Please answer the below questions.

Description

Use examples from the readings, lecture notes and outside research to support your answers. The assignment must be a minimum of 1 full page in length with a minimum of 2 outside sources. Please be sure to follow APA guidelines for citing and referencing sources.



1. What are the differences between file viruses, boot viruses, macro viruses, and network viruses?

2. Describe the true threat posed by viruses and virus hoaxes and their effects on computers and productivity.

Assignment Rubric (100 Points)

Synthesis of Concepts: 60
Writing Standards - APA format: 20
Timeliness: 20

Unformatted Attachment Preview

Week 4 Lesson Chapter 4 - Malicious Code

Malicious software, or malware, is code that is unfriendly to the Information System and causes it to operate in an unpredictable manner. Malware comes in various forms, including worms, bots, and Trojans, to name a few. Whatever form this code takes, its presence disrupts the host environment, to its detriment. This week's lesson focuses on the various types of malware that have been used to affect Information Systems, covering how they were deployed and their impact. We will examine a few types of malware, view exploitation, and discuss botnets. The lesson will conclude with a video from DEFCON 19 detailing the history of computer viruses.

Worms

A worm is malware that does not need a host object; instead, it is a self-sustaining program in its own right. Worms are designed around specific system flaws. The worm scans other systems for this flaw and exploits the flaw to gain access to another victim. Once hosted on another system, the worm seeks to spread itself by repeating the process. Worms can act as carriers to deposit other forms of malicious code as they multiply and spread across networked hosts. Worms are very hard to detect because they are usually invisible files. Worms can travel from computer to computer without any action from the user, unlike other viruses and Trojan Horses. Having antivirus software is key to detecting worms early, before they cause any damage. Keeping Windows and other updates current is also a good idea, because they plug the “tunnels” that worms crawl through to infect your computer. These “tunnels” are generally system flaws that a hacker has found and is abusing. Worms can use these same flaws to jump from computer to computer over a network.

Botnet

A botnet is a collection of infected devices controlled by one or a few particular people. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Botnet armies are used by hackers for a number of reasons, but the main reason is that the sheer number of devices a hacker controls makes his job much easier. One example of a botnet army is Mirai. Mirai is software created by a hacker known as “Anna-senpai” and was distributed as open-source software. As hackers have gotten their hands on the Mirai software, the botnets created with it have grown rapidly. That’s not the worst part. The Mirai software is actually evolving. This means that the software can be updated to perform new tasks. It has been used to carry out DDoS attacks using not just personal computers, but also routers, DVRs, etc. One of the most fascinating aspects of Mirai is that since it can employ a large number of infected zombie machines, it also requires a lot of resources to function. Because of the resources required to power attacks, hackers actually began targeting each other as a means of controlling new territory and acquiring additional resources.

Malware Analysis

Malware analysis is the art of analyzing malware to understand what its capabilities are. The people who practice malware analysis as a profession are known as malware analysts and are sometimes referred to as reverse engineers. In the field of malware analysis, the goal is to discover, uncover, classify, and deeply understand the millions of malware samples which are in the wild (meaning still on the internet) or which are obtained through methods like a honeypot or an anti-virus database. Two kinds of methods are used when examining malware samples: static analysis and dynamic analysis.

In static analysis, the malware sample, which is usually an .exe, is never run on the system on which it is being examined. Tools that read the file's PE header are used to look for any obvious signs that the executable being examined is malicious. Tools like OllyDbg, PEfile, Fileyzer, Agent Ransack and many more are used to find malicious-looking strings of code in the file, bad hashes, known malicious hashes, and more.

Dynamic analysis is a completely different playing field. This is a much more complicated approach to gathering information on malware, depending on how well the malware hides its maliciousness and true purpose. By executing the suspected malware in a virtual or physical non-production lab machine, we are able to watch the malware act out its natural behavior. When the malware is executed, malware analysts look for signs or traits that allow them to classify the sample. For example, a malware sample named Microsoft repair agent is executed on a virtual machine. Seconds after being executed, the program disappears, and four minutes later the computer's screen is locked and a message appears stating that all files have been encrypted and that a fee of $500 must be paid or the files will be destroyed. This is a very obvious indicator to the malware analysts that the executable program Microsoft repair agent is ransomware. Various tools such as Process Hacker, IDA Pro, Gseck, Wireshark, and many more are used when conducting a dynamic malware analysis session.

The following video explains the history of computer viruses: https://youtu.be/s2g9lgYrYJM

References

Graham, J., Howard, R., & Olson, R. (2011). Cyber Security Essentials. CRC Press, Auerbach.
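The static-analysis step described in the lesson (reading a file's PE header and hashing it without running it) can be sketched as follows. This is an added example, not part of the lesson or of any tool it names; `build_sample_pe` and `triage_pe` are hypothetical names, and the input is a constructed, non-functional header-only image.

```python
import hashlib
import struct

def build_sample_pe() -> bytes:
    """Constructed, non-functional image: PE headers and one section header only."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew (offset 0x3C) = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 0, 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0xE0000020)  # code + execute + read + write
    return dos + b"PE\x00\x00" + coff + sect

def triage_pe(data: bytes) -> dict:
    """Parse PE headers from raw bytes; the sample is never executed."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00" or len(data) < pe_off + 24:
        raise ValueError("missing or truncated PE header")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections, flags = [], []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            flags.append("section table truncated")
            break
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = fields[0].rstrip(b"\x00").decode("ascii", "replace")
        sections.append(name)
        # A section that is both writable and executable is a common triage flag.
        if fields[9] & 0x20000000 and fields[9] & 0x80000000:
            flags.append(f"{name}: writable and executable")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # for known-bad hash lookups
        "machine": hex(machine),
        "timestamp": stamp,
        "sections": sections,
        "flags": flags,
    }

if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))
```
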

Explanation & Answer

Hoping you are doing great... Below is the response to the prompt above: Let me know if you need any changes. Thanks!!

Running Head: COMPUTER VIRUSES AND VIRUS HOAXES

Computer Viruses and virus hoaxes
Student’s Name
Professor
Course
Date

Boot viruses are viruses that affect the master boot record of a computer hard disk, but
were most common and applicable when computers used to boot from floppy disks. ...

