Lecture 15 Page 1 CS 136, Fall 2010 Malware CS 136 Computer Security Peter Reiher November 18, 2010.

Slides:



Advertisements
Similar presentations
Thank you to IT Training at Indiana University Computer Malware.
Advertisements

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Lecture 12 Page 1 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Computer Viruses.
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter Nine Maintaining a Computer Part III: Malware.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Lecture 14 Page 1 CS 236 Online Malware CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
1 Higher Computing Topic 8: Supporting Software Updated
Lecture 12 Page 1 CS 136, Fall 2013 Malware CS 136 Computer Security Peter Reiher November 5, 2013.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
IT internet security. The Internet The Internet - a physical collection of many networks worldwide which is referred to in two ways: The internet (lowercase.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Security CS Introduction to Operating Systems.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Topic 5: Basic Security.
Malicious Software.
Lecture 13 Page 1 CS 136, Fall 2012 Malware CS 136 Computer Security Peter Reiher November 13, 2012.
Computer Security Threats CLICKTECHSOLUTION.COM. Computer Security Confidentiality –Data confidentiality –Privacy Integrity –Data integrity –System integrity.
Lecture 12 Page 1 CS 136, Spring 2014 Malware CS 136 Computer Security Peter Reiher May 15, 2014.
Understand Malware LESSON Security Fundamentals.
W elcome to our Presentation. Presentation Topic Virus.
Types of Computer Malware. The first macro virus was written for Microsoft Word and was discovered in August Today, there are thousands of macro.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Lecture 15 Page 1 CS 136, Spring 2009 Malware CS 136 Computer Security Peter Reiher May 21, 2009.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Lecture 12 Page 1 CS 136, Spring 2016 Malicious Software Computer Security Peter Reiher May 12, 2016.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
Lecture 14 Page 1 CS 136, Fall 2011 Malware CS 136 Computer Security Peter Reiher November 10, 2011.
Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.
Created by the E-PoliceSlide 122 February, 2012 Dangers of s By Michael Kuc.
SAMET KARTAL No one wants to share own information with unknown person. Sometimes while sharing something with someone people wants to keep.
Botnets A collection of compromised machines
Malicious Software Computer Security Peter Reiher February 21, 2017
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
VIRUS HOAX + BOTS. VIRUS HOAX + BOTS Group Members Aneeqa Ikram Fatima Ishaque Tufail Rana Anwar Amjad.
Outline What does the OS protect? Authentication for operating systems
Worms Programs that seek to move from system to system
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Outline What does the OS protect? Authentication for operating systems
Botnets A collection of compromised machines
NET 311 Information Security
Chap 10 Malicious Software.
Malware CS 136 Computer Security Peter Reiher February 25, 2010
Chap 10 Malicious Software.
Worms Programs that seek to move from system to system
Presentation transcript:

Lecture 15 Page 1 CS 136, Fall 2010 Malware CS 136 Computer Security Peter Reiher November 18, 2010

Lecture 15 Page 2 CS 136, Fall 2010 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Malware components

Lecture 15 Page 3 CS 136, Fall 2010 Introduction Clever programmers can get software to do their dirty work for them Programs have several advantages for these purposes –Speed –Mutability –Anonymity

Lecture 15 Page 4 CS 136, Fall 2010 Where Does Malicious Code Come From? Most typically, it’s willingly (but unwittingly) imported into the system –Electronic mail (most common today) –Downloaded executables Often automatically from web pages –Sometimes shrink-wrapped software Sometimes it breaks in Sometimes an insider intentionally introduces it

Lecture 15 Page 5 CS 136, Fall 2010 Magnitude of the Problem Considering viruses only, by 1994 there were over 1,000,000 annual infections –One survey shows 10-fold increase in viruses since 1996 In November 2003, 1 in 93 scanned by particular survey contained a virus 2008 CSI report shows 50% of survey respondents had virus incidents –Plus 20% with bot incidents 2009 Trend Micro study shows 50% of infected machines still infected 300 days later

Lecture 15 Page 6 CS 136, Fall 2010 Viruses “Self-replicating programs containing code that explicitly copies itself and that can ‘infect’ other programs by modifying them or their environment” Typically attached to some other program –When that program runs, the virus becomes active and infects others Not all malicious codes are viruses

Lecture 15 Page 7 CS 136, Fall 2010 How Do Viruses Work? When a program is run, it typically has the full privileges of its running user Including write privileges for some other programs A virus can use those privileges to replace those programs with infected versions

Lecture 15 Page 8 CS 136, Fall 2010 Before the Infected Program Runs Infected Program Uninfected Program Virus Code

Lecture 15 Page 9 CS 136, Fall 2010 The Infected Program Runs Infected Program Uninfected Program Virus Code

Lecture 15 Page 10 CS 136, Fall 2010 Infecting the Other Program Infected Program Uninfected Program Virus Code Infected Program

