Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014.

Slides:



Advertisements
Similar presentations
Thank you to IT Training at Indiana University Computer Malware.
Advertisements

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
By Hiranmayi Pai Neeraj Jain
Lecture 12 Page 1 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Introduction to Security Computer Networks Computer Networks Term B10.
Lecture 22: Internet Security Intro to IT COSC1078 Introduction to Information Technology Lecture 22 Internet Security James Harland
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Threats and Attacks Principles of Information Security, 2nd Edition
Introduction to Honeypot, Botnet, and Security Measurement
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Unit 2 - Hardware Computer Security.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Honeypot and Intrusion Detection System
Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
Lecture 12 Page 1 CS 136, Fall 2013 Malware CS 136 Computer Security Peter Reiher November 5, 2013.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.
Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.
Lecture 18 Page 1 Advanced Network Security Distributed Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Internet Worm Compromising the availability and reliability of systems through security.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
BY FIOLA CARVALHO TE COMP. CONTENTS  Malicious Software-Definition  Malicious Programs Backdoor Logic Bomb Trojan Horse Mobile Code Multiple-Threat.
Malicious Software.
Lecture 13 Page 1 CS 136, Fall 2012 Malware CS 136 Computer Security Peter Reiher November 13, 2012.
Lecture 12 Page 1 CS 136, Spring 2014 Malware CS 136 Computer Security Peter Reiher May 15, 2014.
Understand Malware LESSON Security Fundamentals.
Lecture 15 Page 1 CS 136, Fall 2010 Malware CS 136 Computer Security Peter Reiher November 18, 2010.
Types of Computer Malware. The first macro virus was written for Microsoft Word and was discovered in August Today, there are thousands of macro.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Lecture 15 Page 1 CS 136, Spring 2009 Malware CS 136 Computer Security Peter Reiher May 21, 2009.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Lecture 12 Page 1 CS 136, Spring 2016 Malicious Software Computer Security Peter Reiher May 12, 2016.
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Lecture 14 Page 1 CS 136, Fall 2011 Malware CS 136 Computer Security Peter Reiher November 10, 2011.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Created by the E-PoliceSlide 122 February, 2012 Dangers of s By Michael Kuc.
Botnets A collection of compromised machines
Malicious Software Computer Security Peter Reiher February 21, 2017
Instructor Materials Chapter 7 Network Security
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Viruses and Other Malicious Content
Worms Programs that seek to move from system to system
Botnets A collection of compromised machines
NET 311 Information Security
Chap 10 Malicious Software.
A Distributed DoS in Action
Malware CS 136 Computer Security Peter Reiher February 25, 2010
Chap 10 Malicious Software.
Crisis and Aftermath Morris worm.
Test 3 review FTP & Cybersecurity
Introduction to Internet Worm
Worms Programs that seek to move from system to system
Presentation transcript:

Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014

Lecture 26 Page 2 Advanced Network Security Outline Malware concepts Worms Botnets

Lecture 26 Page 3 Advanced Network Security Introduction Clever programmers can get software to do their dirty work for them Programs have several advantages for these purposes –Speed –Mutability –Anonymity

Lecture 26 Page 4 Advanced Network Security Types of Malicious Code Viruses Worms Trojan Horses Trapdoors Logic bombs Botnets Spyware Ransomware And many others

Lecture 26 Page 5 Advanced Network Security How Does Malicious Code Enter a System? Nowadays, usually over the network Sometimes through packets remotely exploiting a vulnerability More often downloaded as the result of a user action Or attached to Possible to enter through other mechanisms –But not as common

Lecture 26 Page 6 Advanced Network Security Magnitude of the Problem Considering viruses only, by 1994 there were over 1,000,000 annual infections –One survey shows 10-fold increase in viruses since 1996 In November 2003, 1 in 93 scanned by particular survey contained a virus 2008 CSI report shows 50% of survey respondents had virus incidents –Plus 20% with bot incidents 2009 Trend Micro study shows 50% of infected machines still infected 300 days later

Lecture 26 Page 7 Advanced Network Security Malware Classifications Is a particular piece of malware a botnet, a worm, a virus, a Trojan Horse? A much less important question than: –How did it get on your machine? –What is it doing while it’s there? –How do you get rid of it?

Lecture 26 Page 8 Advanced Network Security Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious behavior The Internet worm used to be the most famous example –Blaster, Slammer, Witty are other worms Can spread very, very rapidly

Lecture 26 Page 9 Advanced Network Security The Internet Worm Created by a graduate student at Cornell in 1988 Released (perhaps accidentally) on the Internet Nov. 2, 1988 Spread rapidly throughout the network –6000 machines infected

Lecture 26 Page 10 Advanced Network Security How Did the Internet Worm Work? The worm attacked vulnerabilities in Unix 4 BSD variants These vulnerabilities allowed improper execution of remote processes Which allowed the worm to get a foothold on a system –And then to spread

Lecture 26 Page 11 Advanced Network Security The Worm’s Actions Find an uninfected system and infect that one Here’s where it ran into trouble: –It re-infected already infected systems –Each infection was a new process –Caused systems to wedge Did not take intentional malicious actions against infected nodes

Lecture 26 Page 12 Advanced Network Security Stopping the Worm In essence, required rebooting all infected systems –And not bringing them back on the network until the worm was cleared out –Though some sites stayed connected Also, the flaws it exploited had to be patched Why didn’t firewalls stop it? –They weren’t invented yet

Lecture 26 Page 13 Advanced Network Security Effects of the Worm Around 6000 machines were infected and required substantial disinfecting activities Many, many more machines were brought down or pulled off the net –Due to uncertainty about scope and effects of the worm

Lecture 26 Page 14 Advanced Network Security What Did the Worm Teach Us? The existence of some particular vulnerabilities The costs of interconnection The dangers of being trusting Denial of service is easy Security of hosts is key Logging is important We obviously didn’t learn enough

Lecture 26 Page 15 Advanced Network Security Code Red A malicious worm that attacked Windows machines Basically used vulnerability in Microsoft IIS servers Became very widely spread and caused a lot of trouble

Lecture 26 Page 16 Advanced Network Security How Code Red Worked Attempted to connect to TCP port 80 (a web server port) on randomly chosen host If successful, sent HTTP GET request designed to cause a buffer overflow If successful, defaced all web pages requested from web server

Lecture 26 Page 17 Advanced Network Security More Code Red Actions Periodically, infected hosts tried to find other machines to compromise Triggered a DDoS attack on a fixed IP address at a particular time Actions repeated monthly Possible for Code Red to infect a machine multiple times simultaneously

Lecture 26 Page 18 Advanced Network Security Code Red Stupidity Bad method used to choose another random host –Same random number generator seed to create list of hosts to probe DDoS attack on a particular fixed IP address –Merely changing the target’s IP address made the attack ineffective

Lecture 26 Page 19 Advanced Network Security Code Red II Used smarter random selection of targets Didn’t try to reinfect infected machines Adds a Trojan Horse version of Internet Explorer to machine –Unless other patches in place, will reinfect machine after reboot on login Also, left a backdoor on some machines Doesn’t deface web pages or launch DDoS Didn’t turn on periodically

Lecture 26 Page 20 Advanced Network Security Impact of Code Red and Code Red II Code Red infected over 250,000 machines In combination, estimated infections of over 750,000 machines Code Red II is essentially dead –Except for periodic reintroductions of it But Code Red is still out there

Lecture 26 Page 21 Advanced Network Security Stuxnet Scary worm that popped up in 2010 Targeted at SCADA systems –Particularly, Iranian nuclear enrichment facilities Altered industrial processes Very specifically targeted

Lecture 26 Page 22 Advanced Network Security Where Did Stuxnet Come From? Stuxnet was very sophisticated –Speculated to be from unfriendly nation state(s) –New York Times claims White House officials confirmed it (no official confirmation, though) Research suggests SCADA attacks do not need much sophistication, though –Non-expert NSS Labs researcher easily broke into Siemans systems Duqu worm might be Stuxnet descendent –Appears to be stealing certificates

Lecture 26 Page 23 Advanced Network Security Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks –Usually those requiring lots of power

Lecture 26 Page 24 Advanced Network Security What Are Botnets Used For? Spam (90% of all is spam) Distributed denial of service attacks Hosting of pirated content Hosting of phishing sites Harvesting of valuable data –From the infected machines Much of their time spent on spreading

Lecture 26 Page 25 Advanced Network Security Botnet Software Each bot runs some special software –Often built from a toolkit Used to control that machine Generally allows downloading of new attack code –And upgrades of control software Incorporates some communication method –To deliver commands to the bots

Lecture 26 Page 26 Advanced Network Security Botnet Communications Originally very unsophisticated –All bots connected to an IRC channel –Commands issued into the channel Most sophisticated ones use peer technologies –Similar to some file sharing systems –Peers, superpeers, resiliency mechanisms –Conficker’s botnet uses peer techniques Stronger botnet security becoming common –Passwords and encryption of traffic

Lecture 26 Page 27 Advanced Network Security Botnet Spreading Originally via worms and direct break-in attempts Then through phishing and Trojan Horses –Increasing trend to rely on user mistakes Conficker uses multiple vectors –Buffer overflow, through peer networks, password guessing Regardless of details, almost always automated

Lecture 26 Page 28 Advanced Network Security Characterizing Botnets Most commonly based on size –Estimates for Conficker over 5 million –Zeus-based botnets got 3.6 million machines in US alone –Trend Micro estimates 100 million machines are members of botnets Controlling software also important Other characteristics less examined

Lecture 26 Page 29 Advanced Network Security Why Are Botnets Hard to Handle? Scale Anonymity Legal and international issues Fundamentally, if a node is known to be a bot, what then? –How are we to handle huge numbers of infected nodes?

Lecture 26 Page 30 Advanced Network Security Approaches to Handling Botnets Clean up the nodes –Can’t force people to do it Interfere with botnet operations –Difficult and possibly illegal –But some recent successes Shun bot nodes –But much of their activity is legitimate –And no good techniques for doing so

Lecture 26 Page 31 Advanced Network Security Conclusions Malware is widely used by attackers to automate their actions It is increasingly powerful and dangerous There are increasing numbers of different pieces of malware Much malware uses the network to get to its destination Some malware uses the network to do its damage

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.