EC Council CEH 312-50 – Malware – Software Goes Undercover Part 1
July 14, 2023

1. Introduction to Malware and How The Internet Makes Money

In this section we’ll talk about malware. We’ll start off with how the internet actually makes its money. We’ll define malware, Trojans and backdoors. We’ll define things like viruses and worms as well as spyware, loss prevention and other types of creepy things. We’ll discuss Netcat in depth and executable wrappers, how malware evades detection, and some malware countermeasures.

2. Things that make the World Go Around – Well as far as the Internet is concerned

Now I’ll typically start out this chapter by asking the students, what does malware mean to you? So if I were to ask you at lunch or over coffee or whatever, and I said one of the technicians told me I had malware on my machine, what exactly does that term mean to you? I’m looking for a definition, and yes, guys, I know I’m talking to myself here, but I’ve been doing this for so long that I know how most people will respond: well, it’s malicious software. It’s software that does stuff you don’t want it to do. It can be very destructive. And I usually counter that with something like, so you’re saying it’s malicious. Okay, that’s fine. There are pieces of malware that take the position that they are helping you.

Now I don’t know who screwed their head on, in my opinion, but this is the position that they take: by learning more about your preferences, we can bring up advertisements to help you. In my opinion, this is just a bad idea. I can see a train wreck on this 100 miles away. But be that as it may, let me give you my definition of malware. Most of the time when we install some piece of software, we naturally take it out of the box and we read every line on that package before we open it. Is that correct? Well, if you are actually reading all of that stuff, all I can say is kudos to you, because I usually fall asleep about the third line, since it’s written in such a way that it’s very difficult to understand.

Let me give you my definition of malware. My definition of malware would be software running on your computer that, if you really knew what it was doing, you’d probably choose not to run. And in a nutshell, that’s really what malware is. Malware is executing on your machine, taking CPU cycles. And I guarantee you, when it comes time to make the monthly payment on your computer, they’re not going to be forking over any more money. How does the Internet work? The internet works by advertisement. We simply, as an internet consuming community, need to take a stronger stance on privacy. Now some of you guys may be fairly young and some of you guys may be in your 40s or fifties.

And it never ceases to amaze me that when I see young kids, they have no problem giving away all their details. That just kind of makes my skin crawl. I was at my doctor’s office just the other day and he was wanting to take a picture. I’d broken my foot, and the girl came back: oh, I don’t know the code to your phone. He said, it’s 4362. I said, don’t do that, put it in for me. You know, when you’re in security, a lot of these things just kind of grate on you, and you really just want to shake them by the shoulders and say, please don’t do that. So malware, as we said before, is probably software running on your computer, but if you really knew exactly what it was doing, you’d probably choose not to run it, because the software that they download is more of a loss leader.

For example, if you downloaded the plug-in for Weather Bug just to see what the temperature is and the outlook, I guarantee you folks, the people that made that software did not make it because they like the way that you look. They made it so they can collect information on you. They can collect information on perhaps where you’re going, what clicks you click on. If you simply go out to CNN, as an example, you’ll see this wholeheartedly. Let me pause for just a second. I’m going to set up a little demo for you. Now, I actually hope I haven’t shown this to you before, and if I have, I guess I’ll cut it out of one of the other videos. But my classes tend to start running together when I’m doing two or three in a week.

At any rate, what I’m going to show you is a little utility called Ghostery. And this Ghostery utility is designed to alert you to who’s tracking you, as well as being able to thwart that. In other words, stop that. But what I’m going to do is I’m just going to enable Ghostery. Now I’m going to go out here on another tab and I’m just going to go out to, let’s say, a news site. Let’s go out to CNN. All right, that’s pretty politically correct, I guess, depending on which day of the week it is. But what I want you to notice right here is that Ghostery has already accumulated 23 trackers. So 23 trackers, and I’m going to display them for you. Just click on this. Click here, and we’re all the way to 41 trackers. Now, okay, so here are 30 advertising trackers.

Atlas, Bing Ads, Google Publishing. Basically what they’re doing is they are looking to see what you click on. All right? For example, if I were a Trump fan, not saying I am, but if I was, I might click on a story down here, and it would give them a clue: oh, he must be a Republican, or he must be interested in climate change, or he must be interested in this or in that or whatever it would happen to be. This is how the Internet works. I had a very smart man tell me something one time, and I’m going to pass this on to you, and it’s going to take a couple of moments for you to kind of let it boil down and figure it out. When we get on the Internet, we are most often looking for something, more than likely to buy or to go to the show or whatever.

We’re looking for something. If we’re not looking for something, we are the customer. What do you mean, Tim? What do you mean we’re the customer? It says so right here in the 49 trackers Ghostery shows: they are selling all of my particular pieces of information to whoever will buy it. So you are either looking for something or you are the customer. And if that upsets you a little bit, I’m sorry, guys, that’s how the internet works. I’ve said before several times, they don’t put these free news stories and all this information on here because they like the way you look. Unfortunately, they want to get something out of it. And what they want to get out of it are your preferences.

And hopefully that’s all they’re getting. I want you to notice that we can set up and restrict this site, and I can block all of these trackers as well as even the ads. Now, when I’m doing something like that, CNN gets their money from these ads. It very well could come a day when I go out to CNN, if I’ve blocked it, they may pop up something that says, excuse me, this is how we make our money. Could you please consider enabling your cookies and unblocking your trackers so that we can continue with the normal way we do business? If I say no, maybe they don’t let me in, or maybe they do. You can kind of see that’s where the money is coming from. And I wanted to mention that.
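The demo above counts trackers by looking at which third-party hosts a page pulls resources from and matching those hosts against a list of known tracking domains. The following is an added example of that inventory step, not code from the lecture or from the Ghostery product; the sample HTML, the host names ending in `.test`, and the small tracker list are all constructed for illustration (a real blocker ships thousands of entries and a proper public-suffix list).

```python
"""Inventory third-party resources in a page, the way a tracker blocker does.

Added example, not part of the original lecture or the Ghostery product.
The HTML below and the tracker list are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party site plus several third-party loads.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-news.test/static/app.js"></script>
<script src="https://ads.adnet-one.test/tag.js"></script>
<script async src="https://analytics.metrics-co.test/collect.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="https://pixel.adnet-one.test/px.gif?u=123" width="1" height="1">
<iframe src="https://social.widgets.test/like"></iframe>
<link rel="stylesheet" href="https://www.example-news.test/style.css">
</body></html>
"""

# Constructed tracker list: registrable domain -> category.
TRACKER_LIST = {
    "adnet-one.test": "advertising",
    "metrics-co.test": "site analytics",
    "widgets.test": "social media",
}


class ResourceCollector(HTMLParser):
    """Collects the URL of every external resource the page would load."""

    # tag -> attribute that names the resource it fetches
    LOADING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for the constructed hosts here."""
    return ".".join(host.lower().split(".")[-2:])


def inventory_trackers(html, first_party_host, tracker_list=TRACKER_LIST):
    """Return counts of first-party loads, third-party loads per domain,
    and the subset of third-party domains that appear in the tracker list."""
    parser = ResourceCollector()
    parser.feed(html)
    first_party = registrable_domain(first_party_host)
    report = {"first_party": 0, "third_party": {}, "trackers": {}}
    for url in parser.urls:
        host = urlparse(url).hostname
        if host is None:  # relative URL, served by the page's own origin
            report["first_party"] += 1
            continue
        domain = registrable_domain(host)
        if domain == first_party:
            report["first_party"] += 1
            continue
        report["third_party"][domain] = report["third_party"].get(domain, 0) + 1
        category = tracker_list.get(domain)
        if category:
            report["trackers"].setdefault(category, set()).add(domain)
    return report


if __name__ == "__main__":
    result = inventory_trackers(SAMPLE_HTML, "www.example-news.test")
    print(f"first-party loads: {result['first_party']}")
    for domain, count in sorted(result["third_party"].items()):
        print(f"third-party {domain}: {count} load(s)")
    for category, domains in sorted(result["trackers"].items()):
        print(f"{category}: {', '.join(sorted(domains))}")
```

The counter the lecture shows climbing from 23 to 41 is this same loop run continuously, since ad scripts load further scripts after the page is parsed; a static pass over the initial HTML only sees the first layer.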

3. Trojans and Back Doors

You know, isn’t it always the case that when you open up a brand new section, the first thing they want to hit you with is definitions? This is not going to be any different, because we need to define things like malware, Trojan horses, viruses and worms, and how they differ from each other. So let’s start off with defining malware, beginning with Trojans. Now, a Trojan horse, or a Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan. Typically what happens is it causes the loss or theft of data, and possibly system harm as well. Now, the term was actually derived from the story of the wooden horse used to trick the defenders of Troy into taking concealed warriors into the ancient city in Anatolia.

Computer Trojans often employ a form of social engineering, presenting themselves as routine, useful or interesting in order to persuade victims to install them, or possibly even as a gift. A Trojan often acts as a back door, contacting a controller, typically known as the command and control server, because we have to have somebody organizing this thing, which can then have unauthorized access to the affected computer. Now, Trojans and back doors are not themselves easily detectable. If they carry out significant computing or communications activity, it may cause the computer to run noticeably slowly.

Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files; that would actually constitute the definition of a virus. Nor do they otherwise propagate themselves from one machine to another, i.e. the definition of a worm. A computer may host a Trojan via a malicious program a user is duped into executing, often an email attachment disguised to be unsuspicious, for example a routine form to be filled out, or a drive-by download. The next thing we want to talk about is a backdoor. And a backdoor is pretty much what you think it is. It’s a way of leaving yourself access to get back in, where hopefully nobody would be able to determine that it has been left open for you.

So a back door in a computer system, or a cryptosystem or algorithm if you want to look at it that way, is simply a method of bypassing security: obtaining illegal remote access to a computer, obtaining access to plaintext and so on, while attempting to remain undetected the whole time. Industry experts have estimated that a zero day attack may fetch prodigious sums of governmental information. They could exfiltrate tremendous amounts of information if they had the opportunity to do that. Now, the threat of the back door surfaced when multi-user and network operating systems became really widely adopted. A couple of gentlemen, Petersen and Turn, discussed computer subversion in a paper published in the proceedings back in, I think it was 1967, at the AFIPS conference.

What I find interesting is that they noted a class of active infiltrations that use a trap door, and their term trap door indicates entry points into the system that bypass security facilities and permit even direct access to the data. But the trap door is not necessarily visible. The use of the word trapdoor coincides with more recent definitions of a backdoor. However, since the advent of public key encryption, the term trapdoor has acquired a different meaning. Much more generally, security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship back in the early 70s. Now, a backdoor in a login system may take the form of a hard coded user ID and password combination, which gives access to the system.

A famous example of this kind of backdoor was used as a plot device in the 1983 film War Games, in which the architect of the WOPR computer system had inserted a hard coded password, in other words, his dead son’s name, if you remember the film with Matthew Broderick. And they had to let the machine learn that nuclear annihilation was not plausible, because we would all be erased, if you remember that. Although the number of backdoors in systems using proprietary software, in other words software whose source code is not publicly available, is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code; we typically know these as Easter eggs, and they’re more of a fun thing.
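The hard coded user ID and password backdoor described above is easy to show side by side with a login routine that has no such hole, and it is also something a code reviewer can look for mechanically. The block below is an added example, not code from the lecture or from any real system: `login_weak` carries a constructed WarGames-style credential pair, `UserStore` is the hardened replacement that keeps only salted PBKDF2 hashes and compares them in constant time, and `find_literal_credential_checks` is a small AST-based check that flags any comparison of a credential-looking variable against a string literal. All user names and passwords in it are made up.

```python
"""Hard-coded credential backdoor beside a hardened login, plus a source check.

Added example, not code from the lecture or any real product. The users,
passwords and the backdoor credentials are constructed for illustration.
"""
import ast
import hashlib
import hmac
import os

# --- weak: a WarGames-style backdoor -----------------------------------------
# A second, undocumented check admits one fixed user/password pair no matter what
# the user database says. Anyone who reads the source or the binary can find it.
USERS_WEAK = {"alice": "correct horse battery staple"}  # constructed


def login_weak(username, password):
    if USERS_WEAK.get(username) == password:
        return True
    if username == "maint" and password == "hunter2":  # constructed backdoor
        return True
    return False


# --- hardened: no secrets in code, salted slow hashes, constant-time compare ---
def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, iterations, digest); a fresh random salt is drawn if none given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


class UserStore:
    """Credential store that only ever holds hashes; no literal passwords anywhere."""

    def __init__(self):
        self._records = {}

    def add_user(self, username, password):
        self._records[username] = hash_password(password)

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, b"\x00" * 16)
            return False
        salt, iterations, stored = record
        _, _, candidate = hash_password(password, salt, iterations)
        return hmac.compare_digest(stored, candidate)


# --- review aid: flag literal credential comparisons in Python source ----------
def find_literal_credential_checks(source):
    """Return sorted line numbers where a name containing 'user' or 'pass' is
    compared against a string literal, the signature of a hard-coded credential."""
    lines = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left, *node.comparators]
        names = [n.id.lower() for n in operands if isinstance(n, ast.Name)]
        has_str_literal = any(
            isinstance(n, ast.Constant) and isinstance(n.value, str) for n in operands
        )
        if has_str_literal and any("pass" in n or "user" in n for n in names):
            lines.add(node.lineno)
    return sorted(lines)


if __name__ == "__main__":
    import inspect

    print("backdoor admits maint/hunter2:", login_weak("maint", "hunter2"))
    flagged = find_literal_credential_checks(inspect.getsource(login_weak))
    print("literal credential checks in login_weak at lines:", flagged)

    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print("hardened accepts alice:", store.verify("alice", "correct horse battery staple"))
    print("hardened rejects maint/hunter2:", store.verify("maint", "hunter2"))
```

The AST check is deliberately narrow: it catches the exact pattern the lecture describes, a fixed string compared to a user or password variable, and says nothing about credentials loaded from a config file or decoded at runtime, which need a different review.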

One last thing I wanted to note: it’s possible to create a backdoor without modifying the source code of a program, or even modifying it after the compilation happens. This can be done by rewriting the compiler so it recognizes code during the compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but it also inserts the back door, perhaps a password recognition routine of sorts. So when the user provides that input, he gains access to some likely undocumented aspect of the computer program. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust.

4. Defining Malware: Viruses and Worms

Okay, guys, just a few more of our god awful definitions and we’ll be hitting the ground running. Okay? So a virus is typically defined as a type of malware that, when executed, replicates by inserting copies of itself, possibly modified ones, into other computer programs, data files, perhaps the boot sector of the hard drive, anything that would be executed. So when this replication succeeds, the affected areas are said to be, quote unquote, infected. Now, viruses often perform some type of harmful activity on infected hosts, such as stealing hard drive space or perhaps CPU time, accessing private information or even corrupting data, displaying political or humorous messages on the user’s screen, spamming their contacts or logging their keystrokes.

However, not all viruses carry a destructive payload or attempt to hide themselves. The defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user’s consent. And I wanted to clarify, when I said self-replicating, I’m talking about within the same computer. There was a very popular virus called the Michelangelo virus back, actually, many decades ago; it would come up on Michelangelo’s birthday and format your hard drive, and there were computer users all over the world that would not turn on their computer on Michelangelo’s birthday. So there ends up being a lot of hype and hysteria in these types of things as well.

Now, virus writers use social engineering techniques and exploit detailed knowledge of security vulnerabilities in order to gain access to their host computer’s resources. The vast number of viruses, well over 99% of them, target systems running Microsoft Windows. It’s simply a bigger piece of the pie. And they employ a variety of mechanisms to infect new hosts, often using complex anti-detection stealth strategies to evade antivirus software. Motives for creating viruses can be anything from seeking profit, to maybe sending some political message of some kind, personal amusement, defaming one of their coworkers perhaps, or demonstrating that a vulnerability does exist in the software that they’ve been talking about and would like to have.

Some of you may remember the old researcher who was so disturbed by anthrax getting out into the public that he made a public spectacle of himself, showing how easily it might be done by infecting a number of people. This was back in the early millennium. This is something along that type of a line. Now, computer viruses currently cause billions of dollars worth of economic damage each year by causing system failures, wasting computer resources, corrupting data and increasing maintenance costs. In response, free open source antivirus tools have been developed, and a multibillion dollar industry of antivirus software has cropped up selling antivirus products to Windows users.

Unfortunately, no currently existing antivirus is able to catch all computer viruses, especially the new ones, because once a virus is discovered, it goes to the research team; they counteract it and put out a patch. And that time to delivery is our problem. Computer security researchers are actively searching for new ways to enable antivirus solutions to more effectively detect emerging viruses before they’ve already become widely distributed. Lastly, let’s get to our worm. The actual term worm was first used in John Brunner’s 1975 novel The Shockwave Rider. In that novel, one of the characters designs and sets off a data gathering worm in an act of revenge against powerful men who run a national electronic information web that induces mass conformity.

You have the biggest ever worm loose on the internet, and it automatically sabotages any attempt to monitor it. There’s never been a worm with that tough a head or that long a tail. On November 2, 1988, in a very famous case, a gentleman by the name of Robert Tappan Morris, who was a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting a large number of computers then on the internet, guessed at the time to be about one tenth of all those connected. Of course, he was brought to trial, and during the Morris appeal process, the US Court of Appeals estimated the cost of removing the virus from each installation was in the range of anywhere from $200 to $53,000, thus prompting the formation of CERT, the Coordination Center, and the Phage mailing list.

Morris himself became the first person tried and convicted under the very first, the 1986, Computer Fraud and Abuse Act. The important thing to note about worms is that a worm is a standalone malware computer program. It replicates itself in order to spread to other computers. Often it uses a computer network to spread itself, relying on security failures on the target computer to gain access. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause some harm to the network, even if it’s just consuming bandwidth, which can amount to a denial of service attack, if you will. Whereas viruses always corrupt and modify files on the target computer. Unless you were on the moon in the last month, you are very familiar with the WannaCry worm.

And the WannaCry worm is probably the biggest breakout that we’ve actually had in computer systems. It brought down virtually the entire NHS, the National Health Service in the UK. And there was no love lost on the Russians, the Americans, the Europeans. It was an equal opportunity worm, if you might say. It was actually caused by a zero day fault in Microsoft Windows that the NSA had been sitting on for quite some time. The NSA knew about it, but they wanted to reserve that for their own uses, if you will. Unfortunately, that was leaked, and there are always bad guys in the world. And those bad guys came up with a way to leverage the worm not just to break into your computer system, but to also hold you for ransom for it.
