This lesson presents material from chapter 10. Objectives
important to this lesson:
What is malware?
Viruses and worms
Trojan horse issues
Backdoors
Covert channels
Spyware, adware, scareware, ransomware
Concepts:
Chapter 10
This
chapter, like several others, should be familiar material to most
people in this class. It begins with a definition, telling us that
malware is a category that includes software that may be annoying, intrusive, bothersome, hostile, or destructive.
It includes software that only displays advertising or prank messages,
as well as software that has infected, disabled, or destroyed systems
and applications. More modern instances have been used to extort money from victims
(ransomware) or steal personal information or payment card information.
This list is not exhaustive, but it applies to many malware
intrusions.
The text goes into some detail about several types of malware.
The first two are viruses and worms.
viruses - A virus typically
requires a carrier to infect a system, like an email, an instant
message, or a program that the user runs. A virus typically has two
tasks: replicate and damage. Some viruses have historically been rather
benign, just displaying a message to the user. Others have been
extremely destructive.
worms - A worm does not need a carrier. Once it is started, it
replicates itself across connected computer systems on its own,
attacking any reachable computer on a network that an infected computer
is on, with no cooperation from the user. Worms are more dangerous because
of this self-driven nature. Once a worm is detected on a system, each
device on the network must be scanned for it, cleaned if necessary, and
kept off the network until this is done. Until that
cleaning is done, you run the risk of continued propagation of the worm.
The text discusses several more
types that are notable for their method of hiding from a user or an
investigator.
Trojan horse - Trojan horse
programs are named for the myth of a wooden horse
that was used to smuggle Greek soldiers inside the walls of Troy. A
program of this sort has two aspects: what we are told it does, and
what it actually does. In some cases, Trojans may do
what they say, but they also have a hidden malicious purpose which is
what puts them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. The text gives an example of a file
that has a .exe extension, but the characters .docx occur in the name
immediately before it. If a Windows computer is using the default
(idiotic!) configuration, in which Explorer's "Hide extensions for known
file types" option is turned on, the real .exe extension is hidden
from the user, who sees only a name ending in .docx and takes it for a Word document.
The text seems to discuss Trojans for several pages, but the threats
and capabilities it describes on pages 251 through 256 apply to other
malware types as well. The essence of a Trojan horse is that it
deceives the victim, not what it does after the deception.
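The double-extension trick above, as an added example that is not from the textbook: a small checker that reports file names dressed up as documents, and reconstructs what the victim would have seen with extensions hidden. It goes a little beyond the text's .docx.exe case by also catching padding (spaces inserted before the real extension) and the Unicode right-to-left override character, which are the same deception by other means. The extension lists are assumptions for the example, not a complete catalogue.

```python
# Added example (not from the textbook): flag file names built to fool a user whose
# Windows Explorer hides known extensions, e.g. "Invoice.docx.exe" shown as "Invoice.docx".

# Extensions Windows will execute or script when double-clicked (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Extensions a user expects to be harmless documents or media (assumed list).
DOCUMENT_EXTS = {"docx", "doc", "xlsx", "xls", "pptx", "ppt", "pdf", "txt",
                 "rtf", "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is drawn


def basename(path):
    """Last path component, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def displayed_name(path):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final extension is dropped if it is a registered (here: known) type."""
    name = basename(path)
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return name


def is_deceptive(path):
    """True if the real type is executable but the name is dressed up as a document.
    Catches double extensions (report.docx.exe), padding before the real extension
    (report.docx<many spaces>.exe), and the right-to-left override trick."""
    name = basename(path)
    if RLO in name:
        return True
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:
        return False          # at most one extension: nothing is being hidden
    outer, inner = parts[-1], parts[-2]
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def audit(names):
    """Return the suspicious names together with what the victim would have seen."""
    return [(n, displayed_name(n)) for n in names if is_deceptive(n)]
```

Run audit() over the names in a download folder or a mail attachment log; the second element of each pair is the name the user was shown, which is usually all they remember when you ask what they clicked.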
rootkit - A rootkit replaces or hooks all or parts of
the operating system (files, libraries, or kernel code)
with its own code. Installing it requires elevated privileges, which
the attacker must already have obtained; once installed, its code runs
as if it were a trusted part of the OS, in the worst case in kernel
mode, and that is what lets it hide. By impersonating OS components, the rootkit
opens a door for lots of other malware. How? Have you
ever seen a movie about a robbery in which the robbers send false
information to security staff (like a video loop) that shows
all is well, while the robbers proceed to steal whatever they want?
That's kind of what a rootkit does. The rootkit assumes the role of a
trustworthy part of the operating system. It will stand between the user
and security software on one side, and other malware
that it loads, doing whatever it wants, on the other side. Anything that
asks the OS which processes, files, or connections exist gets the
rootkit's answer instead of the truth.
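Because a rootkit lies to whoever asks the OS, one practical way to catch it is to ask the same question two different ways and compare the answers. The following added example (mine, not the textbook's) does that for processes on Linux: it takes the list of PIDs that /proc shows (the view that ps and top use) and compares it with the PIDs found by probing every number with signal 0. A user-mode rootkit that filters directory listings fools the first view but not the second. It is a heuristic: a kernel rootkit that also filters the kill() path defeats it, and processes that exit between the two views can produce a false positive, so run it twice before worrying. The 65536-PID probe limit is an assumption chosen to keep the scan fast.

```python
# Added example (not from the textbook): a "cross-view" check for processes hidden from
# /proc directory listings. Linux-only; a heuristic, not proof.
import os


def listed_pids():
    """PIDs as reported by listing /proc (the view ps, top and ls use)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(limit=1 << 16):
    """PIDs found by sending signal 0 to every number up to limit (no signal is
    delivered; the kernel just tells us whether the PID exists)."""
    if os.name != "posix":
        raise RuntimeError("signal-0 probing is only meaningful on POSIX systems")
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                # no such process
        except PermissionError:
            pass                    # exists, but belongs to another user
        found.add(pid)
    return found


def is_thread(pid):
    """A bare thread id answers kill(2) but is not a process: its Tgid differs from itself.
    /proc/<tid>/status is reachable by path even though readdir never lists it."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def cross_view_diff(listed, probed):
    """PIDs the kernel admits exist but the directory listing did not show (pure function)."""
    return sorted(probed - listed)


def hidden_processes():
    """Live check; a non-empty, repeatable result deserves a closer look."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = min(int(f.read()), 1 << 16)   # assumed cap so the scan stays quick
    except OSError:
        limit = 1 << 16
    suspects = cross_view_diff(listed_pids(), probed_pids(limit))
    return [p for p in suspects if not is_thread(p)]


def demo():
    """Self-test: on a clean Linux box our own PID shows in both views.
    Returns None where /proc is unavailable."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    listed, probed = listed_pids(), probed_pids(max(1 << 16, me))
    return {"self_visible": me in listed and me in probed,
            "hidden": [p for p in cross_view_diff(listed, probed) if not is_thread(p)]}
```

The same idea scales to files (compare readdir() with stat() of guessed names) and to network sockets (compare /proc/net/tcp with what a port scan from another machine finds); the tools that do this seriously are built from exactly these pairs of views.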
spyware - Spyware is typically a program that loads
with another program that the user wants. It may, or may not, be a
separate file. It gathers information about the user, which it reports
to its home base.
ransomware - Ransomware hides itself while it works, but
announces itself once it is done, which is when it demands a payment
from the victim.
If the payment is not made, files that the ransomware has already
encrypted (which could be the entire hard drive) will be deleted, or
will remain encrypted until a higher payment is made later. The user is
led to believe that they have no other recourse, which may not be true,
and that their computer will be restored if the ransom is paid, which
also may not be true.
backdoor - This is
a general term for any method or software that allows access to a
system by other than normal means. The text mentions password crackers,
rootkits, services that make themselves available on a known port, and
hidden processes started by an attacker.
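The "service that makes itself available on a known port" kind of backdoor is the easiest of the four to check for, because the kernel keeps an honest list of listening sockets (unless a rootkit is also involved). This added example, not from the textbook, reads that list in the /proc/net/tcp format Linux uses and reports any listener whose port is not on an allow-list of ports the machine is supposed to serve. The sample table is constructed for the example, not captured from a real host; on Windows the same comparison is done against netstat -ano output.

```python
# Added example (not from the textbook): spot a backdoor listening on a known port by
# diffing LISTEN-state sockets against an allow-list. Linux publishes the table in
# /proc/net/tcp: addresses as hex in host byte order (little-endian on x86/ARM),
# ports as hex, state 0A = LISTEN.
import socket
import struct

LISTEN = "0A"

# Constructed sample (not from a real host): sshd on 22, a web server on 443,
# an unexplained listener on 4444 owned by uid 1000, and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18340 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22901 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A1F2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 23002 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22) on a little-endian host."""
    hexip, hexport = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    """Rows of (ip, port, state, uid, inode) from a /proc/net/tcp-format table."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = decode_addr(f[1])
        rows.append((ip, port, f[3], int(f[7]), int(f[9])))
    return rows


def unexpected_listeners(rows, allowed_ports):
    """Listening sockets on ports nobody signed off on, with the owning uid."""
    return [(ip, port, uid) for ip, port, state, uid, _ in rows
            if state == LISTEN and port not in allowed_ports]


def live_unexpected_listeners(allowed_ports):
    """Same check against the running kernel (Linux only)."""
    with open("/proc/net/tcp") as f:
        return unexpected_listeners(parse_proc_net_tcp(f.read()), allowed_ports)
```

The uid matters as much as the port: a listener owned by an ordinary user account on a server that is supposed to run only system services is suspicious even on an "allowed" port. Repeat the check for /proc/net/tcp6 and /proc/net/udp, or the attacker simply picks the table you did not read.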
scareware -
Software that creates a sense of fear and urgency in the mind of the
victim, often to get them to buy a product that has no real value. The
video below discusses (at length) a particular vendor who seems to be a
classic example, making the lies told to the victim scarier and scarier.
On page 258, the text starts a separate category for covert communication, which includes
several methods listed at the bottom of that page. The idea is to send
information to an attacker without that information being noticed. In
the pages that follow, the text discusses some related hacking programs:
key loggers -
programs that capture what is typed on a keyboard; a log of this
information is sent to or harvested by a hacker, often being
transmitted by covert methods.
port redirection -
The text discusses an example program, Netcat, which can be used for
several unclean and unsavory actions across a network. This
link will take you to an article on GitHub about this utility. It
shows you how to test ports, copy files and folders, and capture
traffic sent to a particular port.
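Port redirection is the Netcat trick worth understanding, because it is how an attacker makes a blocked service reachable through a port the firewall does allow, or relays through a compromised host to reach a machine they cannot connect to directly. This added example is not from the textbook or the linked article: it is the same redirection written in plain Python so the mechanics are visible. Every connection to the listening port is relayed byte-for-byte, in both directions, to a target host and port until either side closes. The echo server and the port numbers (chosen by the OS) exist only so demo() can run offline on localhost.

```python
# Added example (not from the textbook): a TCP port redirector of the kind the text
# attributes to Netcat, plus a throwaway echo server to redirect to.
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on with a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target):
    """Join one accepted client to a fresh connection to target and pump both ways."""
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()


def start_redirect(target, listen_host="127.0.0.1", listen_port=0):
    """Listen on listen_host:listen_port (0 = any free port) and redirect to target.
    Returns the listening socket and the bound port; close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:        # listening socket closed: shut down quietly
                return
            threading.Thread(target=relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Stand-in for the real service behind the redirect: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                pump(conn, conn)   # echo: read and write the same socket until EOF

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload=b"hello through the relay"):
    """Send payload client -> redirector -> echo server and return what came back."""
    echo, echo_port = start_echo_server()
    redirect, relay_port = start_redirect(("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)         # done talking; wait for the echo
            received = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        redirect.close()
        echo.close()
```

From the defender's side, the tell is a process holding two connections whose traffic is byte-identical in opposite directions, and a listening port that belongs to no installed service: exactly what the listening-port check earlier in these notes is for.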
The text presents some thoughts about defense. It
begins with a warning that a virus can come in an email, on a memory
stick, on a disc, or by any other means that adds a new file to a
network or a computer.
Network connection is not the only way to pass a virus. This is worth
remembering, as is the advice to clean everything that is or has been
in contact with a computer that has been infected.
In a well managed
environment, users would not be allowed to install any software except
by approved means, and even then only curated programs that had been
examined, tested, and approved by properly trained staff.
Antivirus software is highly recommended. There are
many well known vendors. The text does not list any brands. A
list of ten brands is reviewed in this
article from PC Magazine. I have enjoyed their reviews for many
years. The text explains that most antivirus products examine files and
processes in memory for similarities to the code signatures of
known viruses. If you buy and install an antivirus product, you
typically have a one year subscription to their updated signature files
which should be downloaded to your computer frequently to maintain the
best protection available for that product.
Some products also feature heuristic
scanning, which means
that the antivirus program can look for activity in the system that
matches the known activities of viruses. This is different from looking
for a similarity to a known program itself. It offers a second line of
defense that can be valuable.
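The two detection styles described above, signature scanning and heuristic scanning, side by side in one small scanner. This is an added example, not from the textbook or any vendor's product. A signature match asks "is this a byte pattern or file hash I have seen before?"; the heuristics ask "does this look or behave like malware?" even when nobody has seen it. The signature list is constructed for the example: it contains the EICAR test string, a harmless file that antivirus vendors agree to flag so products can be tested, plus the hash of a made-up sample. The suspicious-command strings and the entropy threshold are assumptions to tune for your environment.

```python
# Added example (not from the textbook): signature matching and simple heuristics in one scanner.
import hashlib
import math

# The EICAR test string (harmless by agreement among antivirus vendors).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Byte-pattern signatures: name -> bytes that must appear somewhere in the file.
PATTERN_SIGNATURES = {"EICAR-Test-File": EICAR}

# Hash signatures: exact sha256 of a whole file seen before (constructed sample, not real malware).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 constructed sample for this example, not real malware"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Sample.A"}

# Heuristic strings: commands ransomware commonly runs to prevent recovery (assumed list).
SUSPICIOUS_STRINGS = {
    "deletes volume shadow copies (ransomware habit)": b"vssadmin delete shadows",
    "disables Windows recovery": b"bcdedit /set {default} recoveryenabled no",
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; text sits near 4-5, packed or encrypted data near 8
ENTROPY_MIN_SIZE = 1024   # entropy of tiny inputs is meaningless


def shannon_entropy(data):
    """Average bits of information per byte: 0.0 for empty or single-valued data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_bytes(data):
    """Return a list of (kind, description) findings; an empty list means 'nothing known'."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        findings.append(("signature", HASH_SIGNATURES[digest]))
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            findings.append(("signature", name))
    lowered = data.lower()
    for why, needle in SUSPICIOUS_STRINGS.items():
        if needle in lowered:
            findings.append(("heuristic", why))
    ent = shannon_entropy(data)
    if len(data) >= ENTROPY_MIN_SIZE and ent > ENTROPY_THRESHOLD:
        findings.append(("heuristic", f"high entropy {ent:.2f} bits/byte: packed or encrypted"))
    return findings


def scan_file(path):
    """Whole-file scan; for very large files read in chunks and scan each one."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())
```

Notice what each half cannot do: the signature half is blind to any file not already in its lists, which is the zero-day problem the text raises next, and the heuristic half will flag legitimate compressed archives and backup scripts, which is why products let you review and release quarantined files rather than deleting them outright.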
In both cases, protective software products mainly guard
against known threats. A new virus that exploits a
vulnerability nobody has reported yet, so that no signature for it
exists, may not be detected by such a product. The text
refers to an attack from such a virus as a zero-day attack,
meaning that victims, and the world in general, have had zero days of
notice about the vulnerability. For this reason, it is best to update your
antivirus and anti-adware signature files every time there is an update
from your vendor. It is also important to practice safe computing:
do not expose your computer to hazards that can be avoided.
Configure your protective software to scan new files that
are added or downloaded to your computer. Your text refers to this as
using the shield function of the product.
Run regular scans on the entire hard drive.
Update signature files often, but be aware that a
new signature file means that a new exploit may have been attacking
computers for an unspecified amount of time.
Review items that the protective software has placed in the
vault (or quarantine) area it has set aside
for detected threats. Files in this area are not trophies. They are
live threats stored in a part of the hard drive where they,
theoretically, cannot be executed. This area is available for
examination by forensic staff who are looking for clues or data about
the infection.
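What "stored where it cannot be executed" means in practice, as an added example that is not from the textbook or any vendor's product: the detected file is copied into the vault under its hash, the copy is masked so that neither a double-click nor a later rescan treats it as the original, every execute bit is stripped, and a JSON record keeps the facts forensic staff will want (original path, hash, size, detection name, time). The XOR mask and the file layout are assumptions for this example; real products use their own formats, but the goals are the same.

```python
# Added example (not from the textbook): a minimal quarantine vault with a forensic record.
import hashlib
import json
import os
import stat
import tempfile
import time

MASK = 0xA5  # assumed trivial XOR mask: not secrecy, just keeps the vault copy from being runnable


def _xor(data):
    return bytes(b ^ MASK for b in data)


def quarantine(path, vault_dir, detection):
    """Move a detected file into vault_dir as a masked, non-executable copy plus a JSON record."""
    os.makedirs(vault_dir, exist_ok=True)
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    blob = os.path.join(vault_dir, digest + ".quar")
    with open(blob, "wb") as f:
        f.write(_xor(data))
    os.chmod(blob, stat.S_IRUSR)            # owner read-only: no execute bit for anyone
    record = {
        "original_path": os.path.abspath(path),
        "sha256": digest,
        "size": len(data),
        "detection": detection,
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(blob + ".json", "w") as f:
        json.dump(record, f, indent=2)
    os.remove(path)                          # only after the vault copy is safely written
    return record


def extract_for_analysis(blob, out_path):
    """Recover the original bytes for an analyst (never back to the original path);
    the output gets no execute bit either. Returns the sha256 so it can be verified
    against the record."""
    with open(blob, "rb") as f:
        data = _xor(f.read())
    with open(out_path, "wb") as f:
        f.write(data)
    os.chmod(out_path, stat.S_IRUSR | stat.S_IWUSR)
    return hashlib.sha256(data).hexdigest()


def demo():
    """Quarantine a constructed (harmless) file in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "invoice.docx.exe")
        with open(bad, "wb") as f:
            f.write(b"MZ constructed sample for this example, not real malware")
        vault = os.path.join(root, "vault")
        rec = quarantine(bad, vault, "Constructed.Sample.A")
        blob = os.path.join(vault, rec["sha256"] + ".quar")
        out = os.path.join(root, "analysis.bin")
        return {
            "original_removed": not os.path.exists(bad),
            "vault_mode": stat.S_IMODE(os.stat(blob).st_mode),
            "roundtrip_ok": extract_for_analysis(blob, out) == rec["sha256"],
            "record": rec,
        }
```

The hash in the record is what you search for on the vendor's site and in your other machines' logs; the original path tells you which user and which download or mailbox to look at next.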
Consult the website of your vendors for data about known
exploits, new updates, and new signature files to protect against
recent attacks.
When there has been a successful infection of a machine under
your protection or responsibility, try this procedure:
Disconnect the affected computer from the network.
This means wired and wireless connections.
Use a clean computer to download a cleaning tool
from a trusted vendor. Install or save it on
removable media.
Use the removable media to run or install
the cleaning tool on the infected computer.
Scan, quarantine, and clean the
infected computer if all three are possible.
Follow special instructions for the situation at
hand. In the early days of a new virus, it is less likely that a simple
scan and clean will be all you need to do.
Assignments
Lab 5 is due this week, and Lab 6 is assigned, due next week.