Match the malware detection methods on the left with the description on the right.

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.[1]

Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.[2][3] RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
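As an added example (not part of the ATT&CK entry above), a Python check that a mail gateway or endpoint rule could apply to attachment and file names: it flags Unicode bidirectional control characters and reports the extension the user would see against the one the operating system actually acts on. The sample names are constructed from the two examples in the text.

```python
import unicodedata

# Unicode bidirectional formatting controls that can change how a name renders.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one described above; the rest are the
# related embedding, override and isolate controls.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after the last U+202E is drawn
    right-to-left (i.e. reversed) until a U+202C pops the override."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.rpartition("\u202e")
    reversed_part, _, after_pop = tail.partition("\u202c")
    return head + reversed_part[::-1] + after_pop


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Flag a file name containing bidi controls and show the extension the
    user would see versus the one the operating system actually uses."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = rendered_name(name)
    true_ext, shown_ext = extension_of(name), extension_of(shown)
    return {
        "has_bidi_control": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "extension_mismatch": bool(controls) and true_ext != shown_ext,
    }


def flag_attachments(names):
    """Return the names an attachment filter should flag: anything carrying a
    bidi control, whether or not the extension ends up mismatched."""
    return [n for n in names if analyze_filename(n)["has_bidi_control"]]


# Constructed sample: the two names from the text plus a benign one.
SAMPLE_NAMES = ["March 25 \u202excod.scr", "photo_high_re\u202egnp.js", "report.docx"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(analyze_filename(n))
```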

Malware Detection

Harlan Carvey, in Windows Forensic Analysis Toolkit (Fourth Edition), 2014

Summary

Detecting malware on a system can be difficult, and detecting potential malware within an acquired image even more so. However, this is something analysts in law enforcement, as well as in the public and private sectors, have to deal with, and as such they need the knowledge, skills, and process in order to accomplish this task. AV scanning applications may prove insufficient for this task, and analysts may have to look for artifacts of a malware infection, rather than the malware itself, in order to locate the malware. As such, it is important for analysts to understand the characteristics of malware in order to understand the types of malware artifacts that may be present on a system, as well as where and how to locate those potential artifacts. Analysts should always document their activities, and developing a checklist of malware detection techniques can be very valuable, particularly when the analyst fills that checklist in with the results of each technique, or a statement or justification for not using the technique.

In the next chapter, we will walk through the process of creating a timeline of system activity for analysis; this is a technique that can be used in order to determine a great deal of additional information about not just the infection vector used to get the malware on the system but also actions that occurred in association with the malware following the infection. This analysis technique has a number of other uses, and as such deserves a chapter of its own.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171572000060

Signal-to-Noise Ratio

Will Gragido, ... Daniel Molina, in Blackhatonomics, 2013

Polymorphism, Packing, and Encryption

As malware became more widely known, and anti-virus programs became more capable of detecting malware through patterns, the criminal element found a need to make these programs harder to identify as they attempted to enter target systems.

They started using multiple forms of hiding, in order to make it more difficult for the anti-malware programs to detect them. One of the first changes implemented to try to subvert anti-malware programs was polymorphism. In a polymorphic virus, each new iteration of the malware takes on a new characteristic, without impacting the main code. As such, it becomes harder to identify it with simple pattern matching.

By packing and encrypting the malware, cybercriminals escalated the arms race once again. With these techniques, they were often able to bypass base detection. These were the days of “Pray and Spray,” when there was little targeting being done by attackers, and they mainly looked to reach the largest possible attack surface.

The packed and encrypted payloads forced the smart anti-malware providers to migrate to a heuristic engine so that the malware behavior could be detected, regardless of the path it took to reach the system.

URL: https://www.sciencedirect.com/science/article/pii/B9781597497404000046

Domain 7

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Endpoint Security

Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer beyond network-centric security devices. Modern endpoint security suites often encompass a variety of products beyond simple antivirus software. These suites can increase the depth of security countermeasures well beyond the gateway or network perimeter.

An additional benefit offered by endpoint security products is their ability to provide preventive and detective control even when communications are encrypted all the way to the endpoint in question. Typical challenges associated with endpoint security relate to volume: a vast number of products and systems must be managed, while significant amounts of data must be analyzed and potentially retained.

Antivirus

The most commonly deployed endpoint security product is antivirus software. Antivirus is one of many layers of endpoint defense-in-depth security. Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature based.

Application whitelisting

Application whitelisting is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of “known-good” binaries is prevented from doing so. A weakness of this approach is when a “known-good” binary is exploited by an attacker and used maliciously.

Removable media controls

The need for better control of removable media has been felt on two fronts in particular. First, malware-infected removable media inserted into an organization's computers has been a method for compromising otherwise reasonably secure organizations. Second, the volume of storage that can be contained in something the size of a fingernail is astoundingly large and has been used to surreptitiously exfiltrate sensitive data.

Disk encryption

Another endpoint security product found with increasing regularity is disk encryption software.

Full disk encryption, also called whole disk encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders, or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk.

URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000073

Domain 2: Telecommunications and Network Security

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP (Second Edition), 2014

Endpoint security

Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer of defense beyond network-centric security devices.

Many point products can be considered part of an overall endpoint security suite. The most important are antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.

Antivirus

The most commonly deployed endpoint security product is antivirus software. Antivirus is one layer (of many) of endpoint security defense in depth. Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature based.

Signature-based approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of blacklisting.

Application whitelisting

Application whitelisting is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of known-good binaries is prevented from executing. A weakness of this approach is when a “known good” binary is exploited by an attacker and used maliciously.

Removable media controls

Another recent endpoint security product assists with removable media control. Malware delivery and data exfiltration have compelled organizations to exert stricter control over what type of removable media may be connected. Removable media control products are the technical control that matches administrative controls such as policy mandates against unauthorized use of removable media.

Disk encryption

Another endpoint security product found with increasing regularity is disk encryption software. Full Disk Encryption (FDE), also called whole disk encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders, or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171428000029

Friendly and Threat Intelligence

Chris Sanders, Jason Smith, in Applied Network Security Monitoring, 2014

Virustotal

Perhaps the easiest way to determine if a file is malicious is to run an antivirus tool against it. Unfortunately, the detection rate for antivirus in the modern security landscape is very low, and the chances that a single antivirus product will be able to detect a strain of malware are 50/50 or less. Because of this, the chances of detecting malware are increased by submitting a malware sample to multiple antivirus engines. It isn’t entirely feasible to configure a single system with multiple AV engines, nor is it cheap to license it. However, there is an online solution called VirusTotal.

VirusTotal (http://www.virustotal.com) is a free service that was bought by Google in 2012, and analyzes suspicious files and URLs using multiple antivirus engines. There are multiple ways to submit files to VirusTotal, including their website, by e-mail, or by any tool that uses their API. My preferred mechanism is their Google Chrome extension. Once you submit the file, VirusTotal will perform its analysis and generate a report indicating which antivirus engines detected a match for the file or its content, and the name of the string(s) that match.

An example of this output is shown in Figure 14.19. As of now, VirusTotal currently supports 49 different antivirus engines, including all of those from the larger and more popular antivirus providers.

Figure 14.19. A Sample VirusTotal Report

In the example above, you can see that this report indicates the file that was submitted was detected as malware by 7 out of 48 different antivirus engines. Two of the engines that detected this are shown: the antiy-AVL and Baidu-International engines. They both detect this file as some sort of VNC-based application, which can be used to remotely control a system. The meter at the top right of the screen shows an indication of whether the file is actually malicious based upon the number of matches and a few other factors. In this case, it thinks that the file we’ve submitted is probably malicious.

While VirusTotal doesn’t share submitted samples publicly, it does share samples that match at least one antivirus engine with antivirus companies. Keep this in mind when submitting files that might be highly sensitive or involved in targeted attacks.

URL: https://www.sciencedirect.com/science/article/pii/B9780124172081000143

Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Endpoint Security

While most organizations have long employed perimeter firewalls, Intrusion Detection Systems (IDS), and numerous other network-centric preventive and detective countermeasures, defense in depth mandates that additional protective layers be employed. When the firewall, IDS, Web Content Filter, and others are bypassed an endpoint can be compromised.

Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer beyond network-centric security devices. Modern endpoint security suites often encompass myriad products beyond simple antivirus software. These suites can increase the depth of security countermeasures well beyond the gateway or network perimeter.

Though defense in depth is a laudable goal on its own, endpoint security suites provide significant advantages to the modern organization beyond simply greater depth of security. These tools can aid the security posture of devices even when they venture beyond the organization’s perimeter, whether that is because the device has physically moved or because the user has connected the internal device to a Wi-Fi or cellular network. An additional benefit offered by endpoint security products is their ability to provide preventive and detective control even when communications are encrypted all the way to the endpoint in question. Typical challenges associated with endpoint security relate to volume: a vast number of products and systems must be managed, and significant data must be analyzed and potentially retained.

Many point products can be considered part of an overall endpoint security suite. The most important are antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.

Note

For details on Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems (HIPS), please see the HIDS and HIPS section above. For details regarding desktop firewalls, please review the Firewalls section above.

Antivirus

The most commonly deployed endpoint security product is antivirus software. Many of the full endpoint security suites evolved over time from an initial offering of antivirus. Antivirus products are often derided for their continued inability to stop the spread of malware. However, most arguments against antivirus seem to bemoan the fact that these products alone are not sufficient to stop malware. Unfortunately, there is no silver bullet or magic elixir to stop malware, and until there is, antivirus or antimalware products will continue to be necessary, though not sufficient. Antivirus is one layer (of many) of endpoint security defense in depth.

Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature based. Signature-based approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of application blacklisting (see Application Whitelisting section below). For rapidly changing malware or malware that has not been previously encountered, signature based detection is much less successful.

Application Whitelisting

Application Whitelisting is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of known-good binaries is prevented from executing. A weakness of this approach is when a “known good” binary is exploited by an attacker, and used maliciously.

Whitelisting techniques include allowing binaries to run that:

- Are signed via a trusted code signing digital certificate
- Match a known good cryptographic hash
- Have a trusted full path and name

The last approach is the weakest: an attacker can replace a trusted binary with a malicious version.

Application whitelisting is superior to application blacklisting (where known bad binaries are banned).
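As an added example (not the book's own code), a Python policy object that evaluates two of the whitelisting techniques listed above, a known-good hash list and a trusted-path list, against a binary at a trusted location whose contents have been replaced; the executables and the path are constructed stand-ins, and the code-signing rule is not modelled because it needs a platform signature verifier.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    """Evaluates the hash-based and path-based whitelisting rules described
    in the text. (The code-signing rule is not modelled here.)"""

    def __init__(self, known_good_hashes, trusted_paths):
        self.known_good_hashes = set(known_good_hashes)
        self.trusted_paths = set(trusted_paths)

    def allowed_by_hash(self, contents: bytes) -> bool:
        # Any change to the bytes produces a different digest, so a replaced
        # binary is denied no matter where it sits.
        return sha256_hex(contents) in self.known_good_hashes

    def allowed_by_path(self, path: str) -> bool:
        # Only the location is checked; the contents can be anything, which
        # is why the text calls this the weakest approach.
        return path in self.trusted_paths


# Constructed stand-ins for executables (sample bytes, not real binaries).
ORIGINAL_BINARY = b"MZ\x90\x00 constructed: original trusted build of editor.exe"
REPLACED_BINARY = b"MZ\x90\x00 constructed: different file written to the same path"
TRUSTED_PATH = r"C:\Program Files\Editor\editor.exe"  # hypothetical path


def build_policy() -> AllowlistPolicy:
    # The baseline is taken from the original binary, as the text describes.
    return AllowlistPolicy([sha256_hex(ORIGINAL_BINARY)], [TRUSTED_PATH])


def compare_rules(policy: AllowlistPolicy, path: str, contents: bytes) -> dict:
    """Decision of each rule for one execution attempt."""
    return {
        "hash_rule": policy.allowed_by_hash(contents),
        "path_rule": policy.allowed_by_path(path),
    }


if __name__ == "__main__":
    policy = build_policy()
    print("original:", compare_rules(policy, TRUSTED_PATH, ORIGINAL_BINARY))
    print("replaced:", compare_rules(policy, TRUSTED_PATH, REPLACED_BINARY))
```

The replaced binary passes the path rule and fails the hash rule; the same known-good bytes copied to an untrusted path pass the hash rule and fail the path rule.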

Removable Media Controls

Another recent endpoint security product to find its way into large suites assists with removable media control. The need for better control of removable media has been felt on two fronts in particular. First, malware-infected removable media inserted into an organization’s computers has been a method for compromising otherwise reasonably secure organizations. Second, the volume of storage that can be contained in something the size of a fingernail is astoundingly large, and has been used to surreptitiously exfiltrate sensitive data.

A common vector for malware propagation is the AutoRun feature of many recent Microsoft operating systems. If a properly formatted removable drive (or CD/DVD) is inserted into a Microsoft Windows operating system that supports AutoRun, any program referenced by the “AUTORUN.INF” file in the root directory of the media will execute automatically. Many forms of malware will write a malicious AUTORUN.INF file to the root directory of all drives, attempting to spread virally if and when the drive is removed and connected to another system.

It is best practice to disable AutoRun on Microsoft operating systems. See the Microsoft article “How to disable the AutoRun functionality in Windows” (http://support.microsoft.com/kb/967715) for information on disabling AutoRun.
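As an added example (not from the book), a small Python triage parser for an AUTORUN.INF taken from a mounted image: it lists what AutoRun would execute and which Explorer verbs (the shell\<verb>\command entries) are pointed at a program, so an analyst knows which files to examine. The two INF files are constructed samples, not real specimens.

```python
import re

# [autorun] directives that launch a program directly.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries attach a program to a context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_inf(text: str) -> dict:
    """Minimal INI-style parser: {section: {key: value}} with section and key
    names lower-cased; lines starting with ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(text: str) -> dict:
    """Report what AutoRun would execute and which verbs were redirected."""
    autorun = parse_inf(text).get("autorun", {})
    launched, verbs = [], {}
    for key, value in autorun.items():
        if key in LAUNCH_KEYS:
            launched.append(value)
        elif SHELL_COMMAND_RE.match(key):
            verbs[key.split("\\")[1]] = value
    return {
        "would_execute": bool(launched),
        "launched_programs": launched,
        "redirected_verbs": verbs,
        "label": autorun.get("label"),
    }


# Constructed samples: a vendor installer disc, and a removable drive whose
# AUTORUN.INF points AutoRun and the Explorer verbs at one unknown executable.
SAMPLE_INSTALLER = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Installer
"""

SAMPLE_DROPPED = r"""
; constructed sample
[AutoRun]
open=data\svc.exe
shell\open\command=data\svc.exe
shell\explore\command=data\svc.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_INSTALLER))
    print(triage_autorun(SAMPLE_DROPPED))
```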

Primarily due to these issues, organizations have been compelled to exert stricter control over what type of removable media may be connected to devices. Removable media control products are the technical control that matches administrative controls such as policy mandates against unauthorized use of removable media.

Disk Encryption

Another endpoint security product found with increasing regularity is disk encryption software. Organizations have often been mandating the use of whole disk encryption products that help to prevent the compromise of any sensitive data on hard disks that fall into unauthorized hands, especially on mobile devices, which have a greater risk of being stolen.

Full Disk Encryption (FDE), also called Whole Disk Encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk. Dragging and dropping a file from an unencrypted to encrypted directory may leave unencrypted data as unallocated data, for example.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000084

Giovanni Bottazzi, ... Luciano Capone, in Strategy, Leadership, and AI in the Cyber Ecosystem, 2021

4 The defenders’ perspective

The concepts illustrated in the previous paragraphs must be the technical background of a good defender. But this is still not enough to block cyberattacks. This is where cybersecurity comes into play: cybersecurity is the state or process of protecting and recovering networks, devices, and programmes from any type of cyberattack.

A strong cybersecurity system has multiple layers of protection spread across computers, devices, networks, and programs. But a strong cybersecurity system doesn’t rely solely on cyber defence technology; it also relies on people making smart cyber defence choices.

We will try to summarise the defenders’ perspective by analysing the different types of cybersecurity defence systems (Toch et al., 2018) associated with the most widespread current threats (as described in the second paragraph).

4.1 Cybersecurity defence systems

It is possible to divide cyberattacks into two different groups:

1. The first group concerns what the attacker wants to obtain:
   - stealing information
   - tracking user information
   - taking control of a system

2. The second group concerns the vector used by the attacker to exploit an existing vulnerability:
   - hardware
   - network
   - application

Cybersecurity defence systems can be classified in the following four categories (Toch et al., 2018):

1. System architecture. Security systems designed for a specific architecture:
   - stand-alone
   - centralized client server
   - collaborative architectures

2. Type of detection. Security systems that belong to this category operate at the level of the attack vector described earlier (hardware, network, and application). There are two main categories:
   - anomaly-based detection, based on modelling normality to identify occurrences of anomalies;
   - signature-based detection, based on a database of the signatures that might signal a particular type of attack; they compare incoming traffic to those signatures.

3. Type of data. Security systems can be classified depending on the type of analyzed data:
   - application data
   - file data
   - network data

4. Ecosystems. Security systems can be classified depending on the ecosystem they must protect:
   - enterprise
   - mobile devices
   - IoT

The table (Table 1) reported in Toch et al. (2018) summarizes several cybersecurity solutions according to the classification described earlier. The solutions are differentiated according to the source of the analyzed data:

(a) Network solutions include organisation firewalls and network intrusion detection systems (NIDS).

(b) Content filtering solutions include proxies, web client-side attack detection, and email phishing and spam detection.

(c) Endpoint solutions include host-based intrusion detection systems (HIDS) and host-based intrusion prevention systems (HIPS) that usually monitor a device (system calls, file system integrity, etc.) detecting malware.

4.2 Understanding the true costs and impact of cybersecurity programmes

However, a good defender, as described earlier, not only needs to know the state of the art of cyberattack techniques and technologies but also must be aware of the impact a specific attack can have on the environment that he aims to protect.

An interesting article of McKinsey & Company (Choi et al., 2017) illustrates that often cybersecurity is a critical but misunderstood aspect of companies’ technology infrastructures.

Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. It can certainly be argued that the most important factor in any cybersecurity context is trust: it should underpin all the decisions executives make about tools, talent, and processes. However, trust is often lacking in many organizations’ cybersecurity initiatives. Senior business leaders and the board consider cybersecurity a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited.

One issue that continues to arise is the gap between organizations’ perceived security strength and their actual security strength. This perception problem emerges because enterprises typically don’t establish quantitative metrics to measure security preparedness. Instead, they often use more qualitative, anecdotal experiences to determine security maturity. A common error enterprises make is to view data security preparedness and maturity as something that can be measured by listing the layers of defence an IT department has in place (two firewalls are better than one firewall). Viewing cybersecurity through this lens means enterprises cannot distinguish between self-perception and reality. One of the key elements of a strong security posture is an organisation's ability to anticipate threats before they happen.

Perceptions become facts, trust erodes further, and cybersecurity programmes end up being less successful than they could be. If incidence of breaches has been light, for instance, business leaders may freeze the cybersecurity budget until the CIO or other cybersecurity leaders prove the need for further investment in controls—perhaps opening themselves up to attack.

Conversely, if threats have been documented frequently, business leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies to keep data and other corporate assets safe.

Also due to the just mentioned perceived security, the world of cybersecurity is full of wrong myths created over time and very resistant to disavowal. The article in Choi et al. (2017) lists four main myths of cybersecurity:

Myth 1—All assets in the organisation must be protected the same way. Obviously, this is a myth because not all data are created with equal value. Companies don’t have endless resources to protect all data at any cost. A strong cybersecurity strategy provides differentiated protection of the company's most important assets, utilizing a tiered collection of security measures. For example, is it worthwhile for a company to buy full ransomware protection for all of its stored data? More likely, the company must choose which data assets are the most worthwhile to protect.

Myth 2—The more we spend, the more secure we will be. According to Choi et al. (2017), there is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and the success of a company's cybersecurity programme. Companies often don’t protect the right assets. A classic example of how far this myth is from reality is the fifth threat described in the second paragraph: human error. A human error can easily bypass all the expensive technologies dedicated to the defence systems.

Myth 3—External hackers are the only threat to corporate assets. The danger of a hacker attack from the outside is certainly high, especially in the case of companies that hold important patents or sensitive data, but there are significant threats inside companies as well. Internal people who are closest to the data or other corporate assets can often be a weak link in a company (e.g. when they share passwords or files over unprotected networks, click on malicious hyperlinks sent from unknown email addresses, or otherwise act in ways that open up corporate networks to attack). Indeed, threats from inside the company account for about 43% of data breaches (Choi et al., 2017).

Myth 4—The more advanced our technology, the more secure we are. It is true that cybersecurity teams often use powerful, cutting-edge technologies to protect data and other corporate assets. But it is also true that many threats can be mitigated using less advanced methods. After all, most companies are not dealing with military-grade hackers. More than 70% of global cyberattacks come from financially motivated criminals who are using technically simple tactics, such as phishing emails (Choi et al., 2017).

We consider this last myth particularly interesting. In fact, the Verizon report on 2019 data breaches (Verizon, 2019) shows changes in threat actions and affected assets from 2013 to 2018. The rise in social engineering is evident in both charts, with the action category ‘social’ and the related ‘person’ asset both increasing.

But this phenomenon involves not only end-user weakness in the cybersecurity chain but also a non-negligible weakness in the management of the security infrastructures of the top-ranked social networks.

Indeed, the mentioned report shows which attack patterns are more common in different categories of industry, along with breakouts for threat action categories and affected assets. We want to highlight that, in absolute terms, incidents and breaches particularly hit server assets, which are surely controlled by expert IT professionals. So the defender's weakness does not always lie with the end user.

URL: https://www.sciencedirect.com/science/article/pii/B9780128214428000082

Postmortem Forensics

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Linux Systems, 2014

Search for Known Malware

Use characteristics from known malware to scour the file system for the same or similar items on the compromised computer.

▸ Many intruders will use easily recognizable programs such as known rootkits, keystroke monitoring programs, sniffers, and anti-forensic tools (e.g., touch2, shsniff, sshgrab). There are several approaches to locating known malware on a forensic duplicate of a compromised computer.

Hashes and File Characteristics: Searching a forensic duplicate of a compromised system for hash values matching known malware may identify other files with the same data but different names. In addition to using a hash database such as NSRL, another approach to identifying malicious code is to look for deviations from known good configurations of the system. Some Linux systems have a feature to verify the integrity of many installed components, providing an effective way to identify unusual or out of place files. For instance, rpm -Va on Linux is designed to verify all packages that were installed using RedHat Package Manager. The results of this verification process in the T0rnkit scenario are shown in Figure 3.3, which highlights binaries that have a different file size (S), mode (M), and MD5 (5) than expected. Some of these binaries also have discrepancies in the user (U), group (G), and modified time (T). With rpm it is also possible to specify a known good database using the --dbpath option, when there are concerns that the database on the subject system is not trustworthy.
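As an added example (not from the book), a Python parser for rpm -Va output of the kind shown in Figure 3.3 that decodes the attribute letters and ranks each entry, so that replaced binaries in system directories stand out from routine config-file edits. The output lines are constructed to resemble the T0rnkit scenario (replaced system binaries), and the severity rules are this example's own, not rpm's.

```python
import re

# Meaning of each failure letter in the rpm -V attribute field ('.' means the
# test passed, '?' means it could not be performed).
RPM_VERIFY_FLAGS = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5/digest differs",
    "D": "device major/minor number mismatch",
    "L": "readlink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# "SM5....T.    /bin/ls" or "S.5....T.  c /etc/foo" (c/d/g/l/r = file type),
# and "missing      /path" for files that are gone entirely.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$")


def parse_rpm_verify(output: str) -> list:
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            failed = {c for c in m.group("flags") if c in RPM_VERIFY_FLAGS}
            entries.append({"path": m.group("path"), "ftype": m.group("ftype"),
                            "failed": failed, "missing": False})
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append({"path": m.group("path"), "ftype": m.group("ftype"),
                            "failed": set(), "missing": True})
    return entries


def severity(entry: dict) -> str:
    """Example ranking: content changes to system binaries are high, ownership
    or mode changes elsewhere are medium, edited config files are low."""
    if entry["ftype"] == "c":
        return "low"
    in_sys = entry["path"].startswith(SYSTEM_BIN_DIRS)
    if in_sys and (entry["missing"] or entry["failed"] & {"5", "S", "M"}):
        return "high"
    if entry["failed"] & {"U", "G", "M"}:
        return "medium"
    return "low"


def triage_rpm_verify(output: str) -> list:
    return [{**e, "severity": severity(e),
             "reasons": sorted(RPM_VERIFY_FLAGS[c] for c in e["failed"])}
            for e in parse_rpm_verify(output)]


def high_severity_paths(output: str) -> list:
    return sorted(e["path"] for e in triage_rpm_verify(output) if e["severity"] == "high")


# Constructed rpm -Va output modelled on the T0rnkit scenario (not real output).
SAMPLE_RPM_VA = """\
S.5....T.    /bin/ls
S.5....T.    /bin/ps
SM5..UGT.    /bin/netstat
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
missing      /usr/sbin/logrotate
"""

if __name__ == "__main__":
    for e in triage_rpm_verify(SAMPLE_RPM_VA):
        print(e["severity"], e["path"], ", ".join(e["reasons"]) or "missing")
```

On a real image the input would come from rpm -Va run against a known-good database via --dbpath, as the text describes.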

FIGURE 3.3. T0rnkit rootkit files found using RPM verify

Rootkit Detectors: Tools such as Rootkit Hunter and chkrootkit have been developed to look for known malicious code on Linux systems. These programs contain a regularly updated database of known malware, and can be used to scan a forensic duplicate. Many of the rootkit checks can be run against a mounted image as shown in Figure 3.4, but some checks can only be performed on a running system, such as scanning running processes for malware. Be aware that these rootkit scanning tools may only detect rootkit files that are in a specific, default location. Therefore, a specific rootkit may not be detected by these scanning tools if the files are not in the expected location (false negative). These scanning tools also often have false positive hits, flagging legitimate files as possible rootkit components.

FIGURE 3.4. Scanning a target drive image with rkhunter

AntiVirus: Using updated AntiVirus programs to scan files within a forensic duplicate of a compromised system may identify known malware. To increase the chances of detecting malware, multiple AntiVirus programs can be used with any heuristic capabilities enabled. Such scanning is commonly performed by mounting a forensic duplicate on the examination system and configuring AntiVirus software to scan the mounted volume as shown in Figure 3.5 using Clam AntiVirus. Another AntiVirus program for Linux is F-Prot.

FIGURE 3.5. Clam AntiVirus software scanning a mounted forensic duplicate

Piecewise Comparison: When known malware files are available for comparison purposes, a tool such as frag_find can be used to search for parts of the reference dataset on the compromised system. In addition, a piecewise comparison tool such as ssdeep may reveal malware files that are largely similar with slight variations. Using the matching mode, with a list of fuzzy hashes of known malware, may find specimens that are not detected with an exact hash match or by current anti-virus definitions (e.g., when embedded IP addresses change).

Analysis Tip

Existing Security Software Logs

Given the prevalence of security monitoring software, it is advisable to review any logs that were created by AntiVirus software or other programs that were running on the compromised system for indications of malware. Many AntiVirus programs have logging and quarantine features that can provide information about detected malware. When a system is running Tripwire or other system integrity checking tools that monitor the system for alterations, daily reports might exist showing which files were added, changed, and deleted during a malware incident.

Keywords: Searching for IRC commands and other traits commonly seen in malware, and any characteristics that have been uncovered during the digital investigation (e.g., IP addresses observed in network-level logs) may uncover malicious files on the system. Strings within core system components can reveal that they have been trojanized by the intruder. For instance, Figure 3.6 shows a shared library from a compromised system with unusual functions named proc_hackinit and proc_istrojaned, fp_hack, hack_list and proc_childofhidden, which demonstrates that “trojan,” “hack,” and “hidden” may be useful keywords when investigating some malware incidents.


FIGURE 3.6. Extract from a trojanized shared library (/lib/libproc.so.2.0.6) with unusual function names

Investigative Considerations

Some malware provides an installation option to delete the executable from disk after loading into memory. Therefore, in addition to scanning logical files, it can be worthwhile to carve all executables out of the swap partition and unallocated space in order to scan them using AntiVirus software as well, particularly when malware has been deleted by the intruder (or by AntiVirus software that was running on the compromised system).

Some malware is specifically designed to avoid detection by hash values, AntiVirus signatures, rootkit detection software, or other similarity characteristics. Therefore, the absence of evidence in an AntiVirus scan or hash analysis should not be interpreted as evidence that no malware is on the system. For example, the Phalanx2 rootkit periodically changes the name of its executables and now stores its components and TTY sniffer logs in a randomly named directory. For instance, in one incident the /etc/khubd.p2 directory contained files related to the Phalanx2 rootkit shown in Figure 3.7 [7]. However, every part of the rootkit and hidden directory is subject to change in later versions of Phalanx2, including the location and names of files.


FIGURE 3.7. Phalanx2 rootkit and TTY sniffer components located in a hidden directory

Given that intruders can make a trojanized application look very similar to the legitimate one that was originally installed on the compromised system, it is advisable to compare critical applications such as SSH with the original package obtained from a trusted source. Any discrepancies between the MD5 hash values of SSH binaries on a compromised system and those from a trusted distribution of the same version warrant further investigation.

If backups of the compromised system exist, they can be used to create a customized hashset of the system at various points in time. Such a customized hashset can be used to determine which files were added or changed since the backup was created. In one case, intruders made a trojanized SSH package indistinguishable from the original, legitimate package, making it necessary to perform hashset comparisons with files from backups. This comparison also helped narrow down the time frame of the intrusion, because the trojanized files were on a backup from February but not an earlier backup from January.
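An added example (not the chapter's own code) of the two comparisons described in the last two paragraphs: it builds a per-file hash map of a backup or mounted tree, diffs two snapshots to list added, changed and removed files, and checks a critical binary against a trusted copy of its package. The directory layout, file contents and the January/February scenario are constructed for the demo; the chapter compares MD5 values, while here the algorithm is a parameter defaulting to SHA-256.

```python
import hashlib
import tempfile
from pathlib import Path


def build_hashset(root, algorithm: str = "sha256") -> dict:
    """Walk a mounted image or backup tree and map each relative path to its digest.
    The chapter compares MD5 values; pass algorithm="md5" to reproduce that."""
    root = Path(root)
    hashes = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        h = hashlib.new(algorithm)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        hashes[path.relative_to(root).as_posix()] = h.hexdigest()
    return hashes


def compare_hashsets(baseline: dict, current: dict) -> dict:
    """Files added, changed and removed in `current` relative to `baseline`."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def verify_against_trusted(system: dict, trusted: dict) -> list:
    """Paths whose digest on the examined system differs from (or is missing versus)
    the same files taken from a trusted copy of the package."""
    return sorted(p for p, digest in trusted.items() if system.get(p) != digest)


def _write(root, rel: str, data: bytes) -> None:
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: a January backup, a February backup in which sshd has been
    replaced and a hidden directory added, and a trusted copy of the sshd package."""
    with tempfile.TemporaryDirectory() as jan, tempfile.TemporaryDirectory() as feb, \
            tempfile.TemporaryDirectory() as trusted:
        for root in (jan, feb, trusted):
            _write(root, "usr/sbin/sshd", b"\x7fELF constructed legitimate sshd build\n")
        for root in (jan, feb):
            _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        # February only: a replacement sshd of identical size, and a dropped sniffer log
        _write(feb, "usr/sbin/sshd", b"\x7fELF constructed trojanized sshd build\n")
        _write(feb, "etc/.hidden/tty.log", b"constructed captured keystrokes\n")

        jan_hs, feb_hs, trusted_hs = build_hashset(jan), build_hashset(feb), build_hashset(trusted)
        return compare_hashsets(jan_hs, feb_hs), verify_against_trusted(feb_hs, trusted_hs)


if __name__ == "__main__":
    delta, mismatches = demo()
    print(delta)       # {'added': ['etc/.hidden/tty.log'], 'changed': ['usr/sbin/sshd'], 'removed': []}
    print(mismatches)  # ['usr/sbin/sshd']
```

Because the trojanized binary has the same size and path as the original, only the digest comparison reveals it, which is the situation the paragraph above describes.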

Keyword searches for common characteristics in malware can also trigger on AntiVirus definition files, resulting in false positives.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494700000036

The Botnet Problem

Daniel Ramsbrock, Xinyuan Wang, in Computer and Information Security Handbook (Second Edition), 2013

5 Botnet Defense

When botnets emerged, the response was similar to previous Internet malware: Antivirus vendors created signatures and removal techniques for each new instance of the bot. This approach initially worked well at the host level, but researchers soon started exploring more advanced methods for eliminating more than one bot at a time. After all, a botnet with tens of thousands of members would be very tedious to combat one bot at a time.

This part of the chapter describes the current defenses against centralized botnets, moving from the host level to the network level, then to the C&C server, and finally to the botmaster himself.

Detecting and Removing Individual Bots

Removing individual bots does not usually have a noticeable impact on the overall botnet, but it is a crucial first step in botnet defense. The basic antivirus approach using signature-based detection is still effective with many bots, but some are starting to use polymorphism, which creates unique instances of the bot code and evades signature-based detection. For example, Agobot is known to have thousands of variants, and it includes built-in support for polymorphism to change its signature at will.

To deal with these more sophisticated bots and all other polymorphic malware, detection must be done using behavioral analysis and heuristics. Researchers Stinson and Mitchell have developed a taint-based approach called BotSwat that marks all data originating from the network. If this data is used as input for a system call, there is a high probability that it is bot-related behavior, since user input typically comes from the keyboard or mouse on most end-user systems [27].

Detecting C&C Traffic

To mitigate the botnet problem on a larger scale, researchers turned their attention to network-based detection of the botnet’s C&C traffic. This method allows organizations or even ISPs to detect the presence of bots on their entire network, rather than having to check each machine individually.

One approach is to examine network traffic for certain known patterns that occur in botnet C&C traffic. This is, in effect, a network-deployed version of signature-based detection, where signatures have to be collected for each bot before detection is possible. Researchers Goebel and Holz implemented this method in their Rishi tool, which evaluates IRC nicknames for likely botnet membership based on a list of known botnet naming schemes. As with all signature-based approaches, it often leads to an “arms race” where the attackers frequently change their malware and the network security community tries to keep up by creating signatures for each new instance [28].

Rather than relying on a limited set of signatures, it is also possible to use the IDS technique of anomaly detection to identify unencrypted IRC botnet traffic. This method was successfully implemented by researchers Binkley and Singh at Portland State University, and as a result they reported a significant increase in bot detection on the university network [29].

Another IDS-based detection technique called BotHunter was proposed by Gu et al. in 2007. Their approach is based on IDS dialog correlation techniques: It deploys three separate network monitors at the network perimeter, each detecting a specific stage of bot infection. By correlating these events, BotHunter can reconstruct the traffic dialog between the infected machine and the outside Internet. From this dialog, the engine determines whether a bot infection has taken place with a high accuracy rate [30].

Moving beyond the scope of a single network/organization, traffic from centralized botnets can be detected at the ISP level based only on transport layer flow statistics. This approach was developed by Karasaridis et al., and it solves many of the problems of packet-level inspection. It is passive, highly scalable, and only uses flow summary data (limiting privacy issues). Additionally, it can determine the size of a botnet without joining and can even detect botnets using encrypted C&C. The approach exploits the underlying principle of centralized botnets: Each bot has to contact the C&C server, producing detectable patterns in network traffic flows [31].

Beyond the ISP level, a heuristic method for Internet-wide bot detection was proposed by Ramachandran et al. in 2006. In this scheme, query patterns of DNS black-hole lists (DNSBLs) are used to create a list of possible bot-infected IP addresses. It relies on the fact that botmasters need to periodically check whether their spam-sending bots have been added to a DNSBL and have therefore become useless. The query patterns of botmasters to a DNSBL are very different from those of legitimate mail servers, allowing detection [32]. One major limitation is that this approach focuses mainly on the sending of spam. It would most likely not detect bots engaged in other illegal activities, such as DDoS attacks or click fraud, since these do not require DNSBL lookups.
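An added example (not from the chapter, and not the method of any of the systems it cites) of the flow-level principle stated above: working only from (timestamp, src, dst, dport) summaries, it flags internal hosts whose contacts with an external server are regularly spaced, and external server/port pairs that several internal hosts share, which is what a centralized C&C rendezvous looks like at the flow level. The internal address range, the thresholds and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space; flows between two internal hosts are ignored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def group_flows(flows):
    """flows: iterable of (timestamp_seconds, src, dst, dport) summaries, e.g. from NetFlow.
    Returns {(src, dst, dport): [timestamps]} for internal-to-external flows only."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, dport)].append(ts)
    return by_pair


def beaconing_pairs(by_pair, min_contacts: int = 5, max_cv: float = 0.15):
    """Pairs whose contact intervals are regular: a bot polls its C&C server on a timer,
    so the coefficient of variation of the gaps is small. Thresholds are assumptions."""
    flagged = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged.append((key, round(avg, 1), round(cv, 3)))
    return flagged


def shared_rendezvous(by_pair, min_hosts: int = 3):
    """External (server, port) pairs contacted by several internal hosts: the
    centralized-C&C signature the paragraph above describes."""
    hosts = defaultdict(set)
    for src, dst, dport in by_pair:
        hosts[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def build_sample_flows():
    """Constructed flow summaries: three hosts polling one IRC-port server roughly every
    300 s with a little jitter, and one host browsing a web server at irregular times."""
    flows = []
    jitter = [0, 3, -2, 1, -1, 2]
    for i, bot in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13")):
        for k in range(6):
            flows.append((1000 + 17 * i + 300 * k + jitter[k], bot, "203.0.113.50", 6667))
    for ts in (1000, 1004, 1130, 1131, 1500, 2400):
        flows.append((ts, "10.0.0.20", "203.0.113.80", 443))
    return flows


if __name__ == "__main__":
    pairs = group_flows(build_sample_flows())
    for key, avg, cv in beaconing_pairs(pairs):
        print(f"regular contacts {key}: every {avg}s (cv={cv})")
    for (dst, dport), srcs in shared_rendezvous(pairs).items():
        print(f"{len(srcs)} internal hosts share {dst}:{dport}: {srcs}")
```

Neither heuristic needs payload, so both still work when the channel is encrypted, and both produce leads rather than verdicts: a software update check is also a regular, widely shared contact.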

Detecting and Neutralizing the C&C Servers

Though detecting C&C traffic and eliminating all bots on a given local network is a step in the right direction, it still doesn’t allow the takedown of an entire botnet at once. To achieve this goal in a centralized botnet, access to the C&C servers must be removed. This approach assumes that the C&C servers consist of only a few hosts that are accessed directly. If hundreds or thousands of hosts are used in a fast-flux proxy configuration, it becomes extremely challenging to locate and neutralize the true C&C servers.

In work similar to BotHunter, researchers Gu et al. developed BotSniffer in 2008. This approach represents several improvements, notably that BotSniffer can handle encrypted traffic, since it no longer relies only on content inspection to correlate messages. A major advantage of this approach is that it requires no advance knowledge of the bot’s signature or the identity of C&C servers. By analyzing network traces, BotSniffer detects the spatial-temporal correlation among C&C traffic belonging to the same botnet. It can therefore detect both the bot members and the C&C server(s) with a low false positive rate [33].

Most of the approaches mentioned under “Detecting C&C Traffic” can also be used to detect the C&C servers, with the exception of the DNSBL approach [33]. However, their focus is mainly on detection and removal of individual bots. None of these approaches mentions targeting the C&C servers to eliminate an entire botnet.

One of the few projects that has explored the feasibility of C&C server takedown is the work of Freiling et al. in 2005 [34]. Although their focus is on DDoS prevention, they describe the method that is generally used in the wild to remove C&C servers when they are detected. First, the bot binary is either reverse-engineered or run in a sandbox to observe its behavior, specifically the hostnames of the C&C servers. Using this information, the proper dynamic DNS providers can be notified to remove the DNS entries for the C&C servers, preventing any bots from contacting them and thus severing contact between the botmaster and his botnet. Dagon et al. used a similar approach in 2006 to obtain experiment data for modeling botnet propagation, redirecting the victim’s connections from the true C&C server to their sinkhole host [35]. Even though effective, the manual analysis and contact with the DNS operator is a slow process. It can take up to several days until all C&C servers are located and neutralized. However, this process is essentially the best available approach for shutting down entire botnets in the wild. As we mentioned, this technique becomes much harder when fast-flux proxies are used to conceal the real C&C servers or a P2P topology is in place.

Attacking Encrypted C&C Channels

Although some of the approaches can detect encrypted C&C traffic, the presence of encryption makes botnet research and analysis much harder. The first step in dealing with these advanced botnets is to penetrate the encryption that protects the C&C channels.

A popular approach for adding encryption to an existing protocol is to run it on top of SSL/TLS; to secure HTTP traffic, ecommerce Web sites run HTTP over SSL/TLS, known as HTTPS. Many encryption schemes that support key exchange (including SSL/TLS) are susceptible to man-in-the-middle (MITM) attacks, whereby a third party can impersonate the other two parties to each other. Such an attack is possible only when no authentication takes place prior to the key exchange, but this is a surprisingly common occurrence due to poor configuration.

The premise of an MITM attack is that the client does not verify that it’s talking to the real server, and vice versa. When the MITM receives a connection from the client, it immediately creates a separate connection to the server (under a different encryption key) and passes on the client’s request. When the server responds, the MITM decrypts the response, logs and possibly alters the content, then passes it on to the client reencrypted with the proper key. Neither the client nor the server notices that anything is wrong because they are communicating with each other over an encrypted connection, as expected. The important difference is that unknown to either party, the traffic is being decrypted and reencrypted by the MITM in transit, allowing him to observe and alter the traffic.

In the context of bots, two main attacks on encrypted C&C channels are possible: (1) “gray-box” analysis, whereby the bot communicates with a local machine impersonating the C&C server, and (2) a full MITM attack, in which the bot communicates with the true C&C server. Figure 12.2 shows a possible setup for both attacks, using the DeleGate proxy [36] for the conversion to and from SSL/TLS.


Figure 12.2. Setups for man-in-the-middle attacks on encrypted C&C channels.

The first attack is valuable to determine the authentication information required to join the live botnet: the address of the C&C server, the IRC channel name (if applicable), plus any required passwords. However, it does not allow the observer to see the interaction with the larger botnet, specifically the botmaster. The second attack reveals the full interaction with the botnet, including all botmaster commands, the botmaster password used to control the bots, and possibly the IP addresses of other bot members (depending on the configuration of the C&C server). Figures 12.3–12.5 show the screenshots of the full MITM attack on a copy of Agobot configured to connect to its C&C server via SSL/TLS. Specifically, Figure 12.3 shows the botmaster’s IRC window, with his commands and the bot’s responses. Figure 12.4 shows the encrypted SSL/TLS trace, and Figure 12.5 shows the decrypted plaintext that was observed at the DeleGate proxy. The botmaster password botmasterPASS is clearly visible, along with the required username, botmaster.


Figure 12.3. Screenshot showing the botmaster’s IRC window.


Figure 12.4. Screenshot showing the SSL/TLS-encrypted network traffic.


Figure 12.5. Screenshot showing decrypted plaintext from the DeleGate proxy.

Armed with the botmaster username and password, the observer could literally take over the botnet. He could log in as the botmaster, then issue a command such as Agobot’s .bot.remove, causing all bots to disconnect from the botnet and permanently remove themselves from the infected computers. Unfortunately, there are legal issues with this approach because it constitutes unauthorized access to all the botnet computers, despite the fact that it is in fact a benign command to remove the bot software.

Locating and Identifying the Botmaster

Shutting down an entire botnet at once is a significant achievement, especially when the botnet numbers in the tens of thousands of members. However, there is nothing stopping the botmaster from simply deploying new bots to infect the millions of vulnerable hosts on the Internet, creating a new botnet in a matter of hours. In fact, most of the machines belonging to the shutdown botnet are likely to become infected again because the vulnerabilities and any attacker-installed backdoors often remain active, despite the elimination of the C&C servers. Botnet-hunting expert Gadi Evron agrees: “When we disable a command-and-control server, the botnet is immediately recreated on another host. We’re not hurting them anymore,” he said in a 2006 interview [37].

The only permanent solution to the botnet problem is to go after the root cause: the botmasters. Unfortunately, most botmasters are very good at concealing their identities and locations, since their livelihood depends on it. Tracking the botmaster to her true physical location is a complex problem that is described in detail in the next part of the chapter. So far, there is no published work that would allow automated botmaster traceback on the Internet, and it remains an open problem.


URL: https://www.sciencedirect.com/science/article/pii/B978012394397200012X

Reputation-Based Detection

Chris Sanders, Jason Smith, in Applied Network Security Monitoring, 2014

Common Public Reputation Lists

There are many public reputation lists available. Here are a few of my favorites, along with some pros and cons of each, and how they can best be utilized.

Malware Domain List

Regardless of the global concerns related to targeted attacks by sophisticated adversaries, the majority of an analyst’s day will be spent investigating incidents related to malware infections on their systems. Because of this, it becomes pertinent to be able to detect malware at both the host and network level. One of the easiest ways to detect malware at the network level is to use public reputation lists that contain IP addresses and domain names that are known to be associated with malware-related communication.

Malware Domain List (MDL) is a non-commercial community project that maintains lists of malicious domains and IP addresses. The project is supported by an open community of volunteers, and relies upon those volunteers to both populate the list, and vet it to ensure that items are added and removed from the list as necessary.

MDL allows you to query its list on an individual basis, or download the list in a variety of formats. This includes CSV format, an RSS feed, and a hosts.txt formatted list. They also provide lists that include only new daily list entries, and lists of sites that were once on the list but have now been cleaned or taken offline. MDL is one of the largest and most used reputation lists available.

I’ve seen many organizations that have had a great deal of success detecting malware infections and botnet command and control (C2) by using MDL as an input for reputation-based detection. The vastness of MDL can sometimes result in false positives, so an alert generated from a friendly host visiting an entry found on MDL isn’t enough by itself to automatically declare an incident. When one of these alerts is generated, you should investigate other data sources and a wider range of communication from the friendly host to attempt to determine if there are other signs of an infection or compromise.

You can learn more about MDL at http://www.malwaredomainlist.com.

Abuse.ch ZeuS and SpyEye Trackers

ZeuS and SpyEye are incredibly popular crimeware kits that are used by attackers to infect systems and perform a variety of malicious tasks (Figure 8.1). The kits themselves provide the ability to create malware that infects machines via drive-by download, eventually joining them to a botnet that the kit can be used to control. At one time, ZeuS was the largest botnet in the world, with SpyEye being one of its biggest competitors. Even though the creator of ZeuS announced in 2010 that he was retiring the source code, its public release has ensured that ZeuS infections remain prevalent today. SpyEye infections are also still very common, even though the creator of the software was allegedly caught and jailed in 2013.


Figure 8.1. Zeus Tracker

ZeuS Tracker and SpyEye Tracker are projects that track command and control servers on the Internet that are used to control Zeus and SpyEye infected machines. In addition to this, these services also track hosts that are infected with Zeus and SpyEye files, including those hosting drive-by download exploits. These lists allow for user submission, and list contents can be queried individually, or downloaded as a single list. These lists can be downloaded in a variety of formats, including by domain or IP only, or in the form of Squid, iptables, or host file block lists. They also maintain a list of recently removed entries.

I’ve found that both of these lists tend to be high quality with a minimal number of false positives when utilized for reputation-based detection. The way you handle the investigation of an alert generated by communication with a host on one of these lists depends upon the nature of the communication, and whether the friendly host appears to actually be infected with one of these types of malware.

You can learn more about the ZeuS Tracker at https://zeustracker.abuse.ch/, and SpyEye tracker at https://spyeyetracker.abuse.ch/.

PhishTank

A great number of targeted attacks begin with some type of phishing as the initial attack vector. Most organizations have more success detecting these types of compromises after this initial stage; however, the ability to know when users are being redirected to known phishing websites can be useful for early detection of an incident that is currently happening, or for a retrospective investigation of an incident that has already occurred.

PhishTank, operated by OpenDNS, is a free community-driven website that allows for the sharing of phishing related data. Once registered, users can submit links they’ve found that appear to be associated with phishing attempts. PhishTank is unique because it relies on community verification in addition to community submission. In order for any URL to appear on its list, it must be verified by a certain number of registered PhishTank users. Users who have successfully verified more URLs have more weight to their verifications, so it takes a smaller number of verifications from these more trusted users.

One especially useful feature is their web-based search that allows you to search based upon the “Targeted Brand”, or company name, that is being used for the phishing attack. If you happen to work for an organization that is frequently targeted for use in phishing schemes (such as a bank), then you can utilize the PhishTank list to derive adversaries who may be looking to prey on your customers.

PhishTank provides their list in a variety of formats, along with an API for integration with custom applications. While PhishTank doesn’t have a web-based forum, it does have open mailing lists for users and developers.

If you deploy PhishTank listings into a detection mechanism on your network, then you should pay special attention to everything that occurs immediately following a device’s initial visit to a known phishing site. Particularly, you will want to look for any additional redirections, the download of any executable content, or a user inputting their credentials into the site.

You can learn more about PhishTank at http://www.phishtank.com/.

Tor Exit Node List

Normally, when you communicate with a device on the Internet, such as a web server, your client browses directly to that device. For the web server owner, this results in the web server generating a log of the communication containing the client’s IP address. Additionally, if the web server is monitored by an NSM sensor, the client’s IP address will appear in other data sources such as packet capture data or session data.

One method commonly used to prevent a client’s true source IP address from showing up in these logs is a service like Tor. Tor is an open network that allows a user to mask their IP address so they can remain anonymous while accessing devices on the Internet.

When you browse to a web server utilizing a Tor client, your outbound traffic is routed to the Tor network instead of the destination web server. When this traffic is routed into the Tor network, it is eventually redirected to an exit node. It is the exit node that will actually initiate communication with the web server. This means that the logs generated by the web server and any NSM infrastructure will show the IP address associated with the Tor exit node rather than the actual client that initiated the communication. This process is illustrated in Figure 8.2.


Figure 8.2. Tor Communication Process

If someone attempts to anonymize his or her activities while communicating with a device on your network, then this would constitute a suspicious action and might be worth investigating. With that said, plenty of individuals utilize Tor for legitimate anonymization. Traffic originating from a Tor exit node might warrant some suspicion, but this factor alone is not enough on its own to draw any sort of conclusion during an investigation.

The detection of traffic sourced from the Tor network can be accomplished by implementing a listing of Tor exit nodes into a detection mechanism. One such list exists at blutmagie.de, and can be queried from the browser or downloaded in a CSV file.

You can learn more about the Tor Exit Node list at http://torstatus.blutmagie.de/.

Spamhaus Block Lists

Spamhaus is an international nonprofit organization that is devoted to tracking spam operations and sources on the Internet. They host multiple lists, including:

Spamhaus Block List (SBL) – A database of IP addresses from which Spamhaus does not recommend accepting e-mail.

Exploits Block List (XBL) – A database of IP addresses of hijacked systems infected by third party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of exploits.

Policy Block List (PBL) – A database of end-user IP address ranges that should not be delivering unauthenticated SMTP e-mail to any Internet mail server except those provided for specifically by an ISP for that customer’s use. This essentially prevents hosts that shouldn’t be sending mail from doing so. This is primarily used to help networks enforce their acceptable use policies.

Domain Block List (DBL) – A database of domains found in spam messages.

Don’t Route or Peer (DROP) – A listing of hijacked network blocks of IP space that are directly allocated to spam hosting operations. These are blocks of IP addresses that are typically forgotten about by network owners that get reclaimed by spammers through a variety of techniques including the registration of abandoned domain names to accept point-of-contact e-mails, or by document forgery or social engineering tactics. Spamhaus also provides an Extended DROP (EDROP) list, which contains everything in the DROP list, as well as IP addresses that it believes to be more generally associated with cyber crime, but not directly allocated to spam distributors.

The SBL, XBL, PBL, and DBL lists are available for free for non-commercial use. If you don’t meet these criteria, then you are required to purchase a subscription to these services. The DROP and EDROP lists, however, are free for use, which makes them good candidates for inclusion in reputation-based detection systems. The DROP/EDROP lists are well maintained as well, so they can be useful for detection of internal hosts who are communicating with known spam hosting systems.

Of particular interest is the DROP list’s integration with the Emerging Threats (ET) signature repository. ET maintains a set of Spamhaus DROP list detection signatures for use with either the Snort or Suricata intrusion detection systems. This really simplifies the implementation of this list.

While it isn’t entirely fruitful to utilize these lists to detect incoming spam, it might be worth knowing if a friendly host (other than a mail server) is communicating with systems that fall into the ranges typically used by spammers.

You can learn more about the Spamhaus lists at http://www.spamhaus.org/drop/.
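An added example, not from the book, of turning list entries into a detection pass over connection logs, covering the three list types discussed above (DROP-style netblocks, MDL-style malicious domains and a Tor exit node) and applying the caveat from the Spamhaus section that the organisation's own mail server is expected to exchange SMTP with spam netblocks. All list entries, IP addresses (RFC 5737 documentation ranges), domains and the log-line format are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed reputation data standing in for the real feeds (documentation address ranges
# and .example names are used so that nothing here is a live indicator).
DROP_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.128/25")]
MDL_DOMAINS = {"malware-drop.example", "cdn.badupdate.example"}
TOR_EXIT_IPS = {ipaddress.ip_address("203.0.113.200")}
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25")}  # assumed: the organisation's own MTA

# Assumed connection-log layout; adapt the pattern to the sensor's real format.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    source_list: str
    reason: str


def domain_listed(host: str, listed: set) -> bool:
    """True if the host or any parent domain (bare TLD excluded) is on the list, so that
    sub.malware-drop.example is caught by an entry for malware-drop.example."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels) - 1))


def check_line(line: str) -> list:
    m = LOG_RE.search(line)
    if not m:
        return []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport, host = int(m["dport"]), m["host"]
    alerts = []
    if any(dst in net for net in DROP_NETS):
        # The mail server exchanging SMTP with a spam netblock is expected; anything else is not.
        if not (src in MAIL_SERVERS and dport == 25):
            alerts.append(Alert(str(src), str(dst), "DROP", "friendly host contacting a DROP-listed netblock"))
    if host and domain_listed(host, MDL_DOMAINS):
        alerts.append(Alert(str(src), str(dst), "MDL", f"request for listed domain {host}"))
    if src in TOR_EXIT_IPS:
        alerts.append(Alert(str(src), str(dst), "TOR", "inbound connection from a Tor exit node"))
    return alerts


def scan(lines) -> list:
    """Each alert is a lead for the analyst to follow up, not an incident by itself."""
    return [alert for line in lines for alert in check_line(line)]


# Constructed log lines.
SAMPLE_LOG = [
    "2014-03-02T10:15:01 src=10.0.0.15 dst=192.0.2.44 dport=443",      # workstation -> DROP range
    "2014-03-02T10:15:09 src=10.0.0.25 dst=192.0.2.44 dport=25",       # the MTA delivering mail: suppressed
    "2014-03-02T10:16:30 src=10.0.0.15 dst=203.0.113.9 dport=80 host=sub.malware-drop.example",
    "2014-03-02T10:17:02 src=203.0.113.200 dst=10.0.0.80 dport=443",   # Tor exit -> internal web server
    "2014-03-02T10:17:40 src=10.0.0.16 dst=198.51.100.20 dport=80",    # outside the listed /25: no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.source_list}] {alert.src} -> {alert.dst}: {alert.reason}")
```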

Other Lists

A plethora of other IP and domain reputation lists are available. In fact, there are far too many to cover in this book. Other public lists you might want to look into include:

AlienVault Labs IP Reputation Database: http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/

MalC0de Database: http://malc0de.com/database/

SRI Malware Threat Center: http://www.mtc.sri.com/live_data/attackers/

Project Honeypot: https://www.projecthoneypot.org/list_of_ips.php

Emerging Threats Rules: http://www.emergingthreats.net/open-source/etopen-ruleset/


URL: https://www.sciencedirect.com/science/article/pii/B9780124172081000088

What is a PUP? (Select 3 answers.)

A potentially unwanted program (PUP) is a program that may be unwanted, despite the possibility that users consented to download it. PUPs include spyware, adware and dialers, and are often downloaded in conjunction with a program that the user wants.

Which of the following best describes malware that is disguised as a legitimate looking application?

Trojan malware – Malware disguised as what appears to be legitimate software. Once activated, Trojans will carry out whatever action they have been programmed to perform. Unlike viruses and worms, Trojans do not replicate or reproduce through infection.

Which of the following is malware that is specifically designed to allow attackers to access a system through a backdoor?

Rootkits are backdoor programs that allow a threat actor to maintain command and control over a computer without the user's knowledge. This access can potentially result in full control over the targeted system.

Which of the following malware programs disguises a harmful program within a seemingly safe software application?

Trojan: A type of malware that is disguised as a legitimate program or file. Trojans can damage your computer or give hackers access to your personal information.