27.3 Malware | Vicky's Page

Section 7.3 Malware

As you study this section, answer the following questions:

What are the two categories of malware?
Which type of malware provides the hacker with covert remote access to the infected system?
What are some malware prevention steps?
What type of environment should be used when analyzing malware?

In this section, you will learn to:

Counter malware with Windows Defender
Configure Windows Defender application control
Configure URL blocking

The key terms for this section include:

Key Terms and Definitions

Key Terms and Definitions
Term	Definition
Malware	Malicious software designed to damage the infected system, steal data, gain unauthorized access, or a variety of other malicious purposes.
Virus	A self-replicating malware that attaches itself to a legitimate program.
Trojan horse	Malware that provides a hacker with covert remote access to a victim's system by opening ports in the infected system.
Ransomware	Malware that scans a computer for user files and encrypts them. The user must pay a ransom to regain access to the files.
Spyware	Malware that is designed to collect and forward information regarding a victim's activities.
Rootkit	Malware that consists of multiple programs that give the hacker root (administrator) access to the system.
Persistence	A mechanism that is executed when a host restarts, a user logs off, or another user logs into the system.
Static analysis	Malware analysis method in which the code is examined without executing the malware itself.
Dynamic analysis	Malware analysis method where the malware is executed, and its behavior and effects are observed and analyzed.
Sandboxing	A technique that isolates malware in a closed virtual environment to conduct tests and analyze the data for threats and vulnerabilities.

This section helps you prepare for the following certification exam objectives:

Exam	Objectives
CompTIA CySA+ CS0-003	1.1 Explain the importance of system and network architecture concepts in security operations Operating system (OS) concepts Windows Registry 1.2 Given a scenario, analyze indicators of potentially malicious activity Network-related Host-related Memory consumption Malicious processes File system changes or anomalies Application-related Other Obfuscated links 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity Tools Endpoint security File analysis Strings Sandboxing 1.4 Compare and contrast threat-intelligence and threat-hunting concepts Threat hunting Indicators of compromise (IoC) Collection Analysis Application 2.1 Given a scenario, implement vulnerability scanning methods and concepts Asset discovery Device fingerprinting Static vs. dynamic Reverse engineering Fuzzing 2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities Broken access control 2.5 Explain concepts related to vulnerability response, handling, and management Patching and configuration management 4.1 Explain the importance of vulnerability management reporting and communication Action plans Awareness, education, and training
TestOut CyberDefense Pro	1.2 Monitor software and systems Configure execution control and verify digital signatures 2.1 Perform threat analysis Determine the types of vulnerabilities associated with different attacks 2.2 Detect threats using analytics and intelligence Use endpoint protection tools 3.1 Implement security controls to mitigate risk Implement antivirus and endpoint security 4.1 Manage security incidents Resolve malware, ransomware, and phishing attacks 4.2 Manage devices Secure smartphones, tablets, and laptops

Exam

Objectives

CompTIA CySA+ CS0-003

1.1 Explain the importance of system and network architecture concepts in security operations

Operating system (OS) concepts
- Windows Registry

1.2 Given a scenario, analyze indicators of potentially malicious activity

Network-related
Host-related
- Memory consumption
- Malicious processes
- File system changes or anomalies
Application-related
Other
- Obfuscated links

1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity

Tools
- Endpoint security
- File analysis
  - Strings
- Sandboxing

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

Threat hunting
- Indicators of compromise (IoC)
  - Collection
  - Analysis
  - Application

2.1 Given a scenario, implement vulnerability scanning methods and concepts

Asset discovery
- Device fingerprinting
Static vs. dynamic
- Reverse engineering
- Fuzzing

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities

Broken access control

2.5 Explain concepts related to vulnerability response, handling, and management

Patching and configuration management

4.1 Explain the importance of vulnerability management reporting and communication

Action plans
- Awareness, education, and training

TestOut CyberDefense Pro

1.2 Monitor software and systems

Configure execution control and verify digital signatures

2.1 Perform threat analysis

Determine the types of vulnerabilities associated with different attacks

2.2 Detect threats using analytics and intelligence

Use endpoint protection tools

3.1 Implement security controls to mitigate risk

Implement antivirus and endpoint security

4.1 Manage security incidents

Resolve malware, ransomware, and phishing attacks

4.2 Manage devices

Secure smartphones, tablets, and laptops

7.3.1 Malware Overview

Click one of the buttons to take you to that part of the video.

Malware Overview 00:00-00:28 Malicious software, or malware, is one of the biggest threats facing computer and network systems today. These programs are designed to damage the infected system, steal data, gain unauthorized access, or a variety of other malicious purposes. In this lesson, we'll look at some of the more common types of malware you need to be aware of, and we'll also look at some ways to help prevent malware infection and how to detect and get rid of a malware infection.

Malware Types 00:28-02:42 All malware can be grouped into one of two categories – commodity malware or targeted malware. Commodity malware is designed by someone and sold on the dark web. Commodity malware relies on exploiting systems that are not using malware detection software or are not keeping their detection software updated.

Targeted malware is created with a specific target in mind and may be created with the intention of compromising only one system or network, such as the government or financial institutions, and is much more difficult to detect.

There are many different types of malware you need to be aware of. The first we'll look at is a virus. A virus is a self-replicating malware that attaches itself to a legitimate program. When the program is run, the virus can execute its payload and replicate, or copy itself, to infect other parts of the computer. A virus can be designed to create all sorts of trouble in a computer system, such as slowing the system down, deleting files, logging keystrokes, and more.

Trojan Horses are another common malware type. This malware provides a hacker covert remote access to a victim's system by opening ports in the infected system. The Trojan Horse hides inside a legitimate program and then opens the ports in the system without the user realizing anything is wrong.

Ransomware is malware that can cause a lot of damage. Once a computer is infected with this malware, it will scan the system for user files and encrypt them. If the user wants their files back, they have to pay the attacker. But there's no guarantee that the hacker will send the decryption key once the victim's paid for it.

Spyware is a type of malware designed to collect and forward information regarding a victim's activities. While this type of malware doesn't usually damage machines, it's extremely invasive.

The last type of malware we'll look at is the very dangerous rootkit. The term comes from combining root, the equivalent of an administrator on Linux, and kit, which refers to the software being executed.

A rootkit consists of programs that give the hacker root or administrator access to the target machine. These programs can then install other malware and give the hacker persistent remote access to the infected system with full control.

As you can see, malware infection can lead to a lot of damage, so it's essential that we do everything possible to prevent an infection.

Malware Prevention 02:42-03:50 One of the first and most important steps we can take to prevent a malware infection is to educate users on common threats.

Users should know not to click links inside of emails, not to open or download files from unknown sources, and don't visit untrusted websites. Users should also be familiar with how to recognize a phishing attack so they can avoid being tricked.

Every device should have proper anti-malware software installed. This includes a strong anti-virus program and a firewall. If we don't have a hardware firewall for our network, a software firewall on the computer will suffice. Having these programs will help prevent malware from getting to the device. Windows has a great antimalware program called Windows Defender that comes installed and enabled when you install Windows. If another third-party anti-malware is installed, Windows Defender will be disabled automatically.

Regardless of using a third-party program or Windows Defender, you must ensure that the definitions, also called signatures, are kept up to date. Signatures are like a unique fingerprint; every malware and antimalware program keeps a database of these definitions to detect a piece of malware and know how to remove it.

