Malware and Modern Propagation Techniques

Describes malware and provides an overview of traditional and modern propagation techniques. This includes obfuscation, polymorphism, DDNS, etc.

Published in: Technology

  1. Malware and Modern Propagation Techniques
     Joseph Bugeja, Information Security Manager/Architect
     December 01, 2013
  2. Categorization of Malware
     • Malware, or malicious code, is defined as “software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an [Information System]” (CNSS 4009)
     • Virus
       – Replicates by attaching its program instructions to an ordinary “host” program or document, so that the virus instructions are executed when the host program is executed
       – E.g. File, Boot Sector, Macro, Email, RFID viruses
  3. Categorization of Malware
     • Network Worms
       – Self-propagating program that spreads over a network, usually the Internet
       – Unlike viruses, may not depend on other programs or victim actions for replication, dissemination or execution
       – E.g. Email, IM, IRC, Web/Internet, P2P worms
     • Trojan Horse and Spyware
       – Destructive program that masquerades as a benign program
       – Can be controlled remotely
       – E.g. Backdoor, Data-Collecting, Downloader/Dropper, Rootkit, Bot, Tracking Cookies
  4. Categorization of Malware
     • Blended Attacks
       – E.g. Using worms as a delivery mechanism for other malware types
     • Embedded Malicious Code
       – E.g. Logic bomb, Time bomb
     • Crimeware
       – E.g. Clicker, Session hijacker, Email redirector
     • DoS and DDoS Tools
       – E.g. Flooder, Nuker
     • Malware Constructors
       – E.g. VirTool, Cryptographic Obfuscators
     • Other Hacker Tools and Programmed Exploits
       – E.g. Dialers
  5. Propagation Techniques - Traditional
     • Social Engineering
       – Oldest and still the most effective method
       – Violates human trust relationships by crafting stories
       – Ambiguous filenames entice unsuspecting victims to kick off the infection process
     • File Execution
       – Most straightforward method for malware infection
       – Foundation for all malware
       – Popular file types include .flv, .doc, .ppt, .xls, .exe, .pdf, .bat
       – Files delivered through social engineering techniques, P2P networking, file sharing, email or nonvolatile memory device transfers
  6. Propagation Techniques - Metamorphism
     • Metamorphic Malware
       – Changes as it reproduces or propagates, making it difficult to identify using signature-based antivirus or malicious software removal tools
       – Does not completely alter its code
     • Polymorphism
       – Self-replicating malware that takes on a different structure than the original
  7. Propagation Techniques - Metamorphism
     • Polymorphism (continued)
       – Can create an unlimited number of new decryptors that can all use different encryption methods
       – Detection is extremely hard
     • Oligomorphic
       – Poor man's polymorphic engine
       – Selects a decryptor from a set number of predefined alternatives
       – Cannot change the encrypted base code
  8. Propagation Techniques - Obfuscation
     • Archivers
       – ZIP, RAR, CAB and TAR utilities
       – Need to be unpacked/installed on the victim's host
       – Easily detectable by modern antivirus scanners
     • Encryptors
       – Core code is encrypted and compressed
       – Hard to analyze
       – Recent implementations use public key encryption
     • Packers
       – An encryption module used to obfuscate the actual main body of code that executes the true functionality of the malware
  9. Propagation Techniques - Obfuscation
     • Packers (continued)
       – Lots of packers publicly and privately available
       – Generally protect executables and DLLs without the need for any preinstalled utils
       – Can provide a robust set of features – detect VMs, generate exceptions, insert junk instructions, etc.
       – Everything runs in-process, in memory
       – Can be very difficult to detect and analyze
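Because encryptors and packers leave the real code compressed or encrypted inside the file, the byte distribution of the protected section is close to uniform, and Shannon entropy per section is a common first triage signal. The following is an added example (not from the deck): a minimal entropy check over a constructed dict of section name to bytes; the section names, the sample bytes and the 7.2 bits/byte threshold are assumptions chosen for illustration, not a real PE parser or a calibrated cut-off.

```python
"""Entropy triage for packed/encrypted sections (added example, not from the slides)."""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.2  # bits/byte; assumed triage cut-off, tune against your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections):
    """Map section name -> (entropy rounded to 3 places, flagged?) for a dict of name -> bytes."""
    result = {}
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        result[name] = (round(h, 3), h >= PACKED_THRESHOLD)
    return result


def looks_packed(sections) -> bool:
    """True when any section is at or above the threshold (a hint to unpack before static analysis)."""
    return any(flagged for _, flagged in triage_sections(sections).values())


def sample_sections():
    """Constructed sample: a repetitive code-like section and a pseudo-random 'packed' one."""
    # Ten distinct byte values repeated 400 times: entropy is exactly log2(10), about 3.32 bits/byte.
    plain = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 400
    rng = random.Random(2013)  # fixed seed keeps the example deterministic
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed/encrypted code
    return {".text": plain, ".packed": packed}
```

High entropy alone is not proof of packing: embedded images, certificates and legitimately compressed resources score just as high, so the flag marks a file for unpacking and closer analysis rather than a verdict.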
  10. Propagation Techniques - Obfuscation
     • Network Encoding
       – Sneak past boundary protection systems through HTTP/HTTPS channels
       – XOR/XNOR are simple encryption engines that change information at rest or on-the-fly
  11. Propagation Techniques – DDNS and Fast Flux
     • Dynamic Domain Name Services (DDNS)
       – DNS where the domain name to IP resolution can be updated in real-time, typically within minutes
       – IP address of the compromised host could be anywhere and move at any moment
       – Domain caching can be limited to a very short period of time
     • Fast Flux
       – Used by various botnets, malware and phishing schemes
       – Delivers content and command/control (C2) through a constantly changing network of proxied compromised hosts
  12. Propagation Techniques – DDNS and Fast Flux
     • Fast Flux (continued)
       – Similar to DDNS but it is much faster and much harder to catch the malware mastermind
       – Single-Flux:
         • Associates a single DNS A (address) record for a single DNS entry and produces a fluctuating list of destination addresses for a single domain name (can be 1000s of entries)
         • Typically, very short TTL records
       – Double-Flux:
         • Similar to Single-Flux but the multiple hosts are name servers and register/deregister NS records that produce lists for the DNS zone
         • More difficult to implement
  13. Propagation Techniques – DDNS and Fast Flux
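The single-flux and double-flux properties above (very short TTLs, a large changing pool of A-record addresses, and for double-flux a changing set of NS records) are what a resolver-log or passive-DNS monitor looks for. The following is an added example, not part of the deck: a heuristic classifier over a constructed history of resolver snapshots for one domain; the `Snapshot` type, the thresholds and the documentation-range sample addresses are assumptions made for illustration.

```python
"""Heuristic single-/double-flux scoring over polled DNS snapshots (added example)."""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    a_records: set                                 # IPs answered for the domain at this poll
    ttl: int                                       # TTL in seconds on those A records
    ns_records: set = field(default_factory=set)   # NS hosts for the zone at this poll


# Thresholds are assumptions for this example, not figures from the slides.
SHORT_TTL = 300        # seconds; flux zones rely on very short TTLs to defeat caching
MIN_DISTINCT_IPS = 10  # distinct A-record addresses seen across all polls
MIN_DISTINCT_NS = 4    # distinct NS hosts seen across all polls


def _churn(snapshots, attr):
    """Number of consecutive polls whose record set differs from the previous one."""
    pairs = zip(snapshots, snapshots[1:])
    return sum(1 for prev, cur in pairs if getattr(prev, attr) != getattr(cur, attr))


def classify(snapshots):
    """Return 'double-flux', 'single-flux' or 'stable' for one domain's poll history."""
    if len(snapshots) < 2:
        return "stable"  # change cannot be observed from a single poll
    all_ips = set().union(*(s.a_records for s in snapshots))
    all_ns = set().union(*(s.ns_records for s in snapshots))
    short_ttl = all(s.ttl <= SHORT_TTL for s in snapshots)
    # Single-flux: short TTLs plus a large, changing pool of A-record addresses.
    if not (short_ttl and len(all_ips) >= MIN_DISTINCT_IPS and _churn(snapshots, "a_records")):
        return "stable"
    # Double-flux: the NS records for the zone fluctuate as well.
    if _churn(snapshots, "ns_records") and len(all_ns) >= MIN_DISTINCT_NS:
        return "double-flux"
    return "single-flux"


# Constructed poll histories using documentation address ranges, not real infrastructure.
def sample_stable():
    return [Snapshot({"192.0.2.10", "192.0.2.11"}, 86400, {"ns1.example.net"}) for _ in range(5)]


def sample_single_flux():
    return [Snapshot({f"198.51.100.{3 * i + j}" for j in range(3)}, 120,
                     {"ns1.example.net", "ns2.example.net"}) for i in range(5)]


def sample_double_flux():
    return [Snapshot({f"203.0.113.{3 * i + j}" for j in range(3)}, 60,
                     {f"ns{2 * i + k}.example.net" for k in range(2)}) for i in range(5)]
```

Content delivery networks also answer with short TTLs and many addresses, so in practice the score is combined with address diversity across networks and domain age before a domain is blocked.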
  14. Thank You! Thanks for Listening!
     Joseph Bugeja