Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.

Slides:



Advertisements
Similar presentations
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Advertisements

Thank you to IT Training at Indiana University Computer Malware.
By Hiranmayi Pai Neeraj Jain
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Lecture 12 Page 1 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code.
Lecturer: Fadwa Tlaelan
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Introduction to Security Computer Networks Computer Networks Term B10.
Threats To A Computer Network
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Chapter Nine Maintaining a Computer Part III: Malware.
Advanced Persistent Threats CS461/ECE422 Spring 2012.
Introduction to Honeypot, Botnet, and Security Measurement
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Unit 2 - Hardware Computer Security.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Introduction to ITE Chapter 9 Computer Security. Why Study Security?  This is a huge area for computer technicians.  Security isn’t just anti-virus.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
Lecture 12 Page 1 CS 136, Fall 2013 Malware CS 136 Computer Security Peter Reiher November 5, 2013.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Trojan Virus By Forbes and Mark. What is a Trojan virus Trojans are malicious programs that perform actions that have not been authorised by the user.
Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
Malicious Software.
Lecture 13 Page 1 CS 136, Fall 2012 Malware CS 136 Computer Security Peter Reiher November 13, 2012.
Lecture 12 Page 1 CS 136, Spring 2014 Malware CS 136 Computer Security Peter Reiher May 15, 2014.
Understand Malware LESSON Security Fundamentals.
Lecture 15 Page 1 CS 136, Fall 2010 Malware CS 136 Computer Security Peter Reiher November 18, 2010.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Lecture 15 Page 1 CS 136, Spring 2009 Malware CS 136 Computer Security Peter Reiher May 21, 2009.
Role Of Network IDS in Network Perimeter Defense.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Lecture 12 Page 1 CS 136, Spring 2016 Malicious Software Computer Security Peter Reiher May 12, 2016.
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
Lecture 14 Page 1 CS 136, Fall 2011 Malware CS 136 Computer Security Peter Reiher November 10, 2011.
By Thomas Pantone Cosc 380.  A virus is a type of malware that self replicates after being executed and inserts itself into other programs, data files,
Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.
Created by the E-PoliceSlide 122 February, 2012 Dangers of s By Michael Kuc.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Botnets A collection of compromised machines
Malicious Software Computer Security Peter Reiher February 21, 2017
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Viruses and Other Malicious Content
Worms Programs that seek to move from system to system
Botnets A collection of compromised machines
NET 311 Information Security
Chap 10 Malicious Software.
Malware CS 136 Computer Security Peter Reiher February 25, 2010
Chap 10 Malicious Software.
Crisis and Aftermath Morris worm.
Test 3 review FTP & Cybersecurity
Introduction to Internet Worm
Worms Programs that seek to move from system to system
Presentation transcript:

Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious behavior The Internet worm used to be the most famous example –Blaster, Slammer, Witty are other worms Can spread very, very rapidly

Lecture 14 Page 2 CS 236 Online The Internet Worm Created by a graduate student at Cornell in 1988 Released (perhaps accidentally) on the Internet Nov. 2, 1988 Spread rapidly throughout the network –6000 machines infected

Lecture 14 Page 3 CS 236 Online How Did the Internet Worm Work? The worm attacked vulnerabilities in Unix 4 BSD variants These vulnerabilities allowed improper execution of remote processes Which allowed the worm to get a foothold on a system –And then to spread

Lecture 14 Page 4 CS 236 Online The Worm’s Actions Find an uninfected system and infect that one Here’s where it ran into trouble: –It re-infected already infected systems –Each infection was a new process –Caused systems to wedge Did not take intentional malicious actions against infected nodes

Lecture 14 Page 5 CS 236 Online Stopping the Worm In essence, required rebooting all infected systems –And not bringing them back online until the worm was cleared out –Though some sites stayed connected Also, the flaws it exploited had to be patched

Lecture 14 Page 6 CS 236 Online Effects of the Worm Around 6000 machines were infected and required substantial disinfecting activities Many, many more machines were brought down or pulled off the net –Due to uncertainty about scope and effects of the worm

Lecture 14 Page 7 CS 236 Online What Did the Worm Teach Us? The existence of some particular vulnerabilities The costs of interconnection The dangers of being trusting Denial of service is easy Security of hosts is key Logging is important We obviously didn’t learn enough

Lecture 14 Page 8 CS 236 Online Code Red A malicious worm that attacked Windows machines Basically used vulnerability in Microsoft IIS servers Became very widely spread and caused a lot of trouble

Lecture 14 Page 9 CS 236 Online How Code Red Worked Attempted to connect to TCP port 80 (a web server port) on randomly chosen host If successful, sent HTTP GET request designed to cause a buffer overflow If successful, defaced all web pages requested from web server

Lecture 14 Page 10 CS 236 Online More Code Red Actions Periodically, infected hosts tried to find other machines to compromise Triggered a DDoS attack on a fixed IP address at a particular time Actions repeated monthly Possible for Code Red to infect a machine multiple times simultaneously

Lecture 14 Page 11 CS 236 Online Code Red Stupidity Bad method used to choose another random host –Same random number generator seed to create list of hosts to probe DDoS attack on a particular fixed IP address –Merely changing the target’s IP address made the attack ineffective

