1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software

2 Outline
- Viruses and Related Threats
- Malicious Programs
- The Nature of Viruses
- Antivirus Approaches
- Advanced Antivirus Techniques
- DDoS attacks and countermeasures

3 Viruses and “Malicious Programs” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

4 Taxonomy of Malicious Programs

5 Backdoor or Trapdoor
- secret entry point into a program
- allows those who know of it to gain access, bypassing the usual security procedures
- have been commonly used by developers
- a threat when left in production programs, where attackers can exploit them
- very hard to block at the OS level

6 Logic Bomb
- one of the oldest types of malicious software
- code embedded in a legitimate program
- activated when specified conditions are met, e.g.:
  - presence/absence of some file
  - particular date/time
  - particular user
- when triggered, typically damages the system: modify/delete files/disks, halt the machine, etc.

7 Trojan Horse
- program with hidden side-effects
- usually superficially attractive, e.g. a game, a s/w upgrade, etc.
- when run, performs some additional tasks
- allows an attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor, or simply to destroy data
- example of a hidden side-effect: mail the password file

8 Zombie
- program which secretly takes over another networked computer
- then uses it to indirectly launch attacks (difficult to trace the zombie’s creator)
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems

9 Bacteria
- a “Bacteria” replicates until it fills all disk space or CPU cycles

10 Worms
- a program that replicates itself across the network (usually riding on messages or attached documents, e.g., macro viruses)
- similar to a virus, but spreads across the network instead of between files

11 Viruses
- a piece of self-replicating code attached to some other code
- attaches itself to another program and executes secretly when the host program is executed
- propagates itself & carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task

12 Virus Phases
- Dormant phase: the virus is idle
- Propagation phase: the virus places an identical copy of itself into other programs
- Triggering phase: the virus is activated to perform the function for which it was intended
- Execution phase: the function is performed
- details are usually machine/OS specific, exploiting features/weaknesses

13 Virus Structure
program V :=
{goto main;
 <marker>;                         (the marker value is elided on the page; an infected file carries it as its first line)
 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = <marker>) then goto loop
    else prepend V to file;
   }
 subroutine do-damage := {whatever damage is to be done}
 subroutine trigger-pulled := {return true if condition holds}
 main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}
 next:
}

14 Types of Viruses
- Parasitic Virus: attaches itself to executable files as part of their code; runs whenever the host program runs
- Memory-resident Virus: lodges in main memory as part of the resident operating system
- Boot Sector Virus: infects the boot sector of a disk and spreads when the operating system boots up (the original DOS viruses)
- Stealth Virus: explicitly designed to hide from virus scanning programs
- Polymorphic Virus: mutates with every new host to prevent signature detection
- Metamorphic Virus: mutates with every infection, but rewrites itself completely every time, making it extremely difficult to detect

15 A Compression Virus

16 Macro Viruses Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
- platform independent
- infect documents, delete files, generate and edit letters

17 E-mail Virus
- spread using e-mail with an attachment containing a macro virus
- triggered when the user opens the attachment
- or worse, even when the mail is merely viewed, by using scripting features in the mail agent
- hence propagates very quickly
- usually targeted at the Microsoft Outlook mail agent & Word/Excel documents
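The macro-virus and e-mail-virus slides above both turn on one fact a mail gateway or endpoint can check cheaply: in the Office Open XML formats (.docm, .xlsm, .pptm, and any OOXML file with macros smuggled in) the document is a ZIP container and the VBA code lives in a part named vbaProject.bin, declared in the content-types manifest. The following is an added example, not part of the original slides: it inspects an attachment for that part before a user ever opens it. The function names, the `build_sample` helper and the sample documents are constructed for illustration; the part name and content type are the real OOXML ones.

```python
import io
import zipfile
from typing import List

# Content type that the [Content_Types].xml manifest assigns to the VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(document: bytes) -> List[str]:
    """Return the names of embedded VBA project parts in an OOXML document (empty = no macros found)."""
    try:
        with zipfile.ZipFile(io.BytesIO(document)) as zf:
            names = zf.namelist()
            # Word, Excel and PowerPoint put the part under word/, xl/ or ppt/ respectively.
            hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Belt and braces: the manifest also declares the part; a mismatch is itself suspicious.
            if not hits and "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml declares a vbaProject part")
            return hits
    except zipfile.BadZipFile:
        # Not an OOXML container: legacy OLE .doc/.xls files need a different parser,
        # so a gateway should not treat this as "clean".
        return []


def has_macros(document: bytes) -> bool:
    """Policy hook: True if the attachment should be quarantined or stripped of macros."""
    return bool(find_macro_parts(document))


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for testing (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project; no real macro code.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro-enabled sample" if flag else "plain sample", "->", find_macro_parts(build_sample(flag)))
```

The check is deliberately structural rather than content-based: it does not need to understand VBA, so it cannot be evaded by obfuscating the macro body, only by leaving the OOXML family altogether (which is why the non-ZIP branch returns an empty list rather than a verdict).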

18 Worms
- replicating but not infecting program (does not attach itself to a program)
- typically spreads over a network
  - Morris Internet Worm in 1988
- using users' distributed privileges or by exploiting system vulnerabilities
- worms perform unwanted functions
- widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- the major issue is the lack of security of permanently connected systems, esp. PCs

19 Worm Operation
- a worm has phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish a connection to the target remote system
    - replicate self onto the remote system
  - triggering
  - execution

20 Morris Worm
- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems
- using several propagation techniques:
  - simple password cracking of the local password file
  - exploit a bug in the finger daemon
  - exploit the debug trapdoor in the sendmail daemon
- if any attack succeeded, it then replicated itself

21 Malicious Software Protection
- have well-known virus protection and anti-spybot programs etc., configured to scan disks and downloads automatically for known viruses
- do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents)
- avoid the most common operating systems and programs, if possible

22 Malicious Software Protection
- the best countermeasure is prevention (do not allow a virus to get into the system in the first place)
- but in general this is not possible
- hence the need to do one or more of:
  - detection: of viruses in an infected system
  - identification: of the specific infecting virus
  - removal: restoring the system to a clean state

23 Antivirus Approaches
1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behaviour (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above. Scanning & activity traps, access controls etc.
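To make the first two generations concrete, here is an added example (not from the original slides) that implements both checks side by side: a signature scan over file bytes, and an integrity baseline that records each executable's length and SHA-256 hash so that later changes are detected. The signature library, the file names and the file contents are constructed for the example; the first signature is the EICAR standard antivirus test string, which is harmless by design, and the second is made up. The "hash changed, same length" case is what a compression virus (slide 15) leaves behind, since it defeats the length check but not the hash check.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature library: byte pattern -> detection name. The first entry is the
# EICAR standard antivirus test string (harmless by design); the second is made up here.
SIGNATURES: Dict[bytes, str] = {
    rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*": "EICAR-Test-File",
    b"DEMO-SIGNATURE-NOT-REAL": "Demo.Constructed",
}

# name -> (length in bytes, SHA-256 hex digest) recorded while the files were clean
Baseline = Dict[str, Tuple[int, str]]


def scan_signatures(data: bytes, signatures: Dict[bytes, str] = SIGNATURES) -> List[str]:
    """1st generation: look for any known signature byte string anywhere in the file."""
    return sorted(name for pattern, name in signatures.items() if pattern in data)


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record length and SHA-256 of every presumed-clean executable (e.g. at install time)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def detect_changes(baseline: Baseline, files: Dict[str, bytes]) -> Dict[str, str]:
    """2nd generation: report files whose length or hash no longer matches the baseline."""
    findings: Dict[str, str] = {}
    for name, data in files.items():
        if name not in baseline:
            findings[name] = "not in baseline"
            continue
        old_len, old_hash = baseline[name]
        if len(data) != old_len:
            findings[name] = "length changed"              # the classic parasitic-virus symptom
        elif hashlib.sha256(data).hexdigest() != old_hash:
            findings[name] = "hash changed, same length"   # what a compression virus leaves behind
    return findings


def scan_store(baseline: Baseline, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Combine both checks, as later generations do: a file is flagged by either method."""
    changes = detect_changes(baseline, files)
    report: Dict[str, List[str]] = {}
    for name, data in files.items():
        reasons = scan_signatures(data) + ([changes[name]] if name in changes else [])
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    # Constructed "executables": a stub header followed by filler bytes.
    clean = {"app.exe": b"MZ" + b"\x00" * 100, "tool.exe": b"MZ" + b"\x90" * 50}
    baseline = build_baseline(clean)
    infected = dict(clean)
    infected["app.exe"] = b"DEMO-SIGNATURE-NOT-REAL" + clean["app.exe"]   # prepended code, longer file
    print(scan_store(baseline, infected))
```

Note the asymmetry the slides point at: the signature scan only catches what is already in the library, while the baseline comparison catches any modification but cannot say which virus made it (identification, in the terms of slide 22, still needs the signature).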

24 Advanced Antivirus Techniques
- Generic Decryption (GD)
  - CPU Emulator
  - Virus Signature Scanner
  - Emulation Control Module
  - for how long should a GD scanner run each interpretation?
- Digital Immune System

25 Digital Immune System

26 Behavior-Blocking Software
- integrated with the host OS
- monitors program behavior in real time for possibly malicious actions
  - e.g. file access, disk format, executable modifications, system settings changes, network access
- if detected, can block, terminate, or seek the user's OK
- has an advantage over scanners
- but the malicious code runs before detection
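The slide describes behavior blocking as a set of real-time rules over the actions listed; the following added example (not from the original slides) shows such a rule engine run over a constructed event stream. The event format, the process names, the targets and the thresholds are all assumptions made for the example, standing in for what a host-integrated monitor would deliver. The last rule also illustrates the slide's caveat: a process opening many files in quick succession is only blocked once it crosses the threshold, so the first opens have already happened by the time the blocker reacts.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed event records: (timestamp in seconds, process name, action, target)
Event = Tuple[float, str, str, str]


class BehaviorBlocker:
    """Judge each monitored action as it happens and return allow, ask or block."""

    def __init__(self, trusted_installers=("updater.exe",), window: float = 2.0, mass_limit: int = 20):
        self.trusted = set(trusted_installers)   # processes allowed to modify executables
        self.window = window                     # seconds covered by the mass-file-access rule
        self.mass_limit = mass_limit             # file opens per process tolerated in that window
        self.opens: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, ev: Event) -> str:
        ts, proc, action, target = ev
        if action == "disk_format":
            return "block"                       # never legitimate for an ordinary program
        if action == "write" and target.lower().endswith((".exe", ".dll", ".sys")):
            return "allow" if proc in self.trusted else "block"   # executable modification
        if action == "settings_change":
            return "ask"                         # seek the user's OK before allowing it
        if action == "file_open":
            recent = self.opens[proc]
            while recent and ts - recent[0] > self.window:
                recent.popleft()                 # drop opens outside the sliding window
            recent.append(ts)
            if len(recent) > self.mass_limit:
                return "block"                   # pattern of a program scanning through files
        return "allow"

    def run(self, events: List[Event]) -> List[str]:
        return [self.decide(ev) for ev in events]


def constructed_events() -> List[Event]:
    """Sample stream (constructed): one trusted update, three hostile actions, then a file sweep."""
    events: List[Event] = [
        (0.0, "updater.exe", "write", r"C:\Program Files\app\app.exe"),
        (0.1, "game.exe", "write", r"C:\Windows\System32\kernel32.dll"),
        (0.2, "game.exe", "settings_change", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
        (0.3, "game.exe", "disk_format", r"\\.\PhysicalDrive0"),
    ]
    # one process opening 25 documents within a single second
    events += [(1.0 + i / 25.0, "game.exe", "file_open", f"doc{i}.docx") for i in range(25)]
    return events


if __name__ == "__main__":
    for ev, verdict in zip(constructed_events(), BehaviorBlocker().run(constructed_events())):
        print(f"{ev[0]:5.2f} {ev[1]:12} {ev[2]:16} {verdict}")
```

Tuning `mass_limit` and `window` is the real engineering problem: too low and backup or indexing software gets blocked, too high and more files are touched before the rule fires.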

27 Distributed Denial of Service Attacks (DDoS)
- Distributed Denial of Service (DDoS) attacks form a significant security threat
- making networked systems unavailable by flooding them with useless traffic
- using large numbers of “zombies”
- growing sophistication of attacks
- defense technologies struggling to cope

28 Distributed Denial of Service Attacks (DDoS)

29 Direct DDoS attack

30 Reflector DDoS Attack

31 DDoS Countermeasures
- three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & identification (after)
- huge range of attack possibilities
- hence evolving countermeasures
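As an added example (not from the original slides) of the first two lines of defense, the code below pairs a prevention check with a detection-and-filtering stage over constructed traffic. `egress_allowed` is a source-address check of the kind a site's border router applies (BCP 38 style) so that its own hosts cannot emit spoofed packets, which is what reflector attacks (slide 30) depend on. `FloodFilter` is a sliding-window per-source rate limit that also raises an alarm when several sources exceed the limit at once, the signature of a zombie flood (slide 29). The addresses, rates and thresholds are assumptions chosen for the example; the filter logic is the general algorithm, not a specific product's.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed packet records: (timestamp in seconds, source IP, destination IP)
Packet = Tuple[float, str, str]


def egress_allowed(src_ip: str, site_prefix: str) -> bool:
    """Prevention: only forward packets whose source address belongs to the site (anti-spoofing)."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(site_prefix)


class FloodFilter:
    """Detection & filtering: per-source sliding-window rate limit plus an aggregate attack alarm."""

    def __init__(self, window: float = 1.0, per_source_limit: int = 10, alarm_sources: int = 3):
        self.window = window                    # seconds covered by the sliding window
        self.limit = per_source_limit           # packets per source admitted inside the window
        self.alarm_sources = alarm_sources      # number of offending sources that means "attack"
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.dropped: Dict[str, int] = defaultdict(int)

    def admit(self, pkt: Packet) -> bool:
        ts, src, _dst = pkt
        q = self.recent[src]
        while q and ts - q[0] >= self.window:
            q.popleft()                         # forget packets that left the window
        if len(q) >= self.limit:
            self.dropped[src] += 1              # over the per-source budget: drop
            return False
        q.append(ts)
        return True

    def filter(self, packets: List[Packet]) -> List[Packet]:
        return [p for p in packets if self.admit(p)]

    def under_attack(self) -> bool:
        """Many sources hitting the limit at once looks like a zombie flood, not one noisy client."""
        return sum(1 for n in self.dropped.values() if n > 0) >= self.alarm_sources


def count_by_source(packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for _ts, src, _dst in packets:
        counts[src] += 1
    return dict(counts)


def constructed_traffic() -> List[Packet]:
    """Two legitimate clients at 5 packets/s and four zombies at 50 packets/s (constructed sample)."""
    packets: List[Packet] = []
    for src in ("10.0.0.5", "10.0.0.6"):
        packets += [(i / 5.0, src, "192.0.2.10") for i in range(5)]
    for z in range(4):
        packets += [(i / 50.0, f"198.51.100.{z + 1}", "192.0.2.10") for i in range(50)]
    return sorted(packets)


if __name__ == "__main__":
    f = FloodFilter()
    admitted = f.filter(constructed_traffic())
    print(count_by_source(admitted), "attack:", f.under_attack())
```

A per-source limit on its own is weak against a large botnet, where each zombie can stay under the budget; that is why the aggregate alarm matters, and why the third line of defense (traceback) still exists.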

32 Summary
- have considered:
  - various malicious programs
  - trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
  - distributed denial of service attacks