INM441: Network Security

Lectures:

  1. Attacks and Exploits
  2. Threat Landscape
  3. Malware I

Lecture 3: Malware I

16/02/2024
Dr Fadi El-Moussa @ BT

Staged Malware:

  1. Warhead (vulnerability to access system)
  2. Infection Engine (install malicious code, open ports, infect files)
  3. Propagation Engine (scan LAN, shared network files, emails)
  4. Payload (potentially request download from external source)

Attackers may have portals telling them which systems are infected with info on the system and which version of their malware is on the system.

Rootkits let you hide processes, files and network connections (locally, e.g. from Wireshark).
There are several types: user mode, kernel mode, hypervisor, bootkit, BIOS.
In order to run a rootkit in the kernel you need access to a specific DLL library, which can only be used with specific authentication.
However, malware can fake this authentication.
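The classic defensive response to process hiding is a cross-view check: enumerate processes through the high-level interface a user-mode rootkit typically hooks (the /proc directory listing that ps reads) and again through a lower-level path it may not cover (asking the kernel directly with kill(pid, 0)), then diff the two. The script below is an added example written for these notes, not lecture material; it assumes Linux procfs semantics, and it handles the two usual false positives (thread IDs, which also answer kill(pid, 0) but never appear in /proc, and processes that exit between the two enumerations).

```python
"""Cross-view check for hidden processes (added example; not from the lecture).

A rootkit that hides a process usually tampers with the view that ps and
similar tools read, i.e. the directory listing of /proc. A cross-view check
compares that listing with a lower-level probe the hook may not cover:
asking the kernel via kill(pid, 0) whether each PID exists. A PID that the
kernel confirms but the listing omits is worth investigating. Linux only.
"""
import os


def listed_pids():
    """High-level view: PIDs that appear in the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=None):
    """Low-level view: PIDs the kernel confirms via kill(pid, 0).

    Reads the system's pid_max so the scan covers the whole PID space;
    this can take a few seconds when pid_max is large.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768  # classic Linux default, used as a fallback
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)  # signal 0: existence check only, nothing is sent
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # another user's process: it exists, which is all we need
        alive.add(pid)
    return alive


def is_thread_id(pid):
    """True if pid is a non-leader thread (Tgid != Pid). Threads answer
    kill(pid, 0) but legitimately never appear in the /proc listing.
    An unreadable status file cannot prove a thread, so that yields False."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return fields["Tgid"].strip() != fields["Pid"].strip()
    except (OSError, KeyError):
        return False


def hidden_candidates(listed, probed, is_thread=is_thread_id):
    """Pure comparison step: PIDs present in the probe but absent from the
    listing, minus thread IDs. Separated so it can be tested with fixed sets."""
    return sorted(pid for pid in probed - listed if not is_thread(pid))


def scan():
    """Full cross-view scan with a second pass that drops processes which
    simply exited between the two enumerations (a common false positive)."""
    first = hidden_candidates(listed_pids(), probed_pids())
    if not first:
        return []
    still_alive = set()
    for pid in first:
        try:
            os.kill(pid, 0)
            still_alive.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            still_alive.add(pid)
    return hidden_candidates(listed_pids(), still_alive)


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers kill(pid, 0) but is missing from the /proc listing")
```

Run it as root to see every process. A kernel-mode rootkit that hooks the syscall path as well as procfs defeats this particular pair of views; the point of the technique is to pick two views that are unlikely to be hooked together, and to treat any disagreement as a lead for deeper forensics rather than as proof.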

DDoS attackers may use IRC to send Command & Control messages to bots.
Nowadays they use http or https. BitTorrent is also used.
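Because HTTP(S) command-and-control blends into ordinary web traffic, one of the few signals defenders have is timing: bots poll their controller at a fixed interval, while humans browse in bursts. The detection below is an added example for these notes (not from the lecture) that runs over a constructed proxy log; the log format, the IP addresses and the hostnames are all made up for the demonstration. It groups requests by (client, destination host), computes the inter-arrival gaps, and flags pairs whose gaps are both numerous and regular (low coefficient of variation).

```python
"""Beaconing detection over proxy log lines (added example; constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO-8601 UTC time> <client IP> <method> <URL> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)\S* (\d{3})$")

# Constructed sample: 10.0.0.5 polls 203.0.113.7 about every 60 s with a
# little jitter; 10.0.0.9 browses www.example.com in human-like bursts;
# 10.0.0.12 makes too few requests to judge.
SAMPLE_LOG = """
2024-02-16T10:00:00Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:01:01Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:02:00Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:02:59Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:04:01Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:05:00Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:05:59Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:07:00Z 10.0.0.5 GET http://203.0.113.7/update 200
2024-02-16T10:00:00Z 10.0.0.9 GET https://www.example.com/ 200
2024-02-16T10:00:05Z 10.0.0.9 GET https://www.example.com/news/1 200
2024-02-16T10:00:07Z 10.0.0.9 GET https://www.example.com/news/2 200
2024-02-16T10:02:10Z 10.0.0.9 GET https://www.example.com/news/3 200
2024-02-16T10:02:11Z 10.0.0.9 GET https://www.example.com/img/a.png 200
2024-02-16T10:10:00Z 10.0.0.9 GET https://www.example.com/news/4 200
2024-02-16T10:10:01Z 10.0.0.9 GET https://www.example.com/img/b.png 200
2024-02-16T10:40:00Z 10.0.0.9 GET https://www.example.com/ 200
2024-02-16T10:00:00Z 10.0.0.12 GET https://cdn.example.net/lib.js 200
2024-02-16T10:01:00Z 10.0.0.12 GET https://cdn.example.net/lib.js 304
2024-02-16T10:02:00Z 10.0.0.12 GET https://cdn.example.net/lib.js 304
""".strip().splitlines()


def parse_line(line):
    """Return (timestamp, client, host) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, host, _status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, host


def beacon_scores(lines, min_hits=6):
    """Map (client, host) -> (mean gap seconds, coefficient of variation)
    for every pair with at least min_hits requests."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            when, src, host = parsed
            hits[(src, host)].append(when)
    scores = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # too little data to call the timing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second: not a polling pattern
        cv = statistics.pstdev(gaps) / mean  # 0 = perfectly periodic
        scores[key] = (round(mean, 1), round(cv, 3))
    return scores


def suspected_beacons(lines, min_hits=6, max_cv=0.1):
    """Pairs whose request timing is regular enough to look like polling."""
    return {k: v for k, v in beacon_scores(lines, min_hits).items() if v[1] <= max_cv}


if __name__ == "__main__":
    for (src, host), (mean_gap, cv) in suspected_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: every ~{mean_gap}s, cv={cv}")
```

The thresholds (six hits, cv at or below 0.1) are starting points to tune against your own baseline. Modern C2 frameworks add deliberate jitter to widen the spread, so in practice this timing score is combined with other features such as rarity of the destination, byte counts that barely change between requests, and user-agent anomalies.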

IoT devices have little or no security due to low processing power and limited configurability by users. They are not made to be updated.
(Mirai malware, Reaper, BrickerBot)

Evasion Techniques


Lecture 2: Threat Landscape

09/02/2024
Dr Azvine - Global Head of Security Research @ BT

New generations of malware:
Viruses - 1990s
Worms - 2000s
Spyware - 2005
APTs* / Cyberwarfare - 2015
Autonomous Malware - Now

*Advanced Persistent Threat (combination of malware)

See the Log4j[3] and SolarWinds[1][2] hacks for supply chain attack examples.

Phishing is still a leading cause of attacks.
Blackeye[4] used to clone websites for phishing.
Often sent by email with fake URL.
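The "fake URL" in a phishing mail is usually a link whose visible text names the real site while the href points somewhere else, a raw IP address, or a punycode (xn--) look-alike domain. The checker below is an added example written for these notes, not lecture material; the sample HTML, hostnames and addresses are constructed. It extracts every anchor from an email body and reports the three mismatches just named, treating a subdomain of the same registrable domain (support.bank.example.com vs bank.example.com) as legitimate.

```python
"""Flag deceptive links in an HTML email body (added example; constructed data)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that "looks like" a URL or domain, e.g. "bank.example.com/reset".
DOMAINISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample message. Link 1 hides an IP behind a believable URL,
# link 2 uses a punycode host, links 3 and 4 are legitimate.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://198.51.100.23/verify">https://bank.example.com/login</a>
<a href="https://xn--bnk-2na.example.net/">Log in</a>
<a href="https://bank.example.com/help">Help centre</a>
<a href="https://support.bank.example.com/reset">bank.example.com/reset</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname from a URL or bare domain; '' if none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Simplification: the last two labels. A production check would use the
    Public Suffix List so that e.g. co.uk domains are handled correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, text, [reasons])] for every link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, relative links etc. are out of scope here
        reasons = []
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        if is_ip(host):
            reasons.append("IP literal host")
        shown = host_of(text) if DOMAINISH.match(text) else ""
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text says {shown}, link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {', '.join(reasons)}")
```

A mail gateway would run this on the decoded HTML part of each message and attach the reasons as a header for the spam scorer or a user-facing banner. Brand-name anchor text ("Your Bank") pointing at an unrelated domain needs a separate allow-list of known brand domains, which this example deliberately leaves out.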

Malware-as-a-service delivery model. Paying people to develop malware.
Malicious LLM alternatives[5] to ChatGPT used to generate malware.

The quantum computing arms race is changing our encryption approach.
What takes 1000 years to break today = 2.5 mins post-quantum.

[1] https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/
[2] https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach#SolarWinds_exploit
[3] https://en.wikipedia.org/wiki/Log4Shell
[4] https://github.com/EricksonAtHome/blackeye
[5] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/

Extra Links
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Lecture 1: Attacks and Exploits

01/02/2024

Taxonomies/Classification

Models of attack:
Typically 3 stages: Reconnaissance -> Gaining access -> Cover up

Examples:
Lockheed Martin Cyber Kill Chain
Trend Micro Attack Stages

Spoke about how vulnerabilities are found.
Some sources:

  1. https://www.exploit-db.com
  2. https://www.tenable.com/security/research

Kali Linux tools, with emphasis on Metasploit:

  1. https://www.metasploit.com
  2. https://nmap.org/ncat/
  3. https://www.kali.org/tools
