Chapter 5, Malware; Chapter 6, Techniques Used by Hackers
Objectives:
Chapter 5 presents material on malware, which runs the
distance from pranks to seriously harmful programs. Objectives
important to this lesson:
Understanding computer viruses
Knowing how some viruses spread
Knowing something about virus scanners
Trojan viruses, and some popular ones
How spyware can become an issue
Defending your systems from these attacks
Concepts:
Chapter 5
This chapter continues the advice about the issues from Chapter 4. It
begins with a section on viruses. Most of us have seen a virus or
two, which made us into believers in safe software. The text
points out that a virus is a self-replicating program, but it does
not necessarily cause destruction. A virus spreads itself,
and that can be enough. The text mentions two classic methods for
replication:
The virus can compromise the email service
on a computer, mailing a copy of itself to every address found
in the email app's address book. The text explains that this is
an easy and common method. A famous virus called ILOVEYOU used
this method to great effect, as explained in this video. It arrived
as a VBScript attachment; once the user opened it, it mailed itself
to every entry in the Outlook address book. NOTE:
The video calls this virus a worm, which is debatable. A virus
requires that the user do something to trigger it, such as opening
the attachment. A worm does not: once a worm is in your system, it
continues to spread on its own. Both are malware; the difference is
whether a user has to help.
The text tells us that ILOVEYOU did not act destructively, but
this is not so: it overwrote image and script files on the infected
machine, as the video demonstrates. For more information
about ILOVEYOU, check out
this article.
The other method the text brings up is to get the user to click
on a program on a web page, to download and
run (open) a file, or to do something else
that the user thinks is harmless. The virus
writer has, of course, booby-trapped the harmless action.
We should note that viruses can be spread by other methods,
but they often fall into one of these two categories. Research has
shown that people who know better still do foolish or dangerous
things, like picking up a flash drive found in a parking lot and
plugging it into a computer at work to see what is on it. Plenty
of people at hacking conventions have had their computers
compromised this way.
The text offers a short list of virus types. A virus typically
has two tasks: replicate and damage.
Some viruses have historically been rather benign, just displaying
a message to the user. The ones that cause damage to a system are
often categorized by the method they use or the damage
they cause:
appender - an older type that writes its
malicious code to the end of an existing program (appends to
it), and places a jump at the beginning of the program so that
the virus code runs first (typically jumping back afterwards so
the program appears to work normally); this is also called a
file infector. Two variants of this type exist to avoid detection:
Swiss cheese infection - the virus code is
encrypted until it is run, and the decryption engine (code)
is stored in several segments scattered through the infected file
(in the holes of the Swiss cheese)
split infection - the virus code is encrypted,
like the version above, but the entire malware program
is broken into pieces, stored in various file
segments, and linked together when needed
resident (aka terminate-and-stay-resident)
virus - loads into RAM and stays there after its host program
exits, then does its damage when the user takes certain actions
through the operating system, such as running or copying other
programs
boot virus - infects the Master Boot Record
of a hard disk, which means the virus loads and runs the next
time the hard drive is used to boot the computer, before the
operating system does; some payloads go on to trash the hard drive
companion virus - found more on pre-Windows
systems, loads a program with the same name as a real
program but a different extension that the command interpreter
prefers (DOS runs PROGRAM.COM before PROGRAM.EXE), so the companion
(malware) program is run when the user tries to run the real
program from a command line
macro virus - a script virus that is
typically placed in a Microsoft Office file; it is written in
the Office macro language (VBA), so it runs only when the document
is opened in a Microsoft Office product
logic bomb - another
type of concealed malware is a logic bomb,
malware that waits for a logical condition to
occur before it executes its mission. A classic case was the Michelangelo
virus, which only delivered its payload on the birthday of Michelangelo
Buonarroti (which, as everyone knows, is March 6th).
The text mentions several viruses by name, but you should know
that the same virus may be called by a different name on the
information site of a different anti-virus product. The text
mentions Symantec (Norton Antivirus) and Sophos, and you should
know about several others. On the first day of an outbreak (the
"zero day," before anyone has a signature for it), you never know
which vendor will be the first with a virus description or a
solution to clean it off your network. How do you find out which
ones are good products? It often pays to look at yearly
independent reviews, such as this one from PC Magazine, The Best
Antivirus Software for 2023. (I am writing this
note in 2023. If you are reading this in the future, look for
recent reviews.)
The chapter also includes a discussion of ransomware, a class of
malware that prevents the use of your system, usually by encrypting
your data and programs. It typically informs you that you
are infected and that you must quietly pay the attacker to
make your system work again. It is not known how many systems have
been attacked, disabled, and restored by paying the
ransom. This type of extortion was mentioned in Chapter 4 as a
follow-up to a DDoS attack, but in that case the threat was that the
attack would continue.
The list of viruses presented in the text is a bit old. If you
want to know more about current threats, look for information at
Symantec, Sophos, McAfee, or your own favorite information site.
They frequently offer cleaning tools for current in-the-wild
malware, trying to make the point that if you were a subscriber,
you would have gotten their protection as soon as it was
available. When looking for a quick fix, check as many sites as
you can think of. Sticking to one is not as useful as checking
several reliable sources.
After the general virus section, the text tells us about Trojans,
programs that pretend to be good programs instead of
the troublemakers they actually are. A Trojan horse
is embedded in a file that may actually do something useful,
but it will typically attack you whenever it is ready to do so.
The author walks us through a program he uses for penetration
testing. It is essentially a script-kiddie kit for embedding malware
into an otherwise pleasant program. The only things the person
using it needs are the payload and the bait program. This is
as good a place as any to remind you that you are charged to use
your skills, knowledge, and powers for good, not evil. If the
defenders of Troy had seen anything like the mock-up in the image on
the right, they should have set it on fire on the beach. Do the
same: delete the attachment, the email that brought it, and the
horse it rode in on.
General information about malware types (the text calls them all
viruses): we'll start with the short version about Trojan horses.
Trojan horse - Trojan horse programs
are named for the myth
of a wooden horse that was used to smuggle Greek soldiers
inside the walls of Troy. A program of this sort has two
aspects: what we are told it does, and what it actually does. In
some cases, Trojans may do what they say, but
they also have a hidden malicious purpose, which is what puts
them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. The text gives an example of
a file that has a .exe extension, but the characters .docx occur
in the name immediately before it. If a Windows computer is
using the default (idiotic!) configuration, in which File
Explorer's "Hide extensions for known file types" option is
turned on, the actual .exe extension will be hidden from
the user, and the user may think it is only a Word document.
The text seems to discuss Trojans for several pages, but the
threats and capabilities it describes apply to other malware
types as well. The essence of a Trojan horse is that it deceives
the victim, not what it does after the deception.
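The double-extension trick above is easy to check for mechanically. The following is an added example (not code from the textbook or these notes) that reports what File Explorer would display with extensions hidden and flags names that look like disguised executables. The extension lists are assumptions covering common Windows types, not an exhaustive set, and the check for the Unicode right-to-left override character goes one step beyond the text: it catches the related trick of reversing the visible end of a filename so that "gpj.exe" reads as "exe.jpg".

```python
"""Spot attachment names that rely on Windows hiding the real extension.
Added example; extension lists are assumptions, not an exhaustive set."""
import os

# Types Windows will run when double-clicked (assumed, not exhaustive).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk",
}
# Types a user expects to be harmless data (assumed, not exhaustive).
DOCUMENT_EXTS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".zip",
}
RLO = "\u202e"  # Unicode right-to-left override


def displayed_name(filename: str) -> str:
    """What File Explorer shows with extension hiding on: the final
    extension is dropped, so 'invoice.docx.exe' appears as 'invoice.docx'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def suspicious_attachment(filename: str) -> list[str]:
    """Return the reasons a filename looks like a disguised executable;
    an empty list means nothing was found."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type {ext}")
        _, inner_ext = os.path.splitext(root)
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(
                f"disguised as {inner_ext}: displays as "
                f"'{displayed_name(filename)}' when extensions are hidden"
            )
    if RLO in filename:
        # Text after the override renders reversed, so 'photo' + RLO +
        # 'gpj.exe' is shown to the user as 'photoexe.jpg'.
        reasons.append("right-to-left override character hides the true extension")
    return reasons


# Constructed sample of attachment names (not from a real mailbox).
SAMPLE_NAMES = [
    "quarterly_report.docx",
    "invoice.docx.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "photo\u202egpj.exe",
    "setup.exe",
]


def scan_names(names) -> dict[str, list[str]]:
    """Map each flagged name to its reasons."""
    return {n: suspicious_attachment(n) for n in names if suspicious_attachment(n)}


if __name__ == "__main__":
    for name, why in scan_names(SAMPLE_NAMES).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}): {'; '.join(why)}")
```

The LOVE-LETTER-FOR-YOU.TXT.vbs name is the one ILOVEYOU actually used, and it trips the same rule as the textbook's .docx.exe example: a data-type extension immediately before an executable one.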
rootkit - A rootkit replaces or hooks parts of the operating
system, from user-mode utilities up to drivers and kernel code,
with its own. The rootkit obtains elevated privileges to carry out
its stealth actions by posing as a trusted part of the system,
often code that runs in kernel mode. By impersonating OS
components, the rootkit opens a door for lots of other malware.
How? Have you ever seen a movie about a robbery in which the
robbers send false information to security staff (like a video
loop) that shows all is well, while the robbers proceed to steal
whatever they want? That's kind of what a rootkit does. The
rootkit assumes the role of a trustworthy part of the operating
system. It stands between the user and security software on one
side, and the other malware that it loads, doing whatever it
wants, on the other side.
spyware - Spyware is typically a program that loads
with another program that the user wants. It may, or may not, be
a separate file. It gathers information about the user, which it
reports to its home base.
ransomware - Ransomware hides itself while it does its work, then
announces its intentions when it is done, which are to demand a
payment from the victim. If the payment is not made, files that
the ransomware has already encrypted (which could be the
entire hard drive) will be deleted, or will remain encrypted
until a higher payment is made later. The user is led to believe
that they have no other recourse, which may not be true, and that
their computer will be restored if the ransom is paid, which
also may not be true.
backdoor - This is a
general term for any method or software that allows access to a
system by other than normal means. The text mentions password
crackers, rootkits, services that make themselves available on a
known port, and hidden processes started by an attacker.
scareware - Software
that creates a sense of fear and urgency in the mind of the
victim, often to get them to buy a product that has no real
value. The video below discusses (at length) a particular
vendor who seems to be a classic example, making the lies told
to the victim scarier and scarier.
The text includes a separate category for covert
communication, which lists several methods. The
idea is to send information to an attacker without that
information being noticed. In the pages that follow, the text
discusses some related hacking programs:
key loggers - programs
that capture what is typed on a keyboard; a log of this
information is sent to or harvested by a hacker, often by
covert methods
port redirection - The
text discusses an example program, Netcat,
which can be used for several unclean and unsavory actions
across a network. This link will take you to an article on
GitHub about this utility. It shows you how to test ports, copy
files and folders, and capture traffic sent to a particular
port.
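Port redirection is the job Netcat is most often borrowed for: listen on one port and hand every connection to some other host and port, so that a service an attacker could not reach directly becomes reachable through the relay. The following is an added example, not code from the textbook or the linked article, of that redirector written with plain sockets. The "internal service" it forwards to is a constructed stand-in that echoes each request, so the whole exchange runs on localhost.

```python
"""Minimal TCP port redirector (what 'nc -l -p PORT | nc HOST PORT' or
socat does), plus a constructed target service to forward to.
Added example; not from the textbook or the Netcat article."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst so
    its peer learns nothing more is coming."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(port: int = 0) -> socket.socket:
    """Listening socket on localhost; port 0 asks the OS for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


def start_redirector(target: tuple[str, int], listen_port: int = 0) -> tuple[socket.socket, int]:
    """Accept connections on listen_port and splice each to target.
    Returns (listening socket, bound port); close the socket to stop."""
    lsock = _listener(listen_port)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:          # listening socket was closed
                return
            try:
                upstream = socket.create_connection(target)
            except OSError:          # target down: drop this client, keep serving
                client.close()
                continue
            # One thread per direction; each ends when its side closes.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def start_echo_service() -> tuple[socket.socket, int]:
    """Constructed stand-in for the service being exposed: reads one
    request and answers with 'echo: ' + request."""
    lsock = _listener()

    def serve() -> None:
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"echo: " + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def relay_round_trip(message: bytes) -> bytes:
    """Send message through the redirector to the echo service and
    return the reply exactly as the client sees it."""
    svc_sock, svc_port = start_echo_service()
    redir_sock, redir_port = start_redirector(("127.0.0.1", svc_port))
    try:
        with socket.create_connection(("127.0.0.1", redir_port), timeout=5) as client:
            client.sendall(message)
            client.shutdown(socket.SHUT_WR)    # client is done talking
            reply = b""
            while chunk := client.recv(4096):
                reply += chunk
        return reply
    finally:
        redir_sock.close()
        svc_sock.close()


if __name__ == "__main__":
    print(relay_round_trip(b"ping"))
```

The same shape, with the listener on an interface the attacker can reach and the target inside the network, is what "pivoting" through a compromised host looks like, and a listener that accepts connections on a port nobody provisioned is exactly the kind of thing the port scanning in Chapter 6 is meant to turn up.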
The text presents some thoughts about defense.
It begins with a warning that a virus can come in an email, on a
memory stick, on a disc, or by any other means that adds a new file
to a network or a computer. A network connection is not the only way
to pass a virus. This is worth remembering, as is the advice to clean
everything that is or has been in contact with a computer that has
been infected.
The buffer overflow attack is one most students have a hard time
with. The basic idea is that the attacker supplies more input than a
fixed-size buffer was written to hold, and the program copies it
anyway, so the extra bytes land in memory that was not supposed to be
available to the attacker. Depending on what sits there, the attacker
can change the value of a variable, plant a command (or an address
pointing at code) that gets executed, or simply crash the program,
which is the easiest outcome. Let's give
Professor Messer a chance to explain the concept.
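To make the mechanism concrete, here is an added example (not from the textbook or the video) of the simplest case: an unchecked copy that runs past a 16-byte buffer and lands on the variable next to it. It uses ctypes so the buffer and its neighbour have a real C memory layout rather than Python objects; the assumed layout (buffer followed by a privilege flag) and the names are the example's own. The flag stands in for whatever really sits beyond the buffer in a C stack frame, which is often the saved return address that lets an overflow turn into code execution.

```python
"""Buffer overflow in miniature: an unchecked copy spills into the
variable adjacent to the buffer. Added example; layout is assumed."""
import ctypes

BUF_SIZE = 16


class Frame(ctypes.Structure):
    """16-byte buffer immediately followed by a 4-byte flag, as a C
    compiler might lay out two neighbouring locals (assumed layout)."""
    _fields_ = [
        ("buf", ctypes.c_char * BUF_SIZE),
        ("is_admin", ctypes.c_uint32),
    ]


def frame_size() -> int:
    return ctypes.sizeof(Frame)


def _raw_write(frame: Frame, data: bytes) -> None:
    """Copy data into the frame starting at buf, with no regard for
    where buf ends; this is what strcpy() and gets() do."""
    src = (ctypes.c_char * len(data)).from_buffer_copy(data)
    ctypes.memmove(ctypes.addressof(frame), src, len(data))


def unsafe_copy(data: bytes) -> Frame:
    """Vulnerable version. The only bound applied is the size of the
    whole frame, so the demo cannot scribble on memory Python owns;
    a real program has no such guard and runs off the end of the stack."""
    frame = Frame()
    _raw_write(frame, data[: frame_size()])
    return frame


def fits_buffer(data: bytes) -> bool:
    """Room for the bytes plus the terminating NUL a C string needs."""
    return len(data) <= BUF_SIZE - 1


def safe_copy(data: bytes) -> Frame:
    """Fixed version: check the length before copying (the equivalent
    of strncpy/snprintf with the buffer size, or rejecting the input)."""
    if not fits_buffer(data):
        raise ValueError(f"{len(data)} bytes do not fit a {BUF_SIZE}-byte buffer")
    frame = Frame()
    _raw_write(frame, data)
    return frame


# Constructed attacker input: fill the buffer, then four bytes that
# land on is_admin. 0x01010101 is the same whatever the byte order.
OVERFLOW_INPUT = b"A" * BUF_SIZE + b"\x01\x01\x01\x01"

if __name__ == "__main__":
    print("normal input, is_admin =", unsafe_copy(b"guest").is_admin)
    print("overflow,     is_admin =", hex(unsafe_copy(OVERFLOW_INPUT).is_admin))
    try:
        safe_copy(OVERFLOW_INPUT)
    except ValueError as err:
        print("checked copy rejected it:", err)
```

Two things to take from it: the overflowing input is ordinary data, not code, and nothing in the vulnerable function "decides" to set the flag; the bytes simply continue past the buffer into whatever the compiler placed next. That is also why the crash is the easy outcome: almost any long input corrupts something, while a precise overwrite of a chosen value takes knowledge of the layout.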
The bottom line for this chapter is that you must think,
you must be suspicious, and you must use some
kind of protection against viruses and other
malware.
Chapter 6, Techniques Used by Hackers
Objectives:
Hacker methods
Hacker tools
Probable hacker mentality
Concepts:
This chapter begins with a section on how hackers might approach
a target. As a change, let me offer you a speech delivered by Rob
Joyce of Tailored Access Operations (TAO), a division of the NSA,
on defending against nation-state exploiters.
Mr. Joyce talks about the basics first: knowing the network, knowing
the vulnerabilities.
He lists the phases of an intrusion at 2:06, and continues to talk
about them in the presentation.
Reconnaissance - scanning, gathering public information,
figuring out who is important, figuring out what is actually in
use in the network, then researching functionality,
vulnerabilities, and exploits.
We should run our own penetration tests, and keep the results for
reference in the next test, because things are often not
corrected.
An APT will look for holes that were opened so a vendor could fix
something.
Initial Exploitation - spear phishing, watering-hole attacks,
exploiting a known CVE. Most intrusions start with an email carrying
a malicious payload, a visit to a compromised website, or
contaminated removable media.
Use technical enforcement of policies; don't rely on users
to do the right thing.
Establish Persistence - digging in, escalating privileges
Install Tools - tools to harvest and report, or to destroy, if
that's the objective
Move Laterally - find what you need in other locations in the
network
Collect, Exfiltrate, and Exploit - gather what you need, get
it where you want it, and get out. Worry about the attacker who
only wants to destroy.
His recommendation: disrupt the transitions between the phases
of the intrusion, taking all available actions at all levels.
The text continues with a discussion of port scanning. You
should read this section both for running diagnostics on your own
network and for recognizing when someone else is scanning it. The
author mentions that the most frequently used port scanner is
nmap, whether you are running Linux or Windows. This
link will take you to a large, publicly available graphic on the
nmap.org site that presents a list of nmap options,
organized by purpose. It should be in your
toolkit.
For those who are not familiar with the command, watch
this video, which shows the presenter using nmap and Wireshark.
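The simplest probe nmap performs is the TCP connect scan (nmap -sT): complete a three-way handshake on each port and classify it by what happens. The following is an added example, not code from the textbook or the video, that does exactly that with a small thread pool and grabs whatever banner a service volunteers. The listener it finds is a constructed service that announces itself with an SSH-style banner, so the scan runs entirely on localhost; the state names follow nmap's usage (open, closed, filtered).

```python
"""TCP connect scan with banner grabbing, the idea behind 'nmap -sT'.
Added example; the scanned service is constructed for the demo."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> tuple[str, str]:
    """Return (state, banner). 'closed' means the host actively refused
    (a RST came back); 'filtered' means no answer at all, which usually
    means a firewall dropped the SYN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", ""
        except OSError:                  # timeout or unreachable
            return "filtered", ""
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:                  # service waits for the client to speak
            banner = ""
        return "open", banner
    finally:
        sock.close()


def connect_scan(host: str, ports, workers: int = 50) -> dict[int, tuple[str, str]]:
    """Probe ports in parallel; returns {port: (state, banner)}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return dict(zip(ports, results))


def start_banner_service(banner: bytes = b"SSH-2.0-demo_1.0\r\n") -> tuple[socket.socket, int]:
    """Constructed listener that greets every client with a banner,
    as a real SSH or SMTP server would."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def reserved_closed_port() -> socket.socket:
    """Bind, but do not listen on, a free port: connections to it are
    refused, which gives the scan a guaranteed 'closed' result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock


def demo_scan() -> dict[str, str]:
    """Scan one open and one closed local port; summarise the findings."""
    svc_sock, open_port = start_banner_service()
    closed_sock = reserved_closed_port()
    try:
        closed_port = closed_sock.getsockname()[1]
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        return {
            "open": results[open_port][0],
            "banner": results[open_port][1],
            "closed": results[closed_port][0],
        }
    finally:
        svc_sock.close()
        closed_sock.close()


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(f"{key}: {value}")
```

A connect scan is noisy by design: every open port gets a full handshake and usually a log line on the target, which is why the video pairs nmap with Wireshark. Seen from the defender's side, a burst of connections to many ports from one address, most of them refused, is the signature to watch for.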
The text continues with a discussion of tools that can be used
for enumeration and other reconnaissance missions.
The text continues with a section about staging an attack. It
begins with a short, and inadequate, lesson in Structured Query
Language and relational data tables. The single page of this
information is not enough for you to understand SQL if you have
not already learned it. The more digestible part of the lesson is
that an attacker can craft input that the application pastes into
an SQL command, causing the attacker's SQL to be executed and
rewarding the attacker with information about the data tables
kept on the target system. Having some of that information, the
attacker can proceed to change data in those tables, such as
creating a new user, elevating privileges, or simply erasing data.
The concept, which is about all you will get from the text, is
explained very well in a Computerphile video by Tom Scott. He
explains the danger, the essence of the method, and how a good
programmer might defend against this attack.
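The following is an added example, not code from the textbook or the video, of the attack in the two forms the text describes: bypassing a login and reading the names and definitions of the tables on the target. The users table and its two rows are constructed for the demo in an in-memory SQLite database, and the parameterized version beside the vulnerable one is the defence a good programmer would use.

```python
"""SQL injection against a login query, with the parameterized fix.
Added example; the database contents are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            role TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES
            ('alice', 's3cret', 'admin'),
            ('bob', 'hunter2', 'user');
        """
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by pasting user input into it. The quotes
    around the placeholders are part of the SQL, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the SQL text is fixed and the driver hands
    the input over as data, so no input can change the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attacker inputs.
# 1. Make the WHERE clause always true:
#    ... AND password = '' OR '1'='1'
BYPASS_PASSWORD = "' OR '1'='1"
# 2. Learn the schema: UNION in rows from SQLite's catalogue table and
#    comment out the remainder of the original statement with --
SCHEMA_USERNAME = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"


if __name__ == "__main__":
    db = make_db()
    print("normal login: ", login_vulnerable(db, "alice", "s3cret"))
    print("bypass:       ", login_vulnerable(db, "anyone", BYPASS_PASSWORD))
    print("schema dump:  ", login_vulnerable(db, SCHEMA_USERNAME, "x"))
    print("safe, bypass: ", login_safe(db, "anyone", BYPASS_PASSWORD))
    print("safe, schema: ", login_safe(db, SCHEMA_USERNAME, "x"))
```

The schema query is the step the text calls "information about the data tables": on SQLite the catalogue is sqlite_master, on other engines it is information_schema, but the technique is the same. The data-changing attacks the text lists next (adding a user, elevating a role) need a second statement or an UPDATE reachable through the injected text, which SQLite's execute() refuses to run as a stacked query; the lookup and bypass shown here are what this example supports.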
The chapter looks like it switches into faster presentation,
giving us a paragraph about each of several attack methods that
are often mentioned in books, but rarely explained in them. Given
the level (2000) of this course, I will suggest the author is
correct, and let him move on.
The author does spend adequate time and space explaining the
OphCrack tool, and how it manages to grab the file in which a
Windows computer stores the hashes of its user passwords (the SAM
database). Read that section, Google the word "hash", and you will
see why the password file for a copy of Windows is usually secure
enough on its own: it holds one-way hashes rather than passwords,
and it is locked while Windows is running. (The hashes are not
salted, which is why OphCrack's precomputed tables work against
them.) He points out that OphCrack is limited to getting a login
for a user on the computer on which you are able to use that tool,
but explains how a bit of finesse can take one further.
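Why a stolen hash file still yields passwords, and what stops it, is easier to see in code. The following is an added example, not from the textbook, that contrasts an unsalted hash (one precomputed table cracks every machine, which is the idea behind OphCrack's rainbow tables) with a salted, deliberately slow hash that forces the attacker to start over for every account. It uses SHA-256 as a stand-in for the unsalted hash, since Windows' actual NT hash is MD4 over the UTF-16LE password and hashlib does not always provide MD4; the word list, accounts and PBKDF2 work factor are constructed for the demo.

```python
"""Precomputed-table cracking of unsalted hashes versus per-user salted
PBKDF2. Added example; SHA-256 stands in for the Windows NT hash."""
import hashlib
import os
from typing import Optional

# Constructed word list an attacker might precompute against.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Winter2023!"]
ITERATIONS = 100_000  # PBKDF2 work factor (assumed; real systems tune this)


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted Windows-style hash: the same password
    gives the same hash on every machine and for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(words) -> dict:
    """Precompute hash -> password once. A rainbow table stores this
    far more compactly, but the lookup it enables is the same."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """One dictionary lookup; no hashing at all at crack time."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Slow, salted hash: the salt makes every user's hash unique and
    the iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def register(password: str) -> tuple:
    """Store a fresh random salt next to the hash, as a sane system does."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted(stored: str, salt: bytes, words) -> Optional[str]:
    """The precomputed table is useless here: every guess must be
    re-hashed with this user's salt at the full work factor."""
    for w in words:
        if salted_hash(w, salt) == stored:
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted lookup:", crack_unsalted(unsalted_hash("hunter2"), table))
    salt_a, hash_a = register("hunter2")
    salt_b, hash_b = register("hunter2")
    print("same password, different hashes:", hash_a != hash_b)
    print("table against salted hash:", crack_unsalted(hash_a, table))
    print("brute force with the salt:", crack_salted(hash_a, salt_a, WORDLIST))
```

The second half is also why the "bit of finesse" the author mentions matters so much: once an attacker has the hashes, the only things standing between them and the passwords are salt, a slow hash, and the quality of the passwords themselves, and the Windows hashes OphCrack targets have none of the first two.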
The final sections of the chapter are not very useful. Take it on
faith that penetration testing is an actual job, that it requires
some people skills, and that you should never do it without a
written contract stating what you are going to do and who
authorized you to do it.