Fight against Malware
Let’s face it, Windows machines can get hijacked if you happen to be on the wrong place at the wrong time. Fortunately, Microsoft has built numerous tools into Windows so administrators and power users can analyze systems to determine whether and how they’ve been compromised. But many of us are not even take this in to consideration! In this demonstration I’ll demonstrate the tools built into Windows for such analysis, as well as more free tools from the Security community to help you out get of chaos! If you have ever had a virus in your PC than attending this session is a must for you.
This article is about Malwares, from the past , to present and their future, I hope you will like it…
Before we get into the specifics of how to malware history, present and past I believe we need to define some terminology, cover common types of malware, and introduce the fundamental approaches to malware analysis to identify and highlight the article.
Malware, (malicious software) refers to any program that is deliberately created to perform an unauthorized, often harmful, action. It’s a generic terminology for software with malicious intents. It includes many categories, such as virus, spyware, rootkits, Trojan horses, backdoor, bots, etc. (Automatic Malware Analysis, Springer P.23) Malwares are one of the main threats today since early days of computing and many in depended study’s shows that malware causes billions of dollars financial losses annually. As malware writers are not hobbyist or activist anymore and they are profit or government driventhe future of stoping it does not look very bright. (Eugene Kaspersky, AusCERT 2012 Keynote speech)
I’m sure you all know what Trojan, Virus, Spam, Adware- Spyware, Keyloggers, Ransomware, Worms etc. means. We all know how victims can infected.
To be able to predict the future of viruses we always need to look back in to the past and try to analyse how viruses has been created, this involves to know a Malware stage life:
- Design: The malware code will designed based on the programmers needs.
- Replication: The virus will start to “spread” , the attackers will try to infect their target where their malware can replicate itself
- Launch: The malware will be activated when a user performs certain actions as triggering or when the “malware” has been activated with a click (as example)
- Detection: Hopefully this stage will come early as possible. The malware will be detected in this stage and it might been submitted to the anti-malware team for reverse engineering.
- Incorporation: The malware code will be reversed engineered to find the effects and damage way, and a core will be written to remove the malware from the systems
- Elimination: Anti Malware databases will be updated with the signature files to prevent any other possible damage.
Based on Baseline Magazine in 1962 Bell Telephone Lab’s researchers invent a game that destroys software programs. So all started with a game J The “real” virus has appeared first time in 1971 on ARPANET, the virus was replication itself with a message “I’m Creeper: Catch me if you can” In 1981 the first widespread outbreak of a virus was seen in Apple 2 platform. Eric Cloner spreads a virus with a floppy disc which was infecting boot sectors and generating messages which was impairing performance.
Finally in 1983 Professor Len Adleman at Lehigh University demonstrates the virus concept in a seminar and the term “computer virus” became part of our lives.
1986 was the year where the world learned how the consumers where clueless against computer viruses while the “Brain Virus” was hitting the PC platform.
1987 was the year where the Vienna virus goes global and it destroys data. And right after this IBM did introduce their first Antivirus called “Viruscan for MS-DOS”
1991 several Anti-Virus companies entered to the market with “300” viruses documented, yes only 300.
1996 viruses started to hit Microsoft platform, Laroux , then Win32. HLLP.DeTrio started to steal passwords.
2001 was the year where e-mails and Internet has become primary transmission vector and as a result more and more malwares started to spread out via e-mails and internet.
2007 was the first time the Botnets infected millions of systems worldwide and DoS attacks started to effect Computer users
As I mentioned in the intro today the effect of viruses is measured by billions of dollars.
To fight against malware development and innovation, first we need to understand and know the “enemy”, as they are getting more complex this is not as easy as it sounds. We should be able to analyse a malicious binary program with aim of analyse and detect its malicious behaviours. There are already many ways to collect info about suspicious programs through honeypots, computer forensics of compromised systems, and underground channels. By analysing this unknown program, we identify its malicious behaviours and extract attack mechanisms then we can rely on the analysis results to build up proper defence, such as creating detection signatures and updating detection policies. This analysis process has to be automatic in order to catch up with the speed of malware development. One of my most favoured tool is GFI Sandbox (Secunia CSI)
Today, malwares are not just aiming computers, smartphones, tablets, cars and anything which run’s an Operating System is an open target, which makes the fight harder. Platforms such as Google’s Android has known and unpatched vulnerabilities since early versions (Android Security Attacks and Defenses by A.Dybey & A. Misra). Apple’s iOS 7 has been patched just after 1 week of release, same with Microsoft’s Windows Phone 8. The BYOD will make things just harder in the future. Many articles can be read about those topics in www.securelist.com which states all the difficulties which we will face.
