The purpose of this white paper is to increase awareness of malware and apply emphasis on recommended mitigation strategies and prevention of future attacks. Since malware is becoming an increasingly vast subject, the white paper addresses various types and gives details on many malware-related topics.
What is malware?
Malware is often known as a piece of code or program that is crafted with the intent to covertly compromise of the CIA Triad (confidentiality, availability, or integrity) of a system, network, or application.
Types of Malware
Malware differs greatly among its types because they are created to execute the specific intent of the malicious developer. Due to the sharp differences, the process of conducting a forensic investigation will not be entirely the same for each type of malware.
The primary characteristic of a virus is its ability to attach to another file and complete its self-replication process. Similar to its biological counterpart, a virus needs to attach itself to a file (most often it is an executable) in order to self-replicate and spread from one host to another host. There are multiple types of a virus and they are listed below: Boot Sector Virus (System virus)- A type of virus that moves the boot sector to another location on the hard drive so it can be given priority during startup. Metamorphic Virus- A type of virus that rewrites itself during every initial infection. Shell Virus- Similar to the boot sector virus, it surrounds the code of the application, thus, the virus is executed before the application is run on a system. Polymorphic Virus- A virus that mutates its own code thus causing consistent changes of its signature. Note: It may require a combination of both signature detection and observance of anomalies to determine the presence of polymorphic viruses. Although signatures will change, digital footprints can be found.
Worms operate differently from viruses and the key difference is that a worm DOES NOT need to attach to a host program to start an initial infection. It is self-replicating and it seeks to reside in active memory and wait for the opportunity to spread to another host. Common infection vectors of worms are the following: Removable media (USB Drives, flash devices, etc) Network Drives System vulnerabilities (Worms have been used to exploit Windows vulnerabilities) Some common worms are listed below: Slammer- In 2003, it was believed to have shut down more than 13,000 ATMs through infecting its database servers. Waledac- It infected through the execution of an executable named eCard.exe and it has multiple variants that can be remotely controlled. Conficker- A worm that exploited a zero day flaw in AutoPlay which allowed it to rapidly infect through USB devices.
Trojans are a type of malware that disguise themselves behind legitimate programs and they run concurrently among execution of the program. They are often used to establish backdoors which are another way or route into a system that bypasses initial login and can make changes through administrative rights. Trojans are wrapped with the legitimate application in order to hide itself and make its presence. Note: Trojans that are wrapped have a higher success rate of bypassing anti-virus detection. For example, a trojan that is wrapped can bypass at least 40% of vendors that specialize in anti-virus detection. Trojans can be set to operate through many ports so I’ve chosen to list some below. These ports should normally be closed as a best practice: 667 1807 3460 2140 31337 They are designed to execute some of the more common malicious purposes and they are listed below: Log keystrokes from the attacked system Control the attacked system remotely Create a FTP server on the attacked system so files can be both uploaded on the system and downloaded from it (See Mitigation Section for Recommended Forensics) Notice the screenshot below of the setup of a Poison Ivy Trojan. Figure 1- Trojan Configured To Run Through Port 443
The screenshot shows port 443 as an option when a black hat hacker is configuring this trojan to listen to a connection on port 443. This strategy increases the probability of compromising a target because most networks would have port 443 open unless other closed according to a standard of procedure. A keylogger has also been chosen to operate in conjunction with the trojan so passwords and other typed data can be stolen via the trojan. Figure 2-Keylogger within Trojan
The screenshot below displays something that is critical to the execution of a trojan and also essential to properly detecting and removing it during the mitigation process. Figure 3-Run Name on systemstartup The name that was given to the trojan is “Anti-Virus Protect” for demonstration purposes but most Trojans would have a name that is very identical to a file that is already on the system. For example, McAfee is a common Anti-Virus solution so a trojan would be named as McAffe.exe in hopes that the user never notices that it is incorrectly spelled and it appears to be identical as well.
A botnet is actually a conglomerate of zombie-like computers that work together to execute distributed denial of service attack (DDOS). Botnets can operate through two different ways and they are P2P and C&C. Peer to Peer (P2P) does not require a central command and control server so all of the traffic is transmitted from bot to bot. Command and Control threat, however, is more sophisticated and the attacker actually hides behind the C2C so it is less difficult to detect the attacker. Note: The Botnet attack (ZeroAccess) began with the user installing a fake AV application so this white paper discusses later about fraudulent files and how they can bypass some AV detection.
Ransomware is commonly known as a type of malware that compromises the availability of a system unless a ransom is paid for its release via a decryption key. Cryptoware and ransomware are closely related and the definitions of these terms have been applied interchangeably in cyber security. It can spread through some of the following scenarios: Downloaded unto a system via visiting a malicious website Payload via malware that is already on the system Attachments via email Downloaded from malvertisements Process of infection by Ransomware can occur but not limited to these steps: User opens a malicious attachment or perhaps a web server is compromised If present, network drives are exploited to increase spread of infection Users are locked out of the system unless ransom is paid and a paid ransom does not guarantee the release of the system The healthcare industry has been targeted heavily by ransomware and its sub-family of cryptoware yet there are some countermeasures that can be used to strengthen the prevention of not only ransomware infection but other malware as well. Countermeasures, best practices, and recommended forensics can collectively strengthen the infrastructure of a company against malicious attacks.
