Post on 16-Oct-2021
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
01-IntroductionCYS5120 - Malware Analysis
Bahcesehir UniversityCyber Security Msc Program
Dr. Ferhat Ozgur Catak 1 Mehmet Can Doslu 2
1ozgur.catak@tubitak.gov.tr
2mehmetcan.doslu@tubitak.gov.tr
2017-2018 Fall
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Syllabus
Expected Syllabus, subject to change
I Week 1: IntroductionI Main conceptsI Malware: definition, aim and
analysis requirementsI General analysis methods
I Week 2: Basic Static AnalysisI Basic Static AnalysisI Static analysis for Windows
and Linux OSI Week 3: Behaviour Analysis
I DefinitionI ToolsI Process
I Week 4: Assembly
I Memory management analysisI Intro to CPU architectureI x86 registersI Instruction sets
I Week 5: Code AnalysisI IDA Pro, GDBI Debuggers
I Week 6: Static AnalysisBlocking Methods
I PackersI Week 7: Dynamic Analysis
Blocking MethodsI Debugger blocking
I ....
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Reference Books
Reference BooksI Practical Malware Analysis : The Hands-On Guide to Dissecting
Malicious Software , Michael Sikorski, Andrew Honig -2012I Malware Analyst’s Cookbook, Michael Hale Ligh, Matthew Richard,
Steven Adair, Blake Hartstein – 2010
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Grading
Grading Policy (Also subect to change)I Midterm %30I 1st Hmw %10I 2nd Hmw %10I Final %50
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts I
MalwareI Malware, short for malicious software, is an umbrella term used to
refer to a variety of forms of hostile or intrusive softwareI Examples : computer viruses, worms, Trojan horses, ransomware,
spyware, adware, scareware,I It can take the form of executable code, scripts, active content, and
other software.
Trojan (or Trojan horse)
Trojan, is any malicious computer program which misleads users of its trueintent. The term is derived from the Ancient Greek story of the deceptivewooden horse that led to the fall of the city of Troy.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts II
WormI A computer worm is a standalone malware computer program that
replicates itself in order to spread to other computers.I It uses a computer network to spread itself, relying on security failures
on the target computer to access it.
RansomwareI Ransomware is a type of malicious software from cryptovirology that
threatens to publish the victim’s data or perpetually block access to itunless a ransom is paid.
I While some simple ransomware may lock the system in a way which isnot difficult for a knowledgeable person to reverse, more advancedmalware uses a technique called cryptoviral extortion, in which itencrypts the victim’s files, making them inaccessible, and demands aransom payment to decrypt them.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts III
RootkitI A rootkit is a collection of computer software, typically malicious,
designed to enable access to a computer or areas of its software thatwould not otherwise be allowed (for example, to an unauthorized user)and often masks its existence or the existence of other software.
I The term rootkit is a concatenation of ”root” (the traditional name of theprivileged account on Unix-like operating systems) and the word ”kit”(which refers to the software components that implement the tool).
BackdoorI A backdoor is a method, often secret, of bypassing normal
authentication or encryption in a computer system, a product, or anembedded device (e.g. a home router), or its embodiment, e.g. as partof a cryptosystem, an algorithm, a chipset.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts IV
KeyloggerI Keystroke logging, often referred to as keylogging or keyboard
capturing, is the action of recording (logging) the keys struck on akeyboard, typically covertly, so that the person using the keyboard isunaware that their actions are being monitored.
I Data can then be retrieved by the person operating the logging program.I A keylogger can be either software or hardware.
Remote Access Trojan (RAT)I A remote access trojan (RAT) is malware that controls a system via a
network connection as if by physical access.I While desktop sharing and remote administration have many legal uses,
RAT is usually associated with criminal or malicious activity.I RAT is typically installed without the victim’s knowledge, often as
payload of a Trojan horse, and will try to hide its operation from thevictim and from security software.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts V
Zombie (or Bot)I A zombie is a computer connected to the Internet that has been
compromised by a hacker, computer virus or trojan horse program andcan be used to perform malicious tasks of one sort or another underremote direction.
I Botnets of zombie computers are often used to spread e-mail spamand launch denial-of-service attacks (DOS attacks).
I Most owners of ”zombie” computers are unaware that their system isbeing used in this way. Because the owner tends to be unaware, thesecomputers are metaphorically compared to fictional zombies.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts VI
C2 Server(Command and Control Server)I command-and-control (C & C) servers are used to remotely send often
malicious commands to a botnet, or a compromised network ofcomputers.
I The term originated from the military concept of a commanding officerdirecting control to his/her forces to accomplish a goal.
I C&C servers were popular for using internet relay chat (IRC) networks,legitimate websites, and dynamic DNS services.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts VII
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts VIII
Exploit KitI An exploit kit is a software kit designed to run on web servers, with the
purpose of identifying software vulnerabilities in client machinescommunicating with it, and discovering and exploiting vulnerabilities toupload and execute malicious code on the client.
