Abstract
Three forms of malware that originally had legitimate applications, but have over time been developed as malicious software are taken into account: ActiveX control, Telnet, and NetBIOS. They are explained first, then the risks user can face if his computer is infected with that malware are given, and the countermeasures which should be taken in order to combat the malware. After that, the compare and contrast of the three forms of malware mentioned above is given. In the end, two recent forms of malware, Flame and FinFisher are explained.
ActiveX control
What is an ActiveX control?
ActiveX is a software component of Microsoft Windows. It is already installed in a computer with Internet Explorer. ActiveX controls are small programs, sometimes called add-ons that are used on the Internet. They can enhance browsing experience by allowing animation or they can help with tasks such as installing security updates at Microsoft Update. Some websites require installing ActiveX controls to see the site or perform certain tasks on it. When these websites are being visited, Internet Explorer asks to install the ActiveX control. The website that provides the ActiveX control should tell the visitor what the control is for. It should also provide relevant details on the web page before or after the warning. Internet Explorer blocks websites from using an ActiveX control if the website tries to use the ActiveX control in a way that might not be safe.
What are the risks?
ActiveX controls and web browser add-ons are small programs that are used extensively on the Internet. They can make browsing more enjoyable by providing toolbars, stock tickers, video, animated content, and more. These programs can malfunction, however, or give the unwanted content. In some cases, these programs can be used to collect information from a computer in ways the owner might not approve, possibly damage information on a computer, install software on a computer without the ownerfs consent, or allow someone else to control a computer remotely. Given these risks, ActiveX controls or add-ons should be installed only if the publisher and the website offering it are completely trusted. Here's a good rule to follow: If an ActiveX control is not essential to a computer activity, installing should be avoided.
The countermeasures
When an ActiveX control is chosen for installing, Internet Explorer displays a dialog box that identifies the publisher and asks the user if he wants to run the file. Donft run must be clicked if the website and publisher are not trusted. Only ActiveX controls that have been downloaded and installed by the user can be deleted. ActiveX controls that were preinstalled or add-ons of any kind cannot be deleted, but they can be disabled. To delete an ActiveX control that have been installed, the Manage add-ons tool in Internet Explorer must be used. If the add-on cannot be removed within Manage Add-ons, it can be uninstalled through Control Panel.
References:
1. http://windows.microsoft.com/en-US/Windows7/Why-does-Internet-Explorer-block-some-ActiveX-controls
2. http://www.microsoft.com/security/pc-security/activex.aspx
Telnet
What is telnet?
Telnet is an old computer protocol (set of programmatic rules). Telnet is famous for being the original Internet when the Net first launched in 1969. Telnet stands for 'telecommunications network', and was built to be form of remote control to manage mainframe computers from distant terminals. In those original days of large mainframe computers, telnet enabled research students and professors to 'log in' to the university mainframe from any terminal in the building. This remote login saved researchers hours of walking each semester. While telnet pales in comparison to modern networking technology, it was revolutionary in 1969, and telnet helped pave the way for the eventual World Wide Web in 1989. While telnet technology is very old, it is still in some use today by purists. Telnet has evolved into a new modern version of remote control called 'SSH', something that many modern network administrators use today to manage linux and unix computers from a distance. Telnet is a protocol that allows anyone to connect to remote computers (called hosts) over a TCP/IP network (such as the Internet). You use software called a telnet client on your computer to make a connection to a telnet server (i.e., the remote host). Once your telnet client establishes a connection to the remote host, your client becomes a virtual terminal, allowing you to communicate with the remote host from your computer. In most cases, you'll need to log into the remote host, which requires that you have an account on that system. Occasionally, you can log in as guest or public without having an account. Telnet clients are available for all major operating systems.
What are the risks? Telnet can be used to connect to virtually any machine that listens on ports. In other words, one can connect to any machine that has certain ports open. Once connected to a machine, one need to issue unix based commands to interact with the remote service. For example, a user don't need to login, check and send mails only through his email service provider's interface but this can be achieved using simple telnet commands. It is because of this reason that many hackers can send spoofed emails or access information such as which services are running on the remote machine. This is also called banner grabbing or daemon tracking. Black hat hackers can also use telnet to sniff network packets which might contain sensitive information such as usernames and passwords. This is achieved by using telnet and network utilities such as tcpdump and wireshark. On January 27, 2011 an article in the Internet shows that: \Hackers using Telnet to attack corporate servers; the 40-year-old remote access protocol is increasingly being used in attacks that came from mobile networks, according to Akamai. This report from Akamai Technologies shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks.. (http://www.infoworld.com/d/security-central/hackers-using-telnet-attack-corporate-servers-619)
The countermeasures Telnet is a remote access tool used to log into remote servers, but it has been gradually replaced by SSH, also known as Secure Shell. Administrators are generally advised to disable Telnet if the protocol is not used to prevent attacks targeting it. Telnet is disabled by default on Windows7 for the simple reason that it is sometimes used as a callout mechanism by malware, and is generally not used by ordinary users, and thus a good candidate for disabling-by-default. Telnet client is not a security risk in-and-of-itself - although you can certainly turn it into one by sending usernames and passwords to servers which will transmit unencrypted over the network.