Summary 03:50-04:09 That'll wrap up this lesson on malware. In this lesson, we looked at many common types of malware you'll run across, such as viruses and Trojan Horses. We then reviewed some important malware prevention steps, including user-training, using a good anti-malware program, and keeping those definition files up to date.

7.3.2 Use Windows Defender Application Control

Click one of the buttons to take you to that part of the video.

Use Windows Application Control 00:00-00:54 When it comes to technology, there's nothing worse than bad guys using viruses and malware to mess with your systems. Fortunately, you can use Windows Defender Application Control (WDAC) to make it much harder for hackers to do that.

WDAC is an application whitelisting technology that reduces the risk of viruses and other malware. WDAC uses Code Integrity (CI) policies that are implemented by the Windows kernel early in the boot sequence, before most of the other operating system code starts.

The CI policies allow administrators to lock down systems by allowing only certain things to run. The downside for many administrators is that there is no GUI management tool they can use to configure WDAC. You must use PowerShell if you want to implement it. With that, let's look at how it works.

Implement Windows Defender Application Control 00:54-01:40 How difficult is it to implement WDAC? Well, the Microsoft documentation for WDAC and App Locker is over 250 pages of information. It's not what most people would call easy.

There are also a few prerequisites for WDAC. You must have UDFI firmware, and, according to Microsoft documentation, you also need Windows 10 Enterprise or Windows Server 2016 or above.

When you create a default policy, you'll want to make sure that the reference computer is free of viruses and other malware. The device should also have all the applications installed that the user will need to run it. If your organization has several departments that each require different apps, you may want to create a reference machine for each department.

Create a Code Integrity Policy File 01:40-03:18 To create a WDAC default policy, we'll use PowerShell commands on the reference machine. To make this easier, we've copied the commands to a text file. We'll copy and paste each one to avoid making any typing errors.

So, let's paste in the first command. Before we press Enter, let's look at what this command does.

New-CIPolicy indicates that we're creating a new XML code integrity policy. MyPolicy.xml is the name of the file we're creating. By default, this will be saved in the same location that you are running the command. If you want to save it somewhere else, you could use the -FilePath parameter.

Next, we have '-Level'. This parameter specifies the level of detail our new policy will include. In this example, we're using Pca which is a shortcut for PcaCertificate. PcaCertificate adds the highest available certificate in the provided certificate chain to signers.

Now we need to indicate what portion of our drive will be scanned. To do that, we use the -ScanPath parameter followed by the path.

The last parameter is '-UserPEs'. This parameter lets the command know that we want to include the user mode files in our scan.

To shorten the amount of time it takes to complete this scan, we're just going to have it scan the desktop of this user's profile. With that, let's press Enter and wait for the scan to complete.

Notice that if I do a search in this folder, I can see that the XML file was created.

Convert an XML Policy File to Binary 03:18-04:01 Before you can use this information in the Group Policy setting, you need to convert the XML file to a binary file. To do that, we're going to copy and paste the next line of code.

This command converts MyPolicy.xml to binary and saves it as a new file named MyPolicy.bin.

When you press Enter, the .bin file is created. We also get a warning, but we can ignore that for now.

Again, if we look in the System32 folder, we see that the .bin file has been created . This is the file we'll use when we create the Group Policy.

Note that if you need to create more policies, you'll must merge them. Only one policy is allowed on devices.

Distribute WDAC Policy with Group Policy 04:01-05:23 So, once we have the policy, we can use Group Policy to distribute the settings to other systems on our domain. To do that, we need to switch to a Windows server.

We're on the Windows 2019 server. We've already copied the file over and stored it on the hard drive. Now we want to create a Group Policy to distribute the settings. The first thing we must do is come up here to Tools, and open Group Policy Management.

Let's right-click the domain, select Create a GPO in this domain, and link it here. We'll name it WDAC and click OK. Let's right-click the new policy and select Edit.

Now we navigate to Computer Configuration > Policies > Administrative Templates > System > Device Guard. Double-click the Deploy Windows Defender Application Control setting. In the Deploy Windows Defender Application Control dialog box, we're going to select Enabled. Now we specify the path to the Code Integrity Policy file here: C:\WDAC\MyPolicy.bin. Click Apply and then OK.

Remember that this is a complicated process. We've just scratched the surface. Make sure you do lots of testing before you distribute the policy on your domain.

Summary 05:23-05:38 That's it for this demo. In this demo, we created a Windows Defender Application Control policy on a reference system and used Group Policy to distribute it to other machines on our domain.

7.3.5 Set Up URL Blocking

Click one of the buttons to take you to that part of the video.

Configuring Web Threat Protection 00:00-00:23 In this demo, we're going to block and filter websites, domains, and other web content. There are numerous tools that you can use to do this. Some are commercial tools that you pay for, and others are open-source tools you can use for free. In this demo, we're going to use pfBlockerNG on our pfSense appliance.

Review Prerequisites 00:23-01:04 Before we get started, it's important to configure two rules for our DNS. We want to force our users to use our DNS, and not someone else's. Why does this matter? Because we're going to block sites based on URLs. We'll confirm that by looking at our firewall rules. Under LAN, I've already created two rules. The first is allowing DNS to my pfSense appliance, and the second is blocking all other DNS connections. So, basically, you're going to use my pfSense for DNS, or you're not going to have any DNS.

Creating rules is not part of this lesson. We're just here to confirm that our rules have been created.

Install pfBlockerNG 01:04-01:54 Now, pfBlockerNG is not installed on pfSense by default. It's a package that's installed from Package Manger on pfSense. Installing packages on pfSense is very simple, so let's run through that process quickly. I'll go to System > Package Manager. Choose Available Packages and search for 'pfBlockerNG'. I see two here, and it looks like there's a new one in development, so I'm going to stick with the first one for this demo.

Click Install and then Confirm to install the pfBlockerNG package. This might take a few minutes to finish, so be patient, and don't refresh the page while you're waiting.

It looks like it's done, so I'll scroll down, and we have success. pfBlockerNG is installed.

Configure pfBlockerNG 01:54-03:02 Next, we need to configure it. Let's go to Firewall > pfBlockerNG. If we'd gone and lookced for pfBlockerNG before we started, it wouldn't have been there. It was added when we installed the package. Click on it to go to the settings.

The first thing we need to do on this page is check this box, Enable pfBlockerNG.

We want to make sure that Keep Settings is also checked. This will keep our settings if pfBlockerNG is updated with a new version. We certainly don't want to reconfigure it every time that happens.

For our Cron settings, I'll just pick every two hours. If you're not familiar with Cron, it's a Linux utility that schedules jobs to run at specific times.

We can leave the next several settings at their defaults. I'll go down to Interface/Rules Configuration. The first thing I'll do here is set our Inbound firewall Rules to WAN and make sure the Rule Action is set to Block. For our Outbound Firewall Rules, we'll set this to LAN and set the Rule Action to Reject.

Now I'll scroll down and click Save.

Configure DNSBL 03:02-04:25 Now we want to configure DNSBL, or DNS Block Lists. I'll come up here and click on the DNSBL tab. The first thing to do is to check the Enable DNSBL checkbox. If Enable TLD is checked, uncheck it. We won't use this while it's still in Beta.

Now, for our DNSBL Virtual IP, we need to pick an IP address that's isolated from our network. This is an IP where rejected DNS requests are basically sent to die. For my test network, I'll put in '10.10.200.1'. For DNSBL Listening Port, I'll leave the default port. For DNSBL SSL Listening Port, I'll leave that at the default also.