It is critical to have a protection that is built upon multiple layers and the defenses should be implemented with the standards of procedure. Some highlighted examples of layered protection against ransomware is listed below: Block access to malicious web pages, links, and block spam Protect servers by maintaining current updates and patching Apply endpoint to endpoint protection to prevent the spread of ransomware Anti-virus protection on multiple layers
In addition to countermeasures, best practices are essential to the overall prevention against malicious threats. They should be followed daily and the application of best practices contributes to information security awareness in a company. Update software on a regular basis. Unpatched software is by far one of the top root causes of exploitation by hackers that utilize malware Avoid opening emails that are not verified and embedded links. This prevents the execution of client-side attacks which require an action on the behalf of the user. Create backup copies of all important files on at least two types of media and have a third backup on a separate platform. Ensure that the preferred anti-virus solution is set to scan all removable media before configuring the system to run the drivers within the media device. The drivers are one of the areas where malware will attempt to compromise for initial infection.
Forensics is critical in mitigation and establishing the technical basis for implementing standards of procedure into policy. The point of origin (POI) of a malware attack directly correlates with the point of mitigation (POM) because the beginning of an attack gives insight into how to prevent the next attack. The point of origin could be difficult to determine if the malicious attack mimics the activity of a worm while a viral attack could potentially be traced to a single system. Technologies, such as antivirus scanners, are often used to reach a conclusion or identification of a malicious attack yet multiple AVs can provide varying names for the same string. Manual inspection of available forensic logs and records via network traffic can provide additional confirmation of the cause of malicious breaches. The section below emphasizes several ways to conduct forensic methods that are very common in malware investigations. Below is a screenshot of the impact of a file that is packed to emulate the exact function of the legitimate and original file. Figure 4- Requires Permission from User- Legitimate Application
Figure 5-Suspicious Application
Figure 6-Photo Tools2- (Original) and PhotoMake (Fraudulent)
The screenshots show a few things that require some attention. PhotoTools2, which is the original file, was packed into a file that had the custom output of PhotoMake.exe. The icon or logo of the packed file matches the exact logo of the original file. Note: I tested the scanning ability of an AV solution and it DID NOT flag the file! There are some packers that fall into the category of FUD which is abbreviated for “Fully UnDetectable”. Figure 5, however, shows that the packed file did not have a verified publisher so it requests permission from the user to continue with the installation process. Black hat hackers use a packer to bypass Anti-Virus detection and firewall by both scrambling and compressing a file to create a new signature. Since packers are commonly used in malware, analysis of the MD5 hash is key to conducting further investigation. See the screenshot below: Figure 7- MD5 Hash- Original Application (Ipadian.exe)
Figure 8- MD5 Hash- Fraudulent Application (Ipad.exe)
Figure 9- Original and Fraudulent Desktop Icon (Identical)
The above screenshots show that the packed file was slightly smaller than the original file which is ipadian.exe. The packed file, however, looks identical to the original file so you can see why packers are a favorite among black hat hackers. The packed file, also, has a different MD5 signature than the original file as well. Therefore, one of the steps in investigating malicious attacks would involve the analysis of the MD5 hash as previous national incidents have “paved the way” for signature bases. The Microsoft Windows Operating system has been a prime target for malware for decades yet the locations within the file system that are often changed do not vary much within the categories of malware. Forensic engineers should look for evidence of malware in some common places but not limited to as listed below: C://Username/AppData/Local/Microsoft/..(This is a commonplace due to the local rights that are tied to the account and access to the Windows system) HKLMSOFTWAREMicrosoftWindowsNTCurrentVersion..(Figure 3 is a visual reference for this location as a trojan can be configured to compromise this registry key and run upon startup) There is a sub-section of additional forensic best practices that are recommended for initial investigation and mitigation. They are listed below and they should be incorporated into a standard of procedure for a thorough investigation. Investigation-o Remove or detach all infected systems from the network to prevent further spread of infection o Take multiple snapshots of each infected network share or drive to prepare for forensic investigation o Logs should contain activity that traces at least 10 days so all possible scenarios of origins of infection can be analyzed and eliminated. o Since malware can be layered or coupled with other types of malware, take notice of all traffic through these ports and protocols, (FTP, HTTP, HTTPS, SMTP, 667, 1807, 421, 1095) Mitigation- o Update all software components that are lacking proper updates o Ensure that the AV solution is multi-layered to monitor web traffic and actively run on all systems with the ability to scan removable media before running the devices o Terminate malicious network connections o Reconfigure network-based security controls to block all connections to a specific IP that is associated with malicious activity o Ensure that the AV solution is capable of quarantine or removal of the threat and not limited to detection
Malicious attacks are constantly evolving so the healthcare industry would consistently adapt and adopt innovative countermeasures that are effective against these threats. Since malware has multiple types and various ways of attack, it is important to be proactive in information security awareness and applying policies and procedures. Although unpatched software components are one of the top attack vectors for potential breaches, in-service training has proven to be effective in increasing awareness of every individual. Attacks such as botnets, ransomware, and Trojans all prey on client-side interaction and start with a point of origin that finds its beginning on a single click or a moment of the negligence of proper procedure.