Malware and Social Engineering Attacks
Dr. Abid Rauf
Security+ Guide to Network Security Fundamentals, Fifth Edition
By Mark Ciampa
The Great Bank Robbery: the Carbanak APT
• Multinational gang of cyber criminals
• $1 billion stolen
– Hacking different banks and stealing between $2.5 million and approximately
$10 million from each bank
– Each bank robbery took between 2 and 4 months, from infecting the
first computer to cashing the money out
– The criminals used Carbanak malware to infect the bank’s network,
giving them access to the employees’ computers
– This let the criminals see and record everything that happened on
the screens of staff who serviced the cash transfer systems
– This way they got to know every last detail of the bank clerks’
work, enabling the criminals to mimic the staff to transfer the money
and cash out
https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/
The Great Bank Robbery: the Carbanak APT
The email attachments exploit vulnerabilities in Microsoft Office
2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and
Microsoft Word (CVE-2014-1761). Once the vulnerability is
successfully exploited, the shellcode decrypts and executes the
backdoor known as Carbanak.
Remote Code Execution
• CVE-2014-1761 (zero day) allows remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via crafted RTF (Rich Text Format) data
More details: https://stopmalvertising.com/malware-reports/a-closer-look-at-cve-2014-1761.html
Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with
the file attributes: system, hidden and read-only. The original file created by the
exploit payload is then deleted.
https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/
Carbanak – Technical Analysis
• CARBANAK is a full-featured backdoor with data-stealing
capabilities and a plugin architecture.
• Some of its capabilities include:
– key logging
– desktop video capture
– VNC (Virtual Network Computing)
– HTTP form grabbing
– file system management
– file transfer
– TCP tunneling
– HTTP proxy
– OS destruction
– Outlook data theft
– reverse shell
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
Carbanak – Monitoring threads
Malware
CompTIA Security+ Guide to Network Security 9
Attacks Using Malware
• Malicious software (malware)
– Enters a computer system:
• Without the owner’s knowledge or consent
– Delivers a malicious “payload” that performs a harmful
function once it is invoked
• Malware is a general term that refers to a wide
variety of damaging or annoying software
What does malware do?
Potentially nearly anything (subject to permissions)
• Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!”
• Destroy: files, hardware
• Crash the machine, e.g., by over-consuming resources
Fork bombing or “rabbits”: while(1) { fork(); }
• Steal information (“exfiltrate”)
• Launch external attacks: spam, click fraud, DoS
• Ransomware: e.g., by encrypting files
• Rootkits: Hide from user or software-based detection
Often by modifying the kernel
• Man-in-the-middle attacks to sit between UI and reality
Attacks Using Malware
• Malware can be classified by the primary trait that
the malware possesses:
– Circulation - spreading rapidly to other systems in order to
impact a large number of users
• By using the network to which all the devices are connected,
through USB flash drives that are shared among users, or by
sending the malware as an email attachment
• Malware can be circulated automatically or it may require an
action by the user
Attacks Using Malware
• Infection - how it embeds itself into a system
• Some malware attaches itself to a benign program while
other malware functions as a stand-alone process.
• Concealment - avoid detection by concealing its
presence from scanners
• Payload capabilities - what actions the malware
performs
– Steal password
– Delete data
– Modify system security settings
– Participate in DDoS
Circulation/Infection
• Three types of malware have the primary traits of
circulation and/or infection:
– Viruses
– Worms
– Trojans
Viruses
• Viruses perform two actions:
– Unloads a payload to perform a malicious action
– Reproduces itself by inserting its code into another
file on the same computer
• Examples of virus actions
– Cause a computer to repeatedly crash
– Erase files from or reformat hard drive
– Turn off computer’s security settings
– Reformat the hard disk drive
Viruses
• Viruses cannot automatically spread to another
computer
– Relies on user action to spread
• Viruses are attached to files (autorun.exe on
storage devices, email attachments)
• Viruses are spread by transferring infected files
Viruses
• Computer virus - malicious computer code that
reproduces itself on the same computer
• Program virus - infects an executable program file
• Macro - a series of instructions that can be
grouped together as a single command
– Common data file virus is a macro virus that is
written in a script known as a macro
Lab task
• Embed a script in an MS Word or MS Excel document to perform
some action at the time when the document is
loaded. The performed action should be safe and
not malicious.
• Bring this in next class
Detecting the virus
• Signature-based detection - compares the content
of a file to a dictionary of known virus signatures
Detecting the virus
• Behavior-based Detection- Behavior-based
malware detection evaluates an object based on its
intended actions before it can actually execute that
behavior.
• Some examples include any attempt to discover a
sandbox environment, disabling security controls,
installing rootkits, and registering for autostart.
Instead, the virus seeks to a random location in the host program and overwrites
the file with itself at that location.
Virus infection methods:
• Appender infection - virus appends itself to the end of a file
– Easily detected by virus scanners
Encrypted virus
• This technique neutralizes all signatures that
were created based on patterns found in the
payload, since the payload is only decrypted
when running.
• Its idea was to hide the fixed signatures by
scrambling the virus therefore making it
unrecognizable by the virus scanner.
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/malware-vs-antivirus-the-never-ending-story-part-i/
Encrypted virus
• Encrypt your payload and use a decryptor at the
beginning of the code. When the code is executed, the
decryptor will decrypt the payload, which will carry out
its malicious mission.
• After that, the decryptor will re-encrypt the payload with
a different key.
Encrypted virus
• Of course, an AV could simply scan the system’s
memory to look for it, and while some may do that, it is
generally avoided because of the colossal resource
cost.
• The main approach to counter classic encrypted
malware is a signature based on the decryptor, which
remains the same throughout the sample’s activities.
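A toy signature scanner, added here as an example and not taken from the slides or from the blog cited above, run against a plain sample, the same sample with its payload encrypted behind a constant decryptor stub, that sample after re-encryption under a new key, and the in-memory image after the decryptor has run. It shows why payload signatures stop matching on disk, why a memory scan would still see the payload, and why a signature on the unchanging decryptor keeps working. PAYLOAD, STUB, the one-byte XOR scheme and the sample layout are constructed stand-ins, not bytes from any real virus.

```python
"""Added example (not from the slides): a toy signature scanner run against
(1) a plain sample, (2) the same sample with its payload encrypted behind a
constant decryptor stub, (3) that sample after re-encryption under a new
key, and (4) the in-memory image after decryption. PAYLOAD, STUB and the
XOR scheme are constructed stand-ins for this example, not real virus bytes."""

PAYLOAD = b"toy payload: the bytes a scanner once fingerprinted"
STUB = b"\x8b\x4d\x08\x31\xd2\x31\x08"   # constructed stand-in for a decrypt loop

SIGS_PAYLOAD = {"toy.payload": PAYLOAD}     # signature taken from the payload
SIGS_STUB = {"toy.decryptor": STUB}         # signature taken from the decryptor


def xor_bytes(data, key):
    """Single-byte XOR, the toy 'encryption'. XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def build_sample(key):
    """Layout used here: constant stub, one key byte, payload XORed with that key.
    Key 0 leaves the payload in the clear, standing in for the unencrypted virus."""
    return STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def re_key(sample, new_key):
    """Model the step 'the decryptor re-encrypts the payload with a different key'."""
    old_key = sample[len(STUB)]
    plain = xor_bytes(sample[len(STUB) + 1:], old_key)
    return STUB + bytes([new_key]) + xor_bytes(plain, new_key)


def in_memory_image(sample):
    """What the running sample looks like once its decryptor has run: the payload
    in the clear. A memory scan sees this; a scan of the file on disk does not."""
    return xor_bytes(sample[len(STUB) + 1:], sample[len(STUB)])


def scan(data, signatures):
    """Signature-based detection: names of every signature found verbatim in data."""
    return [name for name, sig in signatures.items() if sig in data]


def demo():
    plain = build_sample(0)
    enc = build_sample(0x5A)
    mutated = re_key(enc, 0xC3)
    return {
        "plain/payload_sig": scan(plain, SIGS_PAYLOAD),
        "encrypted/payload_sig": scan(enc, SIGS_PAYLOAD),
        "mutated/payload_sig": scan(mutated, SIGS_PAYLOAD),
        "memory_image/payload_sig": scan(in_memory_image(enc), SIGS_PAYLOAD),
        "encrypted/stub_sig": scan(enc, SIGS_STUB),
        "mutated/stub_sig": scan(mutated, SIGS_STUB),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case:26s} -> {found or 'no match'}")
```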
Viruses
Classic example: encrypt the virus code, then divide the decryption
engine into different pieces and inject these pieces throughout the
infected program code
Attacks Using Malware
• Attackers can mask the presence of their malware
by having it “mutate” or change (in form or nature)
• Three types of mutating malware:
– Oligomorphic malware
– Polymorphic malware
– Metamorphic malware
Oligomorphic malware
– Changes its internal code to a predefined mutation
whenever executed
The first malware known to use this technique was the Whale virus in 1990.
It carried with it a few dozen decryptors and would randomly choose one to encrypt
itself as it spread to a new file.
Polymorphic and metamorphic viruses
Polymorphic virus using a mutation engine
Metamorphic viruses
Every time the virus propagates, generate a
semantically different version of the code
• Higher-level semantics remain the same
• But the way it does it differs
- Different machine code instructions
- Different algorithms to achieve the same thing
- Different use of registers
- Different constants, ...
ILOVEYOU virus
• e-mail note with "I LOVE YOU" in the subject line
• contains an attachment (VB script) that, when
opened, results in the message being re-sent to
everyone in the recipient's Microsoft Outlook
address book
• It then overwrites (and thus destroys) all files of the
following file types: JPEG, MP3, VPOS, JS, JSE,
CSS, WSH, SCT and HTA.
• Copycat variations with subject lines: "JOKE",
"Mother's Day!", "VIRUS ALERT!!!" (posing as a
virus fix from Symantec)
ILOVEYOU virus
• Caused damages totalling an estimated $10 billion.
• 10% of the world’s Internet-connected computers were believed
to have been infected.
Worms
• Worm – standalone malicious program that uses a
computer network to replicate (primary purpose to
spread)
– Sends copies of itself to other network devices
• Worms may:
– Consume resources or
– Leave behind a payload to harm infected systems
• Examples of worm actions
– Deleting computer files
– Allowing remote control of a computer by an attacker
Controlling millions of hosts: How?
• Worm: self-propagates by arranging to have itself
immediately executed
• At which point it creates a new, additional
instance of itself
• Typically infects by altering running code
• No user intervention required
• The key is parallelization
• Without being triggered by human interaction!
CodeRed Worm 2001
(buffer overflow vulnerability)
• Exploited overflow in MS-IIS server
• At peak, more than 2000 new infections/minute
• Spread by randomly scanning the entire 32-bit IP
address space
• Once it has infected a system, it multiplies itself
and it begins scanning random IP addresses at
TCP port 80 looking for other IIS servers to
infect
https://www.sans.org/reading-room/whitepapers/malicious/code-red-worm-45
Example
The worm's payload is the string following the last 'N'. Due to a buffer overflow,
a vulnerable host interprets this string as computer instructions, propagating the
worm.
CodeRed Worm 2001 (cont.)
https://en.wikipedia.org/wiki/Code_Red_(computer_worm)
CodeRed Worm 2001 (cont.)
• If c:\notworm is found, do nothing;
otherwise:
• Create new threads (i.e. 100 threads)
– 99 threads attempt to exploit more systems by
targeting random IP addresses, if the date is before
the 20th of the month
– The 100th thread of the worm code defaces the web
server’s homepage
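Two defender-side checks for the propagation behaviour described on these Code Red slides, added here as an example and not taken from the slides or the cited write-ups: scanning_sources() flags a host that opens TCP/80 connections to many distinct addresses in a short window, which is what random address-space scanning looks like from the network, and suspicious_requests() flags web requests whose URI carries a long run of 'N', the filler the slide says precedes the worm's payload. The thresholds, the flow and log record formats, the request path and all records are assumptions constructed for this example.

```python
"""Added example (not from the slides): two defender-side checks for the
propagation behaviour described above. Thresholds, the flow and log formats,
the request path and every record are assumptions constructed for this example."""
import re
from collections import defaultdict

# Constructed flows: (timestamp_s, src_ip, dst_ip, dst_port). 10.0.0.5 touches
# 60 distinct TEST-NET addresses in one minute; 10.0.0.9 just browses two sites.
FLOWS = [(i, "10.0.0.5", f"192.0.2.{i}", 80) for i in range(60)] + [
    (0, "10.0.0.9", "198.51.100.10", 80),
    (20, "10.0.0.9", "198.51.100.11", 443),
    (40, "10.0.0.9", "198.51.100.10", 80),
]


def scanning_sources(flows, port=80, window=60, fanout=40):
    """Map src_ip -> distinct destination count for every source that reached
    at least `fanout` distinct addresses on `port` within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window over time-ordered events
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= fanout:
                flagged[src] = len(dsts)
                break
    return flagged


# Constructed IIS-style request lines: "client method uri status".
REQUESTS = [
    "10.0.0.9 GET /index.htm 200",
    "10.0.0.9 GET /images/logo.gif 200",
    "10.0.0.5 GET /example.ext?" + "N" * 200 + "payload-bytes-elided 200",
]


def suspicious_requests(lines, min_run=64):
    """Return (client, run_length) for every request whose URI holds a run of
    at least `min_run` consecutive 'N' characters."""
    run = re.compile(r"N{%d,}" % min_run)
    found = []
    for line in lines:
        client, _method, uri, _status = line.split(" ", 3)
        m = run.search(uri)
        if m:
            found.append((client, m.end() - m.start()))
    return found


if __name__ == "__main__":
    print(scanning_sources(FLOWS))
    print(suspicious_requests(REQUESTS))
```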
Trojans
• Trojan horse (Trojan) - an executable program
that does something other than advertised
– Contain hidden code that launches an attack
– Sometimes made to appear as data file
• Example
– User downloads “free calendar program”, “Fake
antiviruses”
• Program scans system for credit card numbers and
passwords
• Transmits information to attacker through network
ZEUS Trojan
• Zeus is often used to steal banking information by man-
in-the-browser keystroke logging and form grabbing.
• It is also used to install the CryptoLocker ransomware.
• Zeus is spread mainly through drive-by downloads and
phishing schemes.
• Zeus is very difficult to detect even with up-to-date
antivirus and other security software, as it hides
itself using stealth techniques.
Payload Capabilities
• The destructive power of malware can be found in
its payload capabilities
• Primary payload capabilities are to:
– Collect data
– Delete data
– Modify system security settings
– Launch attacks
Collect Data
• Different types of malware are designed to collect
important data from the user’s computer and make
it available to the attacker
• This type of malware includes:
– Spyware
– Adware
– Ransomware
Collect Data
• Spyware - software that gathers information without
user consent
– Uses the computer’s resources for the purposes of
collecting and distributing personal or sensitive
information (including the sites you visit, the things you
download, your usernames and passwords, payment
information, and the emails you send and receive)
How do I get spyware?
• Accepting a prompt or pop-up without reading it first
• Downloading software from an unreliable source
• Opening email attachments from unknown senders
• Pirating media such as movies, music, or games
Collect Data
• Keylogger - captures and stores each keystroke
that a user types on the computer’s keyboard
– Attacker searches the captured text for any useful
information such as passwords, credit card numbers,
or personal information
Collect Data
• A keylogger can be a small hardware device or a
software program
– As a hardware device, it is inserted between the
computer keyboard connection and USB port
– Software keyloggers are programs installed on the
computer that silently capture information
• An advantage of software keyloggers is that they do
not require physical access to the user’s computer
– Often installed as a Trojan or virus, can send
captured information back to the attacker via Internet
Hardware keylogger
Hardware keyloggers are often installed on public access computers,
such as those in a school’s open computer lab or a public library.
Collect Data
• Adware - program that delivers advertising content
in manner unexpected and unwanted by the user
– Typically displays advertising banners and pop-up
ads
– May open new browser windows randomly
• Adware can also perform tracking of online activities
– Information is gathered by adware and sold to
advertisers
Malvertising
• Malvertising, or malicious advertising, is the use of online
advertising to distribute malware with little to no user interaction
required.
• You could be researching business trends on a site like
NYTimes.com and, without ever having clicked on an ad, be in
trouble.
• A tiny piece of code hidden deep in the ad directs your computer to
criminal servers. These servers catalog details about your
computer and its location, and then select the “right” malware for
you.
• The problem is simple. Malvertising has gone unchecked because
of the current lax conditions and low barrier for entry to ad
networks.
https://blog.malwarebytes.com/101/2015/02/what-is-malvertising/
Ransomware
• Ransomware - prevents a user’s device from
properly operating until a fee is paid
– Is highly profitable
– Nearly 3 percent of those users who have been
infected pay the ransom without questions,
generating almost $5 million annually
How do I get ransomware?
• through malicious spam, or malspam, which is unsolicited email that is
used to deliver malware.
• Malspam uses social engineering in order to trick people into opening
attachments or clicking on links by appearing as legitimate
https://www.malwarebytes.com/ransomware/
Collect Data (Ransomware)
Scareware, as it turns out, is not that scary. It includes rogue security
software and tech support scams. You might receive a pop-up message
claiming that malware was discovered and the only way to get rid of it is to
pay up.
Collect Data (Ransomware)
Screen lockers: Upgrade to terror alert orange for these guys. When lock-
screen ransomware gets on your computer, it means you’re frozen out of
your PC entirely. Upon starting up your computer, a full-size window will
appear, often accompanied by an official-looking FBI or US Department of
Justice seal saying illegal activity has been detected on your computer and
you must pay a fine.
Collect Data (Ransomware)
Encrypting ransomware: This is the truly nasty stuff. These are the guys who
snatch up your files and encrypt them, demanding payment in order to decrypt
and redeliver. The reason why this type of ransomware is so dangerous is because
once cybercriminals get ahold of your files, no security software or system restore
can return them to you. Unless you pay the ransom—for the most part, they’re
gone. And even if you do pay up, there’s no guarantee the cybercriminals will
give you those files back.
Collect Data (Ransomware)
KeRanger, the first true Mac ransomware.
The fact that this malware will encrypt external drives and connected network volumes means that it could
encrypt backups, including Time Machine backups stored on a Time Capsule.
Delete Data
• The payload of other types of malware deletes data
on the computer
• Logic bomb - computer code that lies dormant until
it is triggered by a specific logical event
– Difficult to detect before it is triggered
– Often embedded in large computer programs that
are not routinely scanned
Modify System Security
• “A backdoor refers to any method by which
authorized and unauthorized users are able to get
around normal security measures and gain high
level user access (aka root access) on a computer
system, network, or software application.”
– When installed on a computer, they allow the
attacker to return at a later time and bypass security
settings
Social Engineering Attacks
• Social engineering - refers to psychological
manipulation of people into performing actions or
divulging confidential information.
• Social engineering attacks can involve
psychological approaches as well as physical
procedures.
Phishing
• Phishing - sending an email claiming to be from
legitimate source
– Tries to trick user into giving private information
• Many phishing attacks have these common features:
– Deceptive web links
– Logos
– Urgent request
• Variations of phishing attacks
– Pharming - automatically redirects user to a
fraudulent Web site
Phishing
• Variations of phishing (cont’d.)
– Spear phishing - email messages target specific
users
– Whaling - going after the “big fish”
• Targeting wealthy individuals
– Vishing (voice phishing)
• Attacker calls victim with recorded “bank” message
with callback number
• Victim calls attacker’s number and enters private
information
Spam
• Spam - unsolicited e-mail
– Primary vehicle for distribution of malware
– Sending spam is a lucrative business
• Cost spammers very little to send millions of spam
messages
• Filters look for specific words and block the email
• Image spam - uses graphical images of text in
order to circumvent text-based filters
– Often contains nonsense text so it appears
legitimate
Typo Squatting
• Typo squatting - redirecting a user to a fictitious website based on
a misspelling of the URL
– Also called URL hijacking
• Example: typing goggle.com instead of google.com
• Attackers purchase the domain names of sites that are spelled
similarly to actual sites
– Many may contain a survey that promises a chance to win
prizes or will be filled with ads
Physical Procedures
• Dumpster diving
– Digging through trash to find information that can be
useful in an attack
• Tailgating
– Following behind an authorized individual through an
access door
– An employee could conspire with an unauthorized
person to allow him to walk in with him (called
piggybacking)
– Watching an authorized user enter a security code
on a keypad is known as shoulder surfing
Modern Malware
• Note that most of these examples are old, why?
• Maybe the problem is solved? (Hint: no)
• Instead, new era of malware
• Old: Pride, anger, destruction, low-level politics
• New: Economics, governments, espionage
• How does this change the game?
Summary
• Malware is malicious software that enters a
computer system without the owner’s knowledge or
consent
• Malware that spreads include computer viruses,
worms, and Trojans
• Spyware is software that secretly spies on users by
collecting information without their consent
• Types of spyware include keyloggers, adware and
ransomware
Summary
• A logic bomb is computer code that is typically
added to a legitimate program but lies dormant until
triggered by a specific logical event
• A backdoor gives access to a computer, program,
or service that circumvents any normal security
protections
• One of the most popular payloads of malware
today carried out by Trojans, worms, and viruses is
software that will allow the infected computer to be
placed under the remote control of an attacker
(infected computer is known as a zombie)
Summary
• Social engineering is a means of gathering
information for an attack from individuals
• Types of social engineering approaches include
phishing, dumpster diving, and tailgating
• Typo squatting (URL hijacking) takes advantage of
user misspellings to direct them to fake websites
• A watering hole attack is directed toward a smaller
group of specific individuals, such as major
executives working for a manufacturing company
References
• Chapter 1 & 2 - Information Security Principles and
Practice by Mark Stamp
• Mark Ciampa-CompTIA Security+ Guide to
Network Security Fundamentals - 5th Edition
• Corporate Computer Security by Randall J. Boyle,
Raymond R. Panko