Scroll down a bit until we get to DNSBL IP Firewall Rule Settings. Here, under List Action, we want to set this to Deny Both. For Enable Logging, we want to choose Enable so that logs are recorded.

We'll skip over Advanced Inbound and Outbound Firewall Rule Settings and Alexa Whitelist. But under Custom Domain Whitelist, we can enter in some URLs. Just as an example, let's put in a few URLs. I'll type 'www.google.com', 'play.google.com', and also 'drive.google.com'.

Come down and click Save.

DNSBL Feeds 04:25-06:40 Now we need to go to the DNSBL Feeds tab and then click on Add. I'm going to add a few DNS block lists. There are hundreds of these lists out on the internet. They're typically categorized so you can pick and choose what to block. We're going to grab some that are hosted on Github, so I'll open up another tab and type in the URL for the site. The site says that it's a repository with several reputable hosts files that are merged into a single unified hosts file with duplicates removed. They've done a lot of work for us so we don't have to thanks, Github!

I'll scroll down here and find the one for Social. I'll click on the link, come up here, and copy it to the clipboard. Now let's jump back over to my pfBlocker configuration page. I'll click into the DNS Group Name field and type in 'DNSBLockListGroup'. For Description, I'll enter 'DNS Block List'. For Source, I'll go ahead and paste in the URL that I copied from the other page. I'll type 'Social' for the Header/Label field.

Now let's go ahead and add another list. Click Add, go back, and this time, let's grab the gambling list. Copy that to the clipboard and go back to our settings page. We'll paste that into the sources and call it 'Gambling'.

Let's go back and look at our different lists again. You can see that some categories are already combined. Gambling and social are combined, but I added them separately. You can also find lists from lots of other sites.

We still have a few things to do on the Settings page, so let's go back there. For List Action, we want to pick Unbound from the dropdown. For Update Frequency, we'll pick Once a day. Now let's enter a few sites to our Custom Block List. I'll just make up a few: 'fakesite.com', 'gamblingsite.com', and 'badsite.com'. We'll leave the Update Custom List set to Default, come down, and click on Save.

Update 06:40-07:09 Now we need to force pfBlockerNG to update. We'll go up to the Update tab. Make sure that the Update radial button is selected and click on Run. Now we need to go to Status > Services and restart the DNSBL service. Then we'll come down and restart the Unbound service. Now, if our users go to one of the sites on any of the lists, the content will be blocked.

Summary 07:09-07:24 That's it for this demo. In this demonstration, we installed and configured pfBlockerNG to block and filter websites, domains, and other web content.

7.3.7 Malware Analysis

Click one of the buttons to take you to that part of the video.

Malware Analysis 00:00-00:40 Malware has been around for decades, and the threats are continuous and evolving daily. An age-old saying states that, "To defeat your enemy, you must understand them." In this lesson, I'll discuss malware analysis. Malware analysis' aim is to prepare you to respond to an attack. A thorough analysis should provide you with the knowledge of what the damage is, its extent, and what to do to guard against it in the future. There are two methods for analyzing malware. They're called static and dynamic analysis.

Static Analysis 00:40-01:03 Static analysis is also known as code analysis. Static analysis is safe, as the malware doesn't run at all. This method involves reverse engineering by going through the malware's code without executing it to understand its function. Common static analysis techniques include file fingerprinting, scanning, string searching, identifying obfuscation and packing methods, and malware disassembly.

Static Analysis 01:03-01:15 When a malicious program is found, it's run through a program that uses an algorithm to generate a unique hash. This hash is added to the malware threats database in antivirus software programs.

File Fingerprinting 01:15-01:48 This hashing process is often called file fingerprinting. It can be thought of like adding a digital fingerprint or hash to a malware database, almost like a criminal's fingerprint being added to the America's Most Wanted database. SHA-1 and MD5 are the most common hash functions used for file fingerprinting. You can also use others to create your own fingerprints before you run a dynamic test in order to create a comparison baseline. Be sure to check again during or after running the program to see if its values changed.

Scanning 01:48-02:28 Scanning is the process of inspecting a malware file with an antivirus program. This is like scanning the fingerprints of malware and comparing them with the stored fingerprints in a criminal database.

Malware fingerprints are also called signatures. You can make changes to your existing controls to identify malware through rule-writing. In this method, rules are used to identify malware by signature or fingerprint. In addition to scanning locally, you can upload a file to a website, such as virustotal.com. These websites provide additional information about what the malware is and which antivirus engines flag it.

String Searches 02:28-02:44 String searches are another malware analysis technique. When the malware's code isn't obfuscated, the tester should be able to find plaintext strings throughout the code. Extracting these strings often gives you hints about a malware program's functionality.

Packer Detection Tools 02:44-03:04 Often, attackers use packers for compression or for other obfuscation techniques that hide a malware program's execution. There are tools available to detect known packers. Knowing if malware is packed

and what it's packed with can be helpful to you when you want to run deeper tests without damaging the original code.

Disassemblers 03:04-03:18 Finally, disassembling malware allows you to learn everything about the program and what it's designed to do. Loading the malware into a disassembler program gives you the raw code, allowing you to see and decipher almost everything.

Dynamic Analysis 03:18-03:36 Signature-based static analysis is important in identifying malware. But to get the clearest picture of the threat, you need dynamic analysis as well. Dynamic analysis is the process of actually running the malware, observing its behavior, and analyzing it.

Dynamic Analysis 03:36-03:55 Dynamic analysis looks at what the malware does and identifies technical signatures that confirm its purpose. These signatures include domain names, file path locations, registry keys, IP addresses, created files, DLL files, and linked files on the system or network.

Dynamic Analysis 03:55-04:18 Advanced dynamic analysis can include running a debugger, such as WinDbg or GDB. This provides more granular-level information about the malware's code and allows you to see how the system changes during execution. To ensure the most in-depth results, you should perform both static and dynamic analysis.

Sandboxing 04:18-04:44 Security analysts use sandboxes to dynamically test malware. As a child, you probably played in a sandbox, which was a controlled environment that allowed you to explore, create, and try out ideas safely with an adult watching over you. A cybersecurity sandbox isn't much different. It's a controlled environment where a security analyst can test malware without putting the rest of the organization at risk.

Summary 04:44-05:13 That's it for this lesson. In this lesson, we covered malware analysis. First, we looked at static analysis, which is a signature-based process that focuses on reverse-engineering code. Then we looked at dynamic analysis, which is a behavior-based process. We also discussed how important it is to use a sandbox with dynamic analysis to keep the malware contained during testing.

7.3.8 Malware Analysis Facts

The aim of malware analysis is to help you respond to a malware attack. A thorough analysis should provide knowledge of what the damage is, the extent of the damage, and what to do to guard against it in the future. The two methods for analyzing malware are static and dynamic.

This lesson covers the following topics:

Static analysis
Dynamic analysis

Static Analysis

Static analysis:

Is signature-based.
Is also known as code analysis.
Analyzes code without executing it.
Is safer because the code is not executed.
Has several tools and techniques available.

The following table lists static analysis techniques:

Static Analysis Technique	Description
Fingerprinting	File fingerprinting is the process of identifying unique malware programs by generating a hash for the program. Be aware that: Hashes can be checked throughout the analysis process for changes. SHA-1 and MD5 are the most common hash functions. File fingerprinting does not work well with encrypted, password-secured, or media files.
Scanning	Scanning is the process of inspecting for malware with a local anti-malware program or using an online scanner. Rule writing can increase security by scanning for malware signatures or fingerprints.
Searching for strings	String searching is the process of scanning the code for plain text strings. Plain text strings can indicate the purpose and functions of malware.
Identifying obfuscation/packing	Identifying obfuscation/packing is the process of identifying packers and obfuscation methods. Many tools are available for unpacking.
Disassembling malware	Disassembling malware is the process of decompiling the malware code to break it down to raw code. This technique is part of the reverse engineering process.

