ITS 2110 - Introduction to Network Security

Chapter 2 -Malware and Social Engineering Attacks

Objectives:

This lesson introduces the student to two major types of attacks. Objectives important to this lesson:

  1. Malware, definition and common types
  2. Social engineering: psychological and physical
Concepts:

Chapter 2 is titled Malware and Social Engineering Attacks. It begins with an article that describes one sort of social engineering attack. The attackers (actually researchers) created accounts on Facebook and LinkedIn for a fictitious, attractive, female MIT graduate who supposedly worked in the IT security industry. The key to this approach was to make the lure believable, and to gain trust, and to ask for nothing at first. Eventually, male employees at a targeted security agency clicked on a link that loaded an executable to their computers, and the researchers gained access to the targeted system. It is interesting that when the project was tried in reverse, posting accounts with a fictitious male lure in search of female responders, there was no success. Perhaps the male lure should have been constructed by female researchers, or maybe the male employees who were duped should learn some things about women?

The author explains that most successful attacks contain elements of malware and social engineering. He states that "tricking the users into performing a compromising action" is the most cost effective approach to staging an attack. The story at the start of the chapter is not just entertaining. It is a cautionary tale, which should impress would-be professionals with the fact that they should act like professionals.

The term malware is introduced in this chapter. It means any software that does something harmful to a system. The text breaks malware into types by several methods. The author remarks that malware is often detected by its signature, the way its files are named, coded, or deployed. Malware authors know this, and have taken three approaches to avoiding this kind of detection:

  • oligomorphic - the program contains several versions of its code, each a bit different from the others; each time it executes, it can use one of these different versions of itself, but it will eventually repeat a version
  • polymorphic - the deployed version of the malware contains code that is scrambled/encrypted/camouflaged, that must be unscrambled before it is executed; in this way, the deployed package does not resemble the actual attacking package
  • metamorphic - the package rewrites its code when it is executed, making a new version of itself each time that will not be identical to known versions

The author then discusses malware at length, based on whether it falls into one of three (four?) types, which are based on the objectives the malware follows: circulating/infecting a system, concealing its actions, or bringing profit from its actions by its payload.

Circulating/Infecting Malware

The text lists circulating and infecting as two types of malware, but they are discussed as one. Infecting software is divided into viruses, worms, and Trojans. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:

  • appender - an older type that writes its malicious code to the end of an existing program (appends to it), and places an instruction at the beginning of the program that skips all the original program code, and executes the virus code instead of the desired program code; this is also called a file infector
    The text offers two variants on this type:
    swiss cheese infection - the virus code is encrypted until it is run, and the decryption engine (code) is stored in several segments in the infected file
    split infection - the virus code is encrypted, like the version above, but the entire malware program is broken into pieces, stored in various file segments, and linked together when needed

    Earlier versions of the text also listed these virus types:
  • resident (aka terminate and stay resident) virus - loads into RAM, then does its damage based on actions the user takes through the operating system
  • boot virus - infects the Master Boot Record of a hard disk, which means the virus will load and run the next time the hard drive is used to boot the computer; typically the virus will trash the hard drive
  • companion virus - found more on pre-Windows systems, loads a program with a name similar to that of a real program, but with a preferred extension so the companion (malware) program is run when the user tries to run the real program from a command line; this seems like it might have a resurgence in Windows Server 8 which has more command line features
  • macro virus - a script virus that is typically placed in a Microsoft Office file

Virus protection programs typically recognize viruses by signatures, the way they look. This recognition method is complicated by metamorphic viruses that change the way they look over time, and polymorphic viruses that change their signature and their encryption methods.

Worms are described on page 57. The text tells us a major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems without further human interaction. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.

Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.

Concealing Malware

The text discusses one type of malware whose first concern is remaining hidden from the user and from security personnel:rootkits. At first, a rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?

Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.

