@ISACA Volume 3: 29 January 2014 

@ISACA Relevant, Timely News

Virus-hiding Techniques
By Leighton Johnson, CISA, CISM, CIFI, CISSP

In today’s threat world where the security professional is constantly being exposed to many new and varied ways that viruses are being delivered to their supported users, there are a number of ways these viruses are being constructed to be more difficult to detect. The US National Institute of Standards and Technology (NIST)’s Computer Security Resource Center has conducted research on these hiding methods over the past few years and produced reports that detail the methods for these processes. This virus hiding is typically called “obfuscation” and some of the more common techniques are:

  1. Self-encryption and self-decryption—Some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Viruses that employ encryption might use multiple layers of encryption or random cryptographic keys, which make each instance of the virus appear to be different, even though the underlying code is the same.
  2. Polymorphism—A particularly robust form of self-encryption, a polymorphic virus generally makes several changes to the default encryption settings while also altering the decryption code. In a polymorphic virus, the content of the underlying virus code body does not change; encryption alters its appearance only.
  3. Metamorphism—The idea behind metamorphism is to alter the content of the virus itself rather than hide the content with encryption. The virus can be altered in several ways; for example, by adding unneeded code sequences to the source code or changing the sequence of pieces of the source code. The altered code is then recompiled to create an executable virus that looks fundamentally different from the original.
  4. Stealth—A stealth virus uses various techniques to conceal the characteristics of an infection. For example, many stealth viruses interfere with operating system (OS) file listings so that the reported file sizes reflect the original values and do not include the size of the virus added to each infected file.
  5. Armoring—The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus’s functions through disassembly, traces and other means.
  6. Tunneling—A virus that employs tunneling inserts itself into a low level of the OS so that it can intercept low-level OS calls. By placing itself below the antivirus software, the virus attempts to manipulate the OS to prevent detection by antivirus software.

Antivirus software vendors design their products to attempt to compensate for the use of any combination of obfuscation techniques. Older obfuscation techniques, including self-encryption, polymorphism and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome.

Visit the ISACA page for Cybersecurity Resources for more information on this topic.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


Affect More—Apply to Participate on ISACA’s Volunteer Bodies

Your opportunity to submit an application for the 2014-2015 volunteer term is coming to a close. The Invitation to Participate application period closes on 13 February 2014. Act now and apply to participate on one of ISACA’s volunteer bodies.

Volunteering is an opportunity to collaborate with peers around the world, ensuring successful certification programs, insightful research and guidance, comprehensive and timely education programs, and representative professional standards.

Volunteers are selected based on the resources needed in support of ISACA’s strategy, the responsibilities of its volunteer bodies, the relevant professional background of the candidates and ISACA’s desire to reflect a global perspective. All appointments are for a one-year term and are ratified by the ISACA Board of Directors.

For more information about ISACA volunteer bodies and to apply to be an ISACA volunteer, visit the Join an ISACA Volunteer Body page of the ISACA web site. Help shape the future of your profession. Apply by 13 February.


Realizing the Benefits of Certification
Caren Shiozaki, CGEIT, Chief Information Officer for TMST Inc. (Thornburg Mortgage), Shares Her Experience as a CGEIT

Caren ShiozakiAs a chief information officer (CIO), Caren Shiozaki knew that pursuing the Certified in the Governance of Enterprise IT (CGEIT) certification would pay off. “There aren’t really any professional certifications focused on the CIO, but CGEIT is as close as one can get. After researching this particular certification, I concluded that it was relevant to my role and could serve as a distinguishing factor.”

Shiozaki has seen the benefits during an uncertain time for her organization. “My company is currently in Chapter 11. As CIO, I am responsible for the governance, preservation and protection of the company’s information assets, in all forms. I have been able to leverage my certification to provide validation for my proposals.” As she meets the challenges of her current position, Shiozaki notes, “Many of my stakeholders are brilliant in law and finances, but lack an in-depth understanding of technologies and applications in problem solving. The CGEIT certification helps to establish a higher level of credibility and trust.”

Shiozaki has applied her CGEIT certification skills in her personal activities, as well. “I am president of the board for a nonprofit youth services organization, and I have utilized the basic tenets of CGEIT to establish stronger policies and procedures related to board governance.”