Dynamic Analysis

Dynamic analysis:

Is behavior-based.
Executes malware while closely monitoring it
Has several tools and techniques available.
Tests in a sandbox:
- Controlled environment
- Isolated
- Observable
- A safe way to execute malware code without risk.

Dynamic analysis looks at what the malware does and identifies technical signatures that confirm its purpose. These signatures include the following:

Domain names
File path locations
Registry keys
IP addresses
Created files
DLL files
Linked files on the system or network

The process of studying malware and its effects is known as host integrity monitoring. This involves using the same tools and processes to take a snapshot of the system before and after the malware is executed. The techniques used by host integrity monitoring are described in the following table.

Technique	Description
Ports	Malware often opens ports on computers. You can use tools such as Netstat to show open ports.
Processes	Malware can hide by posing as genuine Windows services or processes. You can use Process Monitor or similar tools to help determine if processes are malware.
Registry	Because malware often creates registry keys, monitoring the registry for changes is important. Scanning the registry for suspicious keys can aid in tracking a malware infection.
Windows services	Malware can spawn Windows services or rename malicious processes to look like a Windows service and evade detection. You can use Windows Service Manager to detect changes in services and scan for suspicious Windows services.
Startup programs	Malware can set itself to load with Windows in startup programs. You can verify startup programs manually or with a tool like WinPatrol or Autoruns.
Event logs	Analyze event logs to identify malicious or suspicious activities.
Installation	When software is installed or uninstalled, traces of the application data can be left on the system. You can use monitor programs, such as SysAnalyzer, to help track programs being installed or uninstalled.
Files and folders	Malware normally modifies the system's files and folders. Use file and folder integrity checkers such as Tripwire or SigVerif, the built-in Windows file verifier.
Device drivers	Malware can hide inside untrusted or invalid device drivers. Verify that device drivers are valid and trusted.
Network traffic	Most malware generates network traffic. Analyze network traffic with programs like Wireshark to see what the malware is doing and track it down.
DNS	Some malware is capable of changing a system's DNS information. Use DNSQuerySniffer, DNSstuff, or similar programs to monitor DNS requests and system settings. You can monitor DNS requests and identify whether the malware can change those settings.
Application Program Interface (API) calls	APIs are part of the Windows OS that allows external applications to access OS information such as file systems, threads, and errors. You can use API Monitor to see how the malware interacts with the operating system.

7.3.9 Signs of Malware Infection

Click one of the buttons to take you to that part of the video.

Malware Infection Indicators 00:00-02:40 A malware infection can cause all sorts of problems on a computer system or network. Computer and network systems should have anti-malware programs installed and constantly monitoring and protecting the network, but a lot of the malware out there is designed to circumvent these protections. It's important to constantly monitor the network systems and look for potential signs of a malware infection and to not solely rely on anti-malware programs. In this lesson, we'll take a look at some of the signs that could point to a malware infection.

The signs of a malware infection will often look like a hacker has gained access to a system. Increased processor and memory usage, file and directory manipulation, and unauthorized changes can all mean a malware infection has occurred. When you see any of these signs, further investigation must take place to discover what exactly is going on.

A lot of malware programs rely on attaching themselves to a legitimate program. This allows the malware to bypass the anti-malware protections and infect the system. Some malware, like Trojan Horses, will then download and install other programs on the infected systems. These programs can be used to cause further damage or allow a hacker remote access. If you notice new unauthorized software being installed, this can mean a malware infection has occurred.

One of the goals of any hacker and malware is to create a persistent connection to the infected system. Persistence can be obtained by executing specific tasks when a host restarts, a user logs off, or another user logs into the system. Unauthorized scheduled tasks or changes to the registry can indicate that a malware infection has gained persistence.

Scheduled tasks are used to automate tasks such as running backups or performing basic maintenance. Some malware will create scheduled tasks to perform functions such as opening communication with a command and control server or executing a payload every time the system restarts.

Monitoring scheduled tasks to ensure none have been modified or no new tasks exist should be done on a regular basis.

This can be done by checking the Task Scheduler applet and monitoring the System or Security Event Logs. Creating, changing, enabling, or disabling a scheduled task will generate a log file showing who made the changes and when.

Modifying the registry is a favorite method of malware to gain persistence. Because the registry is so large, there are plenty of opportunities for malicious activity. However, there are a few key spots to keep an eye on.

Autorun entries are a favorite target because they're hidden from view by default. Malware also targets registry entries related to drivers and services and tries to change file associations in the registry. Registry keys associated with security settings will also be targeted and changed by some malware.

Summary 02:40-03:07 That'll wrap up this lesson on signs of a malware infection. In this lesson, we went over some of the more common signs of a malware infection, including new software being installed, unauthorized scheduled tasks, and changes to the registry. Because malware can hide itself inside legitimate programs, it can be difficult to identify that a malware infection has occurred. Constant monitoring of the computer and network systems is critical in quickly identifying and getting rid of a malware infection.

7.3.10 Signs of Malware Infection Facts

Malware can cause a variety of issues on computer and network systems. Even if these systems have anti-malware installed, malicious programs can still bypass these security solutions on occasion. Because of this risk, it is important to constantly monitor your systems for any indicators that a malware infection has occurred. We call these indicators of compromise (IoCs).

This lesson covers the following topics:

Unauthorized software IoCs
Persistence IoCs

Unauthorized Software IoCs

One of the most obvious IoCs is locating known malicious software on a system, such as worms, viruses, and Trojans. The presence of malware doesn't always translate to a major crisis but warrants prompt and decisive action to understand the risks.

The presence of common attack tools is also highly concerning, but many of the same tools are often used by security personnel and administrators as a normal part of their work. Unauthorized software includes web, DNS, or virtualization server software installed on a workstation. Workstations typically do not run these services, and the presence of these tools is likely unauthorized.

The following table describes some software indicators of compromise that may point to a malware infection:

Malware IoC	Description
Unauthorized scheduled tasks	Scheduled Tasks is the Windows utility designed to allow routine or important maintenance processes to run in an organized and automated way. Scheduled tasks are often used to run backups and maintenance scripts and are also often abused by attackers and malware. Malware may use scheduled tasks to automate communication with a C&C server or launch a reverse shell when the system restarts. Monitoring scheduled tasks for changes and reviewing new items is important to ensure they are authorized. Changes to Windows Scheduled Tasks generate an event recorded in the System or Security Event Log containing details about the change, such as the task's name, who made the change, and a timestamp. Event ID 4698 indicates a scheduled task was created or modified, and Event ID 4700 indicates a scheduled task was enabled or disabled. Searching for events using keywords like Task Scheduler or Task Scheduler Service can also help locate activity.
File system or Registry changes	File system and Registry changes can indicate or suggest a security breach or attack has occurred. An attacker may change critical system configuration stored in system files or Registry keys to change or disable essential security settings or store malware and scripts. Look for any of the indicators listed below. The creation of new files or folders in unexpected locations or with unusual names. Unexpected or unauthorized changes to files (tampering). Removing temp files, clearing temp folders, or deleting log entries. This signals that an attacker is trying to cover their tracks and remove evidence of their actions. Changes to Registry keys related to security settings. This often indicates an attempt to gain unauthorized access to or disable security features. Unauthorized changes to user accounts or group membership. This could indicate an attempt to gain elevated privileges or to create a backdoor. (User and group settings are stored in the /etc/passwd and /etc/group configuration files on Linux systems.)

