CIS2750 - Securing Information Systems

Chapter 5, Malware; Chapter 6, Techniques Used by Hackers


Chapter 5 presents material on malware, which runs the distance from pranks to seriously harmful programs. Objectives important to this lesson:

  1. Understanding computer viruses
  2. Knowing how some viruses spread
  3. Knowing something about virus scanners
  4. Trojan viruses, and some popular ones
  5. How spyware can become an issue
  6. Defending your systems from these attacks
Chapter 5

This chapter continues advice about the issues from chapter 4. It begins with a section on viruses. Most of us have seen a virus or two, which made us into believers in safe software. The text points out that a virus is a self-replicating program, but it does not necessarily cause destruction.  A virus spreads itself, and that can be enough. The text mentions two classic methods for replication:

  • The virus can compromise the email service on a computer, mailing a copy of itself to all addresses found in the email app's address book. The text explains that this is an easy and common method. A famous virus called ILOVEYOU used this method to great effect, as explained in this video. NOTE: The video calls this virus a worm, which is debatable. A virus requires that the user do something to trigger it. A worm does not. Once a worm is in your system, it continues to act on its own. All worms are malware, but not all viruses are worms.

    The text tells us that ILOVEYOU did not act destructively, but this is not so, as the video demonstrates. For more information about ILOVEYOU, check out this article.
  • The other method the text brings up is to get the user to click on a program on a web page, to download and run (open) a file, or to do something else that the user thinks is harmless. The virus writer has, of course, booby-trapped the harmless action.
  • We should note that viruses can be spread by other methods, but they often fall into one of these categories. Research has been done to show that people who know better still do things that are foolish or dangerous, like picking up a flash drive in a parking lot, then plugging it into a computer at work to see what is on the thing. Lots of people at hacking conventions have had their computers compromised this way.

The text offers a short list of virus types. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are often categorized by the method they use or the damage they cause:

  • appender - an older type that writes its malicious code to the end of an existing program (appends to it), and places an instruction at the beginning of the program that skips all the original program code, and executes the virus code instead of the desired program code; this is also called a file infector
    Two variants on this type, both exist to avoid detection:
    Swiss cheese infection - the virus code is encrypted until it is run, and the decryption engine (code) is stored in several segments in the infected file (in the holes of the Swiss cheese)
    split infection - the virus code is encrypted, like the version above, but the entire malware program is broken into pieces, stored in various file segments, and linked together when needed
  • resident (aka terminate-and-stay-resident) virus - loads into RAM, then does its damage based on actions the user takes through the operating system
  • boot virus - infects the Master Boot Record of a hard disk,which means the virus will load and run the next time the hard drive is used to boot the computer; typically the virus will trash the hard drive
  • companion virus - found more on pre-Windows systems, loads a program with a name similar to that of a real program, but with a preferred extension so the companion (malware) program is run when the user tries to run the real program from a command line
  • macro virus - a script virus that is typically placed in a Microsoft Office file; it is written in commands that only work in a Microsoft Office product
  • logic bombs - another type of concealed malware is a logic bomb, malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th).

The text mentions several viruses by name, but you should know that the same virus may be called by a different name on the informational site of a different anti-virus product. The text mentions Symantec (Norton Antivirus) and Sophos, and you should know about several others. On a zero day (the first day of a virus outbreak), you never know which vendor will be the first with a virus description or a solution to clean it off your network. How do you find out which ones are good products? It often pays off to look at yearly independent reviews, such as this one from PC Magazine, The Best Antivirus Software for 2023. (I am writing this note in 2023. If you are reading this in the future, look for recent reviews.)

The chapter also includes a discussion of ransomware, a class of virus that prevents the use of your system, probably by encrypting your data and programs. The virus typically informs you that you are infected and that you must quietly pay the virus writer to make your system work again. It is not known how many systems have been attacked, disabled, and made available again by paying the ransom.This type of attack was mentioned in Chapter 4 as a follow up to a DDoS attack, but in that case the threat was that the attack would continue.

The list of viruses presented in the text is a bit old. If you want to know more about current threats, look for information at Symantec, Sophos, McAfee, or your own favorite information site. They frequently offer cleaning tools for current, in the wild viruses, trying to make the point that if you were a subscriber, you would have gotten their offered protection as soon as it was available. When looking for a quick fix, check as many sites as you can think of. Sticking to one is not as useful as checking several reliable sources.

After the general virus section, the text tells us about Trojans, which are programs that pretend to be good programs, instead of the evil troublemakers they actually are. A Trojan Horse virus is embedded in a file that may actually do something useful, but it will typically attack you whenever it is ready to do so. The author walks us through a program he uses for penetration testing. It is essentially a script-kiddie-kit to embed a virus into an otherwise pleasant program. The only requirement is that the user has both the virus and the bait program already. This is as good a place as any to remind you that you are charged to use your skills, knowledge, and powers for good, not evil.If the defenders of Troy saw anything like the mock-up in the image on the right, they should have set it on fire on the beach. Do the same: delete the attachment, the email that brought it, and the horse it rode in on.

General information about virus types: we'll start with the short version about Trojan horses.

  • Trojan horse - Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.

