What are three types of malware that have the primary traits of circulation and or infection?

Successfully reported this slideshow.

Your SlideShare is downloading. ×

Malware and Social Engineering Attacks

More Related Content

1. 1. CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 2 Malware and Social Engineering Attacks
2. 2. © Cengage Learning 2015 Objectives • Define malware • List the different types of malware • Identify payloads of malware • Describe the types of social engineering psychological attacks • Explain physical social engineering attacks CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 2
3. 3. © Cengage Learning 2015 Attacks Using Malware • Malicious software (malware) – Enters a computer system: • Without the owner’s knowledge or consent – Uses a threat vector to deliver a malicious “payload” that performs a harmful function once it is invoked • Malware is a general term that refers to a wide variety of damaging or annoying software CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 3
4. 4. © Cengage Learning 2015 Attacks Using Malware • Attackers can mask the presence of their malware by having it “mutate” or change • Three types of mutating malware: – Oligomorphic malware - changes its internal code to a predefined mutation whenever executed – Polymorphic malware - completely changes from its original form whenever it is executed – Metamorphic malware - can rewrite its own code and thus appears different each time it is executed CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 4
5. 5. © Cengage Learning 2015 Attacks Using Malware • Malware can be classified by the using the primary trait that the malware possesses: – Circulation - spreading rapidly to other systems in order to impact a large number of users – Infection - how it embeds itself into a system – Concealment - avoid detection by concealing its presence from scanners – Payload capabilities - what actions the malware performs CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 5
6. 6. © Cengage Learning 2015 Circulation/Infection • Three types of malware have the primary traits of circulation and/or infections: – Viruses – Worms – Trojans CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 6
7. 7. © Cengage Learning 2015 Viruses • Computer virus - malicious computer code that reproduces itself on the same computer • Program virus - infects an executable program file • Macro - a series of instructions that can be grouped together as a single command – Common data file virus is a macro virus that is written in a script known as a macro • Virus infection methods: – Appender infection - virus appends itself to end of a file • Easily detected by virus scanners CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 7
8. 8. © Cengage Learning 2015 Viruses • Virus infection methods (cont’d.) – Swiss cheese infection - viruses inject themselves into executable code • Virus code is “scrambled” to make it more difficult to detect – Split infection - virus splits into several parts • Parts placed at random positions in host program • The parts may contain unnecessary “garbage” doe to mask their true purpose CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 8
9. 9. © Cengage Learning 2015 Viruses CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 9
10. 10. © Cengage Learning 2015 Viruses • Viruses perform two actions: – Unloads a payload to perform a malicious action – Reproduces itself by inserting its code into another file on the same computer • Examples of virus actions – Cause a computer to repeatedly crash – Erase files from or reformat hard drive – Turn off computer’s security settings – Reformat the hard disk drive CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 10
11. 11. © Cengage Learning 2015 Viruses • Viruses cannot automatically spread to another computer – Relies on user action to spread • Viruses are attached to files • Viruses are spread by transferring infected files CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 11
12. 12. © Cengage Learning 2015 Worms • Worm - malicious program that uses a computer network to replicate – Sends copies of itself to other network devices • Worms may: – Consume resources or – Leave behind a payload to harm infected systems • Examples of worm actions – Deleting computer files – Allowing remote control of a computer by an attacker CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 12
13. 13. © Cengage Learning 2015 Trojans • Trojan horse (Trojan) - an executable program that does something other than advertised – Contain hidden code that launches an attack – Sometimes made to appear as data file • Example – User downloads “free calendar program” • Program scans system for credit card numbers and passwords • Transmits information to attacker through network CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 13
14. 14. © Cengage Learning 2015 Trojans CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 14
15. 15. © Cengage Learning 2015 Concealment • Rootkits - software tools used by an attacker to hide actions or presence of other types of malicious software – Hide or remove traces of log-in records, log entries • May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity • Users can no longer trust their computer that contains a rootkit – The rootkit is in charge and hides what is occurring on the computer CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 15
16. 16. © Cengage Learning 2015 Payload Capabilities • The destructive power of malware can be found in its payload capabilities • Primary payload capabilities are to: – Collect data – Delete data – Modify system security settings – Launch attacks CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 16
17. 17. © Cengage Learning 2015 Collect Data • Different types of malware are designed to collect important data from the user’s computer and make it available at the attacker • This type of malware includes: – Spyware – Adware – Ransomware CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 17
18. 18. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data • Spyware - software that gathers information without user consent – Uses the computer’s resources for the purposes of collecting and distributing personal or sensitive information • Keylogger - captures and stores each keystroke that a user types on the computer’s keyboard – Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information 18
19. 19. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data • A keylogger can be a small hardware device or a software program – As a hardware device, it is inserted between the computer keyboard connection and USB port – Software keyloggers are programs installed on the computer that silently capture information • An advantage of software keyloggers is that they do not require physical access to the user’s computer – Often installed as a Trojan or virus, can send captured information back to the attacker via Internet 19
20. 20. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data 20
21. 21. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data • Adware - program that delivers advertising content in manner unexpected and unwanted by the user – Typically displays advertising banners and pop-up ads – May open new browser windows randomly • Adware can also perform tracking of online activities – Information is gathered by adware and sold to advertisers 21