Malware IoC

Description

Unauthorized scheduled tasks

Scheduled Tasks is the Windows utility designed to allow routine or important maintenance processes to run in an organized and automated way. Scheduled tasks are often used to run backups and maintenance scripts and are also often abused by attackers and malware. Malware may use scheduled tasks to automate communication with a C&C server or launch a reverse shell when the system restarts. Monitoring scheduled tasks for changes and reviewing new items is important to ensure they are authorized.

Changes to Windows Scheduled Tasks generate an event recorded in the System or Security Event Log containing details about the change, such as the task's name, who made the change, and a timestamp. Event ID 4698 indicates a scheduled task was created or modified, and Event ID 4700 indicates a scheduled task was enabled or disabled. Searching for events using keywords like Task Scheduler or Task Scheduler Service can also help locate activity.

File system or Registry changes

File system and Registry changes can indicate or suggest a security breach or attack has occurred. An attacker may change critical system configuration stored in system files or Registry keys to change or disable essential security settings or store malware and scripts. Look for any of the indicators listed below.

The creation of new files or folders in unexpected locations or with unusual names.
Unexpected or unauthorized changes to files (tampering).
Removing temp files, clearing temp folders, or deleting log entries. This signals that an attacker is trying to cover their tracks and remove evidence of their actions.
Changes to Registry keys related to security settings. This often indicates an attempt to gain unauthorized access to or disable security features.
Unauthorized changes to user accounts or group membership. This could indicate an attempt to gain elevated privileges or to create a backdoor. (User and group settings are stored in the /etc/passwd and /etc/group configuration files on Linux systems.)

There are many tools made for malware detection. However, in some cases, malware code can detect when analysis tools have been launched and shut down before it's found. One way to get around this problem is to boot the tool from a separate operating system.

Worms, Trojans, and viruses are the most common examples of unauthorized software on a system. But be on the lookout for harder-to-notice instances as well. Attackers sometimes modify existing files and legitimate software to use in their attack. Below are some examples of this unauthorized usage.

Use of a hypervisor to run unauthorized software
Installation of a DNS or web server on a host machine
Use of a host file for a pharming attack

The following table describes tools that can be used when searching for unauthorized software:

Tool	Description
Application viewers	Application viewers show application usage and history. They can be used to analyze: Browser history Browser cookies IM history Call history Emails Contact lists
Prefetch files	Windows prefetch files record: Application name Date and time of access File path DLL used by the executable

Persistence IoCs

Persistence is a mechanism that is executed when a host restarts, a user logs off, or another user logs into the system. There are two general types of persistence IoCs:

Change or anomaly in the Registry
An unauthorized scheduled task

The following table lists a few of the most common Registry vulnerabilities:

Vulnerability	Description
Autorun	Autorun entries are frequently targeted because they are hidden from view by default. If you suspect an autorun key has been compromised, examine the following keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
Services	Malware targets Registry entries related to drivers and services. If you suspect a service key has been compromised, examine the entries in HKLM\SYSTEM\CurrentControlSet\Services.
File associations	Malware can change file associations found in the Registry. Executable and shell-type files are most frequently targeted because a user can unknowingly launch a malicious application when opening an executable file. If you suspect file associations have been compromised, examine the entries in HKLOM\SOFTWARE\Classes and HKCU\SOFTWARE/Classes.

Windows Task Scheduler can be used to create and run tasks at prescheduled times. All of these tasks are recorded and can be viewed in the History tab. Here you can find the time the action was recorded, the event ID, the type of action taken, and more.

7.3.11 Search Memory Dump for Malware

Click one of the buttons to take you to that part of the video.

Search Memory Dump for Malware 00:00-00:20 Memory is used to store information, either permanently or temporary. What we're going to look at is temporary memory, or Random Access Memory. We won't turn this into a lesson about how memory works, but rather we'll just deal with temporary memory how to capture it and how to view the contents.

Capture Memory 00:20-02:37 There are several tools that can be used to capture memory. For Windows, we have DumpIt, Magnet RAM Capture, and Forensic Tool Kit Imager, or FTK Imager. There are tools for other operating systems, such as Linux Memory Grabber for Linux. For this demo, I'm going to use FTK Imager. FTK Imager uses a GUI interface, but other tools are command line tools, such as DumpIt.

The best practice when capturing memory is to not install or store anything on the machine you're investigating. You'll want to do this with removable media. And of course, you certainly can't turn the machine off. Otherwise, the data in memory will be lost. Check the documentation for the tool you're using to find out the proper way to use it. For this demo, I have FTK Imager on this machine. This isn't the best practice but it was previously installed.

I'll come down to the search bar; I type in FTK and go ahead and open it. I'll say click Yes for the User Account Control. Once opened, I just need to go to the File Menu and come down to Capture Memory. My Memory Capture dialog window pops up and the first thing I do is find somewhere to save the memory dump. I'll navigate to this external drive that's called Forensic Tools, select the folder called Memory Dump, and click OK. You can also include the page file. This is the file on the hard disk where memory is copied when your computer needs to free up some space. I'll select that. We could also choose to select Create AD1 file. AD1 files is a FTK image file, but we won't select that for this demo. Now, I click on Capture Memory and it proceeds to create two files one for the memory dump and the other for the page file. I'm on a virtual machine with only two gigs of memory, so this will only take a few seconds. I'll close out of here and exit.

Now, I'm going to confirm that those files are there. I'll go to Windows Explorer and navigate to the folder with the files in them. Here I have my memdump.mem file and also my pagefile.sys file. Notice that my memory dump file is about two gigs in size. If using a USB drive, make sure it's larger than the memory in the machine. So, a computer with 8 gigabytes of memory isn't going to fit on a 4-gigabyte flash drive.

That's all there is to capturing memory. Now, let's look at the contents of a memory dump.

View Captured Memory 02:37-04:08 We could look at the memory that we just captured, but it's from this virtual machine that I'm working on, and to be honest whatever we find in memory will be boring stuff. Instead, I downloaded a memory dump to look at that might have something more interesting on it.

Let's go over to our C drive and, under that, I have a folder called Memory. In here you can see I have a file called volatility.exe, which is the program Volatility. I have their website opened; let's take a quick look at it and see what this does. Basically, it says that Volatility is used for analyzing the runtime state of the volatile storage on a machine or RAM.

Back in Windows Explorer, we have another file in here called cridex.vmem. This is a memory dump that contains some malware. Let's look at what exactly we have here. I'll bring up the Wikipedia page that tells us more about it. We won't spend a lot of time looking at this, but it says that Cridex is a form of malware that steals bank credentials by using macros in Microsoft Word or Excel.

I have another tab open and it's a page on GitHub. If you want to practice looking at different types of malware in memory dumps, you can find them here and download some to look at. Here's the one I downloaded for this demo. There are other sites also. One word of caution: use virtual machines that are in a sandbox and isolated from other systems on the network if you're going to open up memory dumps and examine them.

This last page I have open is the information page about Cridex. We'll come back to this in a few minutes.

Run Volatility 04:08-08:49 Let's run Volatility. It's done from the command line, so I'll come down here to the search field and type in 'cmd'. I right-click and choose to run it as an administrator. Click Yes to allow it to run. I have my Command Prompt open here. I need to go to the directory where my Volatility program is located. If we look at Windows Explorer, you can see we have a folder called Memory in the root of our C drive. We also want to take note that our memory dump is there.

