Week 2_Part 2
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 2 – Part 2
Topics
• Malware and Critical Infrastructure
• Malware Analysis
• Defense against Malware
Attacks on Power Grids
CIA Confirms Cyber Attack Caused Multi-City Power Outage On 1/18/2008:
“We have information, from multiple regions outside the United States, of cyber intrusions
into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of
these attackers had the benefit of inside knowledge. We have information that cyber
attacks have been used to disrupt power equipment in several regions outside the United
States. In at least one case, the disruption caused a power outage affecting multiple cities.
We do not know who executed these attacks or why, but all involved intrusions through the
Internet.”
An avalanche of attacks: the Department of Homeland Security (DHS) reported in 2012 that
US water and power utilities were under daily cyber-attack.
Critical Infrastructure & Cyberwar
Advanced Metering Infrastructure (AMI) Smart Grid systems use a variety of low-power
processors with custom-designed firmware and operating systems, and can be equipped with a
variety of wireless protocols. Each of these components gives attackers a different way to
break into the systems.
• 2009: Hackers reportedly planted malware on key parts of the U.S. electrical grid, perhaps
intending to cripple the country's power infrastructure. They most likely gained access the
way any other cybercriminal would: by exploiting a bug in software such as Windows or Office
on PCs connected to the Internet.
Stuxnet: Malware as a Weapon
Stuxnet: targeted malware and the first use of malware as a weapon
• Discovered in 2010
• Targeted a specific part of Iran's nuclear infrastructure
• Designed to circumvent the protection mechanisms around its target
• Complex malware combining a worm, rootkits, detection evasion and a
command-and-control module
• Very high complexity requiring a huge investment: 6+ person-years to develop
• Developed by state actors
Image from https://worldview.stratfor.com/article/stuxnet-computer-worm-and-iranian-nuclear-program
Stuxnet: more details
• Designed to attack the Siemens Simatic WinCC SCADA system
• Infected the MS Windows machines used to manage the SCADA systems
• Components used included:
• Zero-day exploits (4 different ones)
• A Windows rootkit
• A Programmable Logic Controller (PLC) rootkit – the first ever
• Antivirus evasion
• The target devices were not connected to the Internet, so Stuxnet quietly travelled around the
world (e.g., on infected USB drives and across local network shares) until it reached them.
Its goal was to compromise:
• A Windows machine that might be taken into the facility (e.g., for maintenance work), or
• A USB drive that had been plugged into an already compromised machine and was later used inside
the facility.
• Some also claim that insider(s) in the nuclear facility may have plugged in a malicious USB device.
Stuxnet: EXTRA details
[home] Watch the SBS documentary on Stuxnet:
https://www.sbs.com.au/ondemand/video/802325059721/cyberwar-stuxnet-the-digital-weapon (should be
available for free in Australia)
[home] Watch: https://youtu.be/TGGxqjpka-U
Image from https://imgflip.com/i/x6n1t
[Further reading]: http://www.cse.psu.edu/~trj1/cse443-s12/slides/cse443-lecture-22-stuxnet.pdf
Malware as a Weapon: rapidly evolving
• Duqu (1.0 and 2.0) and Flame emerged after Stuxnet and were even more sophisticated
• Cyberweapons have since been aimed at voting systems, health care, etc.
• Countries are growing their investments in offensive cyber capabilities …
Malware Analysis
Malware Detection
Malware detection is hard because:
• Malware is a program, and deciding any non-trivial property of an arbitrary program is
undecidable in general (Rice's theorem), so no detector can be both complete and precise
• Malware actively aims to evade detection
• It is not always clear what triggers the malicious behaviour
• E.g., immediately after install; a time bomb (after a certain time); a logic bomb (once a
condition is satisfied); manually, through a backdoor; etc.
Malware Analysis
• Malware analysis is the process of learning how a piece of malware functions and what
repercussions it could have.
Static Analysis: examine the malware without running it.
Dynamic Analysis: run the malware and monitor its effects.
Static Analysis
Static Analysis: examine the malware without running it.
Basic
• View the malware without looking at its instructions: file type, hashes, strings, headers and imports
• Quick and easy, but fails for advanced malware (e.g., packed samples) and can miss important
behaviour
• Tools: https://www.virustotal.com, etc.
Advanced
• Reverse-engineering with a disassembler
• Complex; requires understanding of assembly code
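The basic static triage just described, as an added example that is not code from the unit or from any tool named above: compute the hashes you would look up on VirusTotal, dump the printable strings, and flag a few indicators (URLs, a persistence registry key, suspicious Windows API names). The sample bytes, the URL, the paths and the list of suspicious APIs are all constructed for illustration.

```python
"""Basic static triage: the 'look at the file without running it' step.
Hashes for database lookup, a strings dump, and a few indicators pulled
from it. All sample data below is constructed for illustration."""
import hashlib
import re

# Constructed sample: a DOS/PE-style 'MZ' header, some junk bytes and a few
# embedded strings of the kind that show up in real malware. Not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(64)) +
    b"\x00kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    b"\x00http://update.example.invalid/c2/beacon.php\x00"
    b"\x00Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x00C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe\x00"
    + bytes(range(255, 0, -1))
)

# API names an analyst treats as a warning sign in a strings dump (constructed list).
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetThreadContext", "NtUnmapViewOfSection", "IsDebuggerPresent",
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
RUN_KEY = b"\\CurrentVersion\\Run"   # classic autostart persistence location

def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256; the SHA-256 is what you paste into VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the 'strings' tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]

def triage(data: bytes) -> dict:
    """Summarise what basic static analysis can see in one pass."""
    found = strings(data)
    return {
        "is_pe": data[:2] == b"MZ",          # DOS header check only, not a full PE parse
        "hashes": file_hashes(data),
        "urls": [u.decode() for u in URL_RE.findall(data)],
        "suspicious_apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
        "persistence_run_key": RUN_KEY in data,
        "strings": found,
    }

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("is_pe", "hashes", "urls", "suspicious_apis", "persistence_run_key"):
        print(f"{key}: {report[key]}")
```

Everything this finds comes from bytes that sit in the file in the clear; on a packed sample the same script returns junk strings and no indicators, which is exactly the "fails for advanced malware" limitation on the slide.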
Dynamic Analysis
Dynamic Analysis: run the malware and monitor its effects.
Basic
• Easy, but requires a safe, isolated test environment (an instrumented VM that can be reverted)
• Not effective for all malware (e.g., samples whose trigger condition is never met in the sandbox)
• Tools: Process Monitor, Process Hacker, RegShot, …
Advanced
• Run the code under a debugger inside a virtual machine
• Examines the internal state of the running malicious executable
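The basic dynamic technique behind a tool like RegShot, as an added example that is not part of the unit or of RegShot itself: take a snapshot of the system state, run the sample, take a second snapshot, and report what was created, modified or deleted. So that it runs anywhere, the "system" is a temporary directory and the sample is a harmless constructed function; a real sample would be driven the same way inside an isolated, revertible VM.

```python
"""Basic dynamic analysis the RegShot way: snapshot, run the sample, snapshot
again, diff. The 'system' is a temporary directory and the sample is a
harmless constructed stand-in, so this runs on any machine."""
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map each file under root (as a relative path) to the SHA-256 of its content."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(before: dict, after: dict) -> dict:
    """Files created, deleted or changed between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def fake_sample(root: str) -> None:
    """Constructed stand-in for the malware: drops a payload, edits the hosts
    file to black-hole an update server, and deletes a log."""
    with open(os.path.join(root, "Temp", "svchost.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "hosts"), "a") as fh:
        fh.write("127.0.0.1 av-updates.example.invalid\n")
    os.remove(os.path.join(root, "Logs", "security.log"))

def run_under_monitor(sample, root: str) -> dict:
    """Snapshot, run, snapshot, diff."""
    before = snapshot(root)
    sample(root)
    return diff(before, snapshot(root))

def demo() -> dict:
    """Build a small constructed 'system' and analyse fake_sample against it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Temp"))
        os.mkdir(os.path.join(root, "Logs"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "Logs", "security.log"), "w") as fh:
            fh.write("clean\n")
        return run_under_monitor(fake_sample, root)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The diff only shows effects that happened between the two snapshots, which is why the approach is "not effective for all malware": a sample that waits for a date, a specific user action or a missing network reply leaves both snapshots identical.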
Malware Analysis: Evasion Techniques
• Malware often uses obfuscation techniques to avoid detection and analysis.
Common Approach 1 – Packer
• Malware authors often pack their code to make analysis more difficult.
• Samples sometimes contain multiple layers of packing.
• The packed file carries the real malware compressed and/or encrypted, plus a small stub. Only when the
program runs does the stub unpack the malware into memory, so strings, imports and signatures are hidden
from basic static analysis until then.
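A toy packer and the counter-signal analysts use against it, as an added example that is not code from the unit or from any real packer. A real packer compresses and/or encrypts the payload and prepends a stub that restores it at run time; this toy keeps only an encryption layer (SHA-256 in counter mode as a keystream, with a constructed key and a placeholder stub) so the packed bytes look random. The payload, the key and the entropy threshold are assumptions for illustration.

```python
"""Why packing defeats basic static analysis, and one cheap tell.
Constructed toy packer: XOR the payload with a SHA-256 counter-mode keystream
and prepend a stub; strings vanish from the packed file, but its byte entropy
climbs to nearly 8 bits/byte, which is itself suspicious."""
import hashlib
import math
from collections import Counter

KEY = b"toy-packer-key"   # constructed; a real packer hides its key inside the stub
STUB = b"STUB:"           # stands in for the unpacking code that runs first

# Constructed payload with content a strings dump would flag, repeated so the
# entropy estimate has enough bytes to be meaningful.
BLOCK = (b"MZ" + b"\x00" * 30 +
         b"http://c2.example.invalid/gate.php\x00"
         b"CreateRemoteThread\x00WriteProcessMemory\x00")
PAYLOAD = BLOCK * 40

def keystream(length: int) -> bytes:
    """Deterministic pseudo-random bytes: SHA-256(KEY || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def pack(payload: bytes) -> bytes:
    """What the packer does at build time."""
    return STUB + bytes(a ^ b for a, b in zip(payload, keystream(len(payload))))

def unpack(packed: bytes) -> bytes:
    """What the stub does at run time. For a dynamic analyst this is the moment
    to dump memory and recover the real payload."""
    if not packed.startswith(STUB):
        raise ValueError("not packed by this stub")
    body = packed[len(STUB):]
    return bytes(a ^ b for a, b in zip(body, keystream(len(body))))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed, encrypted or random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude packer heuristic; real tools apply it per PE section, not to the whole file."""
    return entropy(data) > threshold

if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("plain  entropy %.2f, C2 string visible: %s" % (entropy(PAYLOAD), b"gate.php" in PAYLOAD))
    print("packed entropy %.2f, C2 string visible: %s" % (entropy(packed), b"gate.php" in packed))
    print("round trip ok:", unpack(packed) == PAYLOAD)
```

Note that a single-byte XOR alone would not raise the entropy at all (it only permutes byte values), which is why the toy uses a keystream; real packers get the same effect from compression. The entropy check is a signal, not proof: legitimate installers and media files are high-entropy too.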
Malware Analysis: Evasion Techniques
Common Approach 2 – Process Hollowing
• Process hollowing is a technique malware uses to inject its code into a legitimate process.
• A legitimate process is created in a suspended state; its memory is unmapped and replaced with the code of
the malicious program, and the main thread is then resumed, so the malicious program runs under the
legitimate process's name and on-disk path instead of the original program.
Malware Analysis: Evasion Techniques
Common Approach 3 – Anti-Debug
• If a debugger is detected, the malware terminates its process or changes its behaviour to fool
the analyst.
Common Approach 4 – Anti-VM
• It is trivial to build virtualization detection into malware, which can have several interesting
effects:
• The malware may simply refuse to execute
• It may act as a totally innocent utility / clean file
• It may attempt to crash the virtual machine
Other approaches: encryption, commercial code obfuscators, custom encoding, etc.
[keen? A Malware Analysis unit should be available from 2021 ☺ !!]
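The anti-debug and anti-VM checks above, written out for Linux as an added example that is not code from the unit or from any real sample: a ptrace check via `TracerPid` in `/proc/self/status`, the `hypervisor` CPUID flag in `/proc/cpuinfo`, hypervisor vendor strings in the DMI product name, and the well-known MAC address prefixes of virtual NICs. The parsers work on text, so the constructed `/proc` excerpts embedded below exercise them offline; `environment_report()` runs the same checks against the live host. The analyst's counter, which the code does not show, is to patch or hook these checks so they always report "clean".

```python
"""Anti-debug / anti-VM checks as malware implements them on Linux, written
as pure functions over text so they can be tested on constructed input.
Sample /proc excerpts below are constructed, not captured."""
import os

# Public IEEE OUI prefixes used by common hypervisors for virtual NICs.
VM_MAC_PREFIXES = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5d": "Hyper-V",
}
VM_DMI_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "hyper-v", "xen")

# Constructed /proc excerpts for offline testing.
STATUS_DEBUGGED = "Name:\tsample\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
STATUS_CLEAN = "Name:\tsample\nState:\tR (running)\nTracerPid:\t0\n"
CPUINFO_VM = "processor\t: 0\nflags\t\t: fpu vme sse sse2 hypervisor\n"
CPUINFO_BARE = "processor\t: 0\nflags\t\t: fpu vme sse sse2\n"

def tracer_pid(proc_status: str) -> int:
    """Parse 'TracerPid:' from /proc/self/status; non-zero means a ptrace
    debugger (gdb, strace, ...) is attached."""
    for line in proc_status.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0

def vm_from_mac(mac: str):
    """Hypervisor name if the NIC's OUI belongs to a known virtual adapter, else None."""
    return VM_MAC_PREFIXES.get(mac.lower()[:8])

def vm_from_dmi(product_name: str):
    """Hypervisor marker found in the DMI product name, else None."""
    name = product_name.lower()
    return next((m for m in VM_DMI_MARKERS if m in name), None)

def vm_from_cpuinfo(cpuinfo: str) -> bool:
    """True if the CPUID 'hypervisor' bit is exported in the flags line."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split()
    return False

def environment_report() -> dict:
    """Run the same checks against the live host; missing files count as 'no evidence'."""
    def read(path: str) -> str:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    ifaces = os.listdir("/sys/class/net") if os.path.isdir("/sys/class/net") else []
    macs = [read(f"/sys/class/net/{i}/address").strip() for i in ifaces]
    return {
        "debugger": tracer_pid(read("/proc/self/status")) != 0,
        "vm_by_mac": sorted({vm_from_mac(m) for m in macs if vm_from_mac(m)}),
        "vm_by_dmi": vm_from_dmi(read("/sys/class/dmi/id/product_name")),
        "vm_by_cpuid": vm_from_cpuinfo(read("/proc/cpuinfo")),
    }

if __name__ == "__main__":
    print(environment_report())
```

A sample that bails out on any of these signals will look like the "totally innocent utility" from the slide when run in a stock analysis VM, which is why analysis environments spoof MAC prefixes and DMI strings and why debuggers hide their ptrace attachment.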
Malware Mitigation
Malware Mitigation
US-CERT* has a set of mitigation strategies for malware:
*: https://www.us-cert.gov/sites/default/files/publications/malware-threats-mitigation.pdf
At the boundary of the organization premises:
• Firewalls
• Intrusion Detection and Prevention Systems
• Email attachment filtering
• Web content filtering
Within the organization premises:
• Authorized devices only: avoid USB drives, personal laptops, etc.
• Operating system patching, updating and hardening
• Anti-virus (kept updated)
• Host-based firewall
• Vulnerability scanning
• Keep and monitor logs
We will have lectures and tasks on some of these in coming weeks ☺ !!
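Email attachment filtering from the boundary list above, as an added example that is not part of the unit's material or of the US-CERT paper: block attachments by extension, by double extension (`invoice.pdf.exe`) and by a mismatch between the name's claimed type and the file's magic bytes. It uses only Python's standard `email` library; the blocked-extension policy, the sample message, its addresses and filenames are constructed for illustration.

```python
"""Email attachment filtering at the boundary: reject by extension, by double
extension and by magic-byte mismatch. Standard library only; the policy lists
and the sample message are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive by email (constructed policy list).
BLOCKED_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
               ".vbs", ".vbe", ".ps1", ".hta", ".jar", ".lnk", ".docm", ".xlsm", ".pptm"}
# Document-looking extensions attackers put in front of the real one.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Magic bytes for types whose content we can verify against the name.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}

def check_attachment(filename: str, data: bytes) -> list:
    """Reasons to block this attachment; an empty list means allow."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    if inner_ext in DOC_EXT and inner_ext != ext:
        reasons.append(f"double extension {inner_ext}{ext}")
    is_executable = data[:2] == b"MZ" or data[:4] == b"\x7fELF"   # PE or ELF header
    if is_executable and ext not in EXECUTABLE_EXT:
        reasons.append("executable content under a non-executable name")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match the {ext} signature")
    return reasons

def filter_message(raw: bytes) -> dict:
    """Map each attachment's filename to its block reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = check_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts

def constructed_sample() -> bytes:
    """A constructed message carrying a genuine PDF, a PE named invoice.pdf.exe
    and a PE disguised as receipt.pdf."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(pe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(pe, maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in filter_message(constructed_sample()).items():
        print(name, "->", "ALLOW" if not reasons else "BLOCK: " + "; ".join(reasons))
```

The third attachment is the one an extension-only filter misses: it is named `receipt.pdf` and declared as `application/pdf`, and only the magic-byte check reveals the PE header. In a real gateway this check sits next to the anti-virus scan and also looks inside archives, which this example does not.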
References and Further Reading
• Chapter 3 – M. Ciampa, Security Awareness: Applying Practical Security in Your World, 5th ed.,
Cengage Learning, 2016.
• Chapter 17 – J. D. Irwin and C.-H. (John) Wu, Introduction to Computer Networks and Cybersecurity,
CRC Press, 2013.
• US-CERT, Malware Threats and Mitigation Strategies,
https://www.us-cert.gov/sites/default/files/publications/malware-threats-mitigation.pdf
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).