22. 22. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data • Ransomware - prevents a user’s device from properly operating until a fee is paid – Is highly profitable – Nearly 3 percent of those users who have been infected pay the ransom without questions, generating almost $5 million annually • A variation of ransomware displays a fictitious warning that there is a problem and users must purchase additional software online to fix the problem 22
23. 23. © Cengage Learning 2015CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Collect Data 23
24. 24. © Cengage Learning 2015 Delete Data • The payload of other types of malware deletes data on the computer • Logic bomb - computer code that lies dormant until it is triggered by a specific logical event – Difficult to detect before it is triggered – Often embedded in large computer programs that are not routinely scanned CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 24
25. 25. © Cengage Learning 2015 Modify System Security • Backdoor - gives access to a computer, program, or service that circumvents normal security to give program access – When installed on a computer, they allow the attacker to return at a later time and bypass security settings CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 25
26. 26. © Cengage Learning 2015 Launch Attacks • Zombie - an infected computer that is under the remote control of an attacker • Groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder) • Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders – A common C&C mechanism used today is HTTP, which is more difficult to detect and block CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 26
27. 27. © Cengage Learning 2015 Launch Attacks CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 27
28. 28. © Cengage Learning 2015 Social Engineering Attacks • Social engineering - a means of gathering information for an attack by relying on the weaknesses of individuals • Social engineering attacks can involve psychological approaches as well as physical procedures CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 28
29. 29. © Cengage Learning 2015 Psychological Approaches • Psychological approaches goal: to persuade the victim to provide information or take action • Attackers use a variety of techniques to gain trust without moving quickly: – Attacker will ask for only small amounts of information – The request needs to be believable – Will use slight flattery or flirtation to “soften up” victim – Attacker “pushes the envelope” to get information – Attacker may smile and ask for help CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 29
30. 30. © Cengage Learning 2015 Impersonation • Impersonation - attacker pretends to be someone else: – Help desk support technician – Repairperson – Manager – Trusted third party – Fellow employee • Attacker will often impersonate a person with authority because victims generally resist saying “no” to anyone in power CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 30
31. 31. © Cengage Learning 2015 Phishing • Phishing - sending an email claiming to be from legitimate source – Tries to trick user into giving private information • Many phishing attacks have these common features: • Deceptive web links • Logos • Urgent request • Variations of phishing attacks – Pharming - automatically redirects user to a fraudulent Web site CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 31
32. 32. © Cengage Learning 2015 Phishing • Variations of phishing (cont’d.) – Spear phishing - email messages target specific users – Whaling - going after the “big fish” • Targeting wealthy individuals – Vishing (voice phishing) • Attacker calls victim with recorded “bank” message with callback number • Victim calls attacker’s number and enters private information CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 32
33. 33. © Cengage Learning 2015 Phishing CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 33
34. 34. © Cengage Learning 2015 Spam • Spam - unsolicited e-mail – Primary vehicles for distribution of malware – Sending spam is a lucrative business • Cost spammers very little to send millions of spam messages • Filters look for specific words and block the email • Image spam - uses graphical images of text in order to circumvent text-based filters – Often contains nonsense text so it appears legitimate CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 34
35. 35. © Cengage Learning 2015 Spam CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 35
36. 36. © Cengage Learning 2015 Hoaxes • Hoaxes - a false warning, usually claiming to come from the IT department • Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system • Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 36
37. 37. © Cengage Learning 2015 Typo Squatting • Typo squatting - redirecting a user to a fictitious website based on a misspelling of the URL – Also called URL hijacking • Example: typing goggle.com instead of google.com • Attackers purchase the domain names of sites that are spelled similarly to actual sites – Many may contain a survey that promises a chance to win prizes or will be filled with ads CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 37
38. 38. © Cengage Learning 2015 Watering Hole Attack • Watering hole attack - a malicious attack that is directed toward a small group of specific individuals who visit the same website • Example: – Major executives working for a manufacturing company may visit a common website, such as a parts supplier to the manufacturer CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 38
39. 39. © Cengage Learning 2015 Physical Procedures • Dumpster diving – Digging through trash to find information that can be useful in an attack • Tailgating – Following behind an authorized individual through an access door – An employee could conspire with an unauthorized person to allow him to walk in with him (called piggybacking) – Watching an authorized user enter a security code on a keypad is known as shoulder surfing CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 39
40. 40. © Cengage Learning 2015 Physical Procedures CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 40
41. 41. © Cengage Learning 2015 Summary • Malware is malicious software that enters a computer system without the owner’s knowledge or consent • Malware that spreads include computer viruses, worms, and Trojans • Spyware is software that secretly spies on users by collecting information without their consent • Type of spyware include keylogger, adware and ransomware CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 41
42. 42. © Cengage Learning 2015 Summary • A logic bomb is computer code that is typically added to a legitimate program but lies dormant until triggered by a specific logical event • A backdoor gives access to a computer, program, or service that circumvents any normal security protections • One of the most popular payloads of malware today carried out by Trojans, worms, and viruses is software that will allow the infected computer to be placed under the remote control of an attacker (infected computer is known as a zombie) CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 42
43. 43. © Cengage Learning 2015 Summary • Social engineering is a means of gathering information for an attack from individuals • Types of social engineering approaches include phishing, dumpster diving, and tailgating • Typo squatting (URL hijacking) takes advantage of user misspellings to direct them to fake websites • A watering hole attack is directed toward a smaller group of specific individuals, such as major executives working for a manufacturing company CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 43

• CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition
  Chapter 2
  Malware and Social Engineering Attacks
  
• Objectives
  Define malware
  List the different types of malware
  Identify payloads of malware
  Describe the types of social engineering psychological attacks
  Explain physical social engineering attacks
  
• Attacks Using Malware
  Malicious software (malware)
  Enters a computer system:
  Without the owner’s knowledge or consent
  Uses a threat vector to deliver a malicious “payload” that performs a harmful function once it is invoked
  Malware is a general term that refers to a wide variety of damaging or annoying software
  
• Attacks Using Malware
  Attackers can mask the presence of their malware by having it “mutate” or change
  Three types of mutating malware:
  Oligomorphic malware - changes its internal code to a predefined mutation whenever executed
  Polymorphic malware - completely changes from its original form whenever it is executed
  Metamorphic malware - can rewrite its own code and thus appears different each time it is executed
  
• Attacks Using Malware
  Malware can be classified by the using the primary trait that the malware possesses:
  Circulation - spreading rapidly to other systems in order to impact a large number of users
  Infection - how it embeds itself into a system
  Concealment - avoid detection by concealing its presence from scanners
  Payload capabilities - what actions the malware performs
  
• Circulation/Infection
  Three types of malware have the primary traits of circulation and/or infections:
  Viruses
  Worms
  Trojans
  
• Viruses
  Computer virus - malicious computer code that reproduces itself on the same computer
  Program virus - infects an executable program file
  Macro - a series of instructions that can be grouped together as a single command
  Common data file virus is a macro virus that is written in a script known as a macro
  Virus infection methods:
  Appender infection - virus appends itself to end of a file
  Easily detected by virus scanners
  