Lecture 15 Page 11 CS 136, Fall 2010 Macro and Attachment Viruses Modern data files often contain executables –Macros – attachments –Ability to run arbitrary executables from many applications, embedded in data Popular form of new viruses –Requires less sophistication to get right

Lecture 15 Page 12 CS 136, Fall 2010 Virus Toolkits Helpful hackers have written toolkits that make it easy to create viruses A typical smart high school student can easily create a virus given a toolkit Generally easy to detect viruses generated by toolkits –But toolkits are getting smarter

Lecture 15 Page 13 CS 136, Fall 2010 How To Find Viruses Basic precautions Looking for changes in file sizes Scan for signatures of viruses Multi-level generic detection

Lecture 15 Page 14 CS 136, Fall 2010 Precautions to Avoid Viruses Don’t import untrusted programs –But who can you trust? Viruses have been found in commercial shrink-wrap software The hackers who released Back Orifice were embarrassed to find a virus on their CD release Trusting someone means not just trusting their honesty, but also their caution

Lecture 15 Page 15 CS 136, Fall 2010 Other Precautionary Measures Scan incoming programs for viruses –Some viruses are designed to hide Limit the targets viruses can reach Monitor updates to executables carefully –Requires a broad definition of “executable”

Lecture 15 Page 16 CS 136, Fall 2010 Containment Run suspect programs in an encapsulated environment –Limiting their forms of access to prevent virus spread Requires versatile security model and strong protection guarantees –No use to run in tightly confined mode if user allows it to get out

Lecture 15 Page 17 CS 136, Fall 2010 Viruses and File Sizes Typically, a virus tries to hide So it doesn’t disable the infected program Instead, extra code is added But if it’s added naively, the size of the file grows Virus detectors look for this growth Won’t work for files whose sizes typically change Clever viruses find ways around it –E.g., cavity viruses that fit themselves into “holes” in programs

Lecture 15 Page 18 CS 136, Fall 2010 Signature Scanning If a virus lives in code, it must leave some traces In early and unsophisticated viruses, these traces were essentially characteristic code patterns Find the virus by looking for the signature

Lecture 15 Page 19 CS 136, Fall 2010 How To Scan For Signatures Create a database of known virus signatures Read every file in the system and look for matches in its contents Also check every newly imported file Also scan boot sectors and other interesting places

Lecture 15 Page 20 CS 136, Fall 2010 Weaknesses of Scanning for Signatures What if the virus changes its signature? What if the virus takes active measures to prevent you from finding the signature? You can only scan for known virus signatures

Lecture 15 Page 21 CS 136, Fall 2010 Polymorphic Viruses A polymorphic virus produces varying but operational copies of itself Essentially avoiding having a signature Sometimes only a few possibilities –E.g., Whale virus has 32 forms But sometimes a lot –Storm worm had more than 54,000 formats as of 2006

Lecture 15 Page 22 CS 136, Fall 2010 Stealth Viruses A virus that tries actively to hide all signs of its presence Typically a resident virus For example, it traps calls to read infected files –And disinfects them before returning the bytes –E.g., the Brain virus

Lecture 15 Page 23 CS 136, Fall 2010 Combating Stealth Viruses Stealth viruses can hide what’s in the files But may be unable to hide that they’re in memory Also, if you reboot carefully from a clean source, the stealth virus can’t get a foothold Concerns that malware can hide in other places, like peripheral memory

Lecture 15 Page 24 CS 136, Fall 2010 Other Detection Methods Checksum comparison Intelligent checksum analysis –For files that might legitimately change Intrusion detection methods –E.g., look for attack invariants instead of signatures Identify and handle “clusters” of similar malware

Lecture 15 Page 25 CS 136, Fall 2010 Preventing Virus Infections Run a virus detection program –Almost all CSI reporting companies do –And many still get clobbered Keep its signature database up to date –Modern virus scanners do this by default Disable program features that run executables without users asking –Quicktime had this problem a couple years ago Make sure users are very careful about what they run

Lecture 15 Page 26 CS 136, Fall 2010 How To Deal With Virus Infections Reboot from a clean, write-protected floppy or from a clean CD ROM –Important to ensure that the medium really is clean –Necessary, but not sufficient If backups are available and clean, replace infected files with clean backup copies –Another good reason to keep backups Recent proof-of-concept code showed infection of firmware in peripherals...

