Malware 1

The document discusses malware, defining it as malicious software that enters systems without consent and can perform harmful actions. It categorizes malware based on traits such as circulation, infection, and concealment, detailing types like viruses, worms, and Trojans. Additionally, it explains methods for detecting viruses, including signature-based and behavior-based detection techniques.

Uploaded by

Naik Amal Shah

Malware and Social Engineering Attacks

Security+ Guide to Network Security Fundamentals, Fifth Edition


By Mark Ciampa
Malware

Instead, the virus seeks to a random location in the host program and overwrites the file with itself at that location.

CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 2


Attacks Using Malware
• Malicious software (malware)
– Enters a computer system:
• Without the owner’s knowledge or consent
– Delivers a malicious “payload” that performs a harmful
function once it is invoked
• Malware is a general term that refers to a wide
variety of damaging or annoying software



What does malware do?
Potentially nearly anything (subject to permissions)
• Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!”
• Destroy: files, hardware
• Crash the machine, e.g., by over-consuming resources
Fork bombing or “rabbits”: while(1) { fork(); }
• Steal information (“exfiltrate”)
• Launch external attacks: spam, click fraud, DoS
• Ransomware: e.g., by encrypting files
• Rootkits: Hide from user or software-based detection
Often by modifying the kernel
• Man-in-the-middle attacks to sit between UI and reality

Attacks Using Malware
• Malware can be classified by the primary trait that the
malware possesses:
– Circulation - spreading rapidly to other systems in order to
impact a large number of users
• Circulates by using the network to which all the devices are
connected, through USB flash drives that are shared among users,
or by sending the malware as an email attachment
• Malware can be circulated automatically or it may require an action
by the user



Attacks Using Malware
• Infection - how it embeds itself into a system
• Some malware attaches itself to a benign program while other
malware functions as a stand-alone process
• Concealment - avoids detection by concealing its
presence from scanners
• Payload capabilities - what actions the malware
performs
– Steal passwords
– Delete data
– Modify system security settings
– Participate in DDoS attacks

Circulation/Infection
• Three types of malware have the primary traits of
circulation and/or infections:
– Viruses
– Worms
– Trojans



Viruses
• Viruses perform two actions:
– Unloads a payload to perform a malicious action
– Reproduces itself by inserting its code into another
file on the same computer
• Examples of virus actions
– Cause a computer to repeatedly crash
– Erase files from or reformat hard drive
– Turn off computer’s security settings
– Reformat the hard disk drive



Viruses
• Viruses cannot automatically spread to another
computer
– Relies on user action to spread
• Viruses are attached to files (autorun.exe on
storage devices, email attachments)
• Viruses are spread by transferring infected files



Viruses
• Computer virus - malicious computer code that
reproduces itself on the same computer
• Program virus - infects an executable program file
• Macro - a series of instructions that can be
grouped together as a single command
– Common data file virus is a macro virus that is
written in a script known as a macro

Detecting the virus
• Signature-based detection - compares the content
of a file to a dictionary of known virus signatures

Detecting the virus
• Behavior-based detection - evaluates an object based on
its intended actions before it can actually execute that
behavior.
• Some examples include any attempt to discover a
sandbox environment, disabling security controls,
installing rootkits, and registering for autostart.
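The slide lists the intended actions a behavior-based scanner looks for. As an added example (not from the slides), here is a small rule engine that scores a constructed sandbox trace against those four behaviors; the event names, rule weights and the verdict threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sandbox trace (not real data): each entry is (event, target),
# recorded as the object *intends* the action, before it takes effect.
SAMPLE_TRACE = [
    ("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ("service_stop", "WinDefend"),
    ("file_query", "C:\\Windows\\System32\\drivers\\vmmouse.sys"),
    ("driver_load", "C:\\Users\\Public\\hide.sys"),
    ("file_write", "C:\\Users\\Public\\report.txt"),
]

@dataclass(frozen=True)
class Rule:
    name: str
    event: str
    needle: str      # case-insensitive substring the target must contain
    weight: int      # assumed weights; tune against real sandbox data

# One rule per behavior named on the slide: autostart registration,
# disabling a security control, sandbox discovery, rootkit (driver) install.
RULES = [
    Rule("registers_autostart", "reg_write", "\\CurrentVersion\\Run\\", 3),
    Rule("disables_security_control", "service_stop", "WinDefend", 4),
    Rule("probes_sandbox", "file_query", "vmmouse", 2),
    Rule("installs_rootkit", "driver_load", "\\Users\\", 5),
]

VERDICT_THRESHOLD = 6  # assumed: total score at or above this is malicious

def evaluate(trace):
    """Return (score, [matched rule names]) for a list of (event, target)."""
    hits, score = [], 0
    for event, target in trace:
        for rule in RULES:
            if rule.event == event and rule.needle.lower() in target.lower():
                hits.append(rule.name)
                score += rule.weight
    return score, hits

def verdict(trace):
    """Classify a trace as 'malicious' or 'benign' with its score and hits."""
    score, hits = evaluate(trace)
    return ("malicious" if score >= VERDICT_THRESHOLD else "benign"), score, hits

if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```

A plain file write scores nothing on its own; it is the combination of intended actions that pushes the sample over the threshold.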

Instead, the virus seeks to a random location in the host program and overwrites
the file with itself at that location.



Virus infection methods:
• Appender infection - virus appends itself to the end of a file
• Easily detected by virus scanners

Viruses



Encrypted virus

• This technique neutralizes all signatures that
were created based on patterns found in the
payload, since the payload is only decrypted
when running.
• The idea is to hide the fixed signatures by
scrambling the virus body, making it
unrecognizable to the virus scanner.

Encrypted virus
• Encrypt your payload and use a decryptor at the
beginning of the code. When the code is executed, the
decryptor will decrypt the payload, which will carry out
its malicious mission.
• After that, the decryptor will re-encrypt the payload with
a different key.
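The signature-based detection slide and the encrypted virus slides above describe two sides of the same problem. As an added example (not from the slides), the scanner below matches a byte-pattern dictionary against constructed file images: a plain appender infection is caught by a payload signature, while a copy whose payload is scrambled with a per-copy key is not, and only the unchanging decryptor stub still matches. The host bytes, payload, stub, signatures and the single-byte XOR used as the scrambling are all constructed for illustration.

```python
# Constructed stand-ins for program bytes (not real code or malware).
HOST = b"\x4d\x5a" + b"HELLO WORLD PROGRAM " * 4
PAYLOAD = b"<<MAL-PAYLOAD:delete-all-files>>"
STUB = b"[DECRYPTOR-STUB:xor]"   # constant across copies; the key is not

# Signature dictionary: name -> byte pattern. One signature was written
# on the payload body, one on the decryptor stub.
SIGNATURES = {
    "Demo.Plain.payload": b"MAL-PAYLOAD",
    "Demo.Encrypted.stub": b"DECRYPTOR-STUB",
}

def scan(data: bytes) -> dict:
    """Return {signature name: byte offset} for every signature found."""
    found = {}
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        if offset != -1:
            found[name] = offset
    return found

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key for b in data)

def appender_infection(host: bytes, body: bytes) -> bytes:
    """Appender infection: the body is simply added at the end of the host."""
    return host + body

def encrypted_variant(host: bytes, key: int) -> bytes:
    """Same payload, scrambled with a per-copy key behind the constant stub.
    A key of 0 would leave the payload unchanged, so it is rejected."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte value")
    return host + STUB + xor_bytes(PAYLOAD, key)

if __name__ == "__main__":
    print("plain appender:", scan(appender_infection(HOST, PAYLOAD)))
    for key in (0x5A, 0xC3):
        print("scrambled, key", hex(key), scan(encrypted_variant(HOST, key)))
```

The offsets reported for the appender case sit past the end of the original host bytes, which is the pattern scanners use to flag an appender infection; for the scrambled copies only the stub signature fires, regardless of key.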

Encrypted virus

Viruses

Classic example: encrypts the virus code, then divides the decryption
engine into different pieces and injects these pieces throughout the
infected program code.
