found inside Word documents, Excel spreadsheets, or PowerPoint presentations. By default, macros aren’t malicious.

Program

  • Program viruses seek out executable or application files to infect.
  • For example, if a virus managed to install itself into your Microsoft Word program, every time you opened Word you’d load that virus again. That’s why a program virus targets programs.

Multipartite

A multipartite virus combines a boot sector virus with a program virus. It places itself in the boot sector so it is loaded every time the computer boots, and from there installs itself into a program so it runs each and every time that program starts. This gives it persistence: it keeps coming back over and over again.

Stealth / Fileless

These aren’t a specific type of virus so much as a category of techniques a virus uses to protect itself. Encrypted, polymorphic, and metamorphic viruses (covered earlier) are all examples of stealth viruses: they use various techniques to avoid detection by antivirus software.

Worms

A worm is much like a virus, but with one key difference.

  • With viruses, the user has to do something (install a program, open a file) for the virus to take action.
  • Worms are able to self-replicate and spread throughout your network without the user’s consent or action.
  • To do this, worms usually take advantage of vulnerabilities in the system’s OS or applications to spread.
  • Firewalls and IDS/IPS can mitigate many cases of worm infestation.
  • Ex: WannaCry, a worm that installed crypto-malware and replicated itself via EternalBlue, a vulnerability in SMBv1 on Windows systems.

Ransomware / Crypto-malware

  • A type of malware that restricts access to a victim’s computer or files until a ransom is paid.
  • It encrypts your files, changes your password, or does something else to hold your system hostage until you pay up. Ransomware typically exploits vulnerabilities in your system to gain access to your machine, then encrypts your files.

You can either choose to:

  • Pay the ransom (not recommended)
  • Restore from the last working backup (you should always have scheduled backups)

Mitigation:

  • Always have a backup (an offline backup, ideally)
  • Keep your operating system up to date
  • Keep your applications up to date
  • Keep your anti-virus/anti-malware signatures up to date
  • Keep everything up to date!!!!

Trojan (Trojan horse)

  • Malicious software disguised as harmless or desirable software. A Trojan does perform the desired function for you, but it also performs a malicious one.

Remote Access Trojan - RAT

Also called a Remote Administration Tool (Prof. Messer).

  • A RAT is a type of Trojan that is in widespread use today. It provides the attacker with remote control of a victim’s machine.
  • The ultimate backdoor: the attacker has complete control over your machine, remotely.

Potentially Unwanted Program (PUP)

  • It may or may not be malicious, but it is very annoying.
  • Usually a browser toolbar, or additional software bundled into the installer of another program.

Mitigation:

  • Don’t run unknown software
  • Backup bla bla bla you know the drill

Rootkits

  • Originally a UNIX term (the “root” in rootkit).
  • A form of malware specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality.
  • Lives in parts of the kernel, drivers, etc.
  • Can be invisible to the operating system
  • Also invisible to traditional anti-virus utilities

Mitigation:

  • Use Secure Boot with UEFI
  • If infected, use dedicated tools to remove it (e.g. rkhunter on *NIX)

Spyware

  • Malicious software installed on your system that gathers information about you without your consent. It spies on you.
  • Normally installed from a website or bundled with some third-party software you’ve installed on your system.

Adware

  • A specific type of spyware that displays advertisements to you, based on what it learned while spying on you.
  • The motive is money:
    • Your eyeballs can be exploited into viewing ads without your consent
    • Your computational power and network bandwidth can be exploited to make profit for them
    • Your bank information, habits, data, metadata, … are incredibly valuable for them to store, exploit and sell to third parties

Mitigation:

  • Be very careful about what you install; these things are really annoying to remove completely

Botnet/Zombies

  • Once your machine is infected, it becomes a bot. You may not even know you’re infected.
  • How does it get on your computer?
    • Trojan horse (“I just saw a funny video of you! Click here.”) or…
    • You run a program or click an ad you THOUGHT was legit, but…
    • OS or application vulnerability
  • A bot has a master:
    • C2/C&C (Command and Control)
    • The bot sits idle and waits for instructions.
  • A botnet is simply a collection of compromised computers under the control of a master node.
  • Nothing good can come from this:
    • Distributed Denial of Service (DDoS): the power of many
    • Relaying spam, proxying network traffic, distributed computing tasks, …
  • Botnets are for sale:
    • Crime as a Service (heh)
    • Rent time from the botnet owner
    • Not a long-term business proposition

Mitigation:

  • Prevent the initial infection:
    • OS and application patches
    • Anti-virus/anti-malware with updated signatures
  • Identify an existing infection:
    • On-demand scans, network monitoring
  • Prevent C&C:
    • Identify and block using IPS
    • Block at the firewall
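The “network monitoring” and “identify C&C” bullets above in practice: a bot that sits idle waiting for instructions usually polls its C2 server on a fixed timer, and that regularity is detectable. This is an added example (not part of the original notes); the log format, addresses and thresholds are constructed for illustration.

```python
# Added example (not from the original notes): spot C2 beaconing in
# outbound connection logs. A bot that sits idle waiting for instructions
# usually polls its C2 server on a fixed timer, so a host talking to the
# same external address at very regular intervals deserves a closer look.
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9 443
2024-05-01T10:00:07 10.0.0.5 198.51.100.20 443
2024-05-01T10:05:00 10.0.0.5 203.0.113.9 443
2024-05-01T10:06:41 10.0.0.5 198.51.100.21 80
2024-05-01T10:10:00 10.0.0.5 203.0.113.9 443
2024-05-01T10:15:00 10.0.0.5 203.0.113.9 443
2024-05-01T10:20:00 10.0.0.5 203.0.113.9 443
2024-05-01T10:03:12 10.0.0.7 198.51.100.20 443
2024-05-01T10:29:55 10.0.0.7 198.51.100.20 443
"""

def parse(log_text):
    """Group connection timestamps by (src, dst, port), sorted in time."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows

def find_beacons(log_text, min_connections=4, max_jitter=0.1):
    """Flag flows whose gaps between connections are nearly constant.
    jitter = stdev(gaps) / mean(gaps): a timer-driven beacon scores near 0,
    ordinary browsing scores high. Thresholds are illustrative, not tuned.
    """
    suspects = []
    for (src, dst, port), times in parse(log_text).items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            suspects.append((src, dst, port, round(mean), round(jitter, 3)))
    return suspects

if __name__ == "__main__":
    for src, dst, port, interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible C2 beacon: {src} -> {dst}:{port} every ~{interval}s")
```

On the sample, only the every-five-minutes flow from 10.0.0.5 to 203.0.113.9 is flagged; the flagged pair is what you would feed to the IPS or firewall block rule.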

Logic bomb

  • A logic bomb is a piece of code that sits dormant for a period of time until some event or date triggers its malicious intention.
  • It can be difficult to identify because a logic bomb only executes when a certain condition is met, and we often don’t know the actor’s intention.
  • There is no consistent signature for IDS/IPS to identify.

Mitigation:

  • Host-based intrusion detection, file integrity monitoring (e.g. Tripwire), …
  • Scheduled auditing
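What a Tripwire-style check and scheduled auditing actually do against a logic bomb, as an added example (not from the original notes and not Tripwire’s own code): record a baseline of file hashes, then compare later and report what changed. The directory layout and file contents are constructed for the demo.

```python
# Added example (not from the original notes): a minimal Tripwire-style
# file integrity check. A logic bomb has no signature to match, but the
# file it hides in still changes on disk, so a scheduled comparison against
# a trusted baseline of hashes surfaces the modification.
import hashlib
import os
import tempfile
def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Walk root and record {relative_path: sha256} for every file."""
    snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot

def compare(old, new):
    """Files added, removed, or modified since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a temp dir, tamper with a script, add a file; return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scripts"))
        script = os.path.join(root, "scripts", "nightly_backup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        before = baseline(root)
        # Simulate the tampering a scheduled audit should catch
        with open(script, "a") as f:
            f.write("# (constructed) line appended after the baseline\n")
        with open(os.path.join(root, "scripts", "new.sh"), "w") as f:
            f.write("echo hi\n")
        return compare(before, baseline(root))
if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the attacker cannot rewrite (read-only media or a separate host), otherwise the comparison proves nothing.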

Password Attacks

Plaintext/Unencrypted Passwords

  • As the name suggests, passwords are stored in clear, plain text.
  • One word: DON’T.
  • Ditch any software or website that does this.

Spraying Attack

  • A brute-force type of attack in which many user accounts are tested against a dictionary of common passwords.
  • If the common passwords don’t work, move on to the next account.
  • Stealthy, but not really effective.

Brute force

  • Try every combination until one works.
  • E.g.: your password is DOG and I know it is three characters long, so I start guessing AAA, AAB, AAC, …
  • Eventually I get to DOG, which is the correct password.
  • Guaranteed success, but not effective/feasible if the password is complex, e.g. more than 8 characters; contains numbers, special characters, mixed case; Unicode; etc.
  • Takes a really, really, REALLY long time if the above is true.
  • Online brute force gets locked out fairly quickly, or triggers some kind of alarm once too many failed attempts have been made.
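The lockout and alarm mentioned for online brute force are exactly what password spraying (described above) is designed to stay under, so a defender has to look at both sections together. This added example (not from the original notes) runs that distinction over constructed authentication log lines; the log format, addresses and thresholds are assumptions for illustration.

```python
# Added example (not from the original notes): telling a password-spraying
# attack from an online brute force in authentication logs. A lockout policy
# catches brute force (many failures on one account); spraying stays under
# that threshold by trying each account only once or twice, so the detection
# has to count failures per source address, not per account.
import re
from collections import defaultdict
# Constructed sample lines in a simple "timestamp result user src" format
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:02 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:05 FAIL user=alice src=203.0.113.5
2024-05-01T09:10:00 FAIL user=alice src=198.51.100.7
2024-05-01T09:10:05 FAIL user=bob src=198.51.100.7
2024-05-01T09:10:10 FAIL user=carol src=198.51.100.7
2024-05-01T09:10:15 FAIL user=dave src=198.51.100.7
2024-05-01T09:10:20 FAIL user=erin src=198.51.100.7
2024-05-01T09:10:25 OK user=frank src=198.51.100.7
2024-05-01T09:30:00 FAIL user=bob src=192.0.2.44
2024-05-01T09:31:00 OK user=bob src=192.0.2.44
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def classify_sources(log_text, lockout=5, spray_accounts=4):
    """Return {src: 'brute-force' | 'spraying' | 'normal'}.
    lockout: failures on one account at which a lockout policy would fire.
    spray_accounts: distinct accounts one source failed against, each below lockout.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= lockout:
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_accounts:
            verdicts[src] = "spraying"      # low and slow: never trips the lockout
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {verdict}")
```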

Dictionary Attack

  • Instead of guessing every combination, narrow them down with a dictionary.
  • Automatically guess the password by trying each and every word in that dictionary file.
  • Attackers usually have their own dictionaries, consisting of:
    • Commonly used passwords, plus variations on real dictionary words using numbers, letters, and special characters.
    • Known breaches: these contribute a lot of passwords to add.
    • Rule sets to generate different variations: different people have different password habits.

Rainbow tables

  • Pre-calculated hashes of passwords. Similar to a dictionary attack but narrowed down to a specific kind of hash, since each algorithm (e.g. MD5, SHA1, SHA2) produces a different output.
  • Benefits:
    • Saves a lot of computing energy and storage space
    • Saves time
  • Downside:
    • The narrowness: each hashing algorithm needs its own table, so it might not save storage space anymore.
    • Potentially useless if a technique like salting was applied when the password was hashed.
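Why salting makes a precomputed table useless, shown end to end. This is an added example (not from the original notes); a plain digest-to-password dictionary stands in for a real rainbow table, the password list is constructed, and SHA-256 is used only to keep the demo short.

```python
# Added example (not from the original notes): why a per-user salt defeats
# precomputed lookups. A plain digest->password dictionary stands in for a
# rainbow table here. Unsalted SHA-256 of "letmein" is always the same, so a
# stolen digest matches the table; with a random salt the stored digest is
# one the table was never built for. SHA-256 keeps the demo short; real
# password storage uses a slow KDF such as PBKDF2, bcrypt or scrypt.
import hashlib
import hmac
import os

# Constructed list of "common passwords" used to build the lookup table
COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_table(words):
    """Precompute digest -> password for unsalted SHA-256 (the attacker's side)."""
    return {sha256_hex(w.encode()): w for w in words}

def lookup(table, stored_digest):
    """Reverse a digest by table lookup; None means the table does not help."""
    return table.get(stored_digest)

def hash_password(password, salt=None):
    """Defender's side: store (salt, digest) with a fresh 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    return salt, sha256_hex(salt + password.encode())

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(sha256_hex(salt + password.encode()), digest)

def demo(password="letmein"):
    table = build_table(COMMON)
    unsalted = sha256_hex(password.encode())
    salt, salted = hash_password(password)
    return {
        "unsalted_recovered": lookup(table, unsalted),   # 'letmein'
        "salted_recovered": lookup(table, salted),       # None
        "verify_ok": verify_password(password, salt, salted),
        "verify_wrong": verify_password("dragon", salt, salted),
    }

if __name__ == "__main__":
    print(demo())
```

Because every user gets a different salt, an attacker would need a separate table per salt, which is the "might not save storage space anymore" problem taken to the extreme.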

Physical Attacks

Malicious Devices

USB Cables

  • Looks like a normal USB cable, but has additional functions that are often malicious.
  • The OS identifies it as a HID (Human Interface Device). Once connected, it can download and install a malicious payload onto the system.

Flash drives