CS4451_Lec2_Malware and Social Engineering Attacks-1

The document outlines the objectives and key concepts related to malware and social engineering attacks in computer security. It defines malware, lists its types, and describes various attack methods, including viruses, worms, Trojans, ransomware, and social engineering tactics. Additionally, it emphasizes the importance of understanding malware's payload capabilities and the psychological techniques used in social engineering to manipulate individuals into providing sensitive information.
CS4451 – Computer Security
Malware and Social Engineering Attacks
Dr. Luu Quang Trung
[email protected]
© 2018 Cengage. All Rights Reserved

Objectives

1. Define malware
2. List the different types of malware
3. Identify payloads of malware
4. Describe the types of psychological social engineering attacks
5. Explain physical social engineering attacks

Attacks Using Malware (1 of 2)

• Malicious software (malware)
  • Enters a computer system without the owner’s knowledge or consent
  • Uses a threat vector to deliver a malicious “payload” that performs a harmful function once it is invoked
• Malware is a general term that refers to a wide variety of damaging or annoying software

Threat vector: the means by which an attack can occur

Attacks Using Malware (2 of 2)

• Malware can be classified by the primary trait that the malware possesses:
  • Circulation - spreading rapidly to other systems in order to impact a large number of users
  • Infection - how it embeds itself into a system
  • Concealment - avoiding detection by concealing its presence from scanners
  • Payload capabilities - what actions the malware performs


Circulation

• Two types of malware have the primary trait of circulation:
  • Viruses
  • Worms

Virus (1 of 6)

• Computer virus - malicious computer code that reproduces itself on the same computer
  • Program virus - infects an executable program file
  • Macro - a series of instructions that can be grouped together as a single command
  • A common data file virus is the macro virus, which is written in a script known as a macro
• Virus infection method:
  • Appender infection - virus appends itself to the end of a file
    - Easily detected by virus scanners
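Why an appender infection is “easily detected by virus scanners”: the appended code lands after the last section declared in the executable’s header, so the file is longer than its own section table says it should be. The following checker, added here as an illustration and not part of the lecture or any product, parses a Windows PE header to measure that trailing region (the overlay); the skeletal PE it builds for input is constructed for the demonstration and is not a real program.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes present after the end of the last section declared in the PE header.

    An appender virus glues its code to the end of an executable without
    updating the section table, so the file grows past the last section's
    PointerToRawData + SizeOfRawData.  That trailing region (the 'overlay')
    is the first thing a scanner checks for this infection type.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table follows the optional header
    end_of_sections = 0
    for i in range(num_sections):
        entry = table + i * 40                        # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)

def build_sample_pe(section_bytes: bytes) -> bytes:
    """Constructed test input: a skeletal one-section PE image, not a runnable program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # one section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                           # section data right after the table
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff + section + section_bytes

if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 32)
    infected = clean + b"APPENDED-CODE"                 # the trace an appender leaves behind
    print("clean overlay:", pe_overlay_size(clean))       # 0
    print("infected overlay:", pe_overlay_size(infected)) # 13
```

A non-zero overlay is a triage signal rather than a verdict: legitimate installers and Authenticode-signed binaries also carry data after the last section, so a scanner pairs this check with signature or behaviour analysis.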

Virus (2 of 6)

• Most viruses today go to great lengths to avoid detection (called an armored virus)
• Some armored virus infection techniques include:
  • Swiss cheese infection - viruses inject themselves into executable code
    - Virus code is “scrambled” to make it more difficult to detect
  • Split infection - virus splits into several parts
    - Parts placed at random positions in host program
    - The parts may contain unnecessary “garbage” code to mask their true purpose

Virus (3 of 6)

• Mutation – some viruses can mutate or change
  - An oligomorphic virus changes its internal code to one of a set number of predefined mutations whenever executed
  - A polymorphic virus completely changes from its original form when executed
  - A metamorphic virus can rewrite its own code and appear different each time it is executed
Virus (4 of 6)

Figure: Swiss cheese infection - viruses inject themselves into executable code; virus code is “scrambled” to make it more difficult to detect

Virus (5 of 6)

Figure: Split infection - virus splits into several parts; parts placed at random positions in host program; the parts may contain unnecessary “garbage” code to mask their true purpose

Vocabulary: scramble /'skræmbl/ - to mix up in a jumbled way

Virus (6 of 6)

• Viruses perform two actions:
  • Unload a payload to perform a malicious action
  • Reproduce themselves by inserting their code into another file on the same computer
• Examples of virus actions
  • Cause a computer to repeatedly crash
  • Erase files from or reformat the hard drive
  • Turn off the computer’s security settings
• Viruses cannot automatically spread to another computer
  • Rely on user action to spread
  • Viruses are attached to files
  • Viruses are spread by transferring infected files

Worm (1 of 2)

• Worm - malicious program that uses a computer network to replicate
  • Sends copies of itself to other network devices
• Worms may:
  • Consume resources or
  • Leave behind a payload to harm infected systems
• Examples of worm actions
  • Deleting computer files
  • Allowing remote control of a computer by an attacker
Worm (2 of 2)

Comparison of virus and worm:

What does it do?
  Virus: Inserts malicious code into a program or data file
  Worm: Exploits a vulnerability in an application or operating system
How does it spread to other computers?
  Virus: User transfers infected files to other devices
  Worm: Uses a network to travel from one computer to another
Does it infect a file?
  Virus: Yes
  Worm: No
Does there need to be user action for it to spread?
  Virus: Yes
  Worm: No

Infection

• Three examples of malware that have the primary trait of infection:
  • Trojans
  • Ransomware
  • Crypto-malware

Trojans

• Trojan - an executable program that does something other than advertised
  • Contains hidden code that launches an attack
  • Sometimes made to appear as a data file
• Example
  • User downloads a “free calendar program”
    - Program scans the system for credit card numbers and passwords
    - Transmits the information to the attacker through the network
• Special type of Trojan:
  • Remote Access Trojan (RAT) – gives the threat actor unauthorized remote access to the victim’s computer by using specially configured communication protocols

Ransomware (1 of 3)

• Ransomware - prevents a user’s device from properly operating until a fee is paid
  • Is highly profitable
• A variation of ransomware displays a fictitious warning that a software license has expired or there is a problem and users must purchase additional software online to fix the problem

Ransomware (2 of 3) and Ransomware (3 of 3): screenshot slides with no recoverable text

Crypto-malware (1 of 2)

• Crypto-malware – a more malicious form of ransomware where threat actors encrypt all files on the device so that none of them can be opened
• Once infected with crypto-malware:
  • The software connects to the threat actor’s Command and Control (C&C) server to receive instructions or updated data
  • A locking key is generated for the encrypted files and that key is encrypted with another key that has been downloaded from the C&C
  • The second key is sent to the victims once they pay the ransom

Crypto-malware (2 of 2): screenshot slide with no recoverable text
Concealment (1 of 2)

• Rootkits - software tools used by an attacker to hide actions or presence of other types of malicious software
  • Hide or remove traces of log-in records, log entries
  • May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity
• Users can no longer trust a computer that contains a rootkit
  • The rootkit is in charge and hides what is occurring on the computer

Concealment (2 of 2): screenshot slide with no recoverable text

Payload Capabilities

• The destructive power of malware can be found in its payload capabilities
• Primary payload capabilities are to:
  • Collect data
  • Delete data
  • Modify system security settings
  • Launch attacks

Collect Data (1 of 6)

• Different types of malware are designed to collect important data from the user’s computer and make it available to the attacker
• This type of malware includes:
  • Spyware
  • Adware
Collect Data (2 of 6)

• Spyware - software that gathers information without user consent
  • Uses the computer’s resources for the purposes of collecting and distributing personal or sensitive information
• Keylogger - captures and stores each keystroke that a user types on the computer’s keyboard
  • Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information

Collect Data (3 of 6)

• A keylogger can be a small hardware device or a software program
  • As a hardware device, it is inserted between the computer keyboard connection and the USB port
  • Software keyloggers are programs installed on the computer that silently capture information
    - An advantage of software keyloggers is that they do not require physical access to the user’s computer
    - Often installed as a Trojan or virus; can send captured information back to the attacker via the Internet

Collect Data (4 of 6) and Collect Data (5 of 6): screenshot slides with no recoverable text
Collect Data (6 of 6)

• Adware - program that delivers advertising content in a manner unexpected and unwanted by the user
  • Typically displays advertising banners and pop-up ads
  • May open new browser windows randomly
• Users disapprove of adware because:
  • Adware can display objectionable content
  • Frequent popup ads can interfere with a user’s productivity
  • Popup ads can slow a computer or even cause crashes and the loss of data
  • Unwanted advertisements can be a nuisance

Vocabulary: objectionable /əb'dʤekʃənbl/ - offensive, unpleasant to look at

Delete Data

• The payload of other types of malware deletes data on the computer
• Logic bomb - computer code that lies dormant (i.e., in sleep mode) until it is triggered by a specific logical event
  • Difficult to detect before it is triggered
  • Often embedded in large computer programs that are not routinely scanned

Modify System Security

• Backdoor - gives access to a computer, program, or service that circumvents normal security to give program access
  • When installed on a computer, they allow the attacker to return at a later time and bypass security settings

Launch Attacks (1 of 2)

• Bot or zombie - an infected computer that is under the remote control of an attacker
• Groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder)
• Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders
• A common C&C mechanism used today is HTTP, which is more difficult to detect and block
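HTTP-based C&C blends into normal web traffic, but a bot that polls its C&C server does so on a schedule, and that regularity is something a defender can measure in proxy logs. The detector below is an added example, not part of the lecture or any vendor tool; the log lines, host names and the thresholds (at least 5 requests, gap variation under 10%) are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log lines (not a real capture): time, client, destination host, path.
# One client fetches /gate.php from beacon-host.example exactly every 60 s, the rhythm of a
# bot polling its C&C; the other hosts show ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-01-05T10:00:00 10.0.0.7 cdn.example.net /lib.js
2024-01-05T10:00:01 10.0.0.7 cdn.example.net /app.css
2024-01-05T10:00:03 10.0.0.7 beacon-host.example /gate.php
2024-01-05T10:00:11 10.0.0.7 mail.example.com /inbox
2024-01-05T10:00:12 10.0.0.7 mail.example.com /msg/17
2024-01-05T10:01:03 10.0.0.7 beacon-host.example /gate.php
2024-01-05T10:01:40 10.0.0.7 mail.example.com /search
2024-01-05T10:02:03 10.0.0.7 beacon-host.example /gate.php
2024-01-05T10:03:03 10.0.0.7 beacon-host.example /gate.php
2024-01-05T10:04:03 10.0.0.7 beacon-host.example /gate.php
2024-01-05T10:04:05 10.0.0.7 mail.example.com /inbox
2024-01-05T10:04:50 10.0.0.7 mail.example.com /msg/18
2024-01-05T10:05:03 10.0.0.7 beacon-host.example /gate.php
"""

def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return (client, host, mean_gap_seconds) for client->host pairs whose request
    timing is suspiciously regular: at least min_hits requests and a coefficient of
    variation (stdev / mean of the gaps between requests) no larger than max_cv."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        times[(client, host)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, avg))
    return hits

if __name__ == "__main__":
    for client, host, period in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: beacon-like traffic, period {period:.0f}s")
```

Legitimate update checkers and monitoring agents also poll on fixed schedules, so a hit is a lead for an analyst to check the destination, not proof of a botnet; bots that add random jitter to their interval need a looser max_cv or a different signal.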
Launch Attacks (2 of 2)

Types of attack launched by botnets:

Spamming: Botnets are widely recognized as the primary source of spam email. A botnet consisting of thousands of bots enables an attacker to send massive amounts of spam.
Spreading malware: Botnets can be used to spread malware and create new bots and botnets. Bots can download and execute a file sent by the attacker.
Manipulating online polls: Because each bot has a unique Internet Protocol (IP) address, each “vote” by a bot will have the same credibility as a vote cast by a real person.
Denying services: Botnets can flood a web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests.

Social Engineering Attacks

• Social engineering - a means of gathering information for an attack by relying on the weaknesses of individuals
• Social engineering attacks can involve psychological approaches as well as physical procedures

Psychological Approaches

• Goal of psychological approaches: to persuade the victim to provide information or take action
• Attackers use a variety of techniques to gain trust without moving too quickly:
  • Provide a reason
  • Project confidence
  • Use evasion and diversion
  • Make them laugh
• Psychological approaches often involve:
  • Impersonation, phishing, spam, hoaxes, and watering hole attacks

Impersonation

• Impersonation - attacker pretends to be someone else:
  • Help desk support technician
  • Repairperson
  • IT support
  • Manager
  • Trusted third party
  • Fellow employee
• Attackers will often impersonate a person with authority because victims generally resist saying “no” to anyone in power
Phishing (1 of 2)

• Phishing - sending an email claiming to be from a legitimate source
  • Tries to trick the user into giving private information
  • The emails and fake websites are difficult to distinguish from those that are legitimate
• Variations on phishing attacks:
  • Spear phishing – targets specific users
  • Whaling – targets the “big fish”
  • Vishing – uses a telephone call instead of email
• About 97% of all attacks start with phishing

Phishing (2 of 2): screenshot slide with no recoverable text

Spam (1 of 2)

• Spam - unsolicited e-mail
  • A primary vehicle for the distribution of malware
• Sending spam is a lucrative business
  - Costs spammers very little to send millions of spam messages

Spam (2 of 2)

• Filters look for specific words and block the email
• Image spam - uses graphical images of text in order to circumvent text-based filters
  • Often contains nonsense text so it appears legitimate
Hoaxes

• Hoax - a false warning, usually claiming to come from the IT department
  • Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system
  • Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker

Watering Hole Attack

• Watering hole attack – a form of cyberattack that targets groups of users by infecting websites that they commonly visit
• Example:
  • Major executives working for a manufacturing company may visit a common website, such as a parts supplier to the manufacturer

Physical Procedures

• Two of the most common physical procedures are:
  • Dumpster diving
  • Tailgating

Dumpster Diving (1 of 2)

• Dumpster diving
  • Digging through trash to find information that can be useful in an attack
  • An electronic variation of dumpster diving is to use Google’s search engine to look for documents and data posted online
    - Called Google dorking
Dumpster Diving (2 of 2)

Items retrieved by dumpster diving and why they are useful:

Calendars: A calendar can reveal which employees are out of town at a particular time
Inexpensive computer hardware, such as USB flash drives or portable hard drives: Often improperly disposed of and might contain valuable information
Memos: Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation
Organizational charts: These identify individuals within the organization who are in positions of authority
Phone directories: Can provide the names and telephone numbers of individuals in the organization to target or impersonate
Policy manuals: These may reveal the true level of security within the organization
System manuals: Can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities

Tailgating

• Tailgating
  • Following behind an authorized individual through an access door
  • An employee could conspire with an unauthorized person to allow that person to walk in with them (called piggybacking)
  • Watching an authorized user enter a security code on a keypad is known as shoulder surfing

Chapter Summary (1 of 2)

• Malware is malicious software that enters a computer system without the owner’s knowledge or consent
• Malware that spreads includes computer viruses and worms
• Ransomware prevents a user’s device from properly and fully functioning until a fee is paid
• A rootkit can hide its presence or the presence of other malware on the computer by accessing lower layers of the OS
• Different types of malware are designed to collect data from the user’s computer and make it available to the attacker
  • Spyware, keyloggers, and adware

Chapter Summary (2 of 2)

• A logic bomb is computer code that is typically added to a legitimate program but lies dormant until triggered by a specific logical event
• A backdoor gives access to a computer, program, or service that circumvents any normal security protections
• A popular payload of malware is software that will allow the infected computer to be placed under the remote control of an attacker (known as a bot)
  • Multiple bot computers can be used to create a botnet
• Social engineering is a means of gathering information for an attack from individuals
• Types of social engineering approaches include phishing, dumpster diving, and tailgating
