EC Council CEH 312-50 – Malware – Software Goes Undercover Part 2
July 15, 2023

5. Defining Malware: Spyware

Now we get into more of a controversial type of malware known as spyware. Spyware actually appeared back in the late 1990s, when several researchers, one that I can recall is Steve Gibson, looked at information being passed back to vendors. He got to looking into it and wondering, why is a little piece of software like CuteFTP passing information back to the vendors? It's almost like they're spying on us. And that's where the term spyware was coined. Now, spyware is software, or possibly hardware, installed on a computer that gathers information about that particular user, their computer usage, or that type of stuff, for later retrieval by whoever controls the spyware.

The software is typically installed without the user's knowledge. Now, spyware can be further broken down into a couple of different categories: surveillance spyware and advertising spyware. Surveillance software includes things like keyloggers, screen capture devices, Trojans, all of those kinds of things. Large companies often use it to monitor the computer usage of employees. Now, I put a graphic up here for a company by the name of Blue Coat. Blue Coat performs a man-in-the-middle attack, if you will, on all of the encrypted connections going in and out of the corporation, if you choose to use their software. What they're doing is injecting a fake certificate that the corporate computer image has already been configured to trust.

So no dialog box comes up, and they can completely see what's going on in your environment. Let me hold that thought for just a second and bring up a previous slide we looked at. If you recall, when we were talking about the sniffing chapter, we wanted to break SSL traffic. You can liken this to what's coming into your corporate environment if you're using a Blue Coat system. You could think of this as being the end user, Sally in marketing, let's say, and Sally decides she wants to go to her bank account to check how much money she's going to have for the weekend to go to some party. Well, unbeknownst to Sally, the corporation has installed a Blue Coat device.

And this is along the lines of what would happen. Sally would send out an SSL request, Blue Coat would stop it, and Blue Coat would then send out one of its own. A real certificate from, let's say, Bank of America would come back to Blue Coat; it copied it, altered it, and sent out a fake certificate. This certificate right here was not popped up, because the image that was created for that machine, and therefore Sally in marketing, had already trusted that certificate, so nothing would come up. Now, of course, the next thing that's going to happen is an encrypted connection would come back to Blue Coat, where they would then be able to break open that connection, inspect it for anything they wanted, seal it back up with the original certificates, and send it back to Bank of America.

And Sally is happy as a clam because she knows she has this much money to party. Well, this is all well and good, and actually perfectly legal, because you have signed away that right. When you first started with that company, if you remember, if you were working for a large company, the very first day they bring in a great big stack of papers: sign here, sign here, sign here, sign here. And by the time you're done with it you don't really know what you've signed. One of those basically gives them the right to monitor any encrypted connections going in and out of their corporation.

So let's go back to Sally. Let's say Sally finds this out. Oh my gosh. You mean they could know what my PIN is on my bank account? They know what's in my bank account? Well, I'm not going to stand for this. I'm going to march right in there to Human Resources and put my foot down. And you know what they're going to say when Sally walks in there? Don't use our machines to do your personal business. Never really thought about it like that. You see, in reality they don't really have much choice in doing this, because virtually everything on the internet today is moving towards SSL.

That means we have an encrypted pipe from point A to point B, and if we need to break it open for security reasons, we should be able to do so. Now, that's not to say there couldn't be some nefarious person running the Blue Coat server and collecting Sally's password. I mean, that's possible. But I ran a Blue Coat server one time, and it primarily looks for words and phrases. So you would have to really circumvent that to pull that kind of thing out. Then again, if it really bothers you, do what Human Resources told you to do: don't use their machines to do your personal business.
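The tell-tale sign of the interception described above is that the leaf certificate Sally's browser receives is no longer issued by the bank's public CA but re-signed by the corporate CA that the machine image already trusts. The following script is an added example, not from the course or from Blue Coat; it checks a received certificate against an expected issuer organization and an optional pinned fingerprint. The issuer name and the certificate dictionaries are constructed values; `fetch_peer_cert` uses only the Python standard library to retrieve a live certificate.

```python
import hashlib
import socket
import ssl

# Constructed: the issuer organization you expect for the site. In practice
# you record the real issuer while on a network you trust, then compare.
EXPECTED_ISSUER_ORGS = {"Example Public CA Inc"}


def issuer_org(cert):
    """Pull organizationName out of an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, hex encoded (for pinning)."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_interception(cert, der_bytes=None, pinned_fingerprint=None):
    """Classify the leaf certificate the client actually received.

    Returns 'pin_mismatch', 'unexpected_issuer' or 'ok'. An inspecting proxy
    re-signs the site's certificate with its own CA, so the issuer changes and
    a pinned fingerprint no longer matches, even though the browser shows no
    warning because the corporate root is already trusted on the machine.
    """
    if pinned_fingerprint is not None and der_bytes is not None:
        if cert_fingerprint(der_bytes) != pinned_fingerprint:
            return "pin_mismatch"
    if issuer_org(cert) not in EXPECTED_ISSUER_ORGS:
        return "unexpected_issuer"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the live leaf certificate as (dict, DER bytes) for a real check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    info, der = fetch_peer_cert(host)
    print(host, "issuer:", issuer_org(info), "->", check_interception(info, der))
```

Run it from inside and outside the corporate network: if the issuer flips from the public CA to an internal CA name, the connection is being inspected.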

6. Data Loss Prevention (DLP) and other Creepy things

Now, one of the most important trends that we see in the computer and enterprise environment is something called data loss protection. Well, what is that? That's a nice way of saying spying on you. And I put my tongue in my cheek when I say that, because, as you're going to see when we go through this, it absolutely is necessary from the point of view of the corporate owners. So I chose to show you this company, Forcepoint, but there are a number of different companies that do this. What they're basically advertising here is that they stop data theft, meet regulatory requirements, and secure your intellectual property. Your IP, or intellectual property, is absolutely the most important asset that you have in your corporation, maybe next to your employees.

So what it does is detect potential data breaches and data exfiltration transmissions. Data exfiltration transmission is when somebody comes in and steals your data. They typically detect this by looking at the normal amount of flow out of an SQL database. So, for example, if a query returns a couple of records, well, that's okay. But all of a sudden it's returning 650 gig. Oh boy, something's going on: data exfiltration transmissions. It also prevents them by monitoring, detecting, and even blocking sensitive data while in use. Forcepoint's guide to building your own data loss protection strategy and process says that too many organizations make the mistake of trying to address the data security needs of the entire enterprise through a single DLP project.
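The "couple of records versus 650 gig" idea above is a per-user volume baseline. This added example (not from the course or from any vendor) parses constructed database audit log lines and flags a query whose row count is far above that user's own median; the log format, user names and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of database audit log lines (not from any real system).
SAMPLE_LOG = """\
2023-07-15T09:00:01 user=sally db=crm query_id=101 rows=2
2023-07-15T09:05:10 user=sally db=crm query_id=102 rows=5
2023-07-15T09:20:33 user=sally db=crm query_id=103 rows=3
2023-07-15T09:41:07 user=sally db=crm query_id=104 rows=4
2023-07-15T10:02:15 user=sally db=crm query_id=105 rows=1
2023-07-15T10:15:48 user=bob db=crm query_id=106 rows=2500
2023-07-15T10:16:02 user=bob db=crm query_id=107 rows=2300
2023-07-15T10:30:00 user=sally db=crm query_id=108 rows=650000
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) .*query_id=(?P<qid>\d+) rows=(?P<rows>\d+)")


def parse(log_text):
    """Return (user, query_id, rows) tuples in log order; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["user"], int(m["qid"]), int(m["rows"])))
    return events


def flag_exfil(events, min_history=3, factor=10, floor=1000):
    """Flag queries whose row count is far above the user's own baseline.

    Baseline = median of that user's earlier queries (needs min_history of
    them, so bob's two large but consistent queries are not judged yet).
    A query is flagged when rows > factor * median AND rows > floor, the
    floor avoiding alerts on trivial jumps such as 2 rows to 30 rows.
    Returns a list of (user, query_id, rows, median_at_that_time).
    """
    history = defaultdict(list)
    flagged = []
    for user, qid, rows in events:
        past = history[user]
        if len(past) >= min_history:
            med = statistics.median(past)
            if rows > floor and rows > factor * max(med, 1):
                flagged.append((user, qid, rows, med))
        past.append(rows)
    return flagged


if __name__ == "__main__":
    for user, qid, rows, med in flag_exfil(parse(SAMPLE_LOG)):
        print(f"ALERT user={user} query_id={qid} rows={rows} (baseline median {med})")
```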

But then the struggle to demonstrate value crops up. Forcepoint has developed a guide to building your DLP strategy and process, dealing with seven phases that are critical to its long-term success. I really like these, and that's the reason I'm showcasing this now: how a proper training program can make or break a DLP process, how DLP can be used to spread awareness about your organization's data security policies, why it's important to have a policy management process in place to ensure that new policies are created and managed effectively, and why so many organizations struggle to show the value behind DLP. Remember the old World War II term, loose lips sink ships? Well, that's absolutely the case with intellectual property.

Why should one company work and spend billions of dollars developing a very important technique when another company can simply go into their records and steal it? They spent the billions, the other company steals the information, and it's up and running. Maybe they even file a patent on it before the other person. There's a lot of corporate espionage that happens in the world today. So let's look at their life cycle. In phase one, they're talking about defining success and freezing the project scope. In phase two, we identify the critical data loss protection user profile. In phase three, they identify sensitive information and business requirements. In phase four, they design and manage the DLP policy.

In phase five, they fine-tune the policies and incident management. In other words, what's going to happen when the flag goes up? Are we going to hold the guy in a box, or do we understand what's going to happen when it detects a breach? Phase six implements an awareness and training program. And then phase seven manages the project and tracks its progress. Every single bean counter in the world today wants to know how effective their projects are. If you can't show your project is effective, cost effective in saving the company money, well, I think we all know what's going to happen to your project. There are a couple of things that I did want to mention here about what some of the data loss protection software uses.

First off, let's digress back to Blue Coat for just a moment. Let's say we have a person that works in our IT department. We'll call him Creepy Al. He wears glasses with tape on both sides and a pen pocket protector and can't really get all of his words out. The girls kind of shy away from him; they just don't really trust him. But he happens to be running our Blue Coat server. That might make some people, if they knew what was going on, a little bit uncomfortable. But you see, Blue Coat is using a script, as I talked about before. Well, take that same scenario and look at what Forcepoint or another vendor is doing. In phase two, we're identifying the critical DLP user profile, and in phase three, we identify sensitive information and business requirements.

So to be able to identify sensitive business information, that means we've got to give Creepy Al our critical business information, don't we? Well, here's where the magic kind of comes in, and I'm hoping some of you guys have already figured this out. We don't give it to him. We give him a hash value of what it is. Now you see how the magic of cryptography works its way into all of our lives, doesn't it? We don't have to give up our proprietary technology to somebody we might not feel all that comfortable with. We give them the hash values of it. Then, when data comes through its various endpoints, such as email in and out, through the web, or basically any orifice that bits of data can come in and out of the organization, the DLP software should be scrutinizing that and comparing it with the hash values of the sensitive information.

If there's a match, it should send up a red flag. I tell you guys, whenever it seems like we're taking two steps forward, don't we always take one step back? There's always some evil person in the world that figures out how to use this technology, well, I guess to make them a lot of money, but also for things that just make your skin crawl, right? I'm going to talk right now about a company. It's a spy tech firm like GPO, and there are a number of them, not just them, that let governments see everything on a smartphone. If you have the money, well, they've got the product. All you need to do is come up with about $1.1 million, and, hey, you're done.
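A whole-document hash only catches a byte-for-byte copy, so real DLP products fingerprint overlapping pieces of the document. The example below is added here and is not Forcepoint's or any vendor's code: the data owner hashes every 8-word window of a constructed secret document, hands only the hash set to the scanner (Creepy Al never sees the plaintext), and the scanner reports how much of an outgoing message matches, surviving case and whitespace changes and partial excerpts. The window size and sample texts are assumptions.

```python
import hashlib
import re

WINDOW = 8  # words per fingerprint window; smaller = more sensitive, more noise


def normalize(text):
    """Lower-case and keep only alphanumeric tokens so trivial edits don't evade."""
    return re.findall(r"[a-z0-9]+", text.lower())


def window_hash(words):
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()


def fingerprints(text, window=WINDOW):
    """Data-owner side: SHA-256 of every `window`-word span. Only these leave."""
    words = normalize(text)
    return {window_hash(words[i:i + window])
            for i in range(len(words) - window + 1)}


class DlpScanner:
    """Scanner side: holds hashes only, never the sensitive documents."""

    def __init__(self, hashes, window=WINDOW):
        self.hashes = hashes
        self.window = window

    def scan(self, outgoing_text):
        """Return (matching_windows, fraction_of_windows_matched)."""
        words = normalize(outgoing_text)
        spans = max(len(words) - self.window + 1, 0)
        if spans == 0:
            return 0, 0.0
        hits = sum(1 for i in range(spans)
                   if window_hash(words[i:i + self.window]) in self.hashes)
        return hits, hits / spans


# Constructed secret document used to build the fingerprint set.
SECRET_DOC = ("Project Falcon formula: mix 40 percent compound A with 60 percent "
              "compound B at 300 degrees for 12 minutes, then cool rapidly under "
              "nitrogen before sealing in inert containers.")
# Constructed outgoing messages: a partial leak and a harmless note.
LEAK_EMAIL = ("fyi the recipe is: Mix 40 percent compound A with 60 percent "
              "compound B at 300 degrees for 12 minutes. cheers")
BENIGN_EMAIL = "Lunch on Friday? Let me know what time works for everyone on the team please"

if __name__ == "__main__":
    scanner = DlpScanner(fingerprints(SECRET_DOC))
    for label, msg in (("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL)):
        hits, ratio = scanner.scan(msg)
        print(f"{label}: {hits} matching windows ({ratio:.0%})", "RED FLAG" if hits else "ok")
```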

And so the article that I found reads: want to invisibly spy on iPhone owners without their knowledge, gather their every keystroke, sound, message and location? Well, if you needed to do that badly enough, there is a company that can help. Unfortunately, that will cost you about 650 large plus 500 large in setup fees with an Israeli outfit called NSO Group. You can spy on more people if you would like; just check out the company's price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device, and I'm going to talk a little bit more about that in a second. Since its founding six years ago, the NSO Group has kept a low profile.

But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. Now, I can tell you right now, from personal experience going to Dubai, they definitely have the religious police. If you wear your shorts too high, your dress covering your face, all these kinds of things, you could actually be run in and arrested. I had this one gentleman in my class who was kind of chunky, and he said that he wore a Speedo to the beach, and they arrested him. I told him, just as a joke for the class, I said, you know what? If I was at that beach, I would help them put you in the car and chip in for gas. The class kind of laughed, but they do take it to the extreme.

They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government. Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry actually operate. The emails and documents were provided by two people who have had dealings with them, but they didn't want to be named for fear of reprisal. The other thing I wanted to mention, which has just come out within the last couple of weeks, is how sensitive the devices we carry with us are. Folks, you have to get past the point of calling your phone a phone. It's not a phone.

It's a computer. It's a computer with very highly sensitive sensors, much better than we have as humans. Our hearing, for example, will be able to detect tones from about 300 to 2800 Hz. Our phones can listen above and below that range. There have been documented cases of apps, from McDonald's Corporation and several others, where your phone will be in listening mode as you walk by a McDonald's, as you walk by this particular store. Then they know, hey, this is right on his path, he frequents this area. Let's put up an ad on his phone for free fries with the Big Mac, or whatever it would happen to be. So Big Brother is definitely watching.

7. Distributing Malware

Okay. So naturally, if we get malware, there's got to be some way that we obtained it, and here are the more popular ways. A nefarious individual, group or company may decide to distribute malware. Now, most malware requires action, or maybe negligent action or inaction, to make it onto a host system. Usually scammers use a variety of tricks to get victims to download, install, and run malware on their computers or devices. Malware distribution is largely dependent upon social engineering for this particular purpose. I don't know, I guess the good Lord, or whoever is your divine creator, has decided to endow us with the urge to be helpful, or to try to be helpful. And we as human beings typically do that, and to a fault.

As you're going to see, the number one way that we typically get malware of some kind is by email attachments. There was a study done just a couple of weeks ago that said if we could get people to stop downloading and clicking on unknown links in their email, we would get rid of 95% of the malware today. Take, for example, WannaCry. Oh my gosh, that was devastating. What it did was, there's got to be one smart aleck in the company that downloads and opens that particular tainted attachment, and the worm goes to work. It goes to work on a hole that was secret, I guess you might say; that was part of the NSA's hoard of trophies that was discovered, and then they attached that to ransomware.

So I guess if you wanted to look for the smoking gun, you might have to go all the way back to the person who clicked that email to open it. And we've all done it. It's very difficult to get an email attachment that looks like an Excel spreadsheet, and if you work at a large corporation, it might say something like "top management salaries.xls" for this year. I tell you what, most individuals would have a very difficult time not opening that. So email attachments, number one. Viruses and Trojans often disguise themselves as innocent attachments. In phishing emails, users are tricked into downloading the malware, which poses maybe as an invoice form, maybe an image or some document, or a cat playing a piano, who knows?

Once on the user's device, the malware either unpacks itself or waits for the user to attempt to open it before executing its code. Next, links in phishing email scams to malicious websites. Phishing email scams often try to direct victims to websites under the pretense of a threat ("Your account will be disabled", "Warning: suspicious activity has been detected on this account") or a deal ("Limited time offer: if you click now, you could get this iPhone for only $49"). These links typically lead to malicious sites that download malware onto the victim's device when they load the page. Then we have malvertising. Malvertising is kind of the new kid on the block, you might say. Malvertising, or malicious advertising, downloads malware to a victim's device when the victim loads a web page that displays a malicious advertisement.
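A cheap defensive check for the disguised attachments described above (the "salaries.xls" that is really a program, the "invoice" that is really an executable) is to compare the file extension with the file's magic bytes rather than trusting the name. This is an added example, not code from the course; the attachment names and byte strings in the test are constructed, and the check goes slightly beyond the text by also catching the double-extension trick (e.g. `something.jpg.exe`).

```python
import os

# Magic bytes (content signatures) for document types attachments typically impersonate.
MAGIC_BY_EXT = {
    ".pdf": (b"%PDF",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # legacy OLE2 compound file
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xlsx": (b"PK\x03\x04",),                         # OOXML is a zip container
    ".docx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")                 # Windows PE / Linux ELF headers
DANGEROUS_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}


def classify_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing odd.

    Possible findings, in order: 'dangerous_extension', 'double_extension',
    'executable_content', 'extension_mismatch'. `data` is the attachment's
    first bytes (the whole file is fine too).
    """
    findings = []
    name = filename.lower()
    base, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(base)       # "cat.jpg.exe" -> inner ".jpg"
    if ext in DANGEROUS_EXTS:
        findings.append("dangerous_extension")
    if inner_ext in MAGIC_BY_EXT:
        findings.append("double_extension")
    if data.startswith(EXECUTABLE_MAGIC):
        findings.append("executable_content")
    expected = MAGIC_BY_EXT.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append("extension_mismatch")   # name says document, bytes say otherwise
    return findings


def should_quarantine(filename, data):
    """Policy decision: any finding at all keeps the attachment out of the inbox."""
    return bool(classify_attachment(filename, data))


if __name__ == "__main__":
    # Constructed samples: a fake spreadsheet that is really a PE, and a real-looking PDF.
    for name, head in (("Top management salaries.xls", b"MZ\x90\x00\x03" + b"\x00" * 12),
                       ("invoice.pdf", b"%PDF-1.7\n%constructed")):
        print(name, "->", classify_attachment(name, head) or "clean")
```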

Now, malvertising is actually a very pervasive problem because it's poorly controlled by the advertisers. They don't even vet these advertisements. They basically say, okay, here, you're going to be queued up to go whenever they type this, or whatever. And, bottom line, they infect individuals because we're looking at their ads on these sites. One of the last very important ones is lost or apparently valuable storage devices. This is a social engineering dream. Some social engineers leave malware-infected thumb drives or other storage devices in public locations where they're likely to be discovered. I remember when I was doing a pen test for a mortgage company, the IT department would enter through another door because it was quicker to go through that to get to their desks, and it was by the dumpsters.

So I had purchased a couple of brand new, I think at the time they were HP, thumb drives, and I infected them with malware. I cleverly put them back into the package so they looked like they were brand new. Now, one thing that you have to admit is that if they are working in IT, there's a real good likelihood they're going to have administrative or at least escalated privileges. And out of three thumb drives that I threw on the ground near the dumpsters, two of them worked. So when you think about it, when someone plugs a storage device into the computer to determine its contents, the malware on the device has already been triggered. It could transfer itself to the computer and infect it.

This is a big point: never plug suspicious or unknown storage devices into a computer. Most of the people that work for a company might think, okay, well, this is not my computer, it's a company computer, let me try it, or I'll take this home. I even knew a friend of mine who was, I guess, a little unscrupulous, and he would go to a local computer store that sold USB drives in bulk. He would buy several of them, go back home and infect them with malware, bring them back in, and then, when no one's looking, dump them back into the bin. The last one on our list is simply negligence. All of these attack methods are made easier if a computer or device owner has not kept the software on the computer or device up to date.
