Chapter 9. Investigating Malware – Cyber Weapons of the Internet

 

"Malware are the cyber weapons of the information age"

 
 --Samir Datt

Our information age lives are driven by technology. Day in, day out, we live with technology from morning to evening. Technology drives our lives, governs our behavior, manages our finances, enables our work, facilitates our communications, and even enhances our relationships. Hence, it should not come as a surprise that technology also drives the crimes of today. A whole new industry has come up around technology-driven crimes. Organized criminals have taken to cyber crime in a big way. Even countries and states have gone in for cyber warfare. Where there is crime and war, weapons cannot be far behind. Weaponization of the Internet is a multibillion-dollar industry and malware, as we know it, is the weapon of choice.

In this chapter, we will work towards understanding malware, its different types, the various indicators of compromise, and the forensic methods of investigating malware.

We will divide our study into the following topics:

  • Knowing malware
  • Trends in malware evolution
  • Malware types and their impact
  • Understanding malware payload behavior
  • Malware attack architecture
  • Indicators of Compromise
  • Performing malware forensics

Knowing malware

The prefix "mal" comes from the Latin malus, meaning "bad", while "ware" carries the sense of goods or products. Put together, the word conveys the idea of goods made with bad intent; in practice the term is simply a contraction of "malicious software".

As per NIST publication SP 800-83, malware, also known as malicious code or malicious software, signifies a program that is inserted (usually covertly) into a system with the intent of compromising or disrupting the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Over the past few years, malware has emerged as an all-encompassing term that includes all sorts of malicious programs, including viruses, worms, Trojans, rootkits, and so on.

Today, malware is considered the most significant external threat to computers and networks. Malware causes considerable losses to organizations in terms of the widespread damage caused, the disruption of normal functioning, and the large recovery effort required to get back to normal. Spyware is a significant subcategory of malware that focuses on breaching user privacy. Spyware is used to monitor user activity (both online and offline); gather personal information, especially information related to online financial activity; and then send it to criminals for subsequent misuse.

Malware objectives

In the previous chapters, we looked at a number of tools used for network forensics. Just as we, the digital 007s of the network world, have our tools of the trade, criminals and bad guys also have their own set of tools that they use to further their own nefarious purposes. These tools are known as malware. Though malware comes in a wide variety, cyber criminals install it on victims' digital devices to achieve at least one of the following objectives:

  • To gather and steal pertinent information (ID theft, keylogging, and so on)
  • To provide remote access to the attacker to permit control of the infected/compromised computer and its resources
  • To use the infected machine as a staging point to infect/investigate the rest of the network
  • To use the infected machine to send out spam to the unwary
  • To carry out a denial-of-service (DoS) attack by flooding the network or slowing down the connection
  • To encrypt the infected disk and demand ransom to decrypt the files (ransomware)
  • To remain undetected for as long as possible (turn off anti-virus and so on)
  • To resist removal or enhance persistence

Malware origins

The menace of malware is growing by leaps and bounds. In fact, a recent news item from SC Magazine UK (http://www.scmagazineuk.com/research-shows-12-new-malware-strains-discovered-every-minute/article/448978/) mentions that 12 new malware strains are discovered every minute.

Making malware is no longer left to kids who do it for kicks. Malware manufacture, sale, and distribution is now serious organized crime, with very large amounts of money riding on it. Recent reports of the ransoms paid in bitcoin to decrypt files encrypted by ransomware such as CryptoWall and CryptoLocker show victims reporting losses as high as $18 million over a 14-month period (http://www.coindesk.com/fbi-malware-victims-should-pay-bitcoin-ransoms/).

Just like making a professionally manufactured product in any manufacturing facility, malware today is also manufactured or written to exacting specifications. This is done by talented programmers who write exploits to leverage vulnerabilities in existing software and hardware in use by the targets or planned victims. Malware is actually a part of a long chain of activities and helps in enabling the objectives of the attackers or cyber criminals.

The usual stages in this exercise are as follows:

  • Reconnoiter: At this stage, the attacker carries out a preliminary recce to identify potential targets. With a shotgun approach, the attacker probes many systems and selects the weakest; alternatively, the attacker may take a more targeted approach against a chosen victim. This process can be manual or automated, depending on the attacker's objectives.
  • External information gathering: At this stage, the attacker will proceed with network mapping, fingerprinting, and vulnerability identification.
  • Target penetration: This is the usual stage where malware comes into play. This is when exploitation of the previously identified vulnerabilities takes place. Malware is usually delivered to the target via a delivery mechanism or the target is enticed to an infected site for a drive-by infection.
  • Privilege escalation: This is the stage where the malware steps up its game with the objective of gaining the highest level of privileges on the system and, from there, on the network.
  • Persistence: At this stage, the malware works out means and ways of maintaining continuous access as well as preventing itself from being detected or removed. Additional backdoors are built, the network is scanned for further exploitable vulnerabilities, more root/administrator-level accounts are accessed, tracks are covered, logs are deleted, and evidence of compromise is eliminated.

A lot of these stages tend to telescope into each other. Malware authors have also moved on to bundling exploit kits that carry a number of different exploits, each targeting a different browser, plugin, or operating system version; bundled together, these increase the probability of identifying, compromising, and penetrating targets.