Microsoft Security Intelligence Report v14 has a very interesting malware infection rate based on countries, which gives also an indication on how the targets has been selected.
If we look in to today’s political activities we will see that the below map is not just a virus infection or detection map, it’s also a map where many political activates happen. Middle East, Africa, China – Russia and of course USA… Without going to much in to politics I can say that all the virus infections is not a coincidence, I believe they are related to each other.
Important issue’s from today:
From reading the CSU Interact forum, I have noticed that none of the assignments did highlight targeted attacks such as Stuxnet, Flame (unless I missed it). It’s important to mention how “engineered malware’s” can bypass anti malware software. And Mikko Hypponen who is Chief Research Officer of F-Secure wrote a very good self-critique blog post on how Anti Malware companies like his ones could not detect those targeted malware, in summary:
“Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems. When researchers dug back through their archives for anything similar to Stuxnet, they found that a zero-day exploit that was used in Stuxnet had been used before with another piece of malware, but had not been noticed at the time
Stuxnet, Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered. The fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications. And instead of trying to protect their code with custom packers and obfuscation engines—which might have drawn suspicion to them—they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.
Most of the infections occurred in politically turbulent areas of the world, in countries like Iran, Syria and Sudan. It’s not known exactly what Flame was used for, but it’s possible that if we had detected and blocked it earlier, we might have indirectly helped oppressive regimes in these countries thwart the efforts of foreign intelligence agencies to monitor them.
Any malware, even targeted, can get out of hand and cause “collateral damage” to machines that aren’t the intended victim. Stuxnet, for example, spread around the world via its USB worm functionality and infected more than 100,000 computers while seeking out its real target, computers operating the Natanz uranium enrichment facility in Iran. In short, it’s our job as an industry to protect computers against malware. That’s it.
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons. Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
It looks like the future will have more and more targeted attacks. Not just computers, tablets or mobile devices will be targeted but anything which can be reached. Below are few statements of Security experts what they see coming up in the near future:
F Secure CRO if F Secure has stated consumer antimalware’s are not going to be powerful enough to detect special engineered attacks.
LinuxSecurity.com has an article which states the future trends of attack’s, as summary :”Mobile malwares will be susses fully monetized, Localization as a concept will attract the coders’ attention, Open Source Malware will be more popular, Zero day malwares going to be more on demand, Cryptoviral extortion will emerge, hijacking botnets will be more specific “
Based on CIO magazine Experts say the future of malware isn’t so much about how malware itself will be engineered as how potential victims will be targeted,
According to Todd Feinman, groups like Anonymous aren’t motivated by money. They’re trying to embarrass their targets, which include government agencies and law enforcement. But when they post sensitive personal information, they are helping a second tier of lower-skilled cyber-criminals commit identity theft. “In one online post, AntiSec came right out and said ‘we don’t care about collateral damage. It will happen and so be it…”
Chris Larsen, head of Blue Coat Systems’ research lab, says the most common social engineering attack their lab catches is for fake security products. He also explained that social networks aren’t just being used to target individuals.
Paul Wood, senior intelligence analyst for Symantec cloud. “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80 daily.”
Stuart McClure, as more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases,”
I did mention simular thoughts in my AusCERT two day tutorial class to my students as well. I really believe that Social Media will lead for more and more damages which will effect organisations as well. (Tech Ed Australia 2013, a Journey to the Dark Site of Social Media)
Beside the traditional defence controls such as patching the systems, stopping the unnecessary services, installing Intrusion detection and prevention solutions and etc. there must a serious Risk Management in place, and standards such as ISO/IEC 27005/2011 Information security risk management standards should be implemented in to organizations to minimise the impacts of the Malwares.
Concise summary of the issues discussed in forum, important/missing issues not addressed in the forum:
The assessments submitted in the form had really good information about malwares in the past and present but I could not see much info about other platform malwares such as cars. None of the team members mentioned milestone zero day attacks such as Stuxnet or Flame, and addressed the concerns about the effects which is very important in real life.