Lecture 15 Page 27 CS 136, Fall 2010 Disinfecting Programs Some virus utilities try to disinfect infected programs –Allowing you to avoid going to backup Potentially hazardous, since they may get it wrong –Some viruses destroy information needed to restore programs properly

Lecture 15 Page 28 CS 136, Fall 2010 When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code that does harmful things

Lecture 15 Page 29 CS 136, Fall 2010 Basic Trojan Horses A program you pick up somewhere that is supposed to do something useful And perhaps it does –But it also does something less benign Games are common locations for Trojan Horses Downloaded applets are also popular locations Frequently found in attachments Bogus security products also popular

Lecture 15 Page 30 CS 136, Fall 2010 Recent Trends in Trojan Horses Trojan horses in pirated copies of iWorks, Adobe Photoshop CS4, Windows 7 Release Candidate –Found on peer file sharing networks Macs aren’t safe any more Zeus Trojan horse very widespread –Used for on-line bank fraud, stealing proprietary data, etc. –Spread by phishing, drive-by downloads

Lecture 15 Page 31 CS 136, Fall 2010 Trapdoors A secret entry point into an otherwise legitimate program Typically inserted by the writer of the program Most often found in login programs or programs that use the network But also found in system utilities

Lecture 15 Page 32 CS 136, Fall 2010 Trapdoors and Other Malware Malware that has taken over a machine often inserts a trapdoor To allow the attacker to get back in –If the normal entry point is closed Infected machine should be handled carefully to remove such trapdoors –Otherwise, attacker comes right back

Lecture 15 Page 33 CS 136, Fall 2010 Logic Bombs Like trapdoors, typically in a legitimate program A piece of code that, under certain conditions, “explodes” Also like trapdoors, typically inserted by program authors Often used by disgruntled employees to get revenge –Dismissed Fannie Mae employee planted one in October 2008 –If not found first, would have shut down Fannie Mae for at least a week

Lecture 15 Page 34 CS 136, Fall 2010 Extortionware Attacker breaks in and does something to system –Demands money to undo it Encrypting vital data is common –Recent Irish incidents also encrypted backups Unlike logic bombs, not timed or triggered

Lecture 15 Page 35 CS 136, Fall 2010 Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious behavior The Internet worm used to be the most famous example –Blaster, Slammer, Witty are other worms Can spread very, very rapidly

Lecture 15 Page 36 CS 136, Fall 2010 The Internet Worm Created by a graduate student at Cornell in 1988 Released (perhaps accidentally) on the Internet Nov. 2, 1988 Spread rapidly throughout the network –6000 machines infected

Lecture 15 Page 37 CS 136, Fall 2010 How Did the Internet Worm Work? The worm attacked vulnerabilities in Unix 4 BSD variants These vulnerabilities allowed improper execution of remote processes Which allowed the worm to get a foothold on a system –And then to spread

Lecture 15 Page 38 CS 136, Fall 2010 The Worm’s Actions Find an uninfected system and infect that one Here’s where it ran into trouble: –It re-infected already infected systems –Each infection was a new process –Caused systems to wedge Did not take intentional malicious actions against infected nodes

Lecture 15 Page 39 CS 136, Fall 2010 Stopping the Worm In essence, required rebooting all infected systems –And not bringing them back on the network until the worm was cleared out –Though some sites stayed connected Also, the flaws it exploited had to be patched

Lecture 15 Page 40 CS 136, Fall 2010 Effects of the Worm Around 6000 machines were infected and required substantial disinfecting activities Many, many more machines were brought down or pulled off the net –Due to uncertainty about scope and effects of the worm

Lecture 15 Page 41 CS 136, Fall 2010 What Did the Worm Teach Us? The existence of some particular vulnerabilities The costs of interconnection The dangers of being trusting Denial of service is easy Security of hosts is key Logging is important We obviously didn’t learn enough

Lecture 15 Page 42 CS 136, Fall 2010 Code Red A malicious worm that attacked Windows machines Basically used vulnerability in Microsoft IIS servers Became very widely spread and caused a lot of trouble

Lecture 15 Page 43 CS 136, Fall 2010 How Code Red Worked Attempted to connect to TCP port 80 (a web server port) on randomly chosen host If successful, sent HTTP GET request designed to cause a buffer overflow If successful, defaced all web pages requested from web server

Lecture 15 Page 44 CS 136, Fall 2010 More Code Red Actions Periodically, infected hosts tried to find other machines to compromise Triggered a DDoS attack on a fixed IP address at a particular time Actions repeated monthly Possible for Code Red to infect a machine multiple times simultaneously

Lecture 15 Page 45 CS 136, Fall 2010 Code Red Stupidity Bad method used to choose another random host –Same random number generator seed to create list of hosts to probe DDoS attack on a particular fixed IP address –Merely changing the target’s IP address made the attack ineffective

Lecture 15 Page 46 CS 136, Fall 2010 Code Red II Used smarter random selection of targets Didn’t try to reinfect infected machines Adds a Trojan Horse version of Internet Explorer to machine –Unless other patches in place, will reinfect machine after reboot on login Also, left a backdoor on some machines Doesn’t deface web pages or launch DDoS Didn’t turn on periodically

