What is Malware?

Malware is malicious software — that is to say programs that violate one or more of the Five Pillars of IA (unbeknownst to the user under whose account it is running). Note that malware does not generally refer to software with unintentional bugs that adversely impact the confidentiality, integrity or availability of an information system.

Malware usually represents a different approach to attacking a system than the network attacks we've discussed, because the victim generally installs the malware or takes some action that results in the malware being installed — not realizing what they're doing, of course. In other words, instead of breaking into a system, we trick users into inviting us in. I'm reminded of vampires and how they have to be invited in.

This webopedia article is actually not a bad little write-up on the distinction between virus/trojan/worm.
We'll look at three types of Malware, categorized by how they get on your computer, i.e. how they propagate.
Malware is often associated with online crime. In this video, Mikko Hypponen gives a short, entertaining lecture about online crime and the threat it poses, and tells some interesting concrete stories about malware in the process.

Computer Virus Grounds Drone Fleet



Viruses and malware are problems out in the fleet, not only on people's everyday work computers, but also in the computers used to control platforms — like UAVs. Click on the image to the right to read about how a persistent virus on computers used to control drones disrupted operations in the Fall of 2011.

Virus

This term is the most broadly used word to describe unwanted programs on our computers. A computer virus is a computer program that can replicate itself and "infect" a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, or even the whole hard drive.

A virus will attach itself to another program or file on your computer. Most often they will attach to executables, and cannot run unless the executable file is executed. A virus cannot spread past your computer without some human action assisting. There are many different kinds of viruses including:

How a virus can make copies of itself (i.e. how a virus could "propagate") may seem like a bit of a mystery. To help understand and make things a bit more concrete we looked in class at the following virus for our message board (NOTE: The Javascript function encodeURIComponent( ) takes a string and encodes it in the form it should have to be in a URL calling a server side script.):
<em id="foo">
I love SY110!
<script type="text/javascript">
if(Math.random()<0.05)
{
  document.location="mb.cgi?msg="
  +
  encodeURIComponent('<em id="foo">' + document.getElementById("foo").innerHTML + '</em>');
}
</script>
</em>
Someone has to post this to the message board initially. For anyone visiting the message board subsequently, they see the message I love SY110!, but what they don't see is that their browser executes the script. There is a 95% chance that the script will do nothing. But, the other 5% of the time it sends a message to the server that posts a copy of itself on the message board, except that the username attached to that message will be of the victim, i.e. the user who's just visited the message board. The script uses document.getElementById("foo").innerHTML to get a copy of itself, which is how it can reproduce. When your instructor demoed this in class, you should have gotten a feeling for the nasty nature of exponential growth!

Worms

A computer worm is a self-replicating, self-propagating program that uses networking mechanisms to spread itself. This is a virus with the added functionality of spreading across a network without any help from a user. This is in contrast with most viruses and Trojans, which rely on the unwitting help of users. A worm typically scans the surrounding network and then exploits specific vulnerabilities in the host operating systems or services via an open port and then transfers itself to the new host. There are also other methods of propagation.
The Stuxnet worm targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems.

Some famous examples:

Trojan Horse

A trojan horse is named for the famous Greek story of ancient times. In the computer world, a trojan horse is a program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes exploiting legitimate authorizations of a system entity that invoked the program. In contrast to viruses, Trojans don't try to propagate — they don't try to replicate themselves or send themselves to other machines. In fact, "trojan" refers to the mechanism by which the malware is delivered not really to the malware itself. Once malware is delivered via a trojan, in might be used to gain access to other hosts, but not usually via the same trojan mechanism.

Back Orifice is an example of a trojan program. It provided legitimate functionality as a remote administration tool, but other functionality made it less suited for this legitimate role. The Back Orifice server program can hide itself from cursory inspections of the system and can even be installed without the user's permission.

Another vector prevalent today is through anti-virus programs on the web. A person visits a web site, and a pop-up window indicates they have 17 different types of spyware/viruses on their computer. If the user then downloads the program to eliminate the malware, he or she has now installed a different malware program! The initial windows that the user sees is in all likelihood just making up results to get the user to download the program.

To see a concrete example of a Trojan Horse, go check out your personal SY110 web page (recall: http://rona.cs.usna.edu/~m9999/index.html). You included a Javascript script that served the really useful function of displaying the HTML code in the body of your web page. However, hidden inside that script is a "logic bomb", a piece of code which, when the right conditions are satisfied, will suddenly change the behaviour of the program to do something bad. (If you do a view Source on your personal page and then click on the link for the Trojan Horse Javascript, you should be able to discover the logic bomb!)

Malware: Once it gets on my computer, what does it do?

Once on your system, Malware could be doing a host of bad things.

