The first (real) section of the CompTIA Security+ All-in-One Exam Guide covers “Threats, Attacks and Vulnerabilities.” The first chapter of this section is about malware, and indicators of compromise (IOC). You can find the intro blog post here.
The objective for this chapter is to:
Given a scenario, analyze indicators of compromise and determine the type of malware.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Types of Malware
First off, what is malware? Malware refers to software that has been designed for some nefarious purpose. Or at least, that’s the definition provided. Such purposes could be damaging data, or a system, or granting unauthorized access, and so on.
The point of this chapter is to differentiate types of malware based on indicators of compromise. This chapter does not go into great detail. At most, there’s only two paragraphs dedicated to each type.
Malware causes damage to computers, and thus, we want to detect and prevent it. Such anti-malware programs look for a “signature.” This signature is a type of marker in the malware code that gives clues into its behavior and what type of malware it is. As mentioned earlier, this chapter is brief. For a more in-depth forensics certification, check out the GIAC Certified Forensic Analyst (GCFA) cert.
Anyway, malware authors can avoid detection by writing polymorphic malware. Poly means many, and morphic means having forms. In other words, polymorphic malware changes forms by changing its code after each replication. This makes the “signature” (and thus, the fact that the code is malicious) more difficult to detect.
A virus is a piece of malicious code that “replicates itself by attaching itself to another piece of executable code.” When that executable code is run, the virus can spread and/or perform other malicious actions. The book later differentiates worms from viruses by saying that viruses need human interaction to spread.
Searching for news stories about “viruses” return a deluge of results. Viruses are both common, and a commonly used phrase (over a more specific technical term). A more cynical person might say that “virus” is also a catch-all phrase for unsolved computer issues. In the last week, one can find news stories about viruses disrupting things in Ulster (NY), Anniston (AL), Beatrice (NE), West Tisbury (MA), and so on.
A subsection of the virus part of this chapter; armored viruses are viruses that encrypt or otherwise obfuscate their source code. This makes it more difficult to reverse engineer.
One of many overlapping categories in this section…. crypto-malware is malware that encrypts files on a system (without being authorized to do so). This leaves the files unusable, sometimes permanently, sometimes until a ransom is paid (which would make it ransomware as well).
Confusingly, “crypto” now also means cryptocurrency (disagree). As a result, you can find news stories about crypto-malware blocking by Firefox and others. In this case, it means the prevention of malware that helps attackers mine cryptocurrency. This type of malware is also called crypto-jacking. Even more confusing is the Fbot botnet that uninstalls cryptojacking malware.
Ransomware is a “form of malware that performs some action and extracts ransom from a user.” Many of these categories overlap with one another, and ransomware is one such example. If malware in another category demands money from the user to reverse damage or prevent future damage, then it’s also considered ransomware.
Recent events have shown ransomware as increasingly common. The examples above (WannaCry, NotPetya, etc) in the crypto-malware section also qualify as ransomware. In the last year, various US cities have been hit with ransomware (notably: Atlanta).
Worms are similar to viruses in that they try to “penetrate networks and computer systems… [and then] create a new copy of itself on the penetrated system.” However, worms don’t need to attach to another piece of code to reproduce (unlike a virus).
The book phrases the difference as viruses being system-based problems, and worms are network-based. “Worms act like a virus but also have the ability to travel without human action” and “can survive on its own.”
Phorpiex, which sounds kind of like a Pokemon character, is a worm + botnet combo that’s back in the news for spreading ransomware. XNet is another such worm + botnet + ransomware combination. WannaMine is a crypto-mining worm that continues to spread.
A trojan horse is named after the story of the Greeks using a wooden horse to sneak soldiers inside of the city of Troy. So, a trojan is a piece of software that appears to do (or actually does) one thing, while also hiding some other (malicious) functionality. A trojan is a standalone program and is installed by an authorized user, much like the Trojan horse was brought inside the city walls by its citizens.
Mentioned later in this blog post is Adwind RAT. Other recent news stories about trojan malware include OilRig, which has attacked Middle-Eastern governments. In Brazil, CamuBot is stealing banking info from users. Lastly, Kronos has a new variant called Osiris. Apparently all malware authors are huge fucking nerds.
Rootkits are “a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality.” The book notes that rootkits have a legitimate history in UNIX OSes. Originally, they were admin tools used to deal with crashes or unresponsiveness.
A rootkit can do anything an operating system can do. This means they have a lot of power to do malicious activity (keylogging, backdoors, etc.). It also means that they have great ability to cover up said malicious activity and avoid detection. They can do this by hiding files, affecting app performance, and so on.
There are different types of rootkits affecting different levels of operation. These include firmware, virtual, kernel, library and application levels.
