Week2_Part1
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 2 – Part 1
Topics
• The different types of Malware
• Malware Infection Vectors
Malware (Mal + Software)
Software intentionally designed or deployed to have effects contrary to the best interests of one or more
users (or system owners or administrators), including potential damage related to resources, devices, or
other systems.
• Some typical examples of the way malicious payloads cause damage:
• System disruption (e.g., advert popups)
• Defacement of a publicly visible service
• Destruction of data
• Crashing a system
• Stealing data (“exfiltration”)
• Hidden malicious services to send spam, etc.
• Setting up backdoor access to a system
Malware Payload, and Main Categories
• Payload is the component of the attack which causes harm to the victim
• The payload defines the malicious action of the malware
• Payload may be included in any of the following main categories of malware:
Main Categories
• Virus: hides in stored code, propagates based on user action
• Worm: hides in running code, propagates automatically, exploits vulnerabilities
• Trojan: imitates legitimate software, typically propagated by the attacker
Virus
Flu Analogy: A computer virus, much like a flu virus, is designed to spread from host to host
and can replicate itself. In the same way that flu viruses cannot reproduce without
a host cell, computer viruses cannot reproduce and spread without host code such as a
program file or document.
Virus
• A type of malicious code or program written to alter the way a computer operates
• Designed to spread from one computer to another
• Operates by inserting or attaching itself to a legitimate program or document (for example,
one that supports macros) so that its code runs whenever the host is executed or opened.
• First virus?
• “Creeper system” in 1971:
• caused no damage to data, the only effect being a message it output to the
teletype reading “I’m the creeper: catch me if you can.”
Types of Viruses
1. File infector virus
This common virus inserts malicious code into executable files.
2. Boot Sector virus
This type of virus can take control when you start — or boot — your computer. One way it can spread is by
plugging an infected USB drive into your computer.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-computer-virus.html
Types of Viruses
3. Web scripting virus
This type of virus exploits the code of web browsers and web pages. If you access such a web page, the virus
can infect your computer.
4. Browser hijacker
This type of virus “hijacks” certain web browser functions, and you may be automatically directed to an
unintended website.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-computer-virus.html
Types of Viruses
5. Resident virus
This is a general term for any virus that inserts itself in a computer system’s memory. A resident virus can execute
anytime when an operating system loads.
6. Polymorphic virus
A polymorphic virus changes its code each time an infected file is executed. It does this to evade antivirus
programs.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-computer-virus.html
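The polymorphic-virus point above (a hash or byte-pattern signature matches one generation of the file and none of the others) can be shown without any real malware. The following is an added example, not code from the slides or from Norton: the "payload" is a constructed, inert byte string, the "virus" is a one-byte XOR encoder whose key changes per generation, and the two scanners are assumptions about how a signature-only scanner and an emulating scanner behave.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a malicious body: an inert byte string, never executed.
PAYLOAD = b"INERT DEMO PAYLOAD - illustrates signatures only, never executed"


def signature(blob: bytes) -> str:
    """A crude antivirus 'signature': the SHA-256 of the file bytes as stored on disk."""
    return hashlib.sha256(blob).hexdigest()


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def polymorphic_copy(payload: bytes, key: Optional[int] = None) -> bytes:
    """Produce a new 'generation' of the infected file: same body, different bytes on disk.
    Layout: one key byte followed by the XOR-encoded body. A real polymorphic virus
    would also mutate its decoder stub; changing the key alone already defeats a
    whole-file hash signature."""
    if key is None:
        key = os.urandom(1)[0] or 1       # key 0 would leave the body unchanged
    key &= 0xFF
    return bytes([key]) + xor(payload, key)


def decode(copy: bytes) -> bytes:
    """What an emulating scanner does: run the decoder to recover the constant body."""
    return xor(copy[1:], copy[0])


def static_match(known_signatures: set, blob: bytes) -> bool:
    """Signature scanning on the raw file bytes: defeated by every new generation."""
    return signature(blob) in known_signatures


def emulated_match(known_signatures: set, blob: bytes) -> bool:
    """Signature scanning after emulating the decoder: the decoded body is identical
    in every generation, so one signature covers them all."""
    return signature(decode(blob)) in known_signatures


if __name__ == "__main__":
    known = {signature(PAYLOAD)}
    gen_a, gen_b = polymorphic_copy(PAYLOAD), polymorphic_copy(PAYLOAD)
    print("two generations identical on disk:", gen_a == gen_b)
    print("static match:", static_match(known, gen_a),
          "| emulated match:", emulated_match(known, gen_a))
```

This is why modern scanners combine static signatures with emulation or behavioural monitoring: a signature taken from one generation of a polymorphic file tells you nothing about the next one.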
Types of Viruses
7. Macro virus
Macro viruses are written in the same macro language used for software applications. Such viruses spread when
you open an infected document, often through email attachments.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-computer-virus.html
Worms
• Hide on a system and attempt to spread rapidly.
• Typically use the network to send copies of themselves without any user
intervention.
• Try to replicate themselves onto other systems (self-replicating).
• May be stand-alone programs – e.g., /etc/rc3.d/S00malservd.
• The first worm?
• Morris Worm (1988): infected an estimated 10% of the roughly 60,000 hosts then on the Internet!
Image from https://blog.emsisoft.com/en/28154/computer-worms/
Trojan
Program has an overt (expected) and covert (malicious and unexpected) functionality such that:
• Overt functionality -> the program works and appears to be normal,
• Covert functionality -> the program violates the security policy.
Image from https://malware.wikia.org/wiki/Trojan
Important: when a user is tricked into executing a Trojan, the covert action is executed with that
user’s rights/authorization level.
Trojan
A major issue in today’s mobile app stores .. Be wary of the ‘free apps’!
Other Malware
• Based on the payload and attacker’s goal(s), different malware types are recognized.
• We briefly review some of the most common malware, including:
1. Spyware
2. Adware
3. Ransomware
4. Rootkit
Other Malware – Spyware
• A type of malware installed on computers that collects information about users without their
knowledge.
• The presence of spyware is typically hidden from the user and can be difficult to detect.
• Spyware programs aim to steal information such as login details and other personal
identification information and then send it off to someone else.
• E.g., Keylogger (logs all keystrokes)
Other Malware – Adware
• Adware (ADvertising-supported softWARE) is a type of malware that automatically delivers
unwanted advertisements.
• Common examples of adware include non-closable pop-up ads on websites and
advertisements that are displayed by software.
• If adware also steals information then it is spyware ☺.
• Most adware is legal (the user decides to use an ad-supported app), and
manufacturers have even sued antivirus companies for blocking their adware.
Other Malware – Ransomware
• Ransomware is a form of malware that essentially holds a computer system captive while
demanding a ransom
• The malware restricts user access to the computer either by encrypting files on the hard
drive or locking down the system
WannaCry – 200,000+ computers affected across the globe in 2017!
Other Malware – Rootkit
• Root*-level access + Toolkit = Rootkit
• A type of malware designed to remain hidden on a computer.
• Rootkits give cybercriminals the ability to remotely control your computer:
• Ability to subvert or disable security software –> hence, rootkits are hard to
detect.
• Install keyloggers, etc.
* Root/admin has the highest access privilege on a device.
Other Malware – Rootkit
1. Hardware or Firmware Rootkit
It can infect your computer’s hard drive (its firmware) or its system BIOS.
2. Bootloader Rootkit
The bootloader loads your computer’s operating system when you turn the machine on. A bootloader rootkit
attacks this system, replacing your computer’s legitimate bootloader with a hacked one. This means that this
rootkit is activated even before your computer’s operating system starts.
3. Kernel Rootkit
These rootkits target the core of your computer’s operating system. Cybercriminals can use these to change
how your operating system functions.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html
Other Malware – Rootkit
4. Application Rootkit
Application rootkits replace standard files in your computer with rootkit files. They might also change the way
standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad. Every time a
user runs one of these programs, the attacker can access the target computer. The challenge here is that the
infected programs will still run normally, making it difficult for users to detect the rootkit.
5. Memory Rootkit
Hides in a computer’s RAM (Random Access Memory). These rootkits carry out harmful activities in the
background. The good news? These rootkits have a short lifespan: they live only in RAM and
disappear once you reboot your system.
Content from https://us.norton.com/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html
Malware Infection Vectors
• Security defects in software
• Insecure design or user error
• Over privileged users and code
• Homogeneity
Malware Infection Vectors: Security defects in software = Vulnerabilities
Vulnerabilities as Malware Infection Vector
Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat
source. (NIST definition)
Image from https://www.aldeid.com/wiki/Definitions/Threats-vulnerabilities-assets
The reason for vulnerabilities: Bugs
What is a bug? Bugs are errors, mistakes, or oversights in programs that result in unexpected and
typically undesirable behaviour.
Software vulnerabilities are bugs that a malicious user can leverage to launch attacks against the
software system.
• Almost all security vulnerabilities are bugs, but only some bugs turn out to be vulnerabilities.
• Defect density estimates vary widely, from roughly one bug per 10 lines to one per 1000 lines of code ☺ !!
Image from http://blog.blueinfy.com/2013/12/bug-vs-vulnerability.html
Backdoor Vulnerability
• Hidden function that can be used to circumvent normal security.
• A hidden entry point into a system
• Examples:
• Special user id or special password
• Special instruction / option / keyboard sequence
• Commonly inserted by developers
• Hard to distinguish legitimate reasons (testing, debugging, circumventing some bug, jokes
and Easter Eggs) from intentional security compromise
• Harder to audit for in Closed Source software, where the code cannot be inspected (remember Week 1 – Part 2?)
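The "special password" example above, as an added illustration that is not part of the slides: a login function that ships with a developer test credential left in (the backdoor string, the user store and the user name are all constructed for this example), the hardened version with only one path to success, and a crude source audit that flags the pattern. The audit is a hypothetical helper written for this page, not a tool the unit uses.

```python
import ast
import hashlib
import hmac

# Constructed credential store (not real users): username -> (salt, PBKDF2-HMAC-SHA256 hash).
_SALT = b"demo-salt-not-secret"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def _check(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash(password, _SALT)   # do the same work for unknown users so timing does not reveal them
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def login_with_backdoor(username: str, password: str) -> bool:
    """Vulnerable: a developer 'test' credential left in shipped code (hypothetical string).
    Anyone who reads the source or binary can log in as any user, whether or not it exists."""
    if password == "letmein-dev-2021":    # the backdoor: bypasses the credential store entirely
        return True
    return _check(username, password)


def login(username: str, password: str) -> bool:
    """Hardened: the only path to True is a successful comparison against the store."""
    return _check(username, password)


def find_literal_password_compares(source: str) -> list:
    """Crude source audit for the pattern above: report every comparison of a variable
    whose name contains 'pass' against a string literal. Returns (line, literal) pairs."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Compare) and len(node.comparators) == 1):
            continue
        left, right = node.left, node.comparators[0]
        for name, lit in ((left, right), (right, left)):
            if (isinstance(name, ast.Name) and "pass" in name.id.lower()
                    and isinstance(lit, ast.Constant) and isinstance(lit.value, str)):
                hits.append((node.lineno, lit.value))
    return hits


if __name__ == "__main__":
    print("backdoor as unknown user:", login_with_backdoor("mallory", "letmein-dev-2021"))
    print("hardened as unknown user:", login("mallory", "letmein-dev-2021"))
    print(find_literal_password_compares('if password == "letmein-dev-2021":\n    return True\n'))
```

A literal comparison is only the most obvious form; a backdoor can also be a second hash in the store, a magic user id, or a check on an environment variable, which is why the slide calls it hard to distinguish from legitimate debugging code.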
Backdoor Vulnerability – A growing interest by governments
National Security Agency (NSA) implanting backdoors into network routers!!
Backdoor Vulnerability – A growing interest by governments
From https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/
Given that Apple’s iPhone is Closed Source, we could not be sure though ☺ (Or, can we?)
Vulnerability Lifecycle
“Zero-Day exploits, and their underlying vulnerabilities, have a 6.9-year life expectancy, on average” !!
Quote from: https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
Zero-Day Vulnerability
A zero-day vulnerability is one that attackers know about (and may already be exploiting) before the
software vendor has a fix: the vendor has had “zero days” to patch it.
[Home] Watch (until 2:20): https://www.youtube.com/watch?v=-BIANfzF43k
• From the moment the vendor learns of it, the clock is ticking to produce a patch as quickly
as possible.
• Zero-day exploits are typically used for targeted attacks and for the propagation of malware.
CVE – Common Vulnerabilities and Exposures
• Dictionary of unique, common names for publicly known software flaws
• A comprehensive list of publicly known software flaws
• A globally unique name (the CVE ID) to identify each vulnerability
• A basis for discussing both the priorities and risks of vulnerabilities
Question: why would you make this publicly available?
[Home] Browse: https://cve.mitre.org
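The "globally unique name" is the CVE ID, and in practice the first thing a practitioner writes is code that pulls those IDs out of advisories, tickets and scanner output. The following is an added example, not part of the slides or of MITRE's tooling: a validator for the CVE ID format (CVE-, a four-digit year, a sequence of four or more digits, no leading zeros once the sequence exceeds four digits) and an extractor that normalises and sorts the IDs found in free text. The sample advisory text is constructed, and its IDs are format placeholders, not references to real entries.

```python
import re

# Format: "CVE-" + four-digit year + "-" + sequence of four or more digits.
# Sequences longer than four digits never carry leading zeros.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def is_valid_cve_id(candidate: str) -> bool:
    m = _CVE_RE.fullmatch(candidate.strip())
    if m is None:
        return False
    year, seq = m.group(1), m.group(2)
    if int(year) < 1999:                       # the CVE list starts in 1999
        return False
    if len(seq) > 4 and seq.startswith("0"):   # e.g. CVE-2021-01234 is malformed
        return False
    return True


def extract_cve_ids(text: str) -> list:
    """Distinct CVE IDs in free text, upper-cased and sorted by year then sequence number."""
    found = set()
    for m in _CVE_RE.finditer(text):
        candidate = f"CVE-{m.group(1)}-{m.group(2)}"
        if is_valid_cve_id(candidate):
            found.add(candidate)
    return sorted(found, key=lambda c: tuple(int(part) for part in c.split("-")[1:]))


# Constructed advisory text; the IDs are placeholders chosen to exercise the format rules.
SAMPLE_TEXT = """Patch notes (constructed sample):
 - cve-2021-1234 and CVE-2021-1234 are the same entry, written two ways.
 - CVE-2020-99999 has a five-digit sequence number.
 - CVE-2021-01234 is malformed (leading zero in a five-digit sequence) and CVE-1998-0001 predates the list.
"""

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_TEXT))   # ['CVE-2020-99999', 'CVE-2021-1234']
```

Sorting numerically rather than lexically matters: as strings, "CVE-2021-1234" sorts after "CVE-2021-10000", which is the wrong order for a report.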
Malware Infection Vectors: Insecure design or user error
Insecure Design & User Error as Malware Infection Vector
Insecure design example:
In the past, email software used to automatically render HTML email, executing any
malicious code it contained !!
User Error:
Using social engineering to persuade a user to click on a malicious link that installs
malware.
Image from https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/82/social-engineering-facilitates-tax-season-malware-attacks
This unit is mostly a technical one, but we will have a guest lecture on Usable Security and
Social Engineering.
Malware Infection Vectors: Homogeneity
Homogeneity as Malware Infection Vector
• It can be a vulnerability.
• For example, when all computers in a network run the same operating system (MS Windows,
Apple OS X), a worm that exploits one of them can exploit them all !!
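The homogeneity point above, together with the Worms slide earlier (automatic propagation, no user action, exploiting one vulnerability), can be made concrete with a small spread simulation. This is an added example, not part of the slides: the network topology, the operating-system names "OS-A" and "OS-B", and the rule that a worm only infects hosts running the OS its exploit targets are all constructed assumptions.

```python
from collections import deque


def build_network(os_by_host: dict, links: list) -> dict:
    """host -> {"os": name, "peers": hosts reachable over the network}. Links are undirected."""
    net = {host: {"os": os_name, "peers": set()} for host, os_name in os_by_host.items()}
    for a, b in links:
        net[a]["peers"].add(b)
        net[b]["peers"].add(a)
    return net


def simulate_worm(net: dict, patient_zero: str, exploitable_os: str) -> set:
    """Breadth-first spread with no user action: each infected host scans its peers and
    infects every peer running the OS its exploit works against. Hosts running anything
    else cannot be infected and therefore never relay the worm. Returns infected hosts."""
    if net[patient_zero]["os"] != exploitable_os:
        return set()
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for peer in net[host]["peers"]:
            if peer not in infected and net[peer]["os"] == exploitable_os:
                infected.add(peer)
                queue.append(peer)
    return infected


# Constructed topology: ten hosts in a chain h0-h1-...-h9 plus two shortcut links.
HOSTS = [f"h{i}" for i in range(10)]
LINKS = [(HOSTS[i], HOSTS[i + 1]) for i in range(9)] + [("h0", "h5"), ("h2", "h7")]

HOMOGENEOUS = {h: "OS-A" for h in HOSTS}                                        # one OS everywhere
MIXED = {h: ("OS-A" if i % 2 == 0 else "OS-B") for i, h in enumerate(HOSTS)}    # alternating OS
SEGMENTED = {h: ("OS-A" if i < 5 else "OS-B") for i, h in enumerate(HOSTS)}     # two halves


def infected_count(os_by_host: dict, patient_zero: str = "h0", exploitable_os: str = "OS-A") -> int:
    return len(simulate_worm(build_network(os_by_host, LINKS), patient_zero, exploitable_os))


if __name__ == "__main__":
    for name, layout in (("homogeneous", HOMOGENEOUS), ("alternating", MIXED), ("segmented", SEGMENTED)):
        print(f"{name:12s}: {infected_count(layout)}/{len(HOSTS)} hosts infected")
```

With every host on the same OS the worm reaches all ten; with the two halves on different systems it is contained to the five it can exploit; with alternating systems it never leaves patient zero, because every neighbour is immune. The non-vulnerable hosts act as barriers, which is the argument for diversity (and for network segmentation) as a defence in depth.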
Malware Infection Vectors: Over privileged users and code
Over Privilege as Malware Infection Vector
• Privilege = Level of access = how much a user or program can modify a system
Over-privileged user example: a normal user allowed to install any software and
make system changes.
Over-privileged code example: allowing code executed by a user to use all rights of
that user. Commonly exploited by email-based malware.
Remember ‘User Error’ (the Insecure Design & User Error slide) and that people are the weakest link
in the security chain (Part 2 – Week 1).
More on privilege (and access control) in Week 3.
References and Further Reading
Chapter 3 – M. Ciampa, “Security Awareness Applying Practical Security In Your World”, Fifth
Edition, Cengage Learning, 2016.
Chapter 17 – Introduction to Computer Networks and Cybersecurity, J. David Irwin, and
Chwan-Hwa (John) Wu, CRC Press, 2013.
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).