Defense Against the Dark Arts: Week 1


One of the classes I’m taking this term focuses on computer security. Each week we’re required to write a summary of what we learned, of which this is the first. If your eyes are already glazing over, fear not! We’re also required to frame it for an audience with no specific knowledge of computer security, so hopefully I can manage to keep it relevant and interesting.

This week’s material was divided into two parts:

  • A series of lectures by Christiaan Beek, a computer security expert at McAfee
  • A basic laboratory exercise in which we were required to observe the behavior of a piece of malware

Lecture

Terminology

Whenever I’m learning a new subject I like to keep a list of definitions. After all, knowing the lingo is an important part of knowing just about anything. Here are the terms I came across this week:

  • Malware: Something you don’t want on your machine. A portmanteau of malicious software. A general term for viruses, trojans, etc.
  • Virus: A type of malware defined by the fact that it replicates itself. Also known to spread itself via networks.
  • Trojan: A type of malware that gains access to a system through some form of deception; unlike a virus, it generally does not replicate itself.
  • Packer: A tool that encrypts a malware executable so that anti-virus software does not recognize it.
  • Ransomware: Malware that encrypts a victim’s files until they pay a ransom.
  • Anti-Virus: Also known as “AV.” Generally, software designed to protect against or remove malware.
  • APT: Acronym for an advanced, persistent threat. An attacker with skill, resources, and motivation to pursue a particular target.
  • Honeypot: Something that is used to attract malware so that it can be investigated or contained. Could be a file, a system, or something else.
  • Goat: A system that is “sacrificed” in the interest of investigating malware.
  • Patient zero: The machine on which an infection started.
  • Dynamic analysis: Studying malware by observing what it does while executing.
  • Static analysis: Studying malware by looking at its structure or code without executing.
  • Checksum: A fixed-length value (a hash) computed from a file’s contents. Anti-virus vendors and researchers identify known virus samples by their checksum.

Motivation

In addition to introducing new terminology, the presenter also discussed why people write and deploy malware. Needless to say, money is a common driver, as is the case for many types of criminal activity. Someone may write malware to steal credit card numbers, or to encrypt someone’s files until they pay a ransom. Malware may also be written for political purposes, as in the Democratic National Committee hacks during the 2016 presidential election. It might be written for notoriety, out of curiosity, or, in the words of the presenter, “to see how far one can take things.”

Vulnerabilities

The presenter also gave a brief overview of the ways in which computer systems are vulnerable to attack. These include the user, who might click on a link that lets malware onto their system. Oftentimes the software itself is vulnerable. He mentioned that vulnerabilities exist in Windows XP that cannot be fixed; as such, if a system running Windows XP is connected to the internet it will almost certainly be compromised.

Tools

I learned about a variety of tools from this week’s material, namely:

  • AntiSpy: Allows tracking down viruses and malware.
  • FlyPaper: Freezes processes before they exit so that they can be examined.
  • FakeNet: Sets up a fake network to catch traffic.
  • Process Monitor: For tracking and monitoring processes.
  • Process Explorer: For monitoring processes.
  • Volatility: Allows the examination of the contents of random access memory.

All of these applications run on Windows (though they may have Unix or other variants) and were used in the lab detailed below (with the exception of Volatility).

Lab

This week’s lab required us to run a piece of malware on a virtual machine (VM). Running malware in a VM provides many benefits, namely that it isolates the effects of the malware and makes it easy to return to a previous state (a snapshot).

I had a lot of trouble getting the VM to run properly. At first I wasn’t sure whether this was the malware, another program, or a lack of resources for the VM. Eventually I discovered that it was a resource issue and so was able to complete the lab by running analysis tools one at a time.

The malware is a type of trojan that writes and deletes some files, modifies the hosts file, and attempts to download files from the internet. These effects were explored using the applications detailed above.
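As an added illustration (my own constructed example, not part of the lab materials and not code from Process Monitor or any other tool), here is how the three behaviors just listed can be picked out of a Process Monitor CSV export with a short Python script, followed by a check of the hosts file itself. The log lines, the hosts-file contents, the process name `sample.exe` and the addresses are all made up for the example; the column names and operation names (`WriteFile`, `SetDispositionInformationFile`, `TCP Connect`) follow what Process Monitor writes when you export a capture as CSV.

```python
import csv
import io
import ipaddress

# Constructed Process Monitor CSV export (not the lab's real capture).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\drop.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\drop.tmp","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.5","sample.exe","4120","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Write"
"10:01:02.6","sample.exe","4120","WriteFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 812"
"10:01:03.0","sample.exe","4120","SetDispositionInformationFile","C:\Users\lab\AppData\Local\Temp\drop.tmp","SUCCESS","Delete: True"
"10:01:03.4","sample.exe","4120","TCP Connect","LAB-VM:49201 -> 203.0.113.10:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.9","explorer.exe","1432","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 812"
'''

# Constructed hosts file as it might look after the trojan touched it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
203.0.113.10    www.bank.example
"""

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"
DELETE_OPS = {"SetDispositionInformationFile"}
NETWORK_OPS = {"TCP Connect", "UDP Send"}


def triage(csv_text, process_name):
    """Return (kind, path) findings for one process from a Procmon CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile" and path.lower() == HOSTS_PATH:
            findings.append(("hosts_modified", path))   # checked before the generic case
        elif op == "WriteFile":
            findings.append(("file_written", path))
        elif op in DELETE_OPS and "Delete: True" in row["Detail"]:
            findings.append(("file_deleted", path))
        elif op in NETWORK_OPS:
            findings.append(("network", path))
    return findings


def summarize(findings):
    """Collapse the findings into the three behaviors observed in the lab."""
    kinds = {kind for kind, _ in findings}
    return {
        "writes_and_deletes_files": {"file_written", "file_deleted"} <= kinds,
        "modifies_hosts_file": "hosts_modified" in kinds,
        "network_activity": "network" in kinds,
    }


def suspicious_hosts_entries(hosts_text):
    """Flag every hosts entry except the stock localhost lines.

    A name pointed at loopback is being blocked; a name pointed anywhere
    else is being redirected. Either way an analyst wants to see it.
    """
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                           # not an address; skip it
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue
            hits.append((addr, name))
    return hits


if __name__ == "__main__":
    findings = triage(SAMPLE_PROCMON_CSV, "sample.exe")
    for kind, path in findings:
        print(f"{kind:15} {path}")
    print(summarize(findings))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

Running it against the constructed capture reports the temp-file write and delete, the hosts-file write and the outbound TCP connect for `sample.exe` only, and then lists the two hosts entries that are not the stock `localhost` lines. On a real capture you would export from Process Monitor with a filter on the sample's process name and point `triage` at that file.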

Side note: When I searched for the checksum of the malware we observed in the lab, I was able to find a listing for it on McAfee’s website.
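To make the checksum definition from the terminology list and this side note concrete, here is an added example of my own (not code from the course, McAfee or any vendor) showing how a sample is identified by its checksum and why that identification is fragile. The sample bytes, the “known sample” list and the detection name `Trojan.Constructed.A` are all constructed for the example; a real lookup would use the digest a vendor publishes for the sample.

```python
import hashlib


def checksums(data):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a byte string.

    Vendor listings commonly publish all three, so computing all three
    lets you match whichever one a listing happens to use.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a malware sample: just bytes, not a program.
SAMPLE = b"MZ" + b"constructed stand-in for a trojan sample" * 8

# Constructed "known sample" list keyed by SHA-256, the way a vendor
# listing or indicator feed keys its entries. The name is hypothetical.
KNOWN_SAMPLES = {sha256hex(SAMPLE): "Trojan.Constructed.A"}


def identify(data, known=KNOWN_SAMPLES):
    """Look a file up by checksum; None means 'not a known sample'."""
    return known.get(sha256hex(data))


def one_byte_variant(data):
    """Flip the last byte.

    Models what repacking or trivially editing a sample does: the file
    behaves the same, but every checksum changes, so a lookup by hash
    no longer finds it. That is the point of the "packer" definition.
    """
    return data[:-1] + bytes([data[-1] ^ 0xFF])


if __name__ == "__main__":
    print("sample digests:", checksums(SAMPLE))
    print("sample identified as:", identify(SAMPLE))
    variant = one_byte_variant(SAMPLE)
    print("one-byte variant identified as:", identify(variant))
```

The unmodified sample is identified by name; the variant, which differs from it by a single byte, is not. This is why checksum lookups are a fast first step in an investigation but never the last one: behavior, as observed in the lab with the monitoring tools, survives repacking while the checksum does not.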