First, let's move to the directory; I type 'cd c:/memory' and press Enter. Now, let's type 'dir' to see the contents of our folder. Here's my memory dump and here's Volatility. I'm going to type 'volatility.exe' to run the program and enter '-h' so we can see our help options. All these here are the plug-ins that we can use. Let's look at a few of these.

This one here image info is used to identify information for the image. This will tell us about the operating system and some other information. Down here a little way, we have ps list. This lists the running processes from our memory dump. The next one, which is called ps scan, will also show processes that've been terminated. Under that, we have ps tree, which just lists things in a hierarchal view. Now, I'll go up and take a look at this one conn scan. This will scan for TCP connections. Right above that, we have Connections. This will show us open connections but only with older operating systems. Now, let's try a few of these out. I'll type 'cls' to clear the screen.

In Command Prompt, I'll arrow up until I get to 'volatility.exe -h'. I backspace and type '-f' to identify the file. Finish this with 'cridex.vmem imageinfo'. Now it says it's doing a KDBG search. KDBG is the structure maintained by the Windows kernel for debugging purposes. It contains a list of the running processes and loaded kernel modules. It also contains some version information that allows you to determine which operating system version the memory dump came from. We can see this is an older memory dump from a Windows XP machine. There's some other useful information here, such as the date it was created.

I'll use my up arrow to bring up the last command, hit backspace, type in 'pslist', and press Enter. Here, I see the processes that were running when the memory dump was captured. I have the Name, PID, when the process started, and so on. We can look at these processes and try to determine if anything is out of the ordinary.

I'll clear my screen, up arrow to the last command again this time type 'psscan'and press Enter. Here I can see some more processes that are hidden or have been terminated. Once again, I have my labels here. I have Name, PID, Time created, and also Time exited.

This time we'll look at the process tree. I'll up arrow, backspace, and type 'pstree'. This gives us the processes in a tree view, or hierarchal view.

Now, lets look at the DLL files that our memory capture has. I'll clear my screen and then type 'dlllist' to print a list of the DLL files that were in use. If I scroll up, you can see perhaps dozens or hundreds of DLL files.

Let's take a look at the Sophos website for a minute. Here we can see some information about the malware that's supposed to be affecting this memory dump. The site tells us some things, such as the MD5 hash value and a variety of other information. What I want to look at is this down here the known IP connections that's associated with the malware. Let's go back to our Command Prompt window and see if there were any network connections when this memory dump was captured.

I'll up arrow to the last command, type in 'connscan', and press Enter. It gets two IP addresses. I wonder if either of these are in that list. I'll just look for the one here that ends in the 5.140 on port 8080. I'll go back to the website and scan down this list here. This looks like the IP address that we have, which is 41.168.5.140. We go back to our command window and, sure enough, it's the same IP address.

I'll clear the screen and do one more. This one checks connections. Up arrow and this time type 'connections'; then press Enter. Here it is again, the same IP address that was on the Sophos website.

Remember, use the '-h' parameter to bring up Help in Volatility and get a list of the different plug-ins you can try. Also, remember to do this on a machine that's isolated from the network and other machines.

Summary 08:49-09:08 That's it for this demonstration. In this demo, we captured a memory image from a Windows machine using FTK Imager. Then we used a program called Volatility to examine a memory dump that contained malware and had a connection to a malicious IP address.

7.3.13 Create a Virus

Click one of the buttons to take you to that part of the video.

Create a Virus 00:00-00:43 Once upon a time, everyone in the computer world got along, and viruses didn't exist. But that time is long gone. Today, the people that create viruses are very tech savvy. Wouldn't using those skills to create something useful be better for them, and for everyone else? Absolutely. So, you might be dazed and confused when I tell you that in this demo, we're going to create a virus. Don't fall out of your chair! There are several good reasons for you to learn how to create a virus. First of all, I want you to be aware of how easy it is to create a virus. In addition, as a security analyst, you may use a virus you create to test systems' and users' behaviors. So, let's get started.

JPS Virus Maker 00:43-02:24 Today, there's an app or program for just about everything, and creating a virus is not different. We're going to use a program called JPS Virus Maker. Your antivirus, browser, firewall, and everything in between will recognize this program as malicious, so I had to modify the system before I could even install the program. I'm also using a virtual machine, so I took a snapshot before starting this demo in case something goes horribly wrong.

To get started, I'll open the virus maker. You can see that the interface is pretty simple. Some of the things I can do are disable the registry, disable msconfig, and hide services. None of these things are technically viruses, but are definitely really annoying.

Let's move over to the next page.

The scariest thing about this program is that you can have it run a custom command. For instance, I could enter in a command to run a script to install a backdoor on the system that I could gain access to later.

Down here, I can make the finished virus have an icon such as a jpeg or PDF.

Here are some action options, such as having the machine restart, log off, or turn off.

Here, I can specify what the virus will look like after it has started and installed. And to the right, I can specify a server name. This list of names all looks like things that a normal user would not recognize as something that should not be running on their system.

Now I'll come down and click Create Virus!, and a dialog pops ups to tell me the creation was successful. I'll close the program, and let's open up the folder where the program is sitting. I'll see what looks like a PDF file with the name of Sender. I'm not going to open this file on my system; if I'm an attacker, I'm going to send it as an attachment or do something else to get a user to open it on their system.

Summary 02:24-02:41 That's it for this demo. In this demo, we looked at how to create a virus with JPS Virus Maker. We discussed some of the things a virus can do and how we might deliver a virus to a victim.

7.3.14 Create an HTTP Trojan

Click one of the buttons to take you to that part of the video.

Create an HTTP Trojan 00:00-00:53 Distributing Trojans to unsuspecting victims is one of hackers' favorite tricks. Many Trojans are extremely complex and give a hacker a lot of power over the victim's device. In this demo, we're going to discuss a tool called HTTP RAT. RAT stands for remote access Trojan. In this case, it means that this tool can create an application that hosts a web server on the victim's machine that grants access to system information, including the victim's personal files. While this tool is older, it still shows the kind of capabilities remote access Trojans can have. Be aware that this Trojan is detected by virtually every antivirus tool that exists today. For that reason, I'm not going to distribute the Trojan to another machine. Instead, I'm going to run it on the machine I create the Trojan on. This way, we can still see the Trojan's capabilities, and we don't have to evade antivirus software.

Create the Trojan 00:53-01:32 HTTP RAT is a very simple tool and only has a few options. It has an option to email the user information about the targeted machine so that the user knows how to access the web server. It also has an option that will disable the firewall on the targeted machine and an option to set the port number we'll access the web server on. I'm going to disable the notification option, since I already know this machine's IP address. I'm going to leave the port set to 80. But if you're trying to compromise a computer, it's a good idea to run your exploit on a non-standard network port so that it doesn't interfere with the normal functionality of the targeted computer.

I've selected the appropriate option. Let's hit Create.

Run the Trojan 01:32-01:56 Now that the Trojan is created, I have a file called httpserver on my desktop. I'll run that now and approve any permission requests that appear.

After we approve that request, it doesn't look like anything is happening. I can verify that our Trojan is running by opening up Task Manager. It looks like the program is, in fact, running. That means we can move on to accessing the new backdoor that we created.

