2023 Do you agree or disagree with these two statements why or why not | Assignment Collections

Do you agree or disagree with these two statements, why or why not?

Response should be 130 words and 1 reference per response.

Cathy Dillon wrote:

1.       njRAT targeted Middle East high-level organizations, particularly the government, telecom, and energy sectors. It has the capability to completely take over a victim’s system including: steal browser data, log keystrokes, activate webcams, manipulate registry, etc. njRAT can be spread through the use of USB drives and embedded applications. The executable file named “’authorization.exe” has been embedded using Microsoft Word or PDF files and sent as email attachments to victims. The attack appeared to have originated in Vietnam and the U.K. based on IP addresses although attackers could have spoofed systems originating from these countries to hide their true identity and location (Walker, 2013).

Attackers used obfuscation to avoid detection of the njRAT (Walker, 2013). It was determined that antivirus programs were not set to detect such a threat (General Dynamics, 2013) although these programs provide only limited protection and can only detect known Trojans (GFI, 2011). One method that can be used to detect njRAT since it used obfuscation to avoid detection is SAFE. SAFE is a “static analyzer for executables that detects malicious patterns in executables and is resilient to common obfuscation transformations” (Christodorescu&Jha, 2003). For an effective method of detecting and preventing RAT attacks, “reliable and powerful anti-virus software” that has the latest and up-to-date upgrades should be used. Using anti-spyware application and firewall can also help in detection and prevention of this type of attack (Paine, 2012).

2. Kelly Ann Reisenweber wrote“

To obfuscate is “to make so confused or opaque as to be difficult to perceive or understand” and obfuscation is “the act or an instance of making something obscure, dark, or difficult to understand” (Farlex, 2013). This definition clearly shows a concerted effort to conceal, and in the same instance, to make something difficult to define.  Christodorescu and Jha make a straight, forward thinking analogy when they describe malicious code detection as an obfuscation-deobfuscation game in their paper, Static Analysis of Executables to Detect Malicious Patterns. 

It is a game in every sense of the word since there is a volley back in forth between two key players: the malicious hackers who work to conceal the payload by hiding it and the security researchers who work to detect specific instances of the malicious code and define the differing versions in an effort to prevent the advancement of the hackers win, thereby ultimately preventing the malicious hacker from reaping the benefits of whatever the malware is designed to do.  The deobfucators, the security researchers, job is to determine what the code is affecting, how it is damaging the infected system(s), how to contain it it if is spreading throughout the network and to define the variant specifically enough to update the anti-virus solutions with the new code variation and prevent future use. More simply put, it’s like a game of chess. The malicious hackers conceal a payload in malicious code like strategic chess moves designed to obtain an end result. There are endless moves and countermoves, all easily tweaked and difficult to detect just like advance chess moves are designed to be discovered after it’s too late to prevent the overtaking of the piece.  Altering the code slightly so its signature is not detectable furthers the game and the victims, the deobfuscator’s trying to clear the confusion, lose when they fail to detect the new malware signature.   

Rootkits and Trojan horses are two examples of how malware can be hidden on an asset.

     Rootkits – A rootkit contains code which infects a device or a network by hiding inside file or system folders and concealing system activity resulting from the execution of the malware (UMUC, 2011, Module 8). 

     Trojan Horses – “Trojan horses masquerade as useful programs, but contain malicious code to attack the system or leak data”. (Christodorescu and Jha, 2003, p. 1)  The very nature of a malicious payload masquerading as a legitimate file is obscuring.  What lends credence to a Trojan horse’s ability to bypass the systems security features and ultimately infect the computer without triggering an alert is the fact that it is hidden.

An example of a Trojan horse is a polymorphic virus disguised as a game, like a blackjack poker game in the Android Market. Christodorescu&Jha further explain a polymorphic virus best as:

“A virus [that] uses multiple techniques to prevent signature matching. First, the virus code is encrypted, and only a small in-clear routine is designed to decrypt the code before running the virus. When the polymorphic virus replicates itself by infecting another program, it encrypts the virus body with a newly generated key, and it changes the decryption routine by generating new code for it. To obfuscate the decryption routine, several transformations are applied to it. These include: nop-insertion, code transposition (changing the order of instructions and placing jump instructions to maintain the original semantics), and register reassignment (permuting the register allocation). These transformations effectively change the virus signature.”

To reduce the game play, dynamic monitoring should be employed for increased malicious code detection (Christodorescu&Jha, 2003, p. 3).