• Viruses
  Virus infection methods (cont’d.)
  Swiss cheese infection - viruses inject themselves into executable code
  Virus code is “scrambled” to make it more difficult to detect
  Split infection - virus splits into several parts
  Parts placed at random positions in host program
  The parts may contain unnecessary “garbage” doe to mask their true purpose
  
• Viruses
  Figure 2-3 Split infection
  
• Viruses
  Viruses perform two actions:
  Unloads a payload to perform a malicious action
  Reproduces itself by inserting its code into another file on the same computer
  Examples of virus actions
  Cause a computer to repeatedly crash
  Erase files from or reformat hard drive
  Turn off computer’s security settings
  Reformat the hard disk drive
  
• Viruses
  Viruses cannot automatically spread to another computer
  Relies on user action to spread
  Viruses are attached to files
  Viruses are spread by transferring infected files
  
• Worms
  Worm - malicious program that uses a computer network to replicate
  Sends copies of itself to other network devices
  Worms may:
  Consume resources or
  Leave behind a payload to harm infected systems
  Examples of worm actions
  Deleting computer files
  Allowing remote control of a computer by an attacker
  
• Trojans
  Trojan horse (Trojan) - an executable program that does something other than advertised
  Contain hidden code that launches an attack
  Sometimes made to appear as data file
  Example
  User downloads “free calendar program”
  Program scans system for credit card numbers and passwords
  Transmits information to attacker through network
  
• Trojans
  Table 2-2 Difference between viruses, worms, and Trojans
  
• Concealment
  Rootkits - software tools used by an attacker to hide actions or presence of other types of malicious software
  Hide or remove traces of log-in records, log entries
  May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity
  Users can no longer trust their computer that contains a rootkit
  The rootkit is in charge and hides what is occurring on the computer
  
• Payload Capabilities
  The destructive power of malware can be found in its payload capabilities
  Primary payload capabilities are to:
  Collect data
  Delete data
  Modify system security settings
  Launch attacks
  
• Collect Data
  Different types of malware are designed to collect important data from the user’s computer and make it available at the attacker
  This type of malware includes:
  Spyware
  Adware
  Ransomware
  
• Collect Data
  Spyware - software that gathers information without user consent
  Uses the computer’s resources for the purposes of collecting and distributing personal or sensitive information
  Keylogger - captures and stores each keystroke that a user types on the computer’s keyboard
  Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information
  
• Collect Data
  A keylogger can be a small hardware device or a software program
  As a hardware device, it is inserted between the computer keyboard connection and USB port
  Software keyloggers are programs installed on the computer that silently capture information
  An advantage of software keyloggers is that they do not require physical access to the user’s computer
  Often installed as a Trojan or virus, can send captured information back to the attacker via Internet
  
• Collect Data
  Table 2-3 Technologies used by spyware
  
• Collect Data
  Adware - program that delivers advertising content in manner unexpected and unwanted by the user
  Typically displays advertising banners and pop-up ads
  May open new browser windows randomly
  Adware can also perform tracking of online activities
  Information is gathered by adware and sold to advertisers
  
• Collect Data
  Ransomware - prevents a user’s device from properly operating until a fee is paid
  Is highly profitable
  Nearly 3 percent of those users who have been infected pay the ransom without questions, generating almost $5 million annually
  A variation of ransomware displays a fictitious warning that there is a problem and users must purchase additional software online to fix the problem
  
• Collect Data
  Figure 2-7 Ransomware computer infection
  
• Delete Data
  The payload of other types of malware deletes data on the computer
  Logic bomb - computer code that lies dormant until it is triggered by a specific logical event
  Difficult to detect before it is triggered
  Often embedded in large computer programs that are not routinely scanned
  
• Modify System Security
  Backdoor - gives access to a computer, program, or service that circumvents normal security to give program access
  When installed on a computer, they allow the attacker to return at a later time and bypass security settings
  
• Launch Attacks
  Zombie - an infected computer that is under the remote control of an attacker
  Groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder)
  Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders
  A common C&C mechanism used today is HTTP, which is more difficult to detect and block
  