When she is not applying her skills as a CGEIT at work or in her volunteer endeavors, Shiozaki likes to get outside. “I love to hike in the summer and ski in the winter. I am fortunate to be living in Santa Fe (New Mexico, USA). I can be at a ski lift within 30 minutes of leaving my office.”

Certification has proven to be useful, but also rewarding for Shiozaki. “There is a certain cachet in having this certification because it is still so rare in the CIO world. It is definitely a validation of my knowledge and experience. Those who know about it often demonstrate their appreciation of that and it is always rewarding when that happens.”

And to anyone considering pursuit of the CGEIT certification, Shiozaki says, “Stop thinking about it and just go for it! I would like to see the ranks of CGEIT grow so that it becomes as recognized and understood as other ISACA certifications.”


New Complimentary SecaaS White Paper Available

ISACA’s latest white paper, Security as a Service: Business Benefits With Security, Governance and Assurance Perspectives, presents the potential impact of Security as a Service (SecaaS) on the enterprise. It identifies prospective business benefits, challenges and risk, and it presents recommended governance and risk management practices to minimize risk and optimize value from investments.

Security as a Service recommends asking the following key questions to ensure risk is managed:

  1. Which cloud service model is best suited for our organization’s needs?
  2. Where will the information be located and what retention policies apply?
  3. How will the information be protected (what physical and logical controls will be in place)?
  4. How will we include the provider and outsourced services in the business continuity and disaster recovery plans?
  5. Can data be transferred to another provider if the contract is terminated?

“Enterprises can outsource information security services, but they cannot outsource accountability for security,” said Patrick Hanrion, CISM, CISSP, CNE, Expedia, and author of the white paper. “Answering these questions helps to ensure that controls are in place to protect the enterprise’s information assets.”

Download this complimentary white paper today. Information on current research projects is posted on the Current Projects page of the ISACA web site.


Book Review: The Tangled Web: A Guide to Securing Modern Web Applications
Reviewed by Ibe Etea, CISA, CRISC, ACA, CFE, CIA, CRMA, ISO 9001:2008 QMS LA

The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski, takes a deep look at the basics of the web, the security issues and the effective methods in which to stem those vulnerabilities. The book provides a standard reference for web developers, users and programmers alike with its unassuming structure. The intriguing universe of the web is demystified in this detailed work, in which the author has created a unique insight into the structure, themes, coding and apps of the web from a practical security standpoint that should stimulate the interest of IT professionals.

A unique feature of the book is the detailed examples of parsing codes and scripting in manifold forms, and deployment of web apps and features safely to ensure reduced risk of exposure to the numerous threats and attacks that besiege the web environment as we know it today. Online risk management is also a key focus of the book. A key strength of the text is the “cheat sheets” that provide security tips, coding and scripting techniques, and summaries at the end of each chapter.

The book is divided into three parts. This first part, aptly titled “Anatomy of the Web,” begins with the world of the URL, where communication gaps between the web browser and the URL address filters create vulnerabilities at the web application level. Next, there is an introduction to the Hypertext Transfer Protocol (HTTP), its history, and its various encoding themes, with HTTP request types and server response codes. Hypertext Markup Language (HTML) parser behavior, encoding, forms and elements of HTTP, and related security issues are also covered, followed by a review of cascading style sheets, basic CSS Syntax, parser resynchronization risk and character encoding.

Part 2 covers security settings and themes in the web environment that arrests rogue apps, including dynamics of content isolation and the security breaches associated with popular browser plugins. It also highlights the three tiers of URL schemes (i.e., unrestricted, partly restricted, fully restricted), attacks targeting internal networks, restricted ports, and third-party cookie limitations.

Part 3 focuses on new and future security features of browsers and details many compelling security elements, such as security model extension frameworks and security model restriction frameworks. Modern developments, such as in-browser HTML sanitizers and cross-site scripting (XSS) filtering, are also treated here, as are URL protocol proposals affecting data exchange, address bar themes and web link behavior, content level features, and input/output features.

Overall, this book offers a nice balance between the technical and practical aspects of the web. The book provides adequate material and resources for browsers, penetration testers, web engineers and ethical hackers alike. It shows the importance of navigating the corridors of the modern web with security as a key theme in mind, as the Internet continues to evolve in complexity.

The Tangled Web: A Guide to Securing Modern Web Applications is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CIA, CRMA, ISO 9001:2008 QMS LA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).


Read More Articles in Our Archives