Malicious Code and Application Attacks - Coggle Diagram
Malicious Code and Application Attacks
Malicious Code Objects
Virus
Trojan Horses
Zeus: logs keystrokes and harvests online banking passwords
Worms
Logic bombs
Malware
Advanced persistent threat (APT)
Eg: Stuxnet: malware built by APTs is highly targeted
APT malware developers often have access to zero-day exploits that are not known to software vendors
Propagation
Master Boot Record (MBR) Infection
Viruses attack the MBR, the portion of bootable media (hard disk, USB, CD/DVD) that the computer uses to load the OS during bootup
Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code required to implement the virus’s propagation and destructive functions
The MBR is a single disk sector, normally the first sector of the media, that is read in the initial stages of the boot process
The MBR determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system
Viruses can attack both the MBR and the boot sector, with substantially similar results
MBR viruses act by redirecting the system to an infected boot sector, which loads the virus into memory before loading the operating system from the legitimate boot sector
MBR viruses are spread between systems through the use of infected media inadvertently shared between users
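As an added defender-side illustration (not part of the original notes), a Python parser that takes a constructed 512-byte MBR, extracts the partition table and the 0x55AA boot signature the notes describe, and flags boot code whose hash differs from a known-good baseline, which is how an MBR overwrite by a boot-sector virus shows up. All sample bytes and the baseline hash are constructed here, not taken from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512          # the MBR is a single 512-byte sector
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]          # CHS fields (bytes 1-3, 5-7) are skipped
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:                              # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Compare a freshly read MBR against a known-good baseline; empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")   # classic MBR-virus symptom
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable type-0x07 partition starting at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1 << 20)
    table = entry + b"\x00" * 48                    # remaining three slots left empty
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE
```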
File Infection
File infector viruses infect different types of executable files and trigger when the operating system attempts to execute them
On Windows-based systems, such files end with the .exe and .com extensions
Standard file infector viruses: those that do not use cloaking techniques such as stealth or encryption
Easily detected by comparing file characteristics (such as size and modification date) before and after infection or by comparing hash values
Companion virus: these viruses are self-contained executable files that escape detection by using a file name similar to, but slightly different from, a legitimate operating system file. They rely on the default file name extensions that Windows-based operating systems append to commands when executing program files (.com, .exe, and .bat, in that order)
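Added example (not code from the original notes): a Python integrity baseline that records size, modification time and SHA-256 before and after, the comparison the notes suggest for detecting standard file infectors, plus a check for companion-virus candidates that exploit the .com/.exe/.bat search order. The directory tree it scans is constructed in a temporary folder inside the script.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_ORDER = (".com", ".exe", ".bat")   # order Windows tries when a bare command name is run

def fingerprint(path: Path) -> dict:
    """Record the traits a file infector changes: size, modification time and content hash."""
    return {"size": path.stat().st_size, "mtime": int(path.stat().st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by its relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in root.rglob("*") if p.is_file()}

def diff_baseline(before: dict, after: dict) -> dict:
    """Classify changes; a hash change is the decisive signal, size/mtime are corroborating."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(k for k in set(before) & set(after)
                               if before[k]["sha256"] != after[k]["sha256"])}

def companion_candidates(root: Path) -> list:
    """Flag a file that shadows a same-named executable under an earlier-searched extension."""
    by_stem = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_ORDER:
            stem = p.relative_to(root).with_suffix("").as_posix()
            by_stem.setdefault(stem, set()).add(p.suffix.lower())
    hits = []
    for stem, exts in by_stem.items():
        if len(exts) > 1:
            first = min(exts, key=EXEC_ORDER.index)   # the one Windows would run first
            hits.append(f"{stem}{first} shadows {sorted(e for e in exts if e != first)}")
    return sorted(hits)

def demo() -> dict:
    """Constructed scenario: baseline a tree, append code to one file, plant a companion."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x01" * 100)
        before = build_baseline(root)
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 100 + b"<appended code>")
        (root / "bin" / "tool.com").write_bytes(b"<companion>")
        return {"diff": diff_baseline(before, build_baseline(root)),
                "companions": companion_candidates(root)}
```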
Macro Infection
The Melissa virus spread through the use of a Word document that exploited a security vulnerability in Microsoft Outlook to replicate
The ILOVEYOU virus quickly followed on its heels, exploiting similar vulnerabilities in early 2000
Mitigation: restricting the ability of untrusted macros to run without explicit user permission
Macro viruses infect documents created in the popular Microsoft Word environment
Service Injection
Viruses infect systems and escape detection by injecting themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe, and explorer.exe
One of the best techniques to protect systems against service injection is to ensure that all software allowing the viewing of web content (browsers, media players, helper applications) receives current security patches
Hoaxes
Almost every email user has, at one time or another, received a message forwarded by a friend or relative that warns of the latest virus threat roaming the internet
In addition to email messages, malware hoaxes now circulate via Facebook, Twitter, WhatsApp, Snapchat, and other social media and messaging platforms
Logic Bombs
Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions, such as a time, a program launch, or a website logon
The majority of logic bombs are programmed into custom-built applications by software developers seeking to ensure that their work is destroyed if they unexpectedly leave the company. Many viruses and Trojan horses contain a logic bomb component
Eg: Michelangelo virus; the logic bomb that targeted South Korea
Trojan Horses
A software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network
Eg: Xbox Trojan horses, rogue antivirus software
Worms
Code Red worm: targeted web servers running unpatched versions of Microsoft’s Internet Information Server (IIS)
Worms propagate themselves without requiring any human intervention
It defaced HTML pages on the local web server, replacing normal content. It planted a logic bomb that would initiate a denial-of-service attack against the IP address 198.137.240.91, which at that time belonged to the web server hosting the White House’s home page.
RTM and the Internet Worm (by Morris): exploited security holes in the UNIX OS, namely:
Sendmail debug mode
Password Attack
Finger Buffer Overflow Vulnerability
Trust Relationships
Stuxnet
Searching for unprotected administrative shares of systems on the local network
Exploiting zero-day vulnerabilities in the Windows Server service and Windows Print Spooler service
Connecting to systems using a default database password
Spreading by the use of shared infected USB drives
Actually searching for a very specific type of system: one using a controller manufactured by Siemens and allegedly used in the production of material for nuclear weapons
Designed by Western nations with the intent of disrupting an Iranian nuclear weapons program
Notable for the use of a worm to cause major physical damage to a facility and the use of malicious code in warfare between nations
Botnets
Why the network slowness? The Trojan horse made all the infected systems members of a botnet, a collection of computers (sometimes thousands or even millions!) across the internet under the control of an attacker known as the botmaster
The botmaster used the systems on their network as part of a denial-of-service attack against a website that he didn’t like
He instructed all the systems in his botnet to retrieve the same web page, over and over again, in hopes that the website would fail under the heavy load
Antivirus software was installed on the systems and it removed the Trojan horse. Network speeds returned to normal quickly.
Ransomware eg: WannaCry, CryptoLocker
AV Vendors
Kaspersky software created a back door in their security products that allowed Russian hackers to break into the computer of a National Security Agency contractor and steal highly classified information
Tripwire: data integrity
Signature-based vs heuristic-based (behaviour-based) mechanisms to detect potential malware infections
Virus technologies
Multipartite viruses
The Marzia virus, discovered in 1993, infects critical COM and EXE files, most notably the command.com system file, by adding 2,048 bytes of malicious code to each file. It is both a file infector virus and a boot sector virus
Stealth Viruses
Hide themselves by actually tampering with the operating system to fool antivirus packages
A stealth boot sector virus might overwrite the system’s master boot record with malicious code but then also modify the operating system’s file access functionality to cover its tracks
Polymorphic Viruses
Modify their own code as they travel from system to system, so the signature of the virus is somewhat different each time it infects a new system; a constantly changing signature will render signature-based antivirus packages useless
It takes vendors longer to generate the necessary signature files to stop a polymorphic virus in its tracks
Encrypted Viruses
In their outward appearance, they are actually quite similar to polymorphic viruses: each infected system has a virus with a different signature
However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk.
Encrypted viruses use a very short segment of code, known as the virus decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk.
Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system.
Virus decryption routines often contain telltale signatures that render them vulnerable to updated antivirus software packages
Masquerading Attacks
IP Spoofing
Session Hijacking
Tricking the client into thinking the attacker’s system is the server, acting as the middleman as the client sets up a legitimate connection with the server, and then disconnecting the client
Accessing a web application using the cookie data of a user who did not properly close the connection
Capturing details of the authentication between a client and server and using those details to assume the client’s identity
Administrative controls such as anti-replay authentication techniques, and application controls such as expiring cookies within a reasonable period of time
Reconnaissance Attacks
IP Probes
Port Scans
Vulnerability Scans
Spyware and Adware
Spyware monitors your actions and transmits important details to a remote system that spies on your activity
Adware uses a variety of techniques to display advertisements on infected computers. The simplest forms of adware display pop-up ads on your screen while you surf the web
Adware and malware authors often take advantage of third-party plug-ins to popular internet tools, such as web browsers, to spread their malicious content
Zero-Day Attacks (Avoided by Defense in Depth)
Strong Patch Management
Current Antivirus Software
Configuration Management
Application Control
Content Filtering
Strong overlapping controls
Application Attacks
Buffer Overflows
Time of Check (TOC) to Time of Use (TOU)
Backdoors
Escalation of Privilege and Rootkits
Web Application Security
Cross-Site Scripting
Cross-Site Request Forgery
SQL Injection
Password Attacks
Password guessing
Dictionary
Social engineering