• Launch Attacks
  Table 2-5 Uses of botnets
  
• Social Engineering Attacks
  Social engineering - a means of gathering information for an attack by relying on the weaknesses of individuals
  Social engineering attacks can involve psychological approaches as well as physical procedures
  
• Psychological Approaches
  Psychological approaches goal: to persuade the victim to provide information or take action
  Attackers use a variety of techniques to gain trust without moving quickly:
  Attacker will ask for only small amounts of information
  The request needs to be believable
  Will use slight flattery or flirtation to “soften up” victim
  Attacker “pushes the envelope” to get information
  Attacker may smile and ask for help
  
• Impersonation
  Impersonation - attacker pretends to be someone else:
  Help desk support technician
  Repairperson
  Manager
  Trusted third party
  Fellow employee
  Attacker will often impersonate a person with authority because victims generally resist saying “no” to anyone in power
  
• Phishing
  Phishing - sending an email claiming to be from legitimate source
  Tries to trick user into giving private information
  Many phishing attacks have these common features:
  Deceptive web links
  Logos
  Urgent request
  Variations of phishing attacks
  Pharming - automatically redirects user to a fraudulent Web site
  
• Phishing
  Variations of phishing (cont’d.)
  Spear phishing - email messages target specific users
  Whaling - going after the “big fish”
  Targeting wealthy individuals
  Vishing (voice phishing)
  Attacker calls victim with recorded “bank” message with callback number
  Victim calls attacker’s number and enters private information
  
• Phishing
  Figure 2-8 Phishing email message
  
• Spam
  Spam - unsolicited e-mail
  Primary vehicles for distribution of malware
  Sending spam is a lucrative business
  Cost spammers very little to send millions of spam messages
  Filters look for specific words and block the email
  Image spam - uses graphical images of text in order to circumvent text-based filters
  Often contains nonsense text so it appears legitimate
  
• Spam
  Figure 2-9 Image spam
  
• Hoaxes
  Hoaxes - a false warning, usually claiming to come from the IT department
  Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system
  Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker
  
• Typo Squatting
  Typo squatting - redirecting a user to a fictitious website based on a misspelling of the URL
  Also called URL hijacking
  Example: typing goggle.com instead of google.com
  Attackers purchase the domain names of sites that are spelled similarly to actual sites
  Many may contain a survey that promises a chance to win prizes or will be filled with ads
  
• Watering Hole Attack
  Watering hole attack - a malicious attack that is directed toward a small group of specific individuals who visit the same website
  Example:
  Major executives working for a manufacturing company may visit a common website, such as a parts supplier to the manufacturer
  
• Physical Procedures
  Dumpster diving
  Digging through trash to find information that can be useful in an attack
  Tailgating
  Following behind an authorized individual through an access door
  An employee could conspire with an unauthorized person to allow him to walk in with him (called piggybacking)
  Watching an authorized user enter a security code on a keypad is known as shoulder surfing
  
• Physical Procedures
  Table 2-5 Uses of botnets
  
• Summary
  Malware is malicious software that enters a computer system without the owner’s knowledge or consent
  Malware that spreads include computer viruses, worms, and Trojans
  Spyware is software that secretly spies on users by collecting information without their consent
  Type of spyware include keylogger, adware and ransomware
  
• Summary
  A logic bomb is computer code that is typically added to a legitimate program but lies dormant until triggered by a specific logical event
  A backdoor gives access to a computer, program, or service that circumvents any normal security protections
  One of the most popular payloads of malware today carried out by Trojans, worms, and viruses is software that will allow the infected computer to be placed under the remote control of an attacker (infected computer is known as a zombie)
  
• Summary
  Social engineering is a means of gathering information for an attack from individuals
  Types of social engineering approaches include phishing, dumpster diving, and tailgating
  Typo squatting (URL hijacking) takes advantage of user misspellings to direct them to fake websites
  A watering hole attack is directed toward a smaller group of specific individuals, such as major executives working for a manufacturing company
  

What are the primary traits of malware?

What are the three most common types of malware?

What are 3 things malware does to a computer?

Which type of malware exploits a vulnerability on one system and then immediately searches for another computer?