Explore the Backdoor 01:56-03:00 This tool's web server protocol is a little old, so it doesn't always work in newer web browsers. I'm going to open up Internet Explorer and navigate to this computer's IP address to access the backdoor interface. Up here, in the address bar, I'll type in 10.0.2.15 and press Enter.

Now that I have the interface up, I can see that I installed HTTP RAT successfully. The options that are available are to show running processes, browse the computer's file system, and show some information about the computer.

On the running processes page, I can see the programs running on the computer, and I can close any of them by clicking Kill. As I scroll down, you can see all the processes that are running on the system.

On the browse page, I'm presented with a list of drives on the computer. And as I explore deeper in the file structure, I can see actual files on the computer. I can run any program that's on the machine. I can also download or delete any file I like.

The last page available through this tool is the Computer Info page. It shows some very simple stats about the computer, including its name and the users that are on the machine.

Summary 03:00-03:13 And that's it for this demo. We looked at how to create a remote access Trojan using HTTP RAT, and we saw what that Trojan is capable of doing.

7.3.15 Use ProRat to Create a Trojan

Click one of the buttons to take you to that part of the video.

Create a Trojan Server Using ProRat Tool 00:00-00:33 Remote Access Trojans, or RATs, can be simple or very complex. The Trojan, which is called ProRat, is capable of performing some pretty serious tasks. I'm going to use the Trojan to attack the same computer that I create it on. Like other RATs, antivirus software will detect ProRat pretty quickly. Rather than providing a web interface to interact with the victim machine, ProRat provides a GUI application. It has a client-server relationship, so we need to make the server that will compromise our target machine.

Create the Trojan 00:33-01:48 To start, I'll open up ProRat. There are a lot of options here, but most of them aren't useful until we have a victim to connect to. I'll start by clicking Create > Create ProRat Server. Since I know the information for this machine, I can disable all the notification options. Now, before I create the server, I need to select a few options to configure it to do what I want. On the General Settings tab, I'm going to uncheck all the options on the top half of the screen. Most of these options don't work on Windows 10, so they aren't very useful to us. Next, it's important to note the port number and password. I can see my port is 5110, and the password is 123456. We'll use this information to connect to the victim's machine. Since it won't hurt to keep the invisibility options selected, I'll move on to the Bind with File tab.

With ProRat's help, you can make it more likely that a user will run the Trojan. Many users are unlikely to run a file called RunMe.exe, but they might run a file named CreditCardInfo.exe, and that's what the Bind with File page is for. I can tell ProRat to run whenever a specific file is opened, but in this scenario, I'll just run the Trojan directly.

The Server Extensions and Server Icon options are fine as they are, so I'll click Create Server Now. And now I can run the server.

Use the Trojan 01:48-03:00 Security has gone a long way since Windows XP, and I have to take an extra step to launch the Trojan. I need to run it as an administrator to make it work. Let's do that now and see if I can connect to the Trojan server. I'll come down to Windows Explorer, and we'll navigate to the folder where I downloaded the program. I'll right-click on server.exe and click Run as administrator. Say Yes to the User Access Control and allow access to the firewall. Now let's get these windows out of the way and click on Connect. My password is 123456. Click OK, and it looks like I got connected.

I can take a look at some of the other options inside ProRat now. I won't go through all of the options, but let's take a look at some of the more interesting ones.

PC Info can tell us about the computer. If I click System Information, it'll show me the computer name, the current user, and a few other details. Applications shows me a list of running processes and an option to kill them. Opening chat takes over the victim machine and wouldn't allow me to recover, since I'm running the server and client on the same computer. I can browse the victim machine and download files with File Manager. Finally, if I want to further compromise the victim's machine, I can use R. Downloader to download and install a more serious virus on the computer.

Summary 03:00-03:16 And that's it for this demo. We discussed remote access Trojans, and we looked at a Trojan called ProRat, which is a very powerful tool that can allow a hacker to completely take over a victim's machine.

7.3.16 Mobile Device Attacks

Click one of the buttons to take you to that part of the video.

Mobile Device Attacks 00:00-00:31 Mobile devices have become an integral part of our daily lives in today's world. We use our mobile devices to communicate, shop, bank, and manage our lives. The amount of data that's sent through these devices is staggering. With all this sensitive information being transmitted by these things we carry around in our pockets, it's easy to see why they're such a huge target for hackers.

In this lesson, I'll look at some mobile device vulnerabilities and some common attacks you should be aware of.

Mobile Device Vulnerabilities 00:31-03:57 Mobile devices share many of the same security concerns that come with other computing devices, like stolen passwords, phishing, and spoofing. But mobile devices also have security issues that are unique to them. Let's look at some of these unique issues.

First, mobile apps are a major source of vulnerabilities. Since practically everything we do on our devices is done through these apps, our devices are inherently vulnerable if apps aren't secured properly.

Most good apps stick to their own sandbox. This means that the app is limited to only the resources that it needs to perform its intended functions. This prevents apps from interfering with each other and can prevent malware from spreading. But some malware can exploit an app and break out of the sandbox.

An app store itself can also be a vulnerability. For the most part, app stores keep malware out of their systems, but sometimes a program sneaks in for a little bit until it's discovered and pulled.

It's possible for users to sideload apps from unofficial stores that contain malware. To sideload these unofficial apps, the device usually needs to be jailbroken or rooted. This means that someone was able to bypass the security features, and in doing so, made the device easier for a hacker to infiltrate.

Another common vulnerability is unsecure communication. These can be mobile-to-mobile, app-to-server, or mobile-to-something-else transmissions, like to a Bluetooth device for example. Apps package and send out sensitive data in cleartext as well, which makes it easy for anyone to capture and read.

According to the Open Web Application Security Project, commonly just called OWASP, the number one risk for mobile devices is improper platform usage. Almost all mobile device operating systems provide well-documented security capabilities. Sadly, though, many app developers fail to use these capabilities correctly or even at all. This opens a whole slew of vulnerabilities on our devices.

Another common mobile device vulnerability is weak authentication, such as not having a strong password, pin, or pattern lock. Mobile devices are designed to easily connect to wireless networks so that users can connect to different networks as they travel around. Devices often make unprotected wireless connections without the user even knowing it's happened. Another vulnerability is the fact that most mobile devices update automatically unless you turn this feature off. And even so, out-of-date operating system software continues to be a problem. The same goes for patching applications.

All these vulnerabilities fall into one of three attack vectors. First, we have device vulnerabilities. These include browser-based attacks, like phishing and clickjacking. Phone and SMS attacks, including SMiShing and application-based attacks, fall under the device category. System OS vulnerabilities are things like weak passwords and rooting.

The next category is the network. This includes connecting to Wi-Fi using weak encryption, rogue access points, packet sniffing, on-path attacks—also known as man-in-the-middle attacks—and more. The final category is the database. Mobile apps store data in databases, which can be vulnerable to SQL injection, privilege escalation, data dumping, and OS command execution.

As you can see, mobile devices can be subject to quite a few vulnerabilities. Attackers are well aware of this and exploit them to the greatest extent possible.

Mobile Device Attacks 03:57-05:38 Mobile device attacks can be quite devastating to our devices and data. Let's look at some of the common attacks we see hackers attempt.

One of a hacker's primary goals is to trick a victim into clicking on links that lead them to malicious sites or to downloadable malware. Attackers usually use SMiShing attacks to achieve this. SMiShing is just a phishing attack that uses text messages. If a victim falls for an attack like this, the results can be disastrous.