References:
1. http://kb.iu.edu/data/aayd.html
2. http://searchnetworking.techtarget.com/definition/Telnet
3. http://netforbeginners.about.com/od/t/f/what_is_telnet.htm
4. http://www.articleswave.com/tutorials/basic-telnet-tutorial.html
5. http://www.infoworld.com/d/security-central/hackers-using-telnet-attack-corporate-servers-619
NetBIOS
What is NetBIOS?
NetBIOS is a software protocol for providing computer communication services on local networks. Software applications on a NetBIOS network locate each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and in Windows, separate from the computer name. Applications on other computers access NetBIOS names over UDP port 137. Two applications can communicate over a NetBIOS session when one (the client) sends a command to "Call" another (the server) over TCP port 139 on a remote computer. Both sides issue "Send" and "Receive" commands to deliver messages in both directions. The "Hang-Up" command terminates a NetBIOS session. NetBIOS can support connectionless communications via UDP datagrams on port 138. NetBIOS was developed in 1983 by Sytek as an API for software communication over IBM PC Network LAN technology. On PC-Network, as an API alone, NetBIOS relied on proprietary Sytek networking protocols for communication over the wire. Because PC
Network only supported up to 80 devices in its most accommodating mode (baseband), NetBIOS was itself designed with limited nodes in mind. NetBIOS provides three distinct services: - Name service for name registration and resolution. - Datagram distribution service for connectionless communication. - Session service for connection-oriented communication.
What are the risks? By default NetBIOS runs on port 139. It gives the various information about computers on a network, which includes computer name, username, domain, group, and many others. NBTSTAT is the command to manually interact with NetBIOS over TCP/IP. An intruder could use the output from an nbtstat command against a computer to begin gathering information about it. The next step for an intruder would be to try and list the open shares on the given computer, using the net view command. This information would give the intruder a list of shares which he would then use in conjunction with the Net Use command, a command used to enable a computer to map a share to its local drive.
The countermeasures
A null session occurs when one logs in to a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System. Once a hacker has made a NetBIOS connection using a null session to a system, they can easily get a full dump of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The NetBIOS null session uses specific port numbers on the target machine. Null sessions require access to TCP ports 135, 137,139, and/or 445. One of the countermeasures is to close these ports on the target system. This can be accomplished by disabling SMB (Server Message Block) services on individual hosts by unbinding the TCP/IP WINS client from the interface in the network connectionfs properties. For wireless networks, one of the countermeasures is to close the port 138. A security administrator can also edit the Registry directly to restrict the anonymous user from login. In addition, the Administrator account can be renamed to a nonobvious name (e.g., not admin or root), and set up a decoy Administrator account with no privileges.
References:
1. http://compnetworking.about.com/od/windowsnetworking/g/netbios.htm
2. http://searchnetworking.techtarget.com/definition/NetBIOS
3. http://en.wikipedia.org/wiki/Netbios
4. http://luizfirmino.blogspot.com/2011/07/understand-snmp-enumeration-and-its.html
Compare and contrast
Telnet and NetBIOS are both network related. Both of them are used for remote connection between computers. Telnet is a program that uses the telnet protocol over TCP/IP to talk to a telnet daemon to have a remote command line session, whereas NetBIOS is a lower level networking protocol. As for ActiveX control, it is a web-based component which enhances browsing experience, and is installed together with the Internet Explorer. NetBIOS is often used by Windows computers, and by Unix/Linux type computers running Samba. Its commands can often be used over the Internet. In many cases, however,
NetBIOS commands will be blocked by firewalls. Telnet and NetBIOS are DOS-based programs which means, that their commands can be run in DOS environment (cmd.exe). They are integrated with operating systems. As for ActiveX control, it is web-based component and is integrated with web browser Microsoft Internet Explorer.
Recent forms of malware
Flame (malware)
Flame is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries (Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories). Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National CERT (Computer Emergency Response Team), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that it "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption . some strong, some weak . and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language . an uncommon choice for malware. Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers. Analysis of Flame by the Kaspersky Lab indicates that itfs designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
References:
1. http://en.wikipedia.org/wiki/Flame_%28malware%29
2. http://www.wired.com/threatlevel/2012/05/flame/
FinFisher (malware) FinFisher, also known as FinSpy, is surveillance software marketed by Gamma International, also known as the Gamma Group, a software firm based in the United Kingdom which markets the spyware through law enforcement channels. The malware is designed to spy on you via your phone. It can monitor your apps, emails, text messages, and voice calls. It can phone home to send data as well as get further instructions. It can track your location. Your phone can get infected if you are tricked into downloading the spyware, which can be disguised as something other than FinSpy. You donft even have to be using your browser: it can come via a text message that looks like itfs from your cellular provider, asking you to install an app or perform a system update.
References:
1.http://en.wikipedia.org/wiki/FinFisher
2. http://thenextweb.com/mobile/2012/08/29/finfisher-malware-goes-mobile-infects-android-iphone-blackberry/