Week 3 - Malware Defenses




Attack vector graph sourced from lecture slides provided by Oregon State University CS373

There are four key stages in what malware does: first contact, code execution, establishing presence, and performing malicious activity.

First contact: can come in many different ways, including email attachments, spoofing an ad network (also known as malvertising), instant messaging, poisoned search results, a watering hole (the term for compromising a website that the targets routinely visit), and physical contact such as a USB stick.

Execute: there are three main methods of execution: social engineering, exploitation, and code that runs through legitimate functionality, a feature rather than a bug.

Establish presence: the malware may try to blend in by using filenames that are very similar to operating system filenames. It can also alter its files' installation and modification timestamps, and it can hide using rootkits or bootkits. Once established, a piece of malware also has to persist; the easiest way to maintain persistence is to register an autorun executable.
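The blending-in trick above is something a defender can check for. The following script is an added example (not from the lecture or from this post) that flags file or process names within one edit of a genuine Windows binary name, or that differ from one only by look-alike characters such as 0 for o. The allow-list and the sample names are constructed for the demo; a real check would use a much fuller list and would also look at the file's directory and signer.

```python
"""Lookalike-name check for the "establish presence" stage.

Added example, not part of the original post. The allow-list and the
candidate names below are constructed for this demo.
"""

# Constructed allow-list of a few genuine Windows binary names (lower-case).
KNOWN_SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe",
}

# Character substitutions that keep a name looking right at a glance.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def fold_confusables(name: str) -> str:
    """Lower-case the name and replace commonly swapped look-alike characters."""
    folded = name.lower()
    for lookalike, genuine in CONFUSABLES.items():
        folded = folded.replace(lookalike, genuine)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(name: str, known=KNOWN_SYSTEM_NAMES, max_distance: int = 1) -> str:
    """'known' for an exact allow-list hit, 'lookalike' for a near miss, else 'other'."""
    lowered = name.lower()
    if lowered in known:
        return "known"
    folded = fold_confusables(lowered)
    for genuine in known:
        if folded == genuine or edit_distance(lowered, genuine) <= max_distance:
            return "lookalike"
    return "other"


def flag_lookalikes(names):
    """Return the subset of names that imitate an allow-listed binary."""
    return [n for n in names if classify(n) == "lookalike"]


if __name__ == "__main__":
    # Constructed process listing for the demo.
    sample = ["svchost.exe", "svch0st.exe", "lsasss.exe", "notepad.exe", "explorer.exe"]
    for n in sample:
        print(f"{n:14} {classify(n)}")
```

A name that is exactly on the allow-list is reported as known; anything that folds to a known name or sits within one edit of it is reported as a lookalike, so svch0st.exe and lsasss.exe are flagged while notepad.exe is not. Lowering max_distance keeps false positives down at the cost of missing sloppier imitations.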

Malicious activity: this is the stage where the malware does its work and sends information back to its operator, for example as a key logger, screen scraper, spyware, botnet client, and so on.

So where does defense occur? It can't be pinned down to one of the stages above. Instead, malware defense takes place at every stage and in many different forms. A user could use two-factor authentication or commercial antivirus software. There is also the computer's network firewall, whitelists and blacklists (lists of known legitimate and illegitimate URLs and domains), and prevention of auto-run scripts. There can be business rules such as only using known USB drives, and device encryption. This is not an all-encompassing list, merely some tools and practices that can help prevent malware.

The tools we learned about this week:
YARA - an open source tool that uses a rule-based approach to scan for malware based on ASCII and wide strings, hexadecimal patterns, and other patterns.
Cuckoo - an automated malware analysis sandbox that runs samples in virtual machines and can handle all operating systems.

This week had a mini-lab to complete. We were to select a piece of malware from a choice of four options and write about how it behaves. Below is the write-up for this lab.

Name: Casey Heinle
Date/Time of Posting: 1/29/2019 at 20:50
Hash: 00670F2B9631D0F97C7CFC6C764DD9D9

Update 1/30/2019: I have a functioning box again and I was able to complete the lab. I first examined the malware with FileInsight and discovered that the entry point had a hex value of 0x40146C and that the dll "MSVBVM60.DLL" is imported upon execution. I added these two pieces of information as strings to my Yara rule and found four matches.



After renaming the malware to "bad" rather than its hash and moving it to the desktop, I ran Cuckoo to see what the malware is doing. One thing that is immediately apparent when examining the Cuckoo logs is that an executable called qusla.exe was attempted to be run.


The registry is also being modified when running the malware.

What exactly does this piece of malware do? Further examination of the Cuckoo logs shows Internet Explorer settings being modified.

This led me to check the settings in Internet Explorer and discover that the home page had been changed to a malicious site rather than the default home page.


As of 1/29/19, I am without a computer. My current machine had a catastrophic failure and I'm anticipating a replacement box on 1/31/19. This means I've been working from a Kindle for the past week. Unfortunately the tablet OS and VMSphere don't play well with each other; specifically, I am unable to provide any keyboard input to the VM. Any images for this week have been taken with my phone and then uploaded.


I'm able to navigate with the touch screen but can't provide any input other than a left mouse click; therefore I can't complete the lab as of the 29th. If I were able to run it, I would write a Yara signature that would look something like this:

rule labExercise
{
    strings:
        $a = "relevantString1"   // placeholder strings, to be taken from the string dump
        $b = "relevantString2"
        $c = "relevantString3"
    condition:
        all of them              // the file must contain every string above
}

I would use the condition "all of them" to search for each string. If this yielded too many results I would then change the condition to "($a and $b) or $c" to change the "or" condition to an "and" condition.

The relevant strings would be determined from a string dump examination with FileInsight. The behavior of the malware would be observed within Cuckoo's logs. If this blog post is read prior to 1/31/19, check back on this date to see the observed behavior and proper Yara rule. Thanks!
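As an added example of the matching described above (this is not the yara tool's code and not the lab's actual rule), the following small Python scanner checks ascii and wide (UTF-16LE) strings and hex patterns with ?? wildcards, then evaluates a condition such as "all of them", "2 of them" or "($a and $b) or $c" over the per-string results. The rule, its hex pattern, the third string and the sample bytes are constructed for the demo; only the DLL name MSVBVM60.DLL echoes the write-up.

```python
"""Toy YARA-style scanner: ascii/wide strings, hex patterns, and a condition.

Added example, not the yara tool and not the lab's real rule; the rule and
sample bytes at the bottom are constructed for this demo.
"""
import re

def hex_pattern(text):
    """'6C 14 ?? 00' -> regex over bytes; one token per byte, '??' = any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in text.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def match_strings(data, strings):
    """{name: bool} for strings mapping name -> (modifiers, value).

    modifiers is a set drawn from {'ascii', 'wide', 'hex'}; as in YARA, no
    modifier means ascii and 'wide' means UTF-16LE (each char + NUL byte)."""
    found = {}
    for name, (mods, value) in strings.items():
        if "hex" in mods:
            found[name] = hex_pattern(value).search(data) is not None
            continue
        hit = ("ascii" in mods or "wide" not in mods) and value.encode("ascii") in data
        found[name] = hit or ("wide" in mods and value.encode("utf-16-le") in data)
    return found

_TOKEN = re.compile(r"\s*(\(|\)|\$\w+|\d+ of them|all of them|any of them|and|or|not)")

def evaluate(condition, found):
    """Evaluate "($a and $b) or $c", "all of them", "2 of them", ... over
    the per-string results from match_strings (recursive-descent parser)."""
    tokens, pos, condition = [], 0, condition.strip()
    while pos < len(condition):
        m = _TOKEN.match(condition, pos)
        if not m:
            raise ValueError(f"cannot parse condition near {condition[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()

    def binary(i, op, sub):          # sub (op sub)*  for op in {'or', 'and'}
        val, i = sub(i)
        while i < len(tokens) and tokens[i] == op:
            rhs, i = sub(i + 1)
            val = (val or rhs) if op == "or" else (val and rhs)
        return val, i

    def factor(i):                   # 'not' factor | '(' expr ')' | $name | N of them
        tok = tokens[i] if i < len(tokens) else None
        if tok == "not":
            val, i = factor(i + 1)
            return (not val), i
        if tok == "(":
            val, i = expr(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing closing parenthesis")
            return val, i + 1
        if tok and tok.startswith("$"):
            return bool(found[tok[1:]]), i + 1
        if tok and tok.endswith("of them"):
            word = tok.split()[0]
            need = {"all": len(found), "any": 1}.get(word)
            return sum(found.values()) >= (int(word) if need is None else need), i + 1
        raise ValueError(f"unexpected token {tok!r}")

    term = lambda i: binary(i, "and", factor)
    expr = lambda i: binary(i, "or", term)
    val, i = expr(0)
    if i != len(tokens):
        raise ValueError("trailing tokens in condition")
    return val

def scan(data, rule):
    """Apply one rule {'strings': ..., 'condition': ...}; return (matched, hits)."""
    found = match_strings(data, rule["strings"])
    return evaluate(rule["condition"], found), found

# Constructed rule in the spirit of the lab: the DLL name as ascii or wide,
# a hex pattern with a wildcard, and a hypothetical third string.
LAB_RULE = {
    "strings": {
        "dll": ({"ascii", "wide"}, "MSVBVM60.DLL"),
        "stub": ({"hex"}, "6C 14 ?? 00"),
        "marker": (set(), "relevantString3"),
    },
    "condition": "($dll and $stub) or $marker",
}

# Constructed stand-in for a file under analysis (not real malware): the DLL
# name is present only in wide form, the hex pattern is present, $marker is not.
SAMPLE = (b"MZ" + b"\x00" * 6 + b"\x6c\x14\x40\x00"
          + "MSVBVM60.DLL".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    matched, hits = scan(SAMPLE, LAB_RULE)
    print("rule matched:", matched, hits)
    for cond in ("all of them", "any of them", "2 of them"):
        print(f"{cond}: {evaluate(cond, hits)}")
```

Run against the constructed sample, the lab-style condition matches because the DLL name is found in its wide form and the hex pattern hits, so the "and" branch is satisfied even though the placeholder $marker is absent; "all of them" on the same sample is False. That is the tightening-versus-loosening choice the post describes: an "all of them" rule is stricter and misses variants that lack one string, while an "or" branch widens the net and needs a more specific string to keep false positives down. Note also that an ascii-only string definition would not find the wide form, which is why the "wide" modifier matters for Windows binaries that store names as UTF-16.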
