CIT 380: Securing Computer Systems Slide #1 CIT 380: Securing Computer Systems Malware

CIT 380: Securing Computer Systems Slide #2 Worm Components
1. Vector
2. Propagation Engine
3. Target Selection
4. Scanning Engine
5. Payload

CIT 380: Securing Computer Systems Slide #3 Vector
Software used to gain access to the target host. Common vectors:
–Buffer overflow exploits.
–Network file sharing, both NFS/SMB and P2P.
–Social engineering via email or IM.
–Weak passwords.
–Parasitism: target backdoors and flaws left by other worms.

CIT 380: Securing Computer Systems Slide #4 Propagation Engine
Transfers the worm body to the host exploited by the vector.
–Small worms like Slammer carry the whole worm inside the vector.
Worm propagation methods:
–FTP
–HTTP
–SMB
–TFTP

CIT 380: Securing Computer Systems Slide #5 Remote Control Interface
An RCI lets the creator control infected hosts.
–Many worms do not have an RCI.
–May be a well-known backdoor program.
Common remote control features:
–Start/stop infecting new targets.
–Download new vectors.
–Download new target selectors.
–Download new payloads.

CIT 380: Securing Computer Systems Slide #6 Target Selection
Selecting targets for potential infection.
Email address harvesting
–Address books.
–Parse disk files.
–Search news groups.
Network share enumeration
–Check for filesystems shared with other systems.

CIT 380: Securing Computer Systems Slide #7 Target Selection
Network scanning
–Target hosts on the current network and connected nets.
–Randomized scanning of Internet address space.
Web searching
–Search Google for email addresses or vulnerable software.

CIT 380: Securing Computer Systems Slide #8 Scanning Engine
Check targets for vulnerabilities.
–If the vector is small, scanning can be skipped.
Scan for vulnerable services.
–Like a targeted nmap port scan.
OS check
–Check that the target runs the OS the vector works against.
Version checking
–Check the version of the target software.
–May customize the vector based on this information.

CIT 380: Securing Computer Systems Slide #9 Facebook (the slide links to book.htm; the full URL is not in the transcript)

CIT 380: Securing Computer Systems Slide #10 Quarantine (the slide links to rantine.htm; the full URL is not in the transcript)

CIT 380: Securing Computer Systems Slide #11 Morris Worm
First Internet worm: November 1988.
Multi-architecture: Sun, VAX.
Multi-vector:
–sendmail (debug backdoor)
–fingerd (buffer overflow)
–rsh (open .rhosts; password cracking)

CIT 380: Securing Computer Systems Slide #12 Morris Worm
Spreading algorithm
–Local network topology: gateways, neighbors.
–Used users’ .rhosts and .forward files.
–Limited reinfection rate.
Detection avoidance
–Forged its process listing as (sh).
–Removed created files quickly after use.

CIT 380: Securing Computer Systems Slide #13 Morris Worm
Resource requirements
–Disk space.
–C compiler and linker.
–Network connection to the parent computer.
Problems
–Didn’t limit re-infections.
–Saturated CPU and network resources.

CIT 380: Securing Computer Systems Slide #14 Malware Self-Protection
Anti-debugging
–Detect/disable debuggers used to analyze the code.
Attack anti-malware tools
–Disable anti-malware tools upon infection.
–Kill processes or destroy/modify signature databases.
API checksums
–Avoid having UNIX/Win32 API names in the code.
–Store checksums of API names and search for a match at run time.

CIT 380: Securing Computer Systems Slide #15 Malware Self-Protection
Code obfuscation
–Use unusual tricks and unused code to hinder disassembly and prevent quick analysis of purpose.
–Self-modifying code.

CIT 380: Securing Computer Systems Slide #16 Self-Protection
Compression
–Code looks almost random; size is smaller.
–Use unusual executable packers to avoid analysis.
Data encryption
–Encrypt strings, hostnames and IP addresses to avoid detection.

CIT 380: Securing Computer Systems Slide #17 Self-Protection
Embedding
–Use multiple levels of executable packers like UPX.
–Scanners have to understand, and have time to parse and decompress, each file format.

CIT 380: Securing Computer Systems Slide #18 Self-Protection
Entry-point obscuring
–Changing the initial code or the entry point is easy to notice.
–Instead, alter program code so the virus gains control at a random point.
Host morphing
–Alter the host file during infection to prevent removal.

CIT 380: Securing Computer Systems Slide #19 Self-Protection: Encryption
Encrypt all code except a small decryptor.
–Note that copy-protected files have similar decryptors to prevent analysis too.
–Often uses multiple decryptors.
–Change the encryption key dynamically.
Random Decryption Algorithm (RDA)
–Choose a random key for encryption.
–Brute-force search for the key at run time to decrypt.
–Slows VMs/debuggers used for analysis.

CIT 380: Securing Computer Systems Slide #20 Self-Protection: Polymorphism
Alter malware code with each infection.
–Cannot be detected by simple signature scanning.
–May alter the decryptor only or the entire code.
–Insert junk instructions that do nothing.
–Fragment and rearrange the order of code.
–Use alternate instruction sequences for the same task. Ex: SUB -1 instead of ADD 1.
–Randomize names in macro viruses.

CIT 380: Securing Computer Systems Slide #21 Case Study: Zmist
EPO, encrypted, polymorphic virus.
Code integration
–Decompiles PE files to their smallest elements.
–Inserts the virus randomly into existing code.
–Rebuilds the executable.
Polymorphic decryptor
–Inserted as random fragments linked by JMPs.
–Randomizes itself with the ETG engine.

CIT 380: Securing Computer Systems Slide #22 Payloads
Accidentally destructive
–Replication damages data or exhausts system resources due to malware bugs.
–Ex: Morris Worm reinfected hosts, using all CPU.
Nondestructive
–Displays a message, graphics or sound, or opens the CD door.
–Ex: Christma worm on IBM network in
Destructive
–Triggers randomly or on some event or machine type.
–Deletes files or overwrites data.
–Hardware destroyers: overwrite BIOS.

CIT 380: Securing Computer Systems Slide #23 Payloads
Denial of service
–Sometimes accidental, due to high network use.
–Launch a DDoS attack with all infected systems.
Data theft
–Phishing scams and spyware.
Encryptors (ransomware)
–Encrypts user data.
–Ex: One_Half encrypts the disk; enables access while running.
–Ex: AIDS Info: encrypts the disk and holds it for ransom.
Spam
–Use the network of infected systems to launder spam. Ex: Sobig worm.

CIT 380: Securing Computer Systems Slide #24 Malware Interactions
What happens when a virus infects a worm?
–Typically both propagate.
–May use each other’s self-protection techniques.
What if anti-virus software removes a virus?
–Likely leaves the unknown virus/worm alone.
–Partial removal can mutate the malware into a new form.

CIT 380: Securing Computer Systems Slide #25 Malware Interactions
Competition and parasitism
–Malware may remove competing malware.
–May exploit backdoors/RCI left by previous malware.
–May infect competing malware, hijacking its propagation.

CIT 380: Securing Computer Systems Slide #26 Theory of Malicious Code
Theorem 1: It is undecidable whether an arbitrary program contains a computer virus.
Proof sketch: Define a virus v as a TM program that copies v to other parts of the tape without overwriting any part of v. Reduce to the Halting Problem: T′ running code V′ reproduces V iff running T on V halts.
Theorem 2: It is undecidable whether an arbitrary program contains malicious logic.

CIT 380: Securing Computer Systems Slide #27 Detecting Malware
Signature-based
–Look for known byte patterns in malicious code.
–Defeated by polymorphic viruses.
Smart scanning
–Skips junk instructions inserted by polymorphic engines.
–Skips whitespace/case changes in macro viruses.

CIT 380: Securing Computer Systems Slide #28 Detecting Malware
Decryption
–Brute-forces simple XOR-based encryption.
–Checks the decrypted text against a small virus signature to decide whether it has recovered plaintext.
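As an added example (not code from the CIT 380 slides), the scanner below shows the decryption approach of slide 28 against the simple encryption of slide 19: it tries every single-byte XOR key and looks for a short signature in the decrypted bytes. The signature value, the "STUB:" file layout produced by encrypt_body() and the sample blobs are all constructed for the demonstration.

```python
# Added example (not from the CIT 380 slides): a defender-side scanner that
# defeats single-byte XOR "encryption" by brute-forcing all 256 keys and
# checking the decrypted bytes for a short signature. The signature, the
# encrypt_body() layout and the sample blobs are constructed.

SIGNATURE = b"SAMPLE-SIG-0001"   # constructed stand-in for a short virus signature


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def encrypt_body(body: bytes, key: int) -> bytes:
    """Constructed file layout: a small cleartext decryptor stub, then the XORed body."""
    return b"STUB:" + xor_bytes(body, key)


def scan_xor(blob: bytes, signature: bytes = SIGNATURE):
    """Return (key, offset) for the first key under which the signature appears
    in the decrypted bytes, or None. Key 0 is plain signature scanning, so an
    unencrypted sample is caught on the first pass."""
    for key in range(256):
        offset = xor_bytes(blob, key).find(signature)
        if offset != -1:
            return key, offset
    return None


def scan_all_keys(blob: bytes, signature: bytes = SIGNATURE):
    """All (key, offset) hits. With a signature this long there is at most one;
    with a very short signature coincidental hits across the 256 trial keys
    appear, which is why the signature must be an unlikely byte sequence."""
    hits = []
    for key in range(256):
        offset = xor_bytes(blob, key).find(signature)
        if offset != -1:
            hits.append((key, offset))
    return hits


if __name__ == "__main__":
    sample = encrypt_body(b"junk" + SIGNATURE + b"rest-of-body", 0x5A)
    print("hit:", scan_xor(sample))        # key 0x5A, signature at offset 9
    print("benign:", scan_xor(b"a perfectly benign document with no marker"))
```

The cost is 256 full passes over each file, which is why real scanners apply this only to files whose entry code looks like a decryptor loop (slide 29) rather than to everything.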

CIT 380: Securing Computer Systems Slide #29 Detecting Malware
Code emulation
–Execute potential malware on a VM.
–Scan VM memory after a certain number of iterations.
–Watch instructions for a decryptor profile.
Code optimization
–Optimize away junk instructions and odd techniques used by polymorphic viruses.

CIT 380: Securing Computer Systems Slide #30 Detecting Malware
Heuristics
–Code execution starts in the last section.
–Suspicious code redirection.
–Suspicious section ACLs or size.
–Suspicious library routine imports.
–Hard-coded pointers into the OS kernel.
Neural network heuristics
–IBM researchers trained a neural net to recognize difficult polymorphic viruses.
–Released in Symantec antivirus.

CIT 380: Securing Computer Systems Slide #31 Detecting Malware
Behavior-based
–Watch for known actions of malicious code.
–Network access signature of a worm.
–Unexpected use of dangerous system calls.

CIT 380: Securing Computer Systems Slide #32 Detecting Malware
Integrity checking
–Host-based intrusion detection system.
–Record MAC, size, dates and ACL of files.
–Periodically check for changes.
–Ex: Tripwire, AIDE, Osiris.
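As an added example (not code from the slides or from Tripwire, AIDE or Osiris), the checker below does what slide 32 describes in miniature: it records a hash, size, permission bits and mtime per file as a baseline, then re-walks the tree and reports additions, removals and modifications. The directory layout and file contents in demo() are constructed in a temporary directory.

```python
# Added example (not from the CIT 380 slides): a minimal Tripwire-style
# integrity checker. File names and contents in demo() are constructed.
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Per-file record: content hash, size, permission bits and mtime."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def check(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        # A content or permission change is a real modification. A changed
        # mtime with identical content is listed separately: timestamps are
        # easy to reset, so the hash is the field that carries the decision.
        "modified": sorted(p for p in common
                           if current[p]["sha256"] != baseline[p]["sha256"]
                           or current[p]["mode"] != baseline[p]["mode"]),
        "touched": sorted(p for p in common
                          if current[p]["sha256"] == baseline[p]["sha256"]
                          and current[p]["mtime"] != baseline[p]["mtime"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then replace one file's
    content, delete one file and add one file, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/tool": b"tool v1", "etc/app.conf": b"level=1", "etc/motd": b"hello"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        with open(os.path.join(root, "bin", "tool"), "wb") as f:
            f.write(b"tool v1 replaced")              # content change
        os.remove(os.path.join(root, "etc", "motd"))   # deletion
        with open(os.path.join(root, "etc", "extra.conf"), "wb") as f:
            f.write(b"x=1")                           # addition
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: a real deployment keeps it on read-only or off-host media and runs the checker from known-good binaries, otherwise malware with host-morphing or anti-malware features (slides 14 and 18) can rewrite the baseline along with the files.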

CIT 380: Securing Computer Systems Slide #33 Defenses: Data vs. Code
Separate data and instructions.
–Virus treats a program as data: it writes itself to the file.
–Virus treats a program as instructions: the virus executes when the program is run.
–Solution: treat all programs as data until a trusted authority marks them as executable.
–Development is difficult when compilers can’t produce executable code.

CIT 380: Securing Computer Systems Slide #34 Defenses: Information Flow
Limit information flow.
–Virus executes with the user’s identity.
–Solution: limit information flow between users. Set the flow distance limit to one for users A, B, C. A creates the virus (fd=0), B executes it (fd=1). C cannot execute B’s infected program (fd=2).
–Indirect virus spread is limited.
–How can we track information flow?
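As an added example (not code from the slides), the toy model below implements the flow-distance rule of slide 34: every file carries a distance label, executing another user's file raises the label by one for anything the execution writes, and execution is refused when the label would exceed the limit. User names, file names and the limit of one are constructed to match the slide's A/B/C scenario; the model is deliberately simplified and says nothing about how a real OS would track the flow.

```python
# Added example (not from the CIT 380 slides): a toy flow-distance model.
# Users, file names and the limit are constructed for the slide's scenario.


class FlowDistanceError(Exception):
    """Raised when an execution would push information past the flow limit."""


class FlowSystem:
    def __init__(self, limit: int = 1):
        self.limit = limit
        self.files = {}   # name -> (owner, flow_distance)

    def create(self, user: str, name: str, fd: int = 0):
        """A user authoring a file from scratch starts it at distance fd (0 by default)."""
        self.files[name] = (user, fd)

    def execute(self, user: str, name: str, writes=()):
        """Run file `name` as `user`. Running your own file keeps its distance;
        running someone else's moves the information one user further, so
        every file the run writes is labelled fd+1. Refuse if that exceeds
        the limit: this is what stops C from running B's infected program."""
        owner, fd = self.files[name]
        new_fd = fd if user == owner else fd + 1
        if new_fd > self.limit:
            raise FlowDistanceError(
                f"{user} may not execute {name}: flow distance {new_fd} exceeds limit {self.limit}")
        for out in writes:
            self.files[out] = (user, new_fd)
        return new_fd


def demo():
    """The slide's scenario with limit 1: A creates the virus, B runs it and
    gets an infected program at fd=1, C is refused. Returns (B's run distance,
    the infected file's label, whether C was blocked)."""
    fs = FlowSystem(limit=1)
    fs.create("A", "virus")                                  # fd=0
    fd_b = fs.execute("B", "virus", writes=["b_prog"])       # b_prog gets fd=1
    try:
        fs.execute("C", "b_prog", writes=["c_prog"])         # would be fd=2
        blocked = False
    except FlowDistanceError:
        blocked = True
    return fd_b, fs.files["b_prog"][1], blocked


if __name__ == "__main__":
    print(demo())   # (1, 1, True)
```

Note what the model does not prevent: B is still infected, because direct spread from A to B is within the limit. The rule only caps how many users an infection can hop through indirectly, which is exactly the slide's "indirect virus spread is limited".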

CIT 380: Securing Computer Systems Slide #35 Defenses: Least Privilege
Limit programs to the least privilege needed. Example: SELinux.
Mail virus example
1. Virus arrives via email.
2. Virus exploits a bug in the mail client to execute.
3. Virus saves itself to a file in the Startup folder.
4. Virus infects Office documents.
How least privilege would stop it
–Mail application cannot create virus binaries.
–Mail application cannot write to the Startup folder.
–Mail application cannot write to Office documents.

CIT 380: Securing Computer Systems Slide #36 Defenses: Sandboxes
Execute code in a protected sandbox or VM.
Virtual Browser Appliance
–Linux guest running Firefox under VMware.
–Infections can only attack the VM, not the real host.
–Reset the VM to its initial state if infected.

CIT 380: Securing Computer Systems Slide #37 Defenses: Anomaly Detection
Validate program actions against a policy.
–Limit access to system calls. Example: systrace.
Check statistical characteristics.
–Programmer style: compare source code with the object code.
–Statistics of write frequencies and program executions.
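As an added example (not code from the slides and not systrace's own policy format), the policy check below ties together the behavior-based detection of slide 31, the least-privilege mail-client example of slide 35 and the systrace-style policy of slide 37: a per-program allow-list of system calls and argument patterns is evaluated over a trace of calls, and every call the policy does not permit is reported. The policy, the path and port patterns, the program name "mailclient" and the trace records are constructed; in the trace, the writes outside the mail directory and the execve are exactly the steps the slide 35 virus needs.

```python
# Added example (not from the CIT 380 slides): a systrace-style syscall policy
# evaluated over a constructed trace. Policy, paths, ports and trace are
# constructed; "open_read"/"open_write"/"connect"/"execve" are our own
# simplified event names, not a real tracer's output.
import fnmatch

# Per program: the system calls it may make and the argument patterns
# (fnmatch syntax) each call is allowed for. Anything not listed is denied,
# and programs with no policy at all are denied entirely.
POLICY = {
    "mailclient": {
        "open_read": ["/home/user/Mail/*", "/usr/share/*", "/etc/resolv.conf"],
        "open_write": ["/home/user/Mail/*", "/tmp/mail-*"],
        "connect": ["tcp:*:993", "tcp:*:587"],
        "execve": [],   # a mail client has no business spawning programs
    }
}

# Constructed trace of (program, syscall, argument) records, in the shape a
# syscall monitor would hand to the policy engine.
TRACE = [
    ("mailclient", "open_read", "/home/user/Mail/inbox"),
    ("mailclient", "connect", "tcp:imap.example.org:993"),
    ("mailclient", "open_write", "/tmp/mail-attach.bin"),
    ("mailclient", "open_write", "/home/user/Startup/update.exe"),
    ("mailclient", "execve", "/tmp/mail-attach.bin"),
    ("mailclient", "open_write", "/home/user/Documents/report.doc"),
]


def is_allowed(policy, program, syscall, arg):
    """Default deny: the call is permitted only if some pattern for that
    program and syscall matches the argument."""
    rules = policy.get(program)
    if rules is None:
        return False
    return any(fnmatch.fnmatchcase(arg, pat) for pat in rules.get(syscall, []))


def audit(policy, trace):
    """Return the trace records the policy denies: the events a monitor would
    block or alert on. Here they are the Startup-folder write, the execve and
    the Office-document write from the slide 35 scenario."""
    return [rec for rec in trace if not is_allowed(policy, *rec)]


def syscall_profile(trace):
    """Per-program counts of each system call: the kind of statistic an
    anomaly detector compares against a learned baseline for the program."""
    profile = {}
    for program, syscall, _ in trace:
        counts = profile.setdefault(program, {})
        counts[syscall] = counts.get(syscall, 0) + 1
    return profile


if __name__ == "__main__":
    for rec in audit(POLICY, TRACE):
        print("DENY", rec)
    print(syscall_profile(TRACE))
```

Enforcing (rather than merely auditing) this policy is what turns slide 37 into the least-privilege defense of slide 35: the mail client can still read mail and talk to its servers, and the virus's three remaining steps are refused at the system-call boundary.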

CIT 380: Securing Computer Systems Slide #38 Defenses: Counter-worms
Worm that removes other worms from the net.
Nachi/Welchia
–Multi-vector W32 worm.
–Nachi.A removes the W32/Blaster worm.
–Nachi.B removes the W32/MyDoom worm.
–Installed the MSRPC DCOM patch to prevent future infections by Blaster.
–Removes self after
Side-effects
–Infected Diebold ATMs.
–Worm traffic DoSed the Internet, esp. Microsoft.

CIT 380: Securing Computer Systems Slide #39 Fast Worms
Slammer worm characteristics
–Attacked MS SQL servers.
–Worm is a single 404-byte UDP packet.
–Random scanning (PRNG bugs limited it).
–Limited by network bandwidth, not latency.
–Observed scan rate of 26,000 hosts/second.

CIT 380: Securing Computer Systems Slide #40 Fast Worms
–Infected 90% of vulnerable hosts in 10 minutes.
–Too fast for humans to react.
–Shut down 13,000 Bank of America ATMs by compromising database servers and generating heavy traffic.

CIT 380: Securing Computer Systems Slide #41 Profitable Malware
Sobig
–W32 worm using email/network share vectors.
–Contains an upgrade mechanism: the worm checked sites every few minutes; when a site was valid, it downloaded code. Later variants could update the upgrade server list.
–Payload downloaded through the upgrade mechanism: key logger; Wingate proxy server (for spam proxying).

CIT 380: Securing Computer Systems Slide #42 Profitable Malware
Trojans
–Backdoor.Lala transfers authentication cookies for eBay, PayPal, etc. to its maker.
–PWSteal.Bancos automates phishing by displaying fake web pages when the browser goes to certain bank sites.
Spyware and adware
–More than ever using Trojan techniques.
–Win32/Bube exploits an IE flaw and acts as a virus infecting IE, then downloads adware.

CIT 380: Securing Computer Systems Slide #43 Mobile Malware
2004: Cabir virus, infecting Symbian OS mobile phones via Bluetooth, appeared in June.
2005: Commwarrior-A worm spreads to Symbian Series 60 phones via the phone’s MMS.

CIT 380: Securing Computer Systems Slide #44 Mobile Malware
Around 1000 pieces of mobile malware exist.
For BlackBerries and Palm Pilots too.
Expect more as smart phones become common.

CIT 380: Securing Computer Systems Slide #45 Offline Impact
Davis-Besse nuclear power plant
–Slammer infected the Plant Process Computer and Safety Parameter Display System (Jan 2003).
–Analog backups unaffected.
–Infected a contractor’s network, then moved through a T1 line that bypassed the plant firewall.
Seattle 911 system
–Slammer disabled computer systems.
–Dispatchers reverted to manual systems.
Blackout
–Blaster infected First Energy systems.

CIT 380: Securing Computer Systems Slide #46 Modern Malware is
Stealthy: rootkit techniques common.
Targeted: targets smaller banks and countries, leverages current events:
–January: Storm Worm appears via email with subject “230 dead as storm batters Europe.”
–February: Miami Dolphins Stadium site hacked before the Super Bowl so that it would infect browsers with a trojan that grabbed WoW data.
Blended: combines trojan, virus and worm features.
Web-based: uses the web for delivery and update.
Profit-driven: the goal is to make money.

CIT 380: Securing Computer Systems Slide #47 References
1. Ross Anderson, Security Engineering, Wiley.
2. Matt Bishop, Computer Security: Art and Science, Addison-Wesley.
3. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition.
4. Fred Cohen.
5. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates.
6. Alexander Gostev, “Malware Evolution: January - March 2005,” April.
7. Elias Levy, “Crossover: Online Pests Plaguing the Offline World,” IEEE Security & Privacy.
8. Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 5th edition, McGraw-Hill.
9. Hilarie Orman, “The Morris Worm: A Fifteen-Year Perspective,” IEEE Security & Privacy.
10. Cyrus Peikari and Anton Chuvakin, Security Warrior, O’Reilly & Associates.
11. Ed Skoudis, Counter Hack Reloaded, Prentice Hall.
12. Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall.
13. Stuart Staniford, Vern Paxson, and Nicholas Weaver, “How to 0wn the Internet in Your Spare Time,” Proceedings of the 11th USENIX Security Symposium.
14. Peter Szor, The Art of Computer Virus Research and Defense, Addison-Wesley.
15. Trend Micro, “1H2007 Threat Roundup,” up_final_jul2007.pdf