# Intro to Malware

## CS 3710: Intro to Cybersecurity

===

## Intro to malware

---

## Why malware?

<div class="fragment semi-fade-out" data-fragment-index="0">

So far, we've discussed reconnaissance and exploitation. Put yourself in the mindset of an attacker: once you've gained an initial foothold into a network, what's next?

</div>

<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

_**A:**_ it depends on what your objectives were!

- If you just wanted to hack into somebody's personal computer and steal their files, you might be close to finished.

</div>

<div class="fragment" data-fragment-index="1">

- A more sophisticated attacker typically has more complex objectives in mind.

</div>

---

## Why malware?

<div class="fragment semi-fade-out" data-fragment-index="0">

It usually isn't sufficient to just hack into a single machine on a network.

</div>

<div class="fragment" data-fragment-index="0">

Instead, attackers have to leverage their access to perform further reconnaissance and gain more information about their target's network.

</div>

<figure>
<img src="../../img/web/dmz_example.svg" class="image-background" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>

---

## Why malware?

<figure>
<img src="../../img/malware/offensive_operational_lifecycle.webp">
<figcaption>

*The "ideal" offensive operational lifecycle*
*(Source: Matt Monte, "Network Attacks and Exploitation: A Framework")*

</figcaption>
</figure>

---

## Why malware?

<div class="fragment semi-fade-out" data-fragment-index="0">

At its core, malware is just another tool to allow attackers to complete offensive operational objectives.

</div>

<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

In some cases, malware can be a tool to collect files from the hacked machine and ransom it.
</div>

<div class="fragment" data-fragment-index="1">

In other cases, malware is a way to maintain _**persistence**_ on the target's network while the attacker continues to gather information.

</div>

---

## Who writes malware?

<div class="container">
<div class="col">

<div class="fragment semi-fade-out" data-fragment-index="0">

In the early days of malware, plenty of viruses were written by bored college students and programmers, and cybercrime is often still portrayed in this light today.

</div>

<div class="fragment" data-fragment-index="0">

Nowadays, it's more accurate to think of malware as a growing underground market with many products and services on offer.

</div>

</div>
<div class="col">

<figure>
<img src="../../img/malware/iloveyou.webp" style="max-width: 100%;">
<figcaption>

*ILOVEYOU virus (CNN, 2020)*

</figcaption>
</figure>

</div>
</div>

---

## Cybercrime: ransomware groups

<div class="fragment semi-fade-out" data-fragment-index="0">

As malware has turned from a curiosity into an underground industry, _**ransomware groups**_ have taken a much larger fraction of the spotlight.

</div>

<div class="fragment" data-fragment-index="0">

These are professional criminal organizations that develop malware and launch sophisticated and heavily-planned attacks to ransom machines and exfiltrate sensitive data.

_**Examples:**_ REvil, Maze, Nefilim

</div>

notes:

References:

- [Nefilim](https://www.zdnet.com/article/a-deep-dive-into-nefilim-a-double-extortion-ransomware-group/)

---

## Cybercrime: marketplaces

There are various dark markets selling tools and services that can be used to gain access to organizations, e.g.

- various malware components and "ransomware as a service";

<div class="fragment">

- command and control infrastructure;

</div>

<div class="fragment">

- access to breached hosts;

</div>

<div class="fragment">

- credential dumps;
- etc.
</div>

---

## Nation-state attackers

<div class="fragment semi-fade-out" data-fragment-index="0">

Outside of cybercrime, there are _**state-sponsored adversaries**_ that are directly or indirectly supported by a government to launch attacks against companies and institutions in other countries.

</div>

<div class="fragment" data-fragment-index="0">

These adversaries typically provide support for military and intelligence objectives of their host countries. These groups are often referred to as _**advanced persistent threats**_ (_**APTs**_).

**Examples:** Fancy Bear (APT 28) / Cozy Bear (APT 29), Equation Group/TAO, Lazarus Group (APT 38)

</div>

notes:

Fancy Bear: attributed to GRU (RU)

Cozy Bear: attributed to SVR (RU)

Equation Group: attributed to the Tailored Access Operations unit of the NSA (US)

===

## Types of malware

---

## *Botnets:* Mirai

<div class="container">
<div class="col code-inline-bg">

_**Mirai**_ is malware that turns consumer *Internet of Things (IoT)* devices, like webcams and routers, into a massive _**botnet**_.

Mirai infected new devices by trying to log into them using a list of common credentials, e.g. username `admin` and password `password`.

</div>
<div class="col text-center">

<figure>
<img src="../../img/malware/mirai_krebs.webp" style="max-height: 40vh;">
<figcaption>

*Credit: KrebsOnSecurity*

</figcaption>
</figure>

</div>
</div>

notes:

References:

- [Wikipedia](https://en.wikipedia.org/wiki/Mirai_(malware))
- ["Understanding the Mirai Botnet", USENIX '17](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis)
- [Krebs article on Mirai author's identity](https://web.archive.org/web/20170122013744/https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/)
- [Mirai source code](https://github.com/jgamblin/Mirai-Source-Code)

---

## *Botnets:* Mirai

The infected devices formed a _**botnet**_, which would check a command and control server for new commands about what to do next.
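As an added defensive illustration (not part of the original slides or of the Mirai code base), the script below flags the propagation pattern described above in a device's telnet login records: one source address failing default-account logins across several devices, plus whichever device it eventually got into. The log format, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed telnet login records in a hypothetical syslog-like format (not from
# any real device firmware). 198.51.100.7 sweeps two devices with stock accounts
# and eventually gets in; 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2017-09-21T10:00:01Z cam-01 telnetd: login failed user=root from=198.51.100.7
2017-09-21T10:00:02Z cam-01 telnetd: login failed user=admin from=198.51.100.7
2017-09-21T10:00:03Z cam-01 telnetd: login failed user=support from=198.51.100.7
2017-09-21T10:00:04Z router-02 telnetd: login failed user=root from=198.51.100.7
2017-09-21T10:00:05Z router-02 telnetd: login ok user=admin from=198.51.100.7
2017-09-21T10:05:00Z cam-01 kernel: eth0 link up
2017-09-21T10:05:01Z cam-01 telnetd: login failed user=alice from=192.0.2.10
2017-09-21T10:05:10Z cam-01 telnetd: login ok user=alice from=192.0.2.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse_line(line):
    """Return the fields of one telnetd login record, or None for other lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_credential_sweeps(log_text, min_failures=3, min_targets=2):
    """Group login attempts by source address and keep only sources with many
    failures whose attempts touch several distinct devices (the sweep pattern),
    reporting any device such a source did log into as the first one to triage."""
    stats = defaultdict(lambda: {"targets": set(), "failures": 0, "logged_in": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a login record
        s = stats[rec["src"]]
        s["targets"].add(rec["host"])
        if rec["result"] == "failed":
            s["failures"] += 1
        else:
            s["logged_in"].append((rec["host"], rec["user"]))
    return {
        src: {"targets": sorted(s["targets"]), "failures": s["failures"],
              "logged_in": s["logged_in"]}
        for src, s in stats.items()
        if s["failures"] >= min_failures and len(s["targets"]) >= min_targets
    }

if __name__ == "__main__":
    print(find_credential_sweeps(SAMPLE_LOG))
```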
The goal of Mirai was to launch _**distributed denial of service (DDoS)**_ attacks against various targets.

- _**DDoS:**_ a type of *denial-of-service* attack where a group of devices floods a target with so much traffic that it can't respond to requests from legitimate clients.

---

## *Botnets:* Mirai

<div class="container">
<div class="col">

The Mirai botnet was originally designed by a student at Rutgers University to DDoS Minecraft servers as well as cause outages at his own university.

It came to public attention when it was used to launch a 620 Gbit/s DDoS attack on security researcher Brian Krebs's blog.

</div>
<div class="col">

<img alt="Screenshot of a news article with the headline 'Rutgers University Suffers Sixth DDoS Attack This Year', subtitle 'Three cyber-security firms could not handle the attack.'" src="../../img/malware/rutgers_ddos.webp">

</div>
</div>

notes:

Mirai was also used to launch a 1 Tbit/s attack against a French web host (OVH).

Before the author of Mirai was caught, he published the source code online. Since then many new variants of IoT-based botnets have evolved out of the published source code of Mirai.

---

## *Ransomware, worm:* WannaCry

<div class="container">
<div class="col" style="padding: 0px;">

_**WannaCry**_ was a type of _**ransomware**_ for Windows systems that appeared in May 2017.

WannaCry ransomed systems by encrypting their files, and then providing a note saying it would decrypt the files if the victim paid a certain amount of Bitcoin.

</div>
<div class="text-center col">

<img alt="A screenshot of the ransom note presented by WannaCry. At the top it says 'Ooops, your files have been encrypted!' and then follows up with instructions for how to recover the infected system." src="../../img/malware/Wana_Decrypt0r_screenshot.webp">

</div>
</div>

notes:

References:

- https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

---

## *Ransomware, worm:* WannaCry

WannaCry could also be classified as a _**worm**_.
- _**Worm:**_ self-replicating malware that automatically spreads through a network by exploiting vulnerabilities in connected systems.

In WannaCry's case, it spread using an exploit called _**EternalBlue**_, which exploited vulnerability CVE-2017-0144 in Windows' implementation of the *Server Message Block (SMB)* protocol.

notes:

Hundreds of thousands of computers were infected in 150 countries. The UK's National Health Service (NHS) was one of the most heavily impacted, with tens of thousands of medical devices infected by WannaCry.

References:

- [CVE-2017-0144](https://www.cve.org/CVERecord?id=CVE-2017-0144)

---

## *Spyware:* Pegasus

<div class="container">
<div class="col">

_**Pegasus**_ is a type of _**spyware**_ designed by NSO Group, an Israeli "cyber warfare" vendor. Pegasus is explicitly designed to target mobile devices (i.e. phones).

Once a device is infected, Pegasus monitors its activity and reports it back to a command-and-control server.

</div>
<div class="text-center col">

<img alt="Statistics on the Pegasus malware published by Citizen Lab. It is split into two columns. The left column says 'Global Scale' followed by '36 likely operators', '45 countries with likely infections', and '10 operators with infections in another country'. The right column says 'Human Rights' followed by '6 operators linked to countries with a history of abusing spyware to target civil society'." src="../../img/malware/pegasus_stats.webp" style="max-height: 15em;">

*Credit: Citizen Lab*

</div>
</div>

notes:

Pegasus has been sold to multiple governments, who have used it to surveil activists, journalists, and politicians.
References:

- https://en.wikipedia.org/wiki/Pegasus_(spyware)
- https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

---

## *Spyware:* Pegasus

<div class="container">
<div class="col">

Pegasus originally relied on "one-click" attacks: an operator would have to send a victim a special link that, if clicked on, would exploit a chain of 0-day vulnerabilities to infect the target device.

<div class="fragment" data-fragment-index="1">

NSO eventually developed "zero-click" attacks that could infect a phone without any target interaction required.

</div>

</div>
<div class="col text-center">

<div class="fragment" data-fragment-index="1">
<div class="image-background">

<img alt="Visualization of the buffer overflow exploited by Pegasus." src="../../img/malware/gp0_forcedentry.webp">

</div>
<p class="text-small"> *Source: Google Project Zero* </p>
</div>

</div>
</div>

notes:

References:

- [Google Project Zero post on FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)

---

## Other types of malware, and malware components

<div class="fragment semi-fade-out" data-fragment-index="0">

**Trojans:** files that look legitimate but are carrying some kind of malicious payload.

</div>

<div class="fragment fade-in-then-semi-out" data-fragment-index="0">

**Loader / dropper:** an initial piece of malware that installs additional payloads onto the target system.

</div>

<div class="fragment fade-in-then-semi-out" data-fragment-index="1">

**Rootkit:** malware designed to hide its presence and maintain access to a system, typically on systems with root-level access.

</div>

<div class="fragment fade-in-then-semi-out" data-fragment-index="2">

**Bootkit:** malware that installs itself to the boot sector of a hard drive and runs as soon as its host boots up.
</div>

<div class="fragment" data-fragment-index="3">

... and many other context-dependent components that lack a straightforward categorization.

</div>

---

## Anatomy of a ransomware attack

<iframe width="560" height="315" src="https://www.youtube.com/embed/sD2sCeY9-Q4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

notes:

"The Future of Destructive Malware" by Greg Foss, BSides Boulder 2020

Probably best to go from ~04:00 - 20:00