Malware Analisys, XSS, Botnets
Malicious software, or malware, plays a part in most computer intrusion and security incidents. Any software that does something that causes harm to a user, computer, or network can be considered malware, including viruses, trojan horses, worms, rootkits, scareware, and spyware. While the various malware incarnations do all sorts of different things (as you’ll see throughout this book), as malware analysts, we have a core set of tools and techniques at our disposal for analyzing malware.
Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it. And you don’t need to be an uber-hacker to perform malware analysis. With millions of malicious programs in the wild, and more encountered every day, malware analysis is critical for anyone who responds to computer security incidents. And, with a shortage of malware analysis professionals, the skilled malware analyst is in serious demand.
A malware almost always found on the Windows operating system—by far the most common operating system in use today. Also executables, since they are the most common and the most difficult files that you’ll encounter.
Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
A bot is a piece of malware that infects a computer to carry out commands under the remote control of the attacker. A botnet (short for “robot network”) is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.”
Each individual machine under the control of the bot-herder is known as a bot. From one central point, the attacking party can command every computer on its botnet to simultaneously carry out a coordinated criminal action. The scale of a botnet (many comprised of millions of bots) enable the attacker to perform large-scale actions that were previously impossible with malware. Since botnets remain under control of a remote attacker, infected machines can receive updates and change their behavior on the fly. As a result, bot-herders are often able to rent access to segments of their botnet on the black market for significant financial gain.
Common botnet actions include:
- Email spam– though email is seen today as an older vector for attack, spam botnets are some of the largest in size. They are primarily used for sending out spam messages, often including malware, in towering numbers from each bot. The Cutwail botnet for example, can send up to 74 billion messages per day. They are also used to spread bots to recruit more computers to the botnet.
- DDoS attacks– leverages the massive scale of the botnet to overload a target network or server with requests, rendering it inaccessible to its intended users. DDoS attacks target organizations for personal or political motives or to extort payment in exchange for ceasing the attack.
- Financial breach– includes botnets specifically designed for the direct theft of funds from enterprises and credit card information. Financial botnets, like the ZeuS botnet, have been responsible for attacks involving millions of dollars stolen directly from multiple enterprises over very short periods of time.
- Targeted intrusions– smaller botnets designed to compromise specific high-value systems of organizations from which attackers can penetrate and intrude further into the network. These intrusions are extremely dangerous to organizations as attackers specifically target their most valuable assets, including financial data, research and development, intellectual property, and customer information.
Botnets are created when the bot-herder sends the bot from his command and control servers to an unknowing recipient using file sharing, email, or social media application protocols or other bots as an intermediary. Once the recipient opens the malicious file on his computer, the bot reports back to command and control where the bot-herder can dictate commands to infected computers.
How botnets spread
A number of unique functional traits of bots and botnets make them well suited for long-term intrusions. Bots can be updated by the bot-herder to change their entire functionality based on what he/she would like for them to do and to adapt to changes and countermeasures by the target system. Bots can also utilize other infected computers on the botnet as communication channels, providing the bot-herder a near infinite number of communication paths to adapt to changing options and deliver updates. This highlights that infection is the most important step, because functionality and communication methods can always be changed later on as needed.
As one of the most sophisticated types of modern malware, botnets are an immense cybersecurity concern to governments, enterprises, and individuals. Whereas earlier malware were a swarm of independent agents that simply infected and replicated themselves, botnets are centrally coordinated, networked applications that leverage networks to gain power and resilience. Since infected computers are under the control of the remote bot-herder, a botnet is like having a malicious hacker inside your network as opposed to just a malicious executable program.