|
Paranoia Is Not A Problem, When It's A Normal Response To Experience.
Links
- Welcome to CACroll's Small LANs
- Home
- Site Feed - Atom
- MS-MVP Program
Web Counter- Please Sign My Guestbook
- My Mom's Recent Trip To Russia
- PChuck's Kitchen
Other Articles
Archived ArticlesJuly 2005
December 2005
CACroll Small LANs
Hacking Redefined
This article is an attempt to decribe malware, its delivery mechanisms, its payloads, and its detection and prevention, in a canonical and objective format. Modern malware is taking on new forms that it's hard to comprehend how aggressively it's developed and deployed.
And even though it's malware, it's hard NOT sometimes to admire how professionally it's developed and deployed (as an IT professional only, NOT as a computer owner). Computer owners, who become victime of hacking, will NOT admire the tools, or the attackers.
One of the problem is how you describe what's happening? Which came first - the chicken or the egg? How do you define hacking, other than what a hacker does?
For the purpose of this article, I make the following definitions.
- Hacking is aggressive, deceiptful, and intentional misuse of any computer not legally owned by any Attacker, for commercial, financial, or personal purpose.
- Hacker is the person, or groups of people, doing the Hacking.
- Malware is the tool used for Hacking, AND the payoff of the Hacking.
- Victim is the legal owner of the computer Attacked by a Hacker.
Malware includes:
- Adware - Software that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victims computer.
- Hijackware - Software that makes the Victims computer do things not intended by the Victim.
- Spam - Unwanted Messages delivered to the Victims computer.
- Spyware - Software that collects and transmits personal information about the Victims computer, or about the Victim, to persons who have no legal entitlement to that information.
- Trojans - Software accompanied, in a package with software requested by, and installed when the requested software is intentionally installed by, the Victim.
- Viruses - Software that installs itself, and makes itself part of, software known by, and trusted by, the Victim.
- Worms - Software that travels by itself, and installs itself, on the Victims computer without any intent, or knowledge, of the Victim.
The people performing the Hacking Attacks have been formerly referred to as, variously:
- Adware / Spyware Writers.
- Hackers (Classically).
- Spammers.
- Virus Writers.
In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:
- Spam is used to deliver Trojans to be installed on Victims computers.
- Adware / Spyware is installed as Trojans.
- Trojans, installed on Victims computers, are used in the delivery of Spam to other Victims.
- Trojans, installed on Victims computers, are used in the delivery of Worms to other Victims.
- Viruses are used to attack people or software used to defend against Adaware, Spam, and Spyware.
- Viruses, having infected the Victims computer, can become Worms, and attack other computers on the same Network.
- Viruses or Worms were used to Attack the data on the Victims computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.
Trojans
The term Trojan refers classically to the ancient story of the Trojan Horse in Greece. A Trojan is software which travels, as a separate component, in a package of Host software that is requested by, and intentionally installed by, the Victim.
A Trojan can be anything as innocent as an extra toolbar, installed as a part of the Victims browser, and used to "enhance the browsing experience", to software that makes the Victims computer act in a three role Spam delivery capacity. A Trojan typically requires action (wilfull or otherwise) by the victim to install.
Viruses
A virus is software that travels as an integral part of Host software, that is intentionally installed by the Victim. A virus installs itself into an innocuous Host file, which is passed from Victim 1 to Victim 2. Both Victims intentionally pass the file, without either being aware of the total nature of its contents.
Worms
A worm is software that travels from Host to Host in a trusted media, such as the computer network (with no firewalls in place), or in email (with no malware malware / virus scanning software in place). A worm typically requires no action, or intentional action anyway, by the Victim, for propagation.
Hackers
The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement.
See, for instance, War Games, one of the earliest movies about Hackers.
Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, which when installed on the Victims computer, may make that computer part of a Botnet. A Botnet, or entire army of computers controlled by a Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Adware or Spyware, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.
So let's classify the malware.
We can classify it by delivery mechanism.
- Trojans - Software accompanied, in a package with software requested by, and installed when the requested software is intentionally installed by, the Victim.
- Viruses - Software that installs itself, and makes itself part of, software known by, and trusted by, the Victim.
- Worms - Software that travels by itself, and installs itself, on the Victims computer without any intent, or knowledge, of the Victim.
We can classify it by payload.
- Adware - Software that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victims computer.
- Hijackware - Software that makes the Victims computer do things not intended by the Victim.
- Spam - Unwanted Messages delivered to the Victims computer.
- Spyware - Software that collects and transmits personal information about the Victims computer, or about the Victim, to persons who have no legal entitlement to that information.
Malware Detection
So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?
You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.
- Behaviour analysis and detection.
- Signature analysis and detection.
Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operate it), and sees what it does. Sophisticated heuristics are used by some antivirus / antitrojan products, which contain a sandbox, which is a replica of the operating system, within the AV / AT product code. A suspect file is copied into the sandbox, opened from within, and observed. If its opening makes suspicious references to the system services provided by the (replica) operating system, it is suspected to be malware, and examined further.
Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.
Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.
By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware, software designed to look for malicious outgoing traffic will be better at detecting spyware.
Signature analysis is a much simpler process, but demands more work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing each against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system, against the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it's multiple times / day), a rescan could be appropriate.
Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which makes unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.
On the other hand, its somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AV / AT scan finds a file with an embedded unpacker, it's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.
0 comments