Another one is the Agent Smith attack. Attackers build an app and get users to download it through third-party app stores. When the app is installed, the malicious code spreads through the device and replaces other legitimate apps with fake malicious versions. A massive amount of fake ads are displayed on the device and the attacker can steal data and money from the victim.

An attacker might also be able to exploit a vulnerability in the Signaling System 7, or SS7, communication protocol. This protocol is used to communicate on a different cellular network, such as when you're roaming. With this exploit, attackers might be able to carry out an on-path attack and steal an app's login credentials, exfiltrate sensitive data, or get around the two-factor authentication.

Simjacker is an attack that exploits a vulnerability in a SIM card's S@T browser. The attacker sends a malicious text message and is able to take control of the SIM card settings. He or she can then make phone calls, send messages, connect to malicious site, and more.

These are just a few examples of the attacks that hackers can carry out on our mobile devices. As manufacturers develop new devices and features, hackers are right there, discovering new vulnerabilities and exploitations.

Summary 05:38-06:05 That's it for this lesson. In this lesson, we looked at mobile device vulnerabilities and where they occur, including within the device itself, on the network, and in the database. We also covered a few of the attacks that hackers carry out on mobile devices. As a security specialist, you need to be aware of these vulnerabilities and attacks so you can take appropriate steps to protect your devices.

7.3.17 Mobile Device Attack Facts

Mobile devices are an integral part of our daily lives. These devices are used to shop, bank, and manage all aspects of life. The amount of data transmitted through these devices makes them a valuable target for attackers. Security specialists should be aware of the device vulnerabilities and attacks that are used against them.

This lesson covers the following topics:

Mobile device vulnerabilities
Mobile device attacks
Sandboxing for malware analysis

Mobile Device Vulnerabilities

Some security concerns are unique to mobile devices, and other concerns have a special emphasis in a mobile environment. The following table lists a few of these concerns.

Mobile Device Vulnerabilities	Description
Malicious websites	Malicious or compromised websites are often used to launch web or network attacks. An attacker can design a website to easily determine the device being used and use malicious code that specifically targets that device.
Unsecured apps	Most users spend more time online using apps than a browser. These apps may not have the same security protections as a browser. The mobile device platform's app store can also be a vulnerability. App stores strive to keep malware out of their systems, but sometimes a malicious program is allowed in the store until it is discovered and pulled. Users can also sideload malicious apps from unofficial stores. The device usually needs to be jailbroken or rooted to sideload these unofficial apps. This means many security features are bypassed, making it easier for a hacker to attack the device.
Phishing attacks	Phishing and other social engineering attacks are often more productive on mobile device users. Users can be easily distracted when using a mobile device. Mobile device users share the same kind of information on social media that the mobile attackers are asking for. On a mobile device, users might not be as alert to sharing sensitive information or downloading malware.
Sandbox/isolation	Most legitimate apps function within a sandbox, making them programmatically isolated from other apps. This means the app is limited to the resources it needs to perform its intended functions. This isolation prevents apps from interfering with each other and can prevent malware from spreading on the device. However, some malware can exploit vulnerabilities and break out of the sandbox. Misuse of app permissions can also lead to data loss. Many free apps, even those in an official app store, work as advertised but may send personal or corporate data to a remote system. This data is often used by advertisers but can just as easily be used by cybercriminals.
Lost and stolen devices	Data loss can occur when a mobile device is lost or stolen. A mobile device's small size makes it easy to carry and easy to lose. Mobile devices are easy prey for thieves who target them for the information they contain.
Insecure communication	Insecure communication occurs when sensitive data is packaged and transmitted into or out of the device in cleartext, making it easy for a hacker to capture and read. These communications can be: Mobile-to-mobile App-to-server Mobile-to-something-else (i.e., Bluetooth devices)

Mobile device vulnerabilities all fall into one of three attack vectors. The following table shows which vector a vulnerability falls under:

Mobile Device Attack Vector	Description
Device	These vulnerabilities exist on the mobile device itself. Examples include: Browser-based: Phishing Clickjacking Phone SMiShing Application-based vulnerabilities System OS Weak passwords Rooting/jailbreaking
Network	Vulnerabilities that exist in the mobile network include: Wi-Fi with weak encryption Rogue access points Packet sniffing On-path attacks
Database	Mobile apps store data in databases. Vulnerabilities in this category include: SQL injection Privilege escalation Data dumping OS command execution

Mobile Device Attacks

Mobile device attacks can be devastating to the device and the data stored on it. The following table describes some of the common attacks that can be used against mobile devices:

Mobile Device Attack	Description
Smishing	SMiShing is a phishing attack that uses text messages. The goal is to get users to click on a malicious link that may direct them to the attacker's malicious website or to download malware.
Agent Smith attack	The Agent Smith attack allows the attacker to steal data or money from the victim. The process for this attack is as follows: The attacker builds an app and gets users to install it through a third-party app store. Once installed, the app spreads malicious code through the device and can replace legitimate apps with fake malicious versions. Fake ads are displayed on the device. The attacker can also retrieve data and steal money from the user.
SS7 vulnerability	The signaling system 7 (SS7) communication protocol is used to communicate on a different cellular network, such as when roaming. This attack exploits vulnerabilities in the SS7 protocol, allowing an on-path attack in which the attacker can: Steal login credentials. Steal sensitive data on the device. Bypass two-factor authentication.
Simjacker	A simjacker attack allows the attacker to take control of a device's SIM card. This attack works by sending an SMS message to the victim. This message contains hidden SIM instructions supported by the device's S@T browser. This browser is an application that resides on the SIM card, not the phone itself. Because the SMS message is sent to the SIM card, the user does not see the message. The user does not need to take any action for the attack to work. If successful, this attack can allow the attacker to: Make phone calls. Send messages. Connect to malicious sites. Track the device.

Sandboxing for Malware Analysis

The nature of modern malware means that signature-based tools are less likely to block execution automatically. Manual analysis of malware can provide intelligence that identifies wider IoCs, which can inform the development of custom signatures, IDS rules, and behavior-based rulesets for EDR solutions. Malware analysis must take place in a controlled environment to mitigate intrusion and data breach risks during the analysis process.

Sandboxing is a technique that isolates untrusted data in a closed virtual environment to conduct tests and analyze the data for threats and vulnerabilities. Sandbox environments intentionally limit interfacing with the host environments to maintain the hosts' integrity. Sandboxes are used for various purposes, including testing application code during development and analyzing potential malware.

Analyzing files sent to a sandbox can include determining whether the file is malicious, how it might have affected certain systems if run outside the sandbox, and what dependencies it might have with external files and hosts. Sandboxes offer more than traditional antimalware solutions because they analyze the actions performed by malware after it is activated. This type of analysis often reveals hidden characteristics that avoid detection by conventional analysis and also reveals details useful for detection and forensic activities.

To effectively analyze malware, sandboxes should provide the following features:

Monitor any system changes without direct user interaction.
Execute known malware files and monitor for changes to processes and services.
Monitor network sockets for attempted connections, such as using DNS for Command & Control.
Monitor all system calls and API calls made by programs.
Monitor program instructions between system and API calls.
Take periodic snapshots of the environment.
Record file creation/deletion during the malware's execution.
Dump the virtual machine's memory at key points during execution.

The sandbox host used for malware analysis should be physically or logically isolated from the main network. Malware analysis should be the only purpose for the host. Virtualization offers convenient sandbox capabilities. However, exploits designed to target virtual machines and hypervisors cannot be ignored, so an isolated virtual platform is an important consideration for sandboxing activities. Sandbox protections must also consider additional host patch management and network access control precautions.