Presentation transcript: "Malware" (K. Salah)

1 Malware

2 Malcode Taxonomy (diagram; no transcribed text)

3-4 (diagrams only; no transcribed text)

5 The Ten Most Common Critical Cyber Security Threats
1. Malware attack with social engineering tactics
2. Spam
3. DoS and DDoS attack
4. Phishing and pharming (identity theft)
5. Botnets
6. IM and P2P attack
7. Mobile and wireless attack (Wi-Fi and Bluetooth)
8. Rootkits
9. Web application hacking
10. Hacking with Google

6 Most Advanced Critical Cyber Security Threats
1. Zero-day attack
2. Web 2.0 attack
3. VoIP attack
4. Web services attack
5. USB attack

7 Attack on the Critical Infrastructure
- Government operations
- Telecommunications
- Electrical energy
- Gas and oil storage and delivery
- Water supply systems
- Banking and finance
- Transportation

8 Virus, Spam and Spyware Relationship (diagram: antispam, antivirus and antispyware products mapped against spam, virus, spyware, worm, phish/adware and zombie/trojan)

9 Digital Forensics Analysis
1. Incident notification
2. Understand the nature of the incident
3. Interview
4. Obtain authorization
5. Verify scope
6. Team assembly
7. Document the work area
8. Document the incident equipment
9. Move the equipment
10. Prepare two images
11. Preserve/protect the first image
12. Use the second image for restoration and examination
13. Data extraction and analysis
14. Watch assumptions, in particular date/time
15. Review logs / interview
16. Analysis
17. Prepare findings
18. Lessons learned

10 Anti-forensic techniques
Anti-forensic techniques try to frustrate forensic investigators and their techniques.
1. Overwriting data and metadata
   1. Secure data deletion
   2. Overwriting metadata
   3. Preventing data creation
2. Cryptography, steganography and other data-hiding approaches
   1. Encrypted data
   2. Encrypted network protocols
   3. Program packers
   4. Steganography
   5. Generic data hiding
Examples
- Timestomp: changes the dates of files (the four NTFS timestamps); EnCase then shows blank dates.
- Slacker: stores files in the slack space of disk blocks.
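The timestamp-overwriting example above can be reproduced and checked with a few lines of Python. The following is an added example, not part of the slides and not the Timestomp tool itself: it rewrites a file's mtime through utime(2) the way such a tool does, then applies a triage heuristic an examiner can run. The heuristic assumes POSIX semantics (utime sets atime/mtime but the kernel bumps ctime to the current time, and ctime cannot be set from user space); the file name, the backdate value and the 60-second slack are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed backdate target: 2001-01-01T00:00:00Z (any value far in the past works)
BACKDATE = datetime(2001, 1, 1, tzinfo=timezone.utc).timestamp()


def stomp_mtime(path: str, when: float) -> None:
    """Rewrite atime/mtime through utime(2), as a Timestomp-style tool does
    for the user-settable stamps.  The kernel still bumps ctime to 'now'
    on that call, and ctime cannot be set from user space (assumption: POSIX)."""
    os.utime(path, (when, when))


def check_timestamps(path: str, slack: float = 60.0) -> dict:
    """Triage heuristic: an mtime far older than ctime means the data stamp was
    rewritten after the last inode change, which is what timestamp tampering
    leaves behind.  `slack` absorbs normal edit-then-chmod gaps (a guess)."""
    st = os.stat(path)
    gap = st.st_ctime - st.st_mtime
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "ctime_minus_mtime": gap,
        "suspicious": gap > slack,
    }


def demo() -> dict:
    """Create a file, check it, tamper with it, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")   # constructed sample file
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        before = check_timestamps(path)
        stomp_mtime(path, BACKDATE)
        after = check_timestamps(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The check has a known false positive (an old file whose permissions were changed recently shows the same gap), so it is a lead, not proof. On NTFS the corresponding comparison is between the $STANDARD_INFORMATION timestamps, which Timestomp rewrites, and the $FILE_NAME timestamps, which the user-mode API does not update.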

11 Virus Techniques
TSR (terminate and stay resident)
- The virus can hide in memory even after the program has stopped or been detected
Stealth viruses
- Execute the original code
- The reported file size stays the same after infection
- Hide in memory within a system process
- The virus infects the OS so that if a user examines the infected file, it appears normal
Encrypted/polymorphic viruses
- To hide virus signatures, encrypt the code
- Have the code mutate to defeat signature scanning

12 Polymorphic Viruses (diagram; no transcribed text)
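What the encrypted/polymorphic technique on the previous slide achieves against a signature scanner can be shown with an inert stand-in. The following Python is an added example, not code from the slides and not a virus: the "body" is a constructed byte string that never executes, each generation encrypts it under a fresh random key, and the decryptor stub itself is chosen from two interchangeable variants so its bytes change too. The 16-byte signature, the two stub variants and the header layout are all constructed for the demo; real polymorphic engines mutate the stub far more thoroughly.

```python
import os

# Constructed, inert stand-in for a virus body; nothing here executes anything.
BODY = b"constructed virus body: find_host(); attach(); payload();"

# Naive signature: 16 bytes of the plaintext body, as a scanner might extract.
SIGNATURE = BODY[8:24]


# Two interchangeable decryptor variants; the engine picks one per copy so the
# stub's own bytes change, not only the key.
def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _add(data: bytes, key: bytes) -> bytes:
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def _sub(data: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


ENCRYPT = {0: _xor, 1: _add}
DECRYPT = {0: _xor, 1: _sub}


def new_generation(body: bytes = BODY, key_len: int = 8) -> bytes:
    """One offspring: [variant][key_len][key][encrypted body].
    Fresh random key and randomly chosen stub variant per copy."""
    variant = os.urandom(1)[0] % len(ENCRYPT)
    key = os.urandom(key_len)
    return bytes([variant, key_len]) + key + ENCRYPT[variant](body, key)


def run_decryptor(blob: bytes) -> bytes:
    """What the stub does at run time: recover the plaintext body."""
    variant, key_len = blob[0], blob[1]
    key = blob[2:2 + key_len]
    return DECRYPT[variant](blob[2 + key_len:], key)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static pattern match over the bytes as stored: defeated by the encryption."""
    return signature in sample


def emulating_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Let the decryptor run (here: interpret the toy stub format), then scan the
    plaintext.  This is why scanners emulate or generically decrypt instead of
    only pattern-matching the file image."""
    try:
        return signature in run_decryptor(sample)
    except (IndexError, KeyError):
        return False


if __name__ == "__main__":
    a, b = new_generation(), new_generation()
    print("generations identical:", a == b)
    print("static scan:", signature_scan(a), signature_scan(b))
    print("emulating scan:", emulating_scan(a), emulating_scan(b))
```

The static scanner finds the signature in the plaintext body but in neither generation, while the emulating scanner catches both: the defender's counter to encryption is to let the sample decrypt itself and scan what it produces.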

13 Virus Cleaning
- Remove the virus from the file
- Requires skills in software reverse engineering
- Identify the beginning and end of the payload and restore the original

14 How hard is it to write a virus?
- Simple Google search for "virus construction toolkit"
- www.pestpatrol.com
- Tons of others
- Conclusion: not hard

15 Attaching code (diagram)

16 Integrate itself (diagram)

17 Completely replace (diagram)

18 Boot Sector Virus (diagram)

19 How viruses work
Attach
- Append to a program or e-mail: executes with the program
- Surround the program: executes before and after the program, and erases its tracks
- Integrate into or replace program code
Gain control
- The virus replaces the target
Reside
- In the boot sector
- In memory
- In an application program
- In libraries
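The "attaching code" and "virus cleaning" slides describe one mechanism from two sides: an appended payload that redirects the program's entry point to itself and then hands control back, and a cleaner that finds the payload's beginning and end and restores the original entry. The following Python is an added example, not from the slides and not a real virus: it defines a constructed toy executable format (4-byte magic, 4-byte entry offset, then code), an inert "infection" of that format, a trace of what executes, and the matching cleaner. The marker bytes and the toy code strings are constructed for the demo.

```python
import struct

# Constructed toy executable format: 4-byte magic, 4-byte entry offset, then code.
MAGIC = b"TOY1"
HEADER = struct.Struct("<4sI")
# Marker written by the inert, constructed "virus" so it can recognise its own work
# (no double infection) and so a cleaner can find where the payload begins.
MARK = b"\x00<<CONSTRUCTED-VIRUS>>\x00"
VIRUS_CODE = b"virus code: find next host, attach, hand control back"


def build_program(code: bytes) -> bytes:
    return HEADER.pack(MAGIC, HEADER.size) + code


def is_infected(image: bytes) -> bool:
    return MARK in image


def infect(image: bytes) -> bytes:
    """Append-style infection: the payload goes at the end, the header's entry is
    redirected to it, and the original entry is saved inside the payload so the
    host still runs afterwards (the 'executes before program' pattern)."""
    magic, entry = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("not a TOY1 image")
    if is_infected(image):
        return image                      # one infection per host
    payload = MARK + struct.pack("<I", entry) + VIRUS_CODE
    return HEADER.pack(MAGIC, len(image)) + image[HEADER.size:] + payload


def run(image: bytes) -> list:
    """Execution trace: which code runs, in order, for this image."""
    magic, entry = HEADER.unpack_from(image)
    trace = []
    if image.startswith(MARK, entry):
        saved = struct.unpack_from("<I", image, entry + len(MARK))[0]
        trace.append("virus")
        entry = saved                     # virus ran first, now returns control
    host = image[entry:].split(MARK, 1)[0]
    trace.append("host:" + host.decode())
    return trace


def clean(image: bytes) -> bytes:
    """Locate the beginning of the payload, read back the saved entry, restore the
    header and cut the payload off: the image is byte-identical to the original."""
    start = image.find(MARK)
    if start < 0:
        return image
    saved = struct.unpack_from("<I", image, start + len(MARK))[0]
    return HEADER.pack(MAGIC, saved) + image[HEADER.size:start]


if __name__ == "__main__":
    program = build_program(b"host code: greet()")
    infected = infect(program)
    print(run(program))
    print(run(infected))
    print("cleaned == original:", clean(infected) == program)
```

The cleaner works only because this toy payload keeps a marker and a saved entry in a fixed layout; for a real sample those are exactly the things the reverse engineer has to recover before a repair routine can be written, which is the skill the cleaning slide refers to.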

20 Cont'd
Detection
- Virus signatures: storage patterns, execution patterns, transmission patterns
Prevention
- Don't share executables
- Use commercial software from reliable sources
- Test new software on isolated computers
- Open only safe attachments
- Keep a recoverable system image in a safe place
- Back up copies of executable system files
- Use virus detectors
- Update virus detectors often

21 Virus Effects and Causes
Virus effect: how it is caused
- Attach to executable: modify the file directory; write to the executable program file
- Attach to data/control file: modify the directory; rewrite data; append to data; append data to self
- Remain in memory: intercept an interrupt by modifying the interrupt handler address table; load self in a non-transient memory area
- Infect disks: intercept an interrupt; intercept an OS call (to format a disk, for example); modify a system file; modify an ordinary executable program
- Conceal self: intercept system calls that would reveal self and falsify the results; classify self as a "hidden" file
- Spread self: infect the boot sector; infect a systems program; infect an ordinary program; infect data an ordinary program reads to control its execution
- Prevent deactivation: activate before the deactivating program and block deactivation; store a copy to reinfect after deactivation

22 Virus vs. Worm
Both are malicious code.
- Virus: attaches itself to a host program and does harm
- Worm: a stand-alone, self-replicating program; consumes resources

23 Exploitation of Flaws: Targeted Malicious Code
Trapdoors
- Undocumented entry point in code
- Program stubs during testing
- Intentionally or unintentionally left: forgotten; left for testing or maintenance; left for covert access
Salami attack
- Merges inconsequential pieces to get big results
- A salami attack is a series of minor data-security attacks that together result in a larger attack. For example, fraud in a bank where an employee steals a small amount of funds from several accounts, i.e. deliberate diversion of fractional cents, is a salami attack.
- Too difficult to audit account by account
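The fractional-cents salami attack, and the reason it is hard to audit per account but visible in aggregate, can be simulated. The following Python is an added example, not from the slides: interest is computed exactly, each customer is credited with the amount truncated to whole cents, and the sub-cent remainders go either to the bank's rounding account (honest processing) or to an attacker-controlled account (the salami variant). The account names, balances, interest rate and the "MULE" account are all constructed for the demo, and the reconciliation rule is one a practitioner would write rather than any bank's actual control.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")


def constructed_accounts(n: int = 10_000) -> dict:
    """Deterministic sample balances (constructed, not real data)."""
    return {f"ACCT{i:05d}": Decimal(1000 + (i * 7919) % 250_000) / 100 for i in range(n)}


def post_interest(balances: dict, rate: Decimal, skim_to: str = None):
    """Credit each account with its interest truncated to whole cents.
    Honest processing books the truncated fractions to the bank's rounding
    account; the salami variant books them to `skim_to` instead.
    Returns (credits, rounding_account_total, skim_total)."""
    credits, rounding_bucket, skim = {}, Decimal(0), Decimal(0)
    for acct, bal in balances.items():
        exact = bal * rate
        credit = exact.quantize(CENT, rounding=ROUND_DOWN)
        credits[acct] = credit
        fraction = exact - credit            # always below 0.01: invisible per account
        if skim_to is None:
            rounding_bucket += fraction
        else:
            skim += fraction
    if skim_to is not None:
        credits[skim_to] = credits.get(skim_to, Decimal(0)) + skim.quantize(CENT, rounding=ROUND_DOWN)
    return credits, rounding_bucket, skim


def reconcile(balances: dict, rate: Decimal, credits: dict, rounding_bucket: Decimal):
    """Aggregate control: the exact interest liability must equal what the
    interest-bearing accounts were paid plus the rounding account.  A nonzero
    residual is leakage; any credit to an account with no interest basis is the
    likely destination."""
    exact_total = sum((bal * rate for bal in balances.values()), Decimal(0))
    paid_to_customers = sum((credits.get(a, Decimal(0)) for a in balances), Decimal(0))
    residual = exact_total - paid_to_customers - rounding_bucket
    orphans = {a: c for a, c in credits.items() if a not in balances}
    return residual, orphans


if __name__ == "__main__":
    accounts = constructed_accounts()
    rate = Decimal("0.00375")
    for label, target in (("honest", None), ("salami", "MULE")):
        credits, bucket, skim = post_interest(accounts, rate, skim_to=target)
        residual, orphans = reconcile(accounts, rate, credits, bucket)
        print(label, "skimmed:", skim.quantize(CENT), "residual:", residual, "orphans:", orphans)
```

No single account loses a whole cent, so a per-account statement check cannot see it; the aggregate residual equals the skimmed total and the orphan credit names the destination, which is why the control has to be a reconciliation of the whole posting run.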

24 Exploitation of Flaws: Targeted Malicious Code (cont'd.)
Covert Channels
- An example of a human/student covert channel (diagram)
- Programs that leak information: Trojan horse
- Discovery: analyze system resources for patterns; flow analysis from a program's syntax (automated)
- Difficult to close: not much documented; potential damage is extreme

25 File lock covert channel (diagram)
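The file-lock covert channel shown on this slide can be built in a few dozen lines. The following Python is an added example, not from the slides: a sender and a receiver share only a file that both may open read-only, no data is ever written, and one bit per time slot is signalled by whether the sender holds an exclusive flock (1) or not (0); the receiver samples the slot with a non-blocking lock attempt. It assumes Linux/BSD flock(2) semantics, where locks taken through separate open() calls conflict even within one process, and it uses two threading.Events as a stand-in for the agreed clock so the run is deterministic instead of sleep-timed; the message and the temporary file are constructed for the demo.

```python
import fcntl
import os
import tempfile
import threading


class LockChannel:
    """Sender and receiver share only a file both may open read-only; no data is
    ever written.  Per slot the sender holds an exclusive flock for a 1 bit and
    leaves the file unlocked for a 0 bit; the receiver probes with LOCK_NB.
    Two Events stand in for the agreed clock (assumption for determinism)."""

    def __init__(self, path: str, timeout: float = 5.0):
        self.path = path
        self.timeout = timeout
        self.slot_open = threading.Event()    # sender: "bit is in place"
        self.slot_done = threading.Event()    # receiver: "bit has been sampled"

    def _wait(self, ev: threading.Event) -> None:
        if not ev.wait(self.timeout):
            raise TimeoutError("peer went away")
        ev.clear()

    def send(self, message: bytes) -> None:
        fd = os.open(self.path, os.O_RDONLY)
        try:
            for byte in message:
                for shift in range(7, -1, -1):      # MSB first
                    bit = (byte >> shift) & 1
                    if bit:
                        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                    self.slot_open.set()
                    self._wait(self.slot_done)
                    if bit:
                        fcntl.flock(fd, fcntl.LOCK_UN)
        finally:
            os.close(fd)

    def receive(self, nbytes: int) -> bytes:
        fd = os.open(self.path, os.O_RDONLY)
        out = bytearray()
        try:
            for _ in range(nbytes):
                byte = 0
                for _ in range(8):
                    self._wait(self.slot_open)
                    try:
                        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                        fcntl.flock(fd, fcntl.LOCK_UN)
                        bit = 0                       # lock was free
                    except BlockingIOError:
                        bit = 1                       # sender holds it
                    byte = (byte << 1) | bit
                    self.slot_done.set()
                out.append(byte)
        finally:
            os.close(fd)
        return bytes(out)


def transfer(message: bytes) -> bytes:
    """Run sender and receiver concurrently over a throwaway file; return what leaked."""
    with tempfile.NamedTemporaryFile() as shared:
        chan = LockChannel(shared.name)
        received = {}
        rx = threading.Thread(target=lambda: received.setdefault("data", chan.receive(len(message))))
        rx.start()
        chan.send(message)
        rx.join(chan.timeout)
    return received.get("data", b"")


if __name__ == "__main__":
    print(transfer(b"secret"))
```

Nothing in file permissions or audit logs of writes shows the transfer, which is the point of the slide's "difficult to close": the only observables are lock timings, and finding them means looking at system resource usage for patterns, as the discovery bullet says.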

26 Race Conditions
In wu-ftpd v2.4
- Allows root access
- Signal handling
  - SIGPIPE: the handler changes EUID=user to EUID=root to log out the user and carry out privileged operations and file accesses; this takes some time
  - SIGURG: if it arrives during that window, the logout is interrupted and the command prompt is returned with EUID=root
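The race on this slide is a privileged window that a second signal can abort before the privilege drop. The following Python is an added example, not wu-ftpd's code: a constructed Session models the daemon's per-connection EUID, a SIGURG handler that raises an exception models the daemon's abort back to the command loop, and the process sends SIGURG to itself inside the window so the race is reproduced deterministically. The fixed variant shows the standard remedy, blocking the signal with pthread_sigmask for the whole privileged section and dropping privilege in a finally clause. It assumes a POSIX platform with SIGURG and is run from the main thread (Python installs signal handlers there only); EUID values and timings are constructed.

```python
import os
import signal
import time


class Session:
    """Constructed stand-in for one connection's state in a daemon that
    switches EUID between the logged-in user and root."""
    USER, ROOT = 1000, 0

    def __init__(self):
        self.euid = self.USER
        self.prompt_regained = False


def _sigurg_handler(signum, frame):
    # Models the daemon's SIGURG handler: abort the current operation and jump
    # back to the command loop.  The exception plays the role of that longjmp.
    raise InterruptedError("SIGURG: back to the command prompt")


def _privileged_logout_vulnerable(s: Session) -> None:
    s.euid = Session.ROOT                 # privilege raised for the logout bookkeeping
    os.kill(os.getpid(), signal.SIGURG)   # urgent data arrives exactly in the window
    time.sleep(0.05)                      # the slow privileged work; abort lands here
    s.euid = Session.USER                 # never reached when aborted


def _privileged_logout_fixed(s: Session) -> None:
    # Fix: keep SIGURG pending for the whole privileged window and make the
    # privilege drop unconditional, so an abort can only land afterwards.
    old_mask = signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGURG})
    try:
        s.euid = Session.ROOT
        try:
            os.kill(os.getpid(), signal.SIGURG)   # stays pending while blocked
            time.sleep(0.05)
        finally:
            s.euid = Session.USER                 # always restored
    finally:
        signal.pthread_sigmask(signal.SIG_SETMASK, old_mask)  # SIGURG delivered now
        time.sleep(0.01)                          # let the handler run before we return


def _run(logout) -> Session:
    """Install the handler, run one logout, report the EUID the 'prompt' comes back with."""
    s = Session()
    previous = signal.signal(signal.SIGURG, _sigurg_handler)
    try:
        logout(s)
    except InterruptedError:
        s.prompt_regained = True
    finally:
        signal.signal(signal.SIGURG, previous)
    return s


def run_vulnerable() -> Session:
    return _run(_privileged_logout_vulnerable)


def run_fixed() -> Session:
    return _run(_privileged_logout_fixed)


if __name__ == "__main__":
    v, f = run_vulnerable(), run_fixed()
    print("vulnerable: prompt regained with EUID", v.euid)
    print("fixed:      prompt regained with EUID", f.euid)
```

In both runs the "prompt" comes back, because the abort is still delivered; the difference is that in the fixed run it is delivered only after the privilege drop has executed, so the returned EUID is the user's rather than root's.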
