Lecture CH 2 Sec 110

This chapter discusses different types of malware and social engineering attacks. It describes viruses, worms, Trojans, rootkits, logic bombs, backdoors, botnets, spyware, adware and keyloggers. It also covers social engineering techniques like using flattery, conformity and acting friendly to trick victims into providing sensitive information or taking undesirable actions. Physical social engineering is illustrated through an example of attackers accessing a secured building by pretending to have lost their key code.

Uploaded by Gary Baxley
Copyright: Attribution Non-Commercial (BY-NC)

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 2 Malware and Social Engineering Attacks

Objectives

- Describe the differences between a virus and a worm
- List the types of malware that conceal their appearance
- Identify the different kinds of malware that are designed for profit
- Describe the types of social engineering psychological attacks
- Explain physical social engineering attacks

Attacks Using Malware

- Malicious software (malware)
  - Enters a computer system without the owner's knowledge or consent
  - Refers to a wide variety of damaging or annoying software
- Primary objectives of malware
  - Infecting systems
  - Concealing its purpose
  - Making profit

Malware That Spreads

- Viruses
  - Malicious computer code that reproduces itself on the same computer
- Virus infection methods
  - Appender infection
    - Virus appends itself to the end of a file
    - Moves the first three bytes of the original file to the virus code
    - Replaces them with a jump instruction pointing to the virus code

  - Swiss cheese infection
    - Viruses inject themselves into executable code
    - Original code is transferred and stored inside the virus code
    - Host code executes properly after the infection
  - Split infection
    - Virus splits into several parts
    - Parts are placed at random positions in the host program
    - Head of the virus code starts at the beginning of the file and gives control to the next piece of virus code

- When an infected program is launched:
  - Virus replicates itself by spreading to another file on the same computer
  - Virus activates its malicious payload
- Viruses may display an annoying message, or be much more harmful
- Examples of virus actions
  - Cause a computer to repeatedly crash
  - Erase files from or reformat the hard drive
  - Turn off the computer's security settings

Figure 2-4 Annoying virus message (Cengage Learning 2012)

- A virus cannot automatically spread to another computer
  - Relies on user action to spread
  - Viruses are attached to files
  - Viruses are spread by transferring infected files

- Types of computer viruses
  - Program: infects executable files
  - Macro: executes a script
  - Resident: infects files opened by the user or the operating system

  - Boot virus: infects the Master Boot Record
  - Companion virus: adds a malicious copycat program to the operating system

- Worm
  - Malicious program that exploits an application or operating system vulnerability
  - Sends copies of itself to other network devices
- Worms may consume resources or leave behind a payload to harm infected systems
- Examples of worm actions
  - Deleting computer files
  - Allowing remote control of a computer by an attacker

Table 2-1 Difference between viruses and worms

Malware That Conceals

- Trojans
  - Program that does something other than advertised
  - Typically executable programs that contain hidden code that launches an attack
  - Sometimes made to appear as a data file
  - Example:
    - User downloads a free calendar program
    - Program scans the system for credit card numbers and passwords
    - Transmits the information to the attacker through the network

- Rootkits
  - Software tools used by an attacker to hide the actions or presence of other types of malicious software
  - Hide or remove traces of log-in records and log entries
  - May alter or replace operating system files with modified versions specifically designed to ignore malicious activity

- Rootkits can be detected using programs that compare file contents with the original files
  - Rootkits that operate at the operating system's lower levels may be difficult to detect
- Removal of a rootkit can be difficult
  - Rootkit must be erased
  - Original operating system files must be restored
  - Reformat the hard drive and reinstall the operating system
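One way to do the file-content comparison the slide mentions, as an added example that is not from the textbook: a directory is hashed into a baseline, and a later pass reports files whose contents changed or that appeared or disappeared. The directory layout and the tampered file are constructed in a temporary directory for the demo.

```python
"""Added example (not from the textbook): compare current file contents with a
known-good baseline. The sample tree and the tampering are constructed in a temp dir."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file under root (relative, '/'-separated) to its digest: the 'originals'."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Report files whose contents changed, plus files added or removed since the baseline."""
    current = take_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline two files, then replace one and drop a hidden extra."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/ls", b"original ls program"), ("etc/hosts", b"127.0.0.1 localhost\n")):
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = take_baseline(root)
        # Simulate a replaced system binary and a new hidden file (constructed, harmless bytes).
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced ls program")
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"new file")
        return compare_to_baseline(root, baseline)
```

A rootkit running below the operating system can hand the checker the original bytes, which is why the slide says low-level rootkits are hard to detect; run such comparisons from a clean boot medium against a baseline stored elsewhere.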

- Logic bomb
  - Computer code that lies dormant
  - Triggered by a specific logical event, then performs malicious activities
  - Difficult to detect before it is triggered
- Backdoor
  - Software code that circumvents normal security to give program access
  - Common practice by developers; the intent is to remove backdoors in the final application

Table 2-2 Famous logic bombs

Malware That Profits

- Types of malware designed to profit attackers
  - Botnets
  - Spyware
  - Adware
  - Keyloggers

- Botnets
  - Computer is infected with a program that allows it to be remotely controlled by an attacker
  - Often the payload of Trojans, worms, and viruses
  - Infected computer is called a zombie; a group of zombie computers together is called a botnet
  - Early botnet attackers used Internet Relay Chat to remotely control zombies; HTTP is often used today

- Botnets' advantages for attackers
  - Operate in the background, often with no visible evidence of their existence
  - Provide a means for concealing the actions of the attacker
  - Can remain active for years
  - A large percentage of zombies are accessible at a given time, due to the growth of always-on Internet services

Table 2-3 Uses of botnets

- Spyware
  - Software that gathers information without user consent
  - Usually used for advertising, collecting personal information, and changing computer configurations

- Spyware's negative effects
  - Slows computer performance
  - Causes system instability
  - May install new browser menus or toolbars
  - May place new shortcuts
  - May hijack the home page
  - Causes increased pop-ups

Table 2-4 Technologies used by spyware

- Adware
  - Program that delivers advertising content in a manner unexpected and unwanted by the user
  - Typically displays advertising banners and pop-up ads
  - May open new browser windows randomly
  - Can also track online activities

- Downsides of adware for users
  - May display objectionable content
  - Frequent pop-up ads cause lost productivity
  - Pop-up ads slow the computer or cause crashes
  - Unwanted ads can be a nuisance

- Keyloggers (contd.)
  - Can be a small hardware device inserted between the computer keyboard and the connector
  - Unlikely to be detected
  - Attacker physically removes the device to collect the information

Figure 2-6 Hardware keylogger

Figure 2-7 Information captured by a software keylogger

Social Engineering Attacks

- Directly gathering information from individuals
  - Relies on the trusting nature of individuals
- Psychological approaches
  - Goal: persuade the victim to provide information or take action
  - Flattery or flirtation
  - Conformity
  - Friendliness

- Attacker will ask for only small amounts of information, often from several different victims
- Request needs to be believable
- Attacker pushes the envelope to get information before the victim suspects anything
- Attacker may smile and ask for help

- True example of a social engineering attack
  - One attacker called the human resources office, asked for and got the names of key employees
  - A small group of attackers approached the door to the building
    - Pretended to have lost the key code
    - Let in by a friendly employee
    - Entered another secured area in the same way
  - Group had learned the CFO was out of town because of his voicemail greeting message

  - Group entered the CFO's office
    - Gathered information from an unprotected computer
    - Dug through trash to retrieve useful documents
  - One member called the help desk from the CFO's office
    - Pretended to be the CFO
    - Asked for the password urgently
    - Help desk gave the password
  - Group left the building with complete network access

- Impersonation
  - Attacker pretends to be someone else:
    - Help desk support technician
    - Repairperson
    - Trusted third party
    - Individuals in roles of authority

- Phishing
  - Sending an email claiming to be from a legitimate source
  - May contain legitimate logos and wording
  - Tries to trick the user into giving private information
- Variations of phishing
  - Pharming: automatically redirects the user to a fraudulent Web site

  - Spear phishing: email messages target specific users
  - Whaling: going after the "big fish" by targeting wealthy individuals
  - Vishing (voice phishing)
    - Attacker calls the victim with a recorded bank message giving a callback number
    - Victim calls the attacker's number and enters private information

Figure 2-8 Phishing message

- Ways to recognize phishing messages
  - Deceptive Web links
    - @ sign in the middle of an address
    - Variations of legitimate addresses
  - Presence of vendor logos that look legitimate
  - Fake sender's address
  - Urgent request
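Three of the signs listed above (an @ sign in the middle of an address, variations of a legitimate address, and an urgent request) turned into checks, as an added example that is not from the textbook. The allowlisted vendor domain, the urgency words and the sample message are assumptions made up for this demo.

```python
"""Added example (not from the textbook): heuristics for the phishing signs the slide
lists, run over a constructed message. Domain list, word list and sample are assumed."""
import re
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"example-bank.com"}  # assumed allowlist of a vendor's real domain
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character variations of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(url):
    """Return the deceptive-link indicators present in a single URL."""
    findings = []
    parsed = urlparse(url)
    if "@" in parsed.netloc:
        # Text before '@' is userinfo the browser ignores; it connects to the host after it.
        findings.append("@ sign in middle of address: real host is %s" % parsed.hostname)
    host = (parsed.hostname or "").lower()
    for legit in LEGITIMATE_DOMAINS:
        if host == legit or host.endswith("." + legit):
            continue  # the genuine domain or one of its real subdomains
        if legit in host or edit_distance(host, legit) <= 2:
            findings.append("variation of legitimate address %s: %s" % (legit, host))
    return findings


def analyze_message(body):
    """Check every link in the body, then flag urgency wording in the text."""
    links = {}
    for url in re.findall(r"https?://\S+", body):
        url = url.rstrip(".,)")
        hits = link_findings(url)
        if hits:
            links[url] = hits
    urgent = any(w in body.lower() for w in URGENCY_WORDS)
    return {"links": links, "urgent request": urgent}


SAMPLE = ("Your account will be suspended within 24 hours. Verify now at "  # constructed
          "http://example-bank.com@198.51.100.7/login or https://examp1e-bank.com/verify .")
```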

- Spam
  - Unsolicited e-mail
  - Primary vehicle for the distribution of malware
  - Sending spam is a lucrative business
  - Spim: targets instant messaging users
  - Image spam
    - Uses graphical images of text
    - Circumvents text-based filters
    - Often contains nonsense text

- Spammer techniques
  - GIF layering: image spam divided into multiple images; the layers make up one complete legible message
  - Word splitting: horizontally separating words; can still be read by the human eye
  - Geometric variance: uses speckling and different colors so no two emails appear to be the same

Figure 2-10 Image spam

- Hoaxes
  - False warning or claim
  - May be the first step in an attack
- Physical procedures
  - Dumpster diving: digging through trash to find useful information
  - Tailgating: following behind an authorized individual through an access door

Table 2-5 Dumpster diving items and their usefulness

- Methods of tailgating
  - Tailgater calls "please hold the door"
  - Waits outside the door and enters when an authorized employee leaves
  - Employee conspires with an unauthorized person to walk together through the open door
- Shoulder surfing
  - Casually observing a user entering a keypad code

Summary

- Malware is software that enters a computer system without the owner's knowledge or consent
- Malware that spreads includes computer viruses and worms
- Malware that conceals includes Trojans, rootkits, logic bombs, and backdoors
- Malware with a profit motive includes botnets, spyware, adware, and keyloggers

- Social engineering is a means of gathering information for an attack from individuals
- Types of social engineering approaches include phishing, impersonation, dumpster diving, and tailgating