I Exploit kits that have been named include the MPack, Phoenix,Blackhole, Crimepack, RIG, Angler, Nuclear, Neutrino, Magnitude exploitkits.
Zero DayI A zero-day vulnerability is a computer-software vulnerability that is
unknown to those who would be interested in mitigating the vulnerability(including the vendor of the target software).
I Until the vulnerability is mitigated, hackers can exploit it to adverselyaffect computer programs, data, additional computers or a network.
I An exploit directed at a zero-day vulnerability is called a zero-dayexploit, or zero-day attack.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts IX
ObfuscateI Obfuscation is the deliberate act of creating source or machine code
that is difficult for humans to understand.I Programmers may deliberately obfuscate code to conceal its purpose
(security through obscurity) or its logic or implicit values embedded in it,primarily, in order to prevent
I tampering,I deter reverse engineering,I or even as a puzzle or recreational challenge for someone reading the
source code.
DeobfuscateI To deobfuscate is to convert a program that is difficult to understand into
one that is simple, understandable and straightforward.I There are tools available to deobfuscate a tough code or program into a
simple and understandable form.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Basic concepts X
Packer
that makes the code fuzzified.
ScarewareI Scareware is a form of malware which uses social engineering to cause
shock, anxiety, or the perception of a threat in order to manipulate usersinto buying unwanted software.
Spam-sending malwareI This type of malicious software in case the user performs the spam
sending after the computer is affected by malicious software.
https://youtu.be/n8mbzU0X2nQ
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Definition and Aim
DefinitionI Malicious Software ⇒ Malware Software ⇒ Malware
AimI Information leakageI distributed denial-of-serviceI To harm the target system
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Target Systems
Malware classification
I Mobile I Industrial systems I IoT devices
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mobile Malware
Figure: New android malwares per year 1
1https://thenextweb.com/apps/2017/05/04/android-350-malware-apps-hour/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mobile Malware Types
Figure: Distribution of new mobile malware by type in 2015 and 2016 2
2https://securelist.com/mobile-malware-evolution-2016/77681/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mobile Malware Geography
Figure: The geography of mobile threats by number of attacked users, 2016 3
3https://securelist.com/mobile-malware-evolution-2016/77681/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mobile Malware Top-10
Figure: TOP 10 countries by the percentage of users attacked by mobile malware 4
4https://securelist.com/mobile-malware-evolution-2016/77681/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
InstaAgent
InstaAgentI InstaAgent, an app that connects to Instagram and promises to track
the people that have visited a user’s Instagram account,I It appears to be storing the usernames and passwords of Instagram
users, sending them to a suspicious remote server.I it’s reading Instagram account usernames and passwords, sending them
via clear text to a remote server -
Figure: InstaAgent 5
5https://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
AceDeceiver
AceDeceiverI AceDeceiver was available on the App Store in the form of several
different applications, including AS Wallpaper and i4picture.I Using a specialized Man-in-the-Middle attack that exploits FairPlay (a
part of Apple’s DRM) AceDeceiver can trick iOS users into installingmalware onto their iOS devices.
Figure: AceDeceiver 6
6https://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
BankBot
BankBotI It was developed to siphon money from bank accounts of the victims, it
gains administrator priv. on the mobile devices in order to control them.
Figure: AceDeceiver 7
7http://securityaffairs.co/wordpress/55586/malware/bankbot-android-malware.htmlDr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Acnetdoor
AcnetdoorI It opens a back door on TCP port 8080 and waits for commands from
remote a site.I It obtains the device’s IP address and sends it to the remote location.I It transfer information to/from the client using 3DES Encryption
encryption.
Figure: Acnetdoor 8
8https://www.symantec.com/security response/writeup.jsp?docid=2012-051611-4258-99&tabid=2
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mitigations
MitigationsI Using Mobile Antivirus SoftwareI Applying Operating System UpdatesI Evaluation of permissions for the applications to be loaded
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Scada
ScadaI Supervisory control and data acquisition (SCADA) is a system of
software and hardware elements that allows industrial organizations to:I Control industrial processes locally or at remote locationsI Monitor, gather, and process real-time dataI Directly interact with devices such as sensors, valves, pumps, motors, and
more through human-machine interface (HMI) softwareI Record events into a log file
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Scada Attacks
Figure: Industrial control systems attacks over years 9
9https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Industrial Systems Malware Types
BusinessIT Systems
FinancialIntegrity
Denial ofService
Loss ofinformation
IndustrialControl
Systems
Loss of view
Loss of control
Chaos
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Shodan I
ShodanI Shodan is a search engine that lets the user find specific types of
computers (web cams, routers, servers, etc.) connected to the internetusing a variety of filters.
