Choose ONLY ONE topic from the following topics for your presentation:
NOTE: (Topics are drawn from your project work in order to minimize effort).
1. Current Security Threats
2. Identify Vulnerabilities in IT Security
3. Analyzing Malicious Windows Programs
4. Analyzing Code Constructs in Malware
Please do an audio recording of your presentation with PowerPoint slides.
- You may use Microsoft PowerPoint software to record your audio on each slide (video is not required).
- PowerPoint presentation guidelines:
- Include title slide
- Minimum and Maximum of 12 slides including title slide and bibliography.
- Notes are required for each slide except title slide.
- Individual presentations should be timed to end in approximately 15 to 20 minutes.
- Powerpoint (PPT) (with audio recording) file should be submitted on Canvas by each individual in order to receive a grade for your presentation.
- Rubric used for grading is posted on Canvas.

Current Security Threats and Identifying Vulnerabilities in IT Security
Part 1: Current Security Threats
The main security threats that Aim Higher College may encounter are inadequate system logging, over-dependence on the security monitoring software, outdated operating systems (OS), and security that has not kept pace with technological change. The college has been growing and has migrated to automated systems to expand and supplement the existing ones. Its departments and offices use old and leased computers that may not have been updated for some time. These conditions expose the college's systems to a range of security threats.
The staff's over-dependence on the security monitoring system means that more information and data is generated than the college's staff are able to review. It is therefore important to have a security system in place that can both detect and prevent attacks on the system (CVE, n.d.). If a new threat appears that the security monitoring software cannot detect, the college is left open to attack or penetration from that direction. The same applies if the monitoring client is not installed on a new computer, or the monitoring software is not updated and configured to watch that system: it is again left open to attack or penetration.
Inadequate system logging is another threat to the college's systems. Because of staff reductions, the college has become more dependent on its security monitoring software, and the reduced staff are relied on to review and monitor the system logs. Updating these systems is a further issue: currently, updates wait for the downtime after the school year ends, so the college remains exposed to any newly discovered issues in its log tracking systems until those updates are applied. A standardized monthly update cycle for the log tracking systems is needed. Many systems are also not subject to active log monitoring; they should be added to those that are.

As the network and server footprint has grown, the capacity to monitor it has not kept up, and the pace of technological innovation is outrunning on-site security. Many students connect to the network over Wi-Fi; although it is a separate system, there is still a chance of students attaching infected or misconfigured devices. With the expanded use of wireless technology, many students use smartphones and tablets to access email on the college server, and this additional wireless usage combined with the existing student accounts has brought the email server close to capacity, so the server capacity will need to be expanded. These devices have also increased the load on content filtering, which is causing a bottleneck and slowing network traffic across the campus; adding a further filter would relieve this (CVE, n.d.).
Another threat to Aim Higher College is outdated operating systems (OS). The college is on a lease roll, and an extended lease cycle for some systems leaves outdated computers and operating systems on the network. The college also has a few older servers that have not been replaced with newer servers and operating systems because of budget constraints. With the end of support for Windows XP and Windows Server 2003, these need to be migrated to supported operating systems. The current desktops will be lease-rolled to resolve the issue, and resources must be found in the budget for the older systems and servers. The college should upgrade to a newer operating system version and to server hardware and software that is compatible with it (Oriyano, 2011).
The threats above indicate several areas of concern that Aim Higher College should work on; only once they are addressed can the security of the system improve. Addressing them will go a long way towards protecting the college's IT systems against attack. Since the departments have been using older computers that have probably not been updated for some time, the operating systems should be updated and, where possible, newer computers purchased, which will increase the effectiveness and efficiency of the IT systems and in turn the productivity of staff. An internal audit of the IT systems will also help in detecting and preventing security threats.
Part 2: Identify Vulnerabilities in IT Security
Aim Higher College is a fictitious institution located in the United States. It offers courses such as information security, nursing and business management at both undergraduate and postgraduate level. As a new information security analyst at the institution, I have been tasked with analyzing the threats and vulnerabilities of the college's information system and providing recommendations to help safeguard it. The institution has been encountering various attacks on its systems from attackers with malicious intentions. In this paper, I review the port and vulnerability scan data recently gathered from a typical system to identify the ports and services most exposed to attackers and the vulnerabilities that exist in the system.
This report therefore provides an in-depth analysis of the recent port and vulnerability scans run against a typical system on the institution's network. My review focuses on the ports found open, along with the threats that can enter through them, and then discusses the high-severity vulnerabilities and recommends appropriate remediation to strengthen the security of the system.
Aim Higher College focuses on safeguarding its systems and improving its Information Technology (IT) security standards, which means protecting the systems from the threats and vulnerabilities that could expose them. The recent scan of the institution's system showed two major issues: the open ports and services on the system, and a number of high-severity vulnerabilities. The list of open ports and services matters because it identifies the threats the system is likely to be exposed to and the measures that can be taken to protect it, and each high-severity vulnerability found can be matched to an appropriate fix.
Port 139 is the NetBIOS session service, used by SMB file and print sharing and by Samba, the SMB implementation that lets PCs and applications on a local area network (LAN) share files, printers and data. Computers communicating over this service raise a security concern because crucial information such as system names, domain names and account information can easily be retrieved from it. An attacker who finds port 139 open on the network can run enumeration tools over TCP/IP that reveal computer names, IP addresses and network shares. According to the OpenVAS vulnerability report (2015), the Samba version found is prone to a remote denial-of-service (DoS) vulnerability that affects Samba 3.4.5 and earlier. The appropriate measure is either to block port 139 at the firewall or to update Samba on the affected PCs to the latest version (Oriyano, 2011).
Port 21 is used by vsftpd (Very Secure FTP Daemon), the File Transfer Protocol (FTP) server commonly found on Linux systems. FTP is one of the most common methods of remote file access. Like telnet, FTP is unencrypted, which means that the credentials and data transmitted in a session can be captured, leaving the session vulnerable to attack. The OpenVAS report (2015) notes that attackers target vsftpd to gain access to the system. The recommended solution is to obtain the vendor's patched package and push it to the affected hosts over the network.
Port 80 is used by the Hypertext Transfer Protocol (HTTP) on which the World Wide Web (WWW) runs. The server listens on this port and receives requests from the web client. Trojans and other malware commonly send their traffic over port 80 because it is usually allowed through firewalls, so leaving this port open is a risk to the security of the system. The remote server also supports the TRACE method, which could be used for cross-site tracing (XST) attacks. The best remedy is to disable the TRACE method on the server (in Apache, TraceEnable Off) and update the PHP version; incoming traffic can also be restricted at the firewall.
Port 3306 is used by MySQL and is the port clients use to connect to the MySQL database server. Injection attacks, remote code execution and remote logins against MySQL servers are common on this port (Oriyano, 2011). The recommended solution is to enforce strong passwords on the servers and to update the database server version.
Port 22 is used by Secure Shell (SSH), a network protocol that gives administrators a secure way to access a remote computer, and also the name of the utility package that implements the protocol. SSH provides encrypted data communication and authentication between two computers on the network. According to the OpenVAS report (2015), the remote computer could be accessed with default login credentials. The remedy is to change those passwords as soon as practical.
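As an added example (not part of the OpenVAS or Zenmap reports this paper cites), the Python script below parses Nmap/Zenmap grepable (-oG) output and applies the per-port triage described above, so the review of open ports can be repeated on every new scan rather than done by hand. The scan text, hosts and addresses are constructed, not real scan data; the rules restate the recommendations for ports 21, 22, 80, 139 and 3306, and the category names are my own.

```python
"""Triage of open-port findings from an Nmap/Zenmap grepable (-oG) scan.

Added example for this report, not part of the OpenVAS or Zenmap output
the report cites. The scan text below is constructed to mirror the ports
discussed (21, 22, 80, 139, 3306); hosts, addresses and product names
are made up.
"""
import re

# Constructed sample of `nmap -sV -oG -` output (not real scan data).
# Field layout per port: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG - 10.0.0.0/24\n"
    "Host: 10.0.0.15 (lab-web01)\tStatus: Up\n"
    "Host: 10.0.0.15 (lab-web01)\tPorts: 21/open/tcp//ftp//vsftpd/, "
    "22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, "
    "139/open/tcp//netbios-ssn//Samba smbd/, 3306/open/tcp//mysql//MySQL/"
    "\tIgnored State: closed (995)\n"
    "Host: 10.0.0.20 (lab-db02)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "3306/open/tcp//mysql//MySQL/, 8080/filtered/tcp//http-proxy///\n"
    "# Nmap done\n"
)

# Triage rules for the ports discussed in the report: (risk category, action).
PORT_RULES = {
    21: ("cleartext", "FTP sends credentials and data unencrypted; patch "
                      "vsftpd or move to SFTP/FTPS."),
    22: ("remote-admin", "Replace default credentials; prefer key-based "
                         "authentication."),
    80: ("web", "Disable TRACE (Apache: TraceEnable Off), keep PHP current, "
                "restrict inbound access at the firewall."),
    139: ("lateral-movement", "NetBIOS/SMB leaks host, domain and share "
                              "names; block at the perimeter or update Samba."),
    3306: ("database", "MySQL should not be reachable from untrusted "
                       "networks; enforce strong passwords and patch."),
}

# port/state/proto/owner/service/rpcinfo/version/ (seven slash-terminated fields)
PORT_FIELD = re.compile(
    r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host_ip: [(port, state, proto, service, version), ...]}
    built from every 'Ports:' record in grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                     # comments and Status-only records
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_FIELD.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts.setdefault(ip, []).append(
                (int(port), state, proto, service, version.strip()))
    return hosts


def triage(hosts):
    """One finding per open port. Open ports with no rule still get a
    'review' finding so that nothing exposed is silently ignored."""
    findings = []
    for ip, entries in hosts.items():
        for port, state, proto, service, version in entries:
            if state != "open":          # filtered/closed are not exposures
                continue
            category, action = PORT_RULES.get(
                port, ("review", "No rule; confirm the service is needed and patched."))
            findings.append({"host": ip, "port": port, "proto": proto,
                             "service": service, "version": version,
                             "category": category, "action": action})
    return findings


def by_category(findings, category):
    """Filter helper, e.g. by_category(findings, "cleartext")."""
    return [f for f in findings if f["category"] == category]


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} "
              f"[{f['category']}] -> {f['action']}")
```

Run it against a real `nmap -sV -oG out.gnmap` file by reading the file into `parse_gnmap`; the filtered port on the second host is deliberately dropped so that only ports that actually answer are reported as exposures.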
In conclusion, the report has highlighted some of the vulnerabilities associated with the open ports on the system. The identified loopholes can be closed and the less severe findings worked through (Zenmap, n.d.). As a new information security analyst at Aim Higher College, I will work with the network team to adopt these recommendations to minimize or prevent the vulnerabilities. We will also review the firewall set-up so that only the relevant ports are allowed and those that pose more risk to the college's IT systems are blocked.
Part 3: Analyzing Malicious Windows Programs (Lab 7.1 from PMA)
1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?
Malware commonly uses one of two ways to achieve persistence:
· It registers itself as a system service configured to start automatically.
· It creates an entry under a startup registry key, for example HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
To find out which one this sample uses, we examine its imports for APIs related to either method, as in Figure 1.0 below.
Figure 1.0. Related imports
The Imports window in Figure 1.0 shows no imports related to manipulating the registry, but it does show imports related to managing system services. StartServiceCtrlDispatcherA is called early in execution; double-clicking the import jumps to its entry in the data section, and pressing X on the highlighted import lists its cross-references, which locates the call site at 0x401028, as in Figure 1.1.
Figure 1.1. StartServiceCtrlDispatcherA call site
Immediately after that call site there is a call to a subroutine named sub_401040. Double-clicking it opens it, and scrolling through it reveals further imported calls such as OpenSCManagerA and CreateServiceA, shown in Figure 1.3. The name of the service being created, "Malservice", is visible as an argument to CreateServiceA.
Figure 1.3 sub_401040.
2. Why does this program use a mutex?
A mutex lets the malware check whether the system is already infected, so that only one copy of it runs at a time. To see how this sample uses one, we return to the Imports window and look for the mutex APIs (OpenMutexA and CreateMutexA), as in Figure 2.0. Figure 2.1 shows how following those imports to their call sites reveals the mutex being created with the name "HGL345"; if opening the mutex succeeds, another copy is already running and the sample exits.
Figure 2.0. Mutex imports
Figure 2.1. HGL345 mutex
3. What is a good host-based signature to use for detecting this program?
A good host-based signature is anything the malware creates or modifies on the infected host that can be used to recognize it, such as filenames, memory structures, services and registry keys. From the previous two questions we already have two good host-based signatures: the service name "Malservice" and the mutex name "HGL345".
4. What is a good network-based signature for detecting this malware?
A network-based signature need not be anything tangible in the binary, as long as the sample's network activity identifies it and distinguishes it from legitimate applications, for example contacting a particular IP address, hostname or URL. To look for one, we check the Strings window for anything network-related, and there we find a URL, as in Figure 3.0.
Figure 3.0. URL string.
Network-related imports would come from wininet.dll or ws2_32.dll. The Imports window shows that the malware imports two WinINet APIs used for HTTP, and following them to their call sites shows the malware attempting to connect to the URL from the Strings window (Figure 3.1).
Figure 3.1 Malware attempting to connect.
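As an added example that is not part of this lab write-up or of Practical Malware Analysis, the Python script below turns the indicators from questions 3 and 4 (the service name, the mutex name, the URL, and the import combinations behind them) into a host-based check over a file's bytes and a network-based check over a captured HTTP request. The byte blob and the request are constructed stand-ins for the real sample; the DOS header bytes, the filler and the user-agent in the request are assumptions and not taken from the binary.

```python
"""Host- and network-based signatures for the Lab 7-1 sample.

Added example for this write-up, not code from the lab or from
Practical Malware Analysis. The byte blob is constructed to imitate what
the Strings and Imports windows show (service name, mutex name, URL,
imported API names) and is not the real binary; the HTTP request and the
user-agent string in it are likewise made up.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the executable's raw bytes: indicators from the
# analysis are embedded between non-printable filler bytes.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"OpenSCManagerA\x00CreateServiceA\x00StartServiceCtrlDispatcherA\x00"
    + b"OpenMutexA\x00CreateMutexA\x00CreateThread\x00"
    + b"InternetOpenA\x00InternetOpenUrlA\x00"
    + b"\x8b\x45\xfc\x85\xc0\x74\x12"          # filler standing in for code
    + b"Malservice\x00HGL345\x00"
    + b"http://www.malwareanalysisbook.com\x00"
    + b"\xcc" * 8
)

# Host-based signature: artefacts the sample creates on an infected host.
HOST_SIGNATURE = {"service_name": "Malservice", "mutex_name": "HGL345"}

# Network-based signature: the destination the worker threads request.
NETWORK_SIGNATURE = {"url": "http://www.malwareanalysisbook.com"}

# Import combinations that correspond to the behaviours found in the lab.
BEHAVIOUR_IMPORTS = {
    "persistence_via_service": {"OpenSCManagerA", "CreateServiceA",
                                "StartServiceCtrlDispatcherA"},
    "single_instance_mutex": {"OpenMutexA", "CreateMutexA"},
    "http_client": {"InternetOpenA", "InternetOpenUrlA"},
    "worker_threads": {"CreateThread"},
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data):
    """ASCII strings of four or more printable characters: the same view
    the `strings` tool or IDA's Strings window gives."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def match_signatures(data):
    """Apply the host-based signature and the import heuristics to a
    file's bytes. The verdict requires every host indicator to be present."""
    found = set(extract_strings(data))
    host_hits = {k: v for k, v in HOST_SIGNATURE.items() if v in found}
    net_hits = {k: v for k, v in NETWORK_SIGNATURE.items() if v in found}
    behaviours = [name for name, apis in BEHAVIOUR_IMPORTS.items()
                  if apis <= found]
    return {
        "host_indicators": host_hits,
        "network_indicators": net_hits,
        "behaviours": behaviours,
        "verdict": "match" if len(host_hits) == len(HOST_SIGNATURE) else "no match",
    }


def request_hits_signature(raw_request):
    """Network-side check over one captured HTTP request: True when its
    Host header names the signature URL's host, whatever the path is."""
    target = urlsplit(NETWORK_SIGNATURE["url"]).hostname.encode()
    for line in raw_request.split(b"\r\n")[1:]:     # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().lower() == target
    return False


# Constructed request resembling what one worker thread would send.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.malwareanalysisbook.com\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n")

if __name__ == "__main__":
    print(match_signatures(SAMPLE_BYTES))
    print(request_hits_signature(SAMPLE_REQUEST))
```

The host-side check deliberately keys on both "Malservice" and "HGL345" rather than on the URL alone, since a URL string can appear in benign software; the import sets are reported separately as supporting evidence, not as part of the verdict, so that a packed or obfuscated variant that hides its imports still matches on the two host artefacts.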
5. What is the purpose of this program?
The program's main logic is in sub_401040, where the service and the mutex are set up, and following that subroutine reveals what the malware does next. After creating the service "Malservice" and the mutex "HGL345", the malware creates a waitable timer set to a fixed future date (in this sample, a date in the year 2100) and waits for it to fire. Once it does, the crucial part follows: the malware enters a loop, which can be viewed in either text or graph view, as in Figure 4.0.
Figure 4.0. Functioning of the malware
From the code, the loop runs 20 times (14h in hex). The loop counter is held in esi, initialized to 14h before the loop with the instruction mov esi, 14h; inside the loop it is decremented at 0x401137 until it reaches 0. The body of the loop calls a single API, CreateThread, which starts a new thread running in parallel.
CreateThread is passed the function the new thread should run as its lpStartAddress argument; here that function is labelled StartAddress. Double-clicking the name opens it, as shown in Figure 4.1.
Figure 4.1. StartAddress
Inside StartAddress there is another loop, this time without a counter, which means it is infinite. Each iteration calls InternetOpenUrlA, which issues an HTTP request to the URL "http://www.malwareanalysisbook.com". So there are 20 threads, each sending HTTP requests to the same web server forever: the malware is a denial-of-service attack.
6. When will this program finish executing?
The outer loop runs 20 times and creates the same number of concurrent threads. Once running, the threads never stop; they send HTTP requests to the server forever. Figure 5.0 illustrates this: the outer loop runs 20 times and then stops, but the 20 threads it created run forever, so once the program starts executing it never finishes.
Figure 5.0. Continuously running threads (outer loop runs 20 times and creates 20 threads)
Part 4: Analyzing Code Constructs in Malware (Lab 6.1 from PMA)
1. What is the major code construct found in the only subroutine called by main?
IDA Pro may not label the function as main, but main is the first real subroutine, and the only subroutine it calls is sub_401000. That subroutine calls InternetGetConnectedState, which takes an LPDWORD that receives the connection flags and a DWORD reserved parameter that must be 0, and then tests the return value. In C terms this is an if statement: a conditional jump (jz) to loc_40102B takes the branch for no connection, while the fall-through for a successful connection calls sub_40105F, and the branch at loc_40102B calls sub_40105F as well with a different string. The graph view confirms the same structure, and both branches rejoin at loc_40103A.
2. What is the subroutine located at 0x40105F?
The subroutine at 0x40105F is printf. It is called once in each branch of the if statement, in each case immediately after a format string ending in \n has been pushed as its argument.
3. What is the purpose of this program?
The program checks whether an Internet connection is available and prints the result. If it detects an active connection, it prints a success message saying that there is an Internet connection; if not, it prints an "Error 1.1" message indicating that there is no Internet. Malware can use such a check to confirm connectivity before attempting to connect out.
Common Vulnerabilities and Exposures (CVE). (n.d.). Retrieved from https://cve.mitre.org/find/index.html
Jones & Bartlett Learning, LLC. (2015). OpenVAS vulnerability scan report.
Oriyano, S. P., & Gregg, M. (2011). Chapter 6: Port scanning. In Hacker techniques, tools, and incident handling (pp. 137-157).
Zenmap. (n.d.). Zenmap intense scan results [PDF]. Retrieved from https://hacking_ts_zenmapscan.pdf
Filho, A., Rodríguez, R., & Feitosa, E. (2021). Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks. Digital Threats: Research and Practice, 3(2), 1-28. Online publication date: 30 June 2022.
Nicholas, C., Joyce, R., & Simske, S. Document engineering issues in malware analysis. In Proceedings of the 21st ACM Symposium on Document Engineering (pp. 1-1).
Donadio, J., Guerard, G., & Amor, S. Collection of the main anti-virus detection and bypass techniques. In Network and System Security (pp. 222-237).
Bakht, H. (2020). Cyber security: Protecting the electoral system (MSc and/or PhD research project proposal). Humayun Bakht.
Huang, Q., Wu, D., & Sun, X. (2020). Hierarchical method to analyze malware behavior. Journal of Computer Applications, 30(4), 1048-1052. https://doi.org/10.3724/sp.j.1087.2010.01048
Le-Khac, N., & Choo, K. R. (2020). Cyber and digital forensic investigations: A law enforcement practitioner's perspective. Springer Nature.
Mohanta, A., & Saldanha, A. (2020). Debugging tricks for unpacking malware. In Malware analysis and detection engineering (pp. 639-664). https://doi.org/10.1007/978-1-4842-6193-4_17
Sikorski, M., & Honig, A. (2019). Practical malware analysis: The hands-on guide to dissecting malicious software. No Starch Press.