The intention of the rootkit programmer may not be malicious. Of course, that is possible with any program, but our concern here is about malware. The text discusses the example of Sony, who in 2005 put a rootkit installer on several of their audio CDs. The rootkit had the goal of preventing computer users from copying those CDs. Sony's intent was not malicious, but their rootkit changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse. As the saying goes, the road to hell is paved with good intentions.

Detection and removal of a rootkit can be difficult, but it is worth trying before following the text's scenario of formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an internet search for tools from the vendor of their choice.

Privilege escalation is a technique, not a type. The technique is commonly use by system administrators. They log in to networks with an ID that has normal privileges on the system, but they execute administrative tasks with an ID that has elevated privileges. Of course, these are authorized users who are supposed to do such things. When malware does this, it may do it in one of two ways. It may use an exploit to escalate its own privileges, or it may access the privileges of another account which are greater than its own.

Malware for Profit: Malware Noted by Its Capabilities

The text discusses some major and minor types in this category. The first is Spyware, described on page 60. It is defined as software that violates a user's security. More informatively, the text says that spyware typically has one of four missions: to install other software without the user's consent, collection of personal information such as browsing history, changing configuration settings, or collection of private information for sale or for the commission of fraud. The text proposes that if other software did what spyware does with the user's permission, that software would not be spyware. So the issue is not what it does, as much as the fact that it is done in secret, without the user's "notice, consent, or control".

A subcategory of spyware is keyloggers. Keyloggers can be implemented through hardware or software. The idea is that the program (or device) captures every key press the user makes, which can be analyzed later for by someone who reads the key log. Obviously, capturing IDs and passwords would be one use of such a product. Keeping a log of all activity on a computer would be another. Some viruses contain a key logging function which sends its log to the virus originator.

The chart on page 60 lists effects that spyware can have on a computer. Several of these items seem to be less related to spying than to leading the user to particular products and resources. As such, I would consider "spyware" to be an inappropriate label for the category. A better label is the next subcategory the text talks about, adware.

As its name suggests, adware is concerned with presenting advertisements to the computer user. Adware is universally disliked. At best, it presents an interruption or a distraction to the user. At its worst, it can crash programs or the operating system.

On page 62, the author discusses ransomware, which is described as software that disables or locks your computer until you pay a ransom to the hacker who created or exploited your computer with it.The infecting program may pretend to be from a government agency, an anti-virus company, or some other recognized and trusted source, which convinces a small percentage (3%) of computer users that they should pay the requested fee to have their computers cleaned of the "detected problem".

Deleting data is another common payload capability. The text mentions logic bombs on page 64, another type of concealed malware, as an example of malware that will delete data. A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). In other examples, some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find. It is also possible for a logic bomb to take actions other than deleting files.

Another payload effect is modifying system security. Disgruntled system administrators have been known to leave logic bombs in their own systems set to change security settings if they are not removed or reset by an arbitrary date. The intention is to disable the system if the administrator is not allowed to continue to manage the system. When a modification program is placed on a system by an attacker, it is more likely being done to open a back door, a new account that has elevated permissions which will give the attacker all desired access to the system.

The text notes that program developers may install back door access for themselves, to be used while the system is being developed and debugged. This is not malicious. It is an efficient means to access, repair, and improve the system. These back doors are not commonly left in place in the deployed versions of the programs, but they may be, which presents a vulnerability to attack.

The last payload category is one that will launch an attack. As a current example, the text discusses the concept of a botnet. This has been around for a while, but it is a refinement and step back from the others at the same time. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any kind of attack. The refinement is the creation of a network of infected machines on one mission. The step back is the brute force aspect of the attacks. The attacker (the bot herder) does not depend on finesse or subtlety, he uses more points of attack to meet his goal. Four types of botnet attacks are listed on page 66.

