chapter 2 Malware and Social Engineering Attacks After completing this chapter, you will be able to do the following: ● Describe the differences between a virus and a worm ● List the types of malware that conceals its appearance ● Identify different kinds of malware that is designed for profit ● Describe the types of social engineering psychological attacks ● Explain physical social engineering attacks 41 42 Chapter 2 Malware and Social Engineering Attacks Today’s Attacks and Defenses Successful software companies use a variety of strategies to outsell their competition and gain market share. These strategies may include selling their software at or below a com- petitor’s price, offering better technical support to customers, or providing customized software for clients. And if all else fails, a final strategy can be to buy out the competition through a merger or acquisition. These strategies are also being widely used by attackers who sell their attack software to others. Approximately two out of three malicious Web attacks have been developed using one of three popular attack toolkits. The toolkits are MPack (the most popular attack toolkit, which has almost half of the attacker toolkit mar- ket), NeoSploit, and ZeuS. These toolkits, which are bought and sold online through the underground attacker community, are used to create customized malware that can steal personal information, execute fraudulent financial transactions, and infect computers without the user’s knowledge. The toolkits range in price from only $40 to as much as $8,000. The developers behind these attack toolkits compete fiercely with each other. Some of their tactics include updating the toolkits to keep ahead of the latest security defenses, advertising their attack toolkits as cheaper than the competition, and provid- ing technical support to purchasers. Some attack toolkits even have features to prevent piracy, or the unauthorized copying of the toolkit. And just as in the legitimate busi- ness world, mergers and acquisitions are not uncommon. For example, the developer of the attack toolkit SpyEye announced that he had “officially acquired” the ZeuS source code from the original ZeuS developer, who was no longer involved with the “development, sale or support of ZeuS.” The SpyEye developer also said that he would be “providing existing ZeuS customers with support services,” and that the tech- nologies from SpyEye and ZeuS source code would be merged to create a “more capa- ble kit for future releases.”1 Yet attackers resort to other competitive measures that a legitimate software com- pany would never consider. One toolkit can create malware that, when it infects a user’s computer, will seek out any other existing malware on that computer and destroy it. Otherattacktoolkitsinstall“backdoors” in their code so that the developers can monitor how their customers are using the toolkits. And in some instances, these backdoors can even steal the data from the attacker’s malware that it has just stolen from its victim. Most computer users today think attacks on their computers come from malicious software programs, or malware. These programs are created by attackers to silently infiltrate computers with the intent to do harm. Malware can intercept data, steal information, launch attacks, or damage a computer’s software so that it no longer properly functions. An estimated 60 million Attacks Using Malware 43 instances of malware exist and the number continues to grow. According to a major security vendor, in 2010 alone, attackers created 34 percent of all existing malware.2 With the focus on malware, another means of attack is often overlooked: social engineering. Tricking users into giving out information or performing a compromising action is also a 2 favorite type of attack today. Due to user apathy or confusion about good security practices, most successful attacks are the result, in part, of deceiving users. In fact, defeating security through a person instead of using technology is often the most cost-effective type of attack and can also generate some of the highest success rates. This chapter examines attacks through malware and social engineering. It begins by looking at the three different categories of attacks that utilize malicious software. Then it explores how attacks through users are being used today. Defenses against these and other types of attacks will be discussed in the Hands-On Projects at the end of this chapter and in later chapters. Attacks Using Malware 3.1 Analyze and differentiate among types of malware Malware is software that enters a computer system without the user’s knowledge or consent and then performs an unwanted—and usually harmful—action. Malware is a general term that refers to a wide variety of damaging or annoying software programs. One way to classify malware is by its primary objective. Some malware has the primary goal of rapidly spreading its infection, while other malware has the goal of concealing its purpose. Another category of malware has the goal of making a profit for its creators. Much debate has focused on how to classify the different types of malware. One proposal is to classify it by propagation, infection, self- defense, capabilities, exfiltration, command/control, and post opera- tion. Another proposal is to classify malware by vector, payload, and invocation. It should be noted that the three categories used here— spreading, concealing, and profiting—are not exclusive. That is, spread- ing malware also tries to conceal itself, yet in comparison to other types of malware its main goal is to replicate itself. Malware That Spreads The two types of malware that have the primary objective of spreading are viruses and worms. These are also some of the earliest types of malware to impact personal computer systems. Viruses A biological virus is an agent that reproduces inside a cell. When a cell is infected by a virus, the virus takes over the operation of that cell, converting it into a virtual factory 44 Chapter 2 Malware and Social Engineering Attacks to make more copies of it. The cell is forced to produce thousands of identical copies of the original virus very rapidly. Biologists often say that viruses exist only to make more viruses. The polio virus can make over one million copies of itself inside a single infected human cell. A computer virus (virus) is malicious computer code that, like its biological counterpart, repro- duces itself on the same computer. A virus first inserts itself into a computer file (which can be either a data file or program). This can be done in several different ways: ● Appender infection. The virus first appends itself to the end of a file. It then moves the first three bytes of the original file to the virus code and replaces them with a “jump” instruction pointing to the virus code. When the program is launched, the jump instruction redirects control to the virus. An appender infection is shown in Figure 2-1. ● Swiss cheese infection. Some viruses inject themselves into the program’s executable code instead of at the end of the file. Any overwritten original code is transferred and stored inside the virus code for proper execution of the host program after the infection. Figure 2-2 illustrates a Swiss cheese infection. ● Split infection. In this technique the virus is split into several parts. The parts are placed at random positions throughout the host program, overwriting the original contents of the host. The overwritten parts are stored at the end of the file, and a table is used to reference their locations. The head of the virus code starts in the beginning of the file and then gives control to the next piece of the virus code, and so on, as shown in Figure 2-3. PROGRAM CODE JMP ROGRAM CODE VIRUS CODE Figure 2-1 Appender infection © Cengage Learning 2012 There are over 20 different known methods that viruses use to infect a file. These vary in the level of sophistication and all are designed to avoid detection. Attacks Using Malware 45 PROGRAM CODE JMP ROGRAM CODE 2 VIRUS CODE Figure 2-2 Swiss cheese infection © Cengage Learning 2012 VIRUS CODE (Head) PROGRAM CODE PROGRAM CODE VIRUS PART 3 VIRUS PART 7 VIRUS PART 5 VIRUS CODE (Body) VIRUS PART 6 VIRUS PART 4 VIRUS PART 2 Figure 2-3 Split infection © Cengage Learning 2012 Each time the infected program is launched or the file is opened, either by the user or the computer’s operating system, the virus performs two actions. First, it tries to reproduce itself by inserting its code into another file on the same computer. Second, it unloads a malicious payload and performs some action. Although a virus can do something as simple as dis- play an annoying message (often political in nature and with poor spelling), as shown in Figure 2-4), most viruses are much more harmful. Viruses have performed the following actions: ● Caused a computer to crash repeatedly ● Erased files from a hard drive ● Made multiple copies of itself and consumed all of the free space in a hard drive ● Turned off the computer’s security settings ● Reformatted the hard disk drive 46 Chapter 2 Malware and Social Engineering Attacks Figure 2-4 Annoying virus message © Cengage Learning 2012 Sometimes a virus will remain dormant for a period of time before unleashing its payload. A virus can only replicate itself on the host computer on which it is located; it cannot auto- matically spread to another computer. Instead, it must typically rely on the actions of users to spread to other computers. Because viruses are attached to files, viruses are spread by a user transferring those files to other devices. For example, a user may send an infected file as an e-mail attachment or copy it to a USB flash drive and give the drive to another user.