Lecture 15 Page 47 CS 136, Fall 2010 Impact of Code Red and Code Red II Code Red infected over 250,000 machines In combination, estimated infections of over 750,000 machines Code Red II is essentially dead –Except for periodic reintroductions of it But Code Red is still out there

Lecture 15 Page 48 CS 136, Fall 2010 Stuxnet Scary worm that popped up last year Targeted at SCADA systems Appears to try to alter industrial processes –Speculation suggests it targets nuclear enrichment equipment Very sophisticated, very specifically targeted

Lecture 15 Page 49 CS 136, Fall 2010 Worm, Virus, or Trojan Horse? Terms often used interchangeably Trojan horse formally refers to a program containing evil code –Only run when user executes it –Effect isn’t necessarily infection Viruses seek to infect other programs Worms seek to move from machine to machine

Lecture 15 Page 50 CS 136, Fall 2010 Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks –Usually those requiring lots of power

Lecture 15 Page 51 CS 136, Fall 2010 What Are Botnets Used For? Spam (90% of all is spam) Distributed denial of service attacks Hosting of pirated content Hosting of phishing sites Harvesting of valuable data –From the infected machines Much of their time spent on spreading

Lecture 15 Page 52 CS 136, Fall 2010 Botnet Software Each bot runs some special software –Often built from a toolkit Used to control that machine Generally allows downloading of new attack code –And upgrades of control software Incorporates some communication method –To deliver commands to the bots

Lecture 15 Page 53 CS 136, Fall 2010 Botnet Communications Originally very unsophisticated –All bots connected to an IRC channel –Commands issued into the channel Starting to use peer technologies –Similar to some file sharing systems –Peers, superpeers, resiliency mechanisms –Conficker’s botnet uses peer techniques Stronger botnet security becoming common –Passwords and encryption of traffic

Lecture 15 Page 54 CS 136, Fall 2010 Botnet Spreading Originally via worms and direct break-in attempts Then through phishing and Trojan Horses Conficker uses multiple vectors –Buffer overflow, through peer networks, password guessing Regardless of details, almost always automated

Lecture 15 Page 55 CS 136, Fall 2010 Characterizing Botnets Most commonly based on size –Reliable reports of botnets of hundreds of thousands –Estimates for Conficker over 5 million –Trend Micro estimates 100 million machines are members of botnets Controlling software also important Other characteristics less examined

Lecture 15 Page 56 CS 136, Fall 2010 Why Are Botnets Hard to Handle? Scale Anonymity Legal and international issues Fundamentally, if a node is known to be a bot, what then? –How are we to handle huge numbers of infected nodes?

Lecture 15 Page 57 CS 136, Fall 2010 Possible Approaches to Handling Botnets Clean up the nodes –Can’t force people to do it Interfere with botnet operations –Difficult and possibly illegal Shun bot nodes –But much of their activity is legitimate –And no good techniques for doing so

Lecture 15 Page 58 CS 136, Fall 2010 Spyware Software installed on a computer that is meant to gather information On activities of computer’s owner Reported back to owner of spyware Probably violating privacy of the machine’s owner Stealthy behavior critical for spyware Usually designed to be hard to remove

Lecture 15 Page 59 CS 136, Fall 2010 What Is Done With Spyware? Gathering of sensitive data –Passwords, credit card numbers, etc. Observations of normal user activities –Allowing targeted advertising –And possibly more nefarious activities

Lecture 15 Page 60 CS 136, Fall 2010 Where Does Spyware Come From? Usually installed by computer owner –Generally unintentionally –Certainly without knowledge of the full impact –Via vulnerability or deception Can be part of payload of worms –Or installed on botnet nodes

Lecture 15 Page 61 CS 136, Fall 2010 Malware Components Malware is becoming sufficiently sophisticated that it has generic components Two examples: –Droppers –Rootkits

Lecture 15 Page 62 CS 136, Fall 2010 Droppers Very simple piece of code Runs on new victim’s machine Fetches more complex piece of malware from somewhere else Can fetch many different payloads Small, simple, hard to detect

Lecture 15 Page 63 CS 136, Fall 2010 Rootkits Software designed to maintain illicit access to a computer Installed after attacker has gained very privileged access on the system Goal is to ensure continued privileged access –By hiding presence of malware –By defending against removal

Lecture 15 Page 64 CS 136, Fall 2010 Use of Rootkits Often installed by worms or viruses –E.g., the Pandex botnet Generally replaces system components with compromised versions –OS components –Libraries –Drivers

Lecture 15 Page 65 CS 136, Fall 2010 Ongoing Rootkit Behavior Generally offer trapdoors to their owners Usually try hard to conceal themselves –And other nefarious activities –Conceal files, registry entries, network connections, etc. Also try to make it hard to remove them Sometimes removes others’ rootkits –Another trick of the Pandex botnet