Malicious Software
Outline
1. The IC3 has been made aware of various malware attacking Android
operating systems for mobile devices.
2. Some of the latest known versions of this type of malware are Loozfon
and FinFisher.
4. FinFisher spyware can take over and remotely control the device and
monitor the user's whereabouts. This exploit is propagated over the
Internet or through text messages.
Malware
Infection mechanism
Trigger
Payload
Obfuscation techniques
Self-encryption/decryption
Polymorphism
Metamorphism
Armoring
Tunneling
Stealth
1. Self-encryption and decryption:
The objective is to hide the virus code from direct examination.
Such viruses may use several layers of encryption, or choose the
cryptographic key randomly at each encryption, making each instance
of the virus appear different from the others. The first virus of
this type is Cascade.1701.
2. Polymorphism:
This is an improved form of self-encryption in which the decryption
code itself is made more robust. An example is the 1260 virus.
3. Metamorphism:
Instead of hiding its content via encryption, a metamorphic virus
changes its body content. Metamorphic viruses create a new
generation of viruses that look different from their creators.
Code alteration may include adding unneeded instructions, or
modifying the sequencing of the different parts of the code.
4. Stealth:
Tries to conceal the occurrence of an infection by manipulating the
data returned to a function call. For example, it will manipulate
the system call requesting the listing of files on a machine by
altering the reported size of the infected file: the displayed file
size corresponds to the size of the original file, not the infected
one. Examples include Brain, Read Stealth, and Number_of_the_Beast.
5. Armoring:
Aims at preventing human experts and automated tools from analysing
its code. The basic methods used by armoured viruses make tasks
such as disassembly and debugging more difficult.
6. Tunnelling:
Installs itself in the lower layers of the operating system so as to
take control of the interrupt handler, modifying it so that control
is first passed to the virus in the event of a system call or
interrupt. The virus can thus defeat attempts to monitor its
activity. One of the first tunnelling viruses is the Eddie virus
(Dark_Avenger.1800.A).
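To make the detection trade-off behind self-encryption and polymorphism concrete, the following added example (not from the slides) models a self-encrypting instance as a toy: a decryptor stub, one key byte, and the body XORed with that key. STUB, STUB_VARIANTS, BODY and the keys are constructed byte strings with no relation to any real virus. It shows that a signature taken from the body stops matching once the key changes per instance, that a signature on the constant decryptor still matches, and that once the decryptor itself varies (the polymorphic case) the scanner has to decrypt the object itself, here by trying all 256 single-byte keys, a technique usually called x-raying.

```python
"""Why a byte signature on the encrypted body fails, and what a scanner can
match instead. Constructed demonstration: STUB, STUB_VARIANTS and BODY are
arbitrary readable byte strings standing in for a decryptor and the code it
protects; nothing here is real malware and the XOR scheme is a toy."""

BODY = b"constructed body standing in for the code the virus wants to hide"
STUB = b"DECRYPT-STUB-CONSTANT-v0"   # constant decryptor: identical in every instance
# Constructed stand-ins for a decryptor that is rewritten per instance (polymorphism).
STUB_VARIANTS = [b"stub-mutation-alpha", b"stub-mutation-beta", b"stub-mutation-gamma"]


def make_instance(key: int, stub: bytes = STUB) -> bytes:
    """One self-encrypting instance: <decryptor stub><one key byte><BODY XOR key>."""
    return stub + bytes([key]) + bytes(b ^ key for b in BODY)


# Signatures a scanner might carry: one taken from the plaintext body,
# one taken from the constant decryptor.
BODY_SIG = BODY[8:24]
STUB_SIG = STUB[:12]


def signature_hits(instances, signature: bytes) -> int:
    """Count the instances in which `signature` occurs verbatim."""
    return sum(1 for x in instances if signature in x)


def xray_hits(instances, signature: bytes = BODY_SIG) -> int:
    """X-raying: try every single-byte XOR key on the whole object and look for
    the body signature in the result. Recovers the body even when the decryptor
    stub differs between instances, at the cost of 256 passes per object."""
    hits = 0
    for x in instances:
        if any(signature in bytes(b ^ k for b in x) for k in range(256)):
            hits += 1
    return hits


def demo() -> dict:
    keys = [0x5A, 0x3C, 0xA7, 0x11]   # constructed "random" keys, one per instance
    self_encrypting = [make_instance(k) for k in keys]
    polymorphic = [make_instance(k, STUB_VARIANTS[i % len(STUB_VARIANTS)])
                   for i, k in enumerate(keys)]
    return {
        "body_sig on self-encrypting": signature_hits(self_encrypting, BODY_SIG),  # 0 of 4
        "stub_sig on self-encrypting": signature_hits(self_encrypting, STUB_SIG),  # 4 of 4
        "stub_sig on polymorphic": signature_hits(polymorphic, STUB_SIG),          # 0 of 4
        "xray on polymorphic": xray_hits(polymorphic),                              # 4 of 4
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits} of 4 instances detected")
```

The x-ray pass is what makes the generic approach expensive: every object costs 256 decryption attempts instead of one string search, which is why the filtering discussed later in these slides matters.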
Polymorphic viruses
Worms
A worm spreads through shared media (USB drives, CD and DVD data disks).
The first known implementation of a worm was done in Xerox Palo Alto
Labs in the early 1980s.
Worm Replication
• electronic mail or instant messenger facility: the worm e-mails a copy
of itself to other systems, or sends itself as an attachment via an
instant message service
• remote file access or transfer capability: the worm uses a remote file
access or transfer service to copy itself from one system to the other
Worm technology
multiplatform
multi-exploit
ultrafast spreading
polymorphic
metamorphic
1. Multiplatform:
Newer worms are not limited to Windows machines but can attack a
variety of platforms, especially UNIX, and exploit macro or scripting
languages supported in popular document types.
2. Multi-exploit:
Penetrate systems in a variety of ways, using exploits against Web
servers, browsers, e-mail, file sharing, and other network-based
applications, or via shared media.
3. Ultrafast spreading:
Exploit various techniques to optimize the rate of spread of a worm,
to maximize its likelihood of locating as many vulnerable machines as
possible in a short time period.
4. Polymorphic:
To evade detection, skip past filters, and foil real-time analysis,
each copy of the worm has new code generated on the fly using
functionally equivalent instructions and encryption techniques.
5. Metamorphic:
In addition to changing their appearance, metamorphic worms have a
repertoire of behavior patterns that are unleashed at different stages
of propagation.
6. Transport vehicles:
Because worms can rapidly compromise a large number of systems, they
are ideal for spreading a wide variety of malicious payloads, such as
distributed denial-of-service bots, rootkits, spam e-mail generators,
and spyware.
7. Zero-day exploit:
To achieve maximum surprise and distribution, a worm should exploit an
unknown vulnerability that is only discovered by the general network
community when the worm is launched.
Mobile Code
Spam e-mail
• unsolicited bulk e-mail
• significant carrier of malware
• used for phishing attacks
Trojan horse
• program or utility containing harmful hidden code
• used to accomplish functions that the attacker could not accomplish
directly
Mobile phone trojans
• first appeared in 2004 (Skuller)
• target is the smartphone
Payload
System Corruption
data destruction
Chernobyl virus
first seen in 1998
Windows 95 and 98 virus
infects executable files and corrupts the entire file system when a
trigger date is reached
Klez
mass mailing worm infecting Windows 95 to XP systems
on trigger date causes files on the hard drive to become empty
ransomware
encrypts the user’s data and demands payment in order to access
the key needed to recover the information
PC Cyborg Trojan (1989)
Gpcode Trojan (2006)
real-world damage
causes damage to physical equipment
Chernobyl virus rewrites BIOS code
Stuxnet worm
targets specific industrial control system software
there are concerns about using sophisticated targeted malware
for industrial sabotage
logic bomb
code embedded in the malware that is set to “explode” when
certain conditions are met
Payload – Attack Agents
Bots
takes over another Internet attached computer and uses that
computer to launch or manage attacks
botnet - collection of bots capable of acting in a coordinated
manner
uses:
distributed denial-of-service (DDoS) attacks
spamming
sniffing traffic
keylogging
spreading new malware
installing advertisement add-ons and browser helper objects
(BHOs)
attacking IRC chat networks (clone attack: a DDoS of an IRC
network)
manipulating online polls/games
Remote Control Facility
keylogger
• captures keystrokes to allow attacker to monitor sensitive
information
• typically uses some form of filtering mechanism that only returns
information close to keywords (“login”, “password”)
spyware
• subverts the compromised machine to allow monitoring of a wide
range of activity on the system
• monitoring history and content of browsing activity
• redirecting certain Web page requests to fake sites
• dynamically modifying data exchanged between the browser and
certain Web sites of interest
Payload – Information Theft
Phishing
• exploits social engineering to leverage the user's trust by
masquerading as communication from a trusted source
• includes a URL in a spam e-mail that links to a fake Web site that
mimics the login page of a banking, gaming, or similar site
• suggests that urgent action is required by the user to authenticate
their account
• attacker exploits the account using the captured credentials
Spear-phishing
• recipients are carefully researched by the attacker
• e-mail is crafted to specifically suit its recipient, often quoting a
range of information to convince them of its authenticity
Payload – Stealthing
Backdoor
Rootkit: persistent, memory based, user mode, kernel mode, virtual
machine based, external mode
Rootkit classifications
1. Persistent:
Activates each time the system boots. The rootkit must:
I. store code in a persistent store, such as the registry or file
system, and
II. configure a method by which the code executes without user
intervention.
This makes it easier to detect, as the copy in persistent storage can
be scanned.
2. Memory based:
Has no persistent code and therefore cannot survive a reboot.
However, because it is only in memory, it can be harder to detect.
3. User mode:
Intercepts calls to APIs and modifies returned
results.
For example, when an application performs a
directory listing, the return results don’t include
entries identifying the files associated with the
rootkit.
4. Kernel mode:
Can intercept calls to native APIs in kernel mode.
Can also hide the presence of a malware process by
removing it from the kernel’s list of active processes.
5. Virtual machine based:
This type of rootkit installs a lightweight virtual machine monitor,
then runs the operating system in a virtual machine above it. It can
then transparently intercept and modify states and events occurring
in the virtualized system.
6. External mode:
The malware is located outside the normal operation mode of the
targeted system, in BIOS or system management mode, where it can
directly access hardware.
New generation rootkits
Modifying system calls:
• modify the system call table
• modify the system call table targets
• redirect the system call table
7. This VMBR (virtual machine based rootkit) can hide all its state and
activity from intrusion detection systems running in the infected OS
and applications.
• policy
• awareness
• vulnerability mitigation
• threat mitigation
1. A3 11 22 33 C9 44 55 66 0A 77 88
2. 11 34 22 33 C4 44 55 66 67 77 88
3. 11 22 33 44 D4 DD E5 55 66 77 88
Generic detection
The scanner can detect a Stoned variant if one string is detected, and
refuse disinfection because the object could hold a possibly unknown
variant that would not be disinfected correctly.
2. The idea: viruses typically infect only a subset of known object types.
4. Thus an extra flag field of the string (or detection routine) can be used
to indicate whether or not the signature in question is expected to
appear in the object being scanned.
5. This reduces the number of string matches the scanner must perform.
Algorithmic scanning relies strongly on good filters, because such
detections are more expensive in terms of CPU resources.
Generally, a filter is virus-specific and is based on:
a) the type of the executable,
b) the identifier marks of the virus in the header of the scanned object,
c) suspicious code section characteristics or code section names, and
so on.
BUT some viruses are too sophisticated for this type of filtering.
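The following added example (my code, not the slides') turns these points into a small scanner: each string carries the object-type flag from point 4, so strings for other object types are never tried; the three byte sequences listed above are the scanned objects; and a match on the generic string detects the family but refuses disinfection, as described for the Stoned variants. The signature syntax ("??" for any one byte, "%N" for up to N skipped bytes) is a simplified one written for this example, and the signature strings, names and object types are constructed, not taken from any real scanner database.

```python
"""Wildcard signatures plus an object-type filter flag, run over the three byte
sequences listed on the slides. Constructed example: the mini-syntax ("??" = any
one byte, "%N" = skip 0..N bytes), the signature strings, names and object
types are all made up for the demonstration."""
import re
from dataclasses import dataclass

# The three byte sequences from the slides, used as sample scanned objects.
SAMPLES = {
    "seq1": bytes.fromhex("A3 11 22 33 C9 44 55 66 0A 77 88"),
    "seq2": bytes.fromhex("11 34 22 33 C4 44 55 66 67 77 88"),
    "seq3": bytes.fromhex("11 22 33 44 D4 DD E5 55 66 77 88"),
}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str        # hex tokens, "??" or "%N"
    object_type: str    # flag field: the only object type this string is expected in
    exact: bool         # True = identifies a known variant, so disinfection is allowed


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate the mini-syntax into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("%"):
            parts.append(b".{0,%d}" % int(tok[1:]))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


SIGNATURES = [
    # generic string covering the family; the bytes that vary are wildcarded
    Signature("Family.generic", "11 %1 22 33 %3 44 %3 55 66 %1 77 88", "COM", exact=False),
    # exact string for one known variant
    Signature("Family.variant1", "A3 11 22 33 C9 44 55 66 0A 77 88", "COM", exact=True),
    # a string that belongs to boot sectors only: never tried against COM objects
    Signature("Boot.sample", "EB 3C 90 ?? ?? ?? ?? 55 AA", "BOOT", exact=True),
]
COMPILED = {s.name: compile_pattern(s.pattern) for s in SIGNATURES}


def scan(data: bytes, object_type: str):
    """Return (verdict, strings_tried); verdict is None or (name, offset, disinfect).
    Strings whose flag does not match the object type are filtered out before
    any matching happens, which is what keeps the string count down."""
    candidates = [s for s in SIGNATURES if s.object_type == object_type]
    best = None
    for s in candidates:
        m = COMPILED[s.name].search(data)
        if m and (best is None or (s.exact and not best[2])):
            # Disinfection is refused when only a generic string matched: the
            # object may hold an unknown variant that a repair routine would mangle.
            best = (s.name, m.start(), s.exact)
    return best, len(candidates)


def scan_all(object_type: str = "COM") -> dict:
    return {name: scan(data, object_type) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, tried) in scan_all().items():
        print(f"{name}: {verdict} ({tried} strings tried)")
```

seq1 is matched by both strings and gets the exact verdict with disinfection allowed; seq2 and seq3 only fit the wildcarded string, so they are reported as detected but left for manual handling.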
Problem with algorithmic viruses
limitations
• because malicious code must run on the target machine
before all its behaviors can be identified, it can cause
harm before it has been detected and blocked
Perimeter Scanning Approaches
Anti-virus software
• typically included in e-mail and Web proxy services running on an
organization's firewall and IDS
• may also be included in the traffic analysis component of an IDS
• may include intrusion prevention measures, blocking the flow of any
suspicious traffic
• approach is limited to scanning malware
Ingress monitors
• located at the border between the enterprise network and the Internet
• one technique is to look for incoming traffic to unused local IP
addresses
Egress monitors
• located at the egress point of individual LANs as well as at the
border between the enterprise network and the Internet
• monitor outgoing traffic for signs of scanning or other suspicious
behavior
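As an added example (not part of the slides), the two monitor techniques named above are written out against constructed flow records: the ingress check flags inbound connections to local addresses that are not allocated to any host, and the egress check flags an internal host that reaches many distinct external addresses on one port. The network, the allocated-host list, the threshold and the record format are all assumptions made for this example.

```python
"""Ingress and egress monitoring over constructed flow records. Constructed
example: LOCAL_NET, ALLOCATED, SCAN_THRESHOLD and FLOW_LOG are made up for the
demonstration, and the record format is my own, not any product's."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
# Addresses actually assigned to hosts; every other address in LOCAL_NET is "unused".
ALLOCATED = {ipaddress.ip_address(f"192.168.1.{h}") for h in (10, 20, 30)}
SCAN_THRESHOLD = 5   # distinct external destinations from one internal source on one port

# Constructed flow records: "<time> <src>:<sport> -> <dst>:<dport>"
FLOW_LOG = """\
2024-05-01T09:00:01 203.0.113.5:51234 -> 192.168.1.10:443
2024-05-01T09:00:02 203.0.113.5:51235 -> 192.168.1.77:445
2024-05-01T09:00:03 203.0.113.5:51236 -> 192.168.1.78:445
2024-05-01T09:00:04 198.51.100.9:40000 -> 192.168.1.20:25
2024-05-01T09:00:05 192.168.1.30:50001 -> 198.51.100.1:445
2024-05-01T09:00:05 192.168.1.30:50002 -> 198.51.100.2:445
2024-05-01T09:00:06 192.168.1.30:50003 -> 198.51.100.3:445
2024-05-01T09:00:06 192.168.1.30:50004 -> 198.51.100.4:445
2024-05-01T09:00:07 192.168.1.30:50005 -> 198.51.100.5:445
2024-05-01T09:00:07 192.168.1.30:50006 -> 198.51.100.6:445
2024-05-01T09:00:08 192.168.1.20:50010 -> 198.51.100.50:443
2024-05-01T09:00:09 192.168.1.20:50011 -> 198.51.100.51:443
"""


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    ts, src, _arrow, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(s_ip), int(s_port),
                ipaddress.ip_address(d_ip), int(d_port))


def parse_log(text: str):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def ingress_alerts(flows):
    """Border monitor: inbound connections to local addresses nobody uses.
    Nothing legitimate should talk to them, so each hit is worth a look."""
    return [(f.ts, str(f.src), str(f.dst), f.dport) for f in flows
            if f.src not in LOCAL_NET and f.dst in LOCAL_NET and f.dst not in ALLOCATED]


def egress_alerts(flows, threshold: int = SCAN_THRESHOLD):
    """LAN-edge monitor: an internal host reaching many distinct external
    addresses on one port looks like scanning. Counted over the whole sample;
    a production monitor would slide a time window instead."""
    fanout = defaultdict(set)
    for f in flows:
        if f.src in LOCAL_NET and f.dst not in LOCAL_NET:
            fanout[(f.src, f.dport)].add(f.dst)
    return sorted((str(src), port, len(dsts))
                  for (src, port), dsts in fanout.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    flows = parse_log(FLOW_LOG)
    print("ingress:", ingress_alerts(flows))
    print("egress:", egress_alerts(flows))
```

On the sample, the ingress check reports the two probes to .77 and .78, and the egress check reports 192.168.1.30 fanning out to six external hosts on port 445 while the two outbound connections from 192.168.1.20 stay below the threshold.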