Duqu: a mini case study

One instance of Malware that has recently come to light is known as Duqu. Taking a little closer look at it is worthwhile because it illustrates a few points from this lesson along with connections to prior lessons. First off, there have been several Duqu attacks. We're talking about one of them. An interesting feature is that they each appear to have been somewhat customized to their target.
  1. Getting a foot in the door
    Duqu was initiated with a spearphishing attack: an e-mail to a company employee requesting more information with, in particular, the line "In the attached file, please see a list of requests." The "attached file" was an innocuous-looking Microsoft Word document. Opening up that Word document is what started all the trouble. In this we see why malware offers a different approach to attacking: the user actually opened the door and let the attacker in when he opened that e-mail.
  2. The exploit: executing shell-code with administrator privileges
    So how could simply viewing a Word document cause problems? Well, the Word document sent in this attack contained an "embedded font", meaning that the file contained within in it a block of bytes that defined what the characters used in the document should look like when displayed. The bytes that comprise the font definition are read in and processed by OS code that runs with administrator privileges. The font definition was actually badly formed in such a way as to trick this OS code into executing shell code (which was also part of the badly formed font definition) which, because it was executed by the OS code, ran with the highest possible privileges. This shell code installed the Duqu malware, which then was up and running long-term on the host, regardless of whether the Word document or Word itself remained open.
  3. Once established, what did it do?
    The motives of the attackers using Duqu have not been publicly reported. But some of the activities of the malware, if not the reasons for the activities, have been disclosed. Duqu contacted a command-and-control (C&C) server to receive instructions. In fact, the communication between C&C and the infected machine was done over HTTP and HTTPS. At least one Duqu C&C server, though not the one in the attack we're describing, was traced to a machine in Belgium at IP address 77.241.93.160. The C&C server loaded an extra module (piece of code) on the infected host that allowed it to attack another machine on the same network, making use of that local network access. Yet another module loaded onto the infected host by the C&C server was a key logger, which logged keystrokes and grabbed screen captures.
Further Reading

Malware as a Weapon


Malware has actually been used as an alternative to physical ("kinetic") attacks. In particular, as was related in a June 1 NY Times article, the U.S. and Israel cooperated to produce malware dubbed "Stuxnet", which was designed to cripple the Iranian nuclear weapons program. The article claims that one of the motivations for the U.S. in creating Stuxnet was to dissuade Israel from carrying out a physical attack. Was the U.S. also responsible for the Flame malware? Duqu?

There are serious ethical, legal, and policy questions surrounding the use of offensive "cyber weapons". With the revelation that the U.S. has created and used such a weapon, the debate around these questions has become more urgent. Your are taking or will take courses here at USNA about ethics, policy and even law. Keep these questions about the use of cyber weapons in mind as you take these other courses.

Prevention/Detection/Recovery

Malware Prevention Malware Detection Recovery
  • Email:
    • Open email only from trusted sources. Verify the executable file was intended to be sent, and use a virus scanning program to scan the incoming attachment.
    • No one wants to give you money!
    • Do not respond to requests for personal information!
  • Anti-Virus Software:
    • Scan new files/media prior to execution.
    • Maintain up-to-date definitions.
    • Run a full system scan periodically.
    • Many anti-virus solutions come with a system backup functionality that you may wish to explore.
  • Removable Media:
    • Disable Autorun in your Control Panel.
    • Do not share thumb drives/removable media between networks!
    • Follow established network user policy.
  • Software:
    • Install Operating System updates when they are available.
    • Maintain 3rd party software with the latest patches and updates.
  • Online:
    • Only visit trusted websites.
    • Be aware of HTTP cookies. You may block or disable as applicable.
  • Best Practices:
    • Turn off the computer system when it is not being monitored by an Intrusion Detection System(IDS)/Intrusion Protection System(IPS).
    • Enable auditing and monitor audits.
    • Correct any unsafe habits/policy violations.
    • Keep systems physically secure.
    • Follow/police established usage policies.
    • Report any abnormal response/uninitiated behavior to your system administrator immediately.
  • User/Administrator may observe abnormal behavior of the computer system. This maybe be an action that was not initiated by the user, a new toolbar, a program the user did not install, browser homepage changes, etc. A processing and/or network bandwidth slowdown may also be observed.
  • Anti-virus software scan can catch many types of malware! Make sure your program is using up-to-date definitions.
  • An IDS/IPS may detect an abnormally high amount of network traffic coming from a particular node, and can then scan for worms looking to propagate, or even discover worms in action.
  • Firewalls and email gateways can be connected to incorporate a malware scanner.
Recovery is the final step in the process of moving back to a functional computing environment. Keep the following in mind as you proceed.
  • Contact the IT Department or network administrator if available.
  • Disconnect the computer from the network. This will prevent the sending of personal information back to the attacker, and will also prevent the propagation of a worm.
  • Backup your important files. You should do this at periodic intervals. This is like car insurance. You want it there if you ever need it, but you hope you never need it.
  • Scan your machine for malware with an anti-virus/anti-malware solution. It is best to use a recovery cd from the anti-virus company or your operating system disk. You should treat the operating system, programs, and files as if they are infected.
  • Use a web-based scanning solution, such as Microsoft PC Protection Scan.
  • To achieve the best results, it may be necessary to start windows in Safe Mode (typically press F8 on startup). Safe Mode will prevent programs from automatically starting. You can also reinstall your anti-virus solution and perform a scan.
  • As a last resort, you can always format the hard drive. Unless you are good friends with a computer forensics analyst, you will lose all of your programs and data. Once formatted, you will reinstall your operating system, and start over again. Make sure to properly configure your security settings!
  • Always connect your computer back to the network as a last step. This helps protect everyone!