Russia’s Fancy Bear hackers are back in the news with a rootkit vulnerability. This one is called “LoJax” and it uses the LoJack (formerly Computrace) functionality meant to help you find your laptop in the event of theft.
A keylogger is software that logs all the keystrokes typed by a user. Sometimes this is legitimate; for example, you want Microsoft Word to capture all your keystrokes and turn them into a document. Keyloggers become malware when they are unknown to a user, and not under the user’s control.
In the news, Virobot is a all-in-one example of a botnet, ransomware and keylogger. Despite targeting folks in the US, the ransomware message is in French… bonne chance, y’all). Earlier this summer, there was a story about employees of financial institutes being targeted with keyloggers. Keylogging is also an issue for mobile devices, as shown in stories about Android malware (MysteryBot and LokiBot), and infected apps being removed from the Google play store.
Adware is software that supports itself through advertising. So it might be free to the user, but finances itself through paid advertising spots. Often, the user is aware of this agreement, so it’s okay, albeit kind of annoying. However, this part of the chapter is talking about malware that presents “unwanted ads” (as though that doesn’t cover all ads?). Think of pop-ups or cascading windows.
Spyware is software that “spies” on its user(s), by recording and/or reporting their activities. This could include keylogging, recording how a user uses a program, browser history, etc.
There’s quite a bit of “authorized” spyware out there aimed at parents who want to make sure that their kids aren’t up to anything bad. In my opinion, it’s unhealthy from both a security and an interpersonal perspective (in terms of boundaries, privacy, trust, etc). The same goes for spyware for people to spy on their partners.
Recently, malware called “OwnMe” has been targeting WhatsApp users, prompting fear that conversations and browsing history, although the code doesn’t seem to be fully implemented.
A bot is a piece of software that acts under the control of another program. A series of such bots is called a botnet. Botnets can be used for anything from bitcoin mining to distributed computing projects (like SETI) to DDoSing.
Bots are a hot topic these days. Usage ranges from customer service to swaying political opinions. There are also new botnets, including Torii. Meanwhile, the Mirai botnet authors are working for the FBI.
RAT stands for remote-access trojan. A RAT is a “toolkit designed to provide the capability of convert surveillance and/or the capability to gain unauthorized access to a target system.” Wikipedia describes it as " is a type of malware that controls a system through a remote network connection.” RATs can allow malicious operators to gain nearly unlimited access to a system, “as if by physical access.”
A recent example of a RAT is the Adwind RAT. The latest versions target cryptocurrency information, and are also able to bypass most anti-virus software. There’s also Parasite HTTP, another RAT that is able to avoid detection. There’s LuminosityLink, where a software dev sold a RAT to 6,000 people under the guise of it being a legitimate admin tool. Lastly, there’s DarkComet, whose developer stopped working on it after evidence of abuse in Syria.
Logic Bombs are malware that remain dormant for a period of time until triggered. They can be triggered by an event, or a specific date/time. Think of a disgruntled IT person who leaves the company, and a few weeks later, a bunch of files mysteriously become deleted. Logic bombs are a lesson that monitoring is necessary, and not just for active threats. Additionally, always always always keep backups.
There is a recent logic bomb story in the press. An army contractor will get two years in prison and be fined $1.5 million dollars for sabotaging US Army servers with a logic bomb.
Backdoors, like some of the other malware types, do have some legitimate uses. For example, software developers might install a backdoor to reset a password. Backdoors with hardcoded credentials are a security vulnerability in themselves. You can also have malware (like the RATs mentioned earlier) that provide a backdoor into a system.
The word backdoor, then, also describes malware that allow attackers to gain unauthorized access to a system even after the initial access method is blocked.
An older example of a backdoor is “Back Orifice” (check out the Wikipedia page for its lovely logo).
More recently (end of Sept 2018), Cisco admitted to adding a backdoor to its video surveillance software. There are also cases of governments asking for backdoors in software, including the US, UK and its allies, and China. As to whether these constitute “unauthorized” access is likely up to years of court battles.
Indicators of Compromise
Indicators of Compromise, or IOCs, “are indications that a system has been compromised by authorized activity.” The behavior of a system after being infected with malware gives forensics clues into the type of malware. Further digital forensics could help determine where the malware came from, how it got on the system, who made it, etc.
The book has a long list of IOCs. I’ve listed them here in groups, with specific items as examples of unusual behavior:
- Network traffic: including unusual outbound traffic, geographical irregularities, unusual DNS requests, mismatched port-application traffic, web traffic with non-human behavior, signs of DDoSing, etc.
- Accounts: including anomalies in privileged user account activity, account login red flags, mobile device profile changes, etc.
- Data: including large database read volumes, HTML response sizes, large numbers of requests for the same file, suspicious registry or system file changes, bundles of data in the wrong place, unexpected patching of systems, etc.