I https://www.shodan.io
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Shodan II
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Shodan III
KeywordsI country: find devices in a particular countryI city: find devices in a particular cityI geo: you can pass it coordinatesI hostname: find values that match the hostnameI net: search based on an IP or /x CIDRI os: search based on operating systemI port: find particular ports that are openI before/after: find results within a timeframe
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Modbus I
Modbus
I Modbus is a serial communications protocol originally published by Modicon (nowSchneider Electric) in 1979 for use with its programmable logic controllers (PLCs).
I It has since become a de facto standard communication protocol and is now acommonly available means of connecting industrial electronic devices.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Modbus II
Some Industrial ProtocolsI MODBUSI FIELDBUSI PROFIBUSI PROFINET
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Modbus III
MODBUS/TCP protocol vulnerabilities 10
I Lack of Confidentiality: All MODBUS messages are transmitted in clear textacross the transmission media.
I Lack of Integrity: There are no integrity checks built into the MODBUSapplication protocol. As a result, it depends on lower layer protocols to preserveintegrity
I Lack of Authentication: There is no authentication at any level of the MODBUSprotocol. One possible exception is some undocumented programmingcommands.
I Simplistic Framing: MODBUS/TCP frames are sent over established TCPconnections. While such connections are usually reliable, they have a significantdrawback. TCP connection is more reliable than UDP but the guarantee is notcomplete.
I Lack of Session Structure: Like many request/response protocols (i.e. SNMP,HTTP, etc.) MODBUS/TCP consists of short-lived transactions where the masterinitiates a request to the slave that results in a single action. When combined withthe lack of authentication and poor TCP initial sequence number (ISN) generationin many embedded devices, it becomes possible for attackers to inject commandswith no knowledge of the existing session.
10https://www.cyberbit.com/ot-security/scada-modbus-protocol-vulnerabilities/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Stuxnet
Stuxnet
Worms are effective for three types of systems.I Windows operating systemI Siemens PCS 7, WinCC and STEP7 WindowsI Siemens S7 PLCs
https://www.youtube.com/watch?v=scNkLWV7jSw
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Duqu
Duqu 11
I Duqu is a collection of computer malware discovered on 1 September2011,
I thought to be related to the Stuxnet worm
11https://cockpitci.itrust.lu/duqu-a-son-of-stuxnext-summary-of-technical-analysis/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Table of Contents
1 Course SyllabusSyllabusReference BooksGrading
2 IntroductionBasic conceptsDefinitionTarget Systems
3 Mobile MalwareMobile MalwareInstaAgentAceDeceiverBankBotAcnetdoor
Mitigations4 Industrial Systems
ScadaScada AttacksIndustrial Systems MalwareShodanModbusStuxnetDuqu
5 IoTDefinitionIoT PlatformsIoT ApplicationsMiraiBashlite
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
The Internet of Things I
The Internet of things (IoT)I IoT is the network of physical devices, vehicles, and other itemsI embedded with electronics, software, sensors, actuators, and network
connectivityI which enable these objects to collect and exchange data.I Experts estimate that the IoT will consist of about 30 billion objects by
30 billion.
Security ConcernsI Concerns have been raised that the IoT is being developed rapidly
without appropriate consideration of the profound securitychallenges involved.
I The firewall, security update and anti-malware systems used for thoseare generally unsuitable for the much smaller, less capable, IoTdevices.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
IoT Platforms
Platforms
I Raspberry PiI Intel Edison, GalileoI Arduino UNOI Beaglebone Black
I Banana Pi, Orange Pi
I Adafruit
I TI CC3200
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
IoT Applications 12
Smart CitiesI Smart ParkingI Smart LightingI Waste ManagementI Smart Roads
Smart MeteringI Smart GridI Tank levelI Water FlowI Silos Stock Calculation
Smart EnvironmentI Forest Fire DetectionI Air PollutionI Snow Level MonitoringI Earthquake Early Detection
RetailI Supply Chain ControlI NFC PaymentI Intelligent Shopping AppI Smart Product Management
12http://www.libelium.com/resources/top 50 iot sensor applications ranking/Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mirai I
Mirai 13
I Internet’s largest ever DDoS attacks of 1 TBPS in which 145,000 hackedwebcams were used.
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Mirai II
Figure: Default passwords 14
13https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/14https://intervisablog.wordpress.com/2016/10/26/here-are-the-devices-usernames-and-
passwords-used-in-iot-ddos-attacks/
Dr. Ferhat Ozgur Catak 01-Introduction
Course Syllabus Introduction Mobile Malware Industrial Systems IoT
Bashlite
BashliteI BASHLITE (also known as Gafgyt, Lizkebab, Qbot, Torlus and
LizardStresser) is malware which infects Linux systems in order tolaunch distributed denial-of-service attacks (DDoS).
I It has been used to launch attacks of up to 400 Gbps.
Figure: Bashlite 15
15https://www.hackread.com/bashlite-malware-linux-iot-ddos-botnet/Dr. Ferhat Ozgur Catak 01-Introduction