  • spam - Botnets can follow a script to send spam faster than an individual system can.
  • spreading malware - When an infection is being spread by a coordinated attack from a botnet it is much harder to stop.
  • poll (election) manipulation - Each zombie pretends to be one or many devices, changing the results of online voting.
  • denial of service - Any network can be disabled by too many requests, which is an easy attack for a botnet to stage.
Social Engineering Attacks

The text returns to social engineering on page 66. It begins with another story about people simply asking for access to a building and an office, and making a request for a password change. A primary aspect of social engineering is all about asking people for information they see no reason to keep secret.

Psychological Approaches

The table on page 67 lists six attitudes/approaches the social engineer might take when making a request for a password change.

  • authority - pretend to be someone who has the right to make the request
  • intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
  • consensus/social proof - tell a believable lie that others have granted this request in the past
  • scarcity -  tell the victim that you are short on time, or you have to get this before it can't be done
  • urgency -  tell the victim that you need this right now, and that you will complete the red tape later
  • familiarity/liking - act like one of the family, especially one who appreciate the work the victim does for the company
  • trust - use details about the organization to make it seem like you are a part of it

Someone who is practiced in manipulating people may be able to choose between these approaches easily, based on the attitude of the person on the other end of the phone, email, or messaging application.

The text mentions that basic information about target or a work site may be obtained from documents on a public facing website, a Facebook site, unshredded trash, or a phone call to the right person. More advice is offered on page 68:

  • ask for a little information from each of several people, building your required knowledge base without alerting the victims
  • ask for what the victim is likely to be able to provide; don't ask for something inconsistent with the victim's job or role
  • be pleasant and flattering, but in moderation
  • don't ask for so much that it raises suspicion about you
  • asking for help often triggers sympathy, thanking the victim helps them believe they have done something good

The text continues with a discussion of several other approaches under this heading.

  • impersonation - An attacker might impersonate anyone who might seem to belong in the environment being surveilled or attacked. It is common to impersonate a help desk employee when calling a victim. It is also common to impersonate an employee, a delivery person, or a repair person when the ploy calls for infiltrating a site.
  • phishing - Phishing is the solicitation of personal or company information, typically through an official looking email. Some variations on phishing:
    • spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
    • whaling - This is spear phishing but it focuses on big (wealthy or data rich) targets.
    • pharming - sending an email that takes the personn directly to a web site (the phisher's site) instead of asking the reader to follow a link
    • Google phishing - the phisher sets up a fake search engiine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)
  • spam - The section on spam, unsolicited emaill, seems out of place in this discussion. Most spam may only be looking for a customer, but some spam is sent with the intent to steal, abuse, and sell the payment information that a person might volunteer to provide.
  • hoaxes - In the larger sense, all social engineering involves a hoax of some kind. First the grifter finds a mark, then he tells the mark the tale, and offers the deal. In the sense that the text means here, a hoax is distraction from reality, such as when the attacker pretends that there is a virus outbreak that is affecting the potential victim. It sets the idea in the victim's mind that the attacker is trying to help and should be assisted in his/her efforts.
  • typo squatting - Most people are not great typists. Thee text explains that this is why other people (the bad ones) register domain names that are similar but not identical to real domains. They are hoping that the bad typists among us will misspell a URL and find ourselves on their site instead of the one we wanted, where we might volunteer information by trying to log in with credentials that can then be abused, sold, or ransomed. This technique is also called URL hijacking by the text.
  • watering hole attack - The attacker determines that targets in the company/agency often visit a particular web site, called the watering hole in this scenario. It may be easier to infect that site than to attack the individuals directly, and then to take advantage of the real target.

Physical Approaches 

  • dumpster diving - Attackers doing research on a company can learn a lot from the trash the company discards. The text provides a table on page 73 with seven suggestions about things to look for in a target's trash.
  • tailgating - The concept behind tailgating is simple. Someone who does not have authorization to pass through a secure entry point will gain access by simply following an authorized person through it, or by waiting for the door to open as someone exits through it. This might be done with or without the knowledge or cooperation of the authorized person.