    The text seems to discuss Trojans for several pages, but the threats and capabilities it describes apply to other malware types as well. The essence of a Trojan horse is that it deceives the victim, not what it does after the deception.
  • rootkit - A rootkit replaces all or parts of operating system files with its own. The rootkit obtains elevated privileges to carry out its stealth actions by impersonating files that run in kernel mode. By impersonating OS files, the rootkit opens a door for lots of other malware. How? Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want?That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware that it loads, doing whatever it wants on the other side.
  • spyware - Spyware is typically a program that loads with another program that the user wants. It may, or may not, be a separate file. It gathers information about the user, which it reports to its home base.
  • ransomware - Ransomware hides itself, but also announces its intentions when it runs, which are to demand a payment from the victim. If the payment is not made, files that the ransomware has already encrypted (which could be the entire hard drive) will be deleted, or will remain encrypted until a higher payment is made later. The user is led to believe that they have no other recourse, which may not be true,and that their computer will be restored if the ransom is paid, which also may not be true.
  • backdoor - This is a general term for any method or software that allows access to a system by other than normal means. The text mentions password crackers, rootkits, services that make themselves available on a known port, and hidden processes started by an attacker
  • scareware - .Software that creates a sense of fear and urgency in the mind of the victim, often to get them to buy a product that has no real value. This video below discusses (at length) a particular vendor who seems to be a classic example, making the lies told to the victim scarier and scarier.

The text includes a separate category for covert communication, which includes several methods listed. The idea is to send information to an attacker without that information being noticed. In the pages that follow, the text discusses some related hacking programs:

  • key loggers - programs that capture what is typed on a keyboard; a log of this information is sent to or harvested by a hacker, often being transmitted by covert methods
  • port redirection - The text discusses an example program, Netcat, which can be used for several unclean and unsavory actions across a network. This link will take you to an article on Github about this utility. It shows you how to test ports, copy files and folders, and capture traffic sent to a particular port.
The text presents some thoughts about defense. It begins with a warning that a virus can come in an email, on a memory stick, on a disc, or by any other means that adds a new file to a network or a computer.Network connection is not the only way to pass a virus. This is worth remembering, as is the advice to clean everything that is or has been in contact with a computer that has been infected.

The buffer overflow attack is one most students have a hard time with. The basic idea is that the attacker writes code in a place that is not supposed to be available to the attacker, attempting to change the value of a variable, plant a command that can be executed, or crash a computer, which is easier. Let's give Professor Messer a chance to explain the concept.

The bottom line for this chapter is that you must think, you must be suspicious, and you must use some kind of protection against viruses and other malware.

Chapter 6, Techniques Used by Hackers

  1. Hacker methods
  2. Hacker tools
  3. Probable hacker mentality

This chapter begins with a section on how hackers might approach a target. As a change, let me offer you a speech delivered by Rob Joyce of Tailored Access Operations (TAO), a division of the NSA, on defending from Nation State Exploiters.

Mr. Joyce talks about the basics first, knowing the network, knowing the vulnerabilities.

He lists phases of an intrusion at 2:06, and continues to talk about them in the presentation.

  • Reconnaissance - scanning, gathering public information, figuring out who is important, figuring out what is actually in use in the network, then research for functionality, vulnerability, and exploits.
    • we should run our own penetration tests, and keep them for reference in the next test, because things are often not corrected.
    • APT will look for holes opened for vendors to fix something.
  • Initial Exploitation - try spear phishing, waterholing, exploit a known CVE. most intrusions start with an email with a malicious payload, a visit to corrupted website, or contaminated removable media.
  • Establish Persistence - digging in, escalating privileges
  • Install Tools - tools to harvest and report, or to destroy, if that's the objective
  • Move Laterally - find what you need in other locations in the network
  • Collect, Ex-filtrate, and Exploit - gather what you need, get it where you want it, and get out. Worry about the attacker who only wants to destroy.

His recommendation: disrupt the transition between the elements of the intrusion, take all available actions at all levels.

The text continues with a discussion of port scanning. You should read this section for running diagnostics on your own network, and for watching for unauthorized traffic on the network using it. The author mentions that the most frequently used port scanner is nmap, whether you are running Linux or Windows. This link will take you to a large, publicly available graphic on the site that presents a list of options when using nmap, organized by purpose. It should be in your toolkit.

For those who are not familiar with the command, watch this video which shows the presenter using nmap and Wire Shark.

The text continues with a discussion of tools that can be used for enumeration and other reconnaissance missions.

The text continues with a section about staging an attack. It begins with a short, and inadequate, lesson in Structured Query Language and relational data tables. The single page of this information is not enough for you to understand SQL if you have not already learned it. The more digestible part of the lesson is that an attack can be staged that can cause an SQL command to be executed, rewarding the attacker with information about the data tables that are kept on the target system. Having some of that information, the attacker can proceed to change data in those tables, such as creating a new user, elevating privileges, or simply erasing data.

The concept, which is about all you will get from the text, is explained very well in the video from Tom Scott, back when he worked for ComputerPhile. Dr. Scott explains the danger, the essence of the method, and how a good programmer might defend against this attack.

The chapter looks like it switches into faster presentation, giving us a paragraph about each of several attack methods that are often mentioned in books, but rarely explained in them. Given the level (2000) of this course, I will suggest the author is correct, and let him move on.

The author does spend adequate time and space explaining the OphCrack tool, and how it manages to grab the file in which a Windows computer stores its user passwords. Read that section, Google the word "hash", and you will see how the password file for a copy of Windows is usually secure enough. He points out that OphCrack is limited to getting a login for a user on the computer on which you are able to use that tool, but explains how a bit of finesse can take one further.

The final sections of the chapter are not very useful. Take it on faith that penetration testing is an actual job, that it requires some people skills, and that you should never do it without a written contract stating what you are going to do and who authorized you to do it.