Bangeter actors_attacks-80.pdf

Malware (short for malicious software) is software designed to infiltrate or damge a computer system without the owner's being informed or giving consent. 

Once malware has compromised a system, an attacker can (sometimes fulliy) control the system.

Typical areas of malware usage:

• Cybercrime
• Espionage
• Disruption
• Cyber war
• Lawful interception

Opportunistic /non-targeted attacks (~cybercrim): Attack on a large weakly targeted population, often oppertunistic. Even if success rate is low, the absolute number of successful infections and the resulting revenue might be high.

Targeted attacks (~espionage): Attacks that are targeted at few individuals.

Infection vector: refers to the means and techniqyes for delivering a piece of malware onto the victime machine.

There are may differen types of technical vulnerabilities:

• Misconfiguration of firewall, Web server, etc...
• Weak passwords allow login, and take over
• Etc...
• Software vulnerabilities are particularly interesting, since they allow for very powerfull attacks. They may be deployed via different infection vectors.

A software vulnerability is a (sometimes) subtle programming error that triggers when processing maliciously crafted input data provided by an attacker, allowing the attacker to git her code executed in the victim program / process.

In short: Input data is turned into code.

The malicious data / code that triggers a vulnerability is called a (software) exploit.

A patch is a software update that removes a known software vulnerability.

The most dangerus phase is after the vulnerability is disclosed publicly and befor ts, tp and ta.

This is becuase the vulnrability is public allowing others to exploit it, and now real defenses or mitigations are posible.

• Zero-day exploits are hard to find / expensive (they are typically used by espionage / nation state actors)
• Cybercriminals rather use "other day" vulnerabilities, i.e. fresh known vulnerabilities which are able to compromise unpatched systems.

Microsoft patch tuesday -> exploit wednesday :D

1. Attacker compromises a legitimate "good" website. Attacker inserts malicious code in "good" website e.g. an IFRAME
2. User visits the "good" website. The users browser or plugin vulnerable
3. User is silently redirected to the 'bad' website through the hidden IFRAME. Attacker can now identify os version and vulnerabilities.
4. Malicious code is downloaded to the user.
5. Leveraging the vulnerabilities the malicious code is installed on the user's computer.
6. Malicious software takes advantege of the user's system.

ZEUS used the drive by download technique

Watering-hole attacks use drive by download as an infiction vector, by preparing a website that is known to be visited by your target audience (and are thus semi-targeted)

E.g. if you know that employees  of the targeted company X often order pizzas from www.tonis-pizza-lausanne.ch they'll use the pizza site for the drive by downloads.

Microsoft office documents

• may contain VBA macros
• VBA is a powerful programming language, which gives attacker logs of possiblities to drop and execute  malicious pauload.
• Payload is either embedded in document (dropper) or downloaded from the internet (downloader)

PDF dockuments

• may contain scripts e.g. JavaScript.

Document attacks are the most prevalent infection vector. Malicious documents do not make use of exploits.

• may

Social engineering is tricking the human into performing an action that allows for the execution of malware
 

Some examples:

• Get person to open attachment / file
• Make them run a program or script
• Get them to plug in a usb device
• etc...

Phishing is non targeted: Mail is sent to many users in the hope that a small subset of users fall for the trick and install the malware.

Spearphishing is targeted either against a individual person or a small group. The email is crafted in a specific personalized way to make them interact with attacker.

Does not need to be at the level of the ISP but can also be a local wifi such as the one at starbucks.

A pinaple access point can be used to intercep wifi traffic.

payload: In information security, the term pauload generally refers to the part of malicious code that performs the destructive operations.

activities of payloads:

• execute malicious activity ("effective payload")
  • Information theft, modification, store information
  • Abuse computing resources
• Communicate with command and control server
  • Update
  • Exfiltrate data
• Propagate 
• Anti-forensics, e.g. hiding ("rootkit" techniques) and self defense technique

• Information theft
  • Key logging
  • Take screenshots
  • Email addresses
• Information storage and modifaction
  • Store ilegal data, software, etc..
  • HTML injection into browser to proactively harvest data
  • Modify payment info in e-banking transactions, so called "transaction generators"
• Abuse of computing resources
  • Proxy
  • Sending spam
  • Click fraud
• Propagation
  • Copy malware to network shares, USB sticks
  • Network based spreading via remote exploits, open ports etc..
  • Email malware to recipients in address book etc...

Most current malware does not propagate, too noisy and hard to control (see morisworm)

Early malware did this so called