history of malware defense

Post on 30-May-2018


  • 8/14/2019 History of Malware Defense

    1/8

    Expert Reference Series of White Papers

    1-800-COURSES www.globalknowledge.com

    Preparing for Tomorrow's Threat Today: What We Can Learn from the History of Malware and Defenses


    Copyright 2009 Global Knowledge Training LLC. All rights reserved.

    Preparing for Tomorrow's Threat Today: What We Can Learn from the History of Malware and Defenses

    Mike Gregg, CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA

    Introduction

    There is one given in the IT security realm, and that is change. The challenges faced by security professionals a decade ago are much different than the challenges we face today. Not long ago, hackers concentrated their efforts on malicious software that was designed for recognition, fame, and glory. Attack vectors of the 21st century have changed; now, many attacks are financial in nature. Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. Yesterday's virus is today's custom malware, while denial of service attacks have been replaced with botnets.

    Early Attacks

    While it might be nice to believe that there was a time when malware did not exist, the truth is that malware has been around almost since the beginning of the computer age. The phrase "computer virus" came into existence in 1984 when Fred Cohen was working on his doctoral thesis. In his thesis, he was discussing self-replicating programs, and an advisor suggested he call them computer viruses.

    About this time, programmers started writing self-replicating code. Ralf Burger, a German computer systems engineer, created one of the first self-replicating programs, Virdem, in 1985. Interest in these programs led Mr. Burger to give the keynote speech at the Chaos Computer Club later that year. His discussion on computer viruses encouraged others in this emerging field. Soon, many viruses started to be released into the wild. One early computer virus that spread around the world was the Brain virus. The Brain virus was written by two brothers in Pakistan. The Brain virus targeted a floppy disk by infecting its boot sector. It had full-stealth capability built in. Systems that boot to DOS look for files like io.sys, command.com, config.sys, and autoexec.bat; if these files are tainted, the computer will load the virus into memory and infect other users that inserted a floppy disk into the infected system. The brothers thought the virus would bring them business and notoriety. While they did end up getting many calls to their business, most who called were upset. In the end, the brothers were forced to change their phone number to escape the flood of negative calls.

    Other early attacks have a similar story. Consider the Melissa virus, which was written by David Smith. The goal of the virus was to get the attention of the girl he named the virus after. In 1999, at the height of the infection, more than 300 corporations' computer networks were taken completely offline. The virus, which also had the traits of a worm, used the victim's email account to send the malware to others. Because the virus appeared to come from someone the victim knew and probably trusted, a large portion of the public was tricked into opening the infected document. Melissa not only spread itself via email, but it also infected the Normal.dot template file that is typically used to create Word documents. By performing this function, the virus would then place a copy of itself within each file the user created. As a result, one user could easily infect another by passing infected documents. David Smith was identified and eventually sentenced to five years in prison. Today, viruses have evolved into many different categories including boot sector, stealth, polymorphic, multipart, self-garbling, and meme.

    Early Defenses

    Defenses against these early attacks included anti-virus, IDSs, and vulnerability assessment. Anti-virus programs can use one or more techniques to check files and applications for viruses. Signature scanning anti-virus programs work in a similar fashion to IDS pattern matching systems. Signature scanning anti-virus software looks at the beginning and end of executable files for known virus signatures, which are nothing more than a series of bytes found in the virus's code. Heuristic scanning is another method that anti-virus programs use. Software designed for this function examines computer files for irregular or unusual instructions. Integrity checking can also be used to scan for viruses. Integrity checking works by building a database of checksums or hashed values. These values are saved in a file. Periodically, new scans occur and the results are compared to the stored results. While not very effective for data files, this technique is useful for programs and applications, as the contents of executable files rarely change. Activity blockers can also be used by anti-virus programs. An activity blocker intercepts a virus when it starts to execute and blocks it from infecting other programs or data.

    One way to verify your anti-virus program is working is the EICAR test. If you copy the following string into a text file and rename it as an executable, your anti-virus should flag it as a virus.

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    It is not actually a virus; the code is harmless. It is just a tool developed by the European Institute for Computer Anti-virus Research (EICAR) used to test the functionality of anti-virus software. Virus creators attempt to circumvent the signature process by making viruses polymorphic.
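    The two anti-virus techniques described above, signature scanning of the start and end of a file and integrity checking against a stored hash database, as an added example that is not part of the original paper. The EICAR string is real; the "Demo-Appender" signature, the file names and the stand-in program bytes are constructed for the example.

```python
import hashlib
import os
import tempfile

# The EICAR test string, split in two so that this source file itself does not
# begin with the full 68-byte pattern that scanners look for.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed signature database: name -> (byte pattern, where it is expected).
# Early scanners checked only the start and end of an executable, as the paper notes.
SIGNATURES = {
    "EICAR-Test-File": (EICAR, "start"),
    "Demo-Appender": (b"DEMO-INFECTED-TAIL", "end"),  # made-up marker for a file appender
}


def signature_scan(data: bytes, signatures=SIGNATURES):
    """Return the names of all signatures matching the start or end of data."""
    body = data.rstrip(b" \t\r\n")  # the EICAR spec allows trailing whitespace
    hits = []
    for name, (pattern, where) in signatures.items():
        if where == "start" and body.startswith(pattern):
            hits.append(name)
        elif where == "end" and body.endswith(pattern):
            hits.append(name)
    return hits


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def build_integrity_db(paths):
    """Integrity checking, step 1: record a SHA-256 digest for every program file."""
    return {path: hashlib.sha256(_read(path)).hexdigest() for path in paths}


def integrity_check(db):
    """Integrity checking, step 2: re-hash and report files that changed or vanished."""
    return [path for path, old in db.items()
            if not os.path.exists(path) or hashlib.sha256(_read(path)).hexdigest() != old]


def demo():
    """Create a benign stand-in program and an EICAR file, then run both checks."""
    with tempfile.TemporaryDirectory() as d:
        program = os.path.join(d, "editor.exe")
        test_file = os.path.join(d, "eicar.com")
        with open(program, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed stand-in, not a real binary
        with open(test_file, "wb") as f:
            f.write(EICAR + b"\n")
        sig_before = {p: signature_scan(_read(p)) for p in (program, test_file)}
        db = build_integrity_db([program, test_file])
        clean_run = integrity_check(db)  # nothing has changed yet -> []
        with open(program, "ab") as f:   # simulate a file infector appending its code
            f.write(b"DEMO-INFECTED-TAIL")
        tampered = integrity_check(db)   # -> [program]
        sig_after = signature_scan(_read(program))
        return sig_before[test_file], sig_before[program], clean_run, len(tampered), sig_after


if __name__ == "__main__":
    print(demo())
```

    The integrity check catches the appended bytes before any signature exists for them, which is why the paper recommends it for executables whose contents rarely change.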

    Another early defense was intrusion detection. The idea of intrusion detection was introduced in 1980 with James Anderson's paper, Computer Security Threat Monitoring and Surveillance. Dr. Dorothy Denning built upon this work when she began working on the first deployable IDS, designed to monitor user access to government mainframes and create profiles of users based upon their activities. Later, in 1997, ISS developed one of the first commercial network intrusion detection systems, called RealSecure. A year later, in 1998, Martin Roesch led the development of Snort.

    Intrusion detection engines or techniques can be divided into two distinct types or methods: anomaly and signature. An anomaly-based IDS has the ability to learn normal behavior and alert administrators when something out of the ordinary occurs. A signature-based or pattern-matching IDS relies on a database of known attacks. These known attacks are loaded into the system as signatures. As soon as the signatures are loaded into the IDS, it can begin to guard the network. The signatures are usually given a number or name so that the administrator can easily identify an attack when it sets off an alert. Alerts can be triggered for fragmented IP packets, streams of SYN packets (DoS), or malformed ICMP packets. The alert might be configured to change the firewall configuration, set off an alarm, or even page the administrator. While the development of the IDS helped security professionals track what attackers were doing, these tools are detective in nature and did little to prevent attacks.
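    The two IDS methods contrasted above, run side by side over constructed packet summaries, as an added example that is not from the paper. The signature database uses the three alert types the paper names (fragmented IP, SYN streams, malformed ICMP) with constructed thresholds; the anomaly detector learns a per-host packet-rate baseline and flags deviations, including a UDP flood for which no signature exists.

```python
from collections import Counter
from statistics import mean, pstdev

SYN_FLOOD_RATE = 100   # SYN-only packets per second from one source (constructed threshold)
MAX_ICMP_BYTES = 1472  # largest ICMP payload that fits an Ethernet frame unfragmented


def pkt(t, src, proto="tcp", flags="SA", frag=0, icmp_len=0):
    """Constructed header summary: the fields a simple IDS extracts from each packet."""
    return {"t": t, "src": src, "proto": proto, "flags": flags, "frag": frag, "icmp_len": icmp_len}


# Signature database: each known pattern carries a number and a name, as the paper
# describes, so an analyst can identify the alert. 'syns' counts SYNs per (src, second).
SIGNATURES = {
    1: ("Fragmented IP packet", lambda p, syns: p["frag"] > 0),
    2: ("SYN flood (DoS)", lambda p, syns: p["flags"] == "S"
        and syns[(p["src"], p["t"])] >= SYN_FLOOD_RATE),
    3: ("Malformed ICMP", lambda p, syns: p["proto"] == "icmp" and p["icmp_len"] > MAX_ICMP_BYTES),
}


def signature_ids(packets):
    """Match every packet against the database; return {signature id: offending sources}."""
    syns = Counter((p["src"], p["t"]) for p in packets if p["flags"] == "S")
    alerts = {}
    for p in packets:
        for sid, (_, match) in SIGNATURES.items():
            if match(p, syns):
                alerts.setdefault(sid, set()).add(p["src"])
    return alerts


def learn_baseline(training):
    """Anomaly IDS, step 1: learn the normal per-host packets-per-second distribution."""
    rates = list(Counter((p["src"], p["t"]) for p in training).values())
    return mean(rates), pstdev(rates)


def anomaly_ids(packets, baseline, k=3.0):
    """Anomaly IDS, step 2: flag any host whose rate exceeds mean + k standard deviations."""
    mu, sigma = baseline
    per_host_second = Counter((p["src"], p["t"]) for p in packets)
    return {src for (src, _), n in per_host_second.items() if n > mu + k * sigma}


def build_traffic():
    """Constructed traffic: 60 s of quiet baseline from three hosts, then four events."""
    normal = [pkt(t, f"10.0.0.{h}") for t in range(60) for h in (2, 3, 4)
              for _ in range(2 + (t + h) % 4)]
    attack = [pkt(60, "10.0.0.66", flags="S") for _ in range(150)]              # SYN flood
    attack.append(pkt(61, "10.0.0.77", frag=1480))                              # fragment with offset
    attack.append(pkt(62, "10.0.0.88", proto="icmp", flags="", icmp_len=65000)) # oversized ICMP
    attack += [pkt(63, "10.0.0.99", proto="udp", flags="") for _ in range(150)] # UDP flood, no signature
    return normal, attack


def run():
    normal, attack = build_traffic()
    return signature_ids(normal + attack), anomaly_ids(normal + attack, learn_baseline(normal))


if __name__ == "__main__":
    sig, anom = run()
    for sid, srcs in sorted(sig.items()):
        print(f"signature {sid} ({SIGNATURES[sid][0]}): {sorted(srcs)}")
    print("anomaly:", sorted(anom))
```

    The signature engine names each of the three known patterns but is silent on the UDP flood, while the anomaly engine catches both floods yet misses the single malformed packets; this is the trade-off that led later products to combine the two.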

    Vulnerability assessment tools were another early defense that caused big changes in the security arena. In the early 1990s, two well-known security professionals, Dan Farmer and Wietse Venema, wrote a landmark paper titled "Improving the Security of Your Site by Breaking Into It." They went on to code the first automated penetration tool, known as SATAN (System Administrator Tool for Analyzing Networks). Dan Farmer was actually fired from his job at Sun for development of the program. At the time, some people believed that such tools would aid attackers more than security professionals. Vulnerability assessment tools provided security professionals a way to easily examine what ports were open on a system or network.

    A New Century Brings New Threats

    While many IT shops were focusing on the Y2K bug, attackers were busy thinking up new ways to bypass early defenses. As an example, the term spyware was not even used until around the year 2000. Zone Labs was one of the first to use the phrase spyware when it stated, "A computer with an always-on connection has a permanent IP address, which makes it especially vulnerable to Spyware attacks." Since the year 2000, there has been a huge increase in spyware, extortion-ware, and attacks focused on making money. Spyware is not just one type of program. It is an entire category of malicious software that includes adware, Trojans, keystroke loggers, and information-stealing programs. These programs have become increasingly intelligent. Many have the capability to install themselves in more than one location, and any attempt to remove them triggers the software to spawn a new variant in a uniquely new location. One example is CoolWebSearch. CoolWebSearch is actually a bundle of browser hijackers united only to redirect their victims to targeted search engines and flood them with popup ads. Another example is Cryzip. This piece of malware was developed to extort money from anyone infected. After encrypting all of the user's files, the malware orders its victims to deposit a ransom into an e-gold account to obtain the key.

    The new century also brought about a rise in botnets. A botnet is simply a massive collection of computers that have been compromised or infected with dormant bots or zombies. Most malware researchers estimate that there are thousands of botnets in operation at any time. One massive botnet was used to deliver the Storm Trojan. According to www.sophos.com, it is believed that Storm could have infected more than 50 million computers. During its height, Storm was believed to be sending billions of spam messages a day. To realize the power of a botnet of this size, imagine a botnet that has infected 10,000 home users across the United States; if each of these compromised computers has nothing more than a basic 56k dial-up connection to the Internet, the collective bandwidth adds up to 56 gigabits of bandwidth. For an explanation of how Storm functions, take a moment to review http://en.wikipedia.org/wiki/Storm_botnet.

    New Defenses

    Defenses have had to evolve to meet threats of this size and potential. Anti-spyware, intrusion prevention, and next-generation vulnerability assessment tools are three such defenses. Running anti-spyware programs has become an accepted practice and a part of routine computer security practices. Some well-known anti-spyware programs include Spybot Search & Destroy, Microsoft Windows Defender, Webroot Spy Sweeper, McAfee VirusScan, and Anti Spyware. Anti-spyware best practices can be found at http://www.onguardonline.gov/topics/spyware.aspx.

    Intrusion prevention systems (IPSs) are seen as an extension to intrusion detection. The term Intrusion Prevention System was first used by Andrew Plato and represented a step forward from traditional IDSs. An IPS takes a more proactive approach than the IDS. Whereas an IDS is seen as a detective control, an IPS is seen as a preventive control. When an IPS is deployed, it monitors the network for malicious or unwanted behavior and can react in real time to block or prevent those suspect activities. As an example, if a user brings a laptop to work that is infected with a virus, an IPS can detect the virus and place the laptop user on a separate VLAN that only has access to an anti-virus update.

    One of the first commercial IPSs to be developed was StormWatch, in 2001. StormWatch used a kernel-based analysis of malicious traffic that built on access control rules based on acceptable behavior. While the concept of an IPS overcame many of the problems associated with IDS, it still lacked a means of testing the efficiency of such systems.

    In 2002, TippingPoint developed the IPS testing tool Tomahawk to help build a standard means of testing an IPS. Today, Tomahawk is freely available for testing any IPS or intrusion detection system (IDS) and is available at http://tomahawk.sourceforge.net/.

    Next-generation vulnerability assessment tools started to appear around the year 2000. One such tool, Nessus, is a powerful, flexible security scanning and auditing tool. It takes a basic "nothing for granted" approach. The concept of Nessus was first developed in the late 1990s by Renaud Deraison and was conceived to be an open-source program. The design used community support to allow for fast updates. This open design would allow community members to develop their own plug-ins for their use or for use by the community. Nessus has evolved since these early days and is used as a component of commercial products designed by IBM, VeriSign, Counterpane Internet Security, Symantec, ScannerX, and others. The Nessus Client and Server Model offers a distributed means of performing vulnerability scans. Nessus tells you what is wrong and provides suggestions for fixing a given problem. You can learn more about Nessus at http://www.nessus.org/nessus/. The basic components of Nessus include:

    The Nessus Client and Server Model

    The Nessus Plugins

    The Nessus Knowledge Base

    Bleeding-Edge Threats

    The third and final section of this paper examines the future of malware and the defenses needed to counter these bleeding-edge attacks. While attacks are still focused on making money, the motives are changing. Current trends indicate that computer crime is no longer the exclusive realm of the underworld and organized crime. Corporate espionage and government-sponsored spies are two emerging threats. These new attack vectors use a variety of techniques such as social engineering and spear phishing to perform surgical strikes designed to gain information, access, or data. These attacks can result in financial loss, and the loss of government secrets, corporate secrets, or highly sensitive information.


    Consider the following examples. In 2002, the CEO of Qualcomm reported a laptop stolen that contained highly sensitive data that could be of great value to foreign governments. The lack of encryption made this loss of data even more damaging.

    In 2007, the first recorded nation-state DDoS attack was launched against Estonia. During this time, Estonia came under a series of attacks that brought its Internet communications to its knees. Estonian institutions and businesses were targeted. The attack was motivated by the removal of a Soviet war memorial from the center of Tallinn, Estonia. Moving this Bronze Soldier was seen as an insult to the memory of Russian soldiers who were killed during World War II. Emerging attack vectors show a willingness by attackers to bring down networks to cause financial damage to the victim.

    In 2008, four members of an Israeli private investigation firm were jailed after being found guilty of using custom malware to spy on and steal commercially sensitive information from a variety of companies, including the HOT cable television group and a large mobile phone operator. In 2008, it was also reported that U.S. authorities were investigating whether Chinese officials secretly copied the contents of a government laptop computer during a visit to China by Commerce Secretary Carlos M. Gutierrez. Other new attacks have focused on:

    The iPhone: the first iPhone Trojan, in 2008, targeted a fake phone firmware, 1.1.3 prep

    iPod and solid state music devices: Podslurp allows the attacker to steal confidential information from a business by loading malware on the portable device

    Portable storage: USB attacks (Hacksaw, Switchblade, Dumper) that use storage devices to steal sensitive data

    Many new attacks have been developed to take advantage of the proliferation of USB ports and devices. The attackers' tools are capable of a range of activities, from stealing information to running Nmap and other vulnerability scans and sending the data to remote locations. USB thumb drives are now even being used to execute USB-driven worms.

    Bleeding-Edge Defenses

    Just as attackers have opened new fronts in the ongoing cyber war, security professionals have been working on new defenses. Defenses include Intrusion Detection and Prevention (IDP), Network Access Control (NAC), and advanced penetration tools.

    Systems designed to detect and defend against intrusions have matured into hybrid devices, so much so that by 2006 the US government started to refer to such devices as Intrusion Detection and Prevention Systems (IDPS). This was solidified with the release of NIST 800-94, A Guide to Intrusion Detection and Prevention Systems, which defined IDS and IPS as follows: "IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs."

    Another emerging defense is Network Access Control (NAC). NAC offers administrators a way to verify that devices meet certain health standards before they are allowed to connect to the network. Laptops, desktop computers, or any devices that do not comply with predefined requirements can be prevented from joining the network or can even be relegated to a controlled network where access is restricted until the device is brought up to the required security standards. NAC can help achieve optimal network security by providing the following:

    1. Access control: Organizations face special challenges in tracking who has access to the network and if the level of access they have is appropriately set.

    2. Malicious code: Most attacks against small businesses are automated and potentially debilitating to the business. These attacks can appear as viruses, worms, Trojans, and bots.

    3. Mobile device security: Mobile devices such as USB drives, iPods, and camera phones allow data and information to be moved in and out of the network without normal access controls, creating a definite security hazard.

    There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC.

    Vulnerability and penetration tools have also advanced since the development of tools such as SATAN. Today, many third-generation security assessment tools are available, as are tools that can be used to simulate an attack against a network. Metasploit, released around 2003, is one such tool. According to the Metasploit website, the Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers worldwide. Metasploit is an attack platform with three basic ways that it can be controlled. These methods include:

    The msfweb: a simple point-and-click interface

    The msfconsole: a console-based interface

    The msfcli: a command line interface

    The basic approach includes:

    1. Selecting the exploit module to be executed

    2. Choosing the configuration options for the exploit options

    3. Selecting the payload and specifying the payload options to be entered

    4. Launching the exploit and waiting for a response

    Summary

    It has been said that those who fail to learn from the past are doomed to repeat it, and there is a lesson to be learned in this message for security professionals. Many times, we get lulled into thinking that security means protection against current threats. But the truth is that attackers are always looking for the next attack vector and for new ways to target an organization's IT resources. What is needed is a sound methodology that can be used to help protect from yesterday's, today's, and tomorrow's attack vectors. This includes:

    1. Risk assessment

    2. Policy

    3. Implementation

    4. Training

    5. Audit

    Using a methodology as shown here on a periodic basis helps companies reassess critical assets, practice defense in depth, and apply the principle of least privilege effectively. Risk assessments, asset valuation, and periodic reviews of threats and vulnerabilities should drive the security process.

    Learn More

    Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

    Certified Ethical Hacker

    Essentials of Information Security - Security+

    CISA Prep Course

    Defending Windows Networks

    For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

    Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

    About the Author

    Michael Gregg has 20 years of information security experience. Mr. Gregg is the CTO of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm. Mr. Gregg has led security risk assessments, establishing security programs within top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs.

    Mr. Gregg holds two associate's degrees, a bachelor's degree, and a master's degree. Some of the certifications he holds include CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP.

    In addition to his experience performing security assessments, Mr. Gregg has authored or coauthored more than 10 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), Build Your Own Network Security Lab (Wiley), and Hack the Stack (Syngress). Mr. Gregg has created more than 15 security-related courses and training classes for various companies and universities.