Expert Reference Series of White Papers

Preparing for Tomorrow’s Threat Today: What We Can Learn from the History of Malware and Defenses

Mike Gregg, CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA

1-800-COURSES
www.globalknowledge.com

Introduction

There is one given in the IT security realm, and that is change. The challenges faced by security professionals a decade ago are much different from the challenges we face today. Not long ago, hackers concentrated their efforts on malicious software that was designed for recognition, fame, and glory. Attack vectors of the 21st century have changed; now, many attacks are financial in nature. Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. Yesterday’s virus is today’s custom malware, while denial of service attacks have been replaced with botnets.

Early Attacks

While it might be nice to believe that there was a time when malware did not exist, the truth is that malware has been around almost since the beginning of the computer age. The phrase “computer virus” came into existence in 1984 when Fred Cohen was working on his doctoral thesis. In his thesis, he was discussing self-replicating programs, and an advisor suggested he call them computer viruses. About this time, programmers started writing self-replicating code. Ralf Burger, a German computer systems engineer, created one of the first self-replicating programs, Virdem, in 1985. Interest in these programs led Mr. Burger to give the keynote speech at the Chaos Computer Club later that year. His discussion of computer viruses encouraged others in this emerging field. Soon, many viruses started to be released into the wild.

One early computer virus that spread around the world was the Brain virus. The Brain virus was written by two brothers in Pakistan. It targeted floppy disks by infecting the boot sector, and it had full-stealth capability built in. Systems that boot to DOS look for files like io.sys, command.com, config.sys, and autoexec.bat; if these files are tainted, the computer will load the virus into memory and infect the floppy disks of other users who inserted a disk into the infected system. The brothers thought the virus would bring them business and notoriety. While they did end up getting many calls to their business, most who called were upset. In the end, the brothers were forced to change their phone number to escape the flood of negative calls.

Other early attacks have a similar story. Consider the Melissa virus, which was written by David Smith. The goal of the virus was to get the attention of the girl he named the virus after. In 1999, at the height of the infection, more than 300 corporations’ computer networks were taken completely offline.
The virus, which also had the traits of a worm, used the victim’s email account to send the malware to others. Because the virus appeared to come from someone the victim knew and probably trusted, a large portion of the public was tricked into opening the infected document. Melissa not only spread itself via email, but it also infected the Normal.dot template file that is typically used to create Word documents. By infecting the template, the virus placed a copy of itself within each file the user created. As a result, one user could easily infect another by passing infected documents. David Smith was identified and eventually sentenced to five years in prison. Today, viruses have evolved into many different categories including boot sector, stealth, polymorphic, multipart, self-garbling, and meme.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved.

Early Defenses

Defenses against these early attacks included anti-virus, IDSs, and vulnerability assessment. Anti-virus programs can use one or more techniques to check files and applications for viruses. Signature scanning anti-virus programs work in a similar fashion to IDS pattern-matching systems: the software looks at the beginning and end of executable files for known virus signatures, which are nothing more than a series of bytes found in the virus’s code. Heuristic scanning is another method that anti-virus programs use. Software designed for this function examines computer files for irregular or unusual instructions. Integrity checking can also be used to scan for viruses. Integrity checking works by building a database of checksums or hashed values. These values are saved in a file. Periodically, new scans occur and the results are compared to the stored results. While not very effective for data files, this technique is useful for programs and applications, as the contents of executable files rarely change. Activity blockers can also be used by anti-virus programs. An activity blocker intercepts a virus when it starts to execute and blocks it from infecting other programs or data.

One way to verify that your anti-virus program is working is the EICAR test. If you copy the following string into a text file and rename it as an executable, your anti-virus should flag it as a virus:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
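The signature-scanning and integrity-checking techniques described above, as an added example that is not from the white paper: a constructed signature database containing the EICAR string, and a baseline of SHA-256 file hashes that is rescanned to find altered or added executables. The directory layout and file contents are constructed for the demonstration.

```python
"""Signature scanning and integrity checking, two of the anti-virus
techniques described above, in miniature.  Added example, not from the
white paper; the files it scans are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path

# The EICAR test string: harmless by design, but every vendor ships a
# signature for it, which is what makes it a test of the scanner itself.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte series found in the "virus".
SIGNATURES = {"EICAR-Test-File": EICAR}


def signature_scan(path, signatures=SIGNATURES):
    """Return the names of every signature whose bytes occur in the file."""
    data = Path(path).read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def sha256_file(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Hash every file under root: this is the stored integrity database."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def integrity_check(root, baseline):
    """Rescan and compare with the baseline; executables should not change."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario: baseline two clean programs, then one program
    is altered and a file carrying the EICAR string appears."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        clean = b"MZ\x90\x00 constructed clean program"
        (bin_dir / "app.exe").write_bytes(clean)
        (bin_dir / "tool.exe").write_bytes(b"MZ\x90\x00 another clean program")
        baseline = build_baseline(root)
        # Simulated infection: app.exe grows by an appended stub, eicar.com appears.
        (bin_dir / "app.exe").write_bytes(clean + b"\x00" * 16)
        (bin_dir / "eicar.com").write_bytes(EICAR)
        report = integrity_check(root, baseline)
        hits = signature_scan(bin_dir / "eicar.com")
        return report, hits


if __name__ == "__main__":
    print(demo())
```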

The string is not actually a virus; the code is harmless. It is just a tool developed by the European Institute for Computer Antivirus Research (EICAR) used to test the functionality of anti-virus software. Virus creators attempt to circumvent the signature process by making viruses polymorphic.

Another early defense was intrusion detection. The idea of intrusion detection was introduced in 1980 with James Anderson’s paper, Computer Security Threat Monitoring and Surveillance. Dr. Dorothy Denning built upon this work when she began working on the first deployable IDS, designed to monitor user access to government mainframes and create profiles of users based upon their activities. Later, in 1997, ISS developed one of the first commercial network intrusion detection systems, called RealSecure. A year later, in 1998, Martin Roesch led the development of Snort.

Intrusion detection engines or techniques can be divided into two distinct types or methods: anomaly and signature. An anomaly-based IDS has the ability to learn normal behavior and alert administrators when something out of the ordinary occurs. A signature-based or pattern-matching IDS relies on a database of known attacks. These known attacks are loaded into the system as signatures. As soon as the signatures are loaded into the IDS, it can begin to guard the network. The signatures are usually given a number or name so that the administrator can easily identify an attack when it sets off an alert. Alerts can be triggered for fragmented IP packets, streams of SYN packets (DoS), or malformed ICMP packets. The alert might be configured to change

the firewall configuration, set off an alarm, or even page the administrator. While the development of the IDS helped security professionals track what attackers were doing, these tools are detective in nature and did little to prevent attacks.

Vulnerability assessment tools were another early defense that brought big changes to the security arena. In the early 1990s, two well-known security professionals, Dan Farmer and Wietse Venema, wrote a landmark paper titled “Improving the security of your site by breaking into it.” They went on to code the first automated penetration tool, known as SATAN (System Administrator Tool for Analyzing Networks). Dan Farmer was actually fired from his job at Sun for developing the program. At the time, some people believed that such tools would aid attackers more than security professionals. Vulnerability assessment tools provided security professionals a way to easily examine what ports were open on a system or network.
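The two IDS methods described above, as an added example that is not from the white paper: numbered signatures for fragmented IP, malformed ICMP and SYN-flood packets beside an anomaly engine that learns a baseline SYN rate and alerts when a window exceeds it. The packets are constructed dicts rather than decoded captures, and the thresholds (50 SYNs per window, 3 standard deviations) are assumptions.

```python
"""A toy intrusion detection engine illustrating the two IDS methods above:
numbered signatures for fragmented IP, malformed ICMP and SYN-flood traffic,
plus an anomaly engine that first learns the normal SYN rate.  Added example,
not from the white paper; the packets are constructed dicts, not captures."""
from collections import Counter
from statistics import mean, pstdev

# A packet is a dict with keys proto and src, plus optional flags, frag,
# icmp_type and length (constructed; a real engine decodes the headers).

def sig_fragmented(pkt):
    """More-fragments bit set or non-zero offset: report the fragment."""
    return bool(pkt.get("frag"))

def sig_malformed_icmp(pkt):
    """ICMP type above 40 is unassigned; a header under 8 bytes is malformed."""
    return pkt["proto"] == "icmp" and (pkt.get("icmp_type", 0) > 40 or pkt.get("length", 8) < 8)

# Each signature has a number and a name so the alert is easy to identify.
SIGNATURES = [
    (1001, "IP fragment seen", sig_fragmented),
    (1002, "Malformed ICMP packet", sig_malformed_icmp),
]

def signature_engine(packets):
    """Return (sid, name, src) for each packet matching a loaded signature."""
    return [(sid, name, p["src"]) for p in packets for sid, name, match in SIGNATURES if match(p)]

def is_syn(p):
    return p["proto"] == "tcp" and p.get("flags") == "S"

def syn_flood_rule(packets, threshold=50):
    """Signature-style DoS check: a stream of bare SYNs from one source."""
    syns = Counter(p["src"] for p in packets if is_syn(p))
    return [(1003, "SYN flood", src) for src, n in syns.items() if n >= threshold]

class AnomalyEngine:
    """Learns the usual SYN count per window and alerts when a window exceeds
    mean + k * stddev (stddev floored at 1 so a flat baseline still works)."""
    def __init__(self, k=3.0):
        self.k, self.history = k, []

    def learn(self, packets):
        self.history.append(sum(1 for p in packets if is_syn(p)))

    def check(self, packets):
        n = sum(1 for p in packets if is_syn(p))
        limit = mean(self.history) + self.k * max(pstdev(self.history), 1.0)
        return (2001, "SYN rate anomaly", n) if n > limit else None

def make_window(syn_count, src, extra=()):
    """Constructed traffic window: syn_count bare SYNs from src plus extras."""
    return [{"proto": "tcp", "src": src, "flags": "S"} for _ in range(syn_count)] + list(extra)

def demo():
    """Train on five quiet windows, then run both engines over a hostile one."""
    engine = AnomalyEngine()
    for n in (8, 10, 12, 9, 11):
        engine.learn(make_window(n, "192.0.2.10"))
    hostile = make_window(60, "203.0.113.7", extra=[
        {"proto": "ip", "src": "203.0.113.7", "frag": True},
        {"proto": "icmp", "src": "203.0.113.7", "icmp_type": 250, "length": 8},
    ])
    return signature_engine(hostile), syn_flood_rule(hostile), engine.check(hostile)
```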

A New Century Brings New Threats

While many IT shops were focusing on the Y2K bug, attackers were busy thinking up new ways to bypass early defenses. As an example, the term spyware was not even used until around the year 2000. Zone Labs was one of the first to use the phrase “spyware” when it stated, “A computer with an always-on connection has a permanent IP address, which makes it especially vulnerable to Spyware attacks.” Since the year 2000, there has been a huge increase in spyware, extortion-ware, and attacks focused on making money.

Spyware is not just one type of program. It’s an entire category of malicious software that includes adware, Trojans, keystroke loggers, and information-stealing programs. These programs have become increasingly intelligent. Many have the capability to install themselves in more than one location, and any attempt to remove them triggers the software to spawn a new variant in a uniquely new location. One example is CoolWebSearch. CoolWebSearch is actually a bundle of browser hijackers united only to redirect their victims to targeted search engines and flood them with popup ads. Another example is Cryzip. This piece of malware was developed to extort money from anyone infected. After encrypting all of the user’s files, the malware orders its victims to deposit a ransom into an e-gold account to obtain the key.

The new century also brought about a rise in botnets. Botnets are simply a massive collection of computers that have been compromised or infected with dormant bots or zombies. Most malware researchers estimate that there are thousands of botnets in operation at any time. One massive botnet was used to deliver the Storm Trojan. According to www.sophos.com, it is believed that Storm could have infected more than 50 million computers. During its height, Storm was believed to be sending billions of spam messages a day.
To realize the power of a botnet of this size, imagine a botnet that has infected 10,000 home users across the United States; if each of these compromised computers has nothing more than a basic 56k dial-up connection to the Internet, the collective bandwidth adds up to 56 gigabits of bandwidth. For an explanation of how Storm functions, take a moment to review http://en.wikipedia.org/wiki/Storm_botnet.

New Defenses

Defenses have had to evolve to meet threats of this size and potential. Anti-spyware, intrusion prevention, and next-generation vulnerability assessment tools are three such defenses. Running anti-spyware programs has become an accepted practice and a part of routine computer security practices. Some well-known anti-spyware programs include Spybot Search & Destroy, Microsoft Windows Defender, Webroot Spy Sweeper, and McAfee VirusScan and AntiSpyware. Anti-spyware best practices can be found at http://www.onguardonline.gov/topics/spyware.aspx.

Intrusion prevention systems (IPSs) are seen as an extension of intrusion detection. The term “Intrusion Prevention System” was first used by Andrew Plato and represented a step forward from traditional IDSs. An IPS takes a more proactive approach than the IDS. Whereas an IDS is seen as a detective control, an IPS is seen as a preventive control. When an IPS is deployed, it monitors the network for malicious or unwanted behavior and can react in real time to block or prevent those suspect activities. As an example, if a user brings a laptop to work that is infected with a virus, an IPS can detect the virus and place the laptop user on a separate VLAN that only has access to an anti-virus update. One of the first commercial IPSs was StormWatch, developed in 2001. StormWatch used a kernel-based analysis of malicious traffic that built on access control rules based on acceptable behavior. While the concept of an IPS overcame many of the problems associated with IDS, it still lacked a means of testing the efficiency of such systems. In 2002, TippingPoint developed the IPS testing tool Tomahawk to help build a standard means of testing an IPS. Today, Tomahawk is freely available for testing any IPS or IDS and can be found at http://tomahawk.sourceforge.net/.

Next-generation vulnerability assessment tools started to appear around the year 2000. One such tool, Nessus, is a powerful, flexible security scanning and auditing tool. It takes a basic “nothing for granted” approach. The concept of Nessus was first developed in the late 1990s by Renaud Deraison and was conceived as an open-source program. The design used community support to allow for fast updates. This open design would allow community members to develop their own plug-ins for their own use or for use by the community.
Nessus has evolved since these early days and is used as a component of commercial products designed by IBM, VeriSign, Counterpane Internet Security, Symantec, ScannerX, and others. The Nessus client and server model offers a distributed means of performing vulnerability scans. Nessus tells you what is wrong and provides suggestions for fixing a given problem. You can learn more about Nessus at http://www.nessus.org/nessus/. The basic components of Nessus include:

• The Nessus Client and Server Model
• The Nessus Plugins
• The Nessus Knowledge Base

Bleeding-Edge Threats

The third and final section of this paper examines the future of malware and the defenses needed to counter these bleeding-edge attacks. While attacks are still focused on making money, the motives are changing. Current trends indicate that computer crime is no longer the exclusive realm of the underworld and organized crime. Corporate espionage and government-sponsored spies are two emerging threats. These new attack vectors use a variety of techniques such as social engineering and spear phishing to perform surgical strikes designed to gain information, access, or data. These attacks can result in financial loss and the loss of government secrets, corporate secrets, or highly sensitive information.

Consider the following examples. In 2002, the CEO of Qualcomm reported a laptop stolen that contained highly sensitive data that could be of great value to foreign governments. The lack of encryption made this loss of data even more damaging. In 2007, the first recorded nation-state DDoS attack was launched against Estonia. During this time, Estonia came under a series of attacks that brought its Internet communications to its knees. Estonian institutions and businesses were targeted. The attack was motivated by the removal of a Soviet war memorial from the center of Tallinn, Estonia. Moving this Bronze Soldier was seen as an insult to the memory of Russian soldiers who were killed during World War II. Emerging attack vectors show a willingness by attackers to bring down networks to cause financial damage to the victim. In 2008, four members of an Israeli private investigation firm were jailed after being found guilty of using custom malware to spy on and steal commercially sensitive information from a variety of companies, including the HOT cable television group and a large mobile phone operator. In 2008, it was also reported that U.S. authorities were investigating whether Chinese officials secretly copied the contents of a government laptop computer during a visit to China by Commerce Secretary Carlos M. Gutierrez.

Other new attacks have focused on:

• The iPhone - The first iPhone Trojan, in 2008, targeted a fake phone firmware 1.1.3 prep
• iPod and solid-state music devices - Podslurp allows the attacker to steal confidential information from a business by loading malware on the portable device
• Portable storage - USB attacks (Hacksaw, Switchblade, Dumper) that use storage devices to steal sensitive data

Many new attacks have been developed to take advantage of the proliferation of USB ports and devices.
The attackers’ tools are capable of a range of activities from stealing information to running Nmap and other vulnerability scans, and sending the data to remote locations. USB thumb drives are now even being used to execute USB-driven worms.

Bleeding-Edge Defenses

Just as attackers have opened new fronts in the ongoing cyber war, security professionals have been working on new defenses. Defenses include Intrusion Detection and Prevention (IDP), Network Access Control (NAC), and advanced penetration tools. Systems designed to detect and defend against intrusions have matured into hybrid devices, so much so that by 2006 the US government started to refer to such devices as Intrusion Detection and Prevention Systems (IDPS). This was solidified with the release of NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems, which defined IDS and IPS as follows: “IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs.”

Another emerging defense is Network Access Control (NAC). NAC offers administrators a way to verify that devices meet certain health standards before they’re allowed to connect to the network. Laptops, desktop computers, or any devices that do not comply with predefined requirements can be prevented from joining the network or can even be relegated to a controlled network where access is restricted until the device is brought up to the required security standards. NAC can help achieve optimal network security by addressing the following.

1. Access control: Organizations face special challenges in tracking who has access to the network and whether the level of access they have is appropriately set.
2. Malicious code: Most attacks against small businesses are automated and potentially debilitating to the business. These attacks can appear as viruses, worms, Trojans, and bots.
3. Mobile device security: Mobile devices such as USB drives, iPods, and camera phones allow data and information to be moved in and out of the network without normal access controls, creating a definite security hazard.

There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC.

Vulnerability and penetration tools have also advanced since the development of tools such as SATAN. Today, many third-generation security assessment tools are available, as are tools that can be used to simulate an attack against a network. Metasploit, released around 2003, is one such tool. According to the Metasploit website, “the Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.” Metasploit is an attack platform with three basic ways that it can be controlled. These methods include:

• msfweb – A simple point-and-click interface
• msfconsole – A console-based interface
• msfcli – A command-line interface

The basic approach includes:

1. Selecting the exploit module to be executed
2. Choosing the configuration options for the exploit
3. Selecting the payload and specifying the payload options to be entered
4. Launching the exploit and waiting for a response
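The NAC health check and restricted-VLAN quarantine described above, together with the IPS example earlier in the paper of moving an infected laptop onto a VLAN that reaches only anti-virus updates, as an added example that is not from the white paper. The policy thresholds, VLAN numbers, and the posture fields the endpoint reports are constructed assumptions.

```python
"""NAC admission as described above: each device reports its health, a policy
decides whether it joins the production network or is relegated to a restricted
VLAN that only reaches remediation services, and it is re-checked after fixing.
Added example, not from the white paper; policy values and devices are constructed."""
from dataclasses import dataclass, replace

PRODUCTION_VLAN = 100
QUARANTINE_VLAN = 999   # reaches only the anti-virus update and patch servers

# Constructed health standards the organisation requires before admission.
POLICY = {"max_signature_age_days": 7, "max_missing_critical_patches": 0}


@dataclass(frozen=True)
class Posture:
    """Health data reported by the endpoint agent (constructed fields)."""
    host: str
    av_running: bool
    av_signature_age_days: int
    missing_critical_patches: int
    firewall_enabled: bool
    removable_storage_controlled: bool
    malware_found: bool = False


def evaluate(p, policy=POLICY):
    """Return (vlan, failures); an empty failure list means the device is compliant."""
    failures = []
    if p.malware_found:                        # the "malicious code" concern
        failures.append("malicious code detected")
    if not p.av_running:
        failures.append("anti-virus not running")
    elif p.av_signature_age_days > policy["max_signature_age_days"]:
        failures.append(f"anti-virus signatures {p.av_signature_age_days} days old")
    if p.missing_critical_patches > policy["max_missing_critical_patches"]:
        failures.append(f"{p.missing_critical_patches} critical patches missing")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    if not p.removable_storage_controlled:     # the "mobile device" concern
        failures.append("removable storage not controlled")
    vlan = PRODUCTION_VLAN if not failures else QUARANTINE_VLAN
    return vlan, failures


def admit(devices):
    """Decide every device presenting itself; returns host -> (vlan, failures)."""
    return {d.host: evaluate(d) for d in devices}


def demo():
    """A compliant desktop, an infected laptop with stale signatures, and the
    same laptop re-checked after it updated and cleaned itself in quarantine."""
    desktop = Posture("desk-01", True, 1, 0, True, True)
    laptop = Posture("lap-07", True, 21, 2, True, False, malware_found=True)
    first = admit([desktop, laptop])
    fixed = replace(laptop, av_signature_age_days=0, missing_critical_patches=0,
                    removable_storage_controlled=True, malware_found=False)
    return first, evaluate(fixed)
```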

Summary

It has been said that those who fail to learn from the past are doomed to repeat it, and there is a lesson in this message for security professionals. Many times, we get lulled into thinking that security means protection against current threats. But the truth is that attackers are always looking for the next attack vector and for new ways to target an organization’s IT resources. What is needed is a sound methodology that can be used to help protect against yesterday’s, today’s, and tomorrow’s attack vectors. This includes:

1. Risk assessment
2. Policy
3. Implementation
4. Training
5. Audit

Using a methodology such as this on a periodic basis helps companies reassess critical assets, practice defense in depth, and apply the principle of least privilege effectively. Risk assessments, asset valuation, and periodic reviews of threats and vulnerabilities should drive the security process.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

Certified Ethical Hacker
Essentials of Information Security - Security+
CISA Prep Course
Defending Windows Networks

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Michael Gregg has 20 years’ information security experience. Mr. Gregg is the CTO of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm. Mr. Gregg has led security risk assessments, establishing security programs within top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. Mr. Gregg holds two associate’s degrees, a bachelor’s degree, and a master’s degree. Some of the certifications he holds include CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP. In addition to his experience performing security assessments, Mr. Gregg has authored or coauthored more than 10 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), Build Your Own Network Security Lab (Wiley), and Hack the Stack (Syngress). Mr. Gregg has created more than 15 security-related courses and training classes for various companies and universities.
