
IT Security - 2 Exercise 1 (Malware)

Tanmaya Mahapatra, Matriculation Number: 340959, tanmaya.mahapatra@rwth-aachen.de
Bharath Rangaraj, Matriculation Number: 340909, bharath.rangaraj@rwth-aachen.de
Mohibullah Kamal, Matriculation Number: 341323, mohibullah.kamal@rwth-aachen.de

October 16, 2013

Task - 1 : Malware Relations

Question 1: What is the purpose of a trojan?

Solution: Trojans are malicious code/software with an overt purpose as well as a covert purpose. The overt purpose is well documented and known to the user executing it, while the covert purpose is hidden and unknown to the average computer user. Some of the widely known covert purposes of trojans are:

- Installation of other kinds of malware.
- Identity theft.
- Data theft.
- Electronic money theft.
- Data corruption.
- Keystroke logging.
- Giving root/admin access to the compromised system.
- System malfunctions such as unanticipated system reboots, kernel panics, the Blue Screen of Death, etc.

Question 2: What is the purpose of a rootkit?

Solution: Rootkits are generally considered to be malicious and are known for their stealthiness (rootkit = root + kit). Some of the known purposes of rootkits are:

- Providing an attacker with full access to the compromised system via a backdoor.
- Hiding other kinds of malware present in the system, such as viruses and keyloggers.
- Using the compromised systems to attack other systems (zombie systems).

In some cases rootkits also serve genuine purposes and are installed intentionally by users, for example:

- Attack detection in honeypots.
- Anti-theft protection: the rootkit periodically sends a report to a central authority so that a laptop can be monitored and wiped in case of theft.
- Concealing cheating in online games.
- Bypassing Microsoft Product Activation (not legal, though).

Question 3: Is a rootkit a virus?

Solution: No, rootkits are not viruses. They are tools which help to hide the presence of other malware such as trojans and viruses. Listed below are some points which differentiate a rootkit from a virus:

1. The payload of a rootkit is specifically meant to maintain the integrity of the system compromise, while a virus can have any sort of payload.
2. A virus attempts to spread, while a rootkit limits itself to maintaining control of one system.

Question 4: How do trojans and rootkits relate to one another?

Solution: Rootkits are a type of trojan horse program which, when installed on a victim's machine:

1. Changes the behaviour of the operating system.
2. Provides stealth for the activities of the rootkit author.
3. Gives root access to the attacker.
4. Replaces normal programs and system libraries with different versions which appear to function normally to an average user.

But rootkits differ from trojans to a great extent, namely:

- They are more advanced than trojans.
- Rootkits are designed to go unnoticed, whereas trojans do not incorporate active mechanisms that prevent them from being detected.
- Trojan horses generally use an innocuous name, such as datafile or misc, as their hiding mechanism, while rootkits have mechanisms that actively hide their presence from anti-virus and anti-spyware programs, system management utilities, and system and network administrators.
- Trojan programs are generally created within systems that have been compromised; i.e., they do not replace existing programs and files but are instead new programs that are installed. In contrast, rootkits actually replace operating system programs and system libraries.

Question 5: What does a malware author have to do to turn a remote administration software into a trojan?

Solution: Adding covert operations to it turns remote administration software into a trojan: the remote administration function remains the overt purpose, while the covert operations become the hidden one.

Task 2: Malware from nation state actors

Question 1: According to the Edward Snowden leaks, the NSA records a considerable amount of today's internet traffic. Why does the NSA nevertheless develop its own malware to infect computers of target subjects?

Solution: The prime reason why the NSA monitored Internet traffic was security, and to uncover the users who used Tor (The Onion Router) to send anonymous packets; for this they directly exploited the Tor Mozilla Firefox plugin, which was later patched by Mozilla. Their prime reason was not to attack but to monitor.

Task 3: Malware analysis

Question 1: What are the most common techniques of malware researchers to collect samples of malware?

Solution: The methods/techniques most commonly used by researchers to collect samples of malware are:

- Honeypot: an isolated, unprotected and monitored system, containing resources that seem valuable to an attacker, aimed at collecting examples of malicious activity.
- Honeyclient: an automated, vulnerable client-side system executed in a controlled environment.
- Honeynet: a distributed collection of honeypots and email filters intended for large-scale collection and observation of malware.

Question 2: When you are in possession of a malware sample, what are the most common analysis techniques?

Solution: The analysis is done either with static or with dynamic techniques. But for whichever method is chosen, the first important prerequisite is to create a safe and effective analysis environment. This can be done either by using a set of dedicated computers operating in their own partitioned network, or by using virtual machines such as Xen, VMware etc. There are several disadvantages of using virtual machines:

1. The VM software may leak information from the VM to the host OS.
2. The malware can detect that it is running in a VM and may change its behaviour.
3. A 0-day threat can bypass the VM sandbox and interfere with the host operating system's services.

Static Analysis Techniques

- File Fingerprinting: before starting any work, researchers generally compute cryptographic hash values (MD5, SHA1, SHA256) of the files under investigation.
- Virus Scanning: if the file being examined is part of a well known malware family, it is a good idea to have it scanned with a virus scanner. If the anti-virus program detects the malware, the anti-virus vendor may have done some post-analysis, which can be very crucial.
- Packer Detection: the most complicating factor in malware analysis is the proliferation of programs that modify an executable file to obfuscate its contents and hide the actual program logic from a reverse engineer performing static analysis. Programs that modify other program files to compress or disguise their contents are most commonly referred to as packers. When a packer compresses, encrypts, or otherwise modifies an executable program, the program looks very different from the static analysis perspective, but still runs as it did before it was packed. Once a program has been packed, the original program's logic and other metadata are very hard to recover through static analysis.
- Strings: it can be really beneficial to have an idea of what the code actually does. This can be found out by simply looking at the readable text embedded in the program.
- Inside the PE File Format: PE (Portable Executable) is the format used by executables on Windows systems. Much useful information can be extracted from the metadata of a PE-formatted file, such as:
  1. Date and time of compilation.
  2. Functions imported or exported by the program.
  3. Icons, version info and other embedded strings.
- Disassembly: the next step is to disassemble the file and analyze the assembly code instructions.

Dynamic Analysis Techniques

- Process Monitor: a tool that monitors all file, registry, and process activity on Windows systems.
- Wireshark: a network protocol analyzer that captures, analyzes, and filters network traffic.
- Debugging: the fastest way to perform a full analysis is to use static analysis techniques coupled with the use of a good debugger like WinDbg.

Question 3: What is the key difference between static and dynamic malware analysis?

Solution: There are broadly two ways to analyze malware, known as static and dynamic analysis.

Static Analysis: we closely examine the code without actually running it. The chief tools employed for this type of analysis include, but are not limited to, disassemblers, decompilers, source code analyzers, and basic text utilities like grep, strings etc. Static analysis gives only an approximate idea of the malware, but it has the advantage of covering code that is executed only rarely. Static analysis is safer than dynamic analysis because it is essentially an autopsy of the code.

Dynamic Analysis: in this technique we actually run the code and observe its actions. The main tools employed for this purpose are debuggers, function call tracers, machine emulators, logic analyzers, and network sniffers. The advantage of dynamic analysis is that it can be fast and accurate.

            Static Analysis           Dynamic Analysis
Method      Code is analyzed          Code is executed and observed
Result      Gives an approximate idea Gives an exact idea of the malware
Risk        Safer                     Highly risky
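The first static triage steps listed under Question 2 (file fingerprinting, strings, and reading the compilation timestamp from the PE header), carried out in Python as an added example; this is not code from the original exercise sheet. The PE image is a minimal constructed stub rather than a real sample, and the parser reads only the DOS and COFF headers, which is enough for the timestamp.

```python
"""Static triage of a PE file: fingerprinting, strings, compile timestamp."""
import hashlib
import re
import struct
from datetime import datetime, timezone

def fingerprint(data: bytes) -> dict:
    """File fingerprinting: the hashes analysts use to identify a sample."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}

def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the 'strings' utility."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_compile_time(data: bytes):
    """TimeDateStamp from the COFF header, or None if this is not a PE file.
    Layout: 'MZ' ... e_lfanew at 0x3C -> 'PE\\0\\0', Machine (2), NumberOfSections (2),
    TimeDateStamp (4), i.e. the stamp sits 8 bytes after the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 12:
        return None
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def triage(data: bytes) -> dict:
    """Run the three static checks and collect the results in one report."""
    return {"hashes": fingerprint(data), "strings": strings(data),
            "compile_time": pe_compile_time(data)}

# Constructed minimal PE stub (assumption: not a real sample). DOS header with
# e_lfanew = 0x40, then the PE signature and a 20-byte COFF header whose
# TimeDateStamp is 1381881600 (2013-10-16 00:00:00 UTC), then two strings.
SAMPLE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x14C, 1, 1381881600, 0, 0, 0xE0, 0x102)
    + b"\0" * 8 + b"kernel32.dll\0GetProcAddress\0"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The same functions work on a real file read with `open(path, "rb").read()`; on packed samples the strings output shrinks to a handful of packer stubs, which is itself a useful packer-detection hint.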

Task 4: Defeating Malware

Question 1: Why is anti-virus software often characterized as snake oil by some renowned security researchers?

Solution: Anti-virus manufacturers make the false claim that they secure the computer against all kinds of malware, but researchers feel that this claim is just a snake-oil marketing technique, for the reasons listed below.

- Anti-virus software uses techniques like blacklisting: it scans the computer, blacklists the files that match the malware samples in its database, and then claims that the computer is secured. In reality this is not true, because the anti-virus sample database may not contain samples of newly created malware. If the computer is affected by any such newly created malware, then the anti-virus claim that the computer is secured is false.
- Most anti-virus software uses techniques like hash value checking and heuristics, which are not effective because modern malware uses mutation and merging.
- One researcher feels that the anti-virus software itself can be attacked by malware, so the anti-virus claim that the computer is protected cannot be trusted.

Question 2: What is the general problem with malware signatures? What kind of techniques try to solve this problem?

Solution: The following are identified as general problems with signatures:

- Detecting malware using signatures may result in false positives.
- Signatures cannot deal with obfuscation.
- The signature database needs to be updated continually, because different malware contains different signatures.

The following two techniques have been devised by researchers as an effective solution to this problem:

- Automatic generation of signatures (strings that can be used to detect various malware).
- Using semantic signatures.

Question 3: Despite its disadvantages, what benefits does anti-virus software provide?

Solution: Despite the inefficiency of anti-virus software against new, not yet found malware, it can still protect the computer from already known malware and can provide us with the following benefits:

- Securing sensitive information.
- Avoiding sending spam mails.
- The anti-virus software can be updated regularly to keep up to date with known viruses.
- It can avoid financial damage to a certain extent, because the cost required to recover a crashed computer is high compared to the price of the anti-virus software.
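Question 1's point that hash value checking is defeated by mutation, and Question 2's point that signatures cannot deal with obfuscation, shown concretely as an added example (not from the exercise sheet). The "sample" and its variants are constructed, harmless byte strings: a one-byte mutation already defeats exact-hash matching, a fixed byte-pattern signature survives that but not a compressed (packed) copy.

```python
"""Why exact hashes and fixed byte patterns are brittle malware signatures."""
import hashlib
import zlib

# Constructed "sample" (assumption: not real malware): a fake header, one
# characteristic string an analyst would pick as a signature, and padding.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 60
            + b"agent=http://example.invalid/update\x00" + b"\x00" * 64)
# Mutation: a single padding byte differs; the program logic would be unchanged.
MUTATED = ORIGINAL[:-1] + b"\x01"
# Packing: a packer compresses the image, so the string is no longer visible
# until the program unpacks itself at run time.
PACKED = zlib.compress(ORIGINAL)

# Signature database as an anti-virus engine might hold it.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}
BYTE_SIGNATURES = [b"example.invalid/update"]

def hash_match(sample: bytes) -> bool:
    """Hash value checking: matches only a byte-identical copy."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES

def pattern_match(sample: bytes) -> bool:
    """Byte-pattern signature: tolerates small mutations, not obfuscation."""
    return any(sig in sample for sig in BYTE_SIGNATURES)

def scan(sample: bytes) -> dict:
    """Verdict of both detection methods for one sample."""
    return {"hash": hash_match(sample), "pattern": pattern_match(sample)}

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("mutated", MUTATED), ("packed", PACKED)):
        print(f"{name:9s} {scan(data)}")
```

This is why the packed sample has to be unpacked (or run under dynamic analysis) before string- or hash-based signatures can say anything about it.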