Lecture 14 Page 12 CS 236 Online Code Red II Used smarter random selection of targets Didn’t try to reinfect infected machines Added a Trojan Horse version of Internet Explorer to machine –Unless other patches in place, reinfected machine after reboot on login Also, left a backdoor on some machines Didn’t deface web pages or launch DDoS Didn’t turn on periodically

Lecture 14 Page 13 CS 236 Online Impact of Code Red and Code Red II Code Red infected over 250,000 machines In combination, estimated infections of over 750,000 machines Code Red II is essentially dead –Except for periodic reintroductions of it But Code Red is still out there

Lecture 14 Page 14 CS 236 Online Stuxnet Scary worm that popped up in 2010 Targeted at SCADA systems Appears to try to alter industrial processes –Targeted nuclear enrichment equipment –Apparently particularly Iranian equipment Very sophisticated, very specifically targeted –Speculation is built by a government

Lecture 14 Page 15 CS 236 Online Worm, Virus, or Trojan Horse? Terms often used interchangeably Trojan horse formally refers to a program containing evil code –Only run when user executes it –Effect isn’t necessarily infection Viruses seek to infect other programs Worms seek to move from machine to machine

Lecture 14 Page 16 CS 236 Online Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks –Usually those requiring lots of power

Lecture 14 Page 17 CS 236 Online What Are Botnets Used For? Spam (90% of all is spam) Distributed denial of service attacks Hosting of pirated content Hosting of phishing sites Harvesting of valuable data –From the infected machines Much of their time spent on spreading

Lecture 14 Page 18 CS 236 Online Botnet Software Each bot runs some special software –Often built from a toolkit Used to control that machine Generally allows downloading of new attack code –And upgrades of control software Incorporates some communication method –To deliver commands to the bots

Lecture 14 Page 19 CS 236 Online Botnet Communications Originally very unsophisticated –All bots connected to an IRC channel –Commands issued into the channel Starting to use peer technologies –Similar to some file sharing systems –Peers, superpeers, resiliency mechanisms –Conficker’s botnet uses peer techniques Stronger botnet security becoming common –Passwords and encryption of traffic

Lecture 14 Page 20 CS 236 Online Botnet Spreading Originally via worms and direct break-in attempts Then through phishing and Trojan horses Conficker used multiple vectors –Buffer overflow, through peer networks, password guessing Regardless of details, almost always automated

Lecture 14 Page 21 CS 236 Online Characterizing Botnets Most commonly based on size –Reliable reports of botnets of hundreds of thousands –Estimates for Conficker over 5 million –Trend Micro estimates 100 million machines are members of botnets Controlling software also important Other characteristics less examined

Lecture 14 Page 22 CS 236 Online Why Are Botnets Hard to Handle? Scale Anonymity Legal and international issues Fundamentally, if a node is known to be a bot, what then? –How are we to handle huge numbers of infected nodes?

Lecture 14 Page 23 CS 236 Online Approaches to Handling Botnets Clean up the nodes –Can’t force people to do it Interfere with botnet operations –Difficult and possibly illegal –Recent US government approaches here Shun bot nodes –But much of their activity is legitimate –And no good techniques for doing so

Lecture 14 Page 24 CS 236 Online Spyware Software installed on a computer that is meant to gather information On activities of computer’s owner Reported back to owner of spyware Probably violating privacy of the machine’s owner Stealthy behavior critical for spyware Usually designed to be hard to remove

Lecture 14 Page 25 CS 236 Online What Is Done With Spyware? Gathering of sensitive data –Passwords, credit card numbers, etc. Observations of normal user activities –Allowing targeted advertising –And possibly more nefarious activities

Lecture 14 Page 26 CS 236 Online Where Does Spyware Come From? Usually installed by computer owner –Generally unintentionally –Certainly without knowledge of the full impact –Via vulnerability or deception Can be part of payload of worms –Or installed on botnet nodes

Lecture 14 Page 27 CS 236 Online Malware Components Malware is becoming sufficiently sophisticated that it has generic components Two examples: –Droppers –Rootkits

Lecture 14 Page 28 CS 236 Online Droppers Very simple piece of code Runs on new victim’s machine Fetches more complex piece of malware from somewhere else Can fetch many different payloads Small, simple, hard to detect

Lecture 14 Page 29 CS 236 Online Rootkits Software designed to maintain illicit access to a computer Installed after attacker has gained very privileged access on the system Goal is to ensure continued privileged access –By hiding presence of malware –By defending against removal

Lecture 14 Page 30 CS 236 Online Use of Rootkits Often installed by worms or viruses –E.g., the Pandex botnet Generally replaces system components with compromised versions –OS components –Libraries –Drivers

Lecture 14 Page 31 CS 236 Online Ongoing Rootkit Behavior Generally offer trapdoors to their installers Usually try hard to conceal themselves –And other nefarious activities –Conceal files, registry entries, network connections, etc. Also try to make it hard to remove them Sometimes removes others’ rootkits –Another trick of the Pandex botnet

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.