100%(1)100% au considerat acest document util (1 vot)
32 vizualizări25 pagini
This document discusses various types of malware and analysis techniques. It defines malware as malicious software that can harm computers. Various types of malware are described, including viruses, worms, trojans, spyware, and backdoors. Live analysis techniques like using existing system software are contrasted with dead analysis using disk images. Ways people can get infected, why malware is created, and countermeasures are also outlined.
This document discusses various types of malware and analysis techniques. It defines malware as malicious software that can harm computers. Various types of malware are described, including viruses, worms, trojans, spyware, and backdoors. Live analysis techniques like using existing system software are contrasted with dead analysis using disk images. Ways people can get infected, why malware is created, and countermeasures are also outlined.
This document discusses various types of malware and analysis techniques. It defines malware as malicious software that can harm computers. Various types of malware are described, including viruses, worms, trojans, spyware, and backdoors. Live analysis techniques like using existing system software are contrasted with dead analysis using disk images. Ways people can get infected, why malware is created, and countermeasures are also outlined.
Contents Analysis Techniques Introduction to Malware Dangers of Malware How We Can Get Infected with Malware? Why People Write Malware? Types of Malware Cookies Spyware Viruses Worms Trojan Horse Backdoors Rootkits Bots and zombies Countermeasures to Malware Problem Effects of Malware to Forensic Investigation Types of Analysis Techniques
Live Analysis Dead Analysis
Use software that existed on Use no software that existed the system during the on the system during the timeframe being investigated timeframe The system is kept running and The system is powered off, the incident response members image copy of hard disk was used the OS and other made. The image was analyzed applications to view log files etc in a lab using trusted OS and Live analysis techniques rely on applications. applications that could have been modified to produce false data. Live Analysis Mostly associated with incident response Also include everyday anti-virus scanning of file systems Live analysis is used when: It is costly to power off the system and boot into the trusted environment every time data needs to be analyze. Example: A server could not be switched off for hours So as not make the user suspect that there is an investigation under way Malware short for malicious software. It is any program or file that is harmful to a computer user (or computer?). It can cause damage to a single computer, a server or a computer network. Dangers of Malware Capturing keystrokes Stealing passwords Stealing data and information (search and copy files) Remotely restarting operating systems Gaining the list of running processes and applications Starting and stopping running processes and applications Perform any administrative functions with administrative privileges
All these result in computers taken offline, stolen confidential
data and information or even deleted data. How We Can Get Infected With Malware Below are some of the ways: comes bundled with freeware or shareware programs. These malware programs usually pop-up ads, send revenue from the ads to the program's authors. Installed from websites, pretending to be software needed to view the website. Installed themselves through holes in Internet Explorer like a virus would.Visiting an infected web page will cause a user to get infected. Why Do People Write Or Come Up With Malware? To cause harm To test skills Revenge For fun/take up challenge Types of Malware Cookies - Cookie is a text file on computer which contains information that identifies users to a particular website. Spyware - Spyware is any program that aids in gathering information from infected system without the user's knowledge. Viruses - This is the most known malware category. In this category we have programs that can reproduce themselves.Viruses need user interaction to propagate. Worms - This type of programs can self-propagate via a network and Internet. Trojan horses - This is software that does something other than its apparent functionality. Rootkits and back doors - Programs designed to infiltrate a system, hide their own presence and provide administrative and monitoring control to attacker. Bots and zombies - These programs are very similar to rootkits. They are focused on usurping the victim systems resources to perform a specific task (DoS attack, spam attack). Cookies Cookies are a legitimate tools used by many websites to track visitor information. They can be used to track web surfing habits across many different websites without informing tracked users. Cookies are the lowest form of malware and are typically considered as an invasion of privacy. Spyware Is any software which employs a user's Internet connection without user's knowledge or his explicit permission. Used for spying, capturing information or even for transmitting confidential information. Spyware programs are installed as cookies, entries in windows registry and as executable files on infected computer. Malicious act of spyware: Capable of capturing screen shots turn on the local microphone track user's web browsing habits search hard drives and report back what programs are installed on infected computer forward copies of sent and received electronic mails to unknown address. stealing e-mail client's address book (could be used for spamming), login names, passwords, credit card numbers, etc. Spyware Spyware often works in conjunction with toolbars. It may use a program that is always running in the background or it may be integrated into Internet Explorer to collect data. It often run undetected. Adware is mildest form of spyware. Main adware function is to track user's habits and then based on the collected information pulls the adequate ads to the specific users. Example : CoolWebSearch spyware Viruses and Worms most known/popular forms of malware today. Viruses: Self-replicating programs Needs a host. It attaches themselves to executable files, and can delete data from hard drives and crash the infected computer whenever virus program is started. Worms: Programs that use security holes and computer networks for self- propagation. Worm scans the computer network for another computer with specific security hole (vulnerability). After that, it copies itself to that computer and starts to propagate from there. Example : ILOVEYOU virus, Code Red worms Viruses and Worms The most important qualities for this type of malware are: ◦ Propagation mechanism : mostly e-mail attachments and software vulnerabilities ◦ Propagation mode: self-propagation and remote control of the infected computers with additional use of trojan horses, back doors, rootkits, bots and zombies. ◦ Insertion points : refer to the locations where the files and data in the payload that actually execute the Virus or Worm functionality are installed or hidden. Normally viruses write values to the ˝Run˝ keys in the Windows Registry in order to ensure the code will restart at the next logon. The ˝Run˝ keys in the Windows Registry are at: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Trojan horse is a malicious program that is disguised as legitimate software provide apparently useful functions to the user, and at the same time, open a network port on a victim computer Malicious acts include: managing files on the victim computer managing processes remote activation of commands intercepting keystrokes watching screen images restarting and closing down infected hosts. connect themselves to their originator Trojan Horse Propagation: mostly propagate via email. Usually found within email attachments, to exploit vulnerabilities of the email client. bound into other programs. Example: NetBus, SubSeven and Back Orifice. Backdoor A backdoor is a method of bypassing normal authentication procedures. A program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. Backdoor may also be installed prior to malicious software to allow attackers entry. Crackers typically use backdoors to secure remote access to a computer while attempting to remain hidden from casual inspections. Backdoor It removes the evidence of initial entry from the systems log. It will allow a hacker to retain access to a machine it has penetrated even if the intrusion factor has been detected by the system administrator. Example: default BIOS, router or switch passwords set either by careless manufacturers or security administrators. Rootkit Rootkit is a collection of tools used by an intruder to hide his presence in an attacked system. It is usually used by attacker to conceal his presence on a compromised system. It enables administrator-level access to a computer or computer network. A rootkit is typically installed on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. After successful rootkit placing, attacker has a possibility to return undetected at some time later. Example: Hacker Defender, FU Rootkit,Vanquish and AFX. Bots and Zombies Bot term is derived from ˝robot˝ and has referred to a program that performs predefined actions in an automated fashion on unmonitored IRC (Internet Relay Chat) channels. A computer which is infected with one malware may end up hosting a bot. IRC connection is very important, because it is primary mechanism for controlling majority bots today. Zombie : a group of computers under the control of an attacker. Malicious acts: ◦ Spam ◦ Distributed denial of service (DDoS) attacks ◦ Harvest valuable information ◦ Secondary infection ◦ Laundered connections and hosting Some of the most popular bots in use today are: Agobot, AttackBot, SubSeven, etc. Countermeasures to Malware Problem Keep up to date on all relevant software security patches. (Use of Windows Automatic Updates is recommended.) Use of anti-virus protection software (with daily updates). Use of anti-spyware protection software (with daily updates). Use of software firewalls. Use of suitable settings in web browsers. Change Windows default configuration. Obligatorily testing on malware presents for all from Internet acquired programs, before their use in standalone systems or in network environment. Countermeasures to Malware Problem Regular make of safety copies for critical systems. Use of policy which prevents opening of unsolicited electronic mails and mail attachments from unknown users. Filtering of electronic mail with certain mail attachments (.exe, .vbs, .pif, .com, .scr) For daily use, it isn't recommended using of administrative privileges. Never use account with administrative privileges on system that you will use to browse the Internet or read electronic mail. Education and increasing awareness of user's. Disable unneeded build-in programming interfaces (ActiveX controls, VBScripts, JavaScripts programs, etc.) How Malware May Affect Digital Investigation Modify OS, could allow attacker access to the system Change file size Cause files to be invisible from searches/ list command Change file checksum Supply false information during live analysis and in logs – anti forensics Lose potential evidence - evidence could be missed References Aleš Zavec, Sašo Tomažič, Malware in Windows